AI Is Transforming AML Compliance … It Should Not Be Making the Decisions

Jerome Lussan

There is genuine excitement in the compliance industry about what artificial intelligence can do for AML programmes, and it is largely deserved. AI can process transaction volumes no human team could handle, surface patterns that are hard to catch through manual review, and substantially reduce the time cost of routine due diligence work. At Leo RegTech we have been building in this direction for several years, and we believe the technology genuinely improves compliance outcomes.

There is a problem, however, and the industry is not being honest enough. As someone who has spent over two decades in financial regulation, as a financial lawyer, a hedge fund COO, and founder of three compliance businesses, I think I can say honestly that, as we are in 2026, AI still gets it wrong. A lot. In AML, the consequences could be huge.

What the Research Actually Shows

Fraud detection, AML transaction monitoring, and credit scoring are explicitly classified as high-risk AI under Annex III of the EU AI Act. That classification comes from the EU, which prefers to regulate, and may be taken with a pinch of salt, but it is hard to disagree about the risk where AML is concerned. At some point someone will get it wrong when using AI for this type of AML work, and it may well be the next scandal.

A Microsoft study called DELEGATE-52 tested 19 AI models across 52 professional domains, simulating real-world workflows where documents are reviewed and updated iteratively. The findings were not good: frontier models, including the most advanced versions of GPT, Gemini, and Claude, lost on average 25% of document content accuracy across 20 delegated interactions, with average degradation across all models reaching 50%. Critically, the study found that errors were sparse but severe, compounding silently over longer workflows, and that agentic tool use did not improve performance. The degradation worsened with document size, interaction length, and the presence of competing information.

In legal research tools specifically, a closely analogous professional context, an independent Stanford study in 2024 found that AI tools made by LexisNexis and Thomson Reuters each hallucinated between 17% and 33% of the time. [1]

Read those numbers in the context of an AML client file. The assessment of PEP status, beneficial ownership chains, sanctions exposure, adverse media, source of wealth, and source of funds is the kind of multi-step, document-intensive, judgment-layered workflow where errors would compound. A 25% accuracy loss in that context is a huge regulatory liability.

How AML Compliance Actually Works and Why That Matters for AI

Before any AI tool can be legitimately useful in an AML workflow, it needs to understand what that workflow actually is.

Understanding AML Workflow

Under the UK Money Laundering Regulations, for example, firms are required to identify and assess the risks of money laundering and terrorist financing to which their business is subject, taking account of factors including customers, countries, products or services, transactions, and delivery channels. This Business-Wide Risk Assessment is the foundation, built on a firm-specific analysis of the risks the business actually faces. It reflects the firm’s client base, geographic position, products offered, and ownership structures. From that, firms must build a customer risk appetite framework, a documented policy defining what types of client they will and will not accept, at what risk tolerance, and under what conditions enhanced due diligence is triggered. The FCA requires firms to carry out this risk assessment, have appropriate systems and controls in place, conduct due diligence, and appoint a Money Laundering Reporting Officer with overall senior management responsibility.

The equivalent obligations apply in the US under FinCEN’s Customer Due Diligence rule and the Bank Secrecy Act framework, and across the EU under the Fourth Anti-Money Laundering Directive as amended by the Fifth (the Sixth will apply from 2027 in most parts).

Only once those foundational documents are in place can the firm begin onboarding individual clients. For each new client, whether an individual, a corporate entity, a fund, a trust, etc., the firm must establish and verify identity, screen against sanctions lists, check for PEP status, review adverse media, assess source of wealth and source of funds, and determine whether the overall profile is consistent with the firm’s risk appetite. For corporate clients, that extends to beneficial ownership chains, often multi-layered, cross-jurisdictional, and structurally complex.

The Technology to Back Up AML

Each of those steps now has specialist technology supporting it. Sanctions screening and adverse media monitoring use real-time AI-enhanced systems. Identity verification relies on document scanning and biometric checks. Beneficial ownership analysis uses graph-based intelligence to map corporate structures. Leo RegTech, for example, integrates Vartion Pascal for KYC data and Yoti ID for digital identity verification, both AI-assisted tools that operate as discrete, specialist components within a broader process.

The critical point is this: an AI tool that purports to assist with AML compliance must be able to ingest and apply the firm’s own Business-Wide Risk Assessment and client risk appetite framework before it reviews a single client file. Without that context, it is operating on generic assumptions that may bear no relationship to the firm’s actual regulatory obligations or risk profile. In that regard, using specialist components makes sense, but relying on broader AI analysis and conclusions is unwise.

The Vendors and Their Claims

The AML technology market is growing rapidly, projected to reach $9.4 billion by 2030 at a compound annual growth rate of nearly 18%. A number of well-funded companies are actively marketing AI-driven AML solutions. Compliance officers evaluating these vendors should understand who they are, where they are based, and who owns them before creating a system of reliance that could expose them to not just civil but criminal liability. The following are just some examples, chosen randomly, of vendors that already have a notable presence:

Quantexa (London) focuses on entity resolution and decision intelligence, seeking to map corporate ownership networks and surface cross-dataset connections. It has raised $546 million and was valued at $2.6 billion in March 2025. It is targeting a 2026 IPO and is primarily built for large financial institutions.

Feedzai (founded in Portugal, headquartered in San Mateo, California) focuses on AI-native fraud detection and transaction monitoring. It has raised $347 million and is valued at approximately $2 billion.

Napier AI (London) is a UK-based AML platform serving banks and financial institutions, with approximately $57 million raised.

NICE Actimize (US-headquartered, part of the publicly listed Israeli group NICE Systems) is one of the larger incumbents in financial crime compliance software. Actimize has operated within NICE since 2007 and targets enterprise banks primarily.

There is nothing inherently wrong with any of these businesses as technology providers. But compliance officers should understand their capabilities in context. It may also be useful to follow the ownership, as many VC- or PE-backed companies at growth stage operate under investor return expectations with defined timelines. Those expectations shape product roadmaps, pricing decisions, and support priorities, which are then not driven purely by what serves an institution’s AML programme best. All in all, software providers are not yet offering a compliance decision on any client KYC.

The Legal Profession Has Already Learned This Lesson

The compliance industry would do well to pay close attention to what has been happening in law, because there are many parallels.

In 2023, in Mata v. Avianca in the Southern District of New York, two attorneys were sanctioned after submitting a brief built on six entirely fabricated court decisions generated by ChatGPT. One attorney later testified he was operating under the belief that the tool could not fabricate cases.

Then, in April 2026, Sullivan & Cromwell, one of the most prestigious law firms in the world, apologised to Chief Judge Martin Glenn of the US Bankruptcy Court after admitting that an emergency motion contained inaccurate citations and other errors caused by AI hallucinations. The letter of apology came with a three-page single-spaced attachment of corrections. The firm acknowledged that its internal AI policies were not followed, and that its standard review process failed to catch the errors before filing.

A researcher tracking AI hallucination incidents globally has now identified over 1,300 such cases in legal filings, with the trend accelerating sharply: 10 documented cases in 2023, 37 in 2024, and 73 in just the first five months of 2025, with qualified legal professionals increasingly at fault. [2] The AI legal tools themselves are not immune to scrutiny. Harvey AI, recently valued at $8 billion, has faced reported hallucination rates that its own internal benchmarks dispute, but which no fully independent third-party evaluation has yet resolved.

The EU AI Act: A Deadline Now Extended

Most firms using AI in their AML programmes are unaware of what the EU AI Act requires of them. This is important if you are in the relevant jurisdiction; however, it may also serve as guidance for any firm drafting its own policy, wherever it is.

The high-risk AI provisions of the EU AI Act were originally set to become enforceable on 2 August 2026. Following the EU Digital Omnibus agreement of May 2026, the deadline for high-risk AI systems under Annex III has been extended to 2 December 2027. For firms using AI in fraud detection, AML monitoring, or credit scoring within the European Union, that date will mark the point at which human oversight and auditability become legal requirements, but until then, it would be wise to prepare. Penalties for non-compliance would reach up to €35 million or 7% of global annual turnover, whichever is higher.[3]

Crucially, the EU AI Act distinguishes between providers, who develop AI systems, and deployers, who use them. This is an interesting parallel. Both carry obligations, and deployers cannot outsource their compliance to a vendor, such as Leo RegTech for example. If your firm purchases an AI-powered AML tool from a third-party vendor and that tool operates as a black box with no explainability, the deployer is liable for failing to meet the high-risk requirements.

Under the Act’s framework, an event or malfunction that has or could have a significant impact on health, safety, fundamental rights, or legal obligations must be documented and, depending on severity, reported to national supervisory authorities. For AML purposes, this could mean a system that misclassifies client risk, produces a flawed SAR recommendation, fails to surface a sanctions match, or generates an adverse media conclusion based on hallucinated or corrupted information. The same applies to a system that operates without human oversight mechanisms, without proper logging, or without the explainability required to audit its outputs. Reliance on AI, therefore, is a gamble, and as compliance officers we are safe only with evidence of what was done to avoid such errors.

Your Staff Is Already Using AI

Every compliance team is using AI tools right now, whether authorised or not, and whether or not a policy exists. The tools are on their phones, in their browsers, embedded in the software they use daily. The question is not whether AI is in your compliance process. It is whether you have any visibility or control over how it is used.

An AI policy in a regulated financial services firm today should cover, at a minimum:

  • which tools are permitted for which tasks,
  • what outputs require human verification before use,
  • how AI-assisted work is documented for audit purposes, and
  • what the escalation path is when an AI output is uncertain or contradictory.

Among compliance professionals sceptical of AI, nearly 40% cite accuracy and reliability as their primary concern. The answer is not to avoid AI (I understand this is what the SEC is trying to do) but to govern it properly, because the alternative, which consists of undocumented, unreviewed AI outputs sitting inside regulated workflows, should not be an option.

To Conclude…

AI belongs in AML compliance. FinCEN, the FCA, FATF, and the European Banking Authority, to name a few, all encourage its use. Real-time sanctions screening, AI-enhanced adverse media monitoring, and biometric identity verification are all valuable applications where AI genuinely improves coverage, speed, and consistency.

What AI should not be doing is making the final call on client risk classification, SAR decisions, or enhanced due diligence conclusions without a qualified human in the loop. Even with a human in the loop, this still requires that the firm’s own risk framework has been properly ingested and that there is an audit trail.

AI is an accelerator and a first filter. You do not want a system that replaces the MLRO’s judgement, but one that makes that judgement faster, better evidenced, and more defensible under examination. The firms that will get this right are not the ones that adopt AI fastest. They are the ones that adopt it most carefully.

***

Jerome Lussan is CEO of Leo RegTech and Chairman of Laven Advisors, a leading UK regulatory host. Leo RegTech provides compliance technology for financial services, focused on compliance management and oversight across the UK, EU, US, and Caribbean. Leo RegTech is independent, with no external VC or PE investors. That shapes how we think.


[1] https://dho.stanford.edu/wp-content/uploads/Legal_RAG_Hallucinations.pdf

[2] Thomson Reuters Institute, AI Hallucinations in Legal Filings: Tracking Report, 2025

[3] https://artificialintelligenceact.eu/article/99/
