
Automating Financial Crime Compliance

While AI and RegTech can offer efficiencies in financial crime detection, courts and regulators warn against over-reliance on technology. Recent cases and enforcement show that human oversight remains critical to avoid compliance failings or excessive “de-risking.” Our Financial Regulation team explores how firms can strike the right balance.


There have been a number of recent developments which have prompted regulated financial service providers (FSPs) to exercise increased caution and to avoid over-reliance on technology in detecting financial crime. While artificial intelligence (AI) and regulatory technology (RegTech) promise notable efficiency gains, regulators and courts stress that system-generated financial crime alerts are only a starting point. Regulated FSPs are reminded that human judgment, careful legal analysis (which may require specialist legal advice) and rigorous governance are necessary for robust detection. Therefore, the challenge for firms is ensuring that automated results are handled with sufficient human oversight to avoid scrutiny for misplaced conservatism, regulatory gold-plating or undermining financial inclusion. Now is the time for firms to act to review their risk management controls.

Regulatory support for technological innovation

In recent years, the Central Bank of Ireland (Central Bank) has increased its emphasis on harnessing the opportunities and transformative potential that technology offers to the financial sector. Its Regulatory & Supervisory Outlook Reports have recognised the significant benefits offered by AI, noting its emerging uses in fraud detection and automated reporting. The Central Bank highlighted its commitment to exploring the benefits of innovation in financial crime prevention by selecting ‘Combatting Financial Crime’ as the theme of its first Innovation Sandbox Programme, which launched in December 2024.

The voice of reason: opportunity v risk

The Central Bank, however, has consistently tempered its support for financial innovation with reminders of the need for careful risk management. This means deploying technology responsibly and proportionately with meaningful senior management oversight, strong governance and continuing manual processes to ensure the ‘analytical thinking of humans’ retains a safeguarding role. The Central Bank has pointed to technology-led payments, e-money and crypto sectors for their tendency towards immature risk cultures. The regulator notes that these often lead to weaker control frameworks that can be more vulnerable to financial crime.

There may also be broader risk management considerations for firms deploying vendor-supplied technologies in areas such as:

  • Operational resilience
  • Governance and accountability
  • Third-party risk management
  • Outsourcing, and
  • Data protection

Therefore, a holistic approach to risk management is crucial and firms should think bigger than the immediate goal of financial crime compliance.

Responsible deployment: best practice

Recent developments outside Ireland have highlighted how financial firms can apply anti-financial crime technologies responsibly. Regulators and courts are scrutinising what responsible deployment looks like and are actively setting expectations for effective risk management frameworks as the adoption of technology grows.

EBA criticises ‘unthinking use’ of RegTech

The European Banking Authority (EBA) published an Opinion on money laundering and terrorist financing risks in the EU’s financial sector in July 2025. It reported that more than half of serious compliance failures reported to its EuReCA database – a central hub for bank supervisory data – involved the improper use of RegTech tools. The EBA warned that despite its potential to enhance compliance and reduce manual errors, RegTech is often poorly implemented due to deficient expertise and oversight. It also noted that institutions often lack adequate systems to implement financial sanctions effectively. This comes at a time when the growing number and complexity of sanctions measures are putting pressure on standard screening tools. This is a challenge further compounded by new requirements such as SEPA instant transfer screening.

Sanctions compliance: human effort essential for ‘reasonable cause to suspect’

In a recent case, Tonzip Maritime Ltd v 2Rivers Pte Ltd, the Commercial Court of England and Wales considered the degree of additional due diligence needed to establish a ‘reasonable cause to suspect’ that the performance of a contract would breach UK sanctions, following vendor-generated screening matches. Tonzip, the claimant shipowner in this case, refused to unload cargo for a Russian company, Neftisa. Tonzip’s refusal was based on screening alerts suggesting a link to a sanctioned individual. Tonzip argued that the screening matches invoked the protections of the contract’s sanctions clause, allowing for the rejection of orders exposing it to sanctions risk. The Court disagreed, finding Tonzip’s response speculative and not objectively reasonable. It noted there was no evidence that the sanctioned person controlled Neftisa in practice, with Tonzip having failed to properly consider supporting documents to that effect.

Beware of ‘de-risking’

While it may seem clear that the claimant in Tonzip should have done more to investigate the screening match, the case raises relevant considerations for FSPs. It highlights, for example, the difficulty institutions face in balancing sanctions compliance with the risk of adopting decisions that could be deemed too defensive if challenged in the courts. Firms may feel ‘caught between a rock and a hard place’, particularly larger institutions faced with the added operational burden of reviewing large batches of system-generated alerts.

Striking the right balance is key. Both the courts and regulators have warned financial participants against gold-plating financial crime regulatory requirements even where higher risk indicators are detected, where doing so risks undermining financial inclusion. The recent Advocate General (AG) Opinion of the CJEU, delivered on 4 September in the case of LH v OTP banka d.d. is particularly insightful. Here, the AG criticised a Slovenian bank for refusing to open a basic payment account for an individual based solely on a confirmed US sanctions match. Specifically, the AG noted the absence of any indication that opening the account would infringe local AML/CFT requirements, or that collecting risk-based (enhanced) customer due diligence would not be possible.

Automation pitfalls: recent enforcements

Recent enforcement activity demonstrates a clear supervisory focus on the limitations of using automated screening solutions. Their concerns broadly reflect those of the EBA and the Commercial Court in Tonzip and include:

  • Incomplete manual investigation of automated alerts
  • Reliance on defective screening technology
  • Insufficient assurance, governance and oversight of screening processes, and
  • Lax screening controls

Case studies

  • Bunq B.V.: The Dutch central bank (DNB) imposed a €2.6 million fine on online bank Bunq in August 2025 for AML control deficiencies. These included inadequate investigation and reporting of potential financial crimes, and weak follow-ups on transaction monitoring alerts. The issues were identified between January 2021 and May 2022. Bunq has reportedly objected to the fine, stating ‘We use the most advanced technology and continuously strengthen our systems’. Notably, the fine followed a 2022 Dutch court ruling where Bunq successfully challenged DNB's prohibition on using AI for AML monitoring purposes.
  • Metro Bank PLC: The FCA fined Metro Bank PLC £16.7 million in November 2024 for transaction monitoring failures. During the relevant period, the bank’s automated transaction monitoring system failed to monitor over 60 million transactions, with a value of over £51 billion. The FCA highlighted deficiencies including:
    • Incomplete data
    • Oversight and governance issues
    • Inadequate alert handling, and
    • Ineffective reconciliation processes
  • Starling Bank Limited: The FCA previously imposed a fine of almost £29 million on Starling Bank Limited. The bank had realised in January 2023 that, since 2017, its automated screening system had only been screening customers against a fraction of the full financial sanctions list. The FCA described the bank’s financial sanctions screening controls as ‘shockingly lax’.

Time to act

As the examples detailed in this article show, the information generated by financial crime compliance technologies should never be accepted ‘unthinkingly’, or used as a pretext to ‘de-risk’ or to avoid the perceived burden of completing enhanced due diligence. Effective governance and holistic risk management are also crucial, remembering that accountability remains with the firm.

Amid increasingly complex international sanctions requirements and with a significant wave of EU AML regulatory change on the horizon, firms should act now to review and future-proof their use of technology in detecting financial crime.

For expert advice on effectively deploying risk management protocols for robust detection of financial crime, contact a member of our Financial Regulation team.

This content was contributed by Barbara Parnell, Knowledge Lawyer.

The content of this article is provided for information purposes only and does not constitute legal or other advice.


