The Compliance Paradox: Why More Data Is Making Fraud Harder to Fight
Global compliance spending rises yet corruption persists. AI and blockchain offer a path from collect-and-store to verify-and-attest compliance.
The latest Corruption Perceptions Index (CPI), released this month, confirms a troubling reality: global corruption remains entrenched, with more than two-thirds of countries scoring below 50 and showing little sustained improvement despite rising compliance costs.
Global compliance spending continues to increase, yet corruption indicators show limited structural progress. At the same time, the World Economic Forum's Global Risks Report highlights a parallel erosion of institutional trust across public and private sectors, including declining confidence in corporate governance and regulatory effectiveness.
Together, these trends present a fundamental challenge for governance, risk, and compliance (GRC) leaders: how to demonstrate measurable impact against fraud and illicit finance risk while reducing operational and cyber exposure. As a veteran regulatory and compliance expert, a director and advisor to digital asset companies, including stablecoin issuers, and the author of Triple Bottom Line Compliance: How to Deliver More Protection, Productivity and Impact, I am optimistic about the potential to leverage these trends to solve a problem many in the industry have been focused on.
You can review CPI findings here: Transparency International – 2025 Corruption Perceptions Index
The WEF analysis is available here: World Economic Forum – Global Risks Report 2025
The Compliance Paradox
Legacy compliance architectures were built for documentation-heavy, intermediary-based financial systems designed around batch processing, manual oversight, and centralized recordkeeping. Today's financial infrastructure is increasingly real-time, cross-border, API-connected, and programmable. Artificial intelligence and blockchain technologies are no longer experimental — they are increasingly core components of modern finance.
Yet many institutions continue layering advanced analytics and now AI onto centralized data warehouses — expanding attack surfaces and regulatory exposure without considering a fundamental redesign of the control architecture.
The result is a compliance paradox:
- More data collection
- Higher risk and compliance operating costs
- Expanded cyber and breach liability
- Limited measurable reduction in fraud and illicit finance outcomes
If fraud and illicit finance risk is increasingly networked and technologically adaptive, static operational risk frameworks cannot keep pace.
AI as Preventative Infrastructure
AI is often discussed in governance forums primarily as a risk concern — model bias, explainability gaps, data integrity concerns, and regulatory uncertainty. These risks are real and require formal model governance, audit logging, and supervisory alignment. However, AI should also be recognized as a potential preventative control infrastructure — capable of shifting risk and compliance from retrospective review to continuous monitoring.
Properly designed AI systems have the potential to:
- Detect anomalous behavioral patterns earlier than static rule sets
- Continuously test control effectiveness in real time
- Reduce false positives and operational friction
- Generate structured, regulator-ready audit logs
For management teams, the strategic question is not whether to deploy AI in GRC — it is whether AI will be governed as an enterprise control function or treated as a disconnected analytics tool.
Blockchain Transparency Without Centralized Exposure
Blockchain infrastructure introduces a structural shift in compliance design, moving transparency from centralized reporting toward shared, verifiable ledgers. Public ledgers provide append-only, tamper-evident transaction records that can be analyzed in real time without replicating sensitive identity data across internal systems. Smart contracts allow policy logic to be embedded directly into asset transfers. Cryptographic attestations enable a counterparty to verify that a compliance condition holds without disclosing the underlying identity data.
In the Stablecoin Standard whitepaper, "Programmable Compliance for Digital Money and Assets," which I co-authored, we outline a modular RegTech framework organized around four lifecycle functions: Prevent, Detect, Trace, Protect. The architecture emphasizes interoperability, real-time monitoring, and, critically, data minimization.
Rather than expanding centralized compliance databases, which widen the blast radius of any data breach, institutions can leverage blockchain-native monitoring and privacy-enhancing technologies to confirm compliance conditions while minimizing personal data exposure. This represents a shift from "collect and store" compliance toward "verify and attest" compliance: the party that checks identity issues a compact, signed statement of the outcome, and everyone downstream relies on that statement rather than on a copy of the identity data.
You can access the whitepaper here: Stablecoin Standard – Programmable Compliance for Digital Money and Assets
The key insight is structural: AML/KYC surveillance and cybersecurity serve different but complementary functions. Conflating them, or addressing risk through ever-expanding data aggregation, creates unnecessary digital "honey pots": centralized repositories of sensitive data that attract cyber attackers.
Stablecoins as a Live Case Study
I work primarily at the intersection of digital finance and GRC, and stablecoins offer a live test case in programmable compliance — particularly as regulatory regimes such as the GENIUS Act and EU's Markets in Crypto-Assets (MiCA) framework impose governance, reserve transparency, and operational resilience requirements on issuers.
In 2024, stablecoins moved approximately $15.6 trillion in value. They are increasingly used for:
- Cross-border settlement
- Corporate treasury management
- Global payroll distribution
- Remittances in volatile economies
Critics frequently associate stablecoins with illicit finance risk, which is an important risk to mitigate across all digital finance. However, blockchain analytics indicate that illicit activity represents a small percentage of overall transaction volume, and on-chain transparency enables automated sanctions screening, wallet risk scoring, geofencing, and transaction monitoring in real time. As outlined in the Stablecoin Standard whitepaper, programmable compliance logic can embed Prevent, Detect, Trace, and Protect functions directly into digital asset infrastructure, reducing reliance on after-the-fact reporting.
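The following is an added example illustrating the "verify and attest" pattern described in the previous section and the automated screening gate described here. It is not code from the Stablecoin Standard whitepaper or from the author, and it does not implement that framework; it is a minimal sketch of the pattern. A hypothetical KYC attester evaluates identity once and issues an attestation carrying only compliance predicates bound to a wallet address, and a relying institution gates a transfer on that attestation plus on-chain address screening, so the relying party never stores identity data. The customer record, sanctions lists, issuer identifier and wallet addresses are all constructed for the demo. HMAC-SHA256 stands in for an asymmetric signature so the example runs on the Python standard library; a production attester would sign with a key pair (for example Ed25519) so verifiers hold only a public key.

```python
import hashlib
import hmac
import json
import time

# Demo-only attester secret. A real attester would sign with an asymmetric key
# (e.g. Ed25519) so relying parties verify with a public key and hold no secret;
# HMAC-SHA256 is used here only so the example runs on the standard library.
ATTESTER_KEY = b"demo-attester-key-not-for-production"
ATTESTER_ID = "kyc-attester.example"  # hypothetical issuer identifier

# Constructed screening data standing in for a real sanctions feed.
SANCTIONED_COUNTRIES = {"KP", "IR"}
SANCTIONED_ADDRESSES = {"0xdead000000000000000000000000000000000bad"}

# Constructed identity record seen once by the attester at onboarding.
# Under "verify and attest" this record never leaves the attester.
CUSTOMER_RECORD = {
    "full_name": "Example Person",
    "date_of_birth": "1980-01-01",
    "passport_number": "X1234567",
    "residence": "DE",
}
PII_FIELDS = {"full_name", "date_of_birth", "passport_number"}


def _canonical(claims: dict) -> bytes:
    """Deterministic serialisation so issuer and verifier MAC identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(record: dict, wallet: str, now: int, ttl_seconds: int = 86400) -> dict:
    """Attester side: evaluate compliance predicates on the identity record and
    emit only their outcomes, bound to a wallet address and a validity window."""
    wallet = wallet.lower()
    claims = {
        "iss": ATTESTER_ID,
        "sub": wallet,
        "iat": now,
        "exp": now + ttl_seconds,
        "predicates": {
            "identity_verified": True,
            "sanctions_clear": (record["residence"] not in SANCTIONED_COUNTRIES
                                and wallet not in SANCTIONED_ADDRESSES),
            # Country code only: enough for geofencing, no document or address data.
            "jurisdiction": record["residence"],
        },
    }
    tag = hmac.new(ATTESTER_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_attestation(att: dict, now: int) -> bool:
    """Relying-party side: check integrity and validity window. No PII needed."""
    expected = hmac.new(ATTESTER_KEY, _canonical(att["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["tag"]):
        return False  # any edit to the claims invalidates the tag
    return att["claims"]["iat"] <= now < att["claims"]["exp"]


def contains_pii(att: dict) -> bool:
    """Breach-radius check: does the artefact the relying party stores carry
    any of the identity fields the attester saw?"""
    blob = json.dumps(att)
    return any(CUSTOMER_RECORD[f] in blob for f in PII_FIELDS)


def authorize_transfer(sender_att: dict, sender: str, recipient: str, amount: int,
                       now: int, review_threshold: int = 10_000) -> tuple:
    """Programmable policy gate evaluated before a transfer is accepted.
    Consumes predicates and on-chain addresses only; returns (allowed, reason)."""
    if not verify_attestation(sender_att, now):
        return False, "attestation invalid or expired"
    claims = sender_att["claims"]
    if claims["sub"] != sender.lower():
        return False, "attestation not bound to sender"
    p = claims["predicates"]
    if not (p["identity_verified"] and p["sanctions_clear"]):
        return False, "sender failed compliance predicates"
    if p["jurisdiction"] in SANCTIONED_COUNTRIES:
        return False, "sender jurisdiction blocked"
    if recipient.lower() in SANCTIONED_ADDRESSES:
        return False, "recipient address sanctioned"
    if amount >= review_threshold:
        return True, "allowed; flagged for review"  # permitted, but escalated for monitoring
    return True, "allowed"


if __name__ == "__main__":
    now = int(time.time())
    wallet = "0xAbC0000000000000000000000000000000000001"
    att = issue_attestation(CUSTOMER_RECORD, wallet, now)
    print(json.dumps(att["claims"], indent=2))
    print("attestation carries PII:", contains_pii(att))
    print(authorize_transfer(att, wallet, "0x" + "0" * 39 + "2", 500, now))
    print(authorize_transfer(att, wallet, "0x" + "0" * 39 + "2", 25_000, now))
    print(authorize_transfer(att, wallet, "0xdead000000000000000000000000000000000bad", 5, now))
    tampered = {"claims": {**att["claims"],
                           "predicates": {**att["claims"]["predicates"], "jurisdiction": "US"}},
                "tag": att["tag"]}
    print("tampered attestation verifies:", verify_attestation(tampered, now))
```

The point to notice is what the relying institution ends up holding: a wallet address, a handful of boolean predicates, a country code and a validity window. If that store is breached, no passport numbers or dates of birth leak, because they were never copied out of the attester. The gate still enforces sanctions screening, geofencing and a review threshold at transfer time, and any attempt to edit the predicates after issuance fails verification.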
The policy question should not be whether programmable money is inherently high risk. The better question is whether regulatory frameworks will be reimagined to incentivize more embedded compliance logic — or default to expanding centralized reporting structures that continue to increase systemic cyber exposure.
Avoiding the Data Honey Pot Trap
In an era of escalating ransomware, insider threats, and nation-state cyber activity, over-collection is not neutral; it is a governance liability that directly affects enterprise risk exposure and insurance costs. The risk equation is straightforward: more centralized AML/KYC data, combined with AI ingestion across systems and expanding third-party integrations, means a larger breach blast radius and greater legal and regulatory liability.
The convergence of AI and blockchain presents a rare opportunity to re-architect compliance systems fundamentally.
Next-generation compliance architecture should be guided by three key principles:
- Interoperability: Risk-relevant information moves securely without unnecessary duplication.
- Transparency: AI models and blockchain analytics are explainable, logged, and regulator-ready.
- Data Minimization: Institutions verify conditions cryptographically rather than aggregating excess identity data.
For management teams, these are operational design choices, not abstract privacy preferences. In practice:
- Compliance architecture should be reviewed alongside cybersecurity architecture, not separately.
- AI deployment must be governed under formal model risk and AI governance frameworks.
- Data retention policies should align with breach impact analysis.
- Stablecoin and digital asset strategies should be evaluated not only for market opportunity but for control innovation.