BIS Issues Stark Warning on Transactional Data Misuse and Global AML Threats
- Flexi Group
- Aug 8
A single click can now launch a global investigation—such is the scale of risk tied to the misuse of transactional data. When this critical financial information falls into the wrong hands, billions in illicit flows can slip through the cracks. The Bank for International Settlements (BIS) has placed a sharp focus on this rising threat, warning that financial crime is evolving rapidly as bad actors—including not only criminal organizations but sometimes legitimate players—exploit payment data. The implications for compliance officers and anti-money laundering (AML) teams are enormous, with growing regulatory expectations making the challenge more complex than ever. In a sweeping new analysis, the BIS outlines the urgent risks, emerging typologies, and international guidance institutions must now follow to protect themselves in this data-driven era.

Transactional data—the digital DNA of finance—is becoming prime territory for exploitation. Every digital payment, securities settlement, and transfer instruction leaves a sensitive data trail. Criminals are targeting these trails with increasing sophistication. As the BIS warns, this is no longer just a case of hacked bank accounts or stolen credit cards. Advanced fraud rings are using payment data in conjunction with open-source intelligence to map financial networks, forge synthetic identities, and engineer sophisticated layering strategies designed to launder money across borders undetected.
The typologies compliance teams are now confronting bear little resemblance to those of the cash-dominated past. Large-scale data breaches feed organized fraud and money laundering schemes, fueling tactics such as account takeovers and the use of international money mule networks. Meanwhile, the speed of financial innovation—real-time payments, open banking frameworks, and instant settlement systems—has further amplified both the scale and velocity of transactional data abuse.
Global compliance regimes, from the European Union’s General Data Protection Regulation (GDPR) to the US Bank Secrecy Act and standards outlined by the Financial Action Task Force (FATF), all stress the need to protect customer data and monitor for illicit behavior. But the BIS warns that compliance infrastructures have not kept pace with the rapid digitization of the financial system. Gaps in protections are being exploited through techniques ranging from SIM swap fraud and credential stuffing to full-scale data leaks, placing financial institutions in jeopardy of sanctions, criminal infiltration, and reputational collapse.
Recent compliance failures have underscored these dangers. In 2024, a major European financial institution was hit with a €50 million penalty after regulators uncovered an insider operation selling SWIFT message data to organized crime groups. The resulting illicit funds were funneled through a complex network of banks, evading detection. Authorities cited dual violations: GDPR Article 32, which mandates strong data security, and Article 7 of the EU AML Directive 2018/1673, which requires effective transaction monitoring. The case served as a blunt reminder that weak data security invites consequences from both privacy and AML regulators.
Across the United States, the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) have taken similar action against institutions with inadequate controls over transactional data. Failures in encryption, insufficient user access restrictions, and poor data segmentation have led to fraud involving synthetic identities, real-time laundering, and compromised customer accounts. The financial toll is staggering—estimates from BIS and industry analysts suggest more than $60 billion was lost globally in 2024 due to financial crime enabled by data misuse, with the bulk tied to laundering and fraud.
Regulators are not standing still. New mandates are reshaping the compliance landscape. The EU’s Sixth Anti-Money Laundering Directive (6AMLD) and recent updates to the GDPR now stress proactive risk management and security of financial records. Article 32a of 6AMLD places direct responsibility on institutions to secure transactional data. In the US, FinCEN’s 2024 guidance on digital identity calls on banks to protect transaction data not only from outside attacks but also from internal misuse.
In 2025, FATF revised its global assessment methodology to incorporate data integrity and real-time analytics as foundational components of effective AML/CFT programs. Echoing this, the BIS paper urges financial firms to ensure that core elements—customer due diligence, suspicious activity monitoring, and transaction analysis—are backed by resilient data governance. Regional regulators such as the Monetary Authority of Singapore (MAS) and the Hong Kong Monetary Authority (HKMA) have echoed these concerns, issuing technical requirements around encryption, biometrics, multi-factor authentication, and secure analytics.
But even as regulations tighten, criminal innovation is accelerating. The BIS highlights disturbing trends in the weaponization of transactional data. Synthetic identity fraud now allows criminals to craft fake, convincing personas using leaked datasets, evading traditional know-your-customer (KYC) checks. Transactional data is also enabling business email compromise (BEC) schemes, where fraudulent instructions are timed with uncanny precision. Trade-based money laundering is getting more complex, with payment data doctored to mask illicit value transfers under the guise of legitimate trade.
To keep pace, institutions are increasingly deploying machine learning, behavioral analytics, and biometric tools to flag suspicious transactions in real time. Yet, as the BIS stresses, “technology is not a silver bullet.” These efforts must rest on a bedrock of strong internal governance. That includes role-based data access, end-to-end encryption, continuous staff training, and scheduled scenario testing. A full data lifecycle approach—covering collection, usage, sharing, and deletion—is now the baseline for regulatory compliance and risk management.
Looking ahead, the BIS makes one thing abundantly clear: defending against data misuse is central to the future of AML enforcement. “Future-ready AML programs must blend technology with governance,” the report notes, emphasizing the need for privacy-by-design infrastructure and a compliance culture rooted in accountability and data protection. Institutions that fail to secure transactional data won’t just face hefty fines—they may face systemic damage to customer trust and operational viability.
The BIS’s message aligns with broader global trends. Institutions are being urged to measure themselves not only against their national laws but against the strictest global standards—including FATF benchmarks and BIS expectations. Those that lead in data protection will reinforce trust, minimize exposure to illicit activity, and strengthen the financial system’s integrity. Those that lag, however, will face rising compliance costs, enforcement scrutiny, and reputational damage in a financial ecosystem that no longer tolerates data neglect.
By fLEXI tEAM