top of page
Search

The IFC Just Validated What We've Been Saying

177 pages on AML/CFT technology. The most important chapter? Manual controls.



The IFC just released a 177-page Good Practice Note on AML/CFT technology. It covers machine learning, agentic AI, advanced analytics, and migration roadmaps.


But the chapter I keep coming back to is Chapter 6.


Manual controls.


Not because we're against technology. But because this chapter validates something we've been saying in boardrooms across Asia and Africa for years: human-centered approaches work when paired with clear governance and oversight.


The IFC puts it plainly:

"Technology amplifies the effectiveness of a sound program but cannot replace it."

And later:

"FIs with weak data quality, unclear risk ownership, or poorly designed processes risk automating inefficiencies."

This isn't anti-technology. It's anti-magical-thinking.


Seven Years of Saying the Same Thing


Here's what struck me most about this report: there is nothing new.


The IFC and World Bank have been building this message for seven years.



The message was clear: emerging markets need fit-for-purpose AML programs, not copy-paste frameworks from developed markets. Proportionality matters. Context matters. One size does not fit all.



This shifted the lens to oversight, how supervisors should apply risk-based approaches rather than tick-box compliance. The emphasis was on understanding institutional context, not just checking boxes.


2026: Now this. The technology report. And what does it say? Technology amplifies. It doesn't replace. Manual controls remain valid when properly governed. Fit-for-purpose beats best-in-class.


Three documents. Seven years. One consistent message.


Proportionality isn't compromise. It's intelligence.


If you've been advocating for human-centered, risk-based approaches in emerging markets, and feeling like you're swimming against the tide of AI hype, this is your validation. The IFC has been on your side all along.


Why This Matters for Emerging Markets


There's a persistent pressure in emerging markets to copy Singapore or London. To buy the same systems, implement the same frameworks, chase the same benchmarks.


But the IFC report says something different. Chapter 6 explicitly validates manual screening and monitoring for lower-risk profiles when supported by clear governance and documented procedures.


You don't need a million-dollar transaction monitoring system if your customer base is 5,000 accounts with straightforward products. You need clear procedures, consistent execution, and oversight that actually works.


The IFC calls this "fit-for-purpose." We've been calling it common sense.


The Enablement Gap


Here's what the IFC report doesn't say explicitly, but practitioners know instinctively:


  1. Guidance without enablement changes nothing

  2. Regulators can issue circulars on proportionality

  3. The IFC can publish 177 pages of good practice.


But if Compliance teams are under-resourced, if analysts don't have the confidence to make risk-based calls, if relationship managers have never been trained on what "proportionality" actually looks like in practice, nothing changes.


We wrote about this recently when MAS told private banks to shorten account opening times. The guidance was sensible. But the real question wasn't what MAS was asking. It was whether we'd built the capability to actually deliver it.


The same applies here.


The IFC has given us a framework. The question is whether we have the people, the processes, and the culture to use it.


The Six Dimensions Validated


Back in February, we published the blog about the six dimensions of RegTech readiness. The argument was simple: before you buy any technology, assess whether you're actually ready to absorb it.


Those six dimensions were:


  1. Data Readiness: Is your data clean enough to feed an AI system?

  2. Process Clarity: Do you actually know how work flows today?

  3. Change Capacity: Can your organisation absorb another transformation?

  4. Executive Commitment: Is this a priority or a checkbox?

  5. Team Readiness: Do you have the skills to own this?

  6. Culture Foundation: Do people trust each other enough to trust a new system?


The IFC report validates every single one.


Chapter 7 addresses technology strategy and explicitly warns against buying before you're ready.


Chapter 8 covers deployment practices and emphasises change management over system features.


Throughout, the report returns to the same theme: technology amplifies what's already there.


If your foundations are solid, technology accelerates you.


If your foundations are broken, technology exposes you.


Trust Is the Only Currency That Lasts


At Risk Ready Kuala Lumpur earlier this year, our founder, Julia held a 163-year-old Banking Almanac (Fun fact: Bankers Almanac was first published in 1845). The 1862 edition. Not a replica, but the real thing.


Turning those pages, she realised: the people who compiled them were solving the same problem we're solving today.


Who can you trust to move your money?


Before telephones (Fun fact: Abraham Graham Bell was granted official patent on 7 March 1976). Before SWIFT. Before AML was a concept. Before regulators existed as we know them.

They built trust through documentation. Through verification. Through knowing who stood behind the name.


180 years later, the format has changed. The question hasn't.


We've replaced leather-bound directories with APIs and real-time screening. We've traded ink for algorithms.


But the fundamental work remains human: deciding who to trust, and why.


Compliance isn't the cost of doing business. It's the cost of building trust.


And TRUST is the only currency that's lasted 180 years.


The Question Nobody's Asking


We talk endlessly about what AI can do. We debate vendors, features, implementation timelines. We benchmark against competitors and worry about falling behind.


But there's a question that rarely makes it into the boardroom:


Who makes the call when the machine says maybe?


Because that's where the real work happens. Not in the algorithm. In the judgement. In the human being who has to decide whether this alert is real, whether this customer is legitimate, whether this risk is acceptable.


Technology can compress timelines. It can surface patterns. It can reduce false positives.


But it cannot replace the person who makes the call.


And if we haven't trained that person, if we haven't built the culture that supports good judgement — then no technology will save us.


A Practical Tool: The AML/CFT Technology Readiness Checklist


We've turned the IFC's 177 pages into something practical.


The AML/CFT Technology Readiness Checklist covers five phases:


  1. Foundation Assessment: Data quality, process documentation, governance structures

  2. Strategy Definition: Business case, success metrics, proportionality decisions

  3. Vendor Selection: Evaluation criteria, due diligence, contract considerations

  4. Implementation: Change management, testing, go-live readiness

  5. Ongoing Governance: Model oversight, performance monitoring, regulatory engagement


Each phase includes specific checkboxes drawn from IFC guidance. Score yourself. Identify gaps. Know where you stand before your next technology conversation.



How to Use the Checklist


For Boards and Executives: Use the scoring summary to assess organisational readiness before approving technology investments. A score below 15 suggests foundational work is needed first. That's not failure. That's proportionality.


For Compliance Teams: Work through each phase honestly. The checklist isn't about getting to 57/57. It's about knowing where your gaps are and addressing them before they become implementation failures.


For Emerging Market FIs: Start with Phase 1 and Chapter 6 of the IFC report. You may find that enhanced manual controls — properly governed — are more appropriate than advanced automation. That's not falling behind. That's fit-for-purpose.


Where to Start in the IFC Report


If you're reading the full report, here's our recommended sequence:

  1. Chapter 6: Manual controls and low-tech approaches

  2. Chapter 7.2: Technology strategy framework

  3. Appendix B: Control maturity matrix

  4. Chapter 7.3: Designing an AML/CFT Technology Selection and Implementation Strategy

  5. Chapter 7.4: Vendor selection and due diligence

  6. Chapter 8: Deployment and implementation


Skip the AI sections until you've honestly assessed whether you're ready for them.


Where JFourth Fits


This is what transformation-focused advisory looks like.


Not just frameworks and policies. Not just Risk and Compliance programmes and training. But the deeper work of building organisations where proportionality is practiced, not just permitted.


We work with banks, non bank financial institutions, fintechs, DNFBPS Risk and Compliance teams, and leadership navigating these challenges, in Singapore, across Asia, the Middle East and Africa, and globally.


Our focus: Building risk and compliance into business design, not bolting it on as an afterthought.


Whether you're operationalising new guidance, building judgement capability in your teams, or recognising that your culture hasn't kept pace with regulatory expectations, the question is the same:


What kind of organisation do you want to build?


We help you answer that. And then we help you build it.


The Bottom Line


The IFC report is 177 pages of validation for something practitioners have known all along:


Technology is an enabler. Not a replacement.


Judgement cannot be automated.


And the question that matters most isn't "what system should we buy?"


It's "who makes the call when the machine says maybe?"


💙



RESOURCES


Download:



Related Reading:


The Seven-Year Arc - IFC & World Bank Guidance:



 
 
 

Comments

bottom of page