INTRODUCTION

The FATF’s Roadmap 26 to 28 on Combatting Fraud should be read as a clear signal of where the financial crime effectiveness debate is moving. Launched under the UK Presidency in July 2026, the roadmap places fraud at the centre of the international AML and CFT agenda. 

It focuses on the use of the AML and CFT framework to disrupt fraud related financial flows, including freezing and seizing assets, suspending fraudulent transactions and improving cross border intelligence sharing. The FATF has also stated that nearly 90% of assessments in the previous round of mutual evaluations identified fraud as a major proceeds generating offence.

What is the implication for banks?

Contents

The FATF’s roadmap changes the question

The implication for banks is significant. Fraud can no longer be treated as a separate operational loss issue that eventually becomes relevant to AML once the proceeds are identified. In many fraud typologies, the fraud and the laundering are not separate events. They form part of the same transaction sequence. The victim payment is the offence. It is also the first movement of criminal value. The beneficiary account may be a mule account. The onward transfer, withdrawal, dispersal or cross border movement may follow within minutes. By the time the AML framework receives the matter through a conventional escalation route, the funds may already have left the beneficiary bank.

This is the weakness the FATF’s roadmap exposes. Most banks have a fraud control framework and an AML framework. Both may be well documented. Both may have systems, governance, policies, escalation paths and reporting routines. The fraud framework is often focused on customer harm, disputed transactions, recovery and operational loss. The AML framework is focused on proceeds of crime, suspicious activity, regulatory reporting and broader financial crime risk.

The difficulty is that the movement of fraud proceeds is continuous, while the bank’s control response is often fragmented. Fraud may be identified in one framework, suspicious activity assessed in another, and restraint considered only once the issue has moved through several handoffs. By that stage, the funds may already have left the beneficiary bank. The same transaction can be a customer harm event, a mule account indicator, a suspicious transaction and the first stage of laundering. If those issues are assessed by separate teams, through separate systems, at different speeds, the institution may not form a complete view until the opportunity to freeze funds has passed.

 

Why current controls may be too slow

The Thailand example referred to at the FATF launch illustrates the issue. Once a victim transfers money, roughly half the loss can leave the country within three minutes. The victim typically only realises they have been scammed around twenty hours later. That gap matters because many controls still assume that there is time to detect, analyse and escalate. Historically, AML controls have often worked after the event. The transaction is processed, monitoring identifies potential suspicion, an analyst reviews the activity, the case moves through escalation, and a decision on reporting or restraint is made only once the facts have been assembled. That sequence may be appropriate for some forms of suspicious activity, but it is poorly aligned to fraud proceeds moving through mule accounts and payment channels at speed.

The same issue appears in transaction monitoring design. Many AML models were built around traditional laundering assumptions. The predicate offence happens first. The proceeds then enter the financial system. The institution monitors for placement, layering and integration. Fraud often collapses that sequence. The predicate offence and the laundering activity can occur at the same time. A model calibrated mainly to detect laundering after the predicate offence may therefore be looking too late. It may identify suspicious movement only after the funds have left the beneficiary account or moved beyond the bank’s practical control.

This is not only a tuning issue. It goes to the assumptions on which the model was designed. Model validation should therefore ask whether transaction monitoring reflects fraud typologies as they operate in practice. It should test whether the logic identifies mule behaviour, rapid onward movement, unusual beneficiary patterns, newly active accounts, changes in customer behaviour, payment velocity and connections between fraud indicators and AML risk indicators. It should also test whether alerts are produced at a point where intervention remains possible.

The same principle applies to customer risk assessment. Mule accounts, fraud enabled accounts, compromised customers and synthetic identities should not sit outside the AML risk view. If fraud intelligence does not inform customer risk, the institution may underestimate risk at the precise point where escalation is most important.

 

How the response needs to change

The answer is not simply to merge fraud and AML into one department. The more important requirement is operational integration. Fraud and AML need a shared view of risk. They need common typologies, shared data, aligned escalation triggers and a clear understanding of when urgent intervention is required. Fraud intelligence should inform AML monitoring. AML intelligence should support fraud containment. Mule account data should feed customer risk assessment. Payment alerts should be assessed against customer behaviour, beneficiary patterns and network indicators, not only static rules.

This requires monitoring closer to the transaction event. Batch monitoring and next day review may still have value in parts of the AML framework, but they are not sufficient where fraud proceeds can move beyond reach in minutes. Banks need the ability to identify risk before funds leave the beneficiary bank where this is possible.

Banks also need clear authority to act. If staff are expected to pause, hold or freeze funds, the legal basis, procedural threshold, approval route, customer handling approach and audit trail must be clear. Uncertainty creates delay, and delay benefits the network moving the proceeds.

Technology can improve the response, but only if it is tied to the operating model. Network analysis can help banks identify linked accounts, mule clusters, circular flows, common beneficiaries and rapid dispersal patterns. It can support both immediate intervention and subsequent investigations by showing how funds moved, who received them, and where recovery efforts should be directed.

Federated machine learning may also become important. It allows models to train across multiple institutions without requiring banks to pool raw customer or transaction data. The model travels to the data, while the data remains within each institution. This is relevant because fraud proceeds often move across institutions, while each bank sees only part of the chain.

Used properly, federated learning can help institutions identify mule networks, rapid layering and recurring fraud movement patterns that may not be visible to one bank acting alone. It should supplement existing monitoring and screening. It does not replace governance, legal authority, typology development, model validation, explainability or information sharing.

Subsequent investigations also need to be treated as part of the control response. Where funds have already moved, banks should be able to reconstruct the transaction chain quickly, identify connected accounts, support freezing requests, assist recovery and feed new intelligence back into monitoring and customer risk models.

Investigation should not sit at the end of the process as a reporting exercise. It should strengthen the next detection cycle.

 

What banks should do now

Banks should not wait for the next mutual evaluation cycle to test this. They should assess whether their fraud and AML frameworks operate as a single response when fraud and laundering occur within the same transaction sequence.

That assessment should be practical, and banks should ask several questions of themselves. Can the bank identify fraud linked proceeds before they leave the beneficiary bank? Do fraud systems and AML systems share relevant data? Does customer risk assessment reflect mule and fraud intelligence? Are monitoring models validated against current fraud typologies? Are staff authorised to act quickly when indicators justify restraint? Does governance measure outcomes, or only the completion of processes?

The next round of mutual evaluations is likely to place greater emphasis on these questions. The issue will not only be whether controls exist.

It will be whether they produce results.

Whether funds were traced.

Whether assets were restrained.

Whether intelligence was shared.

Whether banks and authorities could act at the speed of the risk.

 

For Grant Thornton UAE, this is where Risk Innovation and Financial Crime Compliance connect.

Our work is to assess whether controls produce defensible outcomes, validate models against current fraud typologies, redesign operating models for speed, and evaluate technologies that can support a more integrated response.

If fraud and laundering now form part of the same transaction sequence, a bank cannot rely on a control model built for a time when they didn't.