Why Compliance Alert Floods Need AI, Not More Rules

Simon Carver

[warmly] Welcome to the show. This is “The Compliance Illusion,” and the whole argument is simple: a lot of banks built compliance systems to survive audits, not to stop modern financial crime. If you enjoy these quick takes, please like, share, and subscribe—it really helps people find the show. I’m Simon Carver, with Lachlan Reed and our guest Jack Burns. And Lachlan, let me start with the number that should make anybody in compliance sit upright: if your institution generates 40,000 alerts in a month and only five represent actual criminal activity, are you running a security system... or just manufacturing noise?

Lachlan Reed

[curious] Yeah, 40,000-to-five is the bit that sticks, mate. That’s not a haystack with a needle in it—that’s like tipping a whole beach into the office and telling some poor analyst, “Good luck by Friday.” And the ugly part is, loads of teams got built around that mess. People doing repetitive reviews, defensive SAR filing, clicking through case screens all day, just trying not to miss the one thing that gets them roasted later.

Jack Burns

[calm] That 40,000-to-five ratio is not merely inefficient. It is a signal-to-noise collapse. When a system produces overwhelming volumes of low-value alerts, the operator stops distinguishing relevance from ritual. We saw that in military intelligence. We saw it in cybersecurity. And now we are seeing it in financial crime operations. The institution begins to confuse activity with awareness.

Simon Carver

[questioning tone] “Activity with awareness” is exactly it. Because on paper, a bank can say, look, we reviewed the alerts, documented the workflow, filed the reports. But Jack, that’s the illusion, right? They can prove the machine was busy without proving the system was actually intelligent.

Jack Burns

[matter-of-fact] Correct. Traditional BSA and AML programs were built around static controls—thresholds, rules, queues, periodic reviews. The famous $10,000 CTR threshold is the obvious symbol of this mindset. Useful in its place, but criminals study the threshold too. They adapt around it. They structure below it. They disperse transactions. They use smurfing, mule accounts, shell-company layering, and disconnected identities because they understand the geometry of the rulebook.

Lachlan Reed

[responds quickly] Wait—the $10,000 figure is the memory hook there. Once a threshold becomes common knowledge, it’s basically a road sign for crooks: “Slow down here, speed up over there.” That’s the mad part. Banks keep acting like an IF/THEN rule from decades ago is a guard dog, but the dog’s asleep in the ute.

Simon Carver

[laughs softly] Defending a drone swarm with filing cabinets. That’s what this sounds like to me. You’ve got networks moving money across shell entities and synthetic profiles in real time, and on the other side somebody is still saying, “Well, the branch monitor will catch it in the next cycle.”

Jack Burns

[skeptical] And “next cycle” is exactly the problem. Modern laundering operations do not respect delayed reporting cycles, siloed branch monitoring, or fragmented customer identity records. They exploit them. A synthetic identity may appear benign in one product line, a mule account may look ordinary in another, and a shell-company transaction may seem routine in a third. No single static rule sees the pattern. The criminal organization relies on that fragmentation.

Lachlan Reed

[hesitates] So let me try to say that back—slightly badly, probably. The old model assumes the bad guy will trip one alarm. The new reality is they smear themselves across ten systems so no single alarm looks dramatic. Is that roughly it?

Jack Burns

[calm] Almost. The more important point is that dispersion is not accidental anymore. It can be operationally optimized. Criminals already automate pieces of fraud pattern generation, routing, identity obfuscation, even fake business creation. So the spread across those ten systems can become deliberate, adaptive behavior.

Simon Carver

[quietly] “Operationally optimized.” That’s the phrase I’m not going to forget. Because the public conversation still treats AI like a tool only legitimate companies have. Meanwhile the people laundering money, running fraud, building synthetic KYC packages—they’re not waiting for permission. They’re using the fastest tool available.

Lachlan Reed

[frustrated] And the average analyst is up against machine-speed criminal infrastructure while still working in spreadsheet-speed workflows. That mismatch is brutal. It’s not just a tech problem either—it’s a human one. You burn out good people by trapping them in admin fog, then act surprised when the work gets shallower.

Simon Carver

[reflective] This is where the conversation gets more interesting for me. Because the cheap headline is “AI replaces compliance workers.” But that’s too flat. What I’m hearing instead is that the job changes shape. Less alert clearing, less copy-paste narrative writing, less static risk scoring... more judgment, more supervision, more investigation.

Lachlan Reed

[excited] Yeah, exactly. The old gig is repetitive reviews and defensive SAR writing—basically paperwork yoga. The emerging gig is investigative orchestration. You’re validating anomalies, comparing patterns across systems, checking whether what the model found actually means something in the real world. That’s a very different kind of work. More brains, less hamster wheel.

Jack Burns

[measured] I would go one step further. Humans are not becoming obsolete. Humans are becoming governors of increasingly autonomous systems. That means the investigator of the future is closer to an intelligence operator managing machine reconnaissance. The AI can surface patterns, cluster anomalies, prioritize attention, even recommend escalation. But it should not independently file a SAR and disappear behind its own output. Accountability must remain human.

Simon Carver

[questioning tone] Let’s stay on that word—SAR. You’re saying AI can recommend the SAR, but not file it autonomously. Not because the machine is useless, but because the legal and ethical burden belongs somewhere specific.

Jack Burns

[firmly] Precisely. A suspicious activity report is not just a data artifact. It is an escalation decision with regulatory, legal, and reputational consequences. If an examiner asks why the institution acted, or failed to act, “the model thought so” is not a governance framework. Explainability matters. Supervision matters. The human-in-the-loop is not decorative. It is the control.

Lachlan Reed

[curious] And explainability is the bit leaders love to dodge, hey. They want the shiny AI dashboard, but when someone asks, “Why did the model flag this customer and ignore that one?” suddenly everybody’s looking at their shoes. The institutions that survive won’t be the ones with the MOST AI. They’ll be the ones with the best-governed AI.

Simon Carver

[warmly] Best-governed AI—that’s the line. Because there’s another trap here. If a company cuts too many experienced investigators in the name of efficiency, it may save money this quarter and destroy its own supervision layer at the same time. You don’t just lose headcount. You lose institutional intuition—the person who can look at a weird cluster of transactions and say, “No, this pattern smells wrong even if the rule didn’t fire.”

Jack Burns

[reflective] Yes. Organizations often underestimate apprenticeship effects. Junior analysts learn by watching experienced investigators distinguish a false positive from a meaningful anomaly. Remove enough of those experienced people, and you weaken not only today’s decisions but tomorrow’s judgment. Then the institution becomes dependent on models it no longer fully understands or properly challenges.

Lachlan Reed

[short pause] That’s the part that gives me the shivers a bit. Because we talk about AI like it saves labour, but sometimes it just reveals whether you’ve got any real craft left in the building. If all your team knows how to do is clear alerts, then yeah, they’re in strife. But if they can interpret behaviour, test assumptions, escalate with context—that’s gold.

Simon Carver

[softly] So the real shift isn’t from human work to machine work. It’s from clerical compliance to supervised intelligence work. From proving that activity occurred... to proving that intelligence exists.

Jack Burns

[calm] Exactly. The future analyst is not a paperwork processor. They are a strategic defender inside a financial battlefield moving at machine speed. If leadership still believes this is a world of forms, thresholds, and checklists, then leadership is already years behind the threat.

Lachlan Reed

[deadpan] And if your master plan is still “maybe the spreadsheet will save us,” well... even a kangaroo could trip over that one. [chuckles] Seriously though, this is the moment to rebuild the job before the job gets rebuilt for you.

Simon Carver

[warmly] That’s a good place to leave it. Thanks for listening, and thanks, Jack, for helping us cut through the fog.

Jack Burns

[softly] A pleasure.

Lachlan Reed

[friendly] Good on you for being here, folks.

Simon Carver

If you enjoyed this episode, like, share, and subscribe—and maybe send it to somebody who still thinks spreadsheets can stop automated crime. We’ll see you next time.