Financial crime compliance

Financial crime losses are rising not because banks are doing less, but because fragmented defences cannot keep pace with coordinated, AI-enabled attackers

When we wrote on financial crime compliance in last year’s report, the central message was that threats were outpacing the industry’s traditional response and that simply throwing more resources at the problem was no longer a viable response. Twelve months later, scams are becoming increasingly sophisticated, and methods such as authorised push payment (APP) fraud is moving funds out of victim accounts faster than banks can respond.

The number of deception cases in Hong Kong has more than doubled over the past five years¹, despite a modest 3% decline in 2025. Technology-enabled deception – including online shopping scams, investment scams and impersonation of officials – now accounts for the majority of cases reported to the police.

Hong Kong’s experience is consistent with the pattern observed in KPMG’s Global Banking Scam Survey, which covered 48 banks across 16 countries².

Two findings from the survey are particularly important for boards and senior management in Hong Kong. First, 60% of banks have seen scam-related customer complaints rise, with the most common grievances being dissatisfaction with reimbursement decisions, frustration at transactional friction, and a feeling that the bank could be doing more to protect them.

Second, while the use of deepfakes and generative AI in scams is not yet prevalent in case volumes, it is universally expected to increase — and is already showing up in falsified KYC documents, fraudulent bank impersonation websites, multilingual phishing campaigns and deepfake-driven investment scams featuring well-known public figures on social media.

Chad Olsen

Head of Forensic Services, Hong Kong SAR

KPMG China

mail
call

Sue Bradford

Partner, Forensic

KPMG Australia

mail
call

The very AI technology the industry is deploying to disrupt financial crime is, in parallel, being weaponised against it.

The regulatory direction of travel

Looking at the direction of travel set by regulators in Hong Kong and globally, three themes stand out.

filter_1

A shift from experimentation to measurable outcomes

After several years in which sandboxes, proofs of concept and isolated pilots have been the dominant mode of engagement with AI in financial crime, the expectation is that banks should now be translating this into demonstrable real-world impact.

filter_2

Embedding of governance and accountability across all lines of defence

As banks deploy AI, and in some cases agentic AI, into customer due diligence, transaction monitoring and risk scoring, supervisors are looking for model governance, explainability and human oversight to be part of the initial design rather than retrofitted after deployment.

filter_3

Transition from rule-based to intelligence-led risk management

Regulators increasingly expect a move away from periodic KYC reviews towards perpetual, signal-driven customer monitoring; and towards greater intelligence sharing between banks, with law enforcement, and across the wider ecosystem.

Taken together, these themes signal that the bar for financial crime compliance is being raised in a specific and deliberate way. Banks that continue to rely primarily on rule-based controls and periodic reviews are likely to find themselves increasingly out of step with both the threat landscape and supervisory expectations.

What an intelligence-led model looks like in practice

Intelligence-led financial crime management is less a single technology choice than a different way of organising the function. Four shifts define what this looks like in practice:

filter_1

Perpetual KYC replacing periodic review

Rather than triggering a full customer refresh every one, three or five years, banks need to continuously monitor signals such as transactional behaviour, changes in digital footprint and network linkages to update risk ratings dynamically. The effect is that effort is concentrated where risk has genuinely moved, rather than spread evenly across a population on a calendar basis. For most banks in Hong Kong, this is a multi-year transition, but it is the single change most likely to improve both effectiveness and efficiency over time.

filter_2

Use of AI to support detection and investigation

Agentic systems can triage alerts, gather context from internal and external sources, draft investigator narratives and escalate cases that genuinely require human judgement. The institutions making the most progress are those that connect these capabilities across onboarding, transaction monitoring, fraud and scam detection, rather than running them as separate point solutions.

filter_3

Real-time, customer-centric intervention in place of purely downstream investigation

The most effective prevention controls identified in our Global Banking Scam Survey were transaction pausing and account freezing, rated effective by 91% and 85% of banks respectively, followed by targeted customer contact at 76%. Generic warnings and pop-up messages, which remain common in digital channels, were rated effective by just 47%. The implication is that intervention needs to happen at the point of risk, not after the funds have left the bank.

filter_4

Operating as part of a wider ecosystem rather than in isolation

Many scam syndicates are cross-institutional and cross-border by design, and no single bank can see the full picture on its own. Addressing them effectively requires shared typologies, consortium data and coordinated action with law enforcement. Hong Kong’s financial infrastructure and regulatory environment place it in a strong position to contribute to this kind of ecosystem response, and this is an area where we expect to see meaningful progress over the next two years.