By Rob Cutler, Managing Director, Nexus AML
Financial crime compliance is being reshaped by artificial intelligence faster than almost any other corner of financial services. But the firms getting the best results are not the ones automating the most, but the ones balancing rules, people and AI as a deliberate operating choice.
Walk into any compliance conference in 2026 and the conversation is dominated by a single subject: artificial intelligence. Agentic systems, large reasoning models, and generative AI for case narratives are major talking points. The pitch decks are crowded with promises of straight-through processing and dramatically reduced headcount. The numbers behind the trend are striking. According to research from Fenergo, the use of advanced AI tools in KYC and AML surged from 42% in 2024 to 82% in 2025, with firms in Singapore (92%), the United States (79%) and the United Kingdom (77%) leading adoption.
Yet even as the technology accelerates, the regulatory perimeter is tightening around it. The UK’s Financial Conduct Authority has been explicit that it will not introduce an AI-specific rulebook. Instead, it expects firms to apply existing principles around governance, explainability and accountability to every AI deployment, with senior managers remaining personally on the hook for outcomes. Across the Atlantic and in Asia, the message is similar: “The algorithm decided” is no longer an acceptable answer to a regulator or a customer.
This tension between the commercial pull of automation and the regulatory demand for control is forcing a more mature conversation about how financial crime operations should actually be built. In my view, the answer is not to pick a winning technology. It aims to design operating models around three complementary methods of analysis: rules-based logic, human execution, and AI and machine learning.
For a deeper explanation of this operational model, see Nexus AML’s three-method framework.
The case against single-method thinking
Each of the three methods has been treated, at various points over the last decade, as the future of financial crime detection. Rules-based engines underpinned the first generation of transaction monitoring and sanctions screening systems and remain the backbone of most compliance programmes. Human investigators have always been the final decision-makers on edge cases. AI and machine learning, the newest entrant at scale, are now being positioned as the dominant model.
The either-or framing does not survive contact with real operations. Each method has clear strengths and equally clear limits.
Rules-based logic delivers certainty, speed and auditability. If a firm wants to automatically reject every transaction linked to a sanctioned jurisdiction, a deterministic rule will do this consistently every time. The trade-off is that rules struggle with messy or unstructured data, and that adding more rules to cover edge cases gradually produces systems that become layered, brittle and hard to explain.
Human execution provides context, judgement and adaptability. Skilled analysts can weigh up conflicting signals, interpret incomplete information and apply a firm’s risk appetite in ways that are extremely difficult to codify. The limits are well known. Human review is expensive, capacity is hard to scale up and down with demand, and inconsistency creeps in when different analysts interpret the same data differently.
AI and machine learning offer scale and pattern recognition at a marginal cost that rules-based systems and human teams cannot match. Models can detect anomalies hidden across billions of data points, summarise cases, draft suspicious activity reports for review and, in the case of newer agentic systems, pull data from multiple sources to assemble investigations end-to-end. But AI models do not genuinely understand context. They can hallucinate, drift over time, and reproduce bias in the data they are trained on. Crucially, in high-risk AML processes, many models cannot easily explain themselves in plain language, a problem that runs directly into regulatory expectations.
None of these methods works well in isolation. The strongest operating models treat them as building blocks to be deliberately combined, monitored and rebalanced as risk and regulation evolve.
The three factors that decide the mix
If the question is not “which method?” but “how much of each and where?”, the answer comes down to three variables: Complexity, repeatability and data availability.
Complexity is about the number of data points in play and how they interact. A retail customer might involve 30 or 40 data points. A multi-jurisdictional corporate structure with layered subsidiaries can involve thousands. As complexity rises, the value of human judgement, and of AI tools that can surface relationships at scale, rises with it. Pure rules become unwieldy.
Repeatability is about how similar each case is to the next. AI models thrive on repetition because patterns can be learned. Where every case is genuinely different, such as a mix of individual accounts, shell entities and unusual corporate structures, models struggle, and human analysts become essential.
Data availability is the third factor and often the most underestimated. Both rules and AI depend on clean, accessible, structured information. In the real world, particularly in cross-border financial crime work, the data is often restricted, hard to obtain, or inconsistently recorded. Human analysts are what allow firms to make defensible decisions when the data is incomplete, and to chase the information that is missing.
Why the balance keeps shifting
The right mix is not static. As patterns become clearer, work can be codified into rules. As scale grows, repeatable tasks can be migrated to AI. When a process starts to fail, or the environment shifts, work can be pulled back to human execution. Active management of the mix, rather than one-off transformation programmes, is what separates the strongest operating models from the weakest.
This matters in part because financial crime itself is never static. The UN Office on Drugs and Crime estimates the global cost of financial crime at up to $2 trillion annually, and the methods used to commit it are becoming markedly more sophisticated. Deepfake-related fraud attempts in the US rose more than 1,100% in early 2025, according to industry research cited by Silent Eight, while synthetic-ID document fraud rose 300% in the same period.
Every control a firm puts in place will eventually be probed for weaknesses. Rules-based systems are predictable by design, so once a threshold is identified, it can be exploited repeatedly. AI is less predictable but can still be reverse engineered once patterns are understood. Human analysts, applying suspicion and reasoning, are the hardest layer to systematically game. That, in itself, is an argument for keeping all three methods in play.
The governance question regulators are actually asking
Regulatory expectations around AI in financial services have crystallised quickly. The FCA’s 2025 AI Update made clear that firms must embed AI within existing governance frameworks, particularly the Senior Managers and Certification Regime and the Consumer Duty. The FCA and the Information Commissioner’s Office announced in June 2025 that they would create a joint statutory code of practice for firms developing or deploying AI for automated decision-making. Similar themes around explainability, human oversight, and lifecycle risk assessment are emerging from the EU AI Act, Singapore’s MAS, and supervisors in Australia, Canada and Thailand.
The practical implication for AML operations is significant. Firms cannot deploy opaque models in high-risk processes and explain them away as “the AI’s decision”. They need to demonstrate who is accountable, how the model was tested, how its outputs are monitored, and what the fallback is when it drifts or fails. The Financial Action Task Force (FATF) has also emphasized the importance of risk-based supervision, explainability, and governance as financial institutions expand the use of advanced technologies in compliance operations.
Equally important is what I would call a connected ecosystem. The firms that struggle with AI governance are typically the ones that have allowed technology developers, regulatory specialists and front-line operations teams to drift into silos. Without practitioners who understand all three methods, and the typologies, regulations and investigative practice underneath them, it becomes very difficult to know whether an upstream model is filtering out the right information or quietly discarding important cases.
More details on how integrated compliance technology ecosystems are being developed can be found at Nexus AML Technology.
Designing for the next decade, not the last one
Automation and AI will continue to expand their footprint in financial crime operations. The economics are too compelling and the volumes too large for any other outcome. But the firms that succeed in the next decade are unlikely to be those that automate the most. They are more likely to be those that treat AML not as a static system to be optimised, but as an adaptive capability designed intentionally, governed rigorously, and improved continuously.
In that environment, the value of a clear three-method framework is less about which technology a firm chooses today, and more about its ability to keep rebalancing as the threat landscape, the data and the regulations all continue to shift.
This article is contributed by Nexus AML, a managed services firm providing financial crime operational support to regulated institutions.
