Sign up
Subscribe
Home / news / AI attackers are breaking financial crime compliance
news

AI attackers are breaking financial crime compliance

AI attackers are breaking financial crime compliance

The old compliance playbook assumed the person on the other side of onboarding was human, time-constrained, and discouraged by friction. That assumption is now breaking down: AI agents can run thousands of applications at once, generate documents, spoof liveness checks, and build synthetic companies that look fine to standard KYB (know-your-business) controls.

  1. According to Duna, the financial industry spent three decades responding to fraud by adding more checks: more vendors, more workflow steps, and more document requirements. That approach made sense when the attacker was a person who could be worn down by delays and paperwork. It is much less useful when the attacker is a model with effectively unlimited time and near-zero marginal cost per attempt.
  2. The numbers in the source are the uncomfortable part. McKinsey & Company’s Agentic AI Report (2025) says only 2% of global financial crime is being detected today, even as the US spends $46bn annually on financial crime compliance and cumulative AML (anti-money laundering) fines since 2008 have reached $321bn globally. The point is not that compliance is cheap; the point is that it is expensive and still missing most of what it is supposed to catch.
  3. Four AI threat classes in identity verification are already being catalogued by regulators including FATF, Europol, and the FBI’s Internet Crime Complaint Centre (IC3) as of 2025. The first is AI-generated documents: large language models and image synthesis tools can produce utility bills, incorporation certificates, and beneficial ownership records that pass surface-level visual checks. If your document review depends mainly on template matching or OCR (optical character recognition), the source says that control is now weak.
  4. The second threat is deepfake video at onboarding. Real-time face-swapping and voice synthesis have reached the point where liveness checks can be defeated without specialised hardware. In practice, that means a control built to prove a human is present can now be passed by a synthetic face driven by a model.
  5. The third threat is synthetic companies. The source says it is now possible to create a company with a plausible digital footprint — registered address, director history, company number, and even adverse-media-free history — using public registries and AI-assisted content generation. Standard KYB checks that rely on registry data alone will not catch a synthetic company that is built to look clean on paper.

For PSPs, acquirers, and banks that still treat onboarding as a document-and-liveness problem, the practical takeaway is simple: the adversary has changed class. The control stack now has to deal with machine-generated identities, not just noisy humans trying to sneak through.

Weekly high-risk digest

Regulation, sanctions and payment news across your verticals — once a week, free.

Please check your inbox and click the link to confirm your subscription.

Please enter a valid email address!