Anti-money laundering (AML) regulation is entering a new phase. Across jurisdictions, regulators are shifting away from simply checking whether institutions have controls in place, and towards demanding proof that those controls actually work.
According to Consillient, recent moves by the European Union, the United Kingdom, and the Financial Action Task Force (FATF) all reflect a growing consensus that formal compliance does not, on its own, guarantee effective detection of financial crime. It is a meaningful reframing — moving AML from a box-ticking exercise to an outcomes-based discipline.
Consillient recently discussed the conformity trap, and how AML standardization is giving financial crime somewhere to hide.
The EU has been quickest to act on this shift. Through a single AML rulebook and the establishment of the Anti-Money Laundering Authority (AMLA), Brussels is targeting a long-standing structural flaw in Europe’s AML architecture: fragmentation. Historically, inconsistencies in how member states implemented and enforced AML standards created an uneven regulatory landscape, allowing financial crime risk to gravitate towards jurisdictions perceived as softer. The harmonised rulebook and centralised supervision are designed to close these gaps, reduce ambiguity and limit the scope for regulatory arbitrage. In principle, the direction is sound.
However, harmonisation introduces a subtle but consequential dynamic. As expectations become more uniform and outcomes more comparable across institutions, those institutions begin to interpret and respond to risk in increasingly similar ways. What regulators define and measure at a system level shapes what institutions prioritise at an operational level. Consistency, then, is not simply a clarifying force — it is a behavioural one.
This creates a structural tension at the heart of the risk-based approach. Institutions are simultaneously expected to adapt dynamically to emerging threats and to demonstrate that adaptation in a standardised, auditable format. As the range of acceptable approaches narrows, institutions gravitate towards models that are easier to explain, decisions that align with supervisory expectations, and frameworks that prioritise defensibility. The flexibility that the risk-based principle was designed to preserve is not removed — but it becomes increasingly conditioned by the need to perform within a common frame. Some observers, including EY, have flagged that increasing standardisation may reduce how flexibly the risk-based approach is applied in practice.
Over time, this produces convergence. Detection methodologies begin to look alike across institutions, interpretations of risk align, and approaches that fall outside prevailing frameworks are less likely to be pursued — regardless of their potential effectiveness. The result is a new form of systemic risk: when institutions detect risk in similar ways, they tend to share the same blind spots. Vulnerabilities that fall outside accepted models are not contained within a single firm; they replicate across the system.
The global picture is one of shared direction but divergent execution. FATF continues to advocate a principles-based, risk-sensitive framework that accommodates local variation. The United States, through reforms introduced by the Anti-Money Laundering Act of 2020, has placed heavier emphasis on data, technology and information-sharing as tools for improving detection capability. Europe, meanwhile, is betting on structural alignment and centralised oversight. These are not contradictory approaches — they reflect different assumptions about how complex regulatory systems are best improved — but they are pulling in distinct directions even as the strategic goal remains the same.
Beneath these regulatory developments lies a more fundamental constraint. Financial crime operates across networks — spanning multiple institutions and jurisdictions, generating patterns that only become visible in aggregate. Detection, by contrast, remains largely siloed within individual firms. Each institution monitors its own transactions, assesses its own customers and generates its own alerts based on data within its own perimeter. Even as supervision becomes more consistent and sophisticated, institutions continue to operate with incomplete visibility of the broader networks in which financial crime occurs. The system becomes more coherent without becoming more connected.
Addressing this limitation does not necessarily require dismantling existing data privacy regimes or centralising information at scale. Those constraints are well-founded and unlikely to ease. The more promising path lies in distributed approaches — enabling learning to occur across institutions at the level of insight rather than raw data. Models trained on locally distinct datasets can be combined to generate broader intelligence, preserving data separation while extending the scope of detection. This allows institutions to contribute to a collective understanding of risk without sacrificing control over their own data.
Crucially, this approach also offers a counterbalance to the convergence risk that standardisation creates. By allowing institutions to detect risk in their own way while pooling the resulting intelligence, such systems preserve the diversity of perspective that makes financial crime harder to predict and easier to surface. Standardisation and innovation are not alternatives — regulatory frameworks set the expectations; technological capability determines how far those expectations can be realised.
The future of AML does not lie in expanding the perimeter of regulation. It lies in improving the connections within it — and ensuring that those connections preserve enough diversity in detection to keep the system genuinely unpredictable to those seeking to exploit it.
Read the full Consillient post here.
Copyright © 2026 FinTech Global
