Key highlights:

• • • Plans without funding are political theater, not strategy 鈥� Across the G20 and beyond, governments spend about $1 per vulnerable person per year, making the most comprehensive national action plans functionally undeliverable.

    • Corporate forced labor is a crime with no perpetrators 鈥� Despite an estimated tens of millions of victims in global supply chains, there has been only one forced labor investigation ever brought against a Fortune 500 company, exposing a near-total absence of criminal accountability in non-financial industries.

    • Real-time data accountability can work on a shoestring budgets 鈥� Uganda’s TipMap platform, built on a budget of just hundreds of thousands of dollars with NGO and US government support, demonstrates that transparent, publicly accessible prosecution tracking is achievable even for low-income countries 鈥� yet most wealthy nations have yet to replicate this model.

Every year, governments around the world publish sweeping national action plans to combat modern slavery, covering everything from vulnerable children, forced labor, and gender-based violence to prosecution targets and victim support. These action plans are, in many cases, genuinely comprehensive documents, and also in many cases, they are almost entirely unfunded.

That is the central finding of the (MSPI), a new tool developed by Duncan Jepson, Director of Strategy and Operations at . After decades working across supply chains, corporate law, and financial crime compliance in Asia, Jepson grew frustrated with a sector that was generating more conferences and consultants than criminal prosecutions. The MSPI takes a step back from that ground-level work and asks how governments are investing in this problem at a scale that matches their stated ambitions.

The answer, unsurprisingly, is that there is a big gap between plans and funding the execution of those plans. Across the G20 plus additional countries, total government spending on modern slavery prevention amounts to roughly $1.6 billion annually, Jepson notes. When measured against the estimated population of up to 2 billion people living in conditions of poverty and precarity that make them vulnerable to exploitation, the 鈥渋nvestment鈥� by governments works out to approximately $1 per person per year.

Grand plans & empty coffers

The MSPI evaluates governments across four dimensions, which include the context of exploitation within their borders, the comprehensiveness of their national action plan, the funding allocated to that plan, and the measurable outcomes produced. The gap between the second and third dimensions is the point at which the analysis reveals the most confounding gap.

Most national action plans, Jepson notes, look remarkably similar regardless of whether they come from wealthy nations or some of the poorest countries in the world. They include all the right elements; however, the problem is that the ambition of the plan rarely maps onto available resources. “If you see a similar kind of plan in a country which is not providing anywhere near the same investment, maybe only providing $10 million to $20 million,” then they’re clearly not going to be able to build the kind of institutional mechanisms and have them operational to achieve their stated ends, Jepson explains.

When measured against the estimated population of up to 2 billion people living in conditions of poverty, the 鈥渋nvestment鈥� by governments works out to approximately $1 per person per year.

This gap is partly a result of how these plans get written. Policy teams include every desirable outcome, every population group, and every intervention type because comprehensiveness signals seriousness. The result is what Jepson describes as a political product rather than a strategic one because it is detached from realities of resource constraints.

The three Ps framework 鈥� set out in the , which organizes anti-trafficking efforts around prevention, protection, and prosecution 鈥� has drifted from being a planning tool into being a target in itself. Governments check the boxes, publish the plan, and treat that as a win. The actual investment required to deliver outcomes becomes secondary.

Many perpetrators face no accountability

Perhaps the most sobering element of Jepson’s analysis concerns corporate accountability which, outside of healthcare and financial services, is extremely limited for criminal matters such as forced labor. Modern slavery in global supply chains, particularly forced labor in agriculture, manufacturing, fishing, and extractive industries, generates enormous profits. Prosecutions against the corporations involved are nearly nonexistent.

The , which Jepson brought to the U.S. Department of Homeland Security鈥檚 investigations unit a few years ago, remains a rare landmark. When he received a World Customs Organization award for the work, the citation described it as recognition for “the first investigation into a Fortune 500 company.鈥� Indeed, the fact that there is only one successful investigation in the entire history of Fortune 500 enforcement on forced labor is stunning in itself.

The structural reason for this, Jepson argues, is that non-financial industries operate without a criminal legal framework wrapped around their regulatory obligations. Banks are required to identify suspicious transactions, file reports, and de-risk clients connected to illicit activity, all under threat of serious legal regulatory consequence.

Modern slavery in global supply chains, particularly forced labor in agriculture, manufacturing, fishing, and extractive industries, generates enormous profits, while prosecutions against the corporations involved are nearly nonexistent.

Manufacturers, food producers, and commodity traders face no equivalent pressure. Their obligations tend to be framed in the language of sustainability and ethical sourcing, which are voluntary, subjective, and entirely company controlled.

When violations are discovered, the response is typically managed internally through grievance mechanisms, remediation programs, and consultant-led audits. Workers rarely have access to independent legal recourse and access to justice.

What good funding and enforcement should look like

Jepson is careful to point out that meaningful progress exists, even on limited budgets. , developed with support from the Human Trafficking Institute and US funding, provides a real-time, publicly accessible database of trafficking prosecutions and arrests. For a country investing only hundreds of thousands of dollars in this space, the platform demonstrates how transparency and institutional accountability can be achieved without enormous resources.

Italy and Germany both earn recognition for aligning their plans with their investment levels and for building on contextual knowledge. Yet neither country has solved corporate supply chain accountability, even though both demonstrate that coherent strategy tied to realistic resourcing produces better outcomes than aspirational planning without funding.

The US import ban mechanism, developed through U.S. Customs and Border Protection, remains the most significant enforcement tool in the world, although it鈥檚 still largely unique to one country.

The case for realistic investment

What Jepson would like to see instead is relatively straightforward. Governments need to develop a deeper, intentional recognition that their current spending levels are insufficient, he says, adding that investment in prevention also makes economic sense.

Every dollar not spent stopping exploitation upstream generates far greater costs in law enforcement response, victim and social services, and lost economic productivity downstream. Clearly, $1 per vulnerable person per year will not build the necessary infrastructure to protect anyone.

You can find out more about the challenges in combatting force labor in supply chains here

Key insights:

• • • The Panama Papers transformed beneficial ownership 鈥� The release of the Papers in 2016 changed the idea of beneficial ownership from a technical compliance footnote into a global policy imperative, and the pressure has not let up.

    • Regulatory responses have been significant but uneven 鈥� The EU has pushed forward aggressively, while US reforms under the Corporate Transparency Act have been substantially narrowed.

    • For compliance professionals, the enduring lesson is not about any single regulation 鈥� Rather, compliance professionals should have one goal: Maintaining the discipline of asking who, ultimately, is behind the transaction.

When 11.5 million documents from Mossack Fonseca were published on April 3, 2016, compliance teams across financial institutions around the world faced unprecedented pressure from senior leadership to prove they actually knew the true identities of their clients’ beneficial owners. A decade later, establishing that ultimate ownership remains both the most important and the most difficult task in anti-money laundering compliance.

A watershed moment, but not a starting point

It would be a mistake to credit the Panama Papers with inventing beneficial ownership as a compliance concern. The Financial Action Task Force (FATF), an intergovernmental organization created to promote anti-money laundering (AML) activities, had long emphasized the risks of anonymous shell companies. The United Kingdom was already developing its Persons with Significant Control register; and the United States鈥� Treasury Department鈥檚 Financial Crimes Enforcement Network (FinCEN) had a draft of customer due diligence guidance in circulation before a single Mossack Fonseca document was made public.

Yet, what the leak of the Panama Papers did was something more powerful than create law 鈥� it created political will.

The leak showed, with granular specificity, how shell companies, nominee directors, layered trusts, and intermediary accounts could be stacked together to place meaningful distance between regulators and the individuals who actually control the assets. These were not fringe techniques; rather, they were routine services offered at scale to clients in more than 200 jurisdictions. The “gatekeeper problem” 鈥� the tendency of lawyers, accountants, and formation agents to introduce clients without responsibility for verifying who those clients ultimately were 鈥� was no longer theoretical. It was documented, widespread, and systemic.

What the decade of response produced

The regulatory response to the Panama Papers was substantial, even if ultimately uneven in execution.

In the US, FinCEN’s 2016 CDD Final Rule standardized what many institutions were doing selectively: requiring identification and verification of beneficial owners of legal-entity customers using a 25% ownership threshold and a control prong. For the first time, this was an enforceable expectation across covered financial institutions 鈥� not a best practice, but a mandate.

The regulatory response to the Panama Papers was substantial, even if ultimately uneven in execution.

Globally, the momentum was stronger. The European Union moved through successive Anti-Money Laundering Directives, expanding registration requirements and tightening obligations for designated non-financial businesses and professions. Ultimately, the EU established the Anti-Money Laundering Authority (AMLA) in its 2024 package to deliver cross-border supervisory consistency. And the FATF’s revised Recommendation 24 in 2022 raised the bar further, shifting the mission from collecting beneficial ownership data to ensuring it is accurate, current, and verifiable, with timely access for competent authorities. Having a register is not the same as having reliable information, and regulators have spent a decade making that distinction explicit.

The 2020 FinCEN Files added a further dimension. Where the Panama leak exposed the formation agents who were enabling shell company abuse, the FinCEN Files implicated the banks themselves, showing that suspicious activity reports (SARs) were being filed on transactions that institutions continued to process. Together, these successive leaks sustained the political will that the Panama Papers first generated.

The data is only as good as what’s behind it

The Panama Papers exposed that beneficial ownership frameworks could be gamed in ways that left regulators technically satisfied but substantively blind. Nominee arrangements created paper trails that went nowhere, and outdated register entries gave the appearance of compliance while concealing real control.

The lesson that proved most durable is that transparency requires verification, accessibility, and enforcement working together. A register without verification is a filing cabinet, verified data without accessible reporting channels is compliance theater, and accessible data without enforcement consequences for misrepresentation is an honor system.

For compliance professionals today, this translates into a concrete operational expectation. Enhanced scrutiny for complex legal entity customers is not optional. Nominee arrangements, offshore links, unexplained control structures, and identifying a politically exposed person (PEP) are not risk factors to note and move past. They are the scenarios that point to where the framework is most likely to fail, and examiners know it.

Where the picture gets complicated

Today, further progress is real, but uneven. In the US, the Corporate Transparency Act of 2021 was the most ambitious attempt to extend beneficial ownership reporting to companies themselves, not just the financial institutions serving them.

Under FinCEN’s March 2025 interim final rule, that ambition has been significantly narrowed: US-formed entities and US persons are now exempt, with reporting obligations falling primarily on certain foreign entities registered to do business domestically. That outcome followed a prolonged and contentious legal battle, involving multiple conflicting injunctions, a Supreme Court intervention, and sustained pushback from small business and industry groups, which ultimately made a political resolution rather than a judicial one the path of least resistance for the U.S. Treasury Department.

听The core problem shone by the Panama Papers leak in 2016 remains unresolved. A decade of regulatory response has only narrowed it.

Real estate reporting faces its own legal turbulence, with the Residential Real Estate Rule vacated and on appeal; and investment adviser AML coverage has been pushed to 2028, a delay driven in part by industry objections and competing agency priorities. These are not minor footnotes; rather, they are meaningful gaps in a system that was supposed to be closing.

Enforcement outcomes globally have been equally inconsistent. Panama’s own courts in a major Panama Papers-related trial in 2024. And Germany charged , the firm’s co-founder, in 2026. Jurisdiction still matters enormously, which is precisely what offshore structures were designed to exploit.

The durable lesson

Of course, none of this means the decade of reform was without consequence. It simply means the work is not done.

The Panama Papers’ most important legacy is not any specific regulation; rather it鈥檚 a permanently elevated expectation around knowing your customer, not just by name, but by ultimate beneficial owner, control structure, the credibility of information on file, and the ongoing monitoring that keeps that picture current. The most effective AML programs treat beneficial ownership as a living element of the customer relationship, not a checkbox at onboarding.

Still, the core problem shone by the Panama Papers leak in 2016 remains unresolved. A decade of regulatory response has only narrowed it and made it significantly harder to exploit, but as compliance professionals know better than most, the absence of a finding is not the same as the absence of risk.

You can find out more about the challenges of fraud identification and prevention here

Key insights:

• • • Fraud management works best as a connected workflow 鈥斕鼳ligning corporate fraud, AML, compliance, and investigation teams can strengthen visibility and response.

    • Monitoring must move beyond on-boarding听鈥� Existing customers require ongoing risk-based review, smart alerts, and transaction monitoring that can identify potentially suspicious behavior without overwhelming teams.

    • AI can accelerate investigations, but humans remain essential听鈥� AI-driven automation helps process data and prioritize alerts; however, skilled analysts are still needed to provide context, judgment, and industry expertise.

Fraud prevention represents only the first step in comprehensive fraud management. Organizations must develop robust detection and investigation capabilities to identify fraudulent activity and respond effectively.

Indeed, the most successful organizations think about fraud management in a systematic way, says Andrew Pellington, a senior director in Risk & Fraud solutions at 成人VR视频. 鈥淭he most successful organizations think about fraud management in more of a workflow phase that moves systematically from initial prevention through ongoing detection and into detailed investigation,鈥� explains Pellington.

Phases of organizational structures

Understanding how these phases interconnect and then building the proper organizational structures to properly execute them can help corporate risk, fraud & compliance teams create the foundation for effective fraud protection. These phases include:

1. Build organizational alignment across fraud and compliance functions

One of the most significant structural shifts in fraud management is the convergence of corporate fraud and anti-money laundering (AML) departments. Historically siloed, these functions are increasingly merging because fraud and money laundering are deeply intertwined. Fraudsters commit fraud, obtain illicit proceeds, and then need to launder those funds 鈥� effectively, two sides of the same coin, Pellington notes.

That means, financial and non-financial institutions can benefit from unified teams sharing data, processes, and expertise; and this convergence extends beyond AML and fraud to prevention, detection, and investigation phases. Organizations can gain competitive advantage when these functions share integrated toolsets, consolidated data sources, and cross-departmental communication. Before sharing knowledge across institutions, however, organizations must first establish robust information sharing across their own departments.

2. Establish monitoring systems for existing customers and accounts

As your organization moves through the fraud management workflow, the focus shifts from high-volume account opening activities to continuous monitoring of existing customers and account holders. This phase requires different tools, processes, and resources than does prevention.

Monitoring 鈥� both proactively and reactively 鈥� allows organizations to identify suspicious patterns and behaviors, then sophisticated systems must track transactions across time, identify deviations from normal behavior, and flag accounts for review.

Proactively, organizations should segment customers by risk level and establish review cycles: monthly for high-risk customers, semi-annual for medium-risk, and annual for lower-risk accounts. Reactively, they should deploy adverse media and sanctions alerts against public records, coupled with transaction monitoring models that specifically identify potential money laundering or structuring patterns.

“As you move through the monitoring, now you’re looking at your existing customers and account holders, and then you get alerts thereafter,鈥� Pellington explains.

3. Implement alert systems and prepare for regulatory scrutiny

While effective monitoring generates alerts that bridge passive systems and active investigation teams, these alerts need to be calibrated to identify genuine fraud risks without overwhelming investigators with false positives. This requires regular tuning and coordination between technology and investigation teams.

Organizations should adopt scenario planning and war games to test their processes by simulating potential fraud cases, regulatory inquiries, and adverse media incidents. Fraud incidents are a matter of when, not if, Pellington says, and those organizations that proactively test their response processes 鈥� rather than waiting for actual events 鈥� will maintain regulatory confidence and demonstrate institutional readiness.

4. Leverage AI while maintaining human expertise in investigations

While AI-driven automation of some work processes is a big advantage, deeper dive investigations require specialized expertise that cannot be fully automated. This is where generative AI (GenAI) and agentic AI can create significant opportunities. Agentic AI can prescreen alerts and determine which warrant investigation; and GenAI can rapidly produce enhanced due diligence reports by pulling together transaction histories, communications, vendor relationships, and public records.

Automating this work frees specialized fraud analysts to focus on what humans do best 鈥� applying industry knowledge and making judgment calls. Indeed, investigation is equal parts art and science, Pellington explains, adding that AI excels at the science 鈥� processing data at scale, and humans excel at the art 鈥� understanding context, industry fraud typologies, and customer relationships.

5. Transform data into knowledge and wisdom

The final critical gap Pellington identifies is the journey from information to knowledge to wisdom. Organizations possess unprecedented volumes of data, yet many drown in it without extracting actionable intelligence.

More data doesn’t guarantee better decisions; and organizations must elevate information to knowledge, understanding what their peers are doing, what best practices exist, and which approaches work best for the organization. Wisdom then comes from sharing across institutions, learning from industry experts, and avoiding mistakes others have experienced. This requires deliberate peer learning and thought leadership engagement.

Preparing for the future of fraud

Fraud risks are evolving fast, and those organizations best positioned to keep up will be the ones that keep their teams connected, sharpen their investigative tools, and pair AI with human judgment to act faster and stay more resilient while proactively transforming data into actionable wisdom.

By implementing these five phases of fraud protection, organizations can improve their detection and investigation capabilities and create comprehensive fraud protection that evolves with emerging threats.

You can find out more about ways to

Key insights:

• • • Unauthorized practice of law rules have repeatedly come into conflict with new forms of legal self-help 鈥� Each major wave of consumer-facing legal assistance has tested the boundaries of UPL doctrine and forced courts, regulators, and lawmakers to decide where legal information ends and legal advice begins.

    • Technology has expanded access to legal information faster than regulation has adapted 鈥� LegalZoom and other justice tech companies showed that legal tools could be delivered at scale, while UPL doctrine often struggled to accommodate new models of legal assistance designed for consumers with unmet legal needs.

    • The rise of AI makes the old UPL framework increasingly inadequate 鈥� As GenAI tools provide legal research, document assistance, and guided analysis directly to the public, regulators should move beyond the LegalZoom-era battles and consider a framework focused on consumer protection, transparency, and actual harm.

This two-part blog series examining how regulators, the legal profession, and individual litigants are looking at the unauthorized practice of law (UPL) first looks at the history of UPL and then suggests a consumer protection-based method of regulation to replace today鈥檚 supplier-based regulations.

With three-quarters of state court cases including at least one self-represented party, and with 92% of Americans with a legal problem not getting the legal help they need, it鈥檚 not surprising that the unauthorized practice of law (UPL) is a concept that鈥檚 not far from people鈥檚 minds.

It does not have to be this way, of course, and there are solutions to the thornier issues with UPL; but first, it may be helpful to understand how we got to this place and how UPL has evolved.

Legal self-help in a pre-Internet world

In the late-1800s, before UPL was formally articulated, John Wells published “Every Man His Own Lawyer”, a widely circulated guide that explained legal principles and provided practical forms. Its popularity reflected sustained public demand for accessible legal information. Around the same time, the organized bar began to emerge, along with more structured efforts to define and protect the boundaries of legal practice.

By the early-1900s, auto clubs were providing legal help to their members, demonstrating an early form of a prepaid legal services plan that exists to this day, but with typically a wider array of services. As would be the case in later years, an economic downturn soon brought a fight as lawyers used threats of UPL to fight competition. Not long after the Great Depression began, the ABA formed the Committee on Unauthorized Practice of Law, and a wave of litigation ensued to essential end the offering from auto clubs.

Similar dynamics appeared later in the 20th century. In the 1960s, soon before the recession of the 1970s, Norman Dacey鈥檚 “How to Avoid Probate!” offered readers tools to manage estate planning without engaging a lawyer. The response included investigations and attempts to suppress the book. Courts ultimately clarified that providing general legal information, even when presented in a structured and practical format, does not constitute individualized legal advice and falls within the scope of protected speech.

Tech enters the equation

By the 1990s, these ideas had moved into a digital environment. Companies such as Nolo and Parsons Technology translated legal forms and guidance into software and the Texas State Bar sued in federal court. Although the bar initially prevailed, a legislative response introduced a software exception to UPL that remains in effect today, reflecting an early acknowledgment that technology-based tools required a different regulatory lens.

By early 2000s, LegalZoom extended these concepts at scale. By automating document creation across a wide range of legal needs, it brought structured legal tools directly to consumers in a more accessible format. While not the first provider of self-help legal resources, it demonstrated how technology could move online and operationalize these services at a national level 鈥� not surprisingly, this effort would face resistance at a whole new level.

Launched in 2001, LegalZoom argued that it just represented the modern evolution of books like those written by Wells and Dacey. The response from the legal establishment was ferocious. It began with state bar inquiries trying to understand what LegalZoom was offering, and as the Global Financial Crisis began in 2007, class action lawsuits and regulatory challenges followed.

These suits sought significant damages without alleging specific consumer harm, creating substantial pressure on a still-developing sector and signaled resistance to new models of service delivery. The objections were ostensibly about consumer protection, while more reflecting concerns about changes to established structures in the legal profession.

LegalZoom won some of the class actions and settled others on friendly terms, typically agreeing to limit the use of certain words in its advertising, paying some class member claims, offering its attorney-access plans on a complimentary basis, and paying attorneys鈥� fees.

Supreme Court precedents

Two U.S. Supreme Court decisions would prove highly important to the UPL battles. The first came in in which the Court ruled that companies could include class action waivers in arbitration provisions. Soon after, LegalZoom began implementing this type of arbitration provision to coincide with the resolution of several major class actions to make sustaining a class action against it in the future more difficult.

The second Supreme Court ruling to impact UPL came in in which the Court ruled that a state occupational licensing board cannot claim state-action antitrust immunity if a controlling number of its decision-makers are active market participants in the occupation it regulates and the state does not actively supervise the board. This decision put state bars at risk.

The fight that changed the conversation was the LegalZoom lawsuit against the North Carolina State Bar (NCSB) that was modeled after the result in the Dental Board matter. LegalZoom had built a prepaid legal services plan offering attorney access to its customers 鈥� a narrower version of what the auto clubs had offered in the past. These types of plans historically were supported by the ABA and National Association of Attorneys General, but a few states pushed back on LegalZoom offering one. Most notably, North Carolina objected and LegalZoom sued the NCSB for a declaratory judgment that it was not engaged in UPL as well as on antitrust and other grounds, leading to a settlement and cooperative legislation that cleared the way for LegalZoom to continue operations, including launching its legal plan, in that state.

Upon the case’s conclusion, University of Tennessee College of Law professor , LegalZoom fought the North Carolina Bar 鈥� and LegalZoom won. Barton opined that the 鈥淪outh Carolina [where the Supreme Court had found LegalZoom practices lawful] and North Carolina precedents will likely end all state bar action on UPL.鈥� He was largely correct, as future LegalZoom and other industry skirmishes would not amount to much, allowing the industry to thrive.

The future of UPL

Today, the LegalZoom fights look quaint. It was essentially a fight over the online equivalents to form books, when a few years later AI would explode onto the scene and upend everything. We now have everything from foundation models such as ChatGPT, Claude, and Gemini to legal specialists available to the public and generating research memos at the push of a button.

This, perhaps, brings us back to where we started. And now may be the time to ask whether a new system of regulation is needed around UPL, because no other justice tech company should have to run the gauntlet of fights that LegalZoom faced.

In the next part of this blog series, we will look at how the issues raised by UPL in the AI age may require a new regulatory solution, possibly one based on a consumer protection model that would replace today鈥檚 supplier-based regulations

Key insights:

• • • AI is supercharging old fraud schemes听鈥� By making synthetic identities, deepfake scams, and customer fraud faster, more credible, and harder to detect, AI is amplifying fraud and crime.

    • The real vulnerability may be internal silos听鈥� Institutions need to be on the lookout, because what looks like a credit loss, an HR issue, or a payment request may actually be part of a wider multi-vector AI-enabled attack.

    • Institutions already have the tools to respond听鈥� Through KYC and internal and behavioral data, financial institutions have the ability to respond to fraud threats 鈥� but only if teams connect and act together.

Fraud and crime existed long before AI, of course, but today鈥檚 technology delivers an acceleration in speed, scale, and success rate for fraudsters, resulting in billions of dollars in losses for victims. AI-enabled frauds on financial institutions by 2027 in the United States alone, and of detected fraud attempts on financial institutions use AI 鈥� and of these, 29% are successful.

To respond effectively to these threats, institutions need to implement a unified response that brings together departments that may not traditionally be partners. This cross-functional coordination should include not only the institution鈥檚 fraud and financial crime risk teams but also its credit risk, cybersecurity, and human resources functions.

And this response is critical, because today, financial institutions are being targeted by multiple types of AI-enabled attacks, including tactics such as:

• • • use of synthetic identities to circumvent know your customer/customer due diligence (KYC/CDD) controls and perpetrate fraud or launder money;
    • use of deepfake identities to gain employment, particularly by North Korean IT workers;
    • AI-enhanced 鈥淐EO frauds鈥� to deceive staff into taking unauthorized actions; and
    • Bank customers may be targeted by fraud too, presenting further risk to financial institutions.

Let鈥檚 look at these threat vectors individually:

Vector 1: Synthetic identities and KYC/CDD

Synthetic identities can be entirely fabricated or may use combinations of real and fabricated personal information to create a new identity. For example, a fraudster may construct a synthetic identity using a Social Security number exposed during a data breach combined with an AI-generated passport.

This threat is real and happening now: identifies that criminals have already used AI to successfully open accounts using falsified documents, photographs, and videos. And according to , synthetic identities were used to open as many as 3% of US bank accounts, representing millions of identities. Not surprisingly, these illicit accounts are used to commit fraud and launder the proceeds of money laundering.

Vector 2: North Korean IT workers

North Korean individuals have successfully gained employment as remote IT workers at American companies, often passing themselves off as US nationals using AI-generated face-swapping technology combined with proxy computers and false identity documents. North Korean IT workers are almost $800 million annually for the regime.

Institutions deceived into employing these workers are not only against North Korea, but they are also exposing commercially sensitive data and systems to an adversary state, increasing the possibility of theft, cyber-attacks, and extortion.

Vector 3: CEO Fraud

A 鈥淐EO fraud鈥� is a cybercrime in which an attacker impersonates an executive to deceive an employee into taking actions such as sending unauthorized wire transfers or disclosing sensitive information. AI accelerates these frauds by making them more personalized and credible.

In one of the more well-known examples, in an AI-enhanced CEO fraud in 2024 after the fraudster impersonated Arup Engineering鈥檚 CFO and requested a staff member to make several financial transfers. The criminals added credibility to the fraud by using a in which the target recognized many of their colleagues 鈥� unfortunately, all of them were deepfakes.

Vector 4: Frauds targeting customers

Where customers are targets, AI provides the scale, speed, and personalization to allow illicit actors to deliver individualized fraud. For example, whereas romance scams previously used repetitive scripts and re-used the same images of the romantic 鈥減artner,鈥� fraudsters can now use AI-generated messages, images, or videos, continuously adapting the execution of the scam to the target鈥檚 responses and behaviors.

Creating a cross-functional and unified response

The examples above demonstrate the diverse and highly sophisticated uses of AI by illicit actors, both adversary states and criminal networks. Detecting and responding to these illicit activities requires joint action between teams that may not traditionally work closely together.

For example, if an account holder fails to repay a loan, the credit team may consider it to be a default by a legitimate customer and write it off as a credit loss. However, if the account was opened using a synthetic identity, investigation may reveal other accounts that share similar customer data points or transactional patterns. This could reveal a network of accounts that are perpetrating a fraud or money-laundering scheme. To detect and respond effectively, joint action is needed between KYC/CDD on-boarding teams, financial crime investigators, and fraud and credit risk professionals.

Alternatively, for HR teams to effectively identify use of face-swapping videos during a hiring process, knowledge from the organization鈥檚 cybersecurity team, especially of deepfake indicators, would be valuable. If a North Korea IT worker is hired and only later identified, cybersecurity and sanctions teams must be involved in the response to mitigate data, network, and compliance exposures.

Detecting and responding to all illicit activities requires joint action between teams that may not traditionally work closely together.

Finally, all staff may be targeted by deepfake fraud, but those in senior positions or departments with financial authority are the most vulnerable. This means it is essential for institutions to deliver employee training using real-life case studies, 鈥渘ear misses,鈥� and scenarios drawn from across the institution and industry. This type of training will increase vigilance and minimize the likelihood of a successful attack.

For customers, financial institutions are well-positioned to identify indicators of fraud due to their extensive datasets of KYC/CDD records, transactional, and behavioral information. Institutions should enhance their customer relationships (as well as meet applicable regulatory requirements) by taking proactive measures to inform and protect their customers.

While AI has accelerated fraud and crime, financial institutions also hold valuable and relevant assets: the knowledge distributed across their cybersecurity, HR, credit risk, financial crime compliance, fraud, and KYC/CDD teams. By connecting these teams together, even in contexts in which these departments have not traditionally been partners, institutions will be well-positioned to protect both themselves and their customers from illicit actors鈥� sophisticated AI-enabled threats.

You can learn more about the fraud-fighting challenges faced by financial institutions and other organizations here

Key highlights:

• • • AI governance is hard to prove in practice 鈥� While our research shows that 44% of companies publish an AI strategy, 76% of those same companies show no evidence of having policies to evaluate the quality of data used to train AI systems.

    • Workers are being left under-prepared and under-protected 鈥� Only 14% of companies have policies to mitigate the negative impacts of AI on workers, and only 31% offer any reskilling or training programs around adapting to an AI-integrated workplace.

    • Human rights and ethics appear an afterthought in AI governance 鈥� Almost three-quarters (72%) of companies conduct no AI impact assessments, and less than 1 in 10 companies conduct ethical or human rights assessments.

There is a widening chasm at the heart of corporate AI governance, according to a new report, , published by the 成人VR视频 Foundation and the United Nations Educational, Scientific and Cultural Organization (UNESCO).

The Foundation鈥檚 analyzed publicly available information from nearly 3,000 companies across 11 industry sectors, creating the most comprehensive picture yet of how organizations are managing AI.

Beneath the surface of corporate AI governance mechanisms, divergence between the speed of AI adoption and meaningful human oversight is growing. The report’s findings make clear that this is no longer a gap that organizations can afford to ignore, especially when backlash against is growing and are solidifying among consumers in the United States.

Data highlights the illusion of AI governance

Businesses of different sizes and across multiple sectors are adopting AI technology at a rapid pace. When governance exists only in the wording of a strategy or company vision, however, the people most affected by AI systems 鈥� workers, consumers, and communities 鈥� are left vulnerable. According to the report:

• • • 44% of companies publicly communicate having an AI strategy. However, a gap in AI governance is evident as more than three-quarters of those companies (76%) do not seem to have policies to evaluate the quality of data used to train AI systems.
    • 40% of companies report board- or committee-level oversight of AI. At the same time, strategic signals do not necessarily indicate operational capacity or day-to-day governance. In fact, less than one-third of all sampled companies claim to have an additional team or resource dedicated to AI governance. Moreover, limited information is publicly disclosed on the teams, processes, and accountability mechanisms that translate intent into action.

Workers are being left behind

Research by the International Monetary Fund finds almost , highlighting the acute nature of concerns about job displacement and declining opportunities for some groups. Without sufficient oversight, AI can threaten workers’ rights, amplify bias, and increase surveillance and work intensity, which can enable inhumane decision-making at scale.

The TR Foundation/UNESCO report notes that many companies are adopting AI without the safeguards needed to support workers and help them to adapt to the changes this technology brings. Less than one-third of companies were shown to offer training and reskilling programs for employees who may be adapting to an AI-integrated workplace. Even within the 31% of organizations in which these training programs exist, there is a vast variation in the scope and depth of the training offered.

In fact, many company training programs are not enterprise-wide or structured. Instead, they are ad-hoc or limited to leadership roles. This lack of investment in talent risks undermining the significant investment that companies are making in AI.

Despite growing pressure from regulators, policymakers and social justice campaigners, the ethical impact of AI appears poorly governed, with companies sharing limited information publicly.

The picture on worker protections is equally concerning. Only 14% of companies have public policies in place to mitigate the negative impacts of AI systems on workers, the report shows. This means the majority of companies either have no policies in place or do not publicly communicate them.

What is more troubling is that when workers experience harm, there is almost nowhere for them to turn. Only 2% of companies indicated they had a complaints mechanism 鈥� a critical early warning system for potential concerns. The findings suggest many organizations lack a mechanism for AI-related internal complaints beyond the broad generic complaint channel, and this is compounded by low awareness of the areas in which AI systems may infringe employees’ rights and protections.

Ethics and human dignity as an afterthought

Despite growing pressure from regulators, policymakers and social justice campaigners, the ethical impact of AI appears poorly governed, with companies sharing limited information publicly.

Human rights and ethical use of AI are treated as secondary considerations to compliance, according to our research. The majority of companies (72%) do not conduct any impact assessment with regard to AI. Only 7% publicly communicate conducting a fundamental or human rights impact assessment, and just 5% report conducting an ethical impact assessment.

Among those companies conducting some form of impact assessment, the focus skews sharply toward compliance rather than people. The most prevalent assessments are privacy or compliance-focused, with 18% of those companies that conduct some form of impact assessment reporting that they conducted a data protection impact assessment, and 14% reporting they conducted a privacy impact assessment.

How to center people in AI governance

Closing this governance gap is essential for companies in order to adopt AI responsibly and avoid costly legal, ethical operational, talent-related risks.

To support companies in navigating this challenge, offers a free survey to help companies map the areas in which AI is used across products, operations and services, and then benchmark those against peers their sector.

The report also contains case studies from companies that voluntarily shared their responsible practices with us. For example, German software company SAP intentionally designs and deploys its internal AI systems with a human-in-the-loop in which AI automates repetitive tasks and supports decision-making while final judgment and complex problem-solving remain firmly in the hands of employees.

As AI becomes part of core business infrastructure, companies must move beyond statements of intent and toward measurable AI governance.

In another example, BASF, a German chemical conglomerate, has jointly agreed with its workers’ councils on a general reskilling program that covers technical, hard, and soft skills. Finally, Canadian telecom company TELUS’ Indigenous Advisory Council provides guidance on AI ethics issues that directly affect indigenous communities.

Next steps for companies

The TR Foundation/UNESCO report highlights the most impactful concrete commitments that companies can take now to future proof against AI-related risk, including:

• • • investing in structured, enterprise-wide worker-reskilling programs that measure outcomes, not just participation;
    • establishing enforceable human rights impact assessments as a standard part of AI deployment, not as an optional addition; and
    • creating accessible, AI-specific internal grievance mechanisms so that workers and users have a genuine pathway to raise concerns and seek remedy.

As AI becomes part of core business infrastructure, companies must move beyond statements of intent and toward measurable AI governance. While this data demonstrates clear governance gaps, it also presents an opportunity for companies to take the lead on implementing responsible AI that operates openly in the public interest.

You can learn more about

Key insights:

• • • Define your risk appetite 鈥� A clearly defined fraud risk appetite aligns prevention efforts with strategic objectives and ensures accountability by establishing acceptable levels of fraud risk across the organization.

    • Create a fraud-specialized team 鈥� Dedicated ownership of the vendors that supply fraud solutions by a fraud-specialized team 鈥� rather than by the procurement function 鈥� is critical to maximizing technology performance and adapting to emerging threats.

    • Establish a specialized prevention division 鈥� The rise of sophisticated scams demands the creation of a separate, specialized prevention division to avoid overburdening core fraud teams and ensure targeted, effective responses.

Corporate fraud represents one of the most significant risks facing organizations today. Yet many companies lack the structured governance and technology infrastructure needed to combat fraud effectively.

The solution requires that comprehensive fraud prevention frameworks be built on clear governance, proper technology deployment, and data-driven insights, according to Aaron Frye, Founder & CEO of Lucid Point Consulting. Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results. These five pillars include:

1. Develop a fraud risk appetite

Effective fraud prevention begins with a well-defined fraud risk appetite that tells the right story to the right stakeholders. Your framework must communicate to your board, executive leadership, and operational teams the level of fraud losses your organization should tolerate, and in which areas you should prioritize fraud prevention investments.

The fraud risk appetite framework must address several key considerations; for example, it should define the level of fraud risk that aligns with the organization’s growth objectives, identify the areas of greatest vulnerability, and evaluate which investments will yield the strongest return. Equally important is the ongoing monitoring and communication of progress through regular reporting on fraud risk metrics, vendor assessments, and investigation outcomes. These actions demonstrate to stakeholders that fraud prevention remains an active priority for the organization and ensures that fraud risk continues to inform organizational decision-making.

2. Establish clear ownership of risk-solution vendors

Many organizations invest significantly in fraud detection tools only to see disappointing returns. The problem often lies not in the tools themselves, but in unclear ownership and accountability for their performance.

Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results.

If your organization lacks a designated person or team within your fraud strategy function whose job it is to ensure the risk-solution tools you鈥檙e getting from vendors are the best for your enterprise, you likely aren’t getting the most out of your vendors. This dedicated fraud service ownership role must act as your internal champion, evaluating vendor performance, staying current with product enhancements, and ensuring integration with other fraud prevention initiatives.

Critically, procurement, sourcing, and vendor management functions should never own this role. These teams, by the nature of their titles and responsibilities, don’t prioritize fraud. They lack the specialized knowledge required to assess whether your fraud detection technology is performing optimally or adapting to emerging threat landscapes. Without dedicated fraud expertise overseeing your technological investments, advanced tools sit underutilized and critical fraud signals go undetected.

3. Develop a fraud governance function

Every organization should have a dedicated fraud risk governance team within its fraud risk management organization. This governance function serves as your second line of defense, working proactively to reduce operational chaos within your fraud strategy, operations, and investigation groups.

If a non-fraud governance function owns fraud governance, you are guaranteed not to be getting the best form of governance. Fraud is a specialized discipline requiring dedicated expertise and focus; and your governance team must develop policies, establish standards, monitor control effectiveness, and ensure consistent application of fraud prevention practices across the enterprise.

4. Document existing risks and resource gaps

One of the most important responsibilities of your fraud governance function is identifying and documenting the areas related to fraud risk that your current fraud risk teams don’t have time to review. Due to capacity constraints, it is impossible for many fraud risk teams to cover all open gaps. Your organization must understand those open gaps and not be ashamed to address them.

Create an action plan that documents open risk and self-identified issues that your current team cannot adequately address. This transparency demonstrates clear-eyed realism about your organization鈥檚 limitations and creates the business case for requesting additional resources or engaging external consultants to help close these risk gaps.

5. Address the growing scam-prevention challenge

needs its own prevention strategy division within your fraud risk function. Compromised business email, investment scams, and vendor fraud schemes represent an entirely new category of fraud risk that demands specialized attention.

Every organization should have a dedicated fraud risk governance team that serves as its second line of defense, working proactively to reduce operational chaos within corporate strategy, operations, and investigation groups.

There has never been a full manageable grip on fraud prior to the spike in scams. Therefore, you cannot expect your existing fraud risk teams to tackle a new wave of scams as a priority as well as to manage traditional fraud prevention responsibilities. Your core fraud function manages internal control systems, transaction monitoring, and investigation protocols. Adding comprehensive scam prevention to this workload without dedicated resources guarantees that identifying and preventing scams will receive insufficient attention.

Establish a dedicated scam-prevention division focused specifically on emerging scam threats, employee education, scam-specific prevention technology, and response protocols. This specialized approach ensures sophisticated scam schemes receive the expertise and resources necessary while your core fraud function continues addressing traditional fraud prevention requirements.

Going forward into the fight against fraud

In an era of escalating fraud threats, reactive detection is no longer sufficient. Organizations must adopt a proactive stance grounded in strong governance, clear accountability, and strategic resource allocation.

By defining a fraud risk appetite, assigning ownership of fraud prevention tools, strengthening governance, documenting unaddressed risks, and establishing a dedicated scam prevention function, companies can build resilient, forward-looking fraud prevention frameworks. These five pillars enable organizations to anticipate threats, allocate resources effectively, and protect both financial performance and reputational integrity.

Today, the path to fraud resilience begins not with technology alone, but with deliberate, enterprise-wide commitment to proactive risk management.

You can find out more about ways to

Key insights:

• • • AI can improve officer safety听鈥� By helping them prepare for high-risk situations and make better decisions under pressure, advanced technology can enhance officer safety.

    • AI can increase operational efficiency听鈥� AI can reduce administrative burdens and improve efficiency overall, allowing officers to spend more time on police work.

    • Responsible implementation is essential听鈥� To ensure AI strengthens public trust while protecting civil liberties, proper guardrails and oversight need to be enacted.

Each year, during , we pause to honor the brave men and women in law enforcement who have made the ultimate sacrifice in service to their communities. As we pay tribute to those we have lost, we are reminded of the inherent dangers officers face every day.

In recognition of the importance of reflection and advancement, it is imperative that we examine the responsible application of emerging technologies, especially AI, to enhance officer safety, support their objectives, and reinforce overall public safety.

AI is already being integrated into public safety systems in meaningful, measurable ways. When guided by strong ethical principles, transparency, and commitment to community trust, AI can serve as a force multiplier and a protective partner for members of law enforcement. The goal is not to replace officers, of course, but to equip them with better tools, that allow them to reduce risk and return home safely after every shift.

Improving situational awareness and operational readiness

One of the most immediate benefits of AI in law enforcement is its ability to enhance situational awareness. When officers respond to a call, the first minutes on scene are often the most critical 鈥� and the most dangerous. AI can help reduce uncertainty by providing rapid access to relevant information.

For example, AI-powered systems can analyze incident data, criminal records, and community reports to give officers a clearer picture of what to expect when they arrive on scene. This includes identifying patterns of violence, recognizing repeat offenders, or flagging locations that may have a history of high-risk activity. Such insights allow for better preparation, smarter deployment, and more informed decision-making under pressure.

Additionally, AI can assist in public records and open-source searches, pulling critical data from comprehensive databases, the internet, and connected devices in seconds rather than hours. This immediate access to information enables faster, more effective responses. In short, AI can save valuable time when seconds count.

Streamlining administrative work to focus on the mission

Law enforcement officers spend a significant portion of their time on administrative duties, such as writing incident reports and managing court schedules and citations. These tasks, while necessary, take officers away from community engagement and proactive policing.

AI can help reduce this administrative burden by automating routine documentation. Natural language processing tools can draft reports based on officer input, ensuring consistency and freeing up time for frontline duties. Similarly, AI-driven scheduling systems can optimize shift assignments, account for court appearances, and manage on-call rotations. This AI-enabled administrative assistance goes a long way in ensuring that staffing levels are appropriate and that officers are not overburdened.

When guided by strong ethical principles, transparency, and commitment to community trust, AI can serve as a force multiplier and a protective partner for members of law enforcement.

By reducing the administrative load, AI allows officers to focus on what they do best 鈥� serving and protecting their communities. This not only improves job satisfaction among officers themselves but also increases operational efficiency and public safety outcomes.

Building guardrails for responsible AI use

As with any powerful advanced technology, the integration of AI into law enforcement must be guided by clear policies, oversight, and accountability. The goal is not to deploy AI indiscriminately, but rather to ensure its use enhances safety without compromising civil liberties or public trust.

This requires proactive collaboration between technologists, law enforcement agencies, policymakers, and the communities they serve. Standards must be developed for data privacy, algorithmic transparency, and bias mitigation. AI-enabled systems should undergo rigorous testing and independent review before deployment. Further, officers must be trained not only on how to use these tools, but also on the limitations and ethical implications of using these tools as well.

Finally, public trust is essential. Members of the community need to know that AI is being used to protect their safety and that of law enforcement 鈥� it is not a tool to surveil them without cause. Communicating transparently how the AI systems are designed, what data they use, and how decisions are made will be key to maintaining legitimacy and trust with the public.

A future of safer streets and stronger trust

The integration of AI into law enforcement is not about replacing human judgment 鈥� rather, it鈥檚 about augmenting officers鈥� judgment. When used responsibly, AI can reduce risk, improve preparedness, and support officers in carrying out their duties more safely and effectively.

In the years ahead, we can expect to see broader adoption of drone first responders, real-time language translation tools, and predictive systems that further help enhance officer and community safety measures. However, technology alone is not the answer. Success will depend on how thoughtfully these tools are implemented, how well citizens鈥� rights are safeguarded, and how deeply communities are involved in the process.

This week, as we honor those officers who have fallen in the line of duty, let us also commit to doing everything we can to protect those who serve today. AI, when applied with care, can be a powerful ally in their mission, keeping officers safe, allowing them to make better decisions, and together, building stronger, safer communities for all.

The data provided to you may not be used as a factor in establishing a consumer鈥檚 eligibility for credit, insurance, employment, or for any other purpose authorized under the Fair Credit Reporting Act.

You can find more on the challenges facing law enforcement here

Key insights:

• • • Prediction markets sit in a regulatory gray zone 鈥� Prediction markets鈥� economic function often looks much closer to gambling than traditional finance.

    • That ambiguity creates an AML blind spot 鈥� This blind spot allows potentially weaker controls around KYC, source of funds, sanctions screening, and suspicious activity reporting.

    • Banks and payment processors should focus on actual risk, not labels 鈥� Reputational, legal, and financial crime risk exposure can arise long before regulators clarify the rules.

Prediction markets have grown into a multi-billion-dollar ecosystem, offering the ability to enter into a contract to predict the outcomes on everything from elections and sports games to economic data and weather events. Yet as these platforms expand, they operate in a regulatory gray zone that raises serious questions for banks, payment processors, and compliance professionals.

Yet, the classification question that regulators and financial institutions continue to debate is not merely academic. It determines whether prediction market platforms will face the same anti-money laundering (AML) and know-your-customer (KYC) obligations as casinos and sportsbook venues, or whether prediction markets can continue to operate with minimal compliance oversight. This distinction has real consequences for the financial system.

鈥淧rediction markets are not just a classification problem, they represent a structural gap in how financial crime risk is currently understood and managed,鈥� says James Lephew, Founder & CEO of , a Charlotte-based consulting firm that serves major gambling operators and financial institutions globally.

Clarification is required in classifying this sector

Prediction markets occupy an ambiguous middle ground. Market operators position their platforms as financial derivatives or forecasting tools rather than gambling venues, emphasizing price discovery and statistical analysis over chance-based wagering. A contract on the outcome of a presidential election or a sports event, they argue, reflects crowd-sourced probability estimates grounded in information aggregation, not gambling luck.

Yet the fundamental mechanics raise legitimate questions. A user who buys a contract predicting that a candidate will lose an election is, in economic terms, wagering money on an uncertain outcome. The distinction between betting on a football game and trading a contract on the outcome of that same game becomes difficult to defend from a regulatory standpoint 鈥� and this classification matters enormously.

The distinction between betting on a football game and trading a contract on the outcome of that same game becomes difficult to defend from a regulatory standpoint 鈥� and this classification matters enormously.

If prediction markets are treated as gaming operations, they trigger Title 31 obligations under the Bank Secrecy Act, including currency transaction reporting, suspicious activity reporting (SAR) requirements, and comprehensive KYC procedures. If on the other hand, prediction markets are classified more akin to financial markets, these requirements may not apply. Currently, many prediction market platforms claim financial market status, allowing them to operate outside gaming regulations and with potentially weaker AML controls.

There is a compliance gap

Without clear regulatory classification, prediction markets create a significant AML blind spot. Casinos must report cash transactions exceeding $10,000, conduct source-of-funds reviews, and maintain detailed customer profiles. Sportsbooks face licensing requirements, geolocation checks, and responsible-gaming safeguards. Prediction market platforms, by contrast, often operate with minimal reporting obligations.

This gap introduces concrete risks. Digital wallets and cryptocurrency channels can obscure the source of funds. Structuring and layering of sources become easier without robust verification, further clouding who exactly playing in these markets. Collusive trading through multiple accounts allows value transfer that may go undetected. And VPN use and foreign payment channels can enable sanctions evasion.

Further, without mandatory SAR reporting, suspicious patterns tied to money laundering, terrorist financing, or market manipulation may never reach law enforcement.

“What we’re seeing is an AML blind spot,鈥� says Lephew. 鈥淧latforms enabling financial flows with characteristics of gambling, but without the controls that regulators would normally expect.” Until classification catches up with the technology, he adds, this blind spot remains open 鈥� and exploitable.

Why this matters for banks and processors

Banks and payment processors that support prediction market platforms may carry significant reputational and legal risk if they haven’t conducted thorough due diligence 鈥� and they cannot rely on a platform’s self-classification as a financial market or forecasting tool. Nevada and other jurisdictions are actively examining whether these platforms constitute gambling, echoing concerns from the American Gaming Association that products carrying similar economic risks deserve similar regulatory treatment.

If a product allows participants to wager on uncertain outcomes and creates risk that is substantially similar to gambling, it should face AML and customer identification requirements proportionate to that risk.

“Risk must be assessed based on how the product actually behaves, not how it is marketed,” Lephew explains. And that means evaluating whether a platform applies robust KYC procedures, verifies the source of deposits and beneficial ownership, screens against sanctions lists, reports SARs to the government, prohibits contracts on high-risk events such as assassinations or terrorism, and uses geolocation controls to block users in restrictive jurisdictions. Those answers matter far more than whatever label the platform chooses, Lephew says.

The path forward

Regulators have several options. One approach applies gaming regulations uniformly, treating all prediction markets with economic characteristics similar to gambling as gaming operations subject to Title 31. A second approach creates explicit financial market classification with statutory AML obligations and enhanced scrutiny of high-risk contracts. A third option adopts a tiered or risk-based framework, classifying contracts on lower-risk events such as economic data or weather under financial market rules, while sports and election markets could face enhanced scrutiny. Violent outcome markets would be prohibited entirely.

Regardless of which path regulators choose, the principle should be the same: Classification should follow economic function. If a product allows participants to wager on uncertain outcomes and creates risk that is substantially similar to gambling, it should face AML and customer identification requirements proportionate to that risk.

Financial institutions should not wait for regulatory clarity. They should apply rigorous due diligence now, treating prediction markets with a heightened level of scrutiny appropriate to their actual risk profile rather than their claimed legal status.

The goal is not to eliminate prediction markets, but to ensure they operate within a framework that prevents money laundering, terrorist financing, and market abuse. “If it looks like gambling, behaves like gambling, and carries the same financial crime risk, it should be regulated accordingly,鈥� Lephew notes. 鈥淎nything less creates systemic exposure.”

You can find out more about the challenges financial institutions face in their anti-money laundering efforts here

Key insights:

• • • Protecting SNAP requires modernization and accountability 鈥� This includes providing chip-enabled cards, stronger monitoring, recipient education, retailer oversight, cross-agency coordination, and fair reimbursement for victims.

    • Skimming is a growing problem 鈥� In the context of financial fraud, skimming refers to the illegal capture of personal data, typically through concealed electronic devices placed over legitimate card readers.

    • The harm can be immediate and severe 鈥� If their food benefits are stolen through skimming, vulnerable households can lose essential food funds, deepening food insecurity in their community.

Electronic Benefit Transfer (EBT) cards serve as a critical resource for the millions of Americans who depend on the nation鈥檚 Supplemental Nutrition Assistance Program (SNAP) to keep food on the table. The typical SNAP household is low-income and often includes children, seniors, or individuals with disabilities, who have earnings that fall at or below the federal poverty level. Based on household size, income, and other qualifying factors, these families receive monthly monetary assistance to help cover basic nutritional needs at authorized retailers.

Think of an EBT card as a debit card specifically designed for food benefits. Recipients use it to access their monthly balance at approved stores, making the process straightforward and dignified. However, like any electronic payment system, EBT is not immune to exploitation. One of the most pressing threats is a type of fraud known as skimming, which puts vulnerable households at serious financial risk.

What is EBT skimming?

Skimming, in the context of financial fraud, refers to the illegal capture of personal data, typically through concealed electronic devices that are placed over legitimate card readers. In the case of EBT fraud, criminals generally install tampered card terminals to steal EBT card information, including account numbers and PINs.

Unlike most modern credit and debit cards, EBT cards still rely on magnetic stripe technology, not more secure embedded chips. This outdated system makes them especially vulnerable to cloning, or the creation of counterfeit cards that contain the victim鈥檚 account number and PIN. Once a thief captures the data, they can create these counterfeit cards and drain benefits almost immediately, often within minutes of the monthly benefit deposit.

The result is that much needed food benefits, meant to last an entire month, are stolen without warning or recourse.

Why is EBT skimming so devastating

The consequences of EBT skimming go far beyond financial loss. For recipients, the theft of SNAP benefits can have immediate and severe impacts on their household food security and well-being. Other reasons why this form of fraud is particularly harmful include:

• • • Irreplaceable funds 鈥� For low-income households, SNAP benefits represent a critical portion of their monthly food budget. Once stolen, these funds are often impossible to replace. Families may be forced to skip meals, rely on emergency food pantries, or divert money from other essential needs like rent or medicine.
    • Outdated security technology 鈥� Despite advances in payment security, most EBT cards still use magnetic stripes, which can be easily copied with inexpensive skimming devices. By contrast, EMV chip technology, standard on most consumer credit and debit cards, makes cloning significantly more difficult.
    • Speed and precision of theft 鈥� Thieves often time their attacks to coincide with the monthly benefit deposit cycle. Once benefits are loaded, stolen card data is used rapidly, sometimes within minutes, making recovery nearly impossible.
    • Targeting vulnerable populations 鈥� EBT skimming preys on some of the most vulnerable members of society, including seniors, disabled individuals, and families living paycheck to paycheck. Many recipients may not have the resources or knowledge to monitor account activity regularly or to lock their cards after use, leaving them at greater risk.

Beyond skimming: A broader challenge of fraud, waste & abuse

While skimming is a serious and visible form of EBT fraud, it is only one symptom of a larger systemic challenge that fraud, waste & abuse cause in federal benefit programs.

Other forms of fraud include: retailers trafficking in EBT benefits for cash, which is a violation of SNAP rules; misrepresentation of income or household size during application; duplicate or ineligible benefit issuance; and administrative errors that lead to overpayments.

Each instance, whether intentional or not, erodes public trust in the entire benefit system, strains limited program budgets, and diverts resources from those individuals who need them most.

With federal funding for social programs under constant scrutiny and subject to periodic budget constraints, it is imperative that every dollar is protected and used appropriately. Preventing fraud is not just about saving money 鈥� it鈥檚 about ensuring that limited public resources serve their intended purposes of reducing hunger and supporting economic stability.

How to prevent fraud, waste & abuse in SNAP

Addressing EBT skimming and broader program vulnerabilities requires a well-rounded strategy that features technology, policy, education, and oversight working together.

On the technology side, one of the most impactful steps forward would be transitioning EBT cards from outdated magnetic stripes to EMV chip technology. This upgrade alone would significantly reduce skimming risks, and federal investment in that infrastructure is a necessary part of making it happen. Alongside that, state and federal agencies should be leveraging data analytics and real-time transaction monitoring to flag suspicious activity, like multiple withdrawals across different locations within a short window of time.

Education also plays a bigger role than many people realize. A large portion of EBT users simply do not know how to protect themselves. Basic habits like covering the keypad when entering a PIN, routinely checking account balances, and reporting lost or stolen cards right away can go a long way in reducing exposure.

One of the most pressing threats is a type of fraud known as skimming, which puts vulnerable households at serious financial risk.

From an oversight perspective, the U.S. Department of Agriculture 鈥� the government agency that oversees SNAP 鈥� and state agencies need to conduct regular audits of authorized retailers and hold them accountable. Any retailer found engaging in trafficking or enabling skimming should face deauthorization and legal consequences as well. Equally important is making sure that victims of confirmed fraud are not left without recourse. Clear and consistent policies for replacing stolen benefits can help restore trust in the program and prevent the food insecurity that this type of fraud directly causes.

Finally, none of this works in isolation. Effective fraud prevention depends on strong coordination between state human services departments, law enforcement, financial institutions, and technology providers. Information sharing and joint task forces strengthen the ability to detect threats early and respond quickly when issues arise.

Protecting the safety net

SNAP is one of the nation’s most effective tools in the fight against hunger. However, its success depends on both integrity and accessibility. Skimming and other forms of fraud not only steal from individuals, but they also undermine confidence in the entire system.

Policymakers, administrators, and citizens must prioritize modernization, accountability, and victim protection. By addressing vulnerabilities like EBT skimming and reinforcing safeguards against waste and abuse, we can ensure that SNAP remains a reliable and secure resource for the millions of individuals who rely on it.

You can find out more about how public agencies are working to fight fraud in government benefit programs here