The conformity trap: How AML standardization is giving financial crime somewhere to hide
AML regulation is undergoing significant changes. Across jurisdictions, regulators are moving away from assessing whether institutions have appropriate controls in place, toward a more demanding standard: whether those controls can be demonstrated to work in practice.
This is evident in recent developments across the European Union and the United Kingdom, as well as in global guidance from the Financial Action Task Force (FATF). It reflects a broader recognition that formal compliance does not necessarily translate into effective detection of financial crime.
Taken together, these represent a meaningful improvement in regulatory thinking. It reframes AML as an outcomes-based discipline rather than a procedural one.
| The key takeaway: The regulatory move toward demonstrable effectiveness is well-founded and reflects a necessary evolution in AML supervision. It raises expectations of outcomes while also implicitly calling for more adaptive and innovative approaches to detecting financial crime. However, this assumes a level of detection capability, system integration, and data visibility that many institutions do not yet possess, creating a gap between what regulators are now asking of institutions and what current systems are structurally able to deliver. More subtly, the move toward greater standardisation begins to shape how institutions interpret and respond to risk, raising the possibility that improvements in consistency may come at the expense of diversity in detection and, in turn, the system’s ability to identify what does not conform. What this means in practice 🟣Expectations are rising faster than system capability 🟣Standardisation improves consistency, but narrows detection 🟣The risk is reduced diversity in how financial crime is identified |
Europe’s response: Harmonization and centralization
The European Union has been the first to operationalize this move toward demonstrable effectiveness through the introduction of a single AML rulebook and the creation of the Anti-Money Laundering Authority (AMLA).
Essentially, this reform seeks to address a long-standing structural weakness in the European AML framework: fragmentation. Historically, differences in national implementation, supervisory intensity, and interpretation of regulatory standards have led to uneven enforcement across member states. This has created inefficiencies and enabled financial crime risk to migrate toward jurisdictions perceived as less stringent.
The harmonized rulebook and centralized supervision is designed to reduce this variability. By establishing consistent expectations across institutions and enabling greater comparability of outcomes, AMLA aims to strengthen both oversight and accountability at a system-wide level.
In this respect, the direction of travel is clear and well-founded. Greater consistency reduces ambiguity, improves supervisory clarity, and limits opportunities for regulatory arbitrage.
However, harmonization also introduces a new dynamic into the system.
As expectations become more consistent and outcomes more comparable, they begin to shape how institutions interpret and respond to risk. What is defined, measured, and evaluated at a system level increasingly influences what is prioritized at an institutional level.
Consistency, therefore, does not operate purely as a clarifying force. It also acts as a behavioral one, shaping how institutions define, prioritize, and ultimately pursue the detection of risk.
The risk-based principle and emerging tension
AML frameworks globally remain grounded in the risk-based approach, as reinforced by guidance from the Financial Action Task Force. Institutions are expected to allocate resources dynamically, respond to emerging threats, and tailor their controls to the specific risks they face.
Alongside this, supervisory models (particularly within the European Union) are increasingly oriented toward standardization. This is reflected in the growing emphasis on consistent reporting structures, comparable metrics, and auditable decision-making frameworks that allow regulators to assess performance across institutions in a more systematic way.
Individually, these developments are coherent. Together, they introduce a structural tension.
Institutions are being asked to do two things at once:
- ➡adapt to emerging and evolving risks
- ➡demonstrate their approach in a consistent and comparable way
As expectations become more clearly defined, the range of acceptable approaches implicitly narrows.
Some observers, including EY, have noted that increasing standardization may reduce flexibility in the application of risk-based approaches. The issue is not that flexibility has been removed in principle, but that it must increasingly operate within a defined and observable structure.
The result is not an explicit contradiction in the rules, but a practical paradox in their application. Institutions retain the ability to innovate in how they detect risk, but must express that innovation in a standardized and comparable form.
In effect, flexibility remains, but it is conditioned by the need to demonstrate it within a common frame.
Behavioural consequences inside institutions
Regulatory systems do not simply define requirements; they also determine behavior.
As expectations become clearer and supervisory scrutiny increases, institutions respond rationally. This response is already observable in areas such as model validation, audit processes, and regulatory review, where the need to demonstrate compliance in a consistent and defensible manner becomes central.
Within this environment, certain patterns begin to emerge. Institutions show a growing preference for models that are more readily explainable, approaches that align with established supervisory expectations, and decision-making processes that prioritize defensibility alongside, and at times over, exploratory accuracy. These tendencies are not the result of regulatory failure, but of institutional adaptation to the incentives embedded within the supervisory framework.
Over time, these behaviors lead to convergence. Detection approaches become more similar across institutions, interpretations of risk begin to align, and methods that fall outside accepted frameworks are less likely to be pursued, regardless of their potential effectiveness.
This convergence introduces a new form of systemic risk. When institutions approach detection in similar ways, the diversity of perspectives that can expose non-obvious or emerging threats is reduced. As a result, blind spots are less likely to be isolated and more likely to become shared.
In this sense, the system becomes more consistent, but also more predictable, increasing the risk that vulnerabilities are replicated across institutions rather than contained within them.
Global context: Alignment in direction, divergence in approach
While Europe is pursuing harmonization through a centralized supervisory model, the broader global AML landscape reflects a more diverse set of approaches.
At a foundational level, there remains a high degree of alignment. Guidance from the Financial Action Task Force continues to emphasise the risk-based approach, encouraging jurisdictions to tailor their frameworks to local conditions while focusing on effectiveness in outcomes rather than formal compliance alone. Across most regions, there is a shared commitment to improving transparency, strengthening detection, and enhancing the overall integrity of financial systems.
This shared direction, however, coexists with a growing divergence in how these objectives are operationalized.
Within the EU, the introduction of a single rulebook and the establishment of the Anti-Money Laundering Authority reflect a clear prioritization of consistency and comparability, supported by centralized supervision. In the United States, reforms associated with the Anti-Money Laundering Act of 2020 have placed greater emphasis on transparency, most notably through beneficial ownership requirements, alongside an expanded focus on the use of data, technology, and information sharing to enhance detection capability.
Other jurisdictions broadly align with FATF principles, while continuing to implement them within national frameworks that preserve a degree of local flexibility and variation.
Taken together, these approaches point in the same strategic direction, while reflecting different assumptions about how improvement is best achieved.
- ➡Europe seeks to strengthen the system through harmonization and supervisory alignment.
- ➡The United States places greater weight on capability, innovation, and the effective use of data. FATF maintains a principle-based stance that allows for diversity in implementation.
These differences also reflect underlying institutional and regulatory cultures. The European approach places greater emphasis on structural alignment, consistency, and centralized oversight as mechanisms for improving outcomes. The United States places more weight on capability, innovation, and the use of data to enhance detection. FATF, by design, maintains a framework that accommodates variation and local adaptation.
In this sense, the divergence is not simply about implementation. It reflects differing assumptions as to how complex systems are most effectively governed and improved.
The result is a globally aligned objective alongside an increasingly fragmented execution model.
The structural limitation: Fragmented insight
Beneath these regulatory developments lies a more fundamental constraint that remains largely unresolved.
Financial crime operates across networks. It spans multiple institutions, crosses jurisdictions, and relies on patterns that emerge only when activity is viewed in aggregate. The signals that indicate risk are often distributed across entities rather than contained within any single organisation.
Detection, by contrast, remains largely siloed at each institution. Each firm monitors its own transactions, assesses its own customers, and generates its own alerts based on the data available within its own perimeter. While these processes may be increasingly sophisticated, they are inherently partial.
This creates a structural limitation.
Even as supervision becomes more consistent and expectations more clearly defined, institutions continue to operate with incomplete visibility of the networks in which financial crime occurs.
The quality of detection is therefore constrained not only by the models or controls applied, but by the scope of the data those models can access. In effect, institutions are optimizing within their field of view, rather than expanding it.
Regulators, in turn, assess effectiveness based on outcomes that are themselves shaped by this fragmentation. Improvements in consistency and governance do not necessarily translate into a corresponding expansion of insight.
The result is a persistent mismatch between the nature of the threat and the structure of the response. Financial crime is networked, while detection remains localized.
In this context, the system becomes more consistent without becoming more connected. Its ability to explain what it sees improves; its ability to see more remains limited.
From standardisation to system capability
While AML regulation has successfully driven a movement toward greater consistency, this has not solved the underlying structural limitation: detection remains localized while the threat is networked.
The next phase of evolution must therefore focus on system capability, including how to generate and combine insight across institutions without requiring data centralization.
From data to intelligence
The trajectory of AML regulation is clear and directionally sound. The shared objective across jurisdictions is to improve the effectiveness of financial crime detection through stronger supervision, greater transparency, and more meaningful evaluation of outcomes. That direction is well founded.
This evolution, however, brings a more fundamental question into focus. Can a system built on fragmented data deliver genuinely effective detection at scale?
Where data cannot be centralized, whether due to privacy, legal, or competitive constraints, the problem requires reframing. The challenge extends beyond standardizing processes within institutions to how insight can be generated across them. The question becomes one of intelligence rather than data. If data cannot be pooled, can intelligence be combined?
The limits of centralization
Centralized approaches seek to address this by bringing data into a single environment. In practice, they encounter legal, privacy, and competitive constraints that are unlikely to ease at scale. More fundamentally, centralization requires alignment at the level of data, which is precisely where fragmentation is most entrenched. The approach attempts to solve the problem at the point where change is most difficult.
Learning across institutions
Distributed approaches follow a different path. Rather than attempting to unify data, they enable learning to occur across it. Models are trained locally and combined at the level of insight, preserving the separation of underlying data while extending the scope of detection. The system moves from integrating information to integrating understanding.
Because learning occurs on locally distinct data reflecting different customer bases and risk profiles, the resulting intelligence preserves diversity even as it is combined. Consistency at the level of insight does not require conformity at the level of detection.
Preserving diversity in detection
The implications extend beyond architecture. As explored earlier, regulatory standardization shapes institutional behaviour and drives convergence in how risk is detected and interpreted. This convergence improves consistency, while reducing the diversity of perspective that surfaces non-obvious and emerging threats.
Distributed approaches offer a structural counterbalance to that dynamic. They allow insight to be combined across institutions without requiring institutions to detect risk in the same way. In doing so, they address both the fragmentation of insight and the convergence of detection that makes the system predictable.
Complementary forces
Different jurisdictions are approaching this through distinct models, aligned toward a common aim. Europe emphasises consistency and supervisory alignment, seeking to raise the baseline of performance across the system. The United States places greater weight on capability and innovation, seeking to improve the precision of detection within and across institutions. These represent different levers applied to the same objective and are more complementary than they first appear.
Standardization and innovation are not alternatives. Regulatory frameworks define expectations and create consistency; technological capability determines how far those expectations can be realized in practice. The next stage of AML evolution lies in aligning these two forces, enabling systems to learn across institutional boundaries while respecting them.
In this way, AML moves from a collection of isolated perspectives toward a more connected and capable understanding of risk, while preserving the diversity required to detect it effectively.
Beyond consistency: The next evolution
AML regulation is undergoing a necessary and well-directed evolution. Across jurisdictions, there is a clear movement toward greater transparency, stronger supervision, and a more explicit focus on demonstrable effectiveness. This represents a meaningful improvement on prior models that emphasised the presence of controls over their outcomes.
Different regulatory approaches reflect distinct paths toward the same objective. The European model seeks to raise the baseline of performance through harmonization and supervisory alignment. The United States places greater emphasis on capability, innovation, and the effective use of data. FATF continues to provide a flexible, principle-based framework that accommodates variation in implementation. Together, these approaches indicate a broad convergence on the importance of improving detection.
At the same time, this evolution has exposed a structural limitation. Financial crime operates across networks, while detection remains largely confined within institutional boundaries. Improvements in consistency and governance do not, on their own, expand the scope of what institutions are able to observe. As a result, the effectiveness being sought is constrained by the fragmented nature of the underlying system.
Addressing this limitation does not necessarily require new regulatory frameworks or changes to data privacy regimes. In many respects, the constraints that prevent data from being centralized are well-founded and unlikely to change. The challenge, therefore, is not to remove these constraints, but to work within them.
The focus therefore moves from regulation to architecture. The question is how systems can generate and share insight. Advances in data science and distributed computation suggest that this is increasingly feasible. Approaches that enable institutions to learn collectively, while retaining control over their data, offer a way to extend visibility without compromising existing safeguards.
The implications extend beyond technical capability. As standardization shapes behaviour, it also shapes how risk is perceived and acted upon. The convergence of approaches across institutions increases consistency, but reduces diversity in detection. Over time, this creates the potential for shared blind spots, where risks that fall outside prevailing models are less likely to be identified across the system as a whole.
The effectiveness now being sought is therefore not only a function of improved supervision, but of how systems are designed to both connect insight and preserve diversity in how risk is detected. The future of AML lies not in expanding the perimeter of regulation, but improving the connections within it — and ensuring that those connections preserve the diversity of detection that makes the system genuinely hard to predict.
Want to see what federated learning could do for your AML program? We’d love to walk you through it. Let’s talk.
Related reading:
