Financial Crime Has Gone Industrial and the Industry Must Respond

The numbers are no longer shocking. That is itself the problem.

$442 billion. That is the estimated sum lost to scams globally last year - every transaction of it authorised by the victim, validated by their financial institution, and pocketed by criminals who, in many cases, never met their targets, never touched cash, and never operated within a jurisdiction that could pursue them. Interpol now ranks fraud among the world's largest criminal industries, alongside cocaine and heroin trafficking.

At Transform Finance's 4th annual FinCrime Leaders Summit in Europe, Amsterdam, more than 200 senior practitioners from banks, fintechs, regulators, and technology providers gathered to confront this reality. What emerged over the course of a day of unusually candid conversation was not a portrait of an industry in crisis but something more unsettling: an industry that knows precisely what it is up against, and is only beginning to mobilise accordingly.

The central argument, advanced from multiple directions throughout the day, was this: financial crime has industrialised. It has acquired the characteristics of a legitimate business sector - scale, specialisation, automation, global reach, and a relentless focus on return on investment. The institutions fighting it, by contrast, remain largely organised as they were twenty years ago: by regulatory category, by geography, by function. That mismatch is where criminals thrive.

The Industrial Criminal

The clearest illustration of this shift came not from a regulatory panel but from satellite imagery. A series of images tracking the growth of a single scam compound on the Myanmar-Thai border - from open fields in 2020 to a sprawling facility housing some 20,000 people by 2025 - drew audible responses from the room. These are not dens of opportunistic fraud. They are purpose-built facilities, staffed by what one fraud intelligence specialist described as the full infrastructure of a corporate operation: human resources functions, recruiting and managing workers (many of them trafficking victims coerced into service), IT teams running phishing kits, CRM systems tracking victim profiles, and finance functions managing the laundering chain.

Compounds once concentrated in Southeast Asia are now documented in Africa, Eastern Europe and Central America. One facility alone is estimated to house workers from 80 different nationalities. The expansion is rational; where the margins are high and the legal risk is low, capital flows.

The economics are startling. Fraud operations powered by artificial intelligence are, according to figures cited at the summit, 4.5 times more profitable than non-AI equivalents. A convincing deepfake video can be generated in minutes. Voice cloning requires ten seconds of audio. Fully scripted AI avatars - certified, credentialled, entirely synthetic - can conduct what appears to be a regulated KYC onboarding conversation without a human criminal ever being involved. Custom fraud toolkits targeting specific banks are available on dark web forums for as little as $50.

One fraud intelligence specialist put it directly: fraud is no longer a single-step crime. It is a lifecycle - emotional manipulation to lower defences, sustained coaching to build compliance, and finally a transfer that the victim authorises themselves. Most financial institutions, it was argued, have built their entire defensive apparatus around the last of those three stages - by which point the fraud has already been committed.

The AI Arms Race

Artificial intelligence dominated both stages throughout the day - but the conversation was notably more mature than the AI discourse of recent years. Generative AI has had its moment of wonder. The industry is now in the harder work of operationalising it.

One major European bank described a journey that began with machine learning models in 2019, moved through internal GPT-style tools and analyst prompt libraries, and has now reached the deployment of agentic AI systems capable of conducting multi-stage investigations with minimal human involvement. In one live configuration described from the Main Stage, a transaction monitoring alert triggers a cascade of AI agents: the first analyses transaction patterns, the second applies typology knowledge, the third enriches the investigation with open-source intelligence, and the fourth drafts a suspicious activity report in the institution's house style. A human reviews and decides.

The efficiency gains are material. A compliance technology case study presented from the floor described reducing KYC file processing time from eight hours to eleven minutes, with a team of three analysts managing 25,000 clients across two jurisdictions. Without automation, the same workload would have required, by that firm's own estimate, six times as many staff.

But the more arresting point was about adversarial resilience. Institutions that deploy AI systems without stress-testing them against motivated adversaries are, in effect, publishing their playbook. Criminals are already probing the edges of detection models systematically - the same way those models were built. "Implement AI that works in real time," one panellist urged. "But challenge your AI. Crack it yourself before others do."

There was also a more structural argument on the table. Legacy transaction monitoring systems generate false positive rates of up to 95% in some configurations. That is not merely an efficiency problem; it is a signal problem. Agentic AI, applied to a properly integrated data environment, offers a credible route out of it. But only if the underlying data quality is addressed first. The most memorable formulation of the day came from a speaker discussing AI deployment in compliance: the function, they argued, is not under-resourced. It is misdeployed.

One Crime, Many Departments

The most persistent tension of the summit was institutional rather than technological. Financial institutions continue to organise their defences in silos - separate AML teams, fraud teams, sanctions teams and KYC functions - each with its own systems, escalation paths and regulatory obligations. Criminals observe no such boundaries.

Fraud is a predicate offence to money laundering; the two cannot be meaningfully separated. The money stolen through a romance scam, an investment fraud or an authorised push payment is the same money that moves through mule networks and surfaces eventually in property, luxury goods or cryptocurrency wallets. Investigating the fraud and the laundering as distinct problems means investigators see only fragments of a pattern that, assembled, would be unmistakable.

The consequences are felt at every level. A customer under investigation for a suspicious transaction may simultaneously receive outreach from the fraud team, the AML team, the sanctions screening function and a periodic CDD review - each unaware of the others, each asking overlapping questions. The experience reinforces precisely the conditions that social engineers exploit: the institution appears confused, disorganised, and eminently predictable.

There was broad consensus at the summit that the emerging response must be a unified financial crime function - one alert and case management system, a shared customer risk profile, and analysts trained to recognise patterns across typologies rather than within a single domain. Progress is being made. But as one veteran practitioner observed, it is a long road, and the criminals are not waiting.

Regulation: Pressure and Promise

The summit took place against a backdrop of significant regulatory change. AMLA, the new EU anti-money laundering authority, begins direct supervision in 2027, with a single rulebook requiring genuine harmonisation across member states for the first time. PSD3 and the Payment Services Regulation add obligations around fraud liability and data sharing. MiCA has brought crypto asset service providers firmly into the regulatory mainstream.

The mood was cautiously optimistic, but clear-eyed. One industry estimate put the share of financial institutions that will be fully ready for AMLA's requirements by July 2027 at no more than 30%. Legacy data systems, fragmented customer records, and the volume of technical standards still to be finalised were cited as the primary obstacles. For the funds industry, there was a pointed concern: that certain articles in the AMLA regulation had been drafted with a retail banking model in mind, and applied poorly to intermediated distribution structures. In one scenario outlined at the summit, a single rule on complex ownership structures would automatically reclassify 80% of a major asset manager's client base as high risk - not because those clients posed elevated risk, but because the regulatory text had not anticipated the reality of institutional fund distribution.

The counterpoint was equally forceful. Article 75 of the AMLA framework - which creates a legal basis for cross-border public-private information sharing partnerships - was described by multiple speakers as potentially the most significant tool the industry has been handed in years. "The criminals have always worked cross-border," one practitioner remarked. "This is the first time the framework allows us to do the same."

The Weakest Link

Beneath the technology and the regulation, the summit kept returning to a simpler, harder truth: the most consistently exploited vulnerability in the financial system is human.

A presentation on cyberpsychology catalogued the cognitive shortcuts - heuristics, authority bias, loss aversion, manufactured scarcity - that fraudsters exploit with the same methodical precision that legitimate marketers use to drive conversions. The difference is intent. Where an e-commerce firm A/B tests banner colours to optimise click-through rates, a romance fraudster calibrates the pace of emotional escalation to maximise eventual compliance. Both are working from the same psychological manual.

The discomfort in the room was palpable when it was observed that financial institutions themselves deploy many of these same techniques: urgency, social proof, and personalisation in their customer communications. The tools of persuasion and the tools of manipulation are, in many cases, identical.

And the vulnerability is not confined to customers. A live demonstration of an end-to-end bank breach - from LinkedIn reconnaissance to full database access in under twenty minutes, using freely available tools and a single well-crafted phishing email - drew silence from a room of seasoned practitioners. The entry point was not a technical flaw in the institution's infrastructure. It was a pressured employee who opened an attachment.

What Good Looks Like

The summit did not confine itself to diagnosis. Several models of effective response were examined.

Australia's cross-sector fraud prevention partnership - bringing together government, banks, telecommunications companies and social media platforms to share intelligence in near real time - was cited as the most advanced example of the collaborative infrastructure the industry needs to build. Singapore's government-mandated data sharing protocols were credited with producing measurable reductions in fraud losses. In the Netherlands, domestic public-private information sharing structures were held up as proof of concept for what Article 75 might enable at European scale, if the political will is there.

On active defence, a technology demonstration showed how AI-powered systems can be deployed to infiltrate criminal networks - engaging fraudsters in extended conversations, harvesting the account details they nominate to receive criminal proceeds, and surfacing compromised accounts an average of two months before any signal appears in a bank's own systems. It is, in effect, a reversal of the traditional detection model. Rather than waiting for a transaction to trigger an alert, the intelligence arrives upstream - before the victim has been fully coached, before the transfer has been initiated.

A Moment of Reckoning

The summit's closing remarks touched on a theme that had run quietly through every session: the gap between the scale of the problem and the scale of the response.

$442 billion in annual fraud losses. 2% of criminal assets confiscated across the EU. False positive rates in legacy transaction monitoring approaching 95% in some systems. 30% of institutions projected to meet the next regulatory standard by its own deadline. These are not numbers that suggest an industry operating at the level the threat demands.

But they are numbers that the industry, increasingly, is prepared to say out loud. The willingness to name the failures - the silos, the misdeployment, the gap between regulatory compliance and operational effectiveness - was itself a form of progress. Amsterdam 2026 was, among other things, a summit where the pretence of having things broadly under control gave way to the harder, more useful conversation about what it would actually take to get there.

The answer was not a single technology or a single regulation. It was the convergence of functions within institutions, of standards across borders, of data across sectors, and of purpose across an industry that has, until recently, been more comfortable managing risk than hunting it.

This article is part of Transform Finance's coverage of the 4th Annual FinCrime Leaders Summit Europe, Amsterdam 2026.