A single click can trigger a global investigation—when transactional data falls into the wrong hands, billions in illicit flows can vanish through the cracks. The Bank for International Settlements (BIS) has put a glaring spotlight on this risk, warning that financial crime is mutating as criminals and even legitimate actors misuse payment data. The result? A seismic compliance and AML challenge for institutions everywhere, with regulatory expectations growing more complex by the month. This deep dive explores the latest evidence, international guidance, and critical risks underscored by the BIS, giving compliance professionals a roadmap for defending their institutions in the data age.
Financial Crime Risks in Transactional Data Misuse
Transactional data is the lifeblood of global finance. Each digital transfer, securities trade, and payment instruction creates a trail of sensitive data—prime real estate for financial crime. The BIS, in its recent analysis, highlights how these data trails are increasingly targeted by criminal groups, from classic money laundering rings to tech-savvy fraudsters. New techniques, like combining leaked payment details with open-source intelligence, allow criminals to map networks, build synthetic identities, and design ever-more sophisticated layering strategies.
Anti-money laundering teams are fighting typologies that never existed in the cash-dominated era. Data breaches now feed fraud and laundering at scale, giving rise to threats like account takeovers and cross-border money mule networks. At the same time, digital transformation of finance—faster payments, open banking, real-time settlement—means that both the scale and speed of data misuse are accelerating.
Global regulators, including the European Union’s GDPR, the US Bank Secrecy Act, and standards set by the Financial Action Task Force (FATF), require institutions to protect customer data and monitor transactions for illicit activity. Yet as the BIS paper makes clear, the rapid digitalization of payments has left many compliance frameworks lagging. Criminals exploit these gaps, leveraging everything from SIM swaps to credential stuffing to compromise and repurpose transactional data, putting institutions at risk of regulatory sanctions and brand damage.
AML Compliance Failures and the High Cost of Data Misuse
Some of the biggest compliance scandals in recent years have shared a common thread: poor controls over transactional data. In 2024, a leading European bank faced a €50 million fine when investigators uncovered a ring of insiders who sold SWIFT message data to organized crime. The subsequently laundered funds flowed undetected through a patchwork of global banks. The penalties cited breaches of both GDPR’s Article 32 (on data security) and the EU’s AML Directive 2018/1673 (Article 7, transaction monitoring). It was a wake-up call that poor data hygiene can bring dual regulatory action—from privacy and AML watchdogs alike.
Across the Atlantic, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) have similarly targeted banks for data-related AML failures. When poor encryption or weak access controls let criminal networks tap transactional flows, institutions face not only fines, but the risk of ongoing criminal exploitation. Cases of synthetic identity fraud, account takeovers, and real-time payment scams have all been traced back to lapses in transactional data management.
The economic cost is staggering. Industry research and BIS estimates put global losses to data-driven financial crime at more than $60 billion in 2024 alone, with the majority tied to money laundering and fraud. For compliance and AML teams, investing in robust internal controls, data segregation, and continuous monitoring is not just best practice—it’s existential risk management.
Regulatory Evolution and the Push for Data Integrity in AML
The regulatory landscape is evolving fast, with a wave of guidance focused on the intersection of data integrity, privacy, and AML obligations. Following a series of headline data breaches and high-profile cyberattacks, regulatory authorities have moved to tighten rules around transactional data access and monitoring.
The EU’s Sixth AML Directive (6AMLD) and the latest revisions to the GDPR emphasize proactive risk assessment and security of transactional data. Article 32a of the AML Directive explicitly names the safeguarding of transactional records as a compliance imperative. In the United States, FinCEN’s 2024 guidance on digital identity verification highlights the need for banks to not only monitor but also actively secure transactional data points from both insider and external threats.
The Financial Action Task Force (FATF) also stepped up in 2025, revising its methodology to place data integrity and real-time monitoring at the heart of effective AML/CFT programs. The BIS bulletin reflects this global shift: institutions must ensure that customer due diligence, transaction monitoring, and suspicious activity reporting are underpinned by robust data governance. In Asia-Pacific, the Monetary Authority of Singapore (MAS) and Hong Kong Monetary Authority (HKMA) have issued directives echoing these standards, emphasizing encryption, multi-factor authentication, and advanced analytics as non-negotiable components of AML compliance.
Emerging Typologies and AML Controls in the Data Age
As regulatory requirements harden, criminals continue to innovate. The BIS highlights a disturbing trend: the weaponization of aggregated payment data to facilitate large-scale financial crime. This includes:
- Synthetic identity fraud: Criminals use data leaks to build credible but fake customer profiles, bypassing traditional KYC checks and enabling fraudulent account openings.
- Account takeover schemes: Access to transactional data makes it easier to defeat step-up authentication, take control of accounts, and launder money in real time.
- Business email compromise and payment diversion: Transaction data is exploited to time fraudulent instructions or reroute legitimate payments.
- Trade-based money laundering: Detailed payment records are manipulated to disguise illicit value transfers behind seemingly legitimate trade flows.
AML systems must evolve to detect these patterns. Institutions are turning to behavioral analytics, machine learning, and biometric controls to spot anomalies in real time. Yet, as the BIS points out, technology is not a silver bullet—success requires a foundation of sound data management, staff training, and board-level accountability.
Data governance frameworks need to cover the full lifecycle of transactional data, from capture and storage to sharing and destruction. Role-based access, regular audits, and encryption are now baseline expectations. The BIS urges a holistic risk approach: combining technology investment with strong internal controls, continuous staff training, and real-world scenario testing.
Securing the Future of AML in a Data-Driven World
Mitigating the misuse of transactional data will define the next decade of financial crime compliance. The BIS’s warnings are not just for headline effect—they point to the existential risks and regulatory scrutiny awaiting any institution that underestimates the threat.
Future-ready AML programs must blend technology with governance. This means real-time anomaly detection, privacy-by-design in payments infrastructure, and a corporate culture that prizes data stewardship. The regulatory direction is clear: financial institutions that fail to proactively secure transactional data risk not just fines, but systemic damage to trust and operational resilience.
Emerging global standards will further raise the bar. Institutions should benchmark their practices not only against current local regulations, but also against BIS recommendations, FATF guidelines, and the strictest privacy rules worldwide. Those that succeed will protect themselves, their customers, and the integrity of the financial system—while those who lag will face rising compliance costs and reputational risk.
Related Links
- FATF: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation
- EU Sixth Anti-Money Laundering Directive (6AMLD) Text
- FinCEN: Bank Secrecy Act Resource Center
- GDPR Official Portal
Source: BIS Bulletin 108 (PDF)