
The 2026 Compliance Landscape (Part 3 of 3)

  • juliachinjfourth
  • Jan 6

Updated: Jan 7


Criminals are using AI better than most compliance teams.


That's not hyperbole. That's the 2026 reality.


This is the final part of our series on the 2026 compliance landscape. Part 1 covered the regulatory shift - FATF's proportionality mandate, enforcement divergence, and the 3-year cliff. Part 2 examined the liability revolution - fraud reimbursement rules, stablecoin regulation, and ESG divergence.


Here's what's happening on the technology front, and why it all comes back to the people we're meant to protect.


1. The AI Double-Edged Sword


Last year, we highlighted generative AI's growing role in banking. In 2026, we've moved beyond experimentation.


Agentic AI (systems that can autonomously execute multi-step tasks, make decisions, and take actions) is now operational in over 70% of major financial institutions. The applications are compelling: automated transaction monitoring, intelligent case management, real-time risk assessment.


But governance frameworks have not kept pace with adoption.


Questions around accountability, explainability, and bias remain largely unanswered. When an AI system flags, or fails to flag, a transaction, who is responsible? When algorithms encode historical biases that exclude vulnerable populations from financial services, who bears the consequence?


The flip side is even more troubling.


Sophisticated fraud operations now leverage AI capabilities that frequently exceed those available to compliance teams. Pig butchering scams, synthetic identity fraud, and deepfake-enabled social engineering have industrialised at an alarming scale.


The same AI that can draft a compliance policy can draft a thousand personalised scam messages. The same voice cloning that enables accessibility features enables CEO fraud. The asymmetry is real and it's growing.


The Strategic Opportunity:


→ AI Governance as Competitive Advantage: Organisations that build robust AI governance frameworks now, with clear accountability, explainability standards, and bias testing, will be better positioned as regulation catches up. The EU AI Act is already in force; others will follow.


→ Defensive AI Investment: The arms race is real, but it's winnable. Institutions that invest in AI-powered fraud detection, behavioural analytics, and anomaly detection can match and exceed criminal capabilities. The key is speed of adoption.


→ Human-In-The-Loop: The most effective models aren't fully automated. They combine AI pattern recognition with human judgement. Build systems that augment your analysts, not replace them.


The Risks to Manage:


→ The Governance Gap: Deploying AI without governance is deploying risk. Ensure every AI system has clear ownership, documented decision logic, and regular bias audits.


→ Vendor Dependency: Many institutions rely on third-party AI solutions without understanding the underlying models. When regulators ask how your system made a decision, "the vendor handles that" won't be an acceptable answer.


→ Automating Exclusion: AI trained on historical data can perpetuate historical exclusion. If your models are flagging entire demographic groups as "high risk," you're not managing risk — you're encoding discrimination.


2. Cybercrime Professionalisation and the Corruption Nexus


Cybersecurity threats have evolved beyond traditional criminal enterprises.


Some nation-states are now actively partnering with criminal organisations, blending geopolitical objectives with financial crime. Ransomware, extortion, and data theft have become tools of both profit and statecraft.


But here's what's often overlooked: the corruption that enables this ecosystem.


Scam compounds across Southeast Asia don't operate in a vacuum. They require protection from local officials, law enforcement, border agents. The journalists and NGOs fighting to expose these operations are often investigating the same networks that enable cybercrime to flourish.


When corrupt acts are buried faster than they can be uncovered, criminal enterprises thrive. The professionalisation of cybercrime isn't just a technology story. It's a governance story. An accountability story. A corruption story.


The Strategic Opportunity:


→ Integrated Threat Intelligence: Break down silos between cybersecurity, fraud, and AML teams. The same networks that launch ransomware attacks launder the proceeds through your payment systems. Integrated intelligence enables integrated response.


→ Public-Private Collaboration: The coalitions emerging to tackle transnational cybercrime, like those formed through GASA and GCFFC, demonstrate that collective action works. Institutions that engage in information-sharing gain access to threat intelligence they couldn't develop alone.


→ Following the Corruption Thread: Understanding the corruption that enables cybercrime helps predict where threats will emerge. Jurisdictions with weak governance and compromised enforcement are incubators for the next wave of attacks.


The Risks to Manage:


→ Geopolitical Exposure: Financial institutions are increasingly caught in conflicts between nation-states. Sanctions, counter-sanctions, and cyber operations create operational and reputational risks that extend far beyond commercial concerns.


→ Third-Party Vulnerabilities: Your cybersecurity is only as strong as your weakest vendor. Supply chain attacks, like those targeting software providers to reach their clients, are escalating. Third-party risk management must include cyber resilience.


→ The Human Element: The most sophisticated technical controls can be bypassed by a single employee clicking a phishing link or a single insider with compromised loyalties. Social engineering remains the primary attack vector. Training and culture matter as much as technology.


3. RegTech Acceleration


The pressure to do more with less has accelerated RegTech adoption.


Real-time payment monitoring, no-code compliance platforms, and AI-driven automation are becoming standard rather than aspirational. The question is no longer whether to invest in RegTech, but how to select, implement, and govern these solutions effectively.


The promise is real: technology that enables smaller institutions to maintain robust compliance without the headcount of a global bank. Technology that can process in seconds what would take analysts days. Technology that can identify patterns invisible to human review.


But technology is not neutral.


RegTech solutions encode assumptions about risk, about behaviour, about who deserves access to financial services. Without careful governance, we risk automating exclusion. We risk building systems that are efficient but not equitable.


The Strategic Opportunity:


→ Democratising Compliance: RegTech can level the playing field. Smaller institutions and emerging market players can now access capabilities previously reserved for global banks. This expands competition and, ultimately, financial inclusion.


→ Proportionate Controls: FATF's proportionality mandate from Part 1 requires risk-based approaches. RegTech enables this, applying appropriate friction based on actual risk rather than blanket restrictions that exclude legitimate customers.


→ Real-Time Response: The liability revolution from Part 2 demands speed. When you're responsible for reimbursing fraud victims, detecting and stopping fraud in real time isn't optional. RegTech makes real-time response possible.


The Risks to Manage:


→ Implementation Without Strategy: RegTech is a tool, not a solution. Deploying technology without clear objectives, integration planning, and change management creates expensive shelfware.


→ Data Quality Dependency: AI and automation are only as good as the data they're built on. Garbage in, garbage out. Before investing in sophisticated analytics, ensure your underlying data is accurate, complete, and accessible.


→ The Inclusion Test: Every RegTech implementation should be tested against inclusion outcomes. Does this technology expand access or restrict it? Does it apply proportionate controls or blanket exclusion? The answer should shape your deployment.


The Real Question


Here's what I keep coming back to:


Every trend in this series - fraud liability, AI governance, regulatory fragmentation, cybercrime escalation, corruption - has the same downstream impact.


It affects the grandmother who loses her life savings to a romance scam.


The migrant worker whose remittance corridor gets cut because banks can't manage the risk.


The small business owner in an emerging market who can't access basic financial services because compliance costs make them "unprofitable."


The journalist in Southeast Asia risking everything to expose the corruption that enables it all.


We can build the most sophisticated frameworks in the world. But if they don't protect the people the financial system is supposed to serve, what are we actually building?


The Path Forward


The 2026 compliance landscape demands frameworks that are:


→ Resilient: able to withstand regulatory fragmentation, enforcement divergence, and geopolitical volatility


→ Integrated: breaking down silos between fraud, AML, cybersecurity, and anti-corruption


→ Proportionate: applying controls based on actual risk, not blanket restrictions


→ Inclusive: expanding access to financial services while protecting against abuse


→ Adaptive: evolving as threats evolve, with governance frameworks that keep pace with technology adoption


The trends are clear. The question is: will we use them to create systems that are both safe AND inclusive?


That's the work we're committed to. And we hope you'll join us.


The Bottom Line


Part 1 showed us a regulatory landscape in flux — FATF demanding proportionality while enforcement fragments across jurisdictions. Part 2 revealed the liability revolution - fraud reimbursement rules, stablecoin legitimisation, and ESG divergence reshaping who pays when things go wrong.


Part 3 brings us to the front lines: the AI arms race, the corruption-enabled cybercrime ecosystem, and the RegTech acceleration that could either democratise compliance or automate exclusion.


The common thread? The human cost.


Every compliance failure has a victim. Every framework we build either protects or excludes real people. The grandmother. The migrant worker. The small business owner. The journalist.


The 2026 compliance landscape isn't just about managing regulatory risk or avoiding enforcement action. It's about building financial systems worthy of the people they're meant to serve.


The technology exists. The regulatory direction is clear. The question is whether we have the will to build frameworks that are robust enough to stop criminals and inclusive enough to serve everyone else.


That's the challenge. That's the opportunity. That's the work.


-----


JFourth works at the intersection of compliance, technology, and financial inclusion, helping organisations harness innovation responsibly while protecting the people the financial system is meant to serve.


Get in touch to learn more.


 
 
 
