Key highlights:

• • • Plans without funding are political theater, not strategy 鈥� Across the G20 and beyond, governments spend about $1 per vulnerable person per year, making the most comprehensive national action plans functionally undeliverable.

    • Corporate forced labor is a crime with no perpetrators 鈥� Despite an estimated tens of millions of victims in global supply chains, there has been only one forced labor investigation ever brought against a Fortune 500 company, exposing a near-total absence of criminal accountability in non-financial industries.

    • Real-time data accountability can work on a shoestring budgets 鈥� Uganda’s TipMap platform, built on a budget of just hundreds of thousands of dollars with NGO and US government support, demonstrates that transparent, publicly accessible prosecution tracking is achievable even for low-income countries 鈥� yet most wealthy nations have yet to replicate this model.

Every year, governments around the world publish sweeping national action plans to combat modern slavery, covering everything from vulnerable children, forced labor, and gender-based violence to prosecution targets and victim support. These action plans are, in many cases, genuinely comprehensive documents, and also in many cases, they are almost entirely unfunded.

That is the central finding of the (MSPI), a new tool developed by Duncan Jepson, Director of Strategy and Operations at . After decades working across supply chains, corporate law, and financial crime compliance in Asia, Jepson grew frustrated with a sector that was generating more conferences and consultants than criminal prosecutions. The MSPI takes a step back from that ground-level work and asks how governments are investing in this problem at a scale that matches their stated ambitions.

The answer, unsurprisingly, is that there is a big gap between plans and funding the execution of those plans. Across the G20 plus additional countries, total government spending on modern slavery prevention amounts to roughly $1.6 billion annually, Jepson notes. When measured against the estimated population of up to 2 billion people living in conditions of poverty and precarity that make them vulnerable to exploitation, the 鈥渋nvestment鈥� by governments works out to approximately $1 per person per year.

Grand plans & empty coffers

The MSPI evaluates governments across four dimensions, which include the context of exploitation within their borders, the comprehensiveness of their national action plan, the funding allocated to that plan, and the measurable outcomes produced. The gap between the second and third dimensions is the point at which the analysis reveals the most confounding gap.

Most national action plans, Jepson notes, look remarkably similar regardless of whether they come from wealthy nations or some of the poorest countries in the world. They include all the right elements; however, the problem is that the ambition of the plan rarely maps onto available resources. “If you see a similar kind of plan in a country which is not providing anywhere near the same investment, maybe only providing $10 million to $20 million,” then they’re clearly not going to be able to build the kind of institutional mechanisms and have them operational to achieve their stated ends, Jepson explains.

When measured against the estimated population of up to 2 billion people living in conditions of poverty, the 鈥渋nvestment鈥� by governments works out to approximately $1 per person per year.

This gap is partly a result of how these plans get written. Policy teams include every desirable outcome, every population group, and every intervention type because comprehensiveness signals seriousness. The result is what Jepson describes as a political product rather than a strategic one because it is detached from realities of resource constraints.

The three Ps framework 鈥� set out in the , which organizes anti-trafficking efforts around prevention, protection, and prosecution 鈥� has drifted from being a planning tool into being a target in itself. Governments check the boxes, publish the plan, and treat that as a win. The actual investment required to deliver outcomes becomes secondary.

Many perpetrators face no accountability

Perhaps the most sobering element of Jepson’s analysis concerns corporate accountability which, outside of healthcare and financial services, is extremely limited for criminal matters such as forced labor. Modern slavery in global supply chains, particularly forced labor in agriculture, manufacturing, fishing, and extractive industries, generates enormous profits. Prosecutions against the corporations involved are nearly nonexistent.

The , which Jepson brought to the U.S. Department of Homeland Security鈥檚 investigations unit a few years ago, remains a rare landmark. When he received a World Customs Organization award for the work, the citation described it as recognition for “the first investigation into a Fortune 500 company.鈥� Indeed, the fact that there is only one successful investigation in the entire history of Fortune 500 enforcement on forced labor is stunning in itself.

The structural reason for this, Jepson argues, is that non-financial industries operate without a criminal legal framework wrapped around their regulatory obligations. Banks are required to identify suspicious transactions, file reports, and de-risk clients connected to illicit activity, all under threat of serious legal regulatory consequence.

Modern slavery in global supply chains, particularly forced labor in agriculture, manufacturing, fishing, and extractive industries, generates enormous profits, while prosecutions against the corporations involved are nearly nonexistent.

Manufacturers, food producers, and commodity traders face no equivalent pressure. Their obligations tend to be framed in the language of sustainability and ethical sourcing, which are voluntary, subjective, and entirely company controlled.

When violations are discovered, the response is typically managed internally through grievance mechanisms, remediation programs, and consultant-led audits. Workers rarely have access to independent legal recourse and access to justice.

What good funding and enforcement should look like

Jepson is careful to point out that meaningful progress exists, even on limited budgets. , developed with support from the Human Trafficking Institute and US funding, provides a real-time, publicly accessible database of trafficking prosecutions and arrests. For a country investing only hundreds of thousands of dollars in this space, the platform demonstrates how transparency and institutional accountability can be achieved without enormous resources.

Italy and Germany both earn recognition for aligning their plans with their investment levels and for building on contextual knowledge. Yet neither country has solved corporate supply chain accountability, even though both demonstrate that coherent strategy tied to realistic resourcing produces better outcomes than aspirational planning without funding.

The US import ban mechanism, developed through U.S. Customs and Border Protection, remains the most significant enforcement tool in the world, although it鈥檚 still largely unique to one country.

The case for realistic investment

What Jepson would like to see instead is relatively straightforward. Governments need to develop a deeper, intentional recognition that their current spending levels are insufficient, he says, adding that investment in prevention also makes economic sense.

Every dollar not spent stopping exploitation upstream generates far greater costs in law enforcement response, victim and social services, and lost economic productivity downstream. Clearly, $1 per vulnerable person per year will not build the necessary infrastructure to protect anyone.

You can find out more about the challenges in combatting force labor in supply chains here

Key insights:

• • • The Panama Papers transformed beneficial ownership 鈥� The release of the Papers in 2016 changed the idea of beneficial ownership from a technical compliance footnote into a global policy imperative, and the pressure has not let up.

    • Regulatory responses have been significant but uneven 鈥� The EU has pushed forward aggressively, while US reforms under the Corporate Transparency Act have been substantially narrowed.

    • For compliance professionals, the enduring lesson is not about any single regulation 鈥� Rather, compliance professionals should have one goal: Maintaining the discipline of asking who, ultimately, is behind the transaction.

When 11.5 million documents from Mossack Fonseca were published on April 3, 2016, compliance teams across financial institutions around the world faced unprecedented pressure from senior leadership to prove they actually knew the true identities of their clients’ beneficial owners. A decade later, establishing that ultimate ownership remains both the most important and the most difficult task in anti-money laundering compliance.

A watershed moment, but not a starting point

It would be a mistake to credit the Panama Papers with inventing beneficial ownership as a compliance concern. The Financial Action Task Force (FATF), an intergovernmental organization created to promote anti-money laundering (AML) activities, had long emphasized the risks of anonymous shell companies. The United Kingdom was already developing its Persons with Significant Control register; and the United States鈥� Treasury Department鈥檚 Financial Crimes Enforcement Network (FinCEN) had a draft of customer due diligence guidance in circulation before a single Mossack Fonseca document was made public.

Yet, what the leak of the Panama Papers did was something more powerful than create law 鈥� it created political will.

The leak showed, with granular specificity, how shell companies, nominee directors, layered trusts, and intermediary accounts could be stacked together to place meaningful distance between regulators and the individuals who actually control the assets. These were not fringe techniques; rather, they were routine services offered at scale to clients in more than 200 jurisdictions. The “gatekeeper problem” 鈥� the tendency of lawyers, accountants, and formation agents to introduce clients without responsibility for verifying who those clients ultimately were 鈥� was no longer theoretical. It was documented, widespread, and systemic.

What the decade of response produced

The regulatory response to the Panama Papers was substantial, even if ultimately uneven in execution.

In the US, FinCEN’s 2016 CDD Final Rule standardized what many institutions were doing selectively: requiring identification and verification of beneficial owners of legal-entity customers using a 25% ownership threshold and a control prong. For the first time, this was an enforceable expectation across covered financial institutions 鈥� not a best practice, but a mandate.

The regulatory response to the Panama Papers was substantial, even if ultimately uneven in execution.

Globally, the momentum was stronger. The European Union moved through successive Anti-Money Laundering Directives, expanding registration requirements and tightening obligations for designated non-financial businesses and professions. Ultimately, the EU established the Anti-Money Laundering Authority (AMLA) in its 2024 package to deliver cross-border supervisory consistency. And the FATF’s revised Recommendation 24 in 2022 raised the bar further, shifting the mission from collecting beneficial ownership data to ensuring it is accurate, current, and verifiable, with timely access for competent authorities. Having a register is not the same as having reliable information, and regulators have spent a decade making that distinction explicit.

The 2020 FinCEN Files added a further dimension. Where the Panama leak exposed the formation agents who were enabling shell company abuse, the FinCEN Files implicated the banks themselves, showing that suspicious activity reports (SARs) were being filed on transactions that institutions continued to process. Together, these successive leaks sustained the political will that the Panama Papers first generated.

The data is only as good as what’s behind it

The Panama Papers exposed that beneficial ownership frameworks could be gamed in ways that left regulators technically satisfied but substantively blind. Nominee arrangements created paper trails that went nowhere, and outdated register entries gave the appearance of compliance while concealing real control.

The lesson that proved most durable is that transparency requires verification, accessibility, and enforcement working together. A register without verification is a filing cabinet, verified data without accessible reporting channels is compliance theater, and accessible data without enforcement consequences for misrepresentation is an honor system.

For compliance professionals today, this translates into a concrete operational expectation. Enhanced scrutiny for complex legal entity customers is not optional. Nominee arrangements, offshore links, unexplained control structures, and identifying a politically exposed person (PEP) are not risk factors to note and move past. They are the scenarios that point to where the framework is most likely to fail, and examiners know it.

Where the picture gets complicated

Today, further progress is real, but uneven. In the US, the Corporate Transparency Act of 2021 was the most ambitious attempt to extend beneficial ownership reporting to companies themselves, not just the financial institutions serving them.

Under FinCEN’s March 2025 interim final rule, that ambition has been significantly narrowed: US-formed entities and US persons are now exempt, with reporting obligations falling primarily on certain foreign entities registered to do business domestically. That outcome followed a prolonged and contentious legal battle, involving multiple conflicting injunctions, a Supreme Court intervention, and sustained pushback from small business and industry groups, which ultimately made a political resolution rather than a judicial one the path of least resistance for the U.S. Treasury Department.

听The core problem shone by the Panama Papers leak in 2016 remains unresolved. A decade of regulatory response has only narrowed it.

Real estate reporting faces its own legal turbulence, with the Residential Real Estate Rule vacated and on appeal; and investment adviser AML coverage has been pushed to 2028, a delay driven in part by industry objections and competing agency priorities. These are not minor footnotes; rather, they are meaningful gaps in a system that was supposed to be closing.

Enforcement outcomes globally have been equally inconsistent. Panama’s own courts in a major Panama Papers-related trial in 2024. And Germany charged , the firm’s co-founder, in 2026. Jurisdiction still matters enormously, which is precisely what offshore structures were designed to exploit.

The durable lesson

Of course, none of this means the decade of reform was without consequence. It simply means the work is not done.

The Panama Papers’ most important legacy is not any specific regulation; rather it鈥檚 a permanently elevated expectation around knowing your customer, not just by name, but by ultimate beneficial owner, control structure, the credibility of information on file, and the ongoing monitoring that keeps that picture current. The most effective AML programs treat beneficial ownership as a living element of the customer relationship, not a checkbox at onboarding.

Still, the core problem shone by the Panama Papers leak in 2016 remains unresolved. A decade of regulatory response has only narrowed it and made it significantly harder to exploit, but as compliance professionals know better than most, the absence of a finding is not the same as the absence of risk.

You can find out more about the challenges of fraud identification and prevention here

Key insights:

• • • Fraud management works best as a connected workflow 鈥斕鼳ligning corporate fraud, AML, compliance, and investigation teams can strengthen visibility and response.

    • Monitoring must move beyond on-boarding听鈥� Existing customers require ongoing risk-based review, smart alerts, and transaction monitoring that can identify potentially suspicious behavior without overwhelming teams.

    • AI can accelerate investigations, but humans remain essential听鈥� AI-driven automation helps process data and prioritize alerts; however, skilled analysts are still needed to provide context, judgment, and industry expertise.

Fraud prevention represents only the first step in comprehensive fraud management. Organizations must develop robust detection and investigation capabilities to identify fraudulent activity and respond effectively.

Indeed, the most successful organizations think about fraud management in a systematic way, says Andrew Pellington, a senior director in Risk & Fraud solutions at 成人VR视频. 鈥淭he most successful organizations think about fraud management in more of a workflow phase that moves systematically from initial prevention through ongoing detection and into detailed investigation,鈥� explains Pellington.

Phases of organizational structures

Understanding how these phases interconnect and then building the proper organizational structures to properly execute them can help corporate risk, fraud & compliance teams create the foundation for effective fraud protection. These phases include:

1. Build organizational alignment across fraud and compliance functions

One of the most significant structural shifts in fraud management is the convergence of corporate fraud and anti-money laundering (AML) departments. Historically siloed, these functions are increasingly merging because fraud and money laundering are deeply intertwined. Fraudsters commit fraud, obtain illicit proceeds, and then need to launder those funds 鈥� effectively, two sides of the same coin, Pellington notes.

That means, financial and non-financial institutions can benefit from unified teams sharing data, processes, and expertise; and this convergence extends beyond AML and fraud to prevention, detection, and investigation phases. Organizations can gain competitive advantage when these functions share integrated toolsets, consolidated data sources, and cross-departmental communication. Before sharing knowledge across institutions, however, organizations must first establish robust information sharing across their own departments.

2. Establish monitoring systems for existing customers and accounts

As your organization moves through the fraud management workflow, the focus shifts from high-volume account opening activities to continuous monitoring of existing customers and account holders. This phase requires different tools, processes, and resources than does prevention.

Monitoring 鈥� both proactively and reactively 鈥� allows organizations to identify suspicious patterns and behaviors, then sophisticated systems must track transactions across time, identify deviations from normal behavior, and flag accounts for review.

Proactively, organizations should segment customers by risk level and establish review cycles: monthly for high-risk customers, semi-annual for medium-risk, and annual for lower-risk accounts. Reactively, they should deploy adverse media and sanctions alerts against public records, coupled with transaction monitoring models that specifically identify potential money laundering or structuring patterns.

“As you move through the monitoring, now you’re looking at your existing customers and account holders, and then you get alerts thereafter,鈥� Pellington explains.

3. Implement alert systems and prepare for regulatory scrutiny

While effective monitoring generates alerts that bridge passive systems and active investigation teams, these alerts need to be calibrated to identify genuine fraud risks without overwhelming investigators with false positives. This requires regular tuning and coordination between technology and investigation teams.

Organizations should adopt scenario planning and war games to test their processes by simulating potential fraud cases, regulatory inquiries, and adverse media incidents. Fraud incidents are a matter of when, not if, Pellington says, and those organizations that proactively test their response processes 鈥� rather than waiting for actual events 鈥� will maintain regulatory confidence and demonstrate institutional readiness.

4. Leverage AI while maintaining human expertise in investigations

While AI-driven automation of some work processes is a big advantage, deeper dive investigations require specialized expertise that cannot be fully automated. This is where generative AI (GenAI) and agentic AI can create significant opportunities. Agentic AI can prescreen alerts and determine which warrant investigation; and GenAI can rapidly produce enhanced due diligence reports by pulling together transaction histories, communications, vendor relationships, and public records.

Automating this work frees specialized fraud analysts to focus on what humans do best 鈥� applying industry knowledge and making judgment calls. Indeed, investigation is equal parts art and science, Pellington explains, adding that AI excels at the science 鈥� processing data at scale, and humans excel at the art 鈥� understanding context, industry fraud typologies, and customer relationships.

5. Transform data into knowledge and wisdom

The final critical gap Pellington identifies is the journey from information to knowledge to wisdom. Organizations possess unprecedented volumes of data, yet many drown in it without extracting actionable intelligence.

More data doesn’t guarantee better decisions; and organizations must elevate information to knowledge, understanding what their peers are doing, what best practices exist, and which approaches work best for the organization. Wisdom then comes from sharing across institutions, learning from industry experts, and avoiding mistakes others have experienced. This requires deliberate peer learning and thought leadership engagement.

Preparing for the future of fraud

Fraud risks are evolving fast, and those organizations best positioned to keep up will be the ones that keep their teams connected, sharpen their investigative tools, and pair AI with human judgment to act faster and stay more resilient while proactively transforming data into actionable wisdom.

By implementing these five phases of fraud protection, organizations can improve their detection and investigation capabilities and create comprehensive fraud protection that evolves with emerging threats.

You can find out more about ways to

Key insights:

• • • AI is supercharging old fraud schemes听鈥� By making synthetic identities, deepfake scams, and customer fraud faster, more credible, and harder to detect, AI is amplifying fraud and crime.

    • The real vulnerability may be internal silos听鈥� Institutions need to be on the lookout, because what looks like a credit loss, an HR issue, or a payment request may actually be part of a wider multi-vector AI-enabled attack.

    • Institutions already have the tools to respond听鈥� Through KYC and internal and behavioral data, financial institutions have the ability to respond to fraud threats 鈥� but only if teams connect and act together.

Fraud and crime existed long before AI, of course, but today鈥檚 technology delivers an acceleration in speed, scale, and success rate for fraudsters, resulting in billions of dollars in losses for victims. AI-enabled frauds on financial institutions by 2027 in the United States alone, and of detected fraud attempts on financial institutions use AI 鈥� and of these, 29% are successful.

To respond effectively to these threats, institutions need to implement a unified response that brings together departments that may not traditionally be partners. This cross-functional coordination should include not only the institution鈥檚 fraud and financial crime risk teams but also its credit risk, cybersecurity, and human resources functions.

And this response is critical, because today, financial institutions are being targeted by multiple types of AI-enabled attacks, including tactics such as:

• • • use of synthetic identities to circumvent know your customer/customer due diligence (KYC/CDD) controls and perpetrate fraud or launder money;
    • use of deepfake identities to gain employment, particularly by North Korean IT workers;
    • AI-enhanced 鈥淐EO frauds鈥� to deceive staff into taking unauthorized actions; and
    • Bank customers may be targeted by fraud too, presenting further risk to financial institutions.

Let鈥檚 look at these threat vectors individually:

Vector 1: Synthetic identities and KYC/CDD

Synthetic identities can be entirely fabricated or may use combinations of real and fabricated personal information to create a new identity. For example, a fraudster may construct a synthetic identity using a Social Security number exposed during a data breach combined with an AI-generated passport.

This threat is real and happening now: identifies that criminals have already used AI to successfully open accounts using falsified documents, photographs, and videos. And according to , synthetic identities were used to open as many as 3% of US bank accounts, representing millions of identities. Not surprisingly, these illicit accounts are used to commit fraud and launder the proceeds of money laundering.

Vector 2: North Korean IT workers

North Korean individuals have successfully gained employment as remote IT workers at American companies, often passing themselves off as US nationals using AI-generated face-swapping technology combined with proxy computers and false identity documents. North Korean IT workers are almost $800 million annually for the regime.

Institutions deceived into employing these workers are not only against North Korea, but they are also exposing commercially sensitive data and systems to an adversary state, increasing the possibility of theft, cyber-attacks, and extortion.

Vector 3: CEO Fraud

A 鈥淐EO fraud鈥� is a cybercrime in which an attacker impersonates an executive to deceive an employee into taking actions such as sending unauthorized wire transfers or disclosing sensitive information. AI accelerates these frauds by making them more personalized and credible.

In one of the more well-known examples, in an AI-enhanced CEO fraud in 2024 after the fraudster impersonated Arup Engineering鈥檚 CFO and requested a staff member to make several financial transfers. The criminals added credibility to the fraud by using a in which the target recognized many of their colleagues 鈥� unfortunately, all of them were deepfakes.

Vector 4: Frauds targeting customers

Where customers are targets, AI provides the scale, speed, and personalization to allow illicit actors to deliver individualized fraud. For example, whereas romance scams previously used repetitive scripts and re-used the same images of the romantic 鈥減artner,鈥� fraudsters can now use AI-generated messages, images, or videos, continuously adapting the execution of the scam to the target鈥檚 responses and behaviors.

Creating a cross-functional and unified response

The examples above demonstrate the diverse and highly sophisticated uses of AI by illicit actors, both adversary states and criminal networks. Detecting and responding to these illicit activities requires joint action between teams that may not traditionally work closely together.

For example, if an account holder fails to repay a loan, the credit team may consider it to be a default by a legitimate customer and write it off as a credit loss. However, if the account was opened using a synthetic identity, investigation may reveal other accounts that share similar customer data points or transactional patterns. This could reveal a network of accounts that are perpetrating a fraud or money-laundering scheme. To detect and respond effectively, joint action is needed between KYC/CDD on-boarding teams, financial crime investigators, and fraud and credit risk professionals.

Alternatively, for HR teams to effectively identify use of face-swapping videos during a hiring process, knowledge from the organization鈥檚 cybersecurity team, especially of deepfake indicators, would be valuable. If a North Korea IT worker is hired and only later identified, cybersecurity and sanctions teams must be involved in the response to mitigate data, network, and compliance exposures.

Detecting and responding to all illicit activities requires joint action between teams that may not traditionally work closely together.

Finally, all staff may be targeted by deepfake fraud, but those in senior positions or departments with financial authority are the most vulnerable. This means it is essential for institutions to deliver employee training using real-life case studies, 鈥渘ear misses,鈥� and scenarios drawn from across the institution and industry. This type of training will increase vigilance and minimize the likelihood of a successful attack.

For customers, financial institutions are well-positioned to identify indicators of fraud due to their extensive datasets of KYC/CDD records, transactional, and behavioral information. Institutions should enhance their customer relationships (as well as meet applicable regulatory requirements) by taking proactive measures to inform and protect their customers.

While AI has accelerated fraud and crime, financial institutions also hold valuable and relevant assets: the knowledge distributed across their cybersecurity, HR, credit risk, financial crime compliance, fraud, and KYC/CDD teams. By connecting these teams together, even in contexts in which these departments have not traditionally been partners, institutions will be well-positioned to protect both themselves and their customers from illicit actors鈥� sophisticated AI-enabled threats.

You can learn more about the fraud-fighting challenges faced by financial institutions and other organizations here

Key highlights:

• • • AI governance is hard to prove in practice 鈥� While our research shows that 44% of companies publish an AI strategy, 76% of those same companies show no evidence of having policies to evaluate the quality of data used to train AI systems.

    • Workers are being left under-prepared and under-protected 鈥� Only 14% of companies have policies to mitigate the negative impacts of AI on workers, and only 31% offer any reskilling or training programs around adapting to an AI-integrated workplace.

    • Human rights and ethics appear an afterthought in AI governance 鈥� Almost three-quarters (72%) of companies conduct no AI impact assessments, and less than 1 in 10 companies conduct ethical or human rights assessments.

There is a widening chasm at the heart of corporate AI governance, according to a new report, , published by the 成人VR视频 Foundation and the United Nations Educational, Scientific and Cultural Organization (UNESCO).

The Foundation鈥檚 analyzed publicly available information from nearly 3,000 companies across 11 industry sectors, creating the most comprehensive picture yet of how organizations are managing AI.

Beneath the surface of corporate AI governance mechanisms, divergence between the speed of AI adoption and meaningful human oversight is growing. The report’s findings make clear that this is no longer a gap that organizations can afford to ignore, especially when backlash against is growing and are solidifying among consumers in the United States.

Data highlights the illusion of AI governance

Businesses of different sizes and across multiple sectors are adopting AI technology at a rapid pace. When governance exists only in the wording of a strategy or company vision, however, the people most affected by AI systems 鈥� workers, consumers, and communities 鈥� are left vulnerable. According to the report:

• • • 44% of companies publicly communicate having an AI strategy. However, a gap in AI governance is evident as more than three-quarters of those companies (76%) do not seem to have policies to evaluate the quality of data used to train AI systems.
    • 40% of companies report board- or committee-level oversight of AI. At the same time, strategic signals do not necessarily indicate operational capacity or day-to-day governance. In fact, less than one-third of all sampled companies claim to have an additional team or resource dedicated to AI governance. Moreover, limited information is publicly disclosed on the teams, processes, and accountability mechanisms that translate intent into action.

Workers are being left behind

Research by the International Monetary Fund finds almost , highlighting the acute nature of concerns about job displacement and declining opportunities for some groups. Without sufficient oversight, AI can threaten workers’ rights, amplify bias, and increase surveillance and work intensity, which can enable inhumane decision-making at scale.

The TR Foundation/UNESCO report notes that many companies are adopting AI without the safeguards needed to support workers and help them to adapt to the changes this technology brings. Less than one-third of companies were shown to offer training and reskilling programs for employees who may be adapting to an AI-integrated workplace. Even within the 31% of organizations in which these training programs exist, there is a vast variation in the scope and depth of the training offered.

In fact, many company training programs are not enterprise-wide or structured. Instead, they are ad-hoc or limited to leadership roles. This lack of investment in talent risks undermining the significant investment that companies are making in AI.

Despite growing pressure from regulators, policymakers and social justice campaigners, the ethical impact of AI appears poorly governed, with companies sharing limited information publicly.

The picture on worker protections is equally concerning. Only 14% of companies have public policies in place to mitigate the negative impacts of AI systems on workers, the report shows. This means the majority of companies either have no policies in place or do not publicly communicate them.

What is more troubling is that when workers experience harm, there is almost nowhere for them to turn. Only 2% of companies indicated they had a complaints mechanism 鈥� a critical early warning system for potential concerns. The findings suggest many organizations lack a mechanism for AI-related internal complaints beyond the broad generic complaint channel, and this is compounded by low awareness of the areas in which AI systems may infringe employees’ rights and protections.

Ethics and human dignity as an afterthought

Despite growing pressure from regulators, policymakers and social justice campaigners, the ethical impact of AI appears poorly governed, with companies sharing limited information publicly.

Human rights and ethical use of AI are treated as secondary considerations to compliance, according to our research. The majority of companies (72%) do not conduct any impact assessment with regard to AI. Only 7% publicly communicate conducting a fundamental or human rights impact assessment, and just 5% report conducting an ethical impact assessment.

Among those companies conducting some form of impact assessment, the focus skews sharply toward compliance rather than people. The most prevalent assessments are privacy or compliance-focused, with 18% of those companies that conduct some form of impact assessment reporting that they conducted a data protection impact assessment, and 14% reporting they conducted a privacy impact assessment.

How to center people in AI governance

Closing this governance gap is essential for companies in order to adopt AI responsibly and avoid costly legal, ethical operational, talent-related risks.

To support companies in navigating this challenge, offers a free survey to help companies map the areas in which AI is used across products, operations and services, and then benchmark those against peers their sector.

The report also contains case studies from companies that voluntarily shared their responsible practices with us. For example, German software company SAP intentionally designs and deploys its internal AI systems with a human-in-the-loop in which AI automates repetitive tasks and supports decision-making while final judgment and complex problem-solving remain firmly in the hands of employees.

As AI becomes part of core business infrastructure, companies must move beyond statements of intent and toward measurable AI governance.

In another example, BASF, a German chemical conglomerate, has jointly agreed with its workers’ councils on a general reskilling program that covers technical, hard, and soft skills. Finally, Canadian telecom company TELUS’ Indigenous Advisory Council provides guidance on AI ethics issues that directly affect indigenous communities.

Next steps for companies

The TR Foundation/UNESCO report highlights the most impactful concrete commitments that companies can take now to future proof against AI-related risk, including:

• • • investing in structured, enterprise-wide worker-reskilling programs that measure outcomes, not just participation;
    • establishing enforceable human rights impact assessments as a standard part of AI deployment, not as an optional addition; and
    • creating accessible, AI-specific internal grievance mechanisms so that workers and users have a genuine pathway to raise concerns and seek remedy.

As AI becomes part of core business infrastructure, companies must move beyond statements of intent and toward measurable AI governance. While this data demonstrates clear governance gaps, it also presents an opportunity for companies to take the lead on implementing responsible AI that operates openly in the public interest.

You can learn more about

Key insights:

• • • Define your risk appetite 鈥� A clearly defined fraud risk appetite aligns prevention efforts with strategic objectives and ensures accountability by establishing acceptable levels of fraud risk across the organization.

    • Create a fraud-specialized team 鈥� Dedicated ownership of the vendors that supply fraud solutions by a fraud-specialized team 鈥� rather than by the procurement function 鈥� is critical to maximizing technology performance and adapting to emerging threats.

    • Establish a specialized prevention division 鈥� The rise of sophisticated scams demands the creation of a separate, specialized prevention division to avoid overburdening core fraud teams and ensure targeted, effective responses.

Corporate fraud represents one of the most significant risks facing organizations today. Yet many companies lack the structured governance and technology infrastructure needed to combat fraud effectively.

The solution requires that comprehensive fraud prevention frameworks be built on clear governance, proper technology deployment, and data-driven insights, according to Aaron Frye, Founder & CEO of Lucid Point Consulting. Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results. These five pillars include:

1. Develop a fraud risk appetite

Effective fraud prevention begins with a well-defined fraud risk appetite that tells the right story to the right stakeholders. Your framework must communicate to your board, executive leadership, and operational teams the level of fraud losses your organization should tolerate, and in which areas you should prioritize fraud prevention investments.

The fraud risk appetite framework must address several key considerations; for example, it should define the level of fraud risk that aligns with the organization’s growth objectives, identify the areas of greatest vulnerability, and evaluate which investments will yield the strongest return. Equally important is the ongoing monitoring and communication of progress through regular reporting on fraud risk metrics, vendor assessments, and investigation outcomes. These actions demonstrate to stakeholders that fraud prevention remains an active priority for the organization and ensures that fraud risk continues to inform organizational decision-making.

2. Establish clear ownership of risk-solution vendors

Many organizations invest significantly in fraud detection tools only to see disappointing returns. The problem often lies not in the tools themselves, but in unclear ownership and accountability for their performance.

Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results.

If your organization lacks a designated person or team within your fraud strategy function whose job it is to ensure the risk-solution tools you鈥檙e getting from vendors are the best for your enterprise, you likely aren’t getting the most out of your vendors. This dedicated fraud service ownership role must act as your internal champion, evaluating vendor performance, staying current with product enhancements, and ensuring integration with other fraud prevention initiatives.

Critically, procurement, sourcing, and vendor management functions should never own this role. These teams, by the nature of their titles and responsibilities, don’t prioritize fraud. They lack the specialized knowledge required to assess whether your fraud detection technology is performing optimally or adapting to emerging threat landscapes. Without dedicated fraud expertise overseeing your technological investments, advanced tools sit underutilized and critical fraud signals go undetected.

3. Develop a fraud governance function

Every organization should have a dedicated fraud risk governance team within its fraud risk management organization. This governance function serves as your second line of defense, working proactively to reduce operational chaos within your fraud strategy, operations, and investigation groups.

If a non-fraud governance function owns fraud governance, you are guaranteed not to be getting the best form of governance. Fraud is a specialized discipline requiring dedicated expertise and focus; and your governance team must develop policies, establish standards, monitor control effectiveness, and ensure consistent application of fraud prevention practices across the enterprise.

4. Document existing risks and resource gaps

One of the most important responsibilities of your fraud governance function is identifying and documenting the areas related to fraud risk that your current fraud risk teams don’t have time to review. Due to capacity constraints, it is impossible for many fraud risk teams to cover all open gaps. Your organization must understand those open gaps and not be ashamed to address them.

Create an action plan that documents open risk and self-identified issues that your current team cannot adequately address. This transparency demonstrates clear-eyed realism about your organization鈥檚 limitations and creates the business case for requesting additional resources or engaging external consultants to help close these risk gaps.

5. Address the growing scam-prevention challenge

needs its own prevention strategy division within your fraud risk function. Compromised business email, investment scams, and vendor fraud schemes represent an entirely new category of fraud risk that demands specialized attention.

Every organization should have a dedicated fraud risk governance team that serves as its second line of defense, working proactively to reduce operational chaos within corporate strategy, operations, and investigation groups.

There has never been a full manageable grip on fraud prior to the spike in scams. Therefore, you cannot expect your existing fraud risk teams to tackle a new wave of scams as a priority as well as to manage traditional fraud prevention responsibilities. Your core fraud function manages internal control systems, transaction monitoring, and investigation protocols. Adding comprehensive scam prevention to this workload without dedicated resources guarantees that identifying and preventing scams will receive insufficient attention.

Establish a dedicated scam-prevention division focused specifically on emerging scam threats, employee education, scam-specific prevention technology, and response protocols. This specialized approach ensures sophisticated scam schemes receive the expertise and resources necessary while your core fraud function continues addressing traditional fraud prevention requirements.

Going forward into the fight against fraud

In an era of escalating fraud threats, reactive detection is no longer sufficient. Organizations must adopt a proactive stance grounded in strong governance, clear accountability, and strategic resource allocation.

By defining a fraud risk appetite, assigning ownership of fraud prevention tools, strengthening governance, documenting unaddressed risks, and establishing a dedicated scam prevention function, companies can build resilient, forward-looking fraud prevention frameworks. These five pillars enable organizations to anticipate threats, allocate resources effectively, and protect both financial performance and reputational integrity.

Today, the path to fraud resilience begins not with technology alone, but with deliberate, enterprise-wide commitment to proactive risk management.

You can find out more about ways to

Key insights:

• • • Prediction markets sit in a regulatory gray zone 鈥� Prediction markets鈥� economic function often looks much closer to gambling than traditional finance.

    • That ambiguity creates an AML blind spot 鈥� This blind spot allows potentially weaker controls around KYC, source of funds, sanctions screening, and suspicious activity reporting.

    • Banks and payment processors should focus on actual risk, not labels 鈥� Reputational, legal, and financial crime risk exposure can arise long before regulators clarify the rules.

Prediction markets have grown into a multi-billion-dollar ecosystem, offering the ability to enter into a contract to predict the outcomes on everything from elections and sports games to economic data and weather events. Yet as these platforms expand, they operate in a regulatory gray zone that raises serious questions for banks, payment processors, and compliance professionals.

Yet, the classification question that regulators and financial institutions continue to debate is not merely academic. It determines whether prediction market platforms will face the same anti-money laundering (AML) and know-your-customer (KYC) obligations as casinos and sportsbook venues, or whether prediction markets can continue to operate with minimal compliance oversight. This distinction has real consequences for the financial system.

鈥淧rediction markets are not just a classification problem, they represent a structural gap in how financial crime risk is currently understood and managed,鈥� says James Lephew, Founder & CEO of , a Charlotte-based consulting firm that serves major gambling operators and financial institutions globally.

Clarification is required in classifying this sector

Prediction markets occupy an ambiguous middle ground. Market operators position their platforms as financial derivatives or forecasting tools rather than gambling venues, emphasizing price discovery and statistical analysis over chance-based wagering. A contract on the outcome of a presidential election or a sports event, they argue, reflects crowd-sourced probability estimates grounded in information aggregation, not gambling luck.

Yet the fundamental mechanics raise legitimate questions. A user who buys a contract predicting that a candidate will lose an election is, in economic terms, wagering money on an uncertain outcome. The distinction between betting on a football game and trading a contract on the outcome of that same game becomes difficult to defend from a regulatory standpoint 鈥� and this classification matters enormously.

The distinction between betting on a football game and trading a contract on the outcome of that same game becomes difficult to defend from a regulatory standpoint 鈥� and this classification matters enormously.

If prediction markets are treated as gaming operations, they trigger Title 31 obligations under the Bank Secrecy Act, including currency transaction reporting, suspicious activity reporting (SAR) requirements, and comprehensive KYC procedures. If on the other hand, prediction markets are classified more akin to financial markets, these requirements may not apply. Currently, many prediction market platforms claim financial market status, allowing them to operate outside gaming regulations and with potentially weaker AML controls.

There is a compliance gap

Without clear regulatory classification, prediction markets create a significant AML blind spot. Casinos must report cash transactions exceeding $10,000, conduct source-of-funds reviews, and maintain detailed customer profiles. Sportsbooks face licensing requirements, geolocation checks, and responsible-gaming safeguards. Prediction market platforms, by contrast, often operate with minimal reporting obligations.

This gap introduces concrete risks. Digital wallets and cryptocurrency channels can obscure the source of funds. Structuring and layering of sources become easier without robust verification, further clouding who exactly playing in these markets. Collusive trading through multiple accounts allows value transfer that may go undetected. And VPN use and foreign payment channels can enable sanctions evasion.

Further, without mandatory SAR reporting, suspicious patterns tied to money laundering, terrorist financing, or market manipulation may never reach law enforcement.

“What we’re seeing is an AML blind spot,鈥� says Lephew. 鈥淧latforms enabling financial flows with characteristics of gambling, but without the controls that regulators would normally expect.” Until classification catches up with the technology, he adds, this blind spot remains open 鈥� and exploitable.

Why this matters for banks and processors

Banks and payment processors that support prediction market platforms may carry significant reputational and legal risk if they haven’t conducted thorough due diligence 鈥� and they cannot rely on a platform’s self-classification as a financial market or forecasting tool. Nevada and other jurisdictions are actively examining whether these platforms constitute gambling, echoing concerns from the American Gaming Association that products carrying similar economic risks deserve similar regulatory treatment.

If a product allows participants to wager on uncertain outcomes and creates risk that is substantially similar to gambling, it should face AML and customer identification requirements proportionate to that risk.

“Risk must be assessed based on how the product actually behaves, not how it is marketed,” Lephew explains. And that means evaluating whether a platform applies robust KYC procedures, verifies the source of deposits and beneficial ownership, screens against sanctions lists, reports SARs to the government, prohibits contracts on high-risk events such as assassinations or terrorism, and uses geolocation controls to block users in restrictive jurisdictions. Those answers matter far more than whatever label the platform chooses, Lephew says.

The path forward

Regulators have several options. One approach applies gaming regulations uniformly, treating all prediction markets with economic characteristics similar to gambling as gaming operations subject to Title 31. A second approach creates explicit financial market classification with statutory AML obligations and enhanced scrutiny of high-risk contracts. A third option adopts a tiered or risk-based framework, classifying contracts on lower-risk events such as economic data or weather under financial market rules, while sports and election markets could face enhanced scrutiny. Violent outcome markets would be prohibited entirely.

Regardless of which path regulators choose, the principle should be the same: Classification should follow economic function. If a product allows participants to wager on uncertain outcomes and creates risk that is substantially similar to gambling, it should face AML and customer identification requirements proportionate to that risk.

Financial institutions should not wait for regulatory clarity. They should apply rigorous due diligence now, treating prediction markets with a heightened level of scrutiny appropriate to their actual risk profile rather than their claimed legal status.

The goal is not to eliminate prediction markets, but to ensure they operate within a framework that prevents money laundering, terrorist financing, and market abuse. “If it looks like gambling, behaves like gambling, and carries the same financial crime risk, it should be regulated accordingly,鈥� Lephew notes. 鈥淎nything less creates systemic exposure.”

You can find out more about the challenges financial institutions face in their anti-money laundering efforts here

Key insights:

• • • Human rights and environmental sustainability in sports are inseparable 鈥� Environmental harms from major sporting events 鈥� such as pollution, extreme heat, and flooding 鈥� directly undermine fundamental human rights including health, housing, and safe working conditions.

    • Mega sporting events require an integrated, lifecycle-wide approach 鈥� From supply chains and stadium construction to urban planning and event delivery, the sports industry鈥檚 environmental footprint and human rights impacts span the full lifecycle of these events, demanding a single, integrated playbook.

    • Accountability extends to sponsors and partners, not just hosts and organizers 鈥� As scrutiny from regulators, media, and civil society grows, sponsors and corporate partners are increasingly seen as responsible for the combined human rights and environmental impacts of the events they support.

This blog post was co-written with Sreeratna Kancherla and Anna J. Christians of the Henekom Group.

Sports are entering a defining decade. The convergence of climate and nature risk, growing environmental accountability, and increasing scrutiny of how mega sporting events affect the communities that build and host them has brought a long-overdue challenge to the center of sports governance.

Due to their scale, frequency, and global reach, the upcoming FIFA World Cup 2026 and the 2028 Olympics to be held in Los Angeles, alongside competitions such as the 2027 Rugby World Cup and the ICC Men’s T20 World Cup, form part of an ambitious pipeline of major events in a generation. How the sports sector responds to that challenge will shape how the next era of global sport is planned, delivered, and remembered.

Human rights due diligence during mega sporting events and environmental sustainability are often thought of as neighboring agendas, related but managed separately. In practice, however, they are inseparable. When air quality deteriorates, the right to health is at stake. When flooding displaces communities, the right to housing and livelihood is at stake. When extreme heat makes outdoor labor dangerous, the right to safe working conditions is at stake.

The environment is the condition in which human rights are either protected or violated, and sustainability, properly understood, is the commitment to preserving those conditions for current and future generations.

The need for an integrated playbook

The case for an across the lifecycle of sport reflects the scale and complexity of the sporting industry鈥檚 impact, with emissions comparable to those of a midsize country, according to . The industry’s heavy reliance on plastics across stadiums, equipment, and apparel contributes to pollution that worsens the global environmental crisis. And those environmental choices carry human consequences at every stage, for the workers who build the facilities, the residents who live alongside them, and the fans who attend the events.

The environmental footprint of the sports industry touches people across the entire lifecycle of a major event. The supply chains necessary to deliver a mega-sports event span facility development, apparel, technology, and food & beverage. These industries are among the highest risk for labor exploitation, migrant worker abuse, and unsafe working conditions. When a host city builds a stadium and hosts events there, the environmental impact is measurable and so is the human rights impact on the workers building the stadium. Indeed, this impact extends to the neighborhoods that may be displaced to make room for it, and to the residents left to live alongside its infrastructure once the event has ended.

You can find more about the resources, tools, and information that cities and organizations need to address听human trafficking around large-scale sporting events at the 成人VR视频 Institute鈥檚 Large-Scale Public Events Toolkit here

In addition, major events that rely on street circuits or temporary urban infrastructure can significantly reshape public space and surrounding neighborhoods. Air pollution, construction zones, and rising short-term rental demand also may displace residents and the unhoused population, restrict access to services, or place pressure on already fragile housing markets. In these cases, mega-sports event planning intersects directly with citizens鈥� rights to housing, mobility, and access to public space.

Expanding accountability

, rooted in the , is the structured process that makes those consequences visible and gives sustainability strategy its human accountability. Because environmental and human rights impacts are inseparable in practice, that accountability extends beyond organizers and host governments to the sponsors and corporate partners of the event. Many operate in sectors which already face scrutiny over their global supply chains; and therefore, alignment with a contentious event can amplify these vulnerabilities while inviting additional public and regulatory attention.

As the regulatory landscape, advocacy groups, and the media intensify their focus on the impact of these mega-sport events, sponsors are increasingly seen not only as influential stakeholders, but as actors with a degree of responsibility for the combined environmental and human rights impacts of the events they fund and support.

Moving from principle to practice

For example, Mercedes-Benz Stadium in Atlanta 鈥� home of the NFL鈥檚 Atlanta Falcons along with a venue for soccer and concerts 鈥� demonstrates that environmental performance and community impact are the same priority and can be pursued through a single design brief. Indeed, it was the first stadium worldwide to receive for zero waste, and its 2.1-million-gallon system helps prevent flooding in neighboring communities. Additionally, the stadium created targeted employment through the and delivered staff training to more than 700 people.

The same integrated logic is now being applied at the event level. Ahead of the FIFA World Cup 2026, host city organizing committees in Houston and Dallas introduced听that address labor exploitation, including human trafficking risks, alongside targeted environmental measures. These measures are treated as a single procurement workstream to be addressed through an integrated response.

Leadership, legacy & the decade ahead

The organizations that will define the next decade of global sports are those that treat human rights and environmental sustainability not as parallel strategies but as two expressions of the same obligation to the people and communities on which sports depend.

This means designing facilities with both environment and humanity in mind from the outset, managing worker rights and environmental standards together across supply chains, and placing extreme heat measures, labor protections, community access, and sustainability targets within a single accountable governance framework.

Governing bodies, organizing committees, sponsors, and host cities that act on this integrated approach have the opportunity to build systems that are more responsible, more durable, and more trusted to define what credible and future-ready sports event management looks like.

You can find more about the impact of mega-sporting events on communities here

Key insights:

• • • SAR volume is significantly underreported 鈥� Continuing and amended filings add approximately 20% to the official count yet remain invisible in trend analyses.

    • Filing activity is highly concentrated 鈥� A few large financial institutions dominate SARs volume, meaning trends reflect their practices more than systemic changes.

    • Agentic AI will drive a surge in SARs 鈥� Agentic AI risks increased noise over actionable intelligence, without addressing the unresolved question of whether current filings yield meaningful law enforcement outcomes.

The Suspicious Activity Reports (SAR) that financial institutions file with the U.S. Treasury Department鈥檚 Financial Crimes Enforcement Network (FinCEN) provide valuable insight, although they may not offer a comprehensive picture.

Prior to meaningful discussions regarding the future of SARs, it is essential for the financial crime community to clarify what is being measured. In 2025, for example, SAR filings of more than 4.1 million, representing an almost 8% increase compared to the total number of SARs filed in 2024.

Every figure FinCEN has published reflects original SARs only. Continuing activity SARs, which represent roughly 15% of all filings, are submitted under the original Bank Secrecy Act (BSA) identification number and never appear as new filings. Corrected and amended SARs add another 5% on top of that. This makes the real volume of SARs activity approximately 20% higher than what is reported.

The average community bank files fewer than one SAR a week, while the largest institutions file more than 500 a day.

Recent FinCEN guidance giving financial institutions more flexibility around continuing activity SARs sounds significant on paper, but as former Wells Fargo BSA/AML chief Jim Richards points out: “It won’t change the reported numbers 鈥� because those filings were never counted to begin with.” Financial crime professionals need to keep that gap in mind every time a trend line gets cited.

2025 was steady, not spectacular

There were roughly 300,000 SARs filed every single month of 2025, and the most notable thing is that nothing notable happened. That is likely a first on the volume side and worth acknowledging, but beyond that milestone the year did not hand financial crime professionals anything noteworthy. In a space that has dealt with pandemic distortions, crypto chaos, and fraud spikes that seemed to come out of nowhere, steady volume and predictable patterns are a little surprising. A quiet data set, however, is not the same as a quiet landscape, and financial crime professionals who are reading stability as stagnation may find themselves flat-footed when the numbers start moving again.

For example, one of the most underleveraged insights in the SARs space is just how concentrated filing activity really is. The numbers are stark: The top four banks file more SARs in a single day than 80% of the rest of the banks file in 10 years, according to 2019 data from a .

The average community bank files fewer than one SAR a week, while the largest institutions file more than 500 a day. “50 a year versus 500 a day,” notes Wells Fargo鈥檚 Richards, adding that such asymmetry has real implications for how the financial industry interprets trends. Meaningful movement in SARs data, up or down, is almost entirely dependent on what a handful of mega-institutions decide to do.

Not surprisingly, money services businesses (MSBs) are the second largest filing category, and virtual currency exchanges are almost certainly driving recent growth there, even if outdated category definitions make that difficult to confirm directly. Credit unions round out the top three.

The filing philosophy hasn’t changed and shouldn’t

Regulatory noise occasionally suggests that institutions should be more selective about what they file. However, compliance and legal reality have not shifted. No institution has ever faced serious consequences for filing too many SARs, and the cases that result in enforcement actions, reputational damage, and regulatory scrutiny are consistently about missed filings or late ones.

鈥淵ou’re not going to get in trouble from filing too much,鈥� Richards says. 鈥淣obody ever has, and I doubt if anyone ever will.” For financial crime professionals, the calculus remains exactly what it has always been 鈥� when in doubt, file. That posture isn’t going to change, and frankly it shouldn’t.

Yet, here is where the SARs space gets genuinely interesting. Agentic AI use in SARs filings 鈥� systems in which multiple AI agents work through a case from screening to decision to documentation 鈥� is beginning to move from concept to deployment. The impact on filing volume likely will be significant.

The risk is a system flooded with AI-generated SARs of variable quality, creating more noise for law enforcement to sort through rather than sharper intelligence to act upon.

Whereas a small team today might work through a handful of cases a week, AI-assisted workflows could push that into the dozens. Multiply that across institutions already inclined to file rather than miss something, and the result is a coming surge in SARs volume that could play out over the next two to four years.

“Agentic AI has the potential to be a game changer on how we do our work,鈥� Richards explains. 鈥淏ut I believe it’ll guarantee that there will be more SARs filed and not necessarily better and fewer SARs filed.” Indeed, the critical point for the financial crime community to internalize is exactly that.

The risk is a system flooded with AI-generated SARs of variable quality, creating more noise for law enforcement to sort through rather than sharper intelligence to act upon. Once the largest institutions adopt agentic AI as a best practice, others will follow quickly, and regulators will likely be several steps behind.

The value question can’t wait

The has been in place since 2014. Yet after 12 years of filings, the financial crime community still lacks a clear public accounting of whether that data has produced actionable law enforcement outcomes.

So, the question Richards is asking is one the entire industry should be asking: “Has anybody asked law enforcement?”

This question reflects a larger challenge that the industry needs to confront more aggressively, especially as AI technology is set to dramatically increase filing volume across the board. Increasing the volume without improving how the information is used does not represent progress. If SARs are not generating real investigative value, the solution is not to file more of them faster 鈥� instead, the pipeline should be fixed before it grows any bigger.

You can find more about the challenges that financial institutions face in managing SARs here

• • • The ceasefire is between the US and Iran and is not a regional peace 鈥�听Israel launched its heaviest strikes yet on Lebanon within hours of the announced deal. Iran hit oil infrastructure in Kuwait, the UAE, Bahrain, and Saudi Arabia 鈥� including the East-West Pipeline, the primary route for bypassing the Strait of Hormuz. Companies planning around a return to normal should instead plan around the idea that the war has narrowed, not ended.

    • If the disruption stays within one quarter, the economic damage is painful but reversible 鈥� The Dallas Fed projects WTI oil at roughly $98 per barrel with a modest GDP hit in a short-closure scenario. The catastrophic scenario 鈥� WTI above $132 with sustained negative growth 鈥� requires the closure of the war to drag past Q2. Every week the ceasefire holds improves the odds, but Iran’s strike on the Saudi bypass pipeline complicates even the optimistic timeline.

    • Iran may have stumbled into the most lucrative chokepoint tax in modern history 鈥� At conservative estimates, transit fees charged for traversing the Strait of Hormuz could generate $40 billion to $50 billion for Iran annually, or roughly 10% to 15% of Iran’s pre-war GDP 鈥� all at near-zero operating cost. That revenue stream inverts Tehran’s incentives. Indeed, keeping the toll system in place may now be worth more than restoring free transit.

On April 7, less than two hours before a self-imposed deadline that threatened the destruction of Iran’s civilian infrastructure, President Donald J. Trump announced a two-week ceasefire in the war in Iran that began on the last day of February and continued over 38 days of sustained air strikes by the Unites States and Israel. In turn, Iran carried out retaliatory attacks across over a dozen countries and forced the effective closure of the Strait of Hormuz.

With the ceasefire, all that has paused. Yet, the question every boardroom, general counsel’s office, and procurement team is asking right now is simple: How can I plan around this?

The honest answer is, not yet 鈥� and the first 24 hours have already shown why.

A fragile, but functional peace

The ceasefire is remarkably thin, and it鈥檚 based on three operative clauses: i) the US and Israel halt strikes on Iran; ii) Iran halts retaliatory attacks on the US and Israel; and iii) Iran allows “safe passage” through the Strait of Hormuz. Everything else 鈥� from nuclear terms, sanctions, reconstruction, and the legal status of Hormuz transit 鈥� has been punted to negotiations in Islamabad beginning April 10, with Pakistan mediating.

With the ceasefire, the question every boardroom, general counsel’s office, and procurement team is asking right now is simple: “How can I plan around this?”

However, what the ceasefire covers matters less than what it doesn’t. Within hours of the announcement, Israel launched its heaviest strikes yet on Lebanon, and Iran warned it would withdraw from the ceasefire if attacks on Lebanon continue. Meanwhile, Kuwait, the UAE, and Bahrain all reported fresh Iranian missile and drone strikes targeting oil, power, and desalination infrastructure after the ceasefire was in place. Most critically, Iran struck Saudi Arabia’s East-West Pipeline, the main route by which Gulf producers have been rerouting oil to bypass the blockaded strait.

That pipeline strike should command attention in every supply chain and energy risk briefing this week because it signals how shaky the agreement is, and that Iran remains a long-term threat to vital infrastructure across the region.

For companies operating in or sourcing from the Gulf, the practical implications are immediate. This is not a ceasefire that restores pre-war operating conditions; rather it is a bilateral pause between two belligerents while the regional war continues around them. Insurance premiums, shipping risk assessments, and supply chain contingency plans should reflect that distinction until there is a meaningful shift.

What does this mean for the next two weeks?

Both sides are claiming victory 鈥� and increasingly, claiming different deals. Trump called Iran’s 10-point proposal “a workable basis on which to negotiate”; and Iran’s Supreme National Security Council called the ceasefire a “crushing defeat” for Washington. The White House now says the 10-point plan Iran is publicly circulating differs from the terms that were actually negotiated for the ceasefire. Tehran, meanwhile, says there is no deal at all if Lebanon isn’t included 鈥� a condition the US has not acknowledged. And of course, the Strait of Hormuz remains closed.

These are not the hallmarks of a stable agreement; but they may be the hallmarks of a durable one. The deal is thin enough so that each side can brief its domestic audience on a different story, and as long as neither is forced to reconcile those stories publicly, the pause holds.

And the incentives to keep talking are asymmetric but real. The US has watched gas prices surge past $4 nationally as domestic support for the war 鈥� which started at levels best described as in a hole 鈥� continued to drop even further. Goldman Sachs raised its recession probability to 30% and JPMorgan to 35%, and every day the strait stays closed pushes those numbers higher. The administration needs the global economy to exhale and needs distance itself from a war so it can focus on other priorities, including an already difficult midterm election cycle.

With the ceasefire, all that has paused. Yet, the question every boardroom, general counsel’s office, and procurement team is asking right now is simple: How can I plan around this?

Iran, for its part, wants the bombing to stop. Its conventional navy has been functionally destroyed, its air defenses are highly degraded, its nuclear facilities have sustained severe damage, and its cities, bridges, and transportation networks have been hit repeatedly. The regime survived and arguably emerged with greater domestic legitimacy than it had before the war, but the physical toll is mounting. Tehran wants the strikes to stop so it can claim victory by survival without incurring any more costs.

This mutual exhaustion is the load-bearing structure of the ceasefire. If the ceasefire holds for 72 hours (as I think it might), and if the strait begins opening to escorted traffic by Friday as Iranian officials have signaled, and if neither side finds a reason to walk away before the Islamabad talks convene, then the ceasefire will likely be extended. Not because the underlying disputes get resolved, but because the cost of resuming hostilities exceeds the cost of continuing to talk. Expect a rolling series of extensions, probably 30 to 45 days at a time, that resolve nothing while letting global markets gradually stabilize.

As we wrote earlier this month, if the disruption remains limited to roughly one quarter, the oil price shock is painful but reversible, ugly, but manageable. And every week the ceasefire holds pushes the trajectory toward the manageable scenario.

What happens after the ceasefire?

Again, if the ceasefire holds, we then have to start thinking about how this conflict resolves. Not surprisingly, this is where it gets uncomfortable.

The conventional assumption in Washington and in global markets is that the Strait of Hormuz will return to normal once the fighting stops. That assumption underestimates what Iran has built.

Iran’s parliament is working to pass a Strait of Hormuz Management Plan, codifying its claimed sovereignty over strait transit and establishing a legal framework for collecting toll fees. Media reports indicate Iran has been charging vessels between $1 million and $2 million per transit and is planning to keep charging those tolls for all ships as the strait reopens. So, at $1 million per ship, and with up to 135 transits per day, 365 days a year, that’s about $40 billion to $50 billion in annual revenue for Iran, or up to 15% of Iran’s pre-war GDP. All at an operating cost that approaches zero.

Iran didn’t enter this war planning to build the most lucrative chokepoint tax in modern history, but it may have stumbled into exactly that.

Compare that to Iran’s oil sector, which generated approximately $53 billion annually in 2022 and 2023, required massive capital investment and maintenance, and was subject to constant disruption. The toll revenue is comparable in scale, dramatically cheaper to operate, and immune to sanctions. If the final number is even a fraction of this, it鈥檚 still a massive financial shot in the arm for Iran that could become a far greater advantage than the damage to capital that the war has inflicted upon the state.

Iran didn’t enter this war planning to build the most lucrative chokepoint tax in modern history, but it may have stumbled into exactly that.

Of course, this changes the structural incentives around the Strait of Hormuz in ways most analysts haven’t fully absorbed. A permanent toll system gives Iran a revenue base to rebuild the military assets it lost, reduce its dependence on oil exports, and fund domestic investment that could blunt future protest movements. The regime’s cost-benefit calculus has inverted: Keeping the toll operational in place may now be worth more than restoring the pre-war status quo.

For the US and Israel, the only way to dismantle this arrangement is by force and the last 38 days demonstrated the limits of that approach. The US achieved air and naval superiority, destroyed Iran’s conventional military, and killed the supreme leader. None of it was enough to compel capitulation, and in fact, may not have even come close. A second campaign faces the same likely result, against a population now unified by the experience of surviving the first one.

The war didn’t just disrupt global trade. It may have permanently repriced the most important shipping lane on Earth 鈥� and left every piece of energy infrastructure in the Gulf more vulnerable than it was before the first air strike landed.

You can find more about the global impact of the war in Iran here