The Risk and Reg Edit: Autumn 2025 edition

In this edition of the Risk and Reg Edit, we examine some key developments in the financial crime arena, setting out suggested areas of focus for Risk and Compliance leaders seeking to position their organisations at the cutting edge of crime prevention.

Read on for our experts’ views on:

• Lessons from 2025 – and priorities for 2026
• The next-gen FIU: from reactive report-processing to predictive threat hunting
• Preparing for identity verification
• Increasing the effectiveness of Financial Crime Operations
• Crime still pays in 2025

Lessons from 2025 – and priorities for 2026

Elena Kalaitzi

For financial services organisations , the financial crime landscape in 2025 has continued to be challenging. With increased complexity driven by heightened regulatory expectations and the requirement for more sustainable compliance frameworks.

The full spectrum of financial crime risks is changing rapidly. Fraud typologies are also evolving, with AI-driven scams, synthetic identities, and deepfake-enabled fraud challenging traditional controls. Regulators are also imposing fines and expanding their focus to crypto, fintech, cross-border, and emerging risks.

Despite significant investment in next-gen technology, many firms still fall short on foundational compliance. In 2025, fines have been issued for fundamental failures such as inadequate customer due diligence (CDD), onboarding high-risk customers despite restrictions, ignoring law enforcement alerts, persistent weaknesses in transaction monitoring, and sanctions screening systems. These enforcement trends highlight a critical disconnect – while firms invest in advanced technologies to tackle new threats, basic compliance obligations remain a vulnerability.

Regulators are also driving greater accountability and harmonisation, with the Financial Conduct Authority (FCA) pushing proactive governance, the Financial Action Task Force (FATF) advancing transparency on legal persons and trusts, and the EU implementing the Anti-Money Laundering Authority (AMLA) and the Single Rulebook. Under the Economic Crime and Corporate Transparency Act (ECCTA), Companies House began mandatory identity verification for directors and people with significant controls (PSCs) on 18 November 2025, with a 12-month phased rollout. The UK’s new corporate offence of ‘failure to prevent fraud’ also took effect on 1 September 2025, requiring firms to embed reasonable fraud-prevention procedures.

Initiatives to support more effective intelligence sharing are also accelerating. For example, UK authorities are piloting real-time data-sharing initiatives between banks and the National Crime Agency (NCA). Already, this has identified eight criminal networks and supported 10 major investigations, with bank analysts seconded to the NCA to review suspicious transactions.

Looking ahead, financial institutions will need to continue digital transformation programmes, and develop more adaptive, intelligence-driven systems able to counter evolving threats.

Key priorities for 2026 should include:

• Updating due diligence processes to align with FCA guidance linking controls to institutional risk assessments. Recalibrate, enhance, and simplify due diligence thresholds, apply lighter checks for domestic Politically Exposed Persons (PEPs), and leverage new flexibility in senior management sign-off to reduce operational burden while maintaining oversight.
• Integrating AI and machine learning for real-time risk monitoring and fraud detection, analysing large data sets and adapting to evolving threats to keep controls robust against evolving fraud tactics.
• Updating governance for AMLA, FCA, and ECCTA, ensure clear accountability, tighten outsourcing controls, and adopt hybrid models with transparent audit trails for global compliance.
• Enabling secure intelligence sharing with institutions, regulators, and RegTech partners, leveraging Joint Money Laundering Intelligence Taskforce (JMLIT) and safe-harbour regimes to strengthen collective resilience against financial crime.
• Embedding fraud-prevention procedures, updating policies and training, and integrating onboarding with Companies House API for real-time verification and timely regulatory compliance.

2026 represents a critical inflection point, closing foundational control gaps, embedding AI-driven intelligence, and scaling collaboration are essential, and institutions that prepare for this will be well-equipped for the year to come.

The next-gen FIU: from reactive report-processing to predictive threat hunting

Gavin Lau

Bank Financial Intelligence Units (FIUs) are shifting from reactive report processing to proactive threat hunting, powered by AI. As financial crime becomes faster and more complex, after-the-fact analysis is no longer enough. Instead, banks must evolve into predictive intelligence centres to counter evolving criminal tactics and rising report volumes. While the FCA has yet to set firm rules for AI, it is showing a willingness to let innovation lead the way. But how far will regulators go to trust AI machines with the frontlines of financial integrity?

AI agents: redefining the art of financial crime combat

A new generation of AI-powered Financial Intelligence Units (FIUs) are evolving to not only detect financial crime but also anticipate it. While AI excels at triaging alerts, analysing unstructured data, and revealing hidden risks, its role in complex investigations remains unproven. Bias, hallucinations, and unreliable decisions make large-scale deployment risky. Yet, with global banks processing nearly a billion transactions monthly, leveraging AI for faster, more precise crime detection is more critical than ever.

Beyond patterns: towards prediction, reasoning, and network disruption

Modern FIUs now use advanced predictive models that leverage behavioural analytics, deep learning, and graph neural networks to anticipate criminal tactics before they reach the financial system. These models analyse millions of data points to detect behavioural shifts across entities and networks, while natural language processing extracts insights from Suspicious Activity Report (SAR) narratives and open-source intelligence that manual reviews often miss. This innovation is accelerating, with network analysis proving transformative.

AI tools can now map complex criminal networks, uncovering money-laundering rings that once went undetected. For example, our SARs-AI Intelligence solution has demonstrated how advanced natural language processing and graph neural networks can transform disparate SARs data into actionable, regulator-ready insights – enabling law enforcement to gain deeper insights and analysis into suspicious activity.

AI adoption shifts FIUs from reactive to predictive

Regulators and FIUs are sharpening their focus on real-world outcomes, prioritising crime disruption and asset recovery over box-ticking. With compliance risks top of leaders’ minds, the most forward-thinking FIUs are unifying AML, sanctions, and fraud data around the customer and modernising technology to ensure detection systems work seamlessly together. Investigators are evolving into strategic analysts, powered by AI agents that tackle complex analysis. The future-ready FIU will serve as a digital command centre blending behavioural analytics and live network mapping to track criminal networks, run predictive simulations, and outpace emerging threats, arming decision makers with rapid, actionable intelligence.

The future of FIUs: Intelligence, integration, and innovation

The momentum is unmistakable: 90 percent of financial institutions worldwide are leveraging AI to fight fraud and financial crime, improving detection and minimising customer friction. Regulators such as the FCA support this shift, so long as governance remains strong, while boards now demand real-world results, not just compliance. With AI driving speed and insights, and humans providing judgment, the industry stands at a crossroads: remain reactive or transform into proactive threat hunters. By combining responsible AI, robust intelligence, and strong oversight, FIUs can finally outpace financial crime instead of trailing behind it.

Preparing for identity verification

Daniel Sharpe

In September, the UK Government announced plans to create a new mandatory digital ID scheme – to prove individuals’ right to work . The full details have yet to be announced, but commentators are indicating that the scheme is likely to leverage the GOV.UK One Login unified account system and the GOV.UK wallet app.

Banks have been wrestling with the ID elements of ‘Know your customer’ (KYC) for many years – something that’s apparent from recent regulatory penalties for onboarding failures (over £20 million of fines have been issued on AML failings in 2025 alone). Any new digital ID scheme will have significant implications for financial institutions’ crime prevention, fraud mitigation, and compliance activities.

First, banks’ counter-fraud and data security capabilities could see a new form of high-confidence identification as a positive step. A new form of digital ID would tie directly back to a government maintained authoritative source, which could enhance confidence in the methods of verification and reduce the impact of AI generated synthetic identities. Digital systems, such as Sweden’s BankID, have helped to reduce the use of synthetic identities, building confidence in customer identification, trust in the wider ecosystem, and a more consistent way of authenticating. A survey conducted on Sweden’s BankID suggested that 95 percent of respondents trusted BankID, and 99 percent found it easy to use.

A new digital ID scheme could open up a conversation between public and private sectors, as the scheme will be led by the Cabinet Office and DSIT, but requires private sector engagement when considering the product rollout and adoption. This presents an opportunity for closer collaboration in the ecosystem, enhancing the overall intelligence picture. Providing a clearer path to public-private communication on economic crime.

As with any public sector initiative, it will be imperative for government to ensure that citizen data is protected, the roll-out is carefully planned and managed, and that the scheme is accessible to those with lower digital competencies. For the private sector, the potential for misuse and abuse of digital ID will also need to be carefully considered, and firms and regulators will want to grow customer confidence in the ID card.

Finally, a new scheme could prompt firms to review their Identify and Verification infrastructure, upgrade and extend systems that meet Digital Identity Attributes Trust Framework (DIATF) standards, and incorporate systems that can interact with the GOV.UK Wallet. This presents a transformative opportunity, to place greater trust in onboarding and ongoing monitoring processes, build a more consolidated but richer picture of a banking customer, and create more bespoke control and support across the ecosystem.

For now, we wait for more clarity from the UK’s Cabinet Office on the UK digital ID scheme, as further guidance is required on the impact to financial services firms from the FCA. Meanwhile, CROs can prepare for its potential impact with structured planning such as:

• In the short term, monitor legislative developments and public consultations, await guidance from the FCA on how this impacts Money Laundering Regulations, engage with the government participants in the Digital ID solution, and begin internal risk and readiness assessments
• In the medium term, pilot the integration of a new digital ID into onboarding and KYC workflows, leveraging ongoing due diligence processes to enhance forms of verification, begin staff training and customer education, develop fallback processes for non-digital customers, and review the firm’s service catalogue to determine where fraud prevention and anti-money laundering technology can be enhanced
• In the long term, firms can achieve full compliance with requirements for mandatory ID checks, and explore interoperability with international digital ID systems.

By engaging early and preparing for integration, firms can turn potential disruption into an opportunity to strengthen compliance, security, and customer experience.

Increasing the effectiveness of Financial Crime Operations

Sarah Mason

Financial crime continues to grow in scale and sophistication, placing pressure on firms’ operational capabilities. Traditional Financial Crime Operations (FC Ops) are taking the lead to investigate unusual activity, manage alerts, produce suspicious activity reports, undertake due diligence, and screening requirements. This is vital but labour-intensive work, much of which involves eliminating false positives.

Despite significant investments and widespread nearshoring or offshoring to control costs, the cost of compliance across EMEA has risen by 12 percent per year to reach £85 billion – driven by stricter regulatory requirements, increased transaction complexity, and the need for advanced monitoring.

While automation helps to reduce false positives, true effectiveness requires a full operating model rethink – integrating people, processes, and technology to create an agile, intelligence-led FC Ops function.

1. Technology: automation and beyond

AI and advanced analytics are revolutionising FC Ops, cutting false positives by up to 90 percent and uncovering hidden crime patterns. Risk-based alert prioritisation and natural language processing enhance data quality and contextual insights. Emerging AI Agents promise real-time detection and efficiency gains, but require strong quality assurance, bias controls, and ongoing model training.

2. People: upskilling and role evolution

Automation should augment, not replace, human expertise. Teams must upskill for analytical roles, understand explainable AI, and adopt “single case handler” models for ownership and speed. Clear RACI and agile structures reduce ambiguity and accelerate decisions.

3 . Process: streamlining for impact

Legacy, siloed workflows hinder efficiency and risk detection. Firms must streamline processes end-to-end, integrate risk views across the customer lifecycle, and avoid simply layering new tools onto outdated frameworks. Holistic redesign delivers lasting impact beyond short-term tech fixes.

An integrated approach to effectiveness

Enhancing FC Ops requires more than technology – it’s an organisational transformation aligning skills, processes, and technology. Leading this change cuts costs and accelerates risk detection.

With regulatory attention increasing, firms need a vision for FC Ops that blends automation with dynamic intelligence-led approaches.

Crime still pays in 2025 – how can firms raise the bar in the fight against fraud?

James Fanning and Lilly McKenzie

Fraud is big business for criminals. UK Finance estimates that fraud cost UK financial services firms £1.17 billion in 2024. Not to forget the human impact with people losing their savings, businesses and pensions. While criminals destabilise our economy and threaten the integrity of financial markets, fraud remains the biggest crime in the UK.

For banks, there have been significant steps taken to tackle banking-related fraud in recent years. Key changes include the introduction of dual-factor authentication, confirmation of payee requirements, and Authorised Push Payment (APP) fraud regulation. Governments have passed legislation, and firms have made enormous investments in combating fraud. But have these measures been successful?

UK Finance data shows that despite significant investment in anti-fraud measures, the overall picture remains largely unchanged. From 2023 to 2024, authorised fraud losses fell slightly (from £460 million to £451million), but this marginal improvement comes at the cost of new legislation and expensive processes. During the same period, unauthorised fraud continues to rise, increasing from £709 million to £722 million, with cases climbing from 2.7 million to 3.1 million.

The reality is clear: fraudsters are adapting faster than the industry. While controls against authorised fraud have reduced case numbers, criminals have simply shifted their focus to other methods. The lack of meaningful progress signals that current strategies are not working, and incremental tweaks will not be enough.

To make meaningful change, the industry, regulators, telecoms, social media platforms, government, and law enforcement need to better and faster predict the behaviours of criminals. This means using new technology, identifying vulnerabilities, and constantly adapting existing approaches to combat crime where intended results are not realised.

The focus must shift from isolated controls to strategic, data-driven prevention. For example:

• Harnessing adaptive AI, which continuously learns and evolves to counter emerging fraud patterns, and collaborative analytics that combines internal data with shared industry intelligence, to identify and interrupt fraud in real time with greater precision and early warning
• Delivering targeted customer interventions at critical moments by integrating behavioural science principles (such as nudges, timely alerts and decision framing) to improve digital risk education and reduce success rates for scams and social engineering
• Automating key actions using process mining technology and layer in expert review for complex or emerging threats, ensuring rapid adjustment as fraud tactics shift
• Creating unified customer risk profiles by integrating data from all channels to support context-aware decisions and more effective, tailored controls
• Building active partnerships with peer institutions, fintechs, and regulators to share threat intelligence and coordinate rapid collective responses when new fraud patterns emerge
• Regularly running adversarial ‘red team’ exercises and scenario-based drills to test controls against new fraud techniques, feeding lessons learned directly into policy and technology upgrades
• Anticipating regulatory change and evolving threats by stress-testing systems, operating models, and leadership accountability for quick response ensuring readiness for the next ‘failure to prevent’ threshold.

Adopting these changes will fundamentally shift the competitive boundary. Firms who move early, from patchwork controls to intelligent, networked, and agile models, will not only reduce losses, but gain trust and regulatory comfort.

Now is the time for the industry to lead innovation, be vigilant, and maintain a relentless focus on customer protection. The fight against fraud is perpetual but with smarter collaboration and continual adaptation, financial organisations can build a safer and more resilient future for everyone.

People trust us because of our deep knowledge of the regulatory system. Our experience working with regulators, banks, insurers, building societies, and others means we’ll give you advice that works in the real world. If you’d like to discuss any of these issues in depth with our experts, you can do so here.