At conferences and client events, I often find myself talking with Non-Executive Directors about financial crime. Many ask what financial crime risks and trends they should be watching most closely, and it’s interesting to hear their perspective from the boardroom.
As a NED, you carry wide responsibilities for oversight, governance and assurance. You’re expected to understand your organisation’s exposure, how prevention and detection are managed, and how assurance is obtained.
My aim here is to offer some practical observations that may help you feel confident the right questions are being asked, that accountability is clear, and that controls are proportionate to the risks the firm faces.
Over the past two years, financial crime has become one of the most active areas of regulatory and reputational risk. The increased use of digital channels, the vast range of products and the rise of automation/AI – coupled with reduced human involvement in many processes – have created fertile ground for criminal networks. They move funds and identities across borders faster than most control systems can react.
Fraud, once considered a problem primarily for retail banking, now cuts across every part of financial services. Regulators have tightened expectations accordingly. The FCA and international supervisors have issued significant fines against major institutions such as Barclays and JP Morgan. These shifts need to be reflected in governance, data, reporting and risk assessments.
If you sit on the board of any financial institution, you will want confidence that these risks are well understood – not only because of regulatory obligations, but because a serious failure in financial crime control can damage reputation, customer trust and operational resilience long after the compliance issue has been resolved.
The essential question is whether financial crime risk is properly owned, governed and reported. The leadership team should be able to demonstrate a credible understanding of the threats faced and the controls in place.
Under the FCA’s Senior Managers and Certification Regime, accountability for financial crime is explicit. Each responsibility must be owned by a named executive with the authority, resources and competence to deliver. For many firms, what matters most is whether those individuals have genuine oversight and whether the board’s dialogue with them is open and probing.
Legal teams are an important source of advice, but financial crime compliance is a risk-based discipline that depends on proportionate, practical measures that work day to day. In my experience, over-reliance on legal interpretation can either over-engineer controls or leave gaps in coverage.
It’s worth remembering that exposure doesn’t just come from the volume of transactions. Who the organisation does business with – its clients, counterparties and intermediaries – often presents the greatest source of financial crime risk.
Financial crime deserves a regular place on the board agenda, supported by clear reporting and periodic discussion. The form this takes will vary between organisations, but the objective is the same: to give the board confidence that financial crime risks are understood, owned and properly managed.
In firms that come under the UK’s anti-money laundering regime, two documents usually provide the backbone of board oversight:
- The MLRO Report, summarising financial crime risk, control performance and key findings.
- The Business-Wide Risk Assessment (BWRA), which incorporates how the firm identifies and assesses exposure to money laundering and terrorist financing, and how its controls address those risks.
For institutions outside the formal AML regime – such as many insurers or technology-driven businesses – there may be no requirement to produce these specific documents, but equivalent sources of assurance are essential. Many boards rely on a Financial Crime or Compliance Report alongside a firm-level risk assessment or control effectiveness review. Whatever the format, the goal is to give directors a clear view of the main exposures, how they are mitigated, and where improvement is needed.
It’s worth considering how well the reporting reflects the current business model and future plans – for example, whether new products, markets or delivery channels have been captured. And if every indicator appears consistently “green”, that may be a sign to probe deeper.
Financial crime risk doesn’t stop at the boundary of a firm. Management should benchmark performance against peers, monitor enforcement trends and maintain clear ownership for horizon-scanning.
Third-party and vendor arrangements deserve close attention. Many institutions now depend on external providers for KYC, screening or monitoring. Those relationships bring capability but also exposure. Accountability for financial crime risk cannot be outsourced, so the board should take assurance that oversight of key suppliers is active, documented and effective.
Certain developments often signal pressure on financial crime controls: rapid entry into new markets, complex product structures, or heavy reliance on cross-border third parties. When these arise, the key question is whether the organisation has the resources, capability and governance to manage the complexity it is creating.
Some weaknesses are easy to spot. Control frameworks that are incomplete or inconsistently applied. Decision-making that lacks transparency. Management information that is thin or unreliable. Weak data quality is often a symptom of weak governance.
Regulatory enforcement cases tend to share common causes: unclear ownership, poor transparency and an inability to evidence decisions when questioned. Firms that understand their control environment, act on early warnings and document how they make decisions rarely end up in enforcement.
Perfect control is neither possible nor required. What matters is credible control – demonstrably improving over time – and a culture that surfaces issues early and fixes them properly.
Surveillance has become a major area of regulatory focus, particularly around staff communications and potential insider activity. Boards should expect proportionate monitoring and independent testing, supported by a credible internal audit function.
Audit teams need to be close enough to understand the business, yet independent enough to provide challenge. If every report gives a clean bill of health, that in itself may be worth exploring further.
Culture plays a decisive role in how well financial crime risk is managed. The board’s clearest window into culture is how issues are raised and addressed, not just how they are fixed. Incentives, escalation pathways and tone from the top all shape how people respond when something doesn’t look right.
AI is beginning to reshape financial crime prevention, presenting both opportunity and risk. The opportunity lies in improved efficiency, faster detection and stronger regulatory outcomes. The risk lies in weak governance, poor explainability, over-reliance and loss of control over how models behave in practice.
The most effective use of AI comes when organisations apply it to specific, well-governed use cases rather than broad transformation projects. Trust and accountability are essential. The successful programmes we have seen to date have started small, maintained human oversight, and treated AI as an evolving capability that requires continuous validation and retraining.
AI may not yet be central to the control environment, but boards should at least understand where it is being tested or relied upon, and how it is governed. Before introducing advanced models, there needs to be confidence in the quality of today’s human decisions. If these are inconsistent or biased, automation may simply amplify the problem.
Boards should look for programmes that build trust, show early results and strengthen human expertise. Good practice includes hybrid implementation (AI alongside existing controls), clear ownership for model governance, transparent validation, and measurable business and compliance outcomes – not technology for its own sake.
The financial crime function isn’t there to slow commercial progress but to ensure that growth happens safely. When major problems in controls come to light, or when a regulatory fine is incurred, the impact on the business can be severe. Senior leaders are pulled into remediation work, meetings with regulators and extra oversight, which diverts attention from growth and into firefighting.
Pressure on control teams to dilute standards or defer issues is itself a governance risk. Boards that reinforce the message that good control and good business are aligned tend to sustain both.
Simple, precise questions often tell you most about how well a business understands its risks. One I often suggest is: What is the key financial crime risk we face right now, what controls mitigate it, and who owns those controls? A clear answer indicates maturity; an unclear one shows where attention is needed.
At BeyondFS, where I’m a Partner and Co-founder, we’ve worked with a wide range of financial institutions to assess the strength of their financial crime frameworks and clarify what “good” looks like in practice.
I’ve found that conversations with board members about financial crime oversight tend to surface pressure points that need attention or practical opportunities to strengthen controls. If you’d find it helpful to compare perspectives or discuss any aspect of financial crime governance, I’m always glad to exchange notes.
