The Anti-Money Laundering Paradox: AI versus Outlier Criminality

The global financial system moves vast sums of money every second—a blur of capital that includes everything from micro-payments to billions of dollars changing hands electronically. This week on “What the Hack?” we look at the criminals in that blur.

Within the daily torrent of capital moving around the globe, criminals inject and launder illicit funds, relying on the sheer volume and complexity of the system to hide in plain sight. While AI adds exponential capacity to monitor and police this data stream, it relies on established data patterns and that creates a unique (read: critical) problem because criminals succeed through strategic novelty—outlier thinking that AI, by its very nature, cannot yet predict or replicate.

Tracing the Invisible: Financial Data Trails

Modern technology has fundamentally changed the old adage that “money doesn’t know where it came from,” because every financial activity leaves a forensic trail. 

Trillions of dollars zip around the globe annually. In the torrent of currency, a $40 Venmo to settle a bar tab looks like a smaller version of a wire transfer for a real estate deal, which is dwarfed by a billion-dollar shipment of crude oil but all these as well as the dough sent to buy the raw materials to make fentanyl look the same in the money trucks moving along the global financial highways. It’s all just money till someone stops the truck and runs the driver’s license. 

The blur of finance is slowed down with the application of AI, which slows things down enough to lift the fingerprints off bad money. Illicit funds can be identified. Even if a cousins child’s babysitter is making the payment it can be identified. The connections are as findable as we are online in the everyday sense of People Search data broker sites and the like, but more accurately, they are exposed by the hyper-dimensional OSINT that maps this ecosystem.

I talked to Jeff Williams, the CISO at Sigma360 about all this. Williams painted a picture that promises a brighter future in the dark world of dirty money and sanctions compliance. Combining transaction data with publicly available information—including device IDs, IP addresses, names of flagged individuals, shell company registrations, and global news mentions—Williams is in the business of mapping criminal networks way beyond any one government list of sanctioned players to bolster KYC and protect clients against laundering campaigns. 

The system can see patterns, trace accounts to addresses, devices, IP addresses, names, shell companies, fake merchants. They can map entire webs of relationships, who’s connected to what and how fast the money is moving. This capacity turns the financial system into a battlefield where every transactional event is a potential intelligence source. 

The Nuances of Global Blacklisting

Ironically, the global compliance architecture, enforced by agencies like the U.S. Treasury’s OFAC, demands a level of complexity that AI cannot yet execute without a human keeper running the plays. 

When it comes to integrating the sanctions lists and intelligence from other countries, added to OFAC’s rules, AI is fine. That said: Problem not solved. It would instantly spiral out of control without the agency of an experienced human looking for trouble because criminals are good at outlier thinking and AI sucks at it.

Let’s say OFAC lists an entity that owns 50% or more of a company. That person is somebody who should be sanctioned if the company is sanctioned, but who looks to see if the cousin of that person owns 1% and they own 49%? And that’s saying nothing of aggregate ownership and whole constellations of other data points.

Williams leaned into the position that If you don’t go out and look at those next-level relationships and how things map together and how they graph out, you’re going to miss things.

Strategic obfuscation is the hallmark of criminals. Imagine if the School of Hard Knocks gave out MBAs and Ph.Ds in outlier thinking; now, imagine how hard that would be to police. 

Mind the Gap

Enterprise hates compliance because it requires massive investment, but there’s no guarantee when it comes to regulatory penalties exposure. You can throw everything you have at a problem and at the end of the day get fined because you didn’t solve for it (though if you can prove you tried your best, you might not have to pay quite as much).

The basic problem with compliance is that we have somehow decided that’s the goal. We treat compliance like a hurdle we have to clear, when it should be the ground underneath our feet. 

Meanwhile there’s an aberration gap. By focusing only on achieving regulatory standards (i.e., detecting known, patterned crimes and threat actors) and trusting tech to do its thing, next-gen criminal non-patterned threat actors have an open field. 

The Capacity Ceiling of Algorithmic Security

Since AI is trained on historical patterns, it can only identify deviations that exist, and it’s bad at strategic thinking for the same reason. Aberration from the norm? Does not compute.

My takeaway from the conversation from Jeff Williams is that humans survive another day. The same systems that spot hidden crime can also generate false positives as well, which is yet another reason a human-in-the-loop model is wise. An experienced, intelligent analyst is still the essential, non-replicable component in the war on creative outlier thinking driving the finances of criminal enterprises globally.

Ethical Responsibility and the AML Future

Technological limits versus criminal innovation is a boring war minus ethical responsibility. Financial gatekeepers wrestle with both technical difficulty and the systemic tendency to choose the optimization of profits over the costly, difficult work of “perfect policing,” or whatever the closest thing to that may be.

So it’s time for a rhetorical question: What ever happened to doing the right thing and having that be reason enough to do it?

When it comes to ensuring and governing legit transactions, computational power alone cannot win the day. The ultimate capacity needed to defeat sophisticated criminal deviation is the cognitive ability and moral will of the human analysts, transforming compliance from a regulatory hurdle into a proactive–Spy vs Spy–commitment to security.