Key insights:

• • • AI is supercharging old fraud schemesĚý— By making synthetic identities, deepfake scams, and customer fraud faster, more credible, and harder to detect, AI is amplifying fraud and crime.

    • The real vulnerability may be internal silosĚý— Institutions need to be on the lookout, because what looks like a credit loss, an HR issue, or a payment request may actually be part of a wider multi-vector AI-enabled attack.

    • Institutions already have the tools to respondĚý— Through KYC and internal and behavioral data, financial institutions have the ability to respond to fraud threats — but only if teams connect and act together.

Fraud and crime existed long before AI, of course, but today’s technology delivers an acceleration in speed, scale, and success rate for fraudsters, resulting in billions of dollars in losses for victims. AI-enabled frauds on financial institutions by 2027 in the United States alone, and of detected fraud attempts on financial institutions use AI – and of these, 29% are successful.

To respond effectively to these threats, institutions need to implement a unified response that brings together departments that may not traditionally be partners. This cross-functional coordination should include not only the institution’s fraud and financial crime risk teams but also its credit risk, cybersecurity, and human resources functions.

And this response is critical, because today, financial institutions are being targeted by multiple types of AI-enabled attacks, including tactics such as:

• • • use of synthetic identities to circumvent know your customer/customer due diligence (KYC/CDD) controls and perpetrate fraud or launder money;
    • use of deepfake identities to gain employment, particularly by North Korean IT workers;
    • AI-enhanced “CEO frauds” to deceive staff into taking unauthorized actions; and
    • Bank customers may be targeted by fraud too, presenting further risk to financial institutions.

Let’s look at these threat vectors individually:

Vector 1: Synthetic identities and KYC/CDD

Synthetic identities can be entirely fabricated or may use combinations of real and fabricated personal information to create a new identity. For example, a fraudster may construct a synthetic identity using a Social Security number exposed during a data breach combined with an AI-generated passport.

This threat is real and happening now: identifies that criminals have already used AI to successfully open accounts using falsified documents, photographs, and videos. And according to , synthetic identities were used to open as many as 3% of US bank accounts, representing millions of identities. Not surprisingly, these illicit accounts are used to commit fraud and launder the proceeds of money laundering.

Vector 2: North Korean IT workers

North Korean individuals have successfully gained employment as remote IT workers at American companies, often passing themselves off as US nationals using AI-generated face-swapping technology combined with proxy computers and false identity documents. North Korean IT workers are almost $800 million annually for the regime.

Institutions deceived into employing these workers are not only against North Korea, but they are also exposing commercially sensitive data and systems to an adversary state, increasing the possibility of theft, cyber-attacks, and extortion.

Vector 3: CEO Fraud

A “CEO fraud” is a cybercrime in which an attacker impersonates an executive to deceive an employee into taking actions such as sending unauthorized wire transfers or disclosing sensitive information. AI accelerates these frauds by making them more personalized and credible.

In one of the more well-known examples, in an AI-enhanced CEO fraud in 2024 after the fraudster impersonated Arup Engineering’s CFO and requested a staff member to make several financial transfers. The criminals added credibility to the fraud by using a in which the target recognized many of their colleagues – unfortunately, all of them were deepfakes.

Vector 4: Frauds targeting customers

Where customers are targets, AI provides the scale, speed, and personalization to allow illicit actors to deliver individualized fraud. For example, whereas romance scams previously used repetitive scripts and re-used the same images of the romantic “partner,” fraudsters can now use AI-generated messages, images, or videos, continuously adapting the execution of the scam to the target’s responses and behaviors.

Creating a cross-functional and unified response

The examples above demonstrate the diverse and highly sophisticated uses of AI by illicit actors, both adversary states and criminal networks. Detecting and responding to these illicit activities requires joint action between teams that may not traditionally work closely together.

For example, if an account holder fails to repay a loan, the credit team may consider it to be a default by a legitimate customer and write it off as a credit loss. However, if the account was opened using a synthetic identity, investigation may reveal other accounts that share similar customer data points or transactional patterns. This could reveal a network of accounts that are perpetrating a fraud or money-laundering scheme. To detect and respond effectively, joint action is needed between KYC/CDD on-boarding teams, financial crime investigators, and fraud and credit risk professionals.

Alternatively, for HR teams to effectively identify use of face-swapping videos during a hiring process, knowledge from the organization’s cybersecurity team, especially of deepfake indicators, would be valuable. If a North Korea IT worker is hired and only later identified, cybersecurity and sanctions teams must be involved in the response to mitigate data, network, and compliance exposures.

Detecting and responding to all illicit activities requires joint action between teams that may not traditionally work closely together.

Finally, all staff may be targeted by deepfake fraud, but those in senior positions or departments with financial authority are the most vulnerable. This means it is essential for institutions to deliver employee training using real-life case studies, “near misses,” and scenarios drawn from across the institution and industry. This type of training will increase vigilance and minimize the likelihood of a successful attack.

For customers, financial institutions are well-positioned to identify indicators of fraud due to their extensive datasets of KYC/CDD records, transactional, and behavioral information. Institutions should enhance their customer relationships (as well as meet applicable regulatory requirements) by taking proactive measures to inform and protect their customers.

While AI has accelerated fraud and crime, financial institutions also hold valuable and relevant assets: the knowledge distributed across their cybersecurity, HR, credit risk, financial crime compliance, fraud, and KYC/CDD teams. By connecting these teams together, even in contexts in which these departments have not traditionally been partners, institutions will be well-positioned to protect both themselves and their customers from illicit actors’ sophisticated AI-enabled threats.

You can learn more about the fraud-fighting challenges faced by financial institutions and other organizations here

Key takeaways:

• • • Mandatory compliance mandates are growing — Pillar 2, DAC6, and other real-time reporting mandates are increasing obligations in dozens of jurisdictions today, and those tax departments without the infrastructure to meet these obligations are already behind.

    • Real-time documentation is critical — The window between a transaction occurring and a tax authority scrutinizing it is shrinking to near zero in some markets, meaning that documentation must exist at the moment it is generated, not reconstructed afterward.

    • Data quality is compliance quality — Real-time compliance brings with it heightened pressure to avoid incomplete or inconsistent inputs, because increasingly sophisticated analytics used by tax authorities will find them.

In 2023, a major European manufacturer was hit with a seven-figure penalty not because its tax return was wrong, but because it couldn’t demonstrate how it arrived at the right answer. No documented governance framework, no clear ownership, and no audit trail. The numbers were defensible, but the process wasn’t.

That gap — between getting the right answer and being able to prove it — is where corporate tax risk now lives.

Governments and tax authorities worldwide are to self-report accurately. They are building legal frameworks, digital infrastructure, and enforcement mechanisms to verify compliance in real time. And for tax departments accustomed to managing compliance on their own terms, the window for a comfortable transition is closing fast.

A global tightening

Tax governance requirements are intensifying on multiple fronts. In the United States, for example, the IRS’s Large Business & International division has significantly expanded its compliance campaigns, targeting transfer pricing, research & development (R&D) credits, and multinational structures. Section 174 of the 2017 Tax Cuts and Jobs Act now requires companies to amortize R&D expenditures over five or 15 years depending on where research occurs — a change that many tax departments are still working through while absorbing new obligations on top of it.

Internationally, the pace is faster still. The framework that the Organisation for Economic Co-operation and Development (OECD) created for its base erosion and profit shifting (BEPS) rules has been adopted by more than 135 countries. Pillar 2 — the global 15% minimum corporate tax rate — is already in effect in dozens of jurisdictions and is actively reshaping how multinationals structure their tax affairs. These are not coming changes — they are current ones.

Mandatory disclosure regimes have expanded in parallel. The European Union’s DAC6 directive requires intermediaries and taxpayers to report potentially aggressive cross-border arrangements, with penalties in some member states reaching hundreds of thousands of euros. The United Kingdom’s Senior Accounting Officer regime goes even further, placing personal legal accountability on named senior executives for the adequacy of their company’s tax accounting arrangements. Similar regimes are expanding in Australia, Canada, and Brazil.

These are not isolated experiments. They represent that is not going to reverse any time soon.

The real-time reporting challenge

That means, corporate tax departments must respond to this shift because the traditional audit model — authorities review historical returns and request documentation years later — is being replaced in a growing number of markets. Spain, Hungary, and South Korea already require taxpayers to submit transactional data directly to tax authorities through mandatory electronic systems. The EU’s Value added tax (VAT) in the Digital Age initiative will extend similar requirements across all 27 member states beginning in 2028.

For tax departments, this reporting compression is the central operational challenge of the next five years. A team that once had 12 to 18 months to reconstruct documentation for an audit now needs that documentation to be accurate and defensible at the moment it is generated. That requires a fundamentally different operating model — not just better record-keeping, but automated data capture and real-time reconciliation built into core financial systems — along with the ability to transfer that documentation electronically in real time.

3 actions tax departments must take now

To begin to address this dramatic change, corporate tax departments need to act now, taking steps that include:

1. Building a formal governance framework

Tax departments need written governance frameworks that clearly define what party owns each compliance decision, how decisions are reviewed and approved, and what controls exist to catch errors before filing. This means named ownership of obligations, documented sign-off processes, and regular internal reviews against a compliance calendar.

In the UK, this is already a legal requirement ; and similar standards are emerging in Germany, Australia, and across the EU. A framework should cover at minimum; the ownership of each material filing obligation; the review and approval chain for positions taken; escalation procedures for uncertain tax positions; and a schedule for internal control testing. Without these processes in place, tax departments could face regulatory penalties, personal liability for senior leaders, and reputational damage that may be difficult to recover from.

2. Fixing the data access problem

Tax departments consistently lack reliable, timely access to the financial data they need. This is primarily an organizational problem, not a technology one. Tax functions often sit downstream from finance systems designed without tax requirements in mind — meaning data often arrives aggregated, reclassified, or stripped of the granularity needed for compliance work.

Solving this requires tax leaders such as finance, IT, and business operations — not just to request data, but to influence how that data is captured at its source. That means participating in enterprise resource planning implementations, establishing data requirements for new business lines before they launch, and building direct feeds from source systems rather than relying on manual extracts.

3. Treating data hygiene as a compliance control

Tax authorities in the UK, the Netherlands, Germany, and the US are deploying advanced analytics to identify anomalies in corporate filings. Unexplained variances between statutory accounts and tax returns, inconsistencies in intercompany pricing, or mismatches between VAT and corporate income tax data could all trigger closer scrutiny.

Data hygiene must be treated as a compliance control, not an IT issue. In practice that means establishing reconciliation checkpoints between source data and tax inputs, maintaining documented data lineage so any figure in a return can be traced to its source, and conducting data quality reviews before filing deadlines — not after.

The bottom line

The regulatory trajectory is set, so that means the question for tax leaders whether their department will be ready when tested. Governance, data access, and data quality are no longer back-office concerns — they are the foundation upon which defensible compliance is now built.

Tax department leaders need to build that foundation now, before the examiner asks.

You can find out more about

Key insights:

• • • Define your risk appetite — A clearly defined fraud risk appetite aligns prevention efforts with strategic objectives and ensures accountability by establishing acceptable levels of fraud risk across the organization.

    • Create a fraud-specialized team — Dedicated ownership of the vendors that supply fraud solutions by a fraud-specialized team — rather than by the procurement function — is critical to maximizing technology performance and adapting to emerging threats.

    • Establish a specialized prevention division — The rise of sophisticated scams demands the creation of a separate, specialized prevention division to avoid overburdening core fraud teams and ensure targeted, effective responses.

Corporate fraud represents one of the most significant risks facing organizations today. Yet many companies lack the structured governance and technology infrastructure needed to combat fraud effectively.

The solution requires that comprehensive fraud prevention frameworks be built on clear governance, proper technology deployment, and data-driven insights, according to Aaron Frye, Founder & CEO of Lucid Point Consulting. Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results. These five pillars include:

1. Develop a fraud risk appetite

Effective fraud prevention begins with a well-defined fraud risk appetite that tells the right story to the right stakeholders. Your framework must communicate to your board, executive leadership, and operational teams the level of fraud losses your organization should tolerate, and in which areas you should prioritize fraud prevention investments.

The fraud risk appetite framework must address several key considerations; for example, it should define the level of fraud risk that aligns with the organization’s growth objectives, identify the areas of greatest vulnerability, and evaluate which investments will yield the strongest return. Equally important is the ongoing monitoring and communication of progress through regular reporting on fraud risk metrics, vendor assessments, and investigation outcomes. These actions demonstrate to stakeholders that fraud prevention remains an active priority for the organization and ensures that fraud risk continues to inform organizational decision-making.

2. Establish clear ownership of risk-solution vendors

Many organizations invest significantly in fraud detection tools only to see disappointing returns. The problem often lies not in the tools themselves, but in unclear ownership and accountability for their performance.

Organizations that implement these five pillars create resilient fraud prevention functions capable of identifying and preventing fraud before it impacts results.

If your organization lacks a designated person or team within your fraud strategy function whose job it is to ensure the risk-solution tools you’re getting from vendors are the best for your enterprise, you likely aren’t getting the most out of your vendors. This dedicated fraud service ownership role must act as your internal champion, evaluating vendor performance, staying current with product enhancements, and ensuring integration with other fraud prevention initiatives.

Critically, procurement, sourcing, and vendor management functions should never own this role. These teams, by the nature of their titles and responsibilities, don’t prioritize fraud. They lack the specialized knowledge required to assess whether your fraud detection technology is performing optimally or adapting to emerging threat landscapes. Without dedicated fraud expertise overseeing your technological investments, advanced tools sit underutilized and critical fraud signals go undetected.

3. Develop a fraud governance function

Every organization should have a dedicated fraud risk governance team within its fraud risk management organization. This governance function serves as your second line of defense, working proactively to reduce operational chaos within your fraud strategy, operations, and investigation groups.

If a non-fraud governance function owns fraud governance, you are guaranteed not to be getting the best form of governance. Fraud is a specialized discipline requiring dedicated expertise and focus; and your governance team must develop policies, establish standards, monitor control effectiveness, and ensure consistent application of fraud prevention practices across the enterprise.

4. Document existing risks and resource gaps

One of the most important responsibilities of your fraud governance function is identifying and documenting the areas related to fraud risk that your current fraud risk teams don’t have time to review. Due to capacity constraints, it is impossible for many fraud risk teams to cover all open gaps. Your organization must understand those open gaps and not be ashamed to address them.

Create an action plan that documents open risk and self-identified issues that your current team cannot adequately address. This transparency demonstrates clear-eyed realism about your organization’s limitations and creates the business case for requesting additional resources or engaging external consultants to help close these risk gaps.

5. Address the growing scam-prevention challenge

needs its own prevention strategy division within your fraud risk function. Compromised business email, investment scams, and vendor fraud schemes represent an entirely new category of fraud risk that demands specialized attention.

Every organization should have a dedicated fraud risk governance team that serves as its second line of defense, working proactively to reduce operational chaos within corporate strategy, operations, and investigation groups.

There has never been a full manageable grip on fraud prior to the spike in scams. Therefore, you cannot expect your existing fraud risk teams to tackle a new wave of scams as a priority as well as to manage traditional fraud prevention responsibilities. Your core fraud function manages internal control systems, transaction monitoring, and investigation protocols. Adding comprehensive scam prevention to this workload without dedicated resources guarantees that identifying and preventing scams will receive insufficient attention.

Establish a dedicated scam-prevention division focused specifically on emerging scam threats, employee education, scam-specific prevention technology, and response protocols. This specialized approach ensures sophisticated scam schemes receive the expertise and resources necessary while your core fraud function continues addressing traditional fraud prevention requirements.

Going forward into the fight against fraud

In an era of escalating fraud threats, reactive detection is no longer sufficient. Organizations must adopt a proactive stance grounded in strong governance, clear accountability, and strategic resource allocation.

By defining a fraud risk appetite, assigning ownership of fraud prevention tools, strengthening governance, documenting unaddressed risks, and establishing a dedicated scam prevention function, companies can build resilient, forward-looking fraud prevention frameworks. These five pillars enable organizations to anticipate threats, allocate resources effectively, and protect both financial performance and reputational integrity.

Today, the path to fraud resilience begins not with technology alone, but with deliberate, enterprise-wide commitment to proactive risk management.

You can find out more about ways to

Key insights:

• • • Real-time tax compliance has restructured the tax function — Dozens of nations now require structured invoice data in real time, with the EU mandating cross-border digital reporting by 2030. The traditional file-and-wait audit cycle is gone now, replaced by clearance regimes that can freeze multi-million-dollar invoices for nonconforming data.

    • Regulators have pulled ahead of the businesses they oversee — Tax authorities in mature CTC jurisdictions now arrive at audits with structured transaction data already processed by their own analytics. Government turnaround times that took months now take weeks, forcing multinational tax leaders to compress multi-year roadmaps into 12- and 18-month cycles to keep up.

    • The lessons travel beyond tax — There are two ways to lose this race: Outrun your own controls or surrender entirely. Both showed up in Las Vegas, and both will show up in every other regulated profession over the next decade.

LAS VEGAS — TheĚý sold out. A guest list that included tax directors from Amazon, Walmart, and Procter & Gamble, OpenAI’s tax department, the Big Four, ¶¶ŇőłÉÄę and every other major tax software provider in the market spent three days at the Aria with pool deck, casino floor, and restaurants worth lingering over all a few steps away.

The room had every reason to spend its evenings somewhere else other than a sunless conference room talking about tax. Yet almost no one did. They were too busy grappling with an arms race the corporate audit side had begun to suspect it was losing.

And it’s one they cannot afford to lose.

End of the traditional model

The arms race is real-time tax compliance, and it has dramatically restructured the ground beneath the tax profession in less than a decade. By April, more than 60 jurisdictions have moved or are moving to continuous transaction controls. Italy and Hungary were early; Poland, France, Belgium, Brazil, Saudi Arabia, India, and Singapore are now operational or imminent, and countries like Spain, Germany, the United Kingdom and the United Arab Emirates are on the way. The European Union has locked onto a 2030 deadline for cross-border real-time digital reporting and a 2035 backstop for harmonizing what’s left.

The traditional model — issue an invoice, file a return weeks later, audit when the auditor gets around to it — no longer exists in those jurisdictions. Tax authorities now see the transaction as it happens, validates it in structured form, and pre-fills the return on the taxpayer’s behalf.

What this new process has done to the tax function is fundamentally alter its structure in a way leaves practitioners reeling. The job used to be a craft of Excel, judgment, and institutional memory. Now, at the high end, it has become as much a data science problem as an accounting one.

The arms race is real-time tax compliance, and it has dramatically restructured the ground beneath the tax profession in less than a decade.

Attendees at TEI’s 2026 Tax Technology Seminar polled themselves on tooling, and the answers came back as a list of data pipelines that dozens of attendees seemed to favor: Alteryx, Power Platform, Snowflake, Databricks, Microsoft Fabric, & Palantir Foundry. These platforms are running agentic AI systems against historical filings, deploying validation agents to critique their own outputs, and using AI-driven image-to-text solutions to pull structured data out of state tax notices that never arrive in the same format twice. They are data integration pipelines in 15 minutes that would have sat in an IT queue for two months before being answered.

They have little choice as the stakes are far higher and the challenges far more demanding than they used to be. In a clearance regime, an invoice has no legal force until the tax authority returns its identifier. Did you submit the wrong VAT ID, malformed schema, or mismatched master data? Congratulations! Your invoice is rejected. That means the truck doesn’t move, the buyer doesn’t pay an invoice that may be in the millions of dollars and then the penalties stack on top. Italy, for instance, charges a fee of 70% of the disputed VAT.

And then there are the audits.

Outgunned

The audit isn’t an occasional event anymore. In government jurisdictions with mature continuous-transaction-control tax regimes, it is a conversation that started weeks before the auditor walked in, on data their analytics had already processed.

A speaker on a seminar panel led by Deloitte and ¶¶ŇőłÉÄę described the dynamic plainly: Tax authorities in those jurisdictions have arrived at audits already knowing more about the transactions than the companies and their in-house audit teams sitting across the table. Not because anyone is hiding anything, but because the data arrived at the tax authority in structured form, in real time, and the authority had run its analytics on it before the meeting was even on the calendar. One panelist said this represents “a shift from us preparing returns to us answering notices on the data that’s been shared.”

What the room kept circling around, however, was that regulators have not just kept pace with their counterparties, they’ve now pulled ahead. Singapore, one panelist noted, is doing more with AI than even major companies. Indeed, government turnaround times that used to take months are now closing in weeks, which is forcing multinational tax leaders to compress their multi-year roadmaps into 12- and 18-month cycles — not because they want to but because their counterparties already had.

The lesson that corporate tax functions have been forced to absorb is that there are two ways to lose this race, and both were on display at TEI’s 2026 Tax Technology Seminar as cautionary tales.

This asymmetry is structural, and that is what makes it an arms race rather than a transition. There is no version of this dynamic in which the company being audited wins by being more careful, more thorough, or more well-prepared at the end of the quarter. The advantage now accrues to the side with the fastest and cleanest pipelines, that runs the smartest AI, and that understands the way these increasingly complex systems interact. Increasingly, that winning side is the government. And, more alarming, this isn’t just a problem for this particular industry — tax just happened to get here first. However, it’s coming for everyone.

Two ways to lose

The lesson that corporate tax functions have been forced to absorb is that there are two ways to lose this race, and both were on display at TEI’s 2026 Tax Technology Seminar as cautionary tales. The first is to outrun your own controls. AI coding tools that let a tax analyst build a working data integration pipeline in 15 minutes are genuinely valuable; they also let that same analyst deploy something nobody else has reviewed, documented, or knows how to maintain. An OpenAI panelist conceded the point when an audience member asked about the security implications of vibe coding — clearly, a new capability is also a new problem.

The second way to lose is harder to talk about. One panelist described, to attendees’ general dismay, hearing of companies that have given up on compliance entirely — instead, they pad their numbers with a safety margin and treat the eventual audit as the cheaper of the two costs. The panel recoiled — one member responded with a flat “Do not do this.” However, the anecdote landed because it isn’t theoretical. When the gap between what regulators can see and what your team can produce becomes wide enough, surrender starts to look rational.

Playing to win

Of course, the attendees at TEI’s 2026 Tax Technology Seminar were not surrendering. If they were, they’d have been at the pool deep into their third cocktail. Or they’d have been on the casino floor or were about to catch an afternoon show. Instead, day after day, the tables filled, the exhibit hall ran hot, and the room was buying, listening, and building.

The game has changed and the stakes have risen — and the room is dead set on playing to win.

You can find more ofĚýour coverage of Tax Executives Institute events here

Key insights:

• • • Prediction markets sit in a regulatory gray zone — Prediction markets’ economic function often looks much closer to gambling than traditional finance.

    • That ambiguity creates an AML blind spot — This blind spot allows potentially weaker controls around KYC, source of funds, sanctions screening, and suspicious activity reporting.

    • Banks and payment processors should focus on actual risk, not labels — Reputational, legal, and financial crime risk exposure can arise long before regulators clarify the rules.

Prediction markets have grown into a multi-billion-dollar ecosystem, offering the ability to enter into a contract to predict the outcomes on everything from elections and sports games to economic data and weather events. Yet as these platforms expand, they operate in a regulatory gray zone that raises serious questions for banks, payment processors, and compliance professionals.

Yet, the classification question that regulators and financial institutions continue to debate is not merely academic. It determines whether prediction market platforms will face the same anti-money laundering (AML) and know-your-customer (KYC) obligations as casinos and sportsbook venues, or whether prediction markets can continue to operate with minimal compliance oversight. This distinction has real consequences for the financial system.

“Prediction markets are not just a classification problem, they represent a structural gap in how financial crime risk is currently understood and managed,” says James Lephew, Founder & CEO of , a Charlotte-based consulting firm that serves major gambling operators and financial institutions globally.

Clarification is required in classifying this sector

Prediction markets occupy an ambiguous middle ground. Market operators position their platforms as financial derivatives or forecasting tools rather than gambling venues, emphasizing price discovery and statistical analysis over chance-based wagering. A contract on the outcome of a presidential election or a sports event, they argue, reflects crowd-sourced probability estimates grounded in information aggregation, not gambling luck.

Yet the fundamental mechanics raise legitimate questions. A user who buys a contract predicting that a candidate will lose an election is, in economic terms, wagering money on an uncertain outcome. The distinction between betting on a football game and trading a contract on the outcome of that same game becomes difficult to defend from a regulatory standpoint — and this classification matters enormously.

The distinction between betting on a football game and trading a contract on the outcome of that same game becomes difficult to defend from a regulatory standpoint — and this classification matters enormously.

If prediction markets are treated as gaming operations, they trigger Title 31 obligations under the Bank Secrecy Act, including currency transaction reporting, suspicious activity reporting (SAR) requirements, and comprehensive KYC procedures. If on the other hand, prediction markets are classified more akin to financial markets, these requirements may not apply. Currently, many prediction market platforms claim financial market status, allowing them to operate outside gaming regulations and with potentially weaker AML controls.

There is a compliance gap

Without clear regulatory classification, prediction markets create a significant AML blind spot. Casinos must report cash transactions exceeding $10,000, conduct source-of-funds reviews, and maintain detailed customer profiles. Sportsbooks face licensing requirements, geolocation checks, and responsible-gaming safeguards. Prediction market platforms, by contrast, often operate with minimal reporting obligations.

This gap introduces concrete risks. Digital wallets and cryptocurrency channels can obscure the source of funds. Structuring and layering of sources become easier without robust verification, further clouding who exactly playing in these markets. Collusive trading through multiple accounts allows value transfer that may go undetected. And VPN use and foreign payment channels can enable sanctions evasion.

Further, without mandatory SAR reporting, suspicious patterns tied to money laundering, terrorist financing, or market manipulation may never reach law enforcement.

“What we’re seeing is an AML blind spot,” says Lephew. “Platforms enabling financial flows with characteristics of gambling, but without the controls that regulators would normally expect.” Until classification catches up with the technology, he adds, this blind spot remains open — and exploitable.

Why this matters for banks and processors

Banks and payment processors that support prediction market platforms may carry significant reputational and legal risk if they haven’t conducted thorough due diligence — and they cannot rely on a platform’s self-classification as a financial market or forecasting tool. Nevada and other jurisdictions are actively examining whether these platforms constitute gambling, echoing concerns from the American Gaming Association that products carrying similar economic risks deserve similar regulatory treatment.

If a product allows participants to wager on uncertain outcomes and creates risk that is substantially similar to gambling, it should face AML and customer identification requirements proportionate to that risk.

“Risk must be assessed based on how the product actually behaves, not how it is marketed,” Lephew explains. And that means evaluating whether a platform applies robust KYC procedures, verifies the source of deposits and beneficial ownership, screens against sanctions lists, reports SARs to the government, prohibits contracts on high-risk events such as assassinations or terrorism, and uses geolocation controls to block users in restrictive jurisdictions. Those answers matter far more than whatever label the platform chooses, Lephew says.

The path forward

Regulators have several options. One approach applies gaming regulations uniformly, treating all prediction markets with economic characteristics similar to gambling as gaming operations subject to Title 31. A second approach creates explicit financial market classification with statutory AML obligations and enhanced scrutiny of high-risk contracts. A third option adopts a tiered or risk-based framework, classifying contracts on lower-risk events such as economic data or weather under financial market rules, while sports and election markets could face enhanced scrutiny. Violent outcome markets would be prohibited entirely.

Regardless of which path regulators choose, the principle should be the same: Classification should follow economic function. If a product allows participants to wager on uncertain outcomes and creates risk that is substantially similar to gambling, it should face AML and customer identification requirements proportionate to that risk.

Financial institutions should not wait for regulatory clarity. They should apply rigorous due diligence now, treating prediction markets with a heightened level of scrutiny appropriate to their actual risk profile rather than their claimed legal status.

The goal is not to eliminate prediction markets, but to ensure they operate within a framework that prevents money laundering, terrorist financing, and market abuse. “If it looks like gambling, behaves like gambling, and carries the same financial crime risk, it should be regulated accordingly,” Lephew notes. “Anything less creates systemic exposure.”

You can find out more about the challenges financial institutions face in their anti-money laundering efforts here

Key insights:

• • • Protecting SNAP requires modernization and accountability — This includes providing chip-enabled cards, stronger monitoring, recipient education, retailer oversight, cross-agency coordination, and fair reimbursement for victims.

    • Skimming is a growing problem — In the context of financial fraud, skimming refers to the illegal capture of personal data, typically through concealed electronic devices placed over legitimate card readers.

    • The harm can be immediate and severe — If their food benefits are stolen through skimming, vulnerable households can lose essential food funds, deepening food insecurity in their community.

Electronic Benefit Transfer (EBT) cards serve as a critical resource for the millions of Americans who depend on the nation’s Supplemental Nutrition Assistance Program (SNAP) to keep food on the table. The typical SNAP household is low-income and often includes children, seniors, or individuals with disabilities, who have earnings that fall at or below the federal poverty level. Based on household size, income, and other qualifying factors, these families receive monthly monetary assistance to help cover basic nutritional needs at authorized retailers.

Think of an EBT card as a debit card specifically designed for food benefits. Recipients use it to access their monthly balance at approved stores, making the process straightforward and dignified. However, like any electronic payment system, EBT is not immune to exploitation. One of the most pressing threats is a type of fraud known as skimming, which puts vulnerable households at serious financial risk.

What is EBT skimming?

Skimming, in the context of financial fraud, refers to the illegal capture of personal data, typically through concealed electronic devices that are placed over legitimate card readers. In the case of EBT fraud, criminals generally install tampered card terminals to steal EBT card information, including account numbers and PINs.

Unlike most modern credit and debit cards, EBT cards still rely on magnetic stripe technology, not more secure embedded chips. This outdated system makes them especially vulnerable to cloning, or the creation of counterfeit cards that contain the victim’s account number and PIN. Once a thief captures the data, they can create these counterfeit cards and drain benefits almost immediately, often within minutes of the monthly benefit deposit.

The result is that much needed food benefits, meant to last an entire month, are stolen without warning or recourse.

Why is EBT skimming so devastating

The consequences of EBT skimming go far beyond financial loss. For recipients, the theft of SNAP benefits can have immediate and severe impacts on their household food security and well-being. Other reasons why this form of fraud is particularly harmful include:

• • • Irreplaceable funds — For low-income households, SNAP benefits represent a critical portion of their monthly food budget. Once stolen, these funds are often impossible to replace. Families may be forced to skip meals, rely on emergency food pantries, or divert money from other essential needs like rent or medicine.
    • Outdated security technology — Despite advances in payment security, most EBT cards still use magnetic stripes, which can be easily copied with inexpensive skimming devices. By contrast, EMV chip technology, standard on most consumer credit and debit cards, makes cloning significantly more difficult.
    • Speed and precision of theft — Thieves often time their attacks to coincide with the monthly benefit deposit cycle. Once benefits are loaded, stolen card data is used rapidly, sometimes within minutes, making recovery nearly impossible.
    • Targeting vulnerable populations — EBT skimming preys on some of the most vulnerable members of society, including seniors, disabled individuals, and families living paycheck to paycheck. Many recipients may not have the resources or knowledge to monitor account activity regularly or to lock their cards after use, leaving them at greater risk.

Beyond skimming: A broader challenge of fraud, waste & abuse

While skimming is a serious and visible form of EBT fraud, it is only one symptom of a larger systemic challenge that fraud, waste & abuse cause in federal benefit programs.

Other forms of fraud include: retailers trafficking in EBT benefits for cash, which is a violation of SNAP rules; misrepresentation of income or household size during application; duplicate or ineligible benefit issuance; and administrative errors that lead to overpayments.

Each instance, whether intentional or not, erodes public trust in the entire benefit system, strains limited program budgets, and diverts resources from those individuals who need them most.

With federal funding for social programs under constant scrutiny and subject to periodic budget constraints, it is imperative that every dollar is protected and used appropriately. Preventing fraud is not just about saving money — it’s about ensuring that limited public resources serve their intended purposes of reducing hunger and supporting economic stability.

How to prevent fraud, waste & abuse in SNAP

Addressing EBT skimming and broader program vulnerabilities requires a well-rounded strategy that features technology, policy, education, and oversight working together.

On the technology side, one of the most impactful steps forward would be transitioning EBT cards from outdated magnetic stripes to EMV chip technology. This upgrade alone would significantly reduce skimming risks, and federal investment in that infrastructure is a necessary part of making it happen. Alongside that, state and federal agencies should be leveraging data analytics and real-time transaction monitoring to flag suspicious activity, like multiple withdrawals across different locations within a short window of time.

Education also plays a bigger role than many people realize. A large portion of EBT users simply do not know how to protect themselves. Basic habits like covering the keypad when entering a PIN, routinely checking account balances, and reporting lost or stolen cards right away can go a long way in reducing exposure.

One of the most pressing threats is a type of fraud known as skimming, which puts vulnerable households at serious financial risk.

From an oversight perspective, the U.S. Department of Agriculture — the government agency that oversees SNAP — and state agencies need to conduct regular audits of authorized retailers and hold them accountable. Any retailer found engaging in trafficking or enabling skimming should face deauthorization and legal consequences as well. Equally important is making sure that victims of confirmed fraud are not left without recourse. Clear and consistent policies for replacing stolen benefits can help restore trust in the program and prevent the food insecurity that this type of fraud directly causes.

Finally, none of this works in isolation. Effective fraud prevention depends on strong coordination between state human services departments, law enforcement, financial institutions, and technology providers. Information sharing and joint task forces strengthen the ability to detect threats early and respond quickly when issues arise.

Protecting the safety net

SNAP is one of the nation’s most effective tools in the fight against hunger. However, its success depends on both integrity and accessibility. Skimming and other forms of fraud not only steal from individuals, but they also undermine confidence in the entire system.

Policymakers, administrators, and citizens must prioritize modernization, accountability, and victim protection. By addressing vulnerabilities like EBT skimming and reinforcing safeguards against waste and abuse, we can ensure that SNAP remains a reliable and secure resource for the millions of individuals who rely on it.

You can find out more about how public agencies are working to fight fraud in government benefit programs here

Key insights:

• • • Conflict of interest doesn’t start with bad intent — Often, conflict of interest starts with tenure, trust, and relationships that slowly blur the line between good judgment and personal interest.

    • The real exposure isn’t the fraud itself — The real damage from conflict of interest can be years of skewed vendor decisions, above-market pricing, and lost competitive ground.

    • Companies shouldn’t treat conflict of interest as a disclosure problem — Companies would do well to remember that often conflict of interest is really a data and systems problem.

His access logs were clean, so it took weeks to find out what actually happened. He had been borrowing colleagues’ IT logins, who had handed them over without much thought, even though they knew it broke policy. They just didn’t think it mattered. He used those logins to steer million-dollar contracts to selected vendors who were paying him kickbacks.

The company’s conflict of interest policy existed, and people had signed it. Yet, nobody checked whether anyone followed it. And this scheme wasn’t even caught internally. Fortunately, someone outside found it.

This gap between knowing something is wrong and believing it matters — that’s where conflict of interest lives.

The financial exposure goes well beyond the kickback itself

The kickback that was paid to an insider is not the real cost to the company. The real cost is what happens while nobody is looking. As a result of this fraud, this company didn’t even know they were experiencing years of sourcing decisions that were shaped by hidden interests, vendors who never got a fair shot, and pricing that stayed above market price because the person managing the relationship had a reason to keep it there.

Throughout many industries, the numbers back this up. The from the Association of Certified Fraud Examiners (ACFE) found corruption in almost half (48%) of all fraud cases. Median loss for corruption schemes was around $200,000, and the average scheme run for about 12 months before anyone catches on. Not surprisingly, 87% of conflict-of-interest fraud perpetrators had no prior criminal record. Indeed, they were trusted employees, not career criminals.

What makes this worse is that most organizations have no reliable way to catch it. Across industry guidance, compliance publications, and professional forums, a consistent picture emerges: The majority of organizations rely entirely on disclosure forms and self-reporting to manage conflicts of interest. Leading compliance expert, Rebecca Walker has publicly admitted that — and even though the tools exist, almost nobody is using them.

The statistics, however, only capture what gets caught. The psychology of how it starts is harder to measure — and more important to understand. Conflict of interest rarely begins with a plan to steal. Rather, it starts with tenure, trust, and relationships that make someone hard to replace. Over time, the line between good judgment and personal interest doesn’t get crossed, it just disappears.

Taking a more structured approach

Most companies rely on disclosure forms, ethics training, and a code of conduct. They want to tell people what a conflict looks like, ask them to report it, and assume they will. Too often, they won’t.

Disclosure forms ask employees to self-report behavior they often don’t recognize as problematic, and those who do recognize it worry they’ll be investigated or treated unfairly themselves. They’ve watched junior staff held to strict standards while senior leaders get a pass. Unfortunately, that teaches everyone the same lesson: Stay quiet. When 85% of companies with a code of conduct still have fraud at this scale, the problem is not what people know, rather it’s how the program is built.

These failures point to three specific gaps in how most organizations approach conflict of interest: i) how they gather information; ii) how they monitor risk; and iii) how they receive reports. A structured framework — one based on concepts of design, detect, and deploy — can address each one of these gaps directly, with each component being measurable in financial terms.

Design: Are you collecting facts or asking people to confess?

Take a look at how you approach employees around conflict-of-interest issues. Are you seeking information or just generally hoping the employee admits wrongdoing, even inadvertently. A better approach could be to ask specific questions: How long has the employee worked with this vendor? Can the employee award contracts to them? Does the employee have any ownership stake in a company on the approved vendor list?

Let the employee give the facts and then let the system make the call. When you separate sharing information from being judged for it, people actually share and you get better data. And better data means better procurement decisions. That is not a compliance win — that’s a business win.

Detect: Are you looking for conflicts or hoping someone speaks up?

Run your vendor list against your employee records and flag matching addresses, phone numbers, and bank accounts. Check public registries for shared directors between your staff and your suppliers. Look at who has been awarding contracts in the same role for years without rotating, and managers who keep hiring from former employers.

Any company with an ERP system and an HR database can run these checks quarterly. And ACFE data underscores the value in taking the proactive approach: On average, companies using automated transaction monitoring catch fraud within six months and lose about $83,000; and companies that wait for law enforcement to alert them to the fraud take 24 months and lose $675,000.

Deploy: Is your hotline a business tool or a poster on a wall?

Tips catch 43% of all fraud — more than audits, management reviews, and law enforcement combined. Companies with hotlines lose $100,000 in median fraud; but companies without them lose $200,000. A working tips hotline can cut your losses in half.

However, most hotlines are not functioning as intended. They exist on paper without the visibility, trust, or independence required to generate reliable reports. For example, a senior executive was steering contracts to his own associates. And even though a company hotline existed, the executive actually sat on the committee that received the reports. The tool was built to catch misconduct and was working properly, yet it was controlled by the person committing the fraud. The matter had to be escalated outside normal channels, and the senior executive was eventually fired for cause.

Almost half (46%) of employees who report misconduct face retaliation, according to the , from the nonprofit Ethics and Compliance Initiative. When that is the outcome, silence becomes the rational choice. If you want your hotline to work, promote it every quarter. Show people what was reported and what happened because of it. Make sure no single person can block or read a report before it reaches the right people. Being that proactive around your hotline will give employees proof that the system protects them.

Is it worth the investment?

Of course, the question is not whether your company has a conflict-of-interest policy, it most likely does. Rather, the question is whether you would know if someone were breaking it right now.

Companies that design better fact-gathering, detect through monitoring, and deploy trusted reporting can do more than catch fraud early. They can buy from better vendors, compete on fairer pricing, protect their board from liability, and build a culture in which raising a red flag is seen as protecting the business.

If the honest answer is that you would not know if someone was violating your company’s conflict of interest policy, then business case for being more proactive has already been made.

You can find more about how companies can best manage business fraud here

Key insights:

• • • Getting at the core legal question — In a case brought by defendant Ongkaruck Sripetch, the Supreme Court is deciding whether the SEC must prove investors suffered measurable financial loss before courts can order disgorgement, which would require fraudsters to give up illegal profits.

    • Why it’s high-stakes — Disgorgement is a major SEC enforcement tool — representing billions of dollars annually — so a new requirement to prove investor losses could sharply limit when and how much the SEC can recover.

    • How the justices seemed to lean (so far) — Questions at the argument before the Court suggested skepticism toward Sripetch’s position, with several justices asking why it would be an unfair penalty to take back ill-gotten gains and noting the practical difficulty of proving each investor’s exact loss.

If you’ve ever wondered how the U.S. Securities and Exchange Commission (SEC) actually gets money back after it catches a fraudster, one of its biggest tools, disgorgement, is now under the microscope. This week, the U.S. Supreme Court heard arguments in a case, Sripetch v. SEC, that sounds technical on paper but has at its core a simple question: When the SEC makes a fraudster give up illegal profits, does it have to prove that investors suffered measurable, out-of-pocket losses first?

The case centers on Ongkaruck Sripetch, who the SEC says pocketed illicit proceeds through a classic pump-and-dump scheme from 2013 to 2017. Pump-and-dumps often involve penny stocks in which a person will hype up the price of these thinly traded stocks, then sell into the price spike they caused and walk away richer. Other stock traders who bought into the hype are the ones left holding the bag.

Sripetch admitted violating securities law and, in his subsequent criminal case, was sentenced to 21 months in prison. Separately, in the SEC’s civil action, a federal court in California ordered Sripetch to repay more than $3 million in ill-gotten gains plus interest.

The Supreme Court case isn’t a serious argument against the SEC’s ability to seek disgorgement — numerous courts have recognized the remedy for years, and Congress has since written the SEC’s ability to pursue it into federal law. The core question in the case is narrower, yet crucial for the SEC’s mission. It asks whether the SEC must show that victims suffered pecuniary or economic harm before a court can order disgorgement. Federal appeals courts have split on that point, which is why the Supreme Court agreed to take the case.

What is disgorgement, exactly?

Think of disgorgement as a legal give it back order. If a person or company makes money by breaking the securities laws — say by manipulating prices, lying to investors, or running a Ponzi-style scheme — disgorgement is designed to strip the profits away from that wrongdoing and the wrongdoers. In theory, it’s not about punishing someone for being bad, rather it’s about making sure crime doesn’t pay.

In real markets, harm can be scattered across thousands of trades, mixed up with normal price swings, and hard to trace to one bad actor. Disgorgement, on the other hand, gives securities regulators a way to focus on the part that’s often the clearest: How much ill-gotten profit the fraudster made.

Indeed, that not a punishment framing is important because the SEC has other ways to punish those convicted of securities law violations — such as civil penalties, disbarment from serving as an officer or director, industry suspensions, and more. Disgorgement is supposed to be different — an action that aims at profits, not pain. The government’s position in the Sripetch case puts it bluntly: Disgorgement is meant to strip ill-gotten gains from wrongdoers, not to compensate victims for their losses.

And disgorgement is not a niche tool. The SEC regularly collects big sums of seized money through disgorgement. According to recent figures, the SEC obtained about $1.4 billion through disgorgement in fiscal 2025 (excluding certain amounts), and $6.1 billion the year before, which represented nearly three-quarters of its total financial penalties for that year.

Those numbers may help explain why this Supreme Court fight is being watched so closely: The outcome could either keep the SEC’s playbook intact or force it to do a lot more legwork before it can ask courts to order payback.

The arguments before the Court

Earlier this week, both sides argued before the Supreme Court as to the potential future use of disgorgement and what requirements the SEC might have to meet when requesting court to order it.

Sripetch’s argument — Lawyers for Sripetch told the Court that the SEC shouldn’t be able to get disgorgement unless it can show that investors actually suffered financial harm, such as a price drop caused by the fraud or some other measurable loss. If the SEC can’t prove that kind of harm, the lawyer argues, then making Sripetch pay money looks less like giving it back and more like an impermissible penalty that the SEC is not allowed to levy.

The government’s argument — Lawyers for the U.S. Justice Department, defending the SEC, said the proof-of-loss requirement makes no sense. Disgorgement, in their view, is about the defendant’s gains, not the victim’s losses. One government lawyer summed it up as a straightforward principle: Disgorgement is intended to ensure a defendant does not profit from their own wrongdoing.

At this week’s argument, the justices sounded (at least generally) more sympathetic to the government than to Sripetch. Justice Amy Coney Barrett pressed the defense on its basic logic: If the court is only taking away ill-gotten gains — money the wrongdoer was never entitled to — why is that a penalty at all? Justice Ketanji Brown Jackson made a similar point, suggesting disgorgement would only feel like punishment when someone is forced to pay money that was rightfully theirs.

When Sripetch’s lawyer suggested the SEC should have to identify and prove each victim’s dollar loss, Justice Sonia Sotomayor’s response was basically, Why would anyone bother? If the SEC has to run a mini-trial on every investor’s exact harm just to reclaim the fraudster’s profits, disgorgement would be unworkable in many cases.

The practicality of that point is a big deal in securities fraud. In real markets, harm can be scattered across thousands of trades, mixed up with normal price swings, and hard to trace to one bad actor. Disgorgement, on the other hand, gives securities regulators a way to focus on the part that’s often the clearest: How much ill-gotten profit the fraudster made. The idea is deterrence-by-math — if you can’t keep the profits, the incentive to run the scheme shrinks.

The Supreme Court’s ruling, when it comes, could re-shape how the SEC negotiates settlements, litigates fraud cases, and talks about remedies and punishments going forward.

Still, some justices raised broader concerns about how disgorgement gets used in the real world, such as whether certain applications start to look punitive, or whether they raise questions about a defendant’s right to a trial by jury. However, the Court also seemed interested in deciding only the question of the requirement to prove victims’ losses and leaving those bigger constitutional debates for another day.

Why this matters (even if you aren’t the SEC)

If the Supreme Court agrees with Sripetch and requires proof of investor pecuniary harm, the SEC could face a higher hurdle in cases in which misconduct is real, but losses are tough to quantify on a trade-by-trade basis. That could mean fewer disgorgement awards, smaller ones, or more pressure to rely on classic penalties instead.

If the Court backs the government, however, disgorgement stays what it has largely been — a fast, flexible way to reclaim profits from securities fraud and a core part of how the SEC tries to keep the securities markets honest.

Either way, the ruling will shape how the SEC negotiates settlements, litigates fraud cases, and talks about remedies and punishments going forward. With the Court expected to issue its decision by the end of June, securities lawyers and stock market mavens will be keeping an eye on this case.

You can find more about the challenges facing the SEC here

Key insights:

• • • SAR volume is significantly underreported — Continuing and amended filings add approximately 20% to the official count yet remain invisible in trend analyses.

    • Filing activity is highly concentrated — A few large financial institutions dominate SARs volume, meaning trends reflect their practices more than systemic changes.

    • Agentic AI will drive a surge in SARs — Agentic AI risks increased noise over actionable intelligence, without addressing the unresolved question of whether current filings yield meaningful law enforcement outcomes.

The Suspicious Activity Reports (SAR) that financial institutions file with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) provide valuable insight, although they may not offer a comprehensive picture.

Prior to meaningful discussions regarding the future of SARs, it is essential for the financial crime community to clarify what is being measured. In 2025, for example, SAR filings of more than 4.1 million, representing an almost 8% increase compared to the total number of SARs filed in 2024.

Every figure FinCEN has published reflects original SARs only. Continuing activity SARs, which represent roughly 15% of all filings, are submitted under the original Bank Secrecy Act (BSA) identification number and never appear as new filings. Corrected and amended SARs add another 5% on top of that. This makes the real volume of SARs activity approximately 20% higher than what is reported.

The average community bank files fewer than one SAR a week, while the largest institutions file more than 500 a day.

Recent FinCEN guidance giving financial institutions more flexibility around continuing activity SARs sounds significant on paper, but as former Wells Fargo BSA/AML chief Jim Richards points out: “It won’t change the reported numbers — because those filings were never counted to begin with.” Financial crime professionals need to keep that gap in mind every time a trend line gets cited.

2025 was steady, not spectacular

There were roughly 300,000 SARs filed every single month of 2025, and the most notable thing is that nothing notable happened. That is likely a first on the volume side and worth acknowledging, but beyond that milestone the year did not hand financial crime professionals anything noteworthy. In a space that has dealt with pandemic distortions, crypto chaos, and fraud spikes that seemed to come out of nowhere, steady volume and predictable patterns are a little surprising. A quiet data set, however, is not the same as a quiet landscape, and financial crime professionals who are reading stability as stagnation may find themselves flat-footed when the numbers start moving again.

For example, one of the most underleveraged insights in the SARs space is just how concentrated filing activity really is. The numbers are stark: The top four banks file more SARs in a single day than 80% of the rest of the banks file in 10 years, according to 2019 data from a .

The average community bank files fewer than one SAR a week, while the largest institutions file more than 500 a day. “50 a year versus 500 a day,” notes Wells Fargo’s Richards, adding that such asymmetry has real implications for how the financial industry interprets trends. Meaningful movement in SARs data, up or down, is almost entirely dependent on what a handful of mega-institutions decide to do.

Not surprisingly, money services businesses (MSBs) are the second largest filing category, and virtual currency exchanges are almost certainly driving recent growth there, even if outdated category definitions make that difficult to confirm directly. Credit unions round out the top three.

The filing philosophy hasn’t changed and shouldn’t

Regulatory noise occasionally suggests that institutions should be more selective about what they file. However, compliance and legal reality have not shifted. No institution has ever faced serious consequences for filing too many SARs, and the cases that result in enforcement actions, reputational damage, and regulatory scrutiny are consistently about missed filings or late ones.

“You’re not going to get in trouble from filing too much,” Richards says. “Nobody ever has, and I doubt if anyone ever will.” For financial crime professionals, the calculus remains exactly what it has always been — when in doubt, file. That posture isn’t going to change, and frankly it shouldn’t.

Yet, here is where the SARs space gets genuinely interesting. Agentic AI use in SARs filings — systems in which multiple AI agents work through a case from screening to decision to documentation — is beginning to move from concept to deployment. The impact on filing volume likely will be significant.

The risk is a system flooded with AI-generated SARs of variable quality, creating more noise for law enforcement to sort through rather than sharper intelligence to act upon.

Whereas a small team today might work through a handful of cases a week, AI-assisted workflows could push that into the dozens. Multiply that across institutions already inclined to file rather than miss something, and the result is a coming surge in SARs volume that could play out over the next two to four years.

“Agentic AI has the potential to be a game changer on how we do our work,” Richards explains. “But I believe it’ll guarantee that there will be more SARs filed and not necessarily better and fewer SARs filed.” Indeed, the critical point for the financial crime community to internalize is exactly that.

The risk is a system flooded with AI-generated SARs of variable quality, creating more noise for law enforcement to sort through rather than sharper intelligence to act upon. Once the largest institutions adopt agentic AI as a best practice, others will follow quickly, and regulators will likely be several steps behind.

The value question can’t wait

The has been in place since 2014. Yet after 12 years of filings, the financial crime community still lacks a clear public accounting of whether that data has produced actionable law enforcement outcomes.

So, the question Richards is asking is one the entire industry should be asking: “Has anybody asked law enforcement?”

This question reflects a larger challenge that the industry needs to confront more aggressively, especially as AI technology is set to dramatically increase filing volume across the board. Increasing the volume without improving how the information is used does not represent progress. If SARs are not generating real investigative value, the solution is not to file more of them faster — instead, the pipeline should be fixed before it grows any bigger.

You can find more about the challenges that financial institutions face in managing SARs here

• • • The ceasefire is between the US and Iran and is not a regional peace —ĚýIsrael launched its heaviest strikes yet on Lebanon within hours of the announced deal. Iran hit oil infrastructure in Kuwait, the UAE, Bahrain, and Saudi Arabia — including the East-West Pipeline, the primary route for bypassing the Strait of Hormuz. Companies planning around a return to normal should instead plan around the idea that the war has narrowed, not ended.

    • If the disruption stays within one quarter, the economic damage is painful but reversible — The Dallas Fed projects WTI oil at roughly $98 per barrel with a modest GDP hit in a short-closure scenario. The catastrophic scenario — WTI above $132 with sustained negative growth — requires the closure of the war to drag past Q2. Every week the ceasefire holds improves the odds, but Iran’s strike on the Saudi bypass pipeline complicates even the optimistic timeline.

    • Iran may have stumbled into the most lucrative chokepoint tax in modern history — At conservative estimates, transit fees charged for traversing the Strait of Hormuz could generate $40 billion to $50 billion for Iran annually, or roughly 10% to 15% of Iran’s pre-war GDP — all at near-zero operating cost. That revenue stream inverts Tehran’s incentives. Indeed, keeping the toll system in place may now be worth more than restoring free transit.

On April 7, less than two hours before a self-imposed deadline that threatened the destruction of Iran’s civilian infrastructure, President Donald J. Trump announced a two-week ceasefire in the war in Iran that began on the last day of February and continued over 38 days of sustained air strikes by the Unites States and Israel. In turn, Iran carried out retaliatory attacks across over a dozen countries and forced the effective closure of the Strait of Hormuz.

With the ceasefire, all that has paused. Yet, the question every boardroom, general counsel’s office, and procurement team is asking right now is simple: How can I plan around this?

The honest answer is, not yet — and the first 24 hours have already shown why.

A fragile, but functional peace

The ceasefire is remarkably thin, and it’s based on three operative clauses: i) the US and Israel halt strikes on Iran; ii) Iran halts retaliatory attacks on the US and Israel; and iii) Iran allows “safe passage” through the Strait of Hormuz. Everything else — from nuclear terms, sanctions, reconstruction, and the legal status of Hormuz transit — has been punted to negotiations in Islamabad beginning April 10, with Pakistan mediating.

With the ceasefire, the question every boardroom, general counsel’s office, and procurement team is asking right now is simple: “How can I plan around this?”

However, what the ceasefire covers matters less than what it doesn’t. Within hours of the announcement, Israel launched its heaviest strikes yet on Lebanon, and Iran warned it would withdraw from the ceasefire if attacks on Lebanon continue. Meanwhile, Kuwait, the UAE, and Bahrain all reported fresh Iranian missile and drone strikes targeting oil, power, and desalination infrastructure after the ceasefire was in place. Most critically, Iran struck Saudi Arabia’s East-West Pipeline, the main route by which Gulf producers have been rerouting oil to bypass the blockaded strait.

That pipeline strike should command attention in every supply chain and energy risk briefing this week because it signals how shaky the agreement is, and that Iran remains a long-term threat to vital infrastructure across the region.

For companies operating in or sourcing from the Gulf, the practical implications are immediate. This is not a ceasefire that restores pre-war operating conditions; rather it is a bilateral pause between two belligerents while the regional war continues around them. Insurance premiums, shipping risk assessments, and supply chain contingency plans should reflect that distinction until there is a meaningful shift.

What does this mean for the next two weeks?

Both sides are claiming victory — and increasingly, claiming different deals. Trump called Iran’s 10-point proposal “a workable basis on which to negotiate”; and Iran’s Supreme National Security Council called the ceasefire a “crushing defeat” for Washington. The White House now says the 10-point plan Iran is publicly circulating differs from the terms that were actually negotiated for the ceasefire. Tehran, meanwhile, says there is no deal at all if Lebanon isn’t included — a condition the US has not acknowledged. And of course, the Strait of Hormuz remains closed.

These are not the hallmarks of a stable agreement; but they may be the hallmarks of a durable one. The deal is thin enough so that each side can brief its domestic audience on a different story, and as long as neither is forced to reconcile those stories publicly, the pause holds.

And the incentives to keep talking are asymmetric but real. The US has watched gas prices surge past $4 nationally as domestic support for the war — which started at levels best described as in a hole — continued to drop even further. Goldman Sachs raised its recession probability to 30% and JPMorgan to 35%, and every day the strait stays closed pushes those numbers higher. The administration needs the global economy to exhale and needs distance itself from a war so it can focus on other priorities, including an already difficult midterm election cycle.

With the ceasefire, all that has paused. Yet, the question every boardroom, general counsel’s office, and procurement team is asking right now is simple: How can I plan around this?

Iran, for its part, wants the bombing to stop. Its conventional navy has been functionally destroyed, its air defenses are highly degraded, its nuclear facilities have sustained severe damage, and its cities, bridges, and transportation networks have been hit repeatedly. The regime survived and arguably emerged with greater domestic legitimacy than it had before the war, but the physical toll is mounting. Tehran wants the strikes to stop so it can claim victory by survival without incurring any more costs.

This mutual exhaustion is the load-bearing structure of the ceasefire. If the ceasefire holds for 72 hours (as I think it might), and if the strait begins opening to escorted traffic by Friday as Iranian officials have signaled, and if neither side finds a reason to walk away before the Islamabad talks convene, then the ceasefire will likely be extended. Not because the underlying disputes get resolved, but because the cost of resuming hostilities exceeds the cost of continuing to talk. Expect a rolling series of extensions, probably 30 to 45 days at a time, that resolve nothing while letting global markets gradually stabilize.

As we wrote earlier this month, if the disruption remains limited to roughly one quarter, the oil price shock is painful but reversible, ugly, but manageable. And every week the ceasefire holds pushes the trajectory toward the manageable scenario.

What happens after the ceasefire?

Again, if the ceasefire holds, we then have to start thinking about how this conflict resolves. Not surprisingly, this is where it gets uncomfortable.

The conventional assumption in Washington and in global markets is that the Strait of Hormuz will return to normal once the fighting stops. That assumption underestimates what Iran has built.

Iran’s parliament is working to pass a Strait of Hormuz Management Plan, codifying its claimed sovereignty over strait transit and establishing a legal framework for collecting toll fees. Media reports indicate Iran has been charging vessels between $1 million and $2 million per transit and is planning to keep charging those tolls for all ships as the strait reopens. So, at $1 million per ship, and with up to 135 transits per day, 365 days a year, that’s about $40 billion to $50 billion in annual revenue for Iran, or up to 15% of Iran’s pre-war GDP. All at an operating cost that approaches zero.

Iran didn’t enter this war planning to build the most lucrative chokepoint tax in modern history, but it may have stumbled into exactly that.

Compare that to Iran’s oil sector, which generated approximately $53 billion annually in 2022 and 2023, required massive capital investment and maintenance, and was subject to constant disruption. The toll revenue is comparable in scale, dramatically cheaper to operate, and immune to sanctions. If the final number is even a fraction of this, it’s still a massive financial shot in the arm for Iran that could become a far greater advantage than the damage to capital that the war has inflicted upon the state.

Iran didn’t enter this war planning to build the most lucrative chokepoint tax in modern history, but it may have stumbled into exactly that.

Of course, this changes the structural incentives around the Strait of Hormuz in ways most analysts haven’t fully absorbed. A permanent toll system gives Iran a revenue base to rebuild the military assets it lost, reduce its dependence on oil exports, and fund domestic investment that could blunt future protest movements. The regime’s cost-benefit calculus has inverted: Keeping the toll operational in place may now be worth more than restoring the pre-war status quo.

For the US and Israel, the only way to dismantle this arrangement is by force and the last 38 days demonstrated the limits of that approach. The US achieved air and naval superiority, destroyed Iran’s conventional military, and killed the supreme leader. None of it was enough to compel capitulation, and in fact, may not have even come close. A second campaign faces the same likely result, against a population now unified by the experience of surviving the first one.

The war didn’t just disrupt global trade. It may have permanently repriced the most important shipping lane on Earth — and left every piece of energy infrastructure in the Gulf more vulnerable than it was before the first air strike landed.

You can find more about the global impact of the war in Iran here