The Missing Map: Why Compliance Needs Its Own Risk Navigator
- juliachinjfourth
- 5 days ago
- 6 min read
How fragmented risk data creates blind spots in financial crime prevention—and what integrated risk intelligence could look like.

Earlier this year, researchers at MIT faced a problem that will sound familiar to anyone in financial crime compliance. They had five separate datasets tracking AI risks: 1,595 risks from academic research, 1,497 real-world incidents, 1,069 laws and regulations from around the world, 831 documented solutions, and 272 expert survey responses.
Good data. Scattered everywhere.
"These datasets existed in isolation," the team explained. "Exploring one meant losing sight of the rest."
Their solution wasn't another database. It was a shared language. They created a taxonomy of seven domains and twenty-four subdomains, then applied it consistently across all five datasets. Now, pick any risk category and you immediately see what researchers have written about it, where real incidents have occurred, what regulations exist, and what solutions are available. All in one view.
Sound familiar?
The insight worth noting: they didn't start with technology. They started with vocabulary.
The Financial Crime Version of This Problem
We see the same fragmentation in financial crime every day.
The fraud team has their alerts. The AML team has their transaction monitoring. The cyber team tracks device anomalies. The credit risk team watches repayment patterns. Each group has their own systems, their own language, their own priorities.
The same customer can trigger concerns across all four areas. But no one sees the complete picture until an investigation forces everyone into the same room.
Here's what this looks like in practice. A customer opens an account using fake identity documents. The fraud team's checks don't catch it because the documents look legitimate. A few months later, the customer applies for a loan. The credit team reviews income and repayment ability. Six months after that, the AML team spots unusual transactions, but by then money has already moved through multiple accounts. Meanwhile, the cyber team had flagged the customer's device as suspicious weeks earlier. That alert sat in a different queue, reviewed by different people, using different criteria.
Each team did their job. Nobody saw the whole story.
The World Bank's guidance on AML/CFT makes this point directly: fraud, identity theft, credit abuse, and money laundering often happen together in the same scheme. A stolen identity opens an account, gets a loan, and launders the proceeds. The attack crosses boundaries. Our defenses usually don't.
The Gap Between Knowing and Doing
MIT's Navigator has a feature called "Where Datasets Disagree." It shows where academic research focuses versus where real incidents actually happen versus what regulations address. The mismatches reveal blind spots.
In their AI data, "Malicious Actors & Misuse" accounts for nearly 29% of real-world incidents. But academic attention doesn't always line up with where the harm is occurring. Some risks get studied heavily while incidents cluster elsewhere.
Financial crime has the same pattern.
Researchers warned about trade-based money laundering in the early 2000s. FATF didn't publish foundational guidance until 2006. It took years more for individual countries to act. Crypto laundering appeared in academic papers long before most jurisdictions had licensing rules. Environmental crime and wildlife trafficking have been on researchers' radar for over a decade. Most AML programs still treat them as edge cases.
The pattern keeps repeating: researchers spot the risk, frontline teams encounter it, and regulatory guidance shows up after significant harm has already happened.
The risks sitting in that gap are the ones that become tomorrow's enforcement headlines. They're also the ones our current structures are least equipped to catch.
What a Connected Approach Would Look Like
MIT mapped five datasets to one taxonomy, then built tools that let users see across all of them at once.
A financial crime version might connect these five areas:
Risk Intelligence: Where are the known threats? This includes regulator guidance, FIU advisories, industry working groups, and academic research on emerging methods. The challenge is that these sources use different terms, different categories, and update on different schedules.
Incident Data: Where has harm actually happened? Most institutions track their own suspicious activity reports and investigations. Few systematically compare these against external enforcement actions or industry patterns. Each organization learns mostly from its own experience, missing what's visible only at a wider level.
Governance Coverage: Where do clear rules exist, and where are teams making judgment calls? MIT scored over a thousand governance documents against each risk subdomain. A financial crime version would map AML rules, fraud requirements, cyber standards, and credit regulations against a shared framework. This would show where coverage is strong and where guidance is thin.
Solutions Inventory: What controls exist, and what risks do they actually address? Transaction monitoring, identity checks, device tracking, behavior analysis. Each tool covers certain risks. Mapping them against a common framework shows gaps and overlaps.
Capability Assessment: Can teams actually use what they have? This is the human side that technology lists miss. A team might have advanced tools but lack expertise to interpret the results. Another might have deep knowledge but not enough people to handle the volume. Understanding capability alongside coverage shifts the question from "do we have a control?" to "can we actually run it?"
The value isn't in any single dataset. It's in the connections between them.
Why Technology Alone Won't Fix This
Building the technical connections is the easier part. Getting people to use them is harder.
This is where culture matters. Integration isn't just a systems project. It's a people project.
Shared Purpose: Why connect these datasets at all? If the answer is "because regulators want it," the effort will stay shallow. Teams will check the box while keeping their silos intact. If the answer is "because fragmented information means we miss patterns that hurt customers and help criminals," the effort has a reason to last.
Mutual Understanding: Do teams actually understand each other's work? A shared vocabulary requires shared comprehension. Fraud analysts need to understand why AML cares about layering. Cyber teams need to understand why fraud cares about device fingerprints. Credit teams need to understand why unusual repayment patterns might signal more than default risk. Without this, any new taxonomy becomes another system people work around.
Clear Ownership: Who is accountable for the connections? Siloed teams report to siloed leaders. Cross-domain intelligence needs someone responsible for how the pieces fit together. This doesn't require a new role, but it does require explicit accountability. Someone has to care whether fraud alerts reach AML analysts, whether cyber intelligence informs onboarding, whether patterns visible across domains lead to action.
Supporting Systems: Technical infrastructure matters, but it comes last, not first. Data lakes, entity resolution, cross-domain alerts. These are enablers. They don't create integration on their own. Many institutions have invested heavily in technology only to find teams still working in parallel, feeding data into shared systems while drawing conclusions from familiar silos.
Real Engagement: Are people actually using the connected view? This is where integration succeeds or fails. The best framework is worthless if analysts don't trust it, don't understand it, or don't have time for it. Training helps, but so does capacity. Teams already stretched thin won't adopt new workflows unless those workflows clearly make their work easier or their results better.
The Question Worth Considering
MIT built their Navigator because scattered data created blind spots. Financial crime has the same problem, often worse.
The technical tools to connect our datasets already exist. Entity resolution, shared data platforms, cross-domain analytics. These are available now.
The question is whether organizations are ready to use them. Whether leaders will invest in shared language before buying the next tool. Whether someone will own the connections, not just the pieces. Whether teams will have the capacity, capability, and confidence to work across boundaries that have shaped their roles for years.
Are we building bridges? Or just adding more silos?
The answer will determine whether our defenses keep pace with threats that have never respected our organizational charts.
Where JFourth Fits
This is what transformation-focused advisory looks like.
Not just frameworks and policies. Not just risk and compliance programmes and training. But the deeper work of building organisations where integration is practiced, not just discussed.
We work with banks, fintechs, risk and compliance teams, and leadership navigating these challenges—in Singapore, across Asia, the Middle East, and globally.
Our focus: Building risk and compliance into business design, not bolting it on as an afterthought.
Whether you're breaking down silos between fraud, AML, and cyber teams, building cross-domain judgment capability, or recognising that your culture hasn't kept pace with how criminals actually operate—the question is the same:
What kind of organisation do you want to build?
We help you answer that. And then we help you build it.
💙
-----
Related Reading
MIT AI Risk Navigator
MIT AI Risk Navigator – Explore the full landscape of AI risk through MIT's integrated taxonomy
Introducing the AI Risk Navigator – How MIT built a cross-dataset exploration tool for AI risk
MIT AI Risk Initiative – The research programme behind the Navigator and its datasets
About the Navigator – Technical details and methodology
World Bank AML/CFT Resources
AML/CFT Risk Management in Emerging Market Banks: Good Practice Note – IFC guidance on strengthening AML/CFT programmes
Preventing Money Laundering and Terrorist Financing: A Practical Guide for Bank Supervisors (PDF) – World Bank's comprehensive supervisory guide (Second Edition, 2022)



Comments