Key takeaways:

• • • Profits continue to be strong — Most tax & accounting firms saw revenues and profits increase in 2025 despite a chronic talent shortage and other systemic challenges.

    • Optimism around AI adoption — Tax professionals are generally optimistic about AI-enhanced technologies, and their firms are backing their optimism with unprecedented levels of investment.

    • Expansion of advisory services — Firms are expanding their advisory service offerings to clients in such areas as tax strategy and business consulting, fueling growth and providing opportunities for competitive differentiation.

Tax, audit & accounting firm professionals have been concerned for years that the one-two punch of do-it-yourself tax software and automation might eventually erode the value of —and demand for — their services. However, according to the Thomson Reuters Institute’s “2026 State of Tax Professionals Report”, which surveyed more than 600 tax professionals worldwide, firms of all sizes are adapting remarkably well to the current era of rapid technological change and political upheaval.

Indeed, tax professionals surveyed say that, in addition to traditional tax preparation, their customers want and need more advisory services, a trend that has been gaining momentum for several years. In response, many firms are continuing to expand their service offerings in the areas of tax strategy, business consulting, decision support, and financial planning — especially at larger firms with more abundant resources.

The result of this gradual shift in service offerings is that profit margins for tax & accounting firms worldwide averaged about 30% in 2025, with some firms registering profit margins of more than 40%.

Efficiency and growth were top strategic priorities

When asked about their top strategic priorities for the coming year, survey respondents cite efficiency and promoting firm growth as the top factors on the strategic agenda for 2026, even more emphatically than they did in 2025.

Further, they see that making more and better use of technology is still the most immediate path to greater efficiency, Ěýwhich is why introducing additional automation and AI — or just trying to get the most out of a firm’s existing technology stack — was also mentioned as an important focus for the upcoming year.

Still searching for solutions to talent challenges

Challenges still abound, however. An anemic pipeline of new talent and the ongoing retirement of senior personnel are among the top barriers to progress and profitability at many firms, the report indicates. The report also notes that the resulting competition for qualified candidates leads to overwork, skills gaps, and capacity restraints, all of which can impede a firm’s ability to compete and grow.

Many respondents say their firms are using multiple strategies to address these issues, including more targeted training, career development, outsourcing, task reallocation, and automation. Competition for top talent is intense, nevertheless; and the report shows that midsize tax firms may feel the talent squeeze harder than others, chiefly because larger firms can offer higher salaries and more career opportunities to retain top talent.

Another way firms are addressing their talent challenges is by automating more tax processes and workflows; however, the report also suggests that many firms have reached the point in their technological maturity at which it may be more difficult to identify additional processes to be automated. As a result, these firms find themselves in somewhat of a holding pattern, unable to advance technologically because of unyielding systemic and cultural impediments.

Meanwhile, many larger firms have already built the technological infrastructures they need to support more advanced forms of automation and data analysis. Now, the report reveals, these firms are shifting their focus to make better use of workflow-enhancing tools that can enable more efficient operations, expand their firm’s capabilities, and serve as a competitive differentiator.

Not surprisingly, the conversation around AI is heating up as well. While tax professionals may not be so interested in public chatbots such as Claude and ChatGPT, their attention is directed toward the many ways in which AI can enhance the tools they already use and how intelligent deployment of these tools can benefit their firms. Indeed, AI was the only category of technological investment which experienced year-on-year budget growth, the report shows.

Overall, the “2026 State of Tax Professionals Report” offers invaluable insight into where tax professionals see their firms and their industry now, shedding light on how the world’s top tax leaders are advancing the profession.

You can download a free copy of the full Thomson Reuters Institute “2026 State of Tax Professionals Report” by filling out the form below:

Key highlights:Ěý

• • • The scale of risk demands urgent attention — The World Cup’s five-week span across three nations creates a human trafficking risk profile far beyond any previous North American sporting event.

    • Geographic exposure extends far beyond host cities — Unlike the Super Bowl, where risk is concentrated in one metro area, the World Cup’s national identity-driven fan engagement means every city in the US, Canada, and Mexico is effectively a participant city.

    • Cross-sector preparation is the most critical investment — Cutting down siloed operations among law enforcement, financial institutions, and NGOs is required, that means establishing financial institution task forces, training frontline bank branch employees to recognize trafficking indicators, sharing cross-sector information, and amplifying public awareness campaigns before the tournament begins is crucial.

The 2026 FIFA World Cup will be the largest sporting event ever hosted on North American soil, a tournament with 104 matches spanning more than five weeks across three nations and drawing an estimated 6.5 million visitors from around the world. While the United States hosts large sporting events like the Super Bowl each year, the World Cup brings with it the unique challenges of length of time, fan influx from around the globe, and geographic expansion.

Assessing the scale of human trafficking risk

To understand the magnitude of the human trafficking risk involved in events such as this, it is useful to apply a framework that accounts for three variables: i) the likelihood of a trafficking event; ii) the potential extent of damage; and iii) the duration of exposure. When that framework is applied to the 2026 World Cup, the human trafficking risk associated with the event registers high due to numerous factors.

The most significant differentiating factor of the World Cup is its time duration. The Super Bowl is a single-day event, and the Olympics run approximately two weeks. The 2026 World Cup spans more than five weeks across three nations, a duration that has no modern sporting equivalent. The last three World Cups, held in Brazil, Russia, and Qatar, offer limited comparative value given the substantial differences in legal frameworks, cultural contexts, and infrastructure. For purposes of risk assessment, this is why the Super Bowl represents the most relevant domestic benchmark, even though it falls considerably short as a true comparison.

Human trafficking evidence from the most recent Super Bowl

The most recent Super Bowl, held in the San Francisco Bay Area in February 2026, illustrates the scale of the human trafficking challenge. A coordinated anti-trafficking campaign conducted across 11 Bay Area counties resulted in the recovery of 73 sex trafficking victims, including 10 minors, and 29 arrests, all in connection with a single-day event.

Sex advertisement data from that period further substantiates the scale of human trafficking concern. In the months preceding the event, advertisement volume rose steadily before spiking dramatically during Super Bowl weekend and declining sharply in the days that followed. Analysis that was restricted to advertisements referencing the Super Bowl by name showed trend lines that remained essentially flat until the event itself, at which point volume surged significantly.

Likewise, examination of phone numbers associated with those advertisements revealed organized and purposeful movement. Nearly 500 unique numbers that had posted sex advertisements in other states in the preceding weeks appeared in San Francisco during the event.

The risk of human trafficking expanding beyond the host city is one additional insight uncovered during the anti-trafficking operation during the Super Bowl. Advertisements referencing the Super Bowl spiked simultaneously in Boston and Seattle, the home cities of the two competing teams. In the context of the World Cup, every city in the United States, Mexico, and Canada is effectively a participant city, and national identity rather than team affiliation drives fan engagement. The geographic distribution of risk is therefore exponentially greater than anything observed around the Super Bowl.

Hotspots of sex ads

What anti-trafficking partners should do now

Those organizations and institutions that take action in advance of the World Cup will be substantially better positioned to detect exploitation and protect vulnerable individuals. More specifically, these organizations should:

• Establish financial institution task forces in advance of the event — Convening local financial institutions to align on existing practices and identify gaps will aid in ensuring all parties are on the same page. It also establishes relationships and procedures that cannot be built effectively during a five-to-six-week surge in cross-border transactions. Activating established information-sharing mechanisms, such as the processes supporting the filing of and the , will be essential for detection and pattern recognition.
• Institute branch-level employee training at local financial institutions — Frontline employees possess local knowledge that no centralized system can replicate. A branch employee in a high-traffic urban location understands the patterns of their customer base and is often the first to recognize when something is amiss. What they frequently lack is the context in which to interpret that instinct and the guidance to act upon it. Addressing that training gap before the World Cup represents one of the highest-value preparedness investments available to financial institutions at this time.
• Dismantle institutional silos — Siloed operations, in which law enforcement, financial institutions, and non-governmental organizations (NGOs) each operate independently, represent the least effective organizational posture for an event of this scale. Institutions that establish cross-sector relationships and information-sharing commitments in advance will be meaningfully better equipped to respond.
• Develop and amplify public awareness campaigns — Research demonstrates that sustained public awareness campaigns and visible law enforcement presence reduce demand. Host cities, law enforcement agencies, and NGOs should treat this as actionable guidance in planning their response strategies.

The 2026 FIFA World Cup is not simply another major sporting event. The institutions, agencies, and organizations that approach it as such will find themselves unprepared for a scale of human trafficking risk that North America has never previously encountered.

You can find more about the resources, tools, and information that cities and organizations need to addressĚýhuman trafficking around large-scale sporting events atĚýthe Thomson Reuters Institute’s Large-Scale Public Events Toolkit here

Key insights:

• • • Fraud management works best as a connected workflow —ĚýAligning corporate fraud, AML, compliance, and investigation teams can strengthen visibility and response.

    • Monitoring must move beyond on-boardingĚý— Existing customers require ongoing risk-based review, smart alerts, and transaction monitoring that can identify potentially suspicious behavior without overwhelming teams.

    • AI can accelerate investigations, but humans remain essentialĚý— AI-driven automation helps process data and prioritize alerts; however, skilled analysts are still needed to provide context, judgment, and industry expertise.

Fraud prevention represents only the first step in comprehensive fraud management. Organizations must develop robust detection and investigation capabilities to identify fraudulent activity and respond effectively.

Indeed, the most successful organizations think about fraud management in a systematic way, says Andrew Pellington, a senior director in Risk & Fraud solutions at ¶¶ŇőłÉÄę. “The most successful organizations think about fraud management in more of a workflow phase that moves systematically from initial prevention through ongoing detection and into detailed investigation,” explains Pellington.

Phases of organizational structures

Understanding how these phases interconnect and then building the proper organizational structures to properly execute them can help corporate risk, fraud & compliance teams create the foundation for effective fraud protection. These phases include:

1. Build organizational alignment across fraud and compliance functions

One of the most significant structural shifts in fraud management is the convergence of corporate fraud and anti-money laundering (AML) departments. Historically siloed, these functions are increasingly merging because fraud and money laundering are deeply intertwined. Fraudsters commit fraud, obtain illicit proceeds, and then need to launder those funds — effectively, two sides of the same coin, Pellington notes.

That means, financial and non-financial institutions can benefit from unified teams sharing data, processes, and expertise; and this convergence extends beyond AML and fraud to prevention, detection, and investigation phases. Organizations can gain competitive advantage when these functions share integrated toolsets, consolidated data sources, and cross-departmental communication. Before sharing knowledge across institutions, however, organizations must first establish robust information sharing across their own departments.

2. Establish monitoring systems for existing customers and accounts

As your organization moves through the fraud management workflow, the focus shifts from high-volume account opening activities to continuous monitoring of existing customers and account holders. This phase requires different tools, processes, and resources than does prevention.

Monitoring — both proactively and reactively — allows organizations to identify suspicious patterns and behaviors, then sophisticated systems must track transactions across time, identify deviations from normal behavior, and flag accounts for review.

Proactively, organizations should segment customers by risk level and establish review cycles: monthly for high-risk customers, semi-annual for medium-risk, and annual for lower-risk accounts. Reactively, they should deploy adverse media and sanctions alerts against public records, coupled with transaction monitoring models that specifically identify potential money laundering or structuring patterns.

“As you move through the monitoring, now you’re looking at your existing customers and account holders, and then you get alerts thereafter,” Pellington explains.

3. Implement alert systems and prepare for regulatory scrutiny

While effective monitoring generates alerts that bridge passive systems and active investigation teams, these alerts need to be calibrated to identify genuine fraud risks without overwhelming investigators with false positives. This requires regular tuning and coordination between technology and investigation teams.

Organizations should adopt scenario planning and war games to test their processes by simulating potential fraud cases, regulatory inquiries, and adverse media incidents. Fraud incidents are a matter of when, not if, Pellington says, and those organizations that proactively test their response processes — rather than waiting for actual events — will maintain regulatory confidence and demonstrate institutional readiness.

4. Leverage AI while maintaining human expertise in investigations

While AI-driven automation of some work processes is a big advantage, deeper dive investigations require specialized expertise that cannot be fully automated. This is where generative AI (GenAI) and agentic AI can create significant opportunities. Agentic AI can prescreen alerts and determine which warrant investigation; and GenAI can rapidly produce enhanced due diligence reports by pulling together transaction histories, communications, vendor relationships, and public records.

Automating this work frees specialized fraud analysts to focus on what humans do best — applying industry knowledge and making judgment calls. Indeed, investigation is equal parts art and science, Pellington explains, adding that AI excels at the science — processing data at scale, and humans excel at the art — understanding context, industry fraud typologies, and customer relationships.

5. Transform data into knowledge and wisdom

The final critical gap Pellington identifies is the journey from information to knowledge to wisdom. Organizations possess unprecedented volumes of data, yet many drown in it without extracting actionable intelligence.

More data doesn’t guarantee better decisions; and organizations must elevate information to knowledge, understanding what their peers are doing, what best practices exist, and which approaches work best for the organization. Wisdom then comes from sharing across institutions, learning from industry experts, and avoiding mistakes others have experienced. This requires deliberate peer learning and thought leadership engagement.

Preparing for the future of fraud

Fraud risks are evolving fast, and those organizations best positioned to keep up will be the ones that keep their teams connected, sharpen their investigative tools, and pair AI with human judgment to act faster and stay more resilient while proactively transforming data into actionable wisdom.

By implementing these five phases of fraud protection, organizations can improve their detection and investigation capabilities and create comprehensive fraud protection that evolves with emerging threats.

You can find out more about ways to

Key insights:

• • • Cloud modernization is not enterprise transformation — Competitive advantage will come from architectures that produce measurable economic outcomes, not just scalable infrastructure or faster deployment.

    • AI success depends on data and governance architecture — Fragmented data, inconsistent definitions, and weak governance will cause AI to scale instability instead of intelligence.

    • “Federated coherence” is the new organizational survival model — Organizations must balance local agility with shared semantics, governance, interoperability, and economic measurement to compete in the AI era.

In this two-part blog series about the current state of cloud architecture, we previously looked into where this architecture has failed and now, into what the possible remedies might be.

As we noted previously, the argument is not that the cloud failed. The cloud delivered exactly what it promised: scalability, resiliency, and access to computational capability at speeds previously unattainable. The failures emerged downstream — as implications.

Organizations mistook infrastructure modernization for operational transformation. They accelerated systems without redesigning the economic and data architectures underneath them.

So, that means that the next phase of enterprise survival will not be determined by which organizations possess the most advanced infrastructure, the largest models, or the fastest deployment pipelines. It will be determined by which organizations can produce consistent, measurable, and economically aligned outcomes from fragmented environments that are increasingly dominated by AI-driven decision-making.

This is the point at which the market is beginning to separate into two categories — those organizations that are scaling capability, on the one hand; and those organizations that are scaling coherence, on the other. The difference between the two will define the next decade.

The shift from systems to economic architecture

For decades, organizational architecture centered on systems. Applications were mapped, integrations were documented, and governance was organized around technical domains. Even data architecture frequently existed downstream from software implementation rather than preceding it. That sequence is now economically inverted.

AI, regulatory transparency, real-time operations, and autonomous decision-making require organizations to engineer their architecture around outcomes first, data second, and systems third. The ordering is no longer optional today because AI amplifies architectural conditions already present inside the organization.

If fragmentation exists, AI operationalizes fragmentation faster. If duplication exists, AI scales duplication. If governance is inconsistent, AI accelerates inconsistent decisions.

The result is that organizations can no longer treat architecture as a technical discipline separated from operational economics. Indeed, architecture has become a measurable business competency that’s directly tied to the ability to make decisions quickly, respond to regulatory mandates, adapt operations, improve efficiency in the workforce, and enable success financial outcomes.

This is the emergence of what can be defined as AXTent — an operational model in which systems, governance, and data structures are explicitly engineered around measurable economic outcomes rather than technology deployment alone.

Table 1: Legacy architecture versus survival architecture

The distinction between traditional and AXTent architectures appears subtle, but it is not. Traditional architecture asked, “How should systems connect?” AXTent asks, “How should the organization economically behave under constant change?” That shift fundamentally changes design priorities.

The collapse of compartmentalized operating models

One of the least discussed consequences of the cloud era is the normalization of compartmentalized enterprise design. Departments optimized locally, applications proliferated independently, and data pipelines were built for immediate consumption rather than reusable enterprise value.

For a period of time, this appeared economically rational. Cloud economics rewarded speed, experimentation, and decentralized deployment. The hidden assumption, however, was that interoperability could eventually be solved later — today, with AI, later is now.

Organizations are discovering that independently optimized environments create organization-wide penalties, such as duplication of governance efforts, inconsistent reporting, conflicting analytics, rising costs for storage and processing, and delayed operational response times.

So, the problem is no longer technological debt alone; rather, it is interoperability debt that compounds economically.

Every duplicated data pipeline, inconsistent business definition, or isolated AI deployment can and likely does increase organizational friction. Over time, the organization becomes operationally dense — not because capability is lacking, but because coherence has deteriorated.

Table 2: The economics of architectural fragmentation

This is why many organizations now experience an architectural paradox — as technology capability increases, operational agility declines.

The new core competency: “Federated coherence”

The surviving organizations of the next decade will not centralize everything, nor will they allow unrestricted decentralization because both models fail under modern conditions. Instead, organizations are moving towards “federated coherence”, an operating principle that recognizes the reality that domains must retain operational flexibility, business units require localized agility, and regulatory requirements can differ by function and geography. However, overarching all this, federated coherence recognizes that enterprise semantics, governance, and economic measurement must remain interoperable.

This is the architectural middle ground most organizations have failed to achieve. Federated coherence is not simply a governance model, rather it is an economic design principle that allows organizations to reuse trusted data assets, standardize critical business definitions, reduce reconciliation overhead, accelerate AI deployment confidence, and respond to regulatory changes without widespread disruption.

The key insight is that interoperability is no longer a technical convenience — it is now a survivability multiplier. Organizations capable of adaptive interoperability will outperform those pursuing isolated optimization.

The measurement failure executives must address

One of the largest barriers to transformation is that most organizations still measure their technology capabilities incorrectly. Traditional metrics remain dominated by such concepts as speed of deployment, size of the infrastructure, utilization, and project delivery times.

These indicators measure activity, but they do not measure organizational improvement.

Table 3: Activity metrics versus economic outcome metrics

The next generation of architectural leadership will require direct alignment between technology and operational economics, including a reduction in decision times, decrease in reconciliation efforts, and an acceleration of regulatory response times. This next gen architecture will also measure reusable data, gains in process flow, and measurable margin improvement.

Without these measurements, organizations will continue operating within what can only be described as modernization theater that features visible technological movement with little to no structural economic advancement.

This is why so many corporate boards and executive teams increasingly struggle to articulate the return on investment for their spending on AI and the cloud. The investments are real and the infrastructure exists, but the measurement systems remain disconnected from economics. Architecture without measurable economic alignment simply becomes overhead.

Those organizations most likely to survive the next economic and technological cycle will not necessarily be the largest or the fastest adopters of AI. They will be the organizations that are most able to reduce complexity while increasing adaptability, govern their data without slowing operations, scale intelligence without scaling fragmentation, and align their architecture directly to measurable business outcomes.

In this environment, enterprise architecture now returns, but not as documentation, committees, or abstract frameworks disconnected from execution. It returns as an operational survival discipline. And those organizations emerging from this transition will increasingly resemble adaptive economic systems rather than static technical stacks.

Table 4: Characteristics of the adaptive organization

The implication is difficult but unavoidable. The future competitive advantage for many organizations will not be determined by what technologies they acquire, but by whether their underlying architecture can absorb continuous change without collapsing into operational friction.

That is the real challenge now unfolding beneath the modernization of the AI process. Moreover, it is why the next era of organizational modernization will not belong to those that simply automate faster; rather it will belong to those that finally learn how to architect survival.

You can find more blog postsĚýby this author here

Key insights:

• • • Unauthorized practice of law rules have repeatedly come into conflict with new forms of legal self-help — Each major wave of consumer-facing legal assistance has tested the boundaries of UPL doctrine and forced courts, regulators, and lawmakers to decide where legal information ends and legal advice begins.

    • Technology has expanded access to legal information faster than regulation has adapted — LegalZoom and other justice tech companies showed that legal tools could be delivered at scale, while UPL doctrine often struggled to accommodate new models of legal assistance designed for consumers with unmet legal needs.

    • The rise of AI makes the old UPL framework increasingly inadequate — As GenAI tools provide legal research, document assistance, and guided analysis directly to the public, regulators should move beyond the LegalZoom-era battles and consider a framework focused on consumer protection, transparency, and actual harm.

This two-part blog series examining how regulators, the legal profession, and individual litigants are looking at the unauthorized practice of law (UPL) first looks at the history of UPL and then suggests a consumer protection-based method of regulation to replace today’s supplier-based regulations.

With three-quarters of state court cases including at least one self-represented party, and with 92% of Americans with a legal problem not getting the legal help they need, it’s not surprising that the unauthorized practice of law (UPL) is a concept that’s not far from people’s minds.

It does not have to be this way, of course, and there are solutions to the thornier issues with UPL; but first, it may be helpful to understand how we got to this place and how UPL has evolved.

Legal self-help in a pre-Internet world

In the late-1800s, before UPL was formally articulated, John Wells published “Every Man His Own Lawyer”, a widely circulated guide that explained legal principles and provided practical forms. Its popularity reflected sustained public demand for accessible legal information. Around the same time, the organized bar began to emerge, along with more structured efforts to define and protect the boundaries of legal practice.

By the early-1900s, auto clubs were providing legal help to their members, demonstrating an early form of a prepaid legal services plan that exists to this day, but with typically a wider array of services. As would be the case in later years, an economic downturn soon brought a fight as lawyers used threats of UPL to fight competition. Not long after the Great Depression began, the ABA formed the Committee on Unauthorized Practice of Law, and a wave of litigation ensued to essential end the offering from auto clubs.

Similar dynamics appeared later in the 20th century. In the 1960s, soon before the recession of the 1970s, Norman Dacey’s “How to Avoid Probate!” offered readers tools to manage estate planning without engaging a lawyer. The response included investigations and attempts to suppress the book. Courts ultimately clarified that providing general legal information, even when presented in a structured and practical format, does not constitute individualized legal advice and falls within the scope of protected speech.

Tech enters the equation

By the 1990s, these ideas had moved into a digital environment. Companies such as Nolo and Parsons Technology translated legal forms and guidance into software and the Texas State Bar sued in federal court. Although the bar initially prevailed, a legislative response introduced a software exception to UPL that remains in effect today, reflecting an early acknowledgment that technology-based tools required a different regulatory lens.

By early 2000s, LegalZoom extended these concepts at scale. By automating document creation across a wide range of legal needs, it brought structured legal tools directly to consumers in a more accessible format. While not the first provider of self-help legal resources, it demonstrated how technology could move online and operationalize these services at a national level — not surprisingly, this effort would face resistance at a whole new level.

Launched in 2001, LegalZoom argued that it just represented the modern evolution of books like those written by Wells and Dacey. The response from the legal establishment was ferocious. It began with state bar inquiries trying to understand what LegalZoom was offering, and as the Global Financial Crisis began in 2007, class action lawsuits and regulatory challenges followed.

These suits sought significant damages without alleging specific consumer harm, creating substantial pressure on a still-developing sector and signaled resistance to new models of service delivery. The objections were ostensibly about consumer protection, while more reflecting concerns about changes to established structures in the legal profession.

LegalZoom won some of the class actions and settled others on friendly terms, typically agreeing to limit the use of certain words in its advertising, paying some class member claims, offering its attorney-access plans on a complimentary basis, and paying attorneys’ fees.

Supreme Court precedents

Two U.S. Supreme Court decisions would prove highly important to the UPL battles. The first came in in which the Court ruled that companies could include class action waivers in arbitration provisions. Soon after, LegalZoom began implementing this type of arbitration provision to coincide with the resolution of several major class actions to make sustaining a class action against it in the future more difficult.

The second Supreme Court ruling to impact UPL came in in which the Court ruled that a state occupational licensing board cannot claim state-action antitrust immunity if a controlling number of its decision-makers are active market participants in the occupation it regulates and the state does not actively supervise the board. This decision put state bars at risk.

The fight that changed the conversation was the LegalZoom lawsuit against the North Carolina State Bar (NCSB) that was modeled after the result in the Dental Board matter. LegalZoom had built a prepaid legal services plan offering attorney access to its customers — a narrower version of what the auto clubs had offered in the past. These types of plans historically were supported by the ABA and National Association of Attorneys General, but a few states pushed back on LegalZoom offering one. Most notably, North Carolina objected and LegalZoom sued the NCSB for a declaratory judgment that it was not engaged in UPL as well as on antitrust and other grounds, leading to a settlement and cooperative legislation that cleared the way for LegalZoom to continue operations, including launching its legal plan, in that state.

Upon the case’s conclusion, University of Tennessee College of Law professor , LegalZoom fought the North Carolina Bar — and LegalZoom won. Barton opined that the “South Carolina [where the Supreme Court had found LegalZoom practices lawful] and North Carolina precedents will likely end all state bar action on UPL.” He was largely correct, as future LegalZoom and other industry skirmishes would not amount to much, allowing the industry to thrive.

The future of UPL

Today, the LegalZoom fights look quaint. It was essentially a fight over the online equivalents to form books, when a few years later AI would explode onto the scene and upend everything. We now have everything from foundation models such as ChatGPT, Claude, and Gemini to legal specialists available to the public and generating research memos at the push of a button.

This, perhaps, brings us back to where we started. And now may be the time to ask whether a new system of regulation is needed around UPL, because no other justice tech company should have to run the gauntlet of fights that LegalZoom faced.

In the next part of this blog series, we will look at how the issues raised by UPL in the AI age may require a new regulatory solution, possibly one based on a consumer protection model that would replace today’s supplier-based regulations

Key insights:

• • • AI is supercharging old fraud schemesĚý— By making synthetic identities, deepfake scams, and customer fraud faster, more credible, and harder to detect, AI is amplifying fraud and crime.

    • The real vulnerability may be internal silosĚý— Institutions need to be on the lookout, because what looks like a credit loss, an HR issue, or a payment request may actually be part of a wider multi-vector AI-enabled attack.

    • Institutions already have the tools to respondĚý— Through KYC and internal and behavioral data, financial institutions have the ability to respond to fraud threats — but only if teams connect and act together.

Fraud and crime existed long before AI, of course, but today’s technology delivers an acceleration in speed, scale, and success rate for fraudsters, resulting in billions of dollars in losses for victims. AI-enabled frauds on financial institutions by 2027 in the United States alone, and of detected fraud attempts on financial institutions use AI – and of these, 29% are successful.

To respond effectively to these threats, institutions need to implement a unified response that brings together departments that may not traditionally be partners. This cross-functional coordination should include not only the institution’s fraud and financial crime risk teams but also its credit risk, cybersecurity, and human resources functions.

And this response is critical, because today, financial institutions are being targeted by multiple types of AI-enabled attacks, including tactics such as:

• • • use of synthetic identities to circumvent know your customer/customer due diligence (KYC/CDD) controls and perpetrate fraud or launder money;
    • use of deepfake identities to gain employment, particularly by North Korean IT workers;
    • AI-enhanced “CEO frauds” to deceive staff into taking unauthorized actions; and
    • Bank customers may be targeted by fraud too, presenting further risk to financial institutions.

Let’s look at these threat vectors individually:

Vector 1: Synthetic identities and KYC/CDD

Synthetic identities can be entirely fabricated or may use combinations of real and fabricated personal information to create a new identity. For example, a fraudster may construct a synthetic identity using a Social Security number exposed during a data breach combined with an AI-generated passport.

This threat is real and happening now: identifies that criminals have already used AI to successfully open accounts using falsified documents, photographs, and videos. And according to , synthetic identities were used to open as many as 3% of US bank accounts, representing millions of identities. Not surprisingly, these illicit accounts are used to commit fraud and launder the proceeds of money laundering.

Vector 2: North Korean IT workers

North Korean individuals have successfully gained employment as remote IT workers at American companies, often passing themselves off as US nationals using AI-generated face-swapping technology combined with proxy computers and false identity documents. North Korean IT workers are almost $800 million annually for the regime.

Institutions deceived into employing these workers are not only against North Korea, but they are also exposing commercially sensitive data and systems to an adversary state, increasing the possibility of theft, cyber-attacks, and extortion.

Vector 3: CEO Fraud

A “CEO fraud” is a cybercrime in which an attacker impersonates an executive to deceive an employee into taking actions such as sending unauthorized wire transfers or disclosing sensitive information. AI accelerates these frauds by making them more personalized and credible.

In one of the more well-known examples, in an AI-enhanced CEO fraud in 2024 after the fraudster impersonated Arup Engineering’s CFO and requested a staff member to make several financial transfers. The criminals added credibility to the fraud by using a in which the target recognized many of their colleagues – unfortunately, all of them were deepfakes.

Vector 4: Frauds targeting customers

Where customers are targets, AI provides the scale, speed, and personalization to allow illicit actors to deliver individualized fraud. For example, whereas romance scams previously used repetitive scripts and re-used the same images of the romantic “partner,” fraudsters can now use AI-generated messages, images, or videos, continuously adapting the execution of the scam to the target’s responses and behaviors.

Creating a cross-functional and unified response

The examples above demonstrate the diverse and highly sophisticated uses of AI by illicit actors, both adversary states and criminal networks. Detecting and responding to these illicit activities requires joint action between teams that may not traditionally work closely together.

For example, if an account holder fails to repay a loan, the credit team may consider it to be a default by a legitimate customer and write it off as a credit loss. However, if the account was opened using a synthetic identity, investigation may reveal other accounts that share similar customer data points or transactional patterns. This could reveal a network of accounts that are perpetrating a fraud or money-laundering scheme. To detect and respond effectively, joint action is needed between KYC/CDD on-boarding teams, financial crime investigators, and fraud and credit risk professionals.

Alternatively, for HR teams to effectively identify use of face-swapping videos during a hiring process, knowledge from the organization’s cybersecurity team, especially of deepfake indicators, would be valuable. If a North Korea IT worker is hired and only later identified, cybersecurity and sanctions teams must be involved in the response to mitigate data, network, and compliance exposures.

Detecting and responding to all illicit activities requires joint action between teams that may not traditionally work closely together.

Finally, all staff may be targeted by deepfake fraud, but those in senior positions or departments with financial authority are the most vulnerable. This means it is essential for institutions to deliver employee training using real-life case studies, “near misses,” and scenarios drawn from across the institution and industry. This type of training will increase vigilance and minimize the likelihood of a successful attack.

For customers, financial institutions are well-positioned to identify indicators of fraud due to their extensive datasets of KYC/CDD records, transactional, and behavioral information. Institutions should enhance their customer relationships (as well as meet applicable regulatory requirements) by taking proactive measures to inform and protect their customers.

While AI has accelerated fraud and crime, financial institutions also hold valuable and relevant assets: the knowledge distributed across their cybersecurity, HR, credit risk, financial crime compliance, fraud, and KYC/CDD teams. By connecting these teams together, even in contexts in which these departments have not traditionally been partners, institutions will be well-positioned to protect both themselves and their customers from illicit actors’ sophisticated AI-enabled threats.

You can learn more about the fraud-fighting challenges faced by financial institutions and other organizations here

Key highlights:

• • • The theory-practice gap is now an AI-era crisis— Integrating legal training with hands-on pro bono experience is the future of legal education.

    • A collaborative model merges learning and doing into a single platform— The model connects law students with vetted pro bono opportunities from legal services organizations, while also offering targeted, skills-based training at the moment students step into those matters.

    • Pro bono work is uniquely suited for responsible AI training— On-demand programs led by expert faculty are available to help students sharpen pro bono skills, understand the use of AI in today’s legal practice, and stay on top of developments in numerous industry and practice areas.

Legal education has operated on a familiar, decades-long divide that saw students spend their first years learning the law in the classroom and then after graduation, gaining substantive experience practicing the law in the real world. This gap has always been costly for both students and legal employers, and now it’s emerging as untenable in an era in which AI is rapidly reshaping what junior lawyers do.

Pro bono and skills training close this gap

A new partnership between , a pro bono management platform, and the (PLI), a nonprofit provider of learning resources for legal professionals, is designed to close this gap while showing something larger about where legal education must go.

The partnership is designed to equip students with on-demand, actionable training that supports effective pro bono engagement by offering access to PLI’s training programs directly through Paladin’s platform. Since launching with 30 law schools in August 2025, students have signed up for thousands of pro bono cases through the platform, according to , Co-founder and CEO of Paladin.

For years, experiential learning in law schools was something students had to piece together on their own by hunting across spreadsheets, clinic listings, and externship postings for opportunities, says Sonday, adding that too often students were given little guidance on what they were walking into.

The partnership is designed to equip students with on-demand, actionable training that supports effective pro bono engagement

“What’s fundamentally different is the integration and centralization of learning and doing,” Sonday explains. “Historically, legal education has separated theory, training, and practice.” Now, she notes, a student can learn a concept, build confidence through targeted training, and apply it in a real-world setting within a short amount of time.

, Chief Strategy Officer at PLI, describes the experience from the student’s perspective: “When a first-year logs into the Paladin platform, they are not thrown into the deep end. Instead, they can access skills-based programs, such as a PLI program specifically on how to interview a pro bono client before they ever sit across from someone in need. This leads to a better experience for the student, the law school, and especially for the client.”

Pro bono work suited to responsible AI training

The urgency behind this partnership is inseparable from the impact AI is having on the entry-level legal market.

“We’re already seeing AI reduce the time spent on tasks like initial legal research, document review, drafting memos, and summarizing case law,” Sonday says. “This is work that has traditionally formed the foundation of junior associate training.” The skills AI cannot replicate — such as judgment, issue spotting in ambiguous situations, client communication, and ethical decision-making — are what students need to develop deliberately earlier in their legal careers.

Indeed, those human skills are essential to the effective use of AI, Talmage says. The lawyer of the future will be a strategic advisor and creative problem solver, which are the very attorney roles that AI cannot fill, she explains, adding that those must be cultivated through experience. “You always need to be questioning and verifying and authenticating — and that’s generally a lawyer’s role.”

For years, experiential learning in law schools was something students had to piece together on their own by hunting across spreadsheets, clinic listings, and externship postings for opportunities.

There is a particular logic as to why pro bono work is the right fit for learning to use AI responsibly. Pro bono is “a built-in, humans-in-the-loop model” in which students are always supervised by attorneys, Sonday says. And this supervision creates a structured environment in which to learn how to use AI tools, apply them to real matters, get feedback, and iterate. The result, Sonday argues, will be more attorneys who are AI-fluent early on and throughout their careers.

A message to law school leaders

For law school leaders, both Sonday and Talmage highlight that AI use has already changed the legal profession. The choice then for law schools is whether they evolve by design or by default.

Students know the legal profession has changed and so do employers, CLE providers, and clients, Talmage explains.

Sonday agrees. “The pace of change in the legal profession is accelerating, and students need to be prepared not just for the law today, but also for the practice of law in the future,” she says. “Integrating pro bono platforms and AI-specific training aligns legal education with reality.”

The Paladin/PLI partnership offers a blueprint for what legal education must become in the future, transforming itself into a space that’s grounded in applied legal knowledge, human-supervised, and AI-informed. Indeed, the best way to train the next generation of lawyers is to give them real clients, real cases, and real responsibility while they still have room to grow.

You can find more about the challenges facing law schools and legal education here

Key takeaways:

• • • Mandatory compliance mandates are growing — Pillar 2, DAC6, and other real-time reporting mandates are increasing obligations in dozens of jurisdictions today, and those tax departments without the infrastructure to meet these obligations are already behind.

    • Real-time documentation is critical — The window between a transaction occurring and a tax authority scrutinizing it is shrinking to near zero in some markets, meaning that documentation must exist at the moment it is generated, not reconstructed afterward.

    • Data quality is compliance quality — Real-time compliance brings with it heightened pressure to avoid incomplete or inconsistent inputs, because increasingly sophisticated analytics used by tax authorities will find them.

In 2023, a major European manufacturer was hit with a seven-figure penalty not because its tax return was wrong, but because it couldn’t demonstrate how it arrived at the right answer. No documented governance framework, no clear ownership, and no audit trail. The numbers were defensible, but the process wasn’t.

That gap — between getting the right answer and being able to prove it — is where corporate tax risk now lives.

Governments and tax authorities worldwide are to self-report accurately. They are building legal frameworks, digital infrastructure, and enforcement mechanisms to verify compliance in real time. And for tax departments accustomed to managing compliance on their own terms, the window for a comfortable transition is closing fast.

A global tightening

Tax governance requirements are intensifying on multiple fronts. In the United States, for example, the IRS’s Large Business & International division has significantly expanded its compliance campaigns, targeting transfer pricing, research & development (R&D) credits, and multinational structures. Section 174 of the 2017 Tax Cuts and Jobs Act now requires companies to amortize R&D expenditures over five or 15 years depending on where research occurs — a change that many tax departments are still working through while absorbing new obligations on top of it.

Internationally, the pace is faster still. The framework that the Organisation for Economic Co-operation and Development (OECD) created for its base erosion and profit shifting (BEPS) rules has been adopted by more than 135 countries. Pillar 2 — the global 15% minimum corporate tax rate — is already in effect in dozens of jurisdictions and is actively reshaping how multinationals structure their tax affairs. These are not coming changes — they are current ones.

Mandatory disclosure regimes have expanded in parallel. The European Union’s DAC6 directive requires intermediaries and taxpayers to report potentially aggressive cross-border arrangements, with penalties in some member states reaching hundreds of thousands of euros. The United Kingdom’s Senior Accounting Officer regime goes even further, placing personal legal accountability on named senior executives for the adequacy of their company’s tax accounting arrangements. Similar regimes are expanding in Australia, Canada, and Brazil.

These are not isolated experiments. They represent that is not going to reverse any time soon.

The real-time reporting challenge

That means, corporate tax departments must respond to this shift because the traditional audit model — authorities review historical returns and request documentation years later — is being replaced in a growing number of markets. Spain, Hungary, and South Korea already require taxpayers to submit transactional data directly to tax authorities through mandatory electronic systems. The EU’s Value added tax (VAT) in the Digital Age initiative will extend similar requirements across all 27 member states beginning in 2028.

For tax departments, this reporting compression is the central operational challenge of the next five years. A team that once had 12 to 18 months to reconstruct documentation for an audit now needs that documentation to be accurate and defensible at the moment it is generated. That requires a fundamentally different operating model — not just better record-keeping, but automated data capture and real-time reconciliation built into core financial systems — along with the ability to transfer that documentation electronically in real time.

3 actions tax departments must take now

To begin to address this dramatic change, corporate tax departments need to act now, taking steps that include:

1. Building a formal governance framework

Tax departments need written governance frameworks that clearly define what party owns each compliance decision, how decisions are reviewed and approved, and what controls exist to catch errors before filing. This means named ownership of obligations, documented sign-off processes, and regular internal reviews against a compliance calendar.

In the UK, this is already a legal requirement ; and similar standards are emerging in Germany, Australia, and across the EU. A framework should cover at minimum; the ownership of each material filing obligation; the review and approval chain for positions taken; escalation procedures for uncertain tax positions; and a schedule for internal control testing. Without these processes in place, tax departments could face regulatory penalties, personal liability for senior leaders, and reputational damage that may be difficult to recover from.

2. Fixing the data access problem

Tax departments consistently lack reliable, timely access to the financial data they need. This is primarily an organizational problem, not a technology one. Tax functions often sit downstream from finance systems designed without tax requirements in mind — meaning data often arrives aggregated, reclassified, or stripped of the granularity needed for compliance work.

Solving this requires tax leaders such as finance, IT, and business operations — not just to request data, but to influence how that data is captured at its source. That means participating in enterprise resource planning implementations, establishing data requirements for new business lines before they launch, and building direct feeds from source systems rather than relying on manual extracts.

3. Treating data hygiene as a compliance control

Tax authorities in the UK, the Netherlands, Germany, and the US are deploying advanced analytics to identify anomalies in corporate filings. Unexplained variances between statutory accounts and tax returns, inconsistencies in intercompany pricing, or mismatches between VAT and corporate income tax data could all trigger closer scrutiny.

Data hygiene must be treated as a compliance control, not an IT issue. In practice that means establishing reconciliation checkpoints between source data and tax inputs, maintaining documented data lineage so any figure in a return can be traced to its source, and conducting data quality reviews before filing deadlines — not after.

The bottom line

The regulatory trajectory is set, so that means the question for tax leaders whether their department will be ready when tested. Governance, data access, and data quality are no longer back-office concerns — they are the foundation upon which defensible compliance is now built.

Tax department leaders need to build that foundation now, before the examiner asks.

You can find out more about

Key highlights:

• • • AI governance is hard to prove in practice — While our research shows that 44% of companies publish an AI strategy, 76% of those same companies show no evidence of having policies to evaluate the quality of data used to train AI systems.

    • Workers are being left under-prepared and under-protected — Only 14% of companies have policies to mitigate the negative impacts of AI on workers, and only 31% offer any reskilling or training programs around adapting to an AI-integrated workplace.

    • Human rights and ethics appear an afterthought in AI governance — Almost three-quarters (72%) of companies conduct no AI impact assessments, and less than 1 in 10 companies conduct ethical or human rights assessments.

There is a widening chasm at the heart of corporate AI governance, according to a new report, , published by the ¶¶ŇőłÉÄę Foundation and the United Nations Educational, Scientific and Cultural Organization (UNESCO).

The Foundation’s analyzed publicly available information from nearly 3,000 companies across 11 industry sectors, creating the most comprehensive picture yet of how organizations are managing AI.

Beneath the surface of corporate AI governance mechanisms, divergence between the speed of AI adoption and meaningful human oversight is growing. The report’s findings make clear that this is no longer a gap that organizations can afford to ignore, especially when backlash against is growing and are solidifying among consumers in the United States.

Data highlights the illusion of AI governance

Businesses of different sizes and across multiple sectors are adopting AI technology at a rapid pace. When governance exists only in the wording of a strategy or company vision, however, the people most affected by AI systems — workers, consumers, and communities — are left vulnerable. According to the report:

• • • 44% of companies publicly communicate having an AI strategy. However, a gap in AI governance is evident as more than three-quarters of those companies (76%) do not seem to have policies to evaluate the quality of data used to train AI systems.
    • 40% of companies report board- or committee-level oversight of AI. At the same time, strategic signals do not necessarily indicate operational capacity or day-to-day governance. In fact, less than one-third of all sampled companies claim to have an additional team or resource dedicated to AI governance. Moreover, limited information is publicly disclosed on the teams, processes, and accountability mechanisms that translate intent into action.

Workers are being left behind

Research by the International Monetary Fund finds almost , highlighting the acute nature of concerns about job displacement and declining opportunities for some groups. Without sufficient oversight, AI can threaten workers’ rights, amplify bias, and increase surveillance and work intensity, which can enable inhumane decision-making at scale.

The TR Foundation/UNESCO report notes that many companies are adopting AI without the safeguards needed to support workers and help them to adapt to the changes this technology brings. Less than one-third of companies were shown to offer training and reskilling programs for employees who may be adapting to an AI-integrated workplace. Even within the 31% of organizations in which these training programs exist, there is a vast variation in the scope and depth of the training offered.

In fact, many company training programs are not enterprise-wide or structured. Instead, they are ad-hoc or limited to leadership roles. This lack of investment in talent risks undermining the significant investment that companies are making in AI.

Despite growing pressure from regulators, policymakers and social justice campaigners, the ethical impact of AI appears poorly governed, with companies sharing limited information publicly.

The picture on worker protections is equally concerning. Only 14% of companies have public policies in place to mitigate the negative impacts of AI systems on workers, the report shows. This means the majority of companies either have no policies in place or do not publicly communicate them.

What is more troubling is that when workers experience harm, there is almost nowhere for them to turn. Only 2% of companies indicated they had a complaints mechanism — a critical early warning system for potential concerns. The findings suggest many organizations lack a mechanism for AI-related internal complaints beyond the broad generic complaint channel, and this is compounded by low awareness of the areas in which AI systems may infringe employees’ rights and protections.

Ethics and human dignity as an afterthought

Despite growing pressure from regulators, policymakers and social justice campaigners, the ethical impact of AI appears poorly governed, with companies sharing limited information publicly.

Human rights and ethical use of AI are treated as secondary considerations to compliance, according to our research. The majority of companies (72%) do not conduct any impact assessment with regard to AI. Only 7% publicly communicate conducting a fundamental or human rights impact assessment, and just 5% report conducting an ethical impact assessment.

Among those companies conducting some form of impact assessment, the focus skews sharply toward compliance rather than people. The most prevalent assessments are privacy or compliance-focused, with 18% of those companies that conduct some form of impact assessment reporting that they conducted a data protection impact assessment, and 14% reporting they conducted a privacy impact assessment.

How to center people in AI governance

Closing this governance gap is essential for companies in order to adopt AI responsibly and avoid costly legal, ethical operational, talent-related risks.

To support companies in navigating this challenge, offers a free survey to help companies map the areas in which AI is used across products, operations and services, and then benchmark those against peers their sector.

The report also contains case studies from companies that voluntarily shared their responsible practices with us. For example, German software company SAP intentionally designs and deploys its internal AI systems with a human-in-the-loop in which AI automates repetitive tasks and supports decision-making while final judgment and complex problem-solving remain firmly in the hands of employees.

As AI becomes part of core business infrastructure, companies must move beyond statements of intent and toward measurable AI governance.

In another example, BASF, a German chemical conglomerate, has jointly agreed with its workers’ councils on a general reskilling program that covers technical, hard, and soft skills. Finally, Canadian telecom company TELUS’ Indigenous Advisory Council provides guidance on AI ethics issues that directly affect indigenous communities.

Next steps for companies

The TR Foundation/UNESCO report highlights the most impactful concrete commitments that companies can take now to future proof against AI-related risk, including:

• • • investing in structured, enterprise-wide worker-reskilling programs that measure outcomes, not just participation;
    • establishing enforceable human rights impact assessments as a standard part of AI deployment, not as an optional addition; and
    • creating accessible, AI-specific internal grievance mechanisms so that workers and users have a genuine pathway to raise concerns and seek remedy.

As AI becomes part of core business infrastructure, companies must move beyond statements of intent and toward measurable AI governance. While this data demonstrates clear governance gaps, it also presents an opportunity for companies to take the lead on implementing responsible AI that operates openly in the public interest.

You can learn more about

Key insights:

• • • Define your risk appetite — A clearly defined fraud risk appetite aligns prevention efforts with strategic objectives and ensures accountability by establishing acceptable levels of fraud risk across the organization.

    • Create a fraud-specialized team — Dedicated ownership of the vendors that supply fraud solutions by a fraud-specialized team — rather than by the procurement function — is critical to maximizing technology performance and adapting to emerging threats.

    • Establish a specialized prevention division — The rise of sophisticated scams demands the creation of a separate, specialized prevention division to avoid overburdening core fraud teams and ensure targeted, effective responses.

Corporate fraud represents one of the most significant risks facing organizations today. Yet many companies lack the structured governance and technology infrastructure needed to combat fraud effectively.

The solution requires that comprehensive fraud prevention frameworks be built on clear governance, proper technology deployment, and data-driven insights, according to Aaron Frye, Founder & CEO of Lucid Point Consulting. Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results. These five pillars include:

1. Develop a fraud risk appetite

Effective fraud prevention begins with a well-defined fraud risk appetite that tells the right story to the right stakeholders. Your framework must communicate to your board, executive leadership, and operational teams the level of fraud losses your organization should tolerate, and in which areas you should prioritize fraud prevention investments.

The fraud risk appetite framework must address several key considerations; for example, it should define the level of fraud risk that aligns with the organization’s growth objectives, identify the areas of greatest vulnerability, and evaluate which investments will yield the strongest return. Equally important is the ongoing monitoring and communication of progress through regular reporting on fraud risk metrics, vendor assessments, and investigation outcomes. These actions demonstrate to stakeholders that fraud prevention remains an active priority for the organization and ensures that fraud risk continues to inform organizational decision-making.

2. Establish clear ownership of risk-solution vendors

Many organizations invest significantly in fraud detection tools only to see disappointing returns. The problem often lies not in the tools themselves, but in unclear ownership and accountability for their performance.

Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results.

If your organization lacks a designated person or team within your fraud strategy function whose job it is to ensure the risk-solution tools you’re getting from vendors are the best for your enterprise, you likely aren’t getting the most out of your vendors. This dedicated fraud service ownership role must act as your internal champion, evaluating vendor performance, staying current with product enhancements, and ensuring integration with other fraud prevention initiatives.

Critically, procurement, sourcing, and vendor management functions should never own this role. These teams, by the nature of their titles and responsibilities, don’t prioritize fraud. They lack the specialized knowledge required to assess whether your fraud detection technology is performing optimally or adapting to emerging threat landscapes. Without dedicated fraud expertise overseeing your technological investments, advanced tools sit underutilized and critical fraud signals go undetected.

3. Develop a fraud governance function

Every organization should have a dedicated fraud risk governance team within its fraud risk management organization. This governance function serves as your second line of defense, working proactively to reduce operational chaos within your fraud strategy, operations, and investigation groups.

If a non-fraud governance function owns fraud governance, you are guaranteed not to be getting the best form of governance. Fraud is a specialized discipline requiring dedicated expertise and focus; and your governance team must develop policies, establish standards, monitor control effectiveness, and ensure consistent application of fraud prevention practices across the enterprise.

4. Document existing risks and resource gaps

One of the most important responsibilities of your fraud governance function is identifying and documenting the areas related to fraud risk that your current fraud risk teams don’t have time to review. Due to capacity constraints, it is impossible for many fraud risk teams to cover all open gaps. Your organization must understand those open gaps and not be ashamed to address them.

Create an action plan that documents open risk and self-identified issues that your current team cannot adequately address. This transparency demonstrates clear-eyed realism about your organization’s limitations and creates the business case for requesting additional resources or engaging external consultants to help close these risk gaps.

5. Address the growing scam-prevention challenge

needs its own prevention strategy division within your fraud risk function. Compromised business email, investment scams, and vendor fraud schemes represent an entirely new category of fraud risk that demands specialized attention.

Every organization should have a dedicated fraud risk governance team that serves as its second line of defense, working proactively to reduce operational chaos within corporate strategy, operations, and investigation groups.

There has never been a full manageable grip on fraud prior to the spike in scams. Therefore, you cannot expect your existing fraud risk teams to tackle a new wave of scams as a priority as well as to manage traditional fraud prevention responsibilities. Your core fraud function manages internal control systems, transaction monitoring, and investigation protocols. Adding comprehensive scam prevention to this workload without dedicated resources guarantees that identifying and preventing scams will receive insufficient attention.

Establish a dedicated scam-prevention division focused specifically on emerging scam threats, employee education, scam-specific prevention technology, and response protocols. This specialized approach ensures sophisticated scam schemes receive the expertise and resources necessary while your core fraud function continues addressing traditional fraud prevention requirements.

Going forward into the fight against fraud

In an era of escalating fraud threats, reactive detection is no longer sufficient. Organizations must adopt a proactive stance grounded in strong governance, clear accountability, and strategic resource allocation.

By defining a fraud risk appetite, assigning ownership of fraud prevention tools, strengthening governance, documenting unaddressed risks, and establishing a dedicated scam prevention function, companies can build resilient, forward-looking fraud prevention frameworks. These five pillars enable organizations to anticipate threats, allocate resources effectively, and protect both financial performance and reputational integrity.

Today, the path to fraud resilience begins not with technology alone, but with deliberate, enterprise-wide commitment to proactive risk management.

You can find out more about ways to