JUNE 16, 2026
%22%3E%3Cpath%20d=%22M12%206.18945C12%205.99054%2011.921%205.79978%2011.7803%205.65912%2011.6397%205.51847%2011.4489%205.43945%2011.25%205.43945S10.8603%205.51847%2010.7197%205.65912C10.579%205.79978%2010.5%205.99054%2010.5%206.18945V14.4395C10.5%2014.5717%2010.535%2014.7015%2010.6014%2014.8158S10.7632%2015.0249%2010.878%2015.0905l5.25%203C16.3003%2018.1836%2016.5022%2018.2056%2016.6905%2018.1518%2016.8788%2018.0981%2017.0386%2017.9728%2017.1358%2017.8028%2017.2329%2017.6327%2017.2597%2017.4314%2017.2104%2017.2419%2017.1612%2017.0523%2017.0397%2016.8896%2016.872%2016.7885L12%2014.0045V6.18945z%22%20fill=%22%23111%22/%3E%3Cpath%20d=%22M12%2024.9395c3.1826.0%206.2348-1.2643%208.4853-3.5148C22.7357%2019.1743%2024%2016.1221%2024%2012.9395c0-3.18264-1.2643-6.23489-3.5147-8.48533C18.2348%202.20374%2015.1826.939453%2012%20.939453S5.76516%202.20374%203.51472%204.45417C1.26428%206.70461.0%209.75686.0%2012.9395c0%203.1826%201.26428%206.2348%203.51472%208.4852C5.76516%2023.6752%208.8174%2024.9395%2012%2024.9395zm10.5-12c0%202.7847-1.1062%205.4554-3.0754%207.4246-1.9691%201.9691-4.6398%203.0754-7.4246%203.0754-2.78477.0-5.45549-1.1063-7.42462-3.0754C2.60625%2018.3949%201.5%2015.7242%201.5%2012.9395c0-2.7848%201.10625-5.45554%203.07538-7.42467S9.21523%202.43945%2012%202.43945c2.7848.0%205.4555%201.10625%207.4246%203.07538C21.3938%207.48396%2022.5%2010.1547%2022.5%2012.9395z%22%20fill=%22%23111%22/%3E%3C/g%3E%3Cdefs%3E%3CclipPath%20id=%22clip0_1107_2521%22%3E%3Crect%20width=%2224%22%20height=%2224%22%20fill=%22%23fff%22%20transform=%22translate(0%200.939453)%22/%3E%3C/clipPath%3E%3C/defs%3E%3C/svg%3E){kind=small}
31 min listen
Host
Tune in to the Full Podcast Episode Below
Listen now on
For most of the last twenty years, AML and financial crime compliance was structured around a single question: did you have the systems and processes in place? KYC, transaction monitoring, sanctions screening, SAR generation. If the boxes were ticked, the institution was compliant.
That model is ending.
In this episode of the Fintech Garden Podcast, host Dumitru Condrea sits down with Adam McLaughlin — Director of Financial Crime Product at Fenergo, former UK police detective at City of London Police, former AML compliance lead at JP Morgan, and former Global Director of Financial Crime Strategy at NICE Actimize — to unpack what has actually changed.
The summary is honest. The regulatory frame is shifting from technical compliance to outcome-based assessment. Most institutions are still operating on the architecture of the old model. And — the part most vendors will not say out loud — the good guys are not winning. They are holding the line.
The Shift From Tick-Box to Outcome-Based
The first generation of financial crime technology, which entered banking in the mid-1990s, was rules-based and siloed.
Each vendor sold a specialised piece. Each bank ran four or five different systems for different lines of business — retail, wholesale, investment, trade.
Even within the same institution, the same customer could exist as four different records across four systems that never spoke to each other.
The regulators of the era reinforced the model. KYC was a procedure. SARs were a deliverable. Alert volume was a KPI.
Criminals adapted. They learned exactly what the static systems looked for. They went around the controls.
What is now changing — driven by FATF standards and the regulators that follow them — is the question being asked.
The old question: do you have the systems in place? The new question: are you actually identifying and stopping financial crime?
This is the shift from technical compliance to outcome-based assessment.
It is the most consequential change in AML in two decades, and most institutions are still working out what it means for their operating model.
The Siloed KYC Problem Inside Large Banks
The legacy architecture is the constraint.
Large banks frequently operate four KYC systems — one for retail, one for wholesale, one for the investment side, one for trade — that don’t talk to each other. The same customer can exist as four separate records.
This is not a 1990s problem. Adam is clear that institutions are still working through it now.
The strategic implication is that contextual monitoring — the foundation of outcome-based compliance — cannot be built on top of siloed data.
The work of consolidating data foundations is unglamorous, expensive, and slow. It is also the work that determines whether everything else functions.
The institutions that have not started have a runway problem. The institutions that have started have a complexity problem.
Either way, the unified customer view is the prerequisite for everything the regulators are now asking about.
“Do I Understand My Customer?”
Adam reframes the entire compliance conversation around one question.
Do I understand my customer? Yes or no.
Most institutions cannot honestly answer yes. KYC, treated as a tick-box exercise, produces documents but not understanding. Identity is verified. The deeper context — who the customer actually is, what they do, who they associate with, what abnormal looks like for this specific profile — gets lost in the operational mechanics.
The further an institution can move toward genuinely answering yes to that question, the easier it becomes to identify what is abnormal.
The criminals, Adam notes, have not fundamentally changed their playbook in decades. New typologies layer on. Crypto adds complexity. AI compounds the speed. But the underlying structure — move funds from A to B, through corporate vehicles, with services support, across jurisdictions — has been stable for a long time.
The asymmetry that institutions can address is in understanding the customer well enough to spot the deviation. It is not in chasing every new wrapper.
The Honest Answer on Whether We’re Winning
This is the part of the episode that should reset most internal narratives.
Asked whether AML technology, AI, and better data have shifted the balance, Adam’s answer is direct.
We are not winning. We are holding the line.
New schemes emerge as old ones close. Sanctions add friction but do not eliminate the problem. Crypto, AI, and embedded finance compound the operational complexity for both sides.
The honest framing — the goal is to make the cost of doing business higher for criminals, not to eliminate crime — is more useful than the marketing one.
It also changes how institutions should set their internal targets. The KPI is not “have we won.” The KPI is “have we made the system more expensive and more risky for the bad actors.”
That is a different kind of success metric, and it is the one actually being assessed.
The Two Real Gaps Are Data and Information Sharing
A common assumption is that the gap in financial crime is technological. Adam pushes back.
The technology — AI, network graph analytics, anomaly detection, pattern recognition — is mature. The gaps are upstream.
Gap one is data. The contextual information needed to answer “do we understand this customer” is often outdated, missing, or fragmented across systems that don’t talk to each other. The model can only reason about what it can see.
Gap two is information sharing. Criminals operate across multiple institutions deliberately, spreading operational risk. A South American cartel working with Albanian gangs, Italian intermediaries, and Chinese networks does not respect data privacy law. They share what they need to share.
Banks, constrained by GDPR and equivalent regimes globally, have historically been unable to share information about suspicious customers between themselves.
This is the structural asymmetry that hurts most. It is also the gap that’s finally moving.
Information Sharing Is Moving — Slowly
The legislative direction is set, even if the pace is uneven.
Article 75 in Europe is enabling controlled private-sector information sharing for AML purposes.
Section 314(b) in the US has existed for years as the framework for inter-institutional sharing in support of investigations.
Canada is now bringing equivalent legislation forward.
The dial is moving. The pace, relative to how quickly criminals adapt, is the question.
For institutions designing 2027 and 2028 roadmaps, the implication is concrete. The information-sharing layer is going to be part of the operating model. The data architecture should be designed with that in mind now, not retrofitted later.
Sanctions Still Matter, But Evasion Is the Battle
Adam pushes hard on the question that many in compliance privately ask but rarely say out loud.
Do sanctions lists still matter? Yes. But the way they matter has shifted.
The point of a sanction is to raise the cost of doing business for those listed. Sanctioned individuals cannot freely move money into Western financial systems. They have to find alternative routes, third-party companies, neutral jurisdictions — all of which are more expensive and slower than direct access.
The new front is sanctions evasion through neutral countries.
These are jurisdictions that have not sanctioned Russia, Iran, or other targeted states, but maintain active financial and commercial relationships with the West.
This dual position becomes a structural weak point. A company in a neutral country, owned by a third party who is not sanctioned, can receive funds from a sanctioned source and route them onward into Western markets.
The tools to close this gap are network analytics and pattern recognition, applied to the relationships between entities rather than the individuals themselves.
Sanctions lists are not obsolete. They are the starting point, not the endpoint.
The Professional Services Network Around Organised Crime
This is the part of the conversation operators sometimes miss.
Organised crime does not exist in isolation. Around it sits a layer of designated non-financial businesses and professions — DNFBPs in the regulatory language.
Accountants. Law firms. Notaries. Incorporation agents. Formation specialists. Often family businesses, sometimes operating for decades.
Each one serves a portfolio of clients. Some of those clients are legitimate. Some are criminal enterprises. Some are both.
The same law firm may be servicing half a dozen organised criminal groups without filing a SAR on any of them.
These professional service providers are the structural layer that allows organised crime to interface with the regulated financial system. They incorporate the corporate structures. They handle the formation paperwork. They open the accounts.
The KYC question, therefore, evolves.
It is no longer just “Is this customer a criminal?” It is “Is this customer supporting a criminal enterprise?”
Most institutions are not yet built to answer the second question.
AI Is a Tool, Not a Silver Bullet
The episode is direct about AI’s actual role in financial crime.
AI is use-case driven. Different problems require different AI:
— Supervised machine learning for known patterns. — Unsupervised learning for anomaly detection. — Agentic AI for orchestration across systems. — Network graph for relationship analysis.
The pervasive misconception — that AI will solve financial crime — is one Adam pushes back on hard.
AI cannot replace bad governance. AI cannot fix inexperienced staff. AI cannot make a poor process work.
What AI can do is augment good people. It can assess data at scale much faster than any human. It can point investigators in the right direction. It can surface the data points that matter. It can automate the repetitive work that consumes investigator time.
The human-in-the-loop remains essential for high-touch decisions. AI guides. The human decides.
This framing matters for operators because the alternative — assuming AI will absorb the complexity — produces worse outcomes than the prior generation of tools.
Crypto Investigation: Easier and Harder at the Same Time
Asked whether crypto makes investigation easier or harder, Adam’s answer is both.
Easier, because the blockchain is the most traceable financial ledger ever built. Every transaction, every hop, every wallet is recorded permanently. The early myth that crypto was inherently anonymous has largely collapsed. Most Virtual Asset Service Providers now perform KYC and transaction monitoring. Most major chains are transparent.
Harder, because there is no equivalent of the travel rule.
In fiat payments, every transaction carries identifying metadata — sender, receiver, amount, account numbers, payment messages — passed through Swift or similar centralised infrastructure. The rules are owned and enforced by a central authority.
Crypto, as a decentralised system, has no central owner of the format. Implementing a travel rule equivalent is structurally difficult. Who defines it? Who enforces it?
Investigators must request KYC information from each VASP individually. This prolongs the investigation cycle compared to fiat tracing.
The visibility points that matter most are the on-ramps and off-ramps — where crypto converts to or from fiat. These are the moments when the underlying identity surfaces, and they are where investigative effort produces the highest leverage.
What the Next Ten Years Look Like
Adam’s view of the decade ahead is operational and specific.
More collaboration between financial institutions, including private-sector cooperation that goes beyond formal information-sharing legislation.
Shared KYC databases, where multiple banks validate against a centralised customer profile rather than each performing the same exercise independently.
Joint transaction monitoring, conducted at the network level rather than within individual institutions.
AI applied at scale and speed to pattern analysis that is currently impossible at the institutional level alone.
Real-time suspicious activity flagging across the ecosystem.
And, on the counter-side, criminals are using the same AI to find holes in the new controls.
The endpoint is not victory. Adam is consistent on this throughout the conversation.
The endpoint is a more expensive, more contested, and more transparent operating environment for organised crime — one that reduces, though does not eliminate, the volume of criminal activity that successfully completes.
For operators building in this space, the strategic question for the next 24 to 36 months is not “how do we win.” It is “how do we make ourselves part of the collaborative architecture that is finally being built?”
The institutions that figure this out early will own a meaningful position in the next phase of compliance. The ones that don’t will be defending the old model long after the regulators have moved on.
Share article
Host
