Written by Rob Cutler, Managing Director, Nexus AML
Financial crime compliance is being reshaped by artificial intelligence faster than any other area of financial services. But the companies with the best results are not the ones that automate the most, but the ones that balance rules, people, and AI as a deliberate operational choice.
Attend any compliance conference in 2026 and one topic will dominate the conversation: artificial intelligence. Agent systems, large-scale inference models, and generative AI for case explanations are key topics. The pitch deck is crowded with promises of smooth processing and significantly reduced headcount. The numbers behind this trend are surprising. According to Fenergo research, the usage of advanced AI tools in KYC and AML will jump from 42% in 2024 to 82% in 2025, with companies in Singapore (92%), the US (79%), and the UK (77%) leading the way in adoption.
But as technology accelerates, the regulatory boundaries around it are tightening. The UK’s Financial Conduct Authority has made it clear that it will not introduce an AI-specific rulebook. Instead, we expect companies to apply existing principles of governance, accountability, and accountability to all AI deployments, and to hold senior managers personally accountable for results. Across the Atlantic and in Asia, the message is similar. “The algorithm decided that” is no longer an acceptable answer for regulators or customers.
This tension between the commercial appeal of automation and the regulatory demands of regulation is forcing a more mature discussion about how financial crime activities should be structured in practice. In my opinion, the answer is not to choose a winning technology. It aims to design an operating model around three complementary analysis methods: Rule-based logic, human execution, AI and machine learning.
For more information about this operating model, see: Nexus AML three method framework.
Opposition to the idea of a single methodology
Each of the three methods has been heralded as the future of financial crime detection at various points in the past decade. Rules-based engines powered the first generation of transaction monitoring and sanctions review systems and remain the backbone of most compliance programs. The final decision maker in edge cases is always a human investigator. Big new entrants, AI and machine learning, are now positioned as dominant models.
One or the other framing does not survive when it comes into contact with actual operations. Each method has distinct strengths as well as distinct limitations.
Rules-based logic provides certainty, speed, and auditability. If a company wants to automatically reject all transactions related to sanctioned jurisdictions, a deterministic rule will do this consistently every time. The trade-off is that rules have a hard time dealing with messy or unstructured data, and adding more rules to cover edge cases gradually makes the system layered, brittle, and difficult to explain.
Human execution provides context, judgment, and adaptability. A skilled analyst can weigh conflicting signals, interpret incomplete information, and apply a company’s risk appetite in ways that are extremely difficult to codify. The limitations are well known. Human reviews are costly, it’s difficult to scale capacity up or down based on demand, and there are inconsistencies when different analysts interpret the same data differently.
AI and machine learning provide scale and pattern recognition at marginal costs that rule-based systems and human teams cannot achieve. Models can detect anomalies hidden in billions of data points, summarize cases, create suspicious activity reports for review, and, in the case of new agent systems, pull data from multiple sources to assemble investigations end-to-end. However, AI models do not truly understand context. They can hallucinate, drift over time, and reproduce biases in the data they were trained on. Importantly, in high-risk AML processes, many models cannot be easily explained in plain language. This issue applies directly to regulatory expectations.
None of these methods work well on their own. The most powerful operating models treat these as building blocks that can be intentionally combined, monitored, and rebalanced as risks and regulations evolve.
Three factors that determine the mix
If the question isn’t “which way?” but “how much of each and where?” the answer comes down to three variables: complexity, reproducibility, and data availability.
Complexity relates to the number of data points used and how they interact. A retail customer might involve 30 or 40 data points. A multijurisdictional corporate structure may involve thousands of subsidiary companies. As complexity increases, so does the value of human judgment and of AI tools that can reveal relationships at scale. Pure rules become unwieldy.
Reproducibility is how similar each case is to the next. AI models can learn patterns, so they work through repetition. When every case is truly different, such as a mix of individual accounts, shell entities, and unusual corporate structures, the model struggles and human analysts become essential.
Data availability is the third and often most underestimated factor. Both rules and AI rely on clean, easily accessible, and structured information. In the real world, especially in cross-border financial crime operations, data is often limited, difficult to obtain, or inconsistently recorded. The presence of human analysts enables companies to make defensible decisions even when data is incomplete and allows them to track down missing information.
Why does the balance keep changing?
A good mix isn’t static. As patterns become clearer, you can organize your work into rules. As you scale, repeatable tasks can be moved to AI. If the process starts to fail or the environment changes, work can be pulled back to human execution. Actively managing the mix, rather than a one-time transformation program, is what separates the strongest operating models from the weakest.
This is important because financial crime itself is never static. The United Nations Office on Drugs and Crime estimates that global financial crimes cost up to $2 trillion annually, and criminal techniques have become significantly more sophisticated. According to industry research cited by Silent Eight, deepfake-related fraud in the U.S. increased by more than 1,100% in early 2025, and synthetic ID document fraud increased by 300% over the same period.
Every control a company puts in place will eventually be examined for weaknesses. Because rule-based systems are predictable by design, they can be exploited repeatedly once a threshold is identified. AI is less predictable, but can be reverse engineered by understanding patterns. Human analysts, who apply suspicion and reasoning, are the most difficult layer to game systematically. That in itself is an argument for continuing to implement all three methods.
Governance questions regulators are actually asking
Regulatory expectations regarding AI in financial services are rapidly taking shape. The FCA’s 2025 AI Update makes it clear that companies need to embed AI into their existing governance frameworks, particularly senior management and attestation schemes, and consumer obligations. In June 2025, the FCA and the Information Commissioner’s Office announced they would create a joint legal code of practice for companies developing or deploying AI for automated decision-making. Similar themes around explainability, human oversight and lifecycle risk assessment are emerging from EU AI legislation, MAS in Singapore, and supervisory authorities in Australia, Canada and Thailand.
The practical implications for AML operations are important. Companies cannot introduce opaque models into high-risk processes and explain them as “AI decisions.” You need to demonstrate who is responsible, how the model was tested, how its output will be monitored, and what the fallbacks are if the model drifts or fails. Financial Action Task Force (FATF) It also emphasizes the importance of risk-based oversight, accountability, and governance as financial institutions expand their use of advanced technology in compliance operations.
Equally important is what I call the connected ecosystem. Companies struggling with AI governance typically technology developerregulatory experts and front-line operational teams become silos. Without practitioners who understand all three techniques and their underlying typologies, regulations, and investigative practices, it becomes very difficult to know whether upstream models are filtering the right information or silently discarding important cases.
More information about how an integrated compliance technology ecosystem is being developed can be found at: Nexus AML Technology.
Design for the next 10 years, not the past 10 years
Automation and AI will continue to expand their influence in financial crime activities. The economics are too compelling and the volume too high for any other outcome. But the companies that succeed over the next decade may not be the ones that automate the most. These are more likely to treat AML not as a static system to be optimized, but as an adaptive capability that is intentionally designed, tightly managed, and continuously improved.
In such an environment, the value of a well-defined three-way framework is less about which technology a company chooses today and more about its ability to continue to rebalance as the threat landscape, data, and regulations all continue to change.
This article was contributed by Nexus AMLis a managed services company that provides financial crime activity support to regulated entities.
