AI · Accountability · Compliance

"It's Not My Fault — The AI Did It"
Is Not a Defence

What a US$3 billion bank fine, a Big Four refund and 1,700 court cases teach every professional who uses AI.

Nawshad Bhunnoo 10 min read July 2026
It's Not My Fault — The AI Did It — Is Not a Defence. AI may assist, humans decide and are accountable.

April 2026. The Nebraska Supreme Court suspends a lawyer from practice: 57 of the 63 citations in his appeal brief were defective — fictitious quotes, wrong case numbers, and cases that exist in no jurisdiction. Asked directly by the justices in February whether he had used AI, he denied it, before later admitting it (WOWT, 2026; Nebraska Public Media, 2026).

October 2025. Deloitte Australia partially refunds a AU$440,000 (about US$290,000) government report after a university researcher discovers it quotes academics who do not exist and attributes an invented quote to a federal court judgment. AI had been used to help produce it (Fortune, 2025).

October 2024. TD Bank becomes the first US national bank ever to plead guilty to conspiring to launder money, paying US$3.09 billion after leaving roughly US$18.3 trillion — 92% of its transaction volume — unmonitored for six years (US Department of Justice, 2024).

Three different professions. Three different failures. One identical lesson: in every case, the technology was blamed — and in every case, the regulator, the court, and the client held a person accountable.

If you work in compliance, fiduciary services, or fund administration, this article is about the question you will eventually be asked — why did you decide that? — and why "the system said so" has now been tested as a defence, repeatedly, in public, and has failed every time.

Why This Matters Right Now

Three developments make this month the wrong time to look away:

  • 2 August 2026 — the EU AI Act's next wave goes live. Transparency obligations under Article 50, including the duty to disclose when users are interacting with AI, apply from that date, with fines for the most serious breaches of the Act reaching €35 million or 7% of global turnover (Latham & Watkins, 2026). A political agreement reached on 7 May 2026 defers the heaviest high-risk system obligations to December 2027 — but the prohibitions and general-purpose AI rules are already in force, and Mauritius structures whose AI outputs are used in EU markets may fall within the Act's extraterritorial reach (Gibson Dunn, 2026).
  • FINRA has flagged AI agents as a distinct supervisory concern. Its 2026 Annual Regulatory Oversight Report warns of agents acting autonomously without human validation and approval, acting beyond their intended scope and authority, and defeating auditability — and asks firms to define where "human in the loop" oversight sits before deployment, not after (FINRA, 2025).
  • Adoption has outrun understanding. The FCA's chief executive told a techUK audience in June 2026 that over 80% of financial services firms are already using or adopting AI (Rathi, 2026). Yet the Bank of England and FCA's own survey found that only 34% of firms reported a complete understanding of the AI they use — 46% admitted their understanding was partial, particularly where tools came from third-party vendors (Bank of England and FCA, 2024).

That gap — between what firms are using and what they can defend — is where the enforcement of the next five years will happen. Closer to home, the FSC Mauritius saw this coming: its Fintech Series Guidance Notes No. 4 (September 2025) set out nine principles for the responsible use of AI, with accountability resting squarely on boards and senior management for all AI-generated outcomes, whether the tool was built in-house or bought (FSC Mauritius, 2025).

The Evidence: What "The AI Did It" Actually Costs

CaseWhat went wrongThe costThe real failure
TD Bank (US, 2024)Transaction monitoring not substantively updated 2014–2022; 92% of volume (~US$18.3tn) unmonitored; three laundering networks moved US$670m+US$3.09bn penalties; guilty plea; asset cap; 5-year monitorship (US Department of Justice, 2024)Not a software failure — a budget decision. Executives enforced a "flat cost paradigm" while risk grew (ABA Banking Journal, 2024)
Deloitte Australia (2025)AI-assisted government report contained fabricated academic references and an invented quote from a federal court judgmentPartial refund of AU$440,000; public correction; reputational damage far exceeding the fee (Fortune, 2025)Output was never verified against primary sources before a professional firm put its name on it
Mata v Avianca and its 1,700+ successors (global, 2023–2026)Lawyers filed AI-fabricated citations without reading themFrom a US$5,000 fine in 2023 to six-figure sanctions and, in April 2026, the first suspension of a law licence in Nebraska; over 1,700 documented court decisions worldwide (Charlotin, 2026)Courts ruled the source is irrelevant: if you signed it, you verified it — or you answer for it

Not one of these penalties was paid by an algorithm.

Read the third column again. And the courts have been pointed about how avoidable it all was: in the Nebraska matter, the Supreme Court noted that the fabrications could have been easily discovered using traditional legal research (Nebraska Public Media, 2026). The check that would have prevented career-ending damage was ordinary professional diligence — the kind every reader of this article already knows how to perform.

To be clear, none of this is an argument against the technology. The FATF itself concluded that these tools can make risk analysis more accurate, timely and comprehensive (FATF, 2021). It is an argument about where responsibility sits when the tools are used — and every case above answers that question the same way.

Gap Analysis: Where Firms Think They Are vs Where Regulators Expect Them to Be

Based on the FSC's nine principles, the Wolfsberg Group's five elements for AI in financial crime compliance, and the FATF's technology guidance, here is the honest gap most firms need to close:

#Regulators expectCommon current practiceThe gap
1A complete inventory of every AI tool in use, including staff's unofficial ones"We don't really use AI" — while staff quietly use chatbots for drafting and researchShadow AI: you cannot govern what you have not mapped
2Human review at every decision point, with authority to overrideAI output pasted into client files, reports, and screening conclusions unchangedReview exists on paper; verification does not happen in practice
3Named accountability for each AI-assisted process"IT handles the system" / "the vendor is responsible"Wolfsberg (2022) and FSC (2025) both reject this: accountability stays with the licensee and its board
4Documented reasoning behind decisions, not just outcomesFiles record what was decided, rarely whyThe one document an inspector actually wants is the one most files lack
5Understanding of what the tool does, what it misses, and how it failsTools adopted on vendor demos; limitations never tested — only 34% of firms surveyed by the Bank of England and FCA reported complete understanding of the AI they use (Bank of England and FCA, 2024)FATF (2021) expects institutions to understand their systems before deployment
6Proportionate use aligned to a risk-based approachSame automated depth applied to every file, high-risk or lowRisk-based means allocating human attention where risk is highest — that allocation is a judgement no tool makes for you
The Honest Benchmark

If more than two rows describe your organisation, you are not unusual. But "not unusual" was TD Bank's position too.

Seven Steps That Survive an Inspection

Concise, sequenced, and none requires a technology budget:

  • 1
    Run an AI amnesty this month.Ask every team member to list every AI tool they use for work — no penalties for honesty. The inventory is your foundation; shadow AI is your largest unrecorded risk.
  • 2
    Classify each use against risk.Drafting an internal email is not the same as screening a client. Map each tool to the decisions it touches, and apply the FSC's nine principles proportionately (FSC Mauritius, 2025).
  • 3
    Name one accountable owner per AI-assisted process.A person, not a department. If no one's name is next to it, the regulator will choose a name for you — usually at board level.
  • 4
    Impose a verification rule with no exceptions.Nothing AI-produced enters a client file, a court document, a regulatory filing, or a report bearing your firm's name until a human has checked it against a primary source. This is precisely the rule courts have now enforced over 1,700 times (Charlotin, 2026).
  • 5
    Record the reasoning, not just the result."Approved" is an outcome. "Approved because source of funds is evidenced by the audited accounts, the adverse media hit was assessed and discounted as a different individual, and residual risk sits within appetite" — written at the time — is a defence.
  • 6
    Treat AI output as evidence, never as a decision.A machine-generated risk score is an input with a provenance, like a bank reference. It informs judgement; it does not replace the human at the decision point (Wolfsberg Group, 2022).
  • 7
    Rehearse the question.Once a quarter, pick a closed file and ask the team: if the FSC asked us today why we decided this, what would we show them? If the answer is a system log and silence, you have found your gap while it is still free to fix.

The Skill That Survives the Machines

Here is the uncomfortable truth inside all the cases above: none was caused by bad AI. The models did what they were built to do — produce plausible output at speed. The failures happened in the space between the output and the signature, the space where a professional is paid to think. TD Bank's systems raised flags; humans chose not to fund the follow-up. Deloitte's report looked authoritative; no one checked whether the sources existed. The sanctioned lawyers received perfectly formatted citations; they simply never read them.

In fiduciary practice, I have watched how quickly a well-written summary hardens into an unquestioned fact on a file. Plausibility is the most dangerous quality AI output has — it wears the costume of verified work. The discipline of asking how do we know this? before anything enters a client record was valuable before these tools existed; it is now the difference between a defensible file and an expensive one.

That space — between what the machine produces and what you are willing to sign — is where compliance careers will be made or ended over the next decade. The professionals who let AI do the gathering while keeping the judging, who can show their reasoning in writing, and who can answer why without reaching for the system log, will not merely survive the AI era. They will be the ones regulators trust, boards promote, and clients keep.

The machine will keep getting better at finding things. Deciding what the findings mean — and standing behind that decision — was never the machine's job. It is still yours. That is not a burden. In a profession built on trust, it is the entire point.

This article reflects the author's personal views and general observations on professional practice. It does not constitute legal, regulatory, or professional advice, and does not describe the practices of any specific organisation.

References

ABA Banking Journal (2024) 'TD Bank agrees to pay $3.1 billion to resolve AML allegations', ABA Banking Journal, 1 November. Available at: https://bankingjournal.aba.com/2024/11/td-bank-agrees-to-pay-3-1-billion-to-resolve-aml-allegations/ (Accessed: 7 July 2026).

Bank of England and FCA (2024) Artificial intelligence in UK financial services — 2024. London: Bank of England and Financial Conduct Authority, 21 November. Available at: https://www.fca.org.uk/publications/research-notes/ai-uk-financial-services (Accessed: 7 July 2026).

Charlotin, D. (2026) AI Hallucination Cases Database. Available at: https://www.damiencharlotin.com/hallucinations/ (Accessed: 7 July 2026).

FATF (2021) Opportunities and Challenges of New Technologies for AML/CFT. Paris: Financial Action Task Force. Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/Opportunities-Challenges-of-New-Technologies-for-AML-CFT.pdf (Accessed: 7 July 2026).

FINRA (2025) 2026 FINRA Annual Regulatory Oversight Report. Washington, DC: Financial Industry Regulatory Authority, December. Available at: https://www.finra.org/sites/default/files/2025-12/2026-annual-regulatory-oversight-report.pdf (Accessed: 7 July 2026).

Fortune (2025) 'Deloitte was caught using AI in $290,000 report to help the Australian government crack down on welfare after a researcher flagged hallucinations', Fortune, 7 October. Available at: https://fortune.com/2025/10/07/deloitte-ai-australia-government-report-hallucinations-technology-290000-refund/ (Accessed: 7 July 2026).

FSC Mauritius (2025) Fintech Series Guidance Notes No. 4: Guidance Notes on the Responsible Use of Artificial Intelligence in Financial Services. Ebène: Financial Services Commission, Mauritius. Available at: https://www.fscmauritius.org/media/206401/guidelines-on-responsible-use-of-ai.pdf (Accessed: 7 July 2026).

Gibson Dunn (2026) 'EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes', 27 May. Available at: https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/ (Accessed: 7 July 2026).

Latham & Watkins (2026) 'AI Act Update: EU Resolves to Change Rules and Extend Deadlines', 13 May. Available at: https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines (Accessed: 7 July 2026).

Nebraska Public Media (2026) 'Nebraska Supreme Court blasts AI-authored court filings, recommends discipline', 20 March. Available at: https://nebraskapublicmedia.org/en/news/news-articles/nebraska-supreme-court-blasts-ai-authored-court-filings-recommends-discipline/ (Accessed: 7 July 2026).

Rathi, N. (2026) Rethinking regulation for the age of AI. Speech at techUK's Agents of Change: Generative and Agentic AI in Financial Services 2026, 24 June. London: Financial Conduct Authority. Available at: https://www.fca.org.uk/news/speeches/rethinking-regulation-age-ai (Accessed: 7 July 2026).

US Department of Justice (2024) United States of America v. TD Bank, N.A. Washington, DC: Department of Justice, Criminal Division, 10 October. Available at: https://www.justice.gov/criminal/case/united-states-america-v-td-bank-na (Accessed: 7 July 2026).

Wolfsberg Group (2022) Wolfsberg Principles for Using Artificial Intelligence and Machine Learning in Financial Crime Compliance. Basel: The Wolfsberg Group. Available at: https://wolfsberg-group.org/resources/202/93 (Accessed: 7 July 2026).

WOWT (2026) 'Nebraska Supreme Court suspends Omaha attorney over AI use', WOWT NBC Omaha, 16 April. Available at: https://www.wowt.com/2026/04/16/nebraska-supreme-court-suspends-omaha-attorney-over-ai-use/ (Accessed: 7 July 2026).

The right question to ask today.

Does your organisation have a clear, written policy on how AI tools are used — and by whom? If not, that is where to start.

Get in Touch
AI Accountability AML/CFT Compliance EU AI Act FSC Mauritius FINRA Risk Management Fiduciary Duty
Nawshad Bhunnoo

Nawshad Bhunnoo

Corporate Services & Private Wealth · Mauritius

A seasoned professional with over 10 years of experience in financial and corporate services, holding an MSc in Finance and Investment. Specialising in Global Business Companies, Trusts, Foundations, and regulatory compliance across jurisdictions.

Connect on LinkedIn →