April 2026. The Nebraska Supreme Court suspends a lawyer from practice: 57 of the 63 citations in his appeal brief were defective — fictitious quotes, wrong case numbers, and cases that exist in no jurisdiction. Asked directly by the justices in February whether he had used AI, he denied it, before later admitting it (WOWT, 2026; Nebraska Public Media, 2026).
October 2025. Deloitte Australia partially refunds a AU$440,000 (about US$290,000) government report after a university researcher discovers it quotes academics who do not exist and attributes an invented quote to a federal court judgment. AI had been used to help produce it (Fortune, 2025).
October 2024. TD Bank becomes the first US national bank ever to plead guilty to conspiring to launder money, paying US$3.09 billion after leaving roughly US$18.3 trillion — 92% of its transaction volume — unmonitored for six years (US Department of Justice, 2024).
Three different professions. Three different failures. One identical lesson: in every case, the technology was blamed — and in every case, the regulator, the court, and the client held a person accountable.
If you work in compliance, fiduciary services, or fund administration, this article is about the question you will eventually be asked — why did you decide that? — and why "the system said so" has now been tested as a defence, repeatedly, in public, and has failed every time.
Why This Matters Right Now
Three developments make this month the wrong time to look away:
- 2 August 2026 — the EU AI Act's next wave goes live. Transparency obligations under Article 50, including the duty to disclose when users are interacting with AI, apply from that date, with fines for the most serious breaches of the Act reaching €35 million or 7% of global turnover (Latham & Watkins, 2026). A political agreement reached on 7 May 2026 defers the heaviest high-risk system obligations to December 2027 — but the prohibitions and general-purpose AI rules are already in force, and Mauritius structures whose AI outputs are used in EU markets may fall within the Act's extraterritorial reach (Gibson Dunn, 2026).
- FINRA has flagged AI agents as a distinct supervisory concern. Its 2026 Annual Regulatory Oversight Report warns of agents acting autonomously without human validation and approval, acting beyond their intended scope and authority, and defeating auditability — and asks firms to define where "human in the loop" oversight sits before deployment, not after (FINRA, 2025).
- Adoption has outrun understanding. The FCA's chief executive told a techUK audience in June 2026 that over 80% of financial services firms are already using or adopting AI (Rathi, 2026). Yet the Bank of England and FCA's own survey found that only 34% of firms reported a complete understanding of the AI they use — 46% admitted their understanding was partial, particularly where tools came from third-party vendors (Bank of England and FCA, 2024).
That gap — between what firms are using and what they can defend — is where the enforcement of the next five years will happen. Closer to home, the FSC Mauritius saw this coming: its Fintech Series Guidance Notes No. 4 (September 2025) set out nine principles for the responsible use of AI, with accountability resting squarely on boards and senior management for all AI-generated outcomes, whether the tool was built in-house or bought (FSC Mauritius, 2025).
The Evidence: What "The AI Did It" Actually Costs
| Case | What went wrong | The cost | The real failure |
|---|---|---|---|
| TD Bank (US, 2024) | Transaction monitoring not substantively updated 2014–2022; 92% of volume (~US$18.3tn) unmonitored; three laundering networks moved US$670m+ | US$3.09bn penalties; guilty plea; asset cap; 5-year monitorship (US Department of Justice, 2024) | Not a software failure — a budget decision. Executives enforced a "flat cost paradigm" while risk grew (ABA Banking Journal, 2024) |
| Deloitte Australia (2025) | AI-assisted government report contained fabricated academic references and an invented quote from a federal court judgment | Partial refund of AU$440,000; public correction; reputational damage far exceeding the fee (Fortune, 2025) | Output was never verified against primary sources before a professional firm put its name on it |
| Mata v Avianca and its 1,700+ successors (global, 2023–2026) | Lawyers filed AI-fabricated citations without reading them | From a US$5,000 fine in 2023 to six-figure sanctions and, in April 2026, the first suspension of a law licence in Nebraska; over 1,700 documented court decisions worldwide (Charlotin, 2026) | Courts ruled the source is irrelevant: if you signed it, you verified it — or you answer for it |
Not one of these penalties was paid by an algorithm.
Read the third column again. And the courts have been pointed about how avoidable it all was: in the Nebraska matter, the Supreme Court noted that the fabrications could have been easily discovered using traditional legal research (Nebraska Public Media, 2026). The check that would have prevented career-ending damage was ordinary professional diligence — the kind every reader of this article already knows how to perform.
To be clear, none of this is an argument against the technology. The FATF itself concluded that these tools can make risk analysis more accurate, timely and comprehensive (FATF, 2021). It is an argument about where responsibility sits when the tools are used — and every case above answers that question the same way.
Gap Analysis: Where Firms Think They Are vs Where Regulators Expect Them to Be
Based on the FSC's nine principles, the Wolfsberg Group's five elements for AI in financial crime compliance, and the FATF's technology guidance, here is the honest gap most firms need to close:
| # | Regulators expect | Common current practice | The gap |
|---|---|---|---|
| 1 | A complete inventory of every AI tool in use, including staff's unofficial ones | "We don't really use AI" — while staff quietly use chatbots for drafting and research | Shadow AI: you cannot govern what you have not mapped |
| 2 | Human review at every decision point, with authority to override | AI output pasted into client files, reports, and screening conclusions unchanged | Review exists on paper; verification does not happen in practice |
| 3 | Named accountability for each AI-assisted process | "IT handles the system" / "the vendor is responsible" | Wolfsberg (2022) and FSC (2025) both reject this: accountability stays with the licensee and its board |
| 4 | Documented reasoning behind decisions, not just outcomes | Files record what was decided, rarely why | The one document an inspector actually wants is the one most files lack |
| 5 | Understanding of what the tool does, what it misses, and how it fails | Tools adopted on vendor demos; limitations never tested — only 34% of firms surveyed by the Bank of England and FCA reported complete understanding of the AI they use (Bank of England and FCA, 2024) | FATF (2021) expects institutions to understand their systems before deployment |
| 6 | Proportionate use aligned to a risk-based approach | Same automated depth applied to every file, high-risk or low | Risk-based means allocating human attention where risk is highest — that allocation is a judgement no tool makes for you |
If more than two rows describe your organisation, you are not unusual. But "not unusual" was TD Bank's position too.
Seven Steps That Survive an Inspection
Concise, sequenced, and none requires a technology budget:
- 1Run an AI amnesty this month.Ask every team member to list every AI tool they use for work — no penalties for honesty. The inventory is your foundation; shadow AI is your largest unrecorded risk.
- 2Classify each use against risk.Drafting an internal email is not the same as screening a client. Map each tool to the decisions it touches, and apply the FSC's nine principles proportionately (FSC Mauritius, 2025).
- 3Name one accountable owner per AI-assisted process.A person, not a department. If no one's name is next to it, the regulator will choose a name for you — usually at board level.
- 4Impose a verification rule with no exceptions.Nothing AI-produced enters a client file, a court document, a regulatory filing, or a report bearing your firm's name until a human has checked it against a primary source. This is precisely the rule courts have now enforced over 1,700 times (Charlotin, 2026).
- 5Record the reasoning, not just the result."Approved" is an outcome. "Approved because source of funds is evidenced by the audited accounts, the adverse media hit was assessed and discounted as a different individual, and residual risk sits within appetite" — written at the time — is a defence.
- 6Treat AI output as evidence, never as a decision.A machine-generated risk score is an input with a provenance, like a bank reference. It informs judgement; it does not replace the human at the decision point (Wolfsberg Group, 2022).
- 7Rehearse the question.Once a quarter, pick a closed file and ask the team: if the FSC asked us today why we decided this, what would we show them? If the answer is a system log and silence, you have found your gap while it is still free to fix.
The Skill That Survives the Machines
Here is the uncomfortable truth inside all the cases above: none was caused by bad AI. The models did what they were built to do — produce plausible output at speed. The failures happened in the space between the output and the signature, the space where a professional is paid to think. TD Bank's systems raised flags; humans chose not to fund the follow-up. Deloitte's report looked authoritative; no one checked whether the sources existed. The sanctioned lawyers received perfectly formatted citations; they simply never read them.
In fiduciary practice, I have watched how quickly a well-written summary hardens into an unquestioned fact on a file. Plausibility is the most dangerous quality AI output has — it wears the costume of verified work. The discipline of asking how do we know this? before anything enters a client record was valuable before these tools existed; it is now the difference between a defensible file and an expensive one.
That space — between what the machine produces and what you are willing to sign — is where compliance careers will be made or ended over the next decade. The professionals who let AI do the gathering while keeping the judging, who can show their reasoning in writing, and who can answer why without reaching for the system log, will not merely survive the AI era. They will be the ones regulators trust, boards promote, and clients keep.
The machine will keep getting better at finding things. Deciding what the findings mean — and standing behind that decision — was never the machine's job. It is still yours. That is not a burden. In a profession built on trust, it is the entire point.
This article reflects the author's personal views and general observations on professional practice. It does not constitute legal, regulatory, or professional advice, and does not describe the practices of any specific organisation.
References
ABA Banking Journal (2024) 'TD Bank agrees to pay $3.1 billion to resolve AML allegations', ABA Banking Journal, 1 November. Available at: https://bankingjournal.aba.com/2024/11/td-bank-agrees-to-pay-3-1-billion-to-resolve-aml-allegations/ (Accessed: 7 July 2026).
Bank of England and FCA (2024) Artificial intelligence in UK financial services — 2024. London: Bank of England and Financial Conduct Authority, 21 November. Available at: https://www.fca.org.uk/publications/research-notes/ai-uk-financial-services (Accessed: 7 July 2026).
Charlotin, D. (2026) AI Hallucination Cases Database. Available at: https://www.damiencharlotin.com/hallucinations/ (Accessed: 7 July 2026).
FATF (2021) Opportunities and Challenges of New Technologies for AML/CFT. Paris: Financial Action Task Force. Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/Opportunities-Challenges-of-New-Technologies-for-AML-CFT.pdf (Accessed: 7 July 2026).
FINRA (2025) 2026 FINRA Annual Regulatory Oversight Report. Washington, DC: Financial Industry Regulatory Authority, December. Available at: https://www.finra.org/sites/default/files/2025-12/2026-annual-regulatory-oversight-report.pdf (Accessed: 7 July 2026).
Fortune (2025) 'Deloitte was caught using AI in $290,000 report to help the Australian government crack down on welfare after a researcher flagged hallucinations', Fortune, 7 October. Available at: https://fortune.com/2025/10/07/deloitte-ai-australia-government-report-hallucinations-technology-290000-refund/ (Accessed: 7 July 2026).
FSC Mauritius (2025) Fintech Series Guidance Notes No. 4: Guidance Notes on the Responsible Use of Artificial Intelligence in Financial Services. Ebène: Financial Services Commission, Mauritius. Available at: https://www.fscmauritius.org/media/206401/guidelines-on-responsible-use-of-ai.pdf (Accessed: 7 July 2026).
Gibson Dunn (2026) 'EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes', 27 May. Available at: https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/ (Accessed: 7 July 2026).
Latham & Watkins (2026) 'AI Act Update: EU Resolves to Change Rules and Extend Deadlines', 13 May. Available at: https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines (Accessed: 7 July 2026).
Nebraska Public Media (2026) 'Nebraska Supreme Court blasts AI-authored court filings, recommends discipline', 20 March. Available at: https://nebraskapublicmedia.org/en/news/news-articles/nebraska-supreme-court-blasts-ai-authored-court-filings-recommends-discipline/ (Accessed: 7 July 2026).
Rathi, N. (2026) Rethinking regulation for the age of AI. Speech at techUK's Agents of Change: Generative and Agentic AI in Financial Services 2026, 24 June. London: Financial Conduct Authority. Available at: https://www.fca.org.uk/news/speeches/rethinking-regulation-age-ai (Accessed: 7 July 2026).
US Department of Justice (2024) United States of America v. TD Bank, N.A. Washington, DC: Department of Justice, Criminal Division, 10 October. Available at: https://www.justice.gov/criminal/case/united-states-america-v-td-bank-na (Accessed: 7 July 2026).
Wolfsberg Group (2022) Wolfsberg Principles for Using Artificial Intelligence and Machine Learning in Financial Crime Compliance. Basel: The Wolfsberg Group. Available at: https://wolfsberg-group.org/resources/202/93 (Accessed: 7 July 2026).
WOWT (2026) 'Nebraska Supreme Court suspends Omaha attorney over AI use', WOWT NBC Omaha, 16 April. Available at: https://www.wowt.com/2026/04/16/nebraska-supreme-court-suspends-omaha-attorney-over-ai-use/ (Accessed: 7 July 2026).
