INSIGHT: The Shiny Hammer and the Crooked Nail — Financial Crime in 2026

FINANCIAL crime conferences are not, on the face of it, where one goes in search of optimism.

Yet by midafternoon at the Institute’s 2026 gathering in London, focused on The Future of Financial Crime Prevention, one began to suspect that the launderers may finally have drawn the shorter straw.

The British organisation, which gathers leading AML professionals, ensured the tone was set by the opening keynote.

Its thesis could be summarised as: the bad guys still have one job, move the money, but for the first time the good guys have the tools, the legal cover and (occasionally) the budget to do theirs properly.

From castles to kingdoms

For years, financial institutions have behaved like anxious medieval barons: build a higher wall, pull up the drawbridge, and pray the marauders try the bank next door instead. The Economic Crime and Corporate Transparency Act (ECCTA) is supposed to change that. Instead of each firm hoarding its own suspicions like dragon gold, the new information sharing provisions create something closer to a standing army.

In the morning’s first session, practitioners walked through the mechanics. Direct “warnings” allow Bank A to tell Bank B that it has just booted out a customer for economic crime concerns, without waiting for the police, without fearing breach of confidence litigation. “Requests” let Bank B ask its peers for corroborating information when it suspects a need for action but is not quite sure of the full picture yet.

The pilots have been startlingly effective. In one, a single warning about a network of accounts triggered investigations at ten institutions, 1.4m of funds frozen under account freezing orders, and hundreds of relationships either exited or never opened in the first place.

It is hard to overstate the cultural shift. For years, GDPR was blamed for every refusal to share even the most anodyne detail. Now, as one bank’s nominated officer put it, “GDPR is not an excuse anymore, it’s a legitimate interest.” The legislation, in other words, is there. What’s missing, if anything, is the know-how to start sharing. 

Plausibility, not paranoia

If ECCTA is about joining the dots between institutions, the second session asked whether banks are even joining the dots inside their own heads. The theme was “plausibility”, a word that, in compliance circles, tends to appear only in enforcement notices after the fact.

The suggested solution was not rocket science: Does the story make sense in its market? Do the projected numbers resemble anything seen amongst other customers? Does the LinkedIn profile look like someone who could plausibly command £260,000 in commissions, or does it still list “Assistant Manager, Nando’s” as the last substantive role? Sometimes clients provide desired rather than realistic earnings projections, sometimes it may be something a lot more concerning. 

The point is to legitimise “critical curiosity” as a skill rather than a nuisance. When a customer’s projected income is an order of magnitude higher than the sector norm, the right response is not to copy and paste it into the KYC form. It is to ask questions and, unfashionable though it may be, to write down the answers.

High risk onboarding: between Caracas and compliance

Session three took this instinct for sceptical curiosity and dropped it into the deep end: onboarding clients whose very existence gives risk committees palpitations.

Practitioners from intelligence consultancies and banks swapped war stories. Enhanced due diligence (EDD) was a recurring theme. The panel argued EDD cannot credibly be outsourced entirely to databases and OSINT vendors. In opaque markets, there is no substitute for local human sources who understand which newspapers are mouthpieces, which “regulators” are letterhead level frauds, and whether a politician’s wealth predates his time in office or appears suspiciously on the day he leaves it.

Crucially, one of the most effective solutions will often involve the client itself. Compliance teams are often squeamish about asking blunt questions, and concerned about “tipping off”. Yet as one speaker pointed out, there is a world of difference between ringing someone to say “the SFO has just been in my office asking about you” (a real prosecuted example) and saying “to get this over the line , I’m going to need chapter and verse on how you made your money”. 

Companies House: not clean, but very useful

The fourth session put Companies House under the microscope. The new identity verification regime may be welcome, but anyone treating the register as “clean” has not spent enough time in the advanced search tab.

The tricks demonstrated were simple, powerful and, for UK based institutions, free. How many companies share this registered address and does that address appear to be a family semi in a resolutely uncommercial cul-de‑sac? How many dissolved entities share directors, SIC codes and advisers with that shiny new trading company whose relationship manager insists is “a great opportunity”?

Perhaps most sobering was the revelation that Companies House’s own aggregation of directorships is often incomplete. Searching for an individual via their officer page might reveal eight appointments. Searching the same name afresh, with alternate spellings, middle initials or accents, produced several thousand. Criminals, it turns out, have discovered Ctrl+F.

AI: the shiny hammer and the very complicated nail

After lunch, attention turned to the inevitable: artificial intelligence. The question posed was not whether AI would transform financial crime control, it already has, but whether anyone is quite sure into what.

The case for the machines is well rehearsed. Machine learning models excel at gobbling up oceans of data: millions of transactions, hundreds of corporate structures, gigabytes of open source chatter. They can spot behavioural anomalies, subtle shifts in how a customer spends, sends or receives funds, long before a human analyst would notice. They can do entity resolution across shell companies more quickly than a roomful of analysts with coloured pens.

Less often talked about are the drawbacks. AI finds anomalies; it does not know which ones matter. Give it mis-specified rules and poor quality training data, and it will diligently deliver nonsense at scale. One speaker described models breathlessly flagging a “4,000 alerts per month crisis” in a bank whose true baseline, once someone bothered to check, turned out to be an annual rolling total. 

Psychology

There is also the problem of human psychology. Generative models respond with an air of unshakeable confidence, generating not just answers but authoritative sounding conclusions. Faced with such certainty (and maybe pressure to get things moving), junior staff may find it easier to click “accept” than to admit they disagree with the machine. The panel referred to this as “cognitive surrender”, the quiet offloading of judgement to a tool whose workings neither the user nor the vendor fully understands.

Governance, therefore, becomes the dull but vital star of the show. Good practice, in the panellists’ view, involves (at least) three disciplines. First, a human must always remain in the loop, with the clear authority to override the model. Second, every AI assisted decision needs an audit trail: which data were fed in, which prompts were used, which documents underpinned the answer. Third, senior management must understand enough about AI to ask intelligent questions of their own teams, rather than treating “we use AI” as a talisman against regulatory displeasure.

The discussion also veered into climate. Training and running large models is energy hungry; some estimates suggest an AI query consumes ten times the energy of a standard web search and significant quantities of cooling water. Data centres, it turns out, are real places with real turbines, sometimes planted in already deprived communities that could do without one more source of respiratory problems. Artificial intelligence, it seems, is not quite as virtual as its marketing suggests.

Howlers, balloons and the veto that dare not speak its name

If the morning was about promise, the mid‑afternoon “howlers” session offered a bracing reminder of reality: the recurring ways firms still get it wrong, even with better laws and shinier tools.

Common failings are depressingly familiar and include; treating existing customers as automatically safe when they apply for new products; forgetting to re‑check the FCA Register before opening a client money account for a firm whose ability to hold client assets has been publicly restricted; agreeing to voluntary restrictions with the regulator (e.g. no high‑risk customers) and then failing to adjust onboarding systems, with predictable enforcement consequences.

The balloon debate that followed tried to answer an awkward question: who, exactly, is supposed to stop this sort of thing? An argument was advanced, with some justification, that compliance officers already have a de facto veto. A statutory manager with personal liability under SMCR is unlikely to be cheerfully overruled by a growth-hungry business head.

Counter-argument

The counter-argument advanced was that formalising such a veto is precisely how to breed a “computer says no” culture. If the first line believes that “compliance owns the risk”, it will inevitably treat AFC as an adversarial gatekeeper, drip feeding it carefully curated information and blaming it for every declined deal. Better it was argued, to squarely plant financial crime risk ownership in the business, and keep the MLRO as an influential, noisy but ultimately advisory conscience.

On KYC refresh, the audience was similarly split. Large banks with sophisticated data and monitoring capabilities might wax lyrical about perpetual KYC: dynamic, trigger driven views of customer risk that make three-year cycles look, it was said, positively Victorian. Others, especially from smaller institutions, often maintained a soft spot for periodic reviews as a safety net, the only time anyone looks at the entire customer picture without the distortion of a single alert. The consensus, if there was one, favoured hybrid models: trigger driven surveillance for most, anchored by occasional structured sanity checks.

Fraud and AML: the great uncoupling

The final session turned to a structural oddity that criminals have exploited for years: the tendency of firms to treat fraud and AML as separate universes. Internally, fraud tends to belong to operations or customer services; AML to risk and compliance. Externally, regulators split responsibility between conduct and prudential teams. Criminals, inconveniently, do neither.

Panellists described cases where fraud teams diligently closed mule accounts, refunded victims and moved on while AML teams, in another part of the building, contemplated the same payment flows in isolation and concluded they lacked sufficient suspicion to file a SAR. The result: neat profit and loss statement and a tidy fraud loss report, but little in the way of useful intelligence for law enforcement.

Bringing the disciplines together does not require an organisational revolution. Some of the most effective changes described were deceptively simple: shared case management systems, joint forums for typology development, deliberate career paths that move good investigators between fraud and AML rather than locking them in silos. The payoff is a richer understanding of customer behaviour and a far lower chance that one team will diligently fix what the other never quite notices.

The quiet shift (with strings attached)

By the time the last questions were taken, a pattern had emerged. The innovations under discussion during the course of the day were not exotic regtech baubles or grand policy pronouncements. They were, for the most part, unglamorous changes in how existing tools are used: looking again at Companies House, sharing information that has been there all along, asking awkward questions that were previously ducked, wiring fraud and AML together so that lessons learned in one corner of the firm do not die there and, of course, a measured use of the AI potential.

This is not quite the dawn of a brave new era but more the discovery that the profession has been issued with a sharper spade and a slightly better map. Whether those end up digging criminals out of their tunnels or just a deeper hole for the same firms will depend on whether anyone actually skilfully uses them.