The architecture advantage: How unified compliance unlocks risk intelligence at scale

At an estimated $5.6 trillion laundered annually, the money laundering economy is larger than Germany’s. If it were a country, it would be the world’s third-largest, behind only the United States and China. Yet the compliance functions responsible for fighting it are, in many cases, running their programs on a patchwork of disconnected systems.

In our annual State of Financial Crime survey of more than 600 compliance leaders, we found that 97% use two or more solutions for customer screening alone, and 53% use between eight and ten different systems across their compliance stack. That fragmentation is more than a procurement problem. It is a risk intelligence problem. When customer data, screening alerts, transaction patterns, and case outcomes sit in disconnected systems, no one has the holistic view of risk that regulators now expect, that auditors can probe, or that analysts need to make confident decisions at speed.

In the second panel of our North American Future of Compliance summit, three experts joined our Global Head of FCC Strategy, Andrew Davies, to examine what unified compliance architecture actually delivers. The panel was John Tobon, independent consultant and former Assistant Director for Homeland Security Investigations; Nicole Costaldo, Senior Managing Director in the data and analytics practice at FTI Consulting; and Sandra Desautels, a financial crime compliance consultant with 25 years advising financial institutions, and 15 years of federal law enforcement experience before that.

This article captures the heart of their conversation: how compliance architecture has become a determinant of growth, why data quality is the precondition for any meaningful AI investment, and what regulator-ready risk intelligence looks like in practice.

The cost of fragmented compliance architecture

The customer-facing cost is the one most product teams notice first. When compliance data is fragmented across systems acquired through M&A, built for individual business lines, or layered over time, the institution loses the ability to understand any single customer holistically. That hurts onboarding speed, undermines tailored risk-based offers, and erodes the customer trust that drives retention.

The regulatory cost is heavier. The panel pointed to a real-world example of a regulated firm that had identified a significant opportunity to expand into a new jurisdiction. The local regulator blocked the expansion until the firm could prove a comprehensive set of compliance controls, particularly in know your customer (KYC) and transaction monitoring. The firm had the customer demand. It did not have the architecture to evidence it could serve those customers safely.

Underlying both costs is a shift in the effectiveness bar. As US anti-money laundering (AML) reform moves toward judging compliance on outcomes rather than activity, the question is no longer whether the institution had a control in place, but whether it used the data it already had.

“The one thing you do not want is to find something on a look back that should have told you to take different steps. When systems are not interconnected, when we cannot connect a nugget of information in one place to a significant piece in another, we end up in a situation where we had the information all along. You knew or you should have known. You should have known because you had the data. All you needed was to put the pieces of that puzzle together.”

John Tobon, Principal, Tobon Consulting, LLC.

That framing reorients the architecture conversation. The defensive question is no longer “do we have enough tools?” It is “can we connect the data we already have well enough to act on it before it becomes a look-back finding?”

Data quality is the precondition for AI

The next instinct, once a fragmentation problem comes into view, is to ask whether AI can solve it. The panel was direct that AI cannot fix data architecture. It will, if anything, amplify whatever quality exists underneath it.

This is the most common reason AI implementations stall. An organization that has acquired competitors, integrated platforms incrementally, and built point solutions for individual risk types often has data that is technically present but not reliably mapped, lineage-tracked, or current enough to support the predictions a machine learning (ML) model is being asked to make.

“If your data is not correctly mapped, if you don’t have confidence in what is going into your systems, you’re not going to get the efficiency that you’re expecting, even by moving to the new technologies.”

Sandra Desautels, Independent consultant

Drawing the panel’s points together, four dimensions of data quality matter most for compliance architecture:

  1. Veracity: Is the data accurate at the point of capture? Sources that have not been independently verified should not feed automated decisioning.
  2. Integrity: Has the data been preserved without distortion through the pipeline from collection to consumption?
  3. Lineage: Can the institution show where a given data point originated, how it was transformed, and which systems have touched it? This is the audit trail regulators increasingly expect.
  4. Currency: How quickly does new information, especially sanctions and adverse media data, propagate through the stack? Legacy update cycles of 24 to 48 hours are no longer adequate when value moves in seconds.

AI adoption: from budget line to operating model

The pressure to adopt AI is unmistakable. Our research shows that 99% of organizations have either deployed or are evaluating AI in their financial crime programs, 99% have AI-specific budget allocated, and 88% now require AI capabilities in vendor proposals. Boards have made AI a de facto requirement.

The risk in that pressure is doing AI for AI’s sake. The panel returned repeatedly to a more disciplined framing: start from a specific pain point identified in the risk assessment, deploy AI where the business case is clearest, and let the human team focus on the cases that genuinely require their judgment.

One example the panel offered: an organization issuing COVID relief loans had hundreds of investigators working through alerts on potentially fraudulent applications. By layering machine learning across the full population of loans, the team identified patterns invisible at the individual case level. What emerged was a coordinated network of criminal groups using mule structures to submit low-value applications that, in aggregate, amounted to hundreds of millions of dollars. Without the unified data view and the right model, those connections would have stayed invisible.

“People call AI a great disruptor, but in many ways, for organizations all facing the challenge of how to use it, when to use it, and making sure they’re using it right, it’s also a great equalizer.”

Nicole Costaldo, Senior Managing Director, FTI Consulting

The equalizing point cuts in two directions. Institutions that move now build the operating capability and the documentation history that regulators will increasingly expect. Institutions that wait will eventually be forced to transform under regulatory pressure, on someone else’s timeline.

Building regulator-ready governance

The architecture that supports AI at scale is not just the model. It is the governance wrapped around it. The panel converged on three governance disciplines that compliance leaders should treat as non-negotiable.

  • Documentation: Every model, every threshold, every agentic decision pattern must be documented to a standard that an external auditor can follow without internal explanation. Documentation is the difference between an efficient program and a defensible one.
  • Training: Compliance and risk teams must understand how the AI tools they oversee actually work, including what training data was used, what the model is optimized for, and where its known limitations sit. Without that fluency, the institution cannot interrogate its own outputs.
  • Explainability for multiple audiences: Regulators are one audience. Analysts who act on AI-prioritized alerts are another. Boards and executives are a third. The architecture must produce explanations that each audience can act on without losing the precision the model itself delivers.

The through-line is trust. Trust travels with the data, the model, and the institution’s ability to demonstrate that its compliance program is working. A unified architecture makes that demonstration straightforward. A fragmented one makes it nearly impossible.

The window for compliance leaders is open

The pace of change in AI is not slowing. The panel was clear that compliance functions cannot afford to design a static architecture for a dynamic environment. The right posture is forward-leaning: a program that assumes its tools will be more capable in six months than they are today and that builds with that growth path in mind.

For compliance leaders mapping the next 12 to 24 months, three priorities follow from the discussion:

  1. Consolidate before you automate. A unified data view across screening, monitoring, and case management is the foundation that makes AI investment worthwhile in the first place.
  2. Start where the pain is clearest. Identify the workflow where bad data, high false positive rates, or fragmented alerts are costing the team most, and deploy AI there first. Iterate from there.
  3. Build governance and training in parallel with technology. The institutions that come through the next exam cycle in good shape will be the ones whose people, processes, and documentation moved at the same pace as their models.

The technology to support all of this exists. The question is whether compliance functions will lead the conversation about how to apply it, or react to it after a regulator, peer, or criminal does it first.

Originally published 15 May 2026, updated 15 May 2026

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2026 IVXS UK Limited (trading as ComplyAdvantage).