The Illusion of Control: Why AI in Financial Crime Demands More Than Automation

On 22 January 2026, the House of Commons Treasury Select Committee published a stark verdict on the state of artificial intelligence in UK financial services. The Financial Conduct Authority (FCA), the Bank of England and HM Treasury, the Committee concluded, are not doing enough to manage the risks presented by AI. By adopting a wait-and-see approach, the authorities are exposing consumers and the financial system to potentially serious harm.

The Committee’s Chair, Dame Meg Hillier, was blunt. She stated that she was not confident the financial system is prepared for a major AI-related incident. The report called for the FCA to publish practical guidance on AI accountability by the end of 2026. It also recommended AI-specific stress testing and the designation of major AI and cloud providers as critical third parties.

Yet the scale of adoption that prompted this intervention is itself revealing. The Bank of England and FCA’s joint Artificial Intelligence in UK Financial Services survey, published in November 2024, found that 75% of firms were already using AI, up from 58% in 2022. Foundation models accounted for 17% of all use cases. AI had moved from experimentation to operational reality.

Buried within the same survey, however, was a more disquieting finding. Forty-six per cent of respondents reported only a partial understanding of the AI systems they had deployed. Just 34% claimed complete understanding.

A third of all use cases were third-party implementations, up from 17% in 2022. Firms were increasingly reliant on external systems whose internal workings they could neither examine nor fully explain. The sector was adopting AI at pace; it was not adopting it with comprehension.

This is the paradox at the heart of AI in financial crime compliance. The technology screens transactions at a scale no human team could match and profiles risk with statistical precision. The narrative is seductively simple: speed, accuracy and cost efficiency.

Yet the institutions deploying these systems often cannot explain how they work or whether their outputs remain reliable over time. The result is not intelligent compliance. It is the outsourcing of judgement to a process that few can interrogate and fewer still can defend before a regulator.

Accountability cannot be automated

In traditional compliance functions, accountability is traceable. Policies are drafted by human teams. Models used for anti-money laundering (AML) monitoring are documented, tested, calibrated and validated by specialists who understand their foundations and limitations. Regulators can interrogate assumptions, examine false positive rates and trace decision paths from input to output.

AI unsettles this structure fundamentally. Machine learning systems behave as probabilistic engines that evolve over time. Their internal logic cannot easily be translated into human language. Even where developers claim explainability, what they typically mean is interpretability at a superficial level: identifying which input variables contributed most to a given output. The deeper mathematical relationships remain opaque to all but the most specialised experts.

This raises a question that the industry has not yet answered convincingly: who is qualified to audit these systems? Internal model risk teams possess quantitative skills but their expertise is rooted in credit and market risk, not the non-linear architectures underpinning modern AI. External consultants, sometimes the same firms that built the tools, face inherent conflicts of interest. Technology vendors provide documentation that varies significantly in rigour.

The result is a fragile chain of accountability. The people charged with auditing AI may not fully understand how the systems operate. They can check documentation, test outputs and challenge assumptions. Yet challenge is not the same as comprehension. Without genuine understanding, audit becomes a ritual of compliance rather than substantive oversight.

The European Banking Authority (EBA) acknowledged this concern in its Report on Big Data and Advanced Analytics in January 2020. It warned that lack of explainability is a prominent risk where AI systems are provided by third parties and deployed as opaque systems. The EBA emphasised that institutions need the ability to validate results without relying too heavily on the service provider.

These are not theoretical anxieties. They strike at the core of the financial crime regime: accountability. If a bank cannot articulate why a model made a particular decision, it cannot demonstrate proportionality or defensibility within its risk management framework.

Correlation is not comprehension

One of the most pervasive assumptions in the industry is that AI learns patterns of financial crime. In reality, AI identifies statistical correlations in vast datasets. It does not understand context, intention or legality. It cannot distinguish between a benign pattern that resembles criminal behaviour and a harmful pattern that appears entirely unremarkable.

Banks are therefore dependent on the quality of data, the parameters established during model training and the interpretative layers designed by developers. Most institutions use third-party AI engines trained on datasets they neither own nor can examine. Vendors rarely publish the provenance or potential biases of their training data. In some cases, they cannot do so for commercial or contractual reasons.

The risk of embedded bias is well documented. The Alan Turing Institute, in its 2021 report AI in Financial Services commissioned by the FCA, warned that AI systems can entrench biases present in historical data. The consequences extend to fairness and regulatory compliance alike. More recently, the Turing Institute’s Fairness in AI for the Financial Sector (FAIR) programme has demonstrated that traditional validation methodologies are insufficient for the vendor-driven AI workflows now prevalent across the industry.

A similar dynamic may emerge in AML. Certain customer groups could be unfairly escalated to higher risk tiers due to incomplete or historically skewed data. The bias is invisible until its effects are measured, and few firms measure them with the frequency or rigour required.

Equally significant is the risk of model drift. Criminal behaviour evolves constantly. AI models that are not regularly recalibrated may become misaligned with the current threat environment, either missing new typologies or generating high volumes of false positives. Institutions often assume the system is still performing because alerts continue to be generated. Alert volume, however, is not a measure of quality. It is an output of mathematical thresholds.

The uncomfortable truth is that many firms do not know whether their AI is still working as intended. They trust the dashboards, the vendor assurances and the comfort that automation provides. Trust without verification is not governance. It is institutional complacency.

Regulators expect reasoning, not approximation

The regulatory expectation is unambiguous. Supervisors require clear reasoning behind financial crime decisions, not probabilistic approximations. Firms must explain why particular customers, transactions or patterns of behaviour were flagged as suspicious.

The National Crime Agency (NCA), in its updated SARs Best Practice Guidance published in November 2025, reiterated that high-quality suspicious activity reports (SARs) require complete, structured data and a clear reason for suspicion. Reporters should focus on the activity indicating criminal or terrorist property, rather than attempting to prove a predicate offence. Regulators do not accept the proposition that the system made the decision.

The challenge is that AI models frequently produce outputs without human-readable logic. Even where explainability tools are applied, these provide high-level interpretations rather than true causal explanations. This places firms in a precarious position. When reporting suspicious activity, they must articulate the rationale for suspicion. If that rationale traces back to an AI engine whose reasoning cannot be fully explained, the firm risks submitting a SAR that lacks defensible clarity.

If the sector becomes fully reliant on AI for detection yet cannot provide human explanation for its decisions, a dangerous gap emerges between identification and articulation. That gap undermines the core purpose of financial crime reporting: producing intelligence that law enforcement can act upon. AI can detect statistical anomalies. Only humans can place those anomalies in context.

Adoption without comprehension is not progress

Part of the sector’s over-reliance on AI stems from a deeper cultural tendency to equate technological adoption with institutional modernisation. Senior executives fear being seen as lagging behind competitors. Technology is therefore adopted not only for its operational value, but for its reputational and strategic signalling.

In this context, AI becomes a symbol of progress rather than a tool grounded in proportionality and need. Firms adopt AI to appear innovative, to reduce costs and to satisfy expectations of modernity. Innovation without comprehension, however, is not progress. It is risk.

The EU AI Act, which entered into force in August 2024, reflects a growing regulatory recognition that adoption has outstripped governance. High-risk obligations for financial services are due to take full effect by August 2026. The Act classifies AI-driven creditworthiness assessments as high-risk and imposes requirements around transparency, documentation, human oversight and bias mitigation. The EBA confirmed in November 2025 that it will undertake specific implementation activities in banking and payments during 2026 and 2027.

In the UK, the FCA has opted for a principles-based, outcomes-focused approach rather than AI-specific regulation. Its 2025-2030 strategy, published in March 2025, identified fighting financial crime as one of four priorities. The FCA has also launched practical initiatives, including its AI Lab in October 2024 and AI Live Testing, confirmed through Feedback Statement FS25/5 in September 2025.

Yet the Treasury Committee’s January 2026 report suggests that principles alone may not be enough. Firms that cannot explain their AI-driven decisions will find little comfort in a regime that demands precisely that: explanation, accountability and demonstrable control effectiveness.

Judgement is not a function that can be outsourced

Financial crime risk management has always been a judgement-based discipline. It requires human interpretation of context, behaviour, ethics and proportionality. When firms outsource judgement to algorithms, they risk hollowing out the expertise that underpins effective decision-making.

One consequence is skill erosion. If analysts become reliant on AI-generated recommendations, they may lose the critical thinking necessary to challenge the system. This is already visible in some transaction monitoring operations, where junior staff accept system-generated alerts without question. Compliance culture is shaped by machine logic rather than human discernment.

Another consequence is cultural displacement. Compliance becomes something the system does, not something the organisation embodies. Ethical responsibility migrates from human actors to technological abstractions. This undermines the foundational purpose of AML and sanctions compliance, which is not to produce alerts but to prevent harm.

AI governance must evolve to address these risks in practice. Model validation frameworks need to be re-engineered to address explainability, bias detection, algorithmic drift and dataset provenance. Oversight structures should include experts who understand not only data science but also ethics, law and behavioural risk. Firms must invest in the interpretative capabilities of their staff. Analysts need training to understand how AI models function, when to trust them and when to challenge them.

Without this investment, AI remains a black box. The institution becomes dependent on a system it cannot control.

The ethical limit of AI is the integrity of those who govern it

The acceleration towards AI-driven compliance shows no sign of slowing. Firms are told that automation is necessary to keep pace with regulatory pressure, rising transaction volumes and criminal sophistication. Speed, however, is not a substitute for comprehension. Efficiency is not a proxy for integrity.

Financial crime compliance exists to protect the financial system from abuse and to safeguard society from the harms that illicit finance enables. These are moral as well as operational objectives. They cannot be delegated entirely to algorithms, however sophisticated those algorithms may be.

The institutions that will navigate this landscape most effectively are not those with the most sophisticated technology. They are those that treat AI as a tool whose value is defined by the governance, comprehension and ethical rigour of the people who deploy it.

If 46% of firms cannot fully explain the AI systems they rely upon, the question is no longer whether AI can transform financial crime compliance. The question is whether the sector is prepared to govern that transformation with the seriousness it demands.

Can your firm explain, defend and govern the AI systems it depends on?

At OpusDatum, we help firms assess and strengthen the governance frameworks that underpin their use of AI in financial crime compliance. Our advisory services support institutions in building proportionate, defensible and operationally realistic oversight structures for automated systems.

Contact us to discuss how we can support your AI governance and financial crime compliance strategy.