.svg)
There is much debate about the suitability of AI for financial crime compliance. But for too long that debate has been relatively binary, and it’s the wrong framing for where the industry now stands. Because if you look closely, financial crime compliance is no longer choosing between promise or peril; it’s experiencing them simultaneously.
The promise is real. Technology is maturing, regulation is catching up, and the will of the industry and regulators is aligning behind transformation. We’re seeing tangible results, not theoretical benefits. Australia Post is a case in point. As it evolved from traditional postal services into digital banking and financial services, it implemented modern AML systems that reduced false positives by more than 50% while increasing accurate detection of unusual activity by 135%. That’s not incremental optimisation; that’s a step-change in operational effectiveness. More importantly, it had real-world impact; contributing intelligence that helped dismantle a cross-country money laundering syndicate.
This is what promise looks like when it moves beyond pilots and into production.
But the peril is evolving just as quickly. And it’s being driven by the same force: AI.
Australian fraud and fincrime trends
The Napier AI / AML Index highlights the scale of the challenge. In 2024–2025, Australia lost an estimated $87.39 billion (AUD) to money laundering. While AI presents an opportunity to recover an estimated $2.65 billion, the trajectory is concerning. Losses are growing at 3% year-on-year, while the cost of compliance is rising at 9%—well above global averages.
This imbalance matters. It signals a system under strain, where increasing spend isn’t translating into proportional improvements in outcomes.
At the same time, criminals are industrialising their operations. AI is being used to automate and scale typologies such as smurfing, synthetic identity creation, and mass-market scams. These aren’t new techniques, but AI has fundamentally altered the economics behind them. What was once labour-intensive is now algorithmically optimised. What was once small-scale is now global and persistent.
In Australia, the most commonly observed typologies identified by the AI / AML Index reflect this shift:
- Human exploitation and trafficking enabled through money muling networks
- Drug-related financial flows through informal systems like hawala banking
- Cyber-enabled financial crime, including large-scale smurfing campaigns
This is the attacker’s advantage: lower cost, higher volume, and faster iteration.
AML’s structural problem: built for a different era
If criminals are operating with AI-native capabilities, most AML systems are not.
Legacy platforms were designed for a very different world, one of batch processing, static rules, and manual investigations. Screening overnight was considered best practice. Rule changes were infrequent. High alert volumes were accepted as the cost of doing business.
That model no longer holds.
And yet, many institutions are attempting to “modernise” by layering AI onto these legacy environments. On the surface, it looks like progress. In reality, it often just entrenches the problem.
If rule changes still take months, if decisioning remains too slow for real-time intervention, and if upgrades are episodic rather than continuous, then automation hasn’t transformed the system it has simply obscured its limitations.
The result is a growing disconnect: a modern threat landscape colliding with outdated infrastructure.
Why AML has lagged behind the AI adoption curve
There are reasons AML has been slower to adopt AI than adjacent domains.
It is high risk, mission critical, and—unlike fraud—doesn’t have a direct financial loss budget line to justify investment for banks. That has historically made the business case harder.
But that dynamic is changing.
AML is increasingly becoming the bottleneck to growth. We’re seeing regulators delay or block product launches and market expansion until remediation programmes are completed and validated. In that context, AML is no longer a cost centre, it’s a strategic dependency.
And it is ripe for transformation. Few domains are as burdened by manual, repetitive processes and high FTE overhead. The challenge is not whether to introduce AI, it’s how to do so safely.
This is where many institutions struggle. The risk of false negatives (missing true criminal activity) means that simply layering AI into existing rule-based engines without a clear understanding of the underlying risk profile can increase exposure.
The answer isn’t to aim for zero false positives. That’s neither realistic nor desirable. The answer is to start with a robust, compliance-first, risk-based assessment: defining what risk is acceptable, what must always be reviewed, and what can be safely automated. There will be false positives that sit within certain risk thresholds that your policies say must be reviewed by a human in the loop. That is part of a robust risk-based strategy.
AUSTRAC is not holding back innovation
There’s a persistent myth that regulation is holding AI adoption back. The evidence suggests the opposite.
Across major jurisdictions, regulators are not only permitting AI in financial crime compliance, they are actively encouraging it. Australia, for example, ranks among the top globally for a positive view of the regulator’s role in supporting adoption of AI for AML. Financial institutions increasingly view regulatory expansion into new sectors as modernisation, not burden.
But there is a tension.
Regulatory frameworks, including sandboxes, AI governance models, and outcomes-based supervision all assume that firms are operating on modern, transparent, and flexible technology foundations. In reality, many are not.
This gap creates risk. Not because regulation is too strict, but because it is calibrated for a level of technological maturity that isn’t yet universal.
Bridging that gap requires focus on foundational capabilities: scalable architecture, integrated data environments, configurable workflows, continuous testing, and automated maintenance. Without these, AI adoption will remain constrained not by regulation, but by infrastructure.
Human-in-the-loop: from principle to production
As AI adoption accelerates, the role of human judgement becomes more important.
We are already seeing regulatory scrutiny in this area. A recent Federal Court of Australia judgement highlighted the risks of relying on large language models to summarise complex material without proper human validation. The issue wasn’t the use of AI itself, it was the absence of accountable oversight.
In practice, “human-in-the-loop” must be defined through a risk lens.
Low-risk scenarios can—and should—be fully automated, with appropriate monitoring and sampling. High-risk decisions, however, require explicit human review, supported by explainable AI outputs. The dividing line between the two must be grounded in a rigorous risk-based assessment.
This is not a regulatory prescription, it is an institutional responsibility. And should be approached with that mindset: compliance-first not check-the-box.
The most effective models combine three modes of operation:
- Fully autonomous automation for low-risk activities
- AI-assisted decisioning for medium-risk scenarios
- Human-led investigation and validation for high-risk cases
Crucially, domain expertise remains central. Analysts are not replaced, they are repositioned even elevated. Their role becomes one of expertise not volume of effort: defining normal behaviour, validating model outputs, and continuously improving detection through feedback loops.
AI in Australian AML operations
If there is one takeaway for organisations, it is this: AI in AML is no longer an experiment. It is an operational requirement.
But success depends on how it is implemented.
Any new AI capability must be built with an evidentiary trail from day one. Explainability, auditability, and validation cannot be retrofitted. Equally, the focus should be shifting beyond copilots and incremental enhancements towards agentic AI and automated decisioning—areas where tangible impact is already being demonstrated.
Finally, there is a talent dimension that cannot be ignored. Embedding data scientists within AML teams is no longer optional. Effective AI requires continuous validation against domain expertise and evolving typologies.
From Inflection to Action
So, are we closer to promise or peril?
The answer is both. But more importantly, we are at the point where standing still is the greatest risk of all.
The institutions that succeed will not be those that experiment with AI in the edge cases. They will be the ones that rethink AML from the foundation up, aligning technology, risk, and regulation into a system designed for the world as it is, not as it was.
That’s where promise becomes reality.
