AI is supercharging fraud and financial crime risk. The system-wide response from regulators and industry is picking up pace—but real resilience is still an inside job.
In early 2024, we spoke to RTHK’s Money Talk about the rise of deepfake attacks. We were recently back on The Close to explore how AI-enabled crime has evolved: what we’re seeing now is a whole ecosystem, adapting at a rate few businesses are built to match.
We outline why regulatory and enforcement pushback is only part of the answer—and how the firms leading on AI-driven risk are tackling it earlier and deeper than crisis response.
The key takeaways:
As a production tool, AI is now baseline. As a threat amplifier, it’s just getting started
Deepfakes were the first criminal AI use case to rattle global business, and for good reason. Identity fraud in 2026 is fast, cheap, and unbelievably believable. The same tools and turnkey apps that have industrialized content for legitimate commercial use are a gift to bad actors. Early telltale glitches—flickering jawlines, odd eye movements—are largely gone; a few seconds of audio is now enough to clone a voice.
The expected tidal wave of attacks hasn’t quite broken; criminal groups seem to be scaling up selectively, rather than going all-in in ways that would trigger a full-scale clampdown. Sensible planning has to assume they’ll weaponize whatever proves both lucrative and hard to prosecute.
The bigger worry for business is that gen-AI manipulation is just the poster child for a much broader criminal build-out. Early experiments have matured into a full tech stack: from data-mining and reconnaissance to system break-ins, payment fraud, laundering, and AML evasion. AI agents can scan for weak points, generate tailored lures for victims and run whole stretches of the attack workflow—in effect, act as an automated assistant at any hacker’s elbow. Machine-speed, continuously adaptive threats are hitting defenses that were never designed to move that fast.
The scams are international by design; the safeguards are still catching up
For years, governments and industry have been grappling with this as a borderless problem: call centers in one country, money launderers in another, victims region-wide, and new digital assets that hop jurisdictions at a keystroke, outside any single regulator’s line of sight. Until recently, most international cooperation was after the fact—joint investigations, tracing funds—rather than the kind of live data-sharing that could change the odds.
The balance is starting to tilt toward front-end efforts: jurisdictions jointly mapping how these scams operate, and regulators piloting cross-institution data-sharing so that a red flag raised in one bank is visible when another runs checks. Hong Kong is making a notable push to bring virtual-asset firms into licensing regimes and the regulated system. These are important moves—but they don’t change the basic asymmetry. AI-assisted crime is global, and enforcement and supervision are still boxed in by national lines. Firms need to plan to manage that gap themselves, not hope it gets fixed.
What business can do: drills are good, but depth is better
More organizations are now getting practical about the front line, with live scenarios, red-team/blue-team exercises, and role-specific training aimed at the people and processes that are most costly when compromised. It’s valuable work that makes it harder to breach obvious pressure points.
But reflexes aren’t the same as resilience. Cultural foundations are what stop problems taking root, and they’re weakening just as risk ramps up. Regulatory emphasis on misconduct, bribery, and corruption has quieted. High turnover is a feature of fintech and crypto, and traditional firms are restructuring and cutting headcount: that level of churn makes it harder to monitor behavior over time and embed consistent norms and standards. Culture still matters, though: firms that keep an eye on the gap between rhetoric and operating reality usually see trouble earlier—and avoid the kind of conduct failures that erode trust and earnings.
Governance is the other fault line. Risk management still trails the money: commercial teams set the pace, and risk and compliance have to work around decisions already made. Recommendations then have to work their way through governance built for stability—siloed teams, committee layers, annual risk-appetite cycles—not for threats that reconfigure in hours rather than quarters.
Crisis drills are necessary, but resilience is built in a few upstream choices:
Don’t fight AI with AI alone. Pattern detection at scale is critical, but trained human judgment is what turns signals, including the ones machines miss, into good decisions. On the calls that matter most, treat the system’s output as one input and give the right person the final say.
Redesign governance for speed. Reduce the drag between risk and response, give AI-related threats clear ownership, and make sure business leaders share the risk as well as the upside.
Encourage challenge over passive compliance. Rules and controls are vital, but a real speak-up culture, where people question unusual activity and escalate concerns early, is what separates prevention from clean-up.
Build safe, fast ways to experiment. Sandboxed environments allow teams to get comfortable with new tools—and their vulnerabilities—without putting live data or processes at risk.
Push for data-sharing and joint responses. Criminals already collaborate; doing the same makes it harder for attackers to reuse playbooks.
