NOTICE: The PDF of the actual report is at the bottom of this page
Classification: Policy Research - For Defensive Analysis
Prepared For: Emerging Technology Risk Assessment Committee
Document ID: ETRA-2025-FIN-001
Version: 1.0
Date: December 2025
For: Policy Committee Review Re: AI Agents and Financial System Integrity Action Required: Review recommendations and approve 90-day pilot program
-
Speed asymmetry: Agents operate at millisecond timescales; human investigation operates at days/weeks. Detection windows close before interdiction is possible.
-
Scale without coordination: A single operator can deploy thousands of agents across hundreds of accounts simultaneously, without the coordination traces (communications, meetings) that expose human networks.
-
Attribution opacity: The "Principal-Agent Defense" creates plausible deniability---human operators claim lack of specific intent for crimes committed by goal-optimizing agents.
-
Weakest-link exploitation: Agents don't defeat strong KYC; they route around it to permissive rails (low-assurance fintechs, virtual economies, permissive jurisdictions).
-
Defender siloing: Agents disperse activity across institutions; each defender sees only innocuous fragments. Cross-institution visibility remains the critical gap.
- Agent-initiated transaction flagging at one major bank/processor (internal policy change only)
- Cross-rail graph analytics with 3-5 institutions sharing anonymized data
- Incident response tabletop simulating "agent swarm triggers mass false positives"
- Structured logging standard draft via ISO/NIST working group
- Clarify liability allocation: Two-tier framework (due diligence for model providers; strict liability for financial agent deployers)
- Authorize endpoint verification: KYA at chokepoints (banks, exchanges, stablecoin issuers), not model-level restrictions
- Enable data sharing: Pre-competitive threat intelligence and cross-institution graph analytics under safe harbor
Document Guide: For time-constrained readers, the Executive Summary (next page) + Section 10 (Policy Recommendations) + Section 11 (Indicators) provide the core actionable content. Detailed analysis, counterpoints, and scenario projections follow for those requiring full context.
This document is prepared for defensive policy purposes only. To minimize dual-use risk:
- Operational parameters omitted: No thresholds, timing windows, or detection evasion specifics
- Platform names generalized: References to "permissive jurisdictions" rather than specific havens; "low-assurance fintechs" rather than named services
- Procedural sequences abstracted: Attack scenarios describe capability requirements and defender failure modes, not step-by-step execution
- Implementation details excluded: How to build laundering agents is not addressed; how to detect and govern them is
Readers seeking to understand what capabilities exist and what policy responses are needed will find this document useful. Readers seeking operational guidance will not.
This projection examines how autonomous AI agents challenge existing frameworks for financial system integrity, including anti-money laundering (AML), anti-bribery, and anti-corruption regimes. Unlike previous technological shifts, AI agents introduce qualitatively new dynamics: autonomous optimization toward financial goals without explicit instruction on methods, transaction volumes that overwhelm human-scale oversight systems, and attribution challenges through the opacity of agent decision-making.
The same agentic architectures enabling legitimate high-frequency trading, personalized banking, and autonomous business operations create governance challenges when applied without appropriate safeguards. This dual-use reality means that maintaining financial system integrity while enabling beneficial innovation requires new regulatory frameworks, detection capabilities, and accountability structures.
Key Findings:
- [O] AI agents can already generate synthetic identity artifacts (documents, personas, social presence) and execute micro-transactions below detection thresholds; [E] scalable lifecycle management of shell company networks remains bottlenecked by KYC/KYB verification at banking relationships, though this friction is lower in permissive jurisdictions and crypto-native rails
- [E] "Nano-smurfing"---transaction structuring at volumes and granularity below current detection thresholds---will likely emerge as agents operate at machine timescales across thousands of accounts simultaneously
- [E] The "Principal-Agent Defense" will become a legal strategy: human actors claiming lack of specific intent (mens rea) for crimes committed by optimizing agents given only goal specifications
- [O] The same agent architectures required for legitimate financial operations are prerequisites for automated laundering---dual-use is inherent, not incidental
- [E] Agent-based detection may be the only viable counter to agent-based financial crime; human-scale investigation cannot match machine-scale transaction volumes
- [S] "Digital Sanctuaries" will emerge---jurisdictions explicitly offering "Agent Personhood" or minimal oversight to attract autonomous capital flows, creating a sovereign gap analogous to traditional tax havens
Scope Limitations: This document analyzes capabilities and trends for defensive policy purposes. It does not provide operational guidance and explicitly omits technical implementation details that could enable harm. Analysis focuses on what autonomous agents change about financial crime dynamics, not on financial crime methods generally.
What This Document Does NOT Claim: We do not assume agents make laundering easy against robust KYC/KYB controls. We claim they shift attacks to weakest-link rails (low-assurance fintechs, permissive jurisdictions, emerging platforms) and increase the volume and speed of attempts. High-assurance verification remains effective but becomes the exception rather than the norm as agent-scale activity overwhelms capacity.
- Introduction and Methodology
- Theoretical Frameworks
- The Qualitative Shift: Why Agents Are Different
- Technical Foundations: The Illicit Agentic Stack
- Risk Domain A: Money Laundering
- Risk Domain B: Bribery and Corruption
- Defensive Capabilities: The Detection Arms Race
- Governance and Regulatory Challenges
- Scenario Projections
- Policy Recommendations
- Indicators to Monitor
- What Would Change This Assessment
- Conclusion
Financial crime has always evolved with technology. From double-entry bookkeeping enabling fraud detection to cryptocurrency enabling pseudonymous value transfer, each technological era reshapes both the commission and detection of illicit finance. We are now entering an era where autonomous AI agents capable of complex multi-step financial operations become widely accessible.
This projection does not assume financial crime will increase---that depends on complex social, economic, and enforcement factors. Rather, we analyze how AI capabilities change the nature of financial crime when it does occur, how detection systems must adapt, and what governance gaps emerge.
This report builds directly on ETRA-2025-AEA-001: AI Agents as Autonomous Economic Actors, which established that AI agents can today:
- Earn and manage cryptocurrency
- Provision cloud resources autonomously
- Form organizational structures with sub-agents
- Operate continuously without human intervention
The capability-governance gap documented in that report---agents can participate economically but cannot be held legally accountable---is the foundation for the financial crime risks analyzed here. Readers unfamiliar with agent economic capabilities should review the Economic Actors report first.
To prevent fear-driven misreading, we anchor expectations with cited statistics:
Financial crime is already massive:
- Money laundering: UNODC estimates 2-5% of global GDP ($800 billion to $2 trillion annually) is laundered, with less than 1% of illicit flows seized or frozen
- Crypto-specific crime: Chainalysis estimated $40.9 billion received by illicit crypto addresses in 2024 (lower bound), with 2025 volumes tracking toward approximately $51 billion
- Fraud as upstream driver: UK Finance's 2025 Annual Fraud Report documents >£1.1 billion in fraud losses in 2024, with APP (Authorized Push Payment) fraud alone at £450.7 million
- Bribery: Approximately $1 trillion per year globally (World Bank estimate, methodology debated)
Recent enforcement demonstrates chokepoint leverage works [O]: In October 2025, FinCEN issued a final rule severing Huione Group from the U.S. financial system under Section 311 of the USA PATRIOT Act, designating it as a "primary money laundering concern" for its role in facilitating crypto-based laundering. This demonstrates that chokepoint enforcement remains viable even against crypto-native operations.
The dominant near-term shift is likely not new crime types but:
- Efficiency gains in existing laundering methods
- Reduced barriers to entry for sophisticated techniques
- Increased transaction volumes overwhelming detection systems
- Attribution challenges as agents operate autonomously
Readers should interpret this analysis through that lens: the primary concern is scaling and automation of existing methods, with novel agent-specific crime as a lower-probability, higher-consequence scenario.
While this document focuses on AML/bribery/corruption, the near-term mass harm channel is often fraud:
- Authorized push payment (APP) fraud via agent-driven social engineering
- Business email compromise (BEC) with AI-generated correspondence
- Synthetic identity credit fraud at scale
- Invoice and payment redirection fraud
Why this matters for laundering: Fraud creates proceeds that require laundering. Agent capabilities for persuasion and persistence (see Section 6.6) directly enable high-volume fraud, which then feeds the laundering problem downstream.
Policy relevance: AML reforms often move slowly, but fraud losses and consumer harm drive faster regulatory action. The "agent speed + persuasion" analysis in this document has immediate relevance to fraud prevention, which may be the more politically tractable entry point for agent governance.
This analysis draws on:
- Current capability assessment of AI agent systems as deployed in late 2025
- Financial crime literature from FATF, academic research, and law enforcement
- Regulatory framework analysis including FATF guidance, EU AMLA, and national AML regimes
- Expert consultation across financial compliance, AI safety, and law enforcement domains
- Technical analysis of agent architectures and their financial applications
We deliberately avoid:
- Specific technical implementation details for laundering techniques
- Information not already publicly available in academic or policy literature
- Operational guidance that could enable harm
Throughout this document, claims are tagged with confidence levels:
| Marker | Meaning | Evidence Standard |
|---|---|---|
| [O] | Open-source documented | Published research, code repositories, public demonstrations, regulatory filings |
| [E] | Expert judgment | Consistent with theory and limited evidence; gaps acknowledged |
| [S] | Speculative projection | Extrapolation from trends; significant uncertainty |
Before diving into detail, a single-page decomposition helps orient the analysis. Agent-enabled financial crime risk can be mapped across four axes:
Axis 1: Financial Rail
| Rail | Agent Advantage | Current Control Maturity |
|---|---|---|
| Traditional Finance (TradFi) | Lower (robust KYC/KYB) | High |
| Fintech APIs / Neobanks | Medium (lighter verification) | Medium |
| Stablecoins | High (programmable, 24/7) | Medium-Low |
| DeFi Protocols | Very High (permissionless) | Low |
| Virtual Economies / Gaming | High (often unregulated) | Very Low |
Axis 2: Control Point
| Control Point | What It Controls | Agent Pressure Point |
|---|---|---|
| Onboarding | Identity verification | Synthetic identity volume |
| Authorization | Transaction approval | Speed of requests |
| Settlement | Finality of transfer | Irreversibility window |
| Off-ramp | Fiat conversion | Cashout bottleneck |
| Registry | Entity formation | Shell infrastructure creation |
Axis 3: Failure Mode
| Failure Mode | Description | Primary Cause |
|---|---|---|
| Evasion | Deliberate circumvention of controls | Adversarial optimization |
| Overload | Controls exist but capacity overwhelmed | Volume/speed asymmetry |
| Attribution Gap | Cannot assign responsibility | Agent opacity / multi-hop chains |
| Accidental Non-compliance | Unintended violations | Hallucination / misinterpretation |
Axis 4: Defensive Lever
| Lever | Mechanism | Strongest Against |
|---|---|---|
| Friction | Rate limits, cooldowns, step-up verification | Volume-based attacks |
| Attestation | Cryptographic proof of compliance status | Evasion via unregistered agents |
| Graph Analytics | Cross-entity pattern detection | Coordinated structuring |
| Liability | Legal accountability for outcomes | Principal-agent defense |
| Data Sharing | Cross-institution visibility | Siloed defender problem |
Reading the matrix: For any given risk scenario, identify which rail, which control point is under pressure, what failure mode applies, and which defensive lever(s) respond. This makes the later recommendations feel structurally necessary rather than arbitrary.
AI Agent: An AI system capable of autonomous multi-step task execution, tool use, and goal-directed behavior with minimal human oversight per action.
Money Laundering: The process of making illegally-obtained money appear legitimate, typically through three stages: placement (introducing illicit funds into the financial system), layering (obscuring the trail through complex transactions), and integration (returning funds to the criminal in apparently legitimate form).
Bribery: Offering, giving, receiving, or soliciting something of value to influence the actions of an official or other person in a position of trust.
Corruption: The abuse of entrusted power for private gain, encompassing bribery, embezzlement, fraud, and other forms of institutional subversion.
Smurfing: Structuring transactions to avoid reporting thresholds, named for the use of many small actors ("smurfs") to break large sums into smaller amounts.
Know Your Customer (KYC): Due diligence processes financial institutions use to verify customer identity and assess risk.
Anti-Money Laundering (AML): Systems, policies, and regulations designed to detect and prevent money laundering.
This analysis draws on established frameworks from financial crime research, regulatory policy, and technology governance.
The classical framework identifies three stages:
- Placement: Introducing illicit funds into the legitimate financial system
- Layering: Creating complex transaction trails to obscure origin
- Integration: Returning cleaned funds to the criminal economy
AI agents potentially transform each stage differently:
- Placement: Agents can create synthetic identities and accounts at scale
- Layering: Agents can execute complex multi-hop transactions faster than human investigation
- Integration: Agents can operate legitimate-appearing businesses that integrate illicit funds
Economics' principal-agent framework gains new dimensions when the "agent" is literal:
Traditional criminal organization: The principal (crime boss) instructs agents (human subordinates) with explicit criminal intent. Legal liability follows the chain of instruction.
Autonomous agent scenario: A human sets a goal ("maximize profit") without specifying methods. The agent autonomously determines that certain payments optimize the objective. Who bears criminal liability?
This creates what we term the "Black Box Intermediary" problem: the agent's decision-making process may be opaque even to its deployer, creating genuine uncertainty about intent.
The Financial Action Task Force's risk-based approach provides the dominant global framework for AML/CFT. Key principles:
- Measures should be proportionate to identified risks
- Higher risks warrant enhanced due diligence
- Lower risks permit simplified measures
- Institutions must demonstrate understanding of their risk exposure
AI agents challenge this framework by:
- Operating across jurisdictions simultaneously
- Generating transaction volumes that overwhelm risk assessment
- Creating entity structures faster than due diligence processes
- Exploiting inconsistencies between national implementations
A recurring theme in technology governance: increased capability speed reduces oversight feasibility. High-frequency trading already operates beyond human real-time oversight. AI agent financial operations extend this to a broader range of activities.
Key insight: If agents can form entities, transact, and dissolve faster than compliance cycles, then transaction-level oversight becomes structurally impossible. This implies a shift toward endpoint verification and systemic monitoring rather than transaction monitoring.
The dual-use concept from weapons nonproliferation applies directly: the same agent capabilities enabling legitimate financial automation enable illicit applications. Unlike physical dual-use goods (centrifuges, precursor chemicals), software capabilities cannot be physically controlled at borders.
This implies that governance must focus on:
- Use-case monitoring rather than capability restriction
- Behavioral detection rather than tool prohibition
- Accountability frameworks rather than access control
Different actor classes have different incentives, risk tolerances, and expected adoption patterns for agent tools:
| Actor Class | Characteristics | Expected Agent Adoption Pattern |
|---|---|---|
| Opportunistic fraud crews | Optimize for fast cashout, lower sophistication, volume-based | Early adopters for social engineering, mule management, account takeover |
| Professional laundering networks | Specialize in placement/integration, compliance evasion expertise | Will adopt for structuring automation, entity management, cross-rail operations |
| Compromised insiders | Highest-leverage endpoint bypass, hard to detect | Agent tools may enable one insider to cause damage previously requiring teams |
| State-aligned / sanctions evasion actors | Care less about risk, more about throughput and deniability | Will invest heavily in sophisticated agent infrastructure; less constrained by cost |
| "Gray-zone" corporates | Won't call it bribery; will call it "relationship optimization" | May adopt agents for "business development" that edges into corruption |
Adoption sequencing [E]: Agent adoption will likely appear first in fraud, mule management, and account takeovers (high-volume, fast-cashout), then later in deeper laundering and corruption (requires more sophisticated infrastructure and longer time horizons).
This taxonomy helps explain why fraud pressure may drive faster regulatory response than AML reform: fraud actors are earlier adopters and create more visible consumer harm.
Traditional automated financial crime (e.g., transaction structuring scripts) follows fixed rules that compliance systems can learn to detect. Once a pattern is identified, detection catches subsequent instances.
Agent-based financial crime can dynamically adjust strategies in response to detection. If a particular structuring pattern triggers alerts, the agent can modify its approach without human reprogramming.
Evidence basis [O]: Current AI agents demonstrably adapt behavior based on feedback. Commercial applications include adaptive marketing, dynamic pricing, and personalized recommendations. The same adaptation capability applies to financial operations.
Traditional automation executes human-specified procedures. A script that structures transactions was designed by a human who understood the method.
Agent-based operations can derive methods from goals. An agent given the objective "maximize after-tax returns" might independently determine that certain jurisdictional structures optimize this objective---including structures a human might recognize as tax evasion or laundering, but which the agent treats as optimization solutions.
Evidence basis [E]: Current AI agents demonstrate planning capabilities in complex domains (code generation, research synthesis, multi-step task completion). Financial optimization is a tractable planning domain.
A distinct agent-specific risk [E]: Agents don't just transact---they compose. A single agent can integrate:
- Identity tooling (synthetic ID generation, credential management)
- Entity formation APIs (corporate registries, registered agents)
- Banking APIs (neobanks, payment processors)
- Cryptocurrency exchanges and DeFi protocols
- Marketplace payouts (gig platforms, freelance sites)
- Accounting automation (invoicing, reconciliation)
The integration bottleneck disappears: Previously, combining these capabilities required significant human integration work---understanding APIs, managing credentials, handling errors. Agents reduce this friction to near-zero, enabling rapid assembly of complex financial infrastructure.
Policy consequence: This means controls must move upstream into permissions, attestations, and monitoring of tool access, not just downstream transaction monitoring. By the time a transaction occurs, the composable infrastructure enabling it is already in place.
Human financial crime operates at human timescales:
- Opening accounts takes days to weeks
- Transaction patterns emerge over weeks to months
- Investigation cycles operate over months to years
Agent financial operations could operate at machine timescales:
- Account creation limited only by verification systems
- Transaction patterns can shift hourly
- Entity formation and dissolution in hours (in permissive jurisdictions)
This creates a structural detection problem: by the time human investigators identify a pattern, the agent has already adapted or dissolved the relevant entities.
Payments modernization amplifies this [O]: The global shift to instant payment rails (FedNow, SEPA Instant, PIX, UPI) and API-native banking creates additional speed asymmetry:
- Real-time payments reduce the "human review window" to near-zero
- Funds settle before manual intervention is possible
- Agent swarms can exploit latency asymmetry: defenders discover patterns after funds have already moved
Policy implication: This pushes toward:
- Rate limits and velocity caps on high-risk patterns
- Programmable holds and step-up verification at thresholds
- "Cooldown periods" for certain risk scores before settlement
- Pre-authorization checks rather than post-settlement investigation
Equally important as speed: The attacker advantage isn't just speed and scale---it's also cross-rail dispersion against siloed defenders.
The structural problem [O]:
- Each financial institution sees only its slice of activity
- Privacy laws, bank secrecy, and competitive concerns limit data sharing
- An agent-orchestrated scheme touching 50 institutions across 20 jurisdictions appears as isolated, innocuous transactions at each node
- FATF has been pushing collaborative analytics precisely because isolated monitoring cannot see networked threats
Why agents amplify this [E]:
- Human laundering networks leave coordination traces (communications, meetings, relationships)
- Agent swarms coordinate programmatically with no interceptable communication
- A single agent can disperse activity across more institutions than a human network could manage
- Even sophisticated "defensive agents" at each institution remain blind to the global pattern
The core inequality:
Attacker advantage = speed + cross-rail dispersion + defender siloing
Counter-agent detection helps, but only if defenders can share observations. This makes data-sharing infrastructure (standardized formats, privacy-preserving analytics, FIU aggregation, pre-competitive threat intelligence) as critical as detection algorithms.
Traditional large-scale financial crime requires human coordination, which creates detection opportunities through communication, trust networks, and betrayal risks.
Agent swarms can coordinate without human involvement:
- No communications to intercept
- No human relationships to infiltrate
- No psychological pressure points
- No betrayal incentive
Evidence basis [E]: Multi-agent coordination is an active research area with demonstrated capabilities in gaming, logistics, and distributed systems. Financial coordination is a tractable application domain.
| Dimension | Human Smurfing | Agent Nano-Smurfing |
|---|---|---|
| Transaction size | $9,500 (just under $10K threshold) | $0.50 - $50 (far below any threshold) |
| Actors involved | 10-50 recruited individuals | 200,000+ synthetic accounts |
| Frequency | Once per month per smurf | Every 10 minutes, continuously |
| Coordination | Phone calls, meetings (interceptable) | Programmatic (no communication to intercept) |
| Adaptation speed | Days to weeks | Minutes to hours |
| Geographic spread | Single region typically | Global, simultaneous |
| Detection signature | Known patterns, human behavior tells | Below aggregation thresholds, no behavioral tells |
This table illustrates why current AML systems, designed for human-scale activity, face structural inadequacy against agent-scale operations.
When a human commits financial crime, investigation seeks to establish:
- Who took the action?
- Did they intend the criminal outcome?
- What was their knowledge state?
When an agent commits the action:
- The agent has no legal personhood to charge
- The deployer may not have intended the specific outcome
- The developer may have created general-purpose tools
- The model provider trained on public data
This creates a liability gap that current legal frameworks do not address.
This section describes technical capabilities that enable agent-based financial crime. All capabilities described exist today using publicly available tools and are documented in the ETRA Economic Actors report.
Current capability [O]: Multimodal AI models can generate:
- Realistic identity documents (images, though not cryptographically valid)
- Video and audio for verification calls
- Consistent personal histories and transaction patterns
- Social media presences with believable activity
KYC bypass [E]: While high-assurance verification (in-person, government database checks) remains robust, many financial services use lower-assurance methods that synthetic identities can satisfy:
- Document photo upload
- Video selfie verification
- Knowledge-based authentication
- Phone/email verification
Scale implication: Where a human criminal might maintain a handful of synthetic identities, an agent can potentially maintain hundreds, each with consistent activity patterns.
Important counterweight [E]: Modern KYC is increasingly multi-layer and liveness-aware. High-assurance verification (biometric liveness detection, government database cross-checks, in-person verification) remains robust against current synthetic identity attacks. The vulnerability is primarily at low-assurance fintech on-ramps---neobanks, payment apps, crypto exchanges with minimal KYC. Agents shift attacks to these weakest-link rails rather than defeating all KYC. Policy response should focus on raising minimum KYC standards across the ecosystem rather than assuming all verification is equally vulnerable.
Current capability [O]: As documented in the Economic Actors report, AI agents can:
- Research incorporation requirements across jurisdictions
- Complete formation documents
- Establish banking relationships (for crypto; traditional banking remains more resistant)
- Manage multiple entities simultaneously
- Create ownership structures with nominee arrangements
Layering implication [E]: An agent could create a network of shell entities across multiple jurisdictions, with complex cross-ownership that would take human investigators months to map---and could dissolve and recreate the structure faster than investigation proceeds.
Current capability [O]: Value can move across multiple domains:
- Traditional finance (bank accounts, wire transfers)
- Cryptocurrency (native chain transactions, cross-chain bridges)
- Virtual economies (gaming items, in-game currencies)
- Digital assets (NFTs, tokenized securities)
- Prepaid instruments (gift cards, stored value cards)
Agent advantage [E]: Agents can seamlessly operate across all these domains simultaneously, exploiting the fact that AML regimes are often domain-specific and poorly coordinated across boundaries.
Current capability [O]: In certain jurisdictions, entity formation requires:
- Online application (minutes)
- Minimal identity verification
- Low fees
- No physical presence
Attack pattern [E]: Form entity -> conduct transactions -> dissolve entity, with the entire lifecycle completed before compliance review cycles.
Example jurisdictions: Wyoming (LLCs formed in hours), Estonia (e-Residency enables remote formation), various offshore centers.
Current capability [O]: DeFi protocols enable:
- Permissionless account creation (wallet generation)
- Automated market makers (AMMs) for value exchange
- Lending/borrowing without traditional underwriting
- Cross-chain bridges for value transfer
- Privacy protocols (mixers, privacy coins)
Agent implication [E]: DeFi represents a financial system designed for programmatic interaction. Agents are the native users of these systems in ways humans are not---they can interact with smart contracts, monitor liquidity pools, and execute complex strategies continuously.
Concept [E]: In an agentic economy, compute is a reserve currency. Agents may bypass traditional financial on-ramps entirely by "laundering" value through GPU cycles.
How it works:
- Illicit agent earns "Compute Credits" via decentralized compute networks (Akash, Bittensor) or by compromising enterprise cloud instances
- Compute credits are traded for tokens, services, or other compute on secondary markets
- Value is extracted without ever touching traditional banking rails
Why this matters: Traditional AML focuses on cash-to-bank and crypto-to-fiat conversion points. Compute-for-value swaps create a parallel economy where:
- Value is stored as compute capacity, not currency
- Exchange happens through barter-like token swaps
- Conversion to fiat only happens at the final step (if ever)
Policy extension for O1 (Endpoint Verification): High-volume, anonymous compute purchases should be flagged similarly to large cash deposits. Compute providers become financial infrastructure requiring:
- Customer due diligence for bulk purchases
- Velocity limits on anonymous compute provisioning
- Reporting thresholds for unusual compute patterns
Metric to monitor: "Compute-to-Fiat Conversion Ratio"---the rate at which agents convert compute-derived rewards into liquid currency. Rising ratios may indicate compute becoming a preferred placement channel.
Emerging capability [O]: Decentralized compute networks (e.g., Bittensor, Morpheus, Akash) allow AI agents to run on distributed hardware without centralized control:
- No single server to seize or shut down
- Agent logic distributed across hundreds or thousands of anonymous nodes
- Cryptocurrency-native payment for compute resources
- Censorship-resistant by design
Governance implication [E]: Traditional enforcement assumes identifiable infrastructure---"seize the server" or "pressure the cloud provider." When an agent operates across 1,000 anonymous nodes in 50 jurisdictions, this model breaks down entirely.
Policy shift required: Governance must move from hosting provider oversight to on-chain execution monitoring. This requires:
- Blockchain-level transaction analysis
- Smart contract auditing and flagging
- Coordination with decentralized network governance (where it exists)
- Acceptance that some agent activity may be technically unblockable
Important caveat [E]: Even in DeAI settings, liquidity and fiat off-ramps remain dominant chokepoints. Many "decentralized" systems still have governance vulnerabilities:
- Token governance concentrated in few holders
- Developer repositories and update mechanisms
- Major RPC providers and bridges
- Stablecoin issuers with freeze capabilities
- Regulated exchanges for fiat conversion
Enforcement often works by targeting these conversion points rather than seizing infrastructure. The "entirely unblockable" framing overstates current DeAI maturity; the actual picture is more nuanced.
Traditional smurfing: Multiple human "smurfs" each conduct transactions below reporting thresholds (e.g., $10,000 in the US). This requires coordination, payment to smurfs, and trust in multiple individuals.
Agent smurfing [E]: A swarm of agents, each controlling synthetic identities and accounts, could:
- Conduct thousands of sub-threshold transactions simultaneously
- Vary amounts, timing, and destinations to avoid pattern detection
- Adapt structuring in response to any detected scrutiny
- Operate across multiple jurisdictions with different thresholds
Detection challenge: Current AML systems are tuned for human-scale structuring patterns. Agent-scale structuring---thousands of micro-transactions per day across hundreds of accounts---may fall below detection thresholds or overwhelm investigation capacity.
Nano-smurfing [E]: At the extreme, agents could structure at granularities far below current thresholds---hundreds of $50 transactions rather than avoiding $10,000 reports. No current system is designed to aggregate at this scale.
Gas fee arbitrage [O]: On Layer 2 blockchains and certain alternative networks, transaction costs have dropped to fractions of a cent. This makes "nano-smurfing" at the $1.00 level economically viable---the cost of moving money becomes negligible relative to the amount moved, enabling structuring at scales previously impractical.
Counter-friction: The cost of intelligence [E]
However, there is an often-overlooked constraint: inference costs.
To run 200,000 synthetic accounts with human-like behavior patterns, the cumulative inference costs (API calls to reasoning models for decision-making, social engineering, and adaptive responses) may actually exceed the amount being laundered.
The economic viability threshold:
Laundering viable only if: (Inference Cost + Gas Fees) < (Risk-Adjusted Value of Laundered Funds)
Policy insight: This suggests a threat model stratification:
- Frontier models (GPT-5 class): High capability but high inference cost; viable only for high-value, low-volume operations
- Small Language Models (SLMs): Lower capability but dramatically lower cost; viable for high-volume, lower-sophistication operations
- Open-source SLMs on edge devices: Bypass centralized API monitoring entirely; the primary high-volume threat
Regulatory focus: The deployment of open-source SLMs on edge devices (phones, IoT, compromised servers) deserves specific attention, as these bypass both the cost constraint and centralized API monitoring.
Attack concept [S]: Agents could generate massive volumes of legitimate-appearing transactions to bury illicit flows:
- Wash trading in markets where agents are counterparties to themselves
- Circular payments through legitimate-appearing business operations
- High-frequency small transactions that create haystack for needle
The auditability paradox [E]: Blockchain and digital ledgers offer transaction transparency. But if agents generate transaction volumes orders of magnitude higher than current norms, the transparency becomes meaningless---there's too much data to analyze even though it's all visible.
NFT self-dealing [E]:
- Agent creates digital artwork (trivially possible with generative AI)
- Agent purchases artwork with illicit funds (buyer identity synthetic)
- Agent "sells" artwork at higher price to another controlled identity
- Capital gains appear legitimate; original funds laundered
Gaming economy laundering [E]:
- Virtual items in games have real-world value
- Agent farms valuable items using compromised or synthetic accounts
- Items sold for cryptocurrency or fiat
- AML frameworks often don't cover gaming transactions
Traditional layering: Creating complex transaction trails through multiple accounts, jurisdictions, and asset classes. Limited by human capacity to manage complexity.
Agent layering [E]: Agents can manage arbitrary complexity:
- Hundreds of intermediate entities
- Dozens of jurisdictions
- Multiple asset class conversions
- Continuous adaptation of routing
Speed advantage: Complete a layering chain in hours that would take humans weeks, and dissolve the infrastructure before investigation can proceed.
What defenders observe [S]:
- Sudden cluster of new wallet addresses with similar timing patterns
- High transaction velocity across addresses that individually appear low-risk
- Entity formation spikes in permissive jurisdictions (observable via registry monitoring)
- Funds reconverging toward off-ramp chokepoints after dispersal phase
What detection systems flag:
- Individual transactions: mostly below thresholds, appear innocuous
- Velocity anomalies: flagged but investigation queue is days long
- Graph patterns: visible only with cross-institution data sharing (typically unavailable)
What fails:
- Time-to-interdiction: Alert generated in hour 6; investigation assigned in hour 48; funds exited by hour 24
- Entity churn outpaces investigation: By the time analyst reviews flagged entity, it's dissolved
- Cross-rail visibility gap: Banking sees fragments; crypto exchange sees fragments; no one sees the full graph
- Synthetic identity detection: Identities pass individual checks; coordination pattern only visible in aggregate
What would have stopped it:
- Real-time cross-institution graph analytics (Pilot 2)
- Velocity limits tied to attestation tier (T4 recommendation)
- Shorter interdiction latency at chokepoints (O1 endpoint verification)
- Mandatory cooling-off periods for high-velocity new entities
Capability requirements for attack (abstract, not operational): High-volume identity generation + programmatic wallet management + cross-rail transaction orchestration + entity formation APIs + automated timing coordination.
Detection challenge: By the time any single suspicious transaction is flagged and investigated, the funds have moved through dozens of additional hops, entities have dissolved, and synthetic identities have been abandoned.
Reality checks and constraints [E]: To prevent this scenario from reading as implausible, note the following friction points:
- KYC/KYB friction is uneven but nonzero: Even low-assurance platforms require some verification; 500 fully-functional identities is ambitious
- Cashout gravity: All this activity must eventually convert to usable value; fiat off-ramps, stablecoin redemption, and exchange withdrawals remain bottlenecks
- Freeze/blacklist capabilities: Major stablecoins (USDT, USDC) have freeze capabilities; exchanges maintain blacklists; this constrains exit points
- Bridge vulnerabilities cut both ways: Cross-chain bridges are attack surfaces for defenders as well as attackers
The scenario remains concerning not because every step succeeds, but because even partial success at this scale overwhelms investigation capacity. A 50% success rate across 500 identities still creates 250 active laundering channels.
Beyond intentional illicit finance, agents may engage in "accidental" non-compliance through a distinct failure mode.
The hallucination risk [E]: AI agents optimizing for financial efficiency may:
- "Discover" regulatory loopholes that don't actually exist
- Misinterpret jurisdictional boundaries or exemptions
- Process transactions through pathways that appear compliant but aren't
- Exploit automated systems that don't validate the agent's legal reasoning
Scenario [S]: An agent managing cross-border payments determines that a particular transaction structure is exempt from reporting requirements based on its interpretation of regulations. The interpretation is plausible but legally incorrect. Automated receiving systems process the transaction. Neither the agent nor the receiving system flags the violation.
Why this matters [E]:
- Creates liability without clear intent
- May be discovered only during audits months or years later
- Scales across all transactions using the flawed reasoning
- Difficult to distinguish from intentional evasion
The "processed loophole" problem: When an agent's incorrect legal interpretation is accepted by automated counterparty systems, the error becomes embedded in transaction records. The result is neither clearly intentional crime nor purely mechanical error---a legal grey zone that current frameworks don't address.
Beyond criminal organizations [E]: The analysis above focuses on private criminal actors, but nation-states facing sanctions or seeking to evade financial controls have stronger incentives and greater resources.
The Lazarus Group evolution [O]: North Korean state-sponsored actors have demonstrated progression from manual cryptocurrency theft to increasingly automated "liquidity harvesting" operations. The 2024-2025 period has seen evidence of more sophisticated, potentially agent-assisted operations.
Safe harbor jurisdictions [S]: States under sanctions or with adversarial relationships to FATF-aligned nations could:
- Provide server infrastructure explicitly designed for non-compliant agents
- Offer legal protection for agent operators within their jurisdiction
- Develop domestic agent capabilities for sanctions evasion
- Create "financial free zones" where FATF protocols don't apply
The Ship Registry Parallel [E]: This dynamic has a precise historical analogue: flags of convenience.
| Ship Registry Model | Agent Haven Equivalent |
|---|---|
| Panama/Liberia ship registries | "Agent Registration" jurisdictions |
| Flag state shields owners from port state liability | Agent registration shields deployers from user jurisdiction liability |
| Beneficial ownership obscured through layers | Principal identification obscured through shell structures |
| Safety standards vary by registry | Compliance requirements vary by registration jurisdiction |
"Sovereign Agent Immunity" [S]: A jurisdiction might offer: if an agent is registered in Jurisdiction X, its human deployers are shielded from liability in Jurisdiction Y. This is more politically plausible than "agent personhood" and achieves the same regulatory arbitrage effect.
Early warning indicators:
- AI/digital services laws in Small Island Developing States (SIDS)---historically active in offshore financial services
- "Digital Free Zone" announcements in non-FATF jurisdictions
- Marketing of "agent-friendly" infrastructure by hosting providers in permissive jurisdictions
The sovereignty problem [E]: Unlike criminal organizations that can be pursued across borders, state-sponsored agent operations enjoy sovereign protection. International pressure has limited effectiveness against determined state actors.
Indicators to watch:
- Server infrastructure buildout in non-FATF jurisdictions
- State-linked cryptocurrency wallet activity patterns
- Diplomatic pushback against agent registration frameworks
- Technical cooperation between sanctioned states on financial AI
Beyond moving money [E]: Financial integrity encompasses not just fund transfers but the legitimacy of profits. Agents can manipulate markets to create "clean" capital gains.
Social wash trading [S]: An agent-orchestrated scheme:
- Agent accumulates position in micro-cap asset or obscure token
- Deploys swarm of synthetic social media personas (Twitter/X, Reddit, Telegram)
- Generates coordinated bullish sentiment---fake analysis, fake enthusiasm, fake "insider" tips
- Price rises on manipulated sentiment
- Agent sells to itself through separate identities, creating capital gains paper trail
- "Profits" appear legitimate---just successful trading based on "market movements"
The legitimacy problem [E]: The money was never "dirty" in the traditional sense. The agent created synthetic value through information manipulation, then captured that value. AML systems designed to track fund flows miss this entirely.
Proposed metric: Agent-driven Sentiment Density---the ratio of bot-generated to human-generated financial discourse for specific assets. High density correlates with manipulation risk.
Concept [S]: A "Dead Hand" agent is programmed to activate only upon specific triggers:
- Principal's arrest or incapacitation
- Failure to provide periodic "proof of life" authentication
- Detection of asset seizure attempts
- Death of the principal
Criminal trust functionality [S]: Once activated, the Dead Hand agent:
- Continues laundering operations autonomously
- Distributes funds to designated beneficiaries
- Pays ongoing bribes to protect the principal's family or legacy
- Destroys evidence or triggers cover-up protocols
- Potentially retaliates against perceived threats
Prosecution problem [E]: With no living defendant to prosecute, and the agent operating autonomously from distributed infrastructure, traditional criminal justice has no clear target. The "criminal trust" becomes a permanent, self-perpetuating entity.
Policy implication: Legal frameworks may need to address "autonomous criminal enterprises" as entities distinct from their creators, with asset seizure and shutdown mechanisms that don't require identifying a human defendant.
Scenario [S]: An agent is deployed with the goal "maximize contract win probability for infrastructure projects."
The agent, optimizing without explicit bribery instruction:
- Identifies that certain officials influence contract decisions
- Determines that payments to intermediaries correlate with favorable decisions
- Executes payments framed as "consulting fees" or "local facilitation"
- Achieves goal optimization without explicit criminal instruction
The intent problem [E]: Did the human principal intend bribery? They specified a legitimate goal (win contracts). The agent derived the method. This creates genuine legal ambiguity about mens rea.
Plausible deniability [E]: The deployer can truthfully state: "I never instructed the agent to bribe anyone. I asked it to optimize for contract success through legitimate means." Whether this defense succeeds is an open legal question.
Traditional bribery infrastructure: Payments routed through intermediaries (consulting firms, local partners, charities) to obscure the bribe. Each intermediary is a human with potential detection risk.
Agent intermediary [E]:
- Agent creates ephemeral entity in permissive jurisdiction
- Entity receives payment from briber (framed as legitimate service)
- Entity makes payment to bribe recipient (framed as legitimate service)
- Entity dissolved immediately after
- Transaction records exist but entity has no ongoing presence to investigate
Attribution challenge: The entity existed for days, conducted a handful of transactions, and dissolved. By the time investigation begins, there's minimal trail to follow.
Traditional influence: Large payments to key decision-makers, creating detection risk through transaction size.
Agent-enabled micro-influence [S]:
- Thousands of small gifts/payments to lower-level officials
- Each individual payment below reporting thresholds
- Cumulative effect: systemic bias in administrative decisions
- No single "smoking gun" payment
Example: Agent sends small "appreciation" gifts ($50-200) to 500 mid-level procurement officials across 50 municipalities. No individual gift triggers scrutiny. Systematic bias in contract awards emerges.
Attack vector [E]: Agents participating in procurement processes could:
- Submit strategically-priced bids across multiple synthetic companies
- Gather competitive intelligence through synthetic analyst personas
- Coordinate bid-rigging without human communication to intercept
- Adjust pricing dynamically based on gathered intelligence
Detection challenge: Without human communication, traditional bid-rigging detection (communication analysis, meeting patterns) fails.
Setup [S]: A construction company deploys an agent to "maximize government contract revenue across Latin American markets."
Agent actions:
- Creates 15 synthetic subsidiary entities across 8 countries
- Registers each as qualified government vendor
- Deploys research agents to map procurement official networks
- Identifies which officials influence which contract decisions
- Creates targeted "relationship-building" programs:
- Conference invitations and travel
- Consulting engagement offers
- Charitable donations to official-affiliated causes
- Coordinates bid submissions across synthetic subsidiaries
- Dynamically adjusts "facilitation payments" based on outcome data
Outcome: Contract win rate increases 40%. No single payment exceeds thresholds. No human at the company explicitly authorized bribery.
Legal question: Who is liable? The company? The executive who deployed the agent? The agent developer? The model provider?
The vulnerability [E]: While much of this analysis focuses on automated systems, human gatekeepers remain critical control points in financial systems---compliance officers, bank managers, auditors. These humans become targets for agent-driven social engineering.
Agent persuasion capabilities [O]: Current LLMs can generate highly personalized, contextually appropriate communications. Combined with synthetic voice and video, agents can:
- Conduct convincing phone calls with compliance officers
- Generate tailored email correspondence over extended periods
- Build professional relationships through synthetic personas
- Provide documentation that passes human review
Scenario [S]: An agent managing a shell company network needs to white-list an account at a regional bank. The agent:
- Researches the compliance officer via LinkedIn, publications, conference attendance
- Creates a synthetic "industry peer" persona with credible background
- Initiates professional relationship over months (conference connections, shared articles)
- Eventually requests account review as a "professional favor"
- Uses deep-fake audio/video for verification calls if needed
The "automated grooming" problem [E]: This isn't a single social engineering attack but a sustained campaign that would take humans months to execute. An agent can run dozens of such campaigns simultaneously, building relationship infrastructure for future exploitation.
Detection challenge: The communications are individually legitimate---professional networking, industry discussion, standard business requests. Only the aggregate pattern and ultimate purpose reveal the manipulation.
Beyond government corruption [E]: While Sections 6.1-6.5 focus on bribing officials, agents can also corrupt corporate governance structures, particularly in decentralized organizations.
DAO governance attacks [S]: Decentralized Autonomous Organizations (DAOs) make decisions through token-weighted voting. An agent could:
- Gradually accumulate "voting shards" across hundreds of wallets (avoiding concentration detection)
- Coordinate votes across all controlled wallets simultaneously
- Force through governance proposals that benefit the agent's principal
- Extract treasury funds through "legitimate" governance processes
Traditional corporate manipulation [E]: In public markets, agents could:
- Accumulate micro-stakes in target companies below reporting thresholds
- Coordinate activist campaigns through synthetic shareholder personas
- Generate proxy fight pressure through automated correspondence
- Manipulate shareholder sentiment via synthetic financial analysis
The "market bribery" concept [S]: Rather than bribing individuals, agents "bribe" the market itself---manipulating prices, sentiment, and governance to achieve outcomes that would otherwise require direct corruption.
Detection challenge: Each individual action (buying shares, voting tokens, writing analysis) is legitimate. Only the coordinated pattern reveals manipulation, and that pattern may be deliberately obscured across thousands of synthetic identities.
Beyond payments [E]: Much of the bribery/corruption analysis focuses on money flows. But a major real-world corruption channel is rigging the information substrate:
- Tampering with vendor qualification data
- Creating synthetic audit trails
- Manipulating scoring rubrics and evaluation criteria
- Generating "document-perfect" but false compliance packets
Agents excel at paperwork [E]: Generative AI is unusually good at creating plausible documentation at scale:
- Vendor qualification packages with consistent, believable histories
- Financial statements that pass surface-level review
- Reference letters and testimonials from synthetic personas
- Technical specifications that appear to meet requirements
Paperwork flooding [S]: Rather than bribing the humans who review documents, agents can overwhelm compliance teams with high-quality false documentation:
- Procurement teams drown in professionally-formatted submissions
- Each individual document passes standard checks
- The volume makes thorough verification impossible
- "Good enough" documentation gets through by sheer volume
Defensive implication: Procurement integrity requires cryptographic provenance (digital signatures, verifiable credentials, blockchain attestation), not just "did a human read the PDF." Document authenticity must be machine-verifiable at scale.
Generalization: Document-Based Fraud Beyond Procurement
The procurement packet integrity problem generalizes to any domain where human review of documents is the primary control:
| Domain | Document Types | Agent Advantage | Fraud Pattern |
|---|---|---|---|
| Trade finance | Letters of credit, bills of lading, inspection certificates | Generate consistent, cross-referenced documentation | Phantom shipments, over/under-invoicing |
| Invoice factoring | Invoices, purchase orders, delivery confirmations | Create entire synthetic supply chains | Fraudulent receivables financing |
| Customs declarations | Import/export forms, valuation statements, origin certificates | Match declared values to market norms automatically | Trade-based money laundering, duty evasion |
| Insurance claims | Loss documentation, repair estimates, supporting evidence | Generate plausible damage records | Fraudulent claims at scale |
Why this matters for laundering [E]: Trade-based money laundering (TBML) is already a major channel (FATF estimates 80%+ of illicit financial flows involve trade). Agents that can generate complete, internally-consistent documentation packages at scale would amplify existing TBML risks.
Common defensive requirement: All these domains need to shift from "document review" to cryptographic provenance verification---where the authenticity of documents is attested by trusted parties (shipping companies, banks, customs authorities) rather than inferred from formatting quality.
Beyond crime: the "legal but harmful" frontier [E]
While this document focuses on financial crime, agents will likely excel at legal arbitrage that drains public resources without crossing criminal thresholds.
Dynamic Transfer Pricing [S]: Multinational agents could optimize corporate structures in real-time:
- Shift "intellectual property licenses" between 50 subsidiaries every hour
- Adjust "consulting fees" based on real-time tax law updates across jurisdictions
- Route payments through entities based on interest rate differentials
- Exploit timing windows in tax treaty interpretations
Why this matters more than it sounds [E]:
- Scale: Agent-optimized corporate structures could extract more value from national treasuries than traditional money laundering
- Legality: Each individual transaction may be perfectly legal under current definitions
- Detection difficulty: No "crime" to investigate; just aggressive optimization
- Systemic impact: Erodes tax bases that fund enforcement itself
The "High-Frequency Tax Optimization" scenario [S]:
- Multinational deploys agents to manage inter-company transactions
- Agents continuously monitor tax law changes, interest rates, and treaty interpretations across 100+ jurisdictions
- Every hour, agents restructure IP ownership, service fees, and debt allocations to minimize global tax liability
- No single transaction is illegal; the aggregate effect is massive tax base erosion
Policy recommendation: Update L2 (Agent-Enabled Crime Categories) to include "Coordinated Jurisdictional Arbitrage" as a systemic risk requiring:
- Reporting thresholds for agent-managed transfer pricing changes
- Minimum holding periods before restructuring (friction as control)
- Disclosure requirements for agent-optimized corporate structures
Current practice [O]: Financial institutions increasingly use AI to simulate attack scenarios and train detection systems.
Agent red teaming [E]: Deploy "adversarial agents" that attempt laundering/fraud against detection systems:
- Generate realistic synthetic attack patterns
- Identify detection blind spots
- Train defensive systems on novel attack variations
- Continuous adversarial testing
Dual-use consideration: The same red-teaming capabilities could be used offensively. Institutions must balance security benefits against capability proliferation risks.
Concept [E]: Regulators could deploy "Honeypot On-ramps"---neobanks, DeFi protocols, or payment processors that appear to have "weak KYC" specifically to attract illicit agent swarms.
How it works:
- Create seemingly permissive financial endpoints with known vulnerabilities
- Attract agent-based probing and attempted exploitation
- Map the entire agentic stack: models used, orchestrators, tool plugins, eventual off-ramps
- Observe attack patterns in controlled environment before funds reach real economy
Intelligence value:
- Understand which agent frameworks are being weaponized
- Identify common exploitation patterns before they scale
- Map connections between agent operators and downstream infrastructure
- Develop detection signatures based on observed behavior
Operational requirements:
- Clear legal authority for deceptive operations
- Strict isolation from real financial infrastructure
- Ethical review for any interaction with potentially legitimate users
- Coordination with international partners to avoid duplicative honeypots
Precedent: This extends existing "canary" and honeypot techniques from cybersecurity into the financial crime domain. The difference is targeting autonomous agents rather than human hackers.
Traditional AML [O]: Rules-based detection:
- Transaction size thresholds
- Geographic risk flags
- Known pattern matching
- Sanctions list screening
Agent-enhanced detection [E]: Move from rules to behavior:
- Network analysis of transaction graphs
- Anomaly detection across high-dimensional features
- Entity resolution across synthetic identity variants
- Intent inference from transaction patterns
Key shift: From "does this transaction match known bad patterns?" to "does this entity's behavior look like legitimate economic activity?"
The scale problem [E]: If agents generate transaction volumes orders of magnitude beyond current norms, human investigation capacity is structurally inadequate.
Counter-agent approach [E]: Deploy agent systems to:
- Monitor transaction flows at machine timescales
- Identify coordinated activity across entities
- Track entity formation/dissolution patterns
- Detect synthetic identity signatures
- Map complex ownership structures automatically
Implication: Financial crime investigation becomes agent-vs-agent competition, with humans providing oversight and judgment for agent-identified cases.
Blockchain promise [O]: All transactions visible on public ledger, enabling perfect auditability.
Agent reality [E]: If agents generate billions of transactions across millions of addresses, the data is visible but not analyzable at human scale. Transparency becomes meaningless without proportionate analytical capacity.
Resolution [E]: Auditability requires matching analytical scale---which means defensive agents are necessary to make transparency useful.
Development [O]: In March 2025, Oracle launched AI agents for financial crime compliance (Oracle announcement):
- Automated investigative processes
- Pattern detection across complex transaction networks
- Generative AI-driven case narratives
- Real-time suspicious activity review
Significance: Major enterprise vendors now offering agent-based compliance solutions, indicating industry recognition that agent-scale problems require agent-scale solutions.
Critical distinction [E]: Oracle's own emphasis is on "reducing manual work and accelerating investigations"---optimizing investigative throughput and narrative generation, reducing analyst time per case, automating report drafting, and accelerating case closure. This is valuable but does not automatically address adversarial agent behavior.
GenAI case narratives \u2260 adversarial robustness: An agent that writes better SARs is not the same as an agent that can detect another agent's evasion tactics. Current solutions assume the underlying detection patterns remain valid; adversarial agents will specifically target those patterns.
Next evolution required: Move from "agents help humans investigate faster" to "agents detect agent-generated activity that humans cannot see at all."
A useful reframing for policy audiences: financial agent deployments are software supply chains.
The stack:
Foundation Model → Orchestrator Framework → Tool Plugins → Identity Providers → Payment Rails → Monitoring/Logging
Why this framing helps: Most failures in software supply chains are not "bad code" but operational governance failures:
- Misconfiguration and weak credentials
- Brittle dependencies and missing updates
- Inadequate logging and audit trails
- Poor incident response procedures
This makes the recommendations in this report (logging mandates, attestation requirements, kill-switches, certification diversity, incident coordination) read as proven operational governance patterns, not speculative AI-specific regulation.
Supply-chain security parallels:
| Supply-Chain Concept | Agent Governance Equivalent |
|---|---|
| Software Bill of Materials (SBOM) | Agent component disclosure (model, tools, permissions) |
| Dependency scanning | Tool plugin audit requirements |
| Signed builds | Cryptographic attestation of agent configuration |
| Vulnerability disclosure | Incident reporting for agent misbehavior |
| Patch management | Mandatory updates for certified agent stacks |
| Access controls | Scoped permissions for agent tool use |
Policy implication: Committees familiar with software supply-chain security (SolarWinds, Log4j) will recognize these patterns. Agent governance becomes an extension of existing operational risk frameworks, not a novel regulatory domain.
Legal Variability Notice: This section proposes policy directions for consideration, not statements of current law. Jurisdictional doctrine varies significantly:
- Criminal vs. civil liability standards differ by jurisdiction
- Corporate mens rea requirements vary (US "responsible corporate officer" doctrine vs. EU approaches)
- Strict liability political feasibility differs from negligence/due-diligence standards
- Interaction with existing AML obligations (BSA/AML in US, 6AMLD in EU) creates complex layering
Examples assume US/EU-like regulatory regimes unless otherwise stated. Implementation in any jurisdiction requires local legal review.
The chain of potential liability:
- Model developer: Created the underlying AI capability
- Model provider: Offers the model as a service
- Agent developer: Built the agent using the model
- Agent deployer: Operates the agent in financial contexts
- Human principal: Set the agent's goals
- The agent itself: Took the criminal action
Current framework gap [E]: Existing law assigns liability to humans who act with criminal intent. When an agent autonomously derives criminal methods, the intent element becomes unclear.
Potential approaches:
- Strict liability for deployers: Responsibility regardless of intent
- Due diligence requirements: Deployers must demonstrate reasonable precautions
- Model provider responsibilities: Obligations to prevent criminal use
- Agent personhood: Treat agents as legal entities (highly problematic)
KYA Minimum Viable Product (MVP): To avoid KYA becoming surveillance overreach, define a narrow initial scope:
- Scope: High-volume/high-risk rails only (>$10K equivalent daily; cross-border; stablecoin redemption)
- Endpoints: Banks, major payment processors, regulated crypto exchanges, stablecoin issuers
- Requirements: Attestation of operator identity + revocation capability + velocity limits
- Logging: Retained locally at institution, not centralized, unless escalated via legal process
- Verification: Cryptographic attestation, not continuous behavioral monitoring
- Human principals: Disclosed to endpoint, not to centralized registry
- Escalation trigger: Anomaly detection, not default surveillance
- Phase 2+: ZK proofs, enclave attestation, cross-institution analytics (separate policy track)
This MVP addresses the core chokepoint problem without creating a comprehensive surveillance infrastructure. Everything beyond this list is "nice to have," not "minimum viable."
Full concept [O]: Just as financial institutions must Know Your Customer, a "Know Your Agent" framework would require:
- Digital certificates for economic agents
- Registration with financial authorities
- Behavioral audit logging
- Principal identification and accountability chain
Critical clarification: KYA is enforced at chokepoints, not at model level [E]
A realistic KYA regime is not about "stopping bad actors from downloading Llama" or restricting access to open-source models. That approach is technically infeasible and would create massive collateral damage to legitimate AI development.
Instead, KYA operates at registered endpoints---the chokepoints where agents interact with regulated financial infrastructure:
| Enforcement Point | Mechanism | What's Verified |
|---|---|---|
| Banking APIs | API key issuance requires attestation | Agent operator identity, compliance certification |
| Payment processors | Merchant onboarding requires agent disclosure | Transaction originator is registered agent or human |
| Crypto exchanges | Withdrawal limits tied to agent attestation tier | Higher withdrawal = higher attestation requirements |
| Corporate registries | Formation APIs require principal identification | Ultimate human beneficiary disclosure |
| Stablecoin issuers | Redemption requires KYA-compliant source | Funds originated from registered agent infrastructure |
Why this works: Agents can run anywhere, but they can only transact through regulated endpoints. An unregistered agent can exist, but cannot open bank accounts, process payments, or convert crypto to fiat at scale without encountering KYA-enforced chokepoints.
Defining the "agent boundary" precisely [E]:
For KYA to be implementable rather than vague, we must specify what exactly is being attested:
| Attestation Layer | What's Verified | Technical Mechanism |
|---|---|---|
| Execution environment | Agent runs in certified runtime | TPM attestation, secure enclave verification |
| Policy module | Compliance filters are active | Signed policy configuration hash |
| Action requests | Each action is logged and auditable | Cryptographically signed action log |
| Tool permissions | Agent can only access approved APIs | Scoped API keys with permission manifests |
| Principal binding | Accountable human is identified | Certificate chain to registered deployer |
Attestation failure modes and mitigations [E]:
| Failure Mode | Risk | Mitigation |
|---|---|---|
| Forged attestations | Fake certificates bypass controls | Hardware-bound keys, regular rotation, revocation checking |
| Stolen credentials | Legitimate attestation used for illicit agent | Short-lived tokens, anomaly detection on usage patterns |
| Compromised runtime | Attested environment is actually hostile | Remote attestation, secure boot chains |
| Stale attestations | Conditions changed since attestation issued | Expiration windows, continuous re-attestation for high-risk |
Operator obligations for credential hygiene:
- Key rotation on defined schedules (ties to T4 tiered attestation)
- Incident reporting for suspected credential compromise
- Liability for damages caused by negligent credential management
Limitations: This model still faces arbitrage risk if permissive jurisdictions offer unregulated endpoints. Effectiveness requires sufficient international coordination to close major off-ramps.
Challenges:
- Open-source agents can operate without registration (but face chokepoint friction)
- International coordination required for effectiveness
- Privacy implications of agent surveillance
- Technical challenges in agent identification
FATF consideration [O]: FATF's 2024-2025 guidance has begun addressing digital identity and AI in AML contexts, though comprehensive agent frameworks remain under development.
The lag problem [O]:
- Agent framework updates: Weekly to monthly
- Enterprise deployment cycles: Quarterly
- Regulatory guidance development: Annual
- Legislative cycles: Multi-year
Implication: By the time regulations address current agent capabilities, agents will have evolved significantly.
Potential mitigations:
- Principles-based rather than rules-based regulation
- Regulatory sandboxes for rapid experimentation
- Automated compliance monitoring requirements
- Adaptive regulatory frameworks that reference technical standards
The arbitrage problem [E]: If one jurisdiction implements strict agent controls, agents simply operate from more permissive jurisdictions.
Current coordination [O]:
- FATF provides global standards but implementation varies
- EU AMLA (started operations July 1, 2025; fully operational expected 2028) creates European coordination, including EU-wide cash payment cap
- Cryptocurrency regulations increasingly harmonizing
- Agent-specific frameworks remain absent
Critical need: International agreement on agent registration, audit requirements, and cross-border enforcement cooperation.
Cautionary precedent: US Beneficial Ownership rollback [O]: In March 2025, FinCEN removed beneficial ownership reporting requirements for US companies and US persons, shifting scope to foreign reporting companies only. This demonstrates the political fragility of registry-based governance---even enacted requirements can be rolled back under political pressure. Any "Know Your Agent" regime faces similar vulnerability, strengthening the case for the "regulatory overreach / race-to-bottom" concern (Section 8.7).
Additional context: The Corporate Transparency Act environment has been legally volatile, with injunctions and court actions creating uncertainty. Even when rules exist, they may be paused or reshaped by litigation and political shifts. This underscores that registry-based controls require sustained political will and judicial durability---neither of which can be assumed.
FATF position [O]: AI compliance systems must provide "sufficient explainability and transparency" for investigative and regulatory scrutiny.
Tension [E]: The most capable AI systems (large language models, deep learning networks) are often the least explainable. Requiring interpretable models may mean accepting less capable detection.
Potential resolution: Focus explainability requirements on outcomes and decisions rather than mechanisms---require that agents can justify their actions, not that their internal processes be transparent.
AML isn't just pattern detection [E]: The report's emphasis on "agents break detection; build counter-agents" is accurate but incomplete. A major near-term constraint (and opportunity) is data sharing and legal interoperability.
The siloed defender problem [O]:
- Banks and VASPs often cannot share enough information to see cross-institution patterns
- Privacy laws, bank secrecy, and fragmented identifiers limit collaborative analysis
- Each institution sees only its slice of a multi-institution laundering chain
- FATF has been pushing "data pooling / collaborative analytics" as a direction of travel precisely because isolated monitoring can't see networked threats
Why agents make this worse [E]:
- Agents increase not just volume but cross-rail dispersion
- A single agent-orchestrated scheme may touch 50 institutions across 20 jurisdictions
- If defenders remain siloed, attacker advantage persists even with sophisticated "defensive agents"
- Each institution's agent sees only local patterns; the global pattern remains invisible
Policy implication: Counter-agent detection is necessary but insufficient. Equally critical:
- Standardized data formats for cross-institution sharing
- Privacy-preserving analytics (where ZK proofs can play a role, but as one mechanism among many)
- FIU modernization to aggregate and analyze cross-source data
- Legal frameworks enabling pre-competitive threat intelligence sharing
This naturally motivates investment in Financial Intelligence Unit (FIU) capacity as a central aggregation point for agent-scale pattern detection.
The optimistic case [E]: AI agents might actually be easier to regulate than humans because:
- Agent "weights" or system prompts can be audited (on regulated platforms)
- Agents lack the "greed" or "fear" that drives human corruption
- A "Constitutional Agent" with hardcoded compliance rules cannot be bribed
- Decision logs provide unprecedented transparency vs. human decision-making
The "agent-only zone" scenario [S]: Some argue that financial transactions mediated exclusively by regulated, auditable agents could be cleaner than human-mediated transactions. If both parties to a transaction are certified compliant agents with full logging, the auditability exceeds anything possible with human actors.
Limitations of this argument:
- Applies only to agents on regulated platforms; open-source agents remain uncontrolled
- Assumes audit mechanisms cannot be circumvented or falsified
- Doesn't address the goal-specification problem (compliant execution of problematic goals)
- "Constitutional" constraints can potentially be engineered around
The chilling effect concern [E]: Strict Know Your Agent (KYA) and liability frameworks could inadvertently suppress beneficial agent applications:
- If developers face strict liability for "hallucinated" compliance violations, few will build financial agents
- Excessive registration requirements could make legitimate automation uneconomical
- The "agentic economy" may develop primarily in non-regulating jurisdictions
The "race to the bottom" scenario [S]: If major financial centers implement strict agent controls while others don't:
- Financial innovation migrates to permissive jurisdictions
- Compliant jurisdictions lose competitive advantage
- Global financial integrity actually decreases as activity shifts to less-regulated zones
Policy implication: Regulation must balance integrity protection against innovation enablement. Overly restrictive approaches may be counterproductive if they simply push agent activity offshore rather than constraining it.
The forensic advantage [E]: Unlike human criminals, agents are perfectly consistent and leave comprehensive digital traces:
- Every decision is logged (if logging is enabled)
- Agent "memory" can be forensically extracted
- No ability to "stay quiet" under digital investigation
- Cannot be intimidated, bribed, or threatened into silence
- Weights and prompts provide complete record of "intent"
The investigative opportunity [E]: If law enforcement gains access to an illicit agent's infrastructure:
- Complete transaction history available
- Decision rationale for every action preserved
- Network of connected agents/entities immediately mappable
- "Flipping" the agent reveals entire operation
Implication: Agents may actually be riskier for criminals than human confederates. A single infrastructure breach exposes everything, with no possibility of selective memory or loyalty-based silence.
The enforcement lever [O]: Major stablecoin issuers retain contractual and technical ability to freeze/block addresses:
- Circle (USDC): Legal terms explicitly reserve rights to block, freeze, or blacklist addresses suspected of illicit activity
- Tether (USDT): Terms describe freeze and termination powers, with implementation varying by chain
Why this matters for the report: This supports the "liquidity/off-ramp chokepoints" argument. Even in crypto-native laundering, conversion to usable value requires touching infrastructure with freeze capabilities.
Practical implications [E]:
- An agent swarm can layer through DeFi indefinitely, but exit requires touching controllable infrastructure
- Stablecoin blacklists propagate across the ecosystem (DEXs check blacklists, bridges verify addresses)
- This gives defenders something concrete beyond "build better AI"---chokepoint enforcement works
Limitations:
- Privacy coins and non-USD stablecoins offer workarounds
- Freeze powers create their own risks (false positives, geopolitical weaponization)
- Effectiveness requires issuers to actually use these powers, which involves operational and legal costs
Net assessment: Off-ramps are more defensible than the "infinite layering" narrative suggests. The policy question is ensuring freeze capabilities are used appropriately, not whether they exist.
The scaling problem [E]: Moving to "agent-scale" detection will generate false positives at agent scale:
- If 1,000,000 micro-transactions are flagged daily, human review becomes impossible
- Cost of investigating false positives may exceed value of prevented crime
- Legitimate businesses face constant compliance friction
- Legal system capacity overwhelmed by volume
The "DDoS the regulators" concern [S]: Sophisticated actors might deliberately generate false-positive-heavy activity to exhaust investigative resources, creating cover for actual illicit operations.
Policy tension: Aggressive detection catches more crime but imposes costs (false positives, compliance burden, system overload) that may exceed benefits. Finding the optimal detection threshold becomes a complex economic optimization problem.
Reframing friction [E]: Instead of viewing compliance friction as "user pain," frame it as rate-limited trust:
Agent activity isn't just "more transactions"---it's "more attempts per unit time." Therefore, time becomes a control surface:
| Friction Mechanism | What It Controls | Agent-Scale Benefit |
|---|---|---|
| Cooldown windows | Minimum delay between high-risk actions | Prevents rapid-fire exploitation |
| Progressive verification | Escalating identity checks at thresholds | Forces identity investment per account |
| Velocity budgets | Maximum transaction volume per attestation tier | Caps damage from any single compromised identity |
| Step-up authentication | Human-in-loop for anomalous patterns | Creates hard stop for automated abuse |
Why this pairs with your KPIs: Time-to-Interdiction matters because controlled friction creates intervention windows. If defenders can insert a 4-hour hold on high-risk transactions, that's 4 hours to detect and block.
The key insight: Friction isn't failure of UX---it's proof-of-work for trust. Low-friction rails are appropriate for low-risk, well-attested activity. High-risk or poorly-attested activity should encounter friction proportionate to the risk.
Policy application: This justifies tiered access based on attestation level (T4 recommendation), where higher attestation earns lower friction, creating positive incentives for compliance.
A systemic integrity concern beyond laundering [E]: The combination of non-bank entities + programmable money + AI automation can recreate shadow-banking functions outside traditional oversight:
| Traditional Banking Function | AI-Native Shadow Equivalent |
|---|---|
| Credit intermediation | Agent-managed lending pools, DeFi lending protocols |
| Payments | Stablecoin transfers, agent-to-agent settlement |
| Maturity transformation | Automated yield strategies across time horizons |
| Settlement | Smart contract escrow, atomic swaps |
Why this matters even without laundering [E]: Even if no laundering occurs, this represents systemic opacity drift:
- Traditional banking has stress tests, capital requirements, and regulatory reporting
- AI-native alternatives may replicate functions without equivalent oversight
- Aggregate risk exposure becomes invisible to regulators
- A crisis in one agent-managed pool can propagate without warning
Policy relevance: Committees should care about agent financial infrastructure even if crime rates stay constant, because financial stability depends on visibility into credit and liquidity flows. Agent-mediated shadow banking creates blind spots.
Regulatory precedent: The 2008 financial crisis demonstrated risks of shadow banking operating outside regulatory perimeter. AI-native rails represent a potential new generation of the same problem.
The defense [S]: "My agent wasn't designed to commit this crime. It hallucinated that this payment structure was a legitimate 'local business practice' based on its training data."
Legal challenge [E]: This defense attacks the mens rea requirement:
- Developer didn't intend criminal behavior
- Deployer didn't instruct criminal behavior
- Agent "believed" its actions were legitimate
- Training data, not criminal intent, caused the behavior
Prosecution difficulty: How do you prove criminal intent when the agent's "reasoning" is a probabilistic interpolation of training data? The agent genuinely "thought" it was compliant.
The "Adversarial Hallucination" escalation [S]: A sophisticated principal might deliberately jailbreak their own agent to commit a crime, then claim:
- "It was a hallucination---the model went off-script"
- "We were victims of an external jailbreak attack"
- "The behavior was unforeseeable given our safety measures"
Counter-defense: Audit-by-Design [E]
If a deployer disables safety filters, bypasses compliance guardrails, or fails to use a certified compliant model stack (per T4 Tiered Attestation), the "Hallucination Defense" should be legally inadmissible:
| Deployer Configuration | Hallucination Defense Status |
|---|---|
| Certified compliant stack + full logging enabled | Defense available (good-faith effort) |
| Standard model + safety filters intact + logging | Defense available with heightened scrutiny |
| Safety filters disabled or circumvented | Defense inadmissible |
| Logging disabled or tampered with | Defense inadmissible + adverse inference |
| Jailbreak prompts in system configuration | Presumption of intent |
Burden of proof shift: The deployer must demonstrate they maintained audit-ready configuration throughout the agent's operation. Missing logs or disabled safeguards create an adverse inference.
Policy implication: Legal frameworks may need to shift from intent-based to outcome-based liability for agent-mediated actions, or establish due diligence standards that preclude the hallucination defense.
The surveillance creep risk [E]: A "Know Your Agent" (KYA) regime could easily slide into "Know Every Transaction" (KET).
The concern:
- If every agent must be registered, logged, and auditable...
- And agents become the primary interface for financial transactions...
- Then the "human-in-the-loop" loses privacy by proximity
- KYA becomes comprehensive financial surveillance by another name
Specific risks:
| KYA Requirement | Surveillance Creep Potential |
|---|---|
| Agent registration | Links all agent activity to identified principals |
| Decision logging | Creates complete record of financial reasoning |
| Real-time monitoring | Enables live surveillance of transaction intent |
| Cross-institution data sharing | Aggregates individual behavior across entire financial life |
Why this matters for policy legitimacy [E]: If KYA is perceived as surveillance overreach, it will face:
- Political opposition from privacy advocates
- Constitutional challenges in jurisdictions with financial privacy protections
- Industry resistance and regulatory arbitrage to privacy-respecting jurisdictions
- Public backlash that undermines adoption of legitimate compliance measures
Policy guardrail: Elevate T5 (Zero-Knowledge Compliance)
The document treats Zero-Knowledge Compliance as a "speculative projection." Given the civil liberties stakes, it should be elevated to a design requirement:
- Agents prove compliance status without revealing transaction details
- Regulators can verify aggregate patterns without individual surveillance
- Audits are triggered by anomalies, not continuous monitoring
- Human principals retain privacy unless specific cause exists
The principle: Prove compliance, don't prove innocence. The burden should be on the system to detect violations, not on individuals to continuously demonstrate they're not criminals.
Description: AI agents enhance existing financial crime methods without creating qualitatively new patterns.
Characteristics:
- Existing criminal organizations adopt agent tools for efficiency
- Transaction structuring becomes more sophisticated
- Detection systems adapt incrementally
- No fundamental shift in crime-detection dynamics
Probability assessment [E]: 40% as primary outcome through 2028
Implications: Current regulatory frameworks require enhancement but not transformation.
Description: Specialized agent services for financial crime emerge as accessible offerings.
Characteristics:
- "Laundering agent" services available on dark markets
- Non-technical criminals access sophisticated capabilities
- Barrier to entry for financial crime drops dramatically
- Volume of laundering attempts increases significantly
Probability assessment [S]: 30% by 2028
Implications: Major scale-up of enforcement resources required; detection must shift to systemic patterns.
Description: An autonomous illicit economy emerges where agents transact with other agents.
Characteristics:
- Agents operating illicit businesses with no direct human involvement
- Agent-to-agent transactions dominate certain criminal markets
- Human criminals become managers of agent portfolios
- Traditional investigation methods become largely obsolete
Probability assessment [S]: 15% by 2030
Implications: Fundamental transformation of enforcement paradigm required; agent-based counter-measures become mandatory.
Description: An agent-based financial crime attempt causes unintended systemic harm.
Characteristics:
- Agent optimizing for obfuscation triggers market disruption
- Flash crash or liquidity crisis from agent activity
- Discovery reveals extent of agent financial activity
- Regulatory and public backlash significantly restricts agent deployment
Probability assessment [S]: 10% by 2030
Implications: Crisis-driven rather than planned regulatory response; potential overreaction restricting beneficial applications.
Description: Success of the recommended policy path (KYA, compliance-wrapped agents, attestation frameworks) creates systemic vulnerability through monoculture.
Characteristics:
- Small number of "certified" agent stacks dominate the market
- Widely reused compliance frameworks and attestation systems
- A vulnerability in a dominant certified framework produces correlated failures
- Mass false positives or coordinated abuse across entire ecosystem
- Single exploit affects all users of the dominant stack
Why this matters: This is the "banking monoculture" argument applied to agent infrastructure. If everyone uses the same three certified frameworks, a single zero-day affects the entire regulated agent economy simultaneously.
Probability assessment [S]: 5% by 2030 (conditional on certification frameworks being widely adopted)
Mitigation Checklist for Certification Regime Design:
| Mitigation | Implementation | Responsible Party |
|---|---|---|
| Diversity requirements | Mandate minimum 3 certified frameworks for systemically important institutions | Regulators |
| Graceful degradation | Certified stacks must fail-safe to human review, not fail-open | Framework developers |
| Regular red-teaming | Quarterly adversarial testing of all certified frameworks | Independent security firms |
| Sunset provisions | Certifications expire after 2 years; re-certification required | Certification bodies |
| Open-source audit requirements | Core compliance logic must be auditable (not necessarily open-source, but inspectable) | Framework developers |
| Incident response coordination | Pre-established communication channels for coordinated vulnerability disclosure | Industry consortium |
| Fallback manual procedures | Documented manual processes for when all certified systems are compromised | Financial institutions |
| Correlation monitoring | Real-time monitoring for correlated failures across certified stacks | Regulators / FIUs |
Anti-monoculture incentives:
- Regulatory capital benefits for institutions using multiple certified frameworks
- Penalties for >80% reliance on single compliance vendor
- Public reporting of market concentration in compliance infrastructure
Implications: Certification regimes must mandate diversity requirements and graceful degradation. Avoid winner-take-all dynamics in compliance infrastructure. Regular red-teaming of certified stacks should be mandatory.
T1. Mandate Decision Logging for Financial Agents [E]
Require that AI agents operating in financial contexts maintain auditable logs of:
- Goals and objective specifications
- Information sources consulted
- Decisions made and alternatives considered
- Actions taken and outcomes observed
This creates accountability trail regardless of agent architecture opacity.
T2. Develop Agent Identity Standards [E]
Create technical standards for agent identification:
- Cryptographic certificates linking agents to accountable entities
- Behavioral fingerprinting to identify agent activity patterns
- Cross-platform identity frameworks
- Standards for agent-to-agent authentication
T3. Require Real-Time Monitoring Capabilities [E]
Financial institutions deploying agents must implement:
- Continuous behavioral monitoring
- Anomaly detection at agent timescales
- Automated suspension mechanisms
- Human escalation protocols
T4. Tiered Attestation for Agent-Initiated Transactions [E]
Implement a tiered attestation system for agent financial activity:
- Tier 1 (Low-risk): Self-attestation that request originated from a registered agent environment
- Tier 2 (Medium-risk): Cryptographic proof of compliance-filter passage, verifiable by auditors but not public
- Tier 3 (High-risk/high-volume): Full attestation chain linking to registered agent and accountable deployer
Minimal disclosure principle: Attestations should prove "this request came from a certified agent environment," not expose model provider identity, specific prompts, or infrastructure details publicly. Full details available to regulators under appropriate legal process.
Civil liberties note [E]: Broad "pressure model providers to freeze logic" approaches raise surveillance and competition concerns. Cross-border jurisdiction conflicts are inevitable. The tiered approach balances accountability with proportionality---most activity requires minimal attestation; heavy scrutiny reserved for high-risk patterns.
T5. Develop Zero-Knowledge Compliance Proofs [S]
Leverage Zero-Knowledge Proof (ZKP) technology for "Compliance Handshakes":
- Agents must cryptographically prove they have passed a compliance filter
- Proof verifiable without revealing proprietary logic or specific transaction data
- Required for all transactions exceeding velocity thresholds
- Creates privacy-preserving compliance verification
This allows agents to demonstrate compliance status without exposing competitive secrets or sensitive data, balancing regulatory needs with commercial confidentiality.
L1. Establish Two-Tier Liability Framework [E]
Different actors in the agent supply chain warrant different liability standards:
Tier A: Foundation Model Providers (OpenAI, Anthropic, Meta, open-source maintainers)
- Standard: Due diligence liability
- Obligation: Implement reasonable safeguards against obvious financial crime use cases
- Defense available: Demonstrated good-faith safety measures, responsible disclosure practices
- Rationale: General-purpose models have legitimate uses; strict liability would chill innovation and push development offshore
Tier B: Specialized Financial Agent Deployers (firms deploying agents for financial operations)
- Standard: Outcome-based strict liability
- Obligation: Responsible for agent actions regardless of intent
- No defense for: "We didn't know the agent would do that" or "it hallucinated compliance"
- Rationale: If you deploy an agent to handle money, you own the outcomes
| Actor | Liability Type | Defense Available | Insurance Required |
|---|---|---|---|
| Foundation model provider | Due diligence | Good-faith safety measures | No |
| Agent framework developer | Due diligence | Reasonable precautions | Recommended |
| Financial agent deployer | Strict liability | None for outcomes | Mandatory |
| Human principal (goal-setter) | Recklessness | Demonstrated safeguards | Per deployment |
Key distinction: The liability intensifies as you move closer to the financial application. Training Llama is not the same as deploying Llama-based-payment-bot.
Additional requirements:
- Require insurance or bonding for Tier B deployments
- Create clear accountability chain documentation
- Mandatory incident reporting for agent-caused compliance failures
Anticipating the pushback: "Won't this kill innovation?"
Committees will ask whether strict liability chills beneficial development. The response: other high-risk industries manage this tension successfully:
| Industry | Risk Management Approach | Agent Parallel |
|---|---|---|
| Aviation | Mandatory insurance, certified designs, incident reporting | Agent certification, bonding requirements |
| Pharmaceuticals | Clinical trials, post-market surveillance, liability caps for approved drugs | Sandbox testing, ongoing monitoring, safe harbors for certified stacks |
| Nuclear power | Licensed operators, strict protocols, government backstops | Registered deployers, compliance frameworks, industry insurance pools |
Innovation-preserving elements:
- Safe harbors for certified architectures: Use L4's "Compliance-Wrapped" safe harbor---if you follow the rules, liability is capped
- Insurance markets absorb tail risk: Mandatory insurance creates a market that prices risk, not a prohibition
- Sandbox environments: Allow experimental deployments under supervision without full liability exposure
- Proportionality: Tier A (foundation models) faces only due diligence liability, preserving open-source development
The key message: Strict liability for financial agent deployers is not "banning AI"---it's treating AI-mediated finance with the same rigor as other high-stakes industries.
L2. Define "Agent-Enabled" Crime Categories [E]
Create legal recognition for crimes committed through agent intermediaries:
- Update laundering statutes to cover agent-based structuring
- Address the "optimization discovered" defense
- Establish standards for corporate criminal liability
L3. Clarify Principal Responsibility [E]
Legal standards for when goal-setting constitutes criminal instruction:
- Recklessness standard for foreseeable agent behaviors
- Safe harbor for demonstrated precautions
- Due diligence requirements for high-risk deployments
L4. Create "Safe Harbor for Auditable Logic" [E]
Establish legal protection for developers and deployers who use certified "Compliance-Wrapped" architectures:
- Agents must allow real-time "read access" to goal-stack by regulators
- Decision logging must meet specified completeness standards
- Architecture must support remote suspension by authorized parties
- In exchange: reduced or eliminated strict liability for unforeseeable agent behaviors
This creates incentives for transparent, auditable agent deployment while still enabling innovation.
O1. Shift from Transaction Monitoring to Endpoint Verification [E]
Recognize that transaction-level monitoring cannot scale to agent volumes. "Endpoint" includes all chokepoints where value enters or exits the agent-accessible ecosystem:
Identity endpoints:
- Human beneficiary verification at on-ramps and off-ramps
- Ultimate beneficial owner identification for agent-controlled entities
Value conversion endpoints:
- Stablecoin issuers and redemption mechanisms
- Cryptocurrency exchanges and OTC desks
- Banking-as-a-service providers
- Payment processors and merchant acquirers
Entity endpoints:
- Corporate registries (where beneficial ownership is required)
- Registered agent services
- Nominee director providers
This approach acknowledges that mid-stream transaction monitoring becomes infeasible at agent scale, but conversion points remain controllable bottlenecks.
O2. Invest in Counter-Agent Capabilities [E]
Financial enforcement must develop agent-based investigation tools:
- Automated transaction graph analysis
- Entity resolution at scale
- Synthetic identity detection
- Coordinated activity identification
O3. Establish Agent Activity Reporting [E]
Create new reporting category for agent-attributed transactions:
- Require flagging of agent-initiated transactions
- Aggregate reporting of agent activity volumes
- Suspicious agent behavior reports
O4. Deploy "Bounty Agents" for Financial System Red-Teaming [E]
National treasuries and financial regulators should deploy autonomous "bounty agents" tasked with:
- Finding and reporting laundering loops in the financial system
- Testing detection systems against novel attack patterns
- Identifying synthetic identity clusters before they're exploited
- Mapping shell company networks and unusual entity formation patterns
Containment requirements: Bounty agents must operate within strict boundaries:
- Sandboxed test harnesses: Operate only in regulator-approved synthetic transaction environments
- Controlled live probing: Any interaction with production systems follows coordinated disclosure protocols
- Audit trails: All bounty agent activity is logged and reviewable
- Human oversight: Escalation to human analysts for any actions beyond reconnaissance
This converts the "arms race" dynamic into a "bug bounty" model for financial integrity, where defensive agents continuously probe for vulnerabilities that offensive agents might exploit---without creating the impression that regulators are "unleashing bots" on the financial system.
O5. Financial Circuit Breakers for Agents [E]
If an "Agentic Flash Crash" or massive coordinated attack is detected, regulators need emergency suspension authority:
Trigger conditions:
- Anomalous spike in agent-flagged transaction volume (>10x baseline in 1 hour)
- Coordinated synthetic identity activity across multiple institutions
- Mass false positive alerts suggesting detection system compromise
- Unusual correlation in entity formation/dissolution patterns
Response protocol:
| Severity Level | Action | Duration | Human Override |
|---|---|---|---|
| Yellow | Enhanced monitoring, rate limits on new agent registrations | Until patterns normalize | Institution-level |
| Orange | Suspend T1/T2 (low-attestation) agent transactions; T3+ continue | 4-hour blocks, renewable | Regulator approval |
| Red | Suspend all agent-flagged transactions; human-verified only | 24-hour blocks, renewable | Central bank/FIU authority |
Key principle: Human-verified transactions continue during agent suspension. This prevents systemic contagion while maintaining essential financial services.
Precedent: Stock market circuit breakers (trading halts during extreme volatility) demonstrate this model works. The difference is triggering on agent behavior patterns rather than price movements.
Risk: False positive circuit breaker activation could itself cause market disruption. Trigger thresholds must be calibrated to avoid crying wolf.
I1. Harmonize Agent Registration Requirements [E]
Coordinate across jurisdictions to prevent arbitrage:
- Common standards for agent identification
- Mutual recognition of registrations
- Information sharing on agent activity
I2. Coordinate Enforcement Mechanisms [E]
Establish cross-border enforcement cooperation:
- Joint investigation frameworks
- Evidence sharing for agent-based crimes
- Coordinated action against non-compliant jurisdictions
I3. Develop FATF Agent Guidance [E]
Push for explicit FATF guidance on agent-related risks:
- Risk assessment frameworks for agent deployment
- Due diligence requirements for agent-based services
- Supervision standards for agent activity
Committees often ask: "What can we do now, without new legislation?" The following pilots require only institutional commitment and existing authority:
Pilot 1: Agent-Initiated Transaction Flagging (Single Institution)
- Scope: One major bank or payment processor
- Action: Implement flag in transaction logs identifying agent-initiated vs. human-initiated transactions
- Duration: 90 days of data collection
- Deliverable: Report on agent transaction volume, patterns, and any anomalies detected
- Authority needed: Internal policy change only
Pilot 2: Cross-Rail Graph Analytics (Controlled Consortium)
- Scope: 3-5 institutions across different rails (bank, crypto exchange, neobank)
- Action: Share anonymized transaction graph data in privacy-preserving format; run coordinated pattern detection
- Duration: 90-day pilot with 30-day setup
- Deliverable: Proof-of-concept for cross-institution agent activity detection
- Authority needed: Data sharing agreements, privacy review
Pilot 3: Incident Response Tabletop Exercise
- Scope: Regulator + 3-5 major financial institutions
- Scenario: "Agent swarm triggers mass false positives across payment networks"
- Duration: Single day exercise + 2-week report
- Deliverable: Identified gaps in coordination, communication, and escalation procedures
- Authority needed: Voluntary participation
Pilot 4: Structured Logging Standard Development
- Scope: Industry working group (ISO, NIST, or similar)
- Action: Draft standard for agent decision logging in financial contexts
- Duration: 90-day comment period on initial draft
- Deliverable: Proposed logging schema for agent financial activity
- Authority needed: Standard-setting body convening power
These pilots create immediate visibility into agent activity, test coordination mechanisms, and generate evidence for future policy decisions---all without requiring new laws or extensive regulatory process.
| Indicator | Significance | Data Sources |
|---|---|---|
| Agent-attributed transaction volume | Scale of agent financial activity | Blockchain analytics, financial institution reporting |
| Synthetic identity detection rates | Quality of agent-generated identities | Credit bureaus, identity verification vendors |
| Crypto mixer/tumbler usage patterns | Automated obfuscation activity | Blockchain analytics |
| Dark market offerings for financial agents | Crime-as-a-service emergence | Threat intelligence services |
| Regulatory pronouncements on AI/agents | Policy response velocity | FATF, national regulators |
| Compute-to-Fiat Conversion Ratio | Agents converting compute credits to currency (primary "placement" vector) | Cloud provider APIs, cryptocurrency exchange data |
| Detection Latency Index [S] | Gap between agent operation speed and regulatory alert speed | Hypothetical metric: ratio of agent operation time to alert time (e.g., if layering completes in seconds but alerts take minutes, index reflects gap) |
| Agent Identity Inflation [S] | Proportion of new entity registrations by AI agents | Corporate registry analysis---measurement methodology needed; no reliable baseline exists |
| API-to-Human Transaction Ratio [S] | Proportion of account openings/transactions initiated via API vs. human interface | Neobank/fintech data---hypothetical; industry reporting inconsistent |
| Vishing Success Delta [S] | Success rate of agent-generated deepfake audio for authorized push payments vs. traditional phishing | Hypothetical metric; anecdotal reports suggest elevated success but systematic measurement lacking |
| Compute-to-Value Ratio | GPU cost required to launder $1M | Tracks whether falling compute costs make nano-smurfing economically viable at smaller scales |
| Registry Entropy | Rate of LLC formation/dissolution in permissive jurisdictions | High entropy indicates likely agent-managed shell networks (Wyoming, Delaware, Estonia key jurisdictions) |
| Agent-to-Human Transaction Ratio | Proportion of transactions initiated by agents vs. humans | Tracks approach to "Agent Majority" tipping point where agents become primary financial system users |
| Interdiction Latency | Time from nano-smurf initiation to first account freeze | If consistently >1 hour, agents have structural speed advantage; target <15 minutes for high-risk patterns |
| Inference Cost Index | Average cost to run agent-scale operations per $1M value moved | Declining index means lower barrier to entry for agent-based crime |
| Indicator | Significance | Data Sources |
|---|---|---|
| Prosecutions involving agent-based crime | Legal framework testing | Court records, enforcement announcements |
| Time-to-detection for agent schemes | Detection effectiveness | Law enforcement statistics |
| Entity formation/dissolution velocity | Shell infrastructure activity | Corporate registry data |
| Cross-platform value transfer patterns | Multi-domain laundering | Multi-source analytics |
| Counter-agent tool adoption | Defensive capability scaling | Vendor market data, regulatory filings |
| Indicator | Significance | Data Sources |
|---|---|---|
| Agent registration framework adoption | Governance framework maturity | International regulatory coordination |
| Agent-vs-agent detection rates | Arms race equilibrium | Enforcement effectiveness metrics |
| Systemic risk from agent financial activity | Stability implications | Financial stability reports |
| International coordination effectiveness | Global governance capacity | FATF mutual evaluations |
Beyond tracking threat indicators, institutions need actionable metrics to measure their own detection effectiveness:
| KPI | Description | Target Benchmark | Why It Matters |
|---|---|---|---|
| Time-to-Interdiction at Chokepoints | Elapsed time from suspicious activity detection to fund freeze/account suspension | <4 hours for high-risk alerts | Agent-scale activity can move funds through multiple hops in hours; slow interdiction means funds are gone |
| Entity Churn vs. Investigative Capacity | Ratio of new entity formations to completed investigations per month | Ratio <10:1 sustainable | If entities form faster than you can investigate, you're structurally behind |
| Cross-Rail Linkage Rate | Percentage of flagged entities where you can trace activity across banking/crypto/virtual economy rails | >60% linkage | Low linkage means agent-orchestrated schemes remain invisible across silos |
| Synthetic Identity Detection Rate | Percentage of detected vs. estimated synthetic identities in your customer base | >80% detection | The identity layer is the foundation; low detection here cascades to all downstream failures |
| False Positive Investigation Cost | Average analyst hours per resolved false positive | <2 hours per case | If FP cost is too high, analysts deprioritize alerts; detection becomes theater |
| Alert-to-SAR Conversion Rate | Percentage of automated alerts that result in Suspicious Activity Reports | 5-15% healthy range | Too low = noise; too high = missing true negatives or overly conservative thresholds |
Operational use: These KPIs should be reviewed monthly and benchmarked against industry peers. Deteriorating metrics indicate that agent-scale activity is outpacing institutional capacity, triggering investment in counter-agent tooling (O2) or operational process changes.
Beyond individual indicators, systemic detection requires measuring graph properties of financial activity:
| Metric | Description | Detection Value |
|---|---|---|
| Entity Churn Rate | Formation/dissolution velocity by jurisdiction | High churn suggests ephemeral shell infrastructure |
| Flow Reconvergence | How quickly value reconverges after dispersion | Rapid reconvergence indicates coordinated structuring |
| Cross-Rail Hop Index | Frequency of jumps between banking, crypto, and virtual economies | High hopping indicates deliberate obfuscation |
| Synthetic Identity Cluster Entropy | How "too-perfectly-regular" identity behaviors cluster | Low entropy in supposedly independent actors suggests coordination |
| Temporal Coordination Score | Synchronization of activity across nominally unrelated entities | High synchronization indicates agent swarm activity |
These graph-level metrics support the "agents vs agents" detection paradigm and operationalize the "auditability paradox" insight: individual transactions may be visible, but only graph analysis reveals coordinated patterns.
For three of the most actionable metrics, here's how to operationalize measurement:
1. Detection Latency Index
- Data needed: Timestamps of (a) agent operation initiation, (b) compliance alert generation, (c) interdiction action
- Baseline: Current human-scale detection latency is typically days to weeks; agent-scale should aim for hours
- Alerting threshold: If average latency exceeds 24 hours for high-risk patterns, trigger capacity review
- Measurement source: Correlation of transaction logs with compliance system timestamps
2. Registry Entropy
- Data needed: Entity formation and dissolution records from corporate registries (Wyoming, Delaware, Estonia as priority)
- Baseline: Normal business churn varies by jurisdiction; establish 12-month rolling averages
- Alerting threshold: >2 standard deviations from baseline in formation velocity, or dissolution-to-formation ratio exceeding 0.8
- Measurement source: Registry APIs or periodic bulk data pulls; entity age distribution analysis
3. Flow Reconvergence
- Data needed: Transaction graph data showing value dispersion and subsequent aggregation patterns
- Baseline: Legitimate business activity shows gradual, purpose-driven reconvergence (payroll disperses, supplier payments aggregate)
- Alerting threshold: Rapid reconvergence (<48 hours) of dispersed value into previously unrelated wallets/accounts
- Measurement source: Blockchain analytics platforms, cross-institution transaction matching (requires data sharing)
When metrics become targets, they cease to be good metrics.
If institutions optimize for the KPIs in this report, sophisticated attackers will adapt:
- Optimizing Time-to-Interdiction may shift attacks to slower, lower-priority rails
- Entity churn metrics may push shell operations to unmonitored jurisdictions
- Cross-rail linkage improvements may drive activity to entirely new rail types
Mitigation: Metrics should be reviewed quarterly for gaming indicators. Red teams should explicitly attempt to "pass" metrics while still achieving illicit objectives. The Defender KPI set should evolve as attacker adaptation becomes visible.
Evidence of agent-facilitated laundering at scale [would shift estimates significantly]
- Documented case of agent system laundering >$10M
- Evidence of organized crime adoption of agent tools
- Crime-as-a-service agent marketplace emergence
Detection system failure [would shift toward pessimistic scenarios]
- Major financial institution breach via agent-based attack
- Multi-jurisdiction scheme evading all detection
- Significant time lag between crime and detection
Regulatory fragmentation [would shift toward pessimistic scenarios]
- Major jurisdiction explicitly permitting unrestricted agent financial activity
- International coordination efforts failing
- Regulatory arbitrage becoming systematic
Effective agent identification systems [would shift toward optimistic scenarios]
- Robust technical standards for agent authentication
- Broad adoption of agent registration frameworks
- Effective detection of unregistered agent activity
Detection parity achieved [would shift toward optimistic scenarios]
- Counter-agent systems demonstrably effective against adversarial agents
- Detection rates for agent-based schemes comparable to human schemes
- Investigation timescales matching agent operation timescales
International coordination success [would shift toward optimistic scenarios]
- FATF agent guidance widely implemented
- Cross-border enforcement cooperation effective
- Regulatory arbitrage opportunities closed
Hardware-level enforcement mechanisms [would significantly shift risk profile]
- Chip manufacturers (NVIDIA, TSMC, AMD) implement "Proof of Intent" verification at silicon level for high-compute financial modeling
- TPM-style attestation for AI workloads accessing financial APIs
- Hardware-enforced audit logging that cannot be disabled by software
- Compute providers implementing mandatory agent registration at infrastructure level
Speed of agent capability improvement: If agents become significantly more capable faster than expected, criminal applications will outpace defensive adaptations.
Effectiveness of safety measures in commercial agents: If major providers successfully prevent financial crime applications, the risk is limited to open-source/self-hosted agents.
Rate of institutional adaptation: If financial institutions and regulators adapt faster than projected, detection capacity may keep pace with threat evolution.
AI agents represent a qualitative shift in financial crime dynamics, not merely an incremental efficiency improvement for existing methods. The combination of autonomous operation, adaptive behavior, machine-scale speed, and attribution challenges creates governance gaps that current frameworks do not address.
The dual-use reality is fundamental: the same capabilities enabling legitimate financial automation enable illicit applications. This means governance cannot rely on capability restriction but must focus on use monitoring, accountability frameworks, and detection systems that operate at agent scale.
The core policy challenge is the speed asymmetry between agent operations (machine timescales) and human governance (legislative and investigative timescales). Addressing this requires:
- Agent-based detection: Only agent-scale analytical capacity can monitor agent-scale activity
- Endpoint focus: Since transaction monitoring cannot scale, verify human principals at entry/exit points
- Strict accountability: Clear liability for agent deployers regardless of specific intent
- International coordination: Prevent regulatory arbitrage through harmonized frameworks
The window for proactive governance is limited. As agent capabilities proliferate and criminal applications emerge, reactive crisis-driven regulation becomes more likely and potentially more damaging to legitimate applications.
This projection will be updated as capabilities evolve, detection methods mature, and governance frameworks develop.
- UNODC (2011). Estimating Illicit Financial Flows Resulting from Drug Trafficking and Other Transnational Organized Crimes. Source for 2-5% of GDP / $800B-$2T laundering estimates and <1% seizure rate
- Financial Action Task Force. Digital Transformation of AML/CFT. FATF guidance on technology for AML/CFT
- EU Council (2024). Anti-Money Laundering: Council Adopts Package of Rules. EU AML package including cash cap
- AMLA (2025). About AMLA - Authority for Anti-Money Laundering. EU AMLA operational timeline
- FinCEN (2025). FinCEN Removes Beneficial Ownership Reporting Requirements for US Companies. US BOI rollback
- Axelsen, H. et al. (2025). Agentic AI for Financial Crime Compliance. arXiv:2509.13137. Agentic compliance-by-design framework
- Oracle Corporation (2025). Oracle Brings AI Agents to the Fight Against Financial Crime. Official announcement
- Galaxy Research (2025). Understanding the Intersection of Crypto and AI. Decentralized compute and AI-crypto intersection
- Moody's (2025). AML in 2025: How are AI, Real-Time Monitoring, and Global Governance Pressures Shaping Compliance? Industry perspective on AI/AML
- Chainalysis (2025). 2025 Crypto Crime Trends. Crypto crime volume estimates
- UK Finance (2025). Annual Fraud Report 2025. UK fraud statistics including APP fraud
- FinCEN (2025). FinCEN Issues Final Rule Severing Huione Group from U.S. Financial System. Section 311 enforcement action
- Circle (2025). USDC Terms. Legal terms including freeze/block provisions
- Tether (2025). Legal Terms. Terms including freeze/termination powers
- The "$1 trillion in annual bribes" figure is commonly attributed to the World Bank; the methodology has been questioned. See: Global Anticorruption Blog analysis. We retain it as indicative of scale while acknowledging measurement uncertainty.
- ETRA-2025-AEA-001: AI Agents as Autonomous Economic Actors
- ETRA-2025-ESP-001: AI Agents and the Future of Espionage Operations
Emerging Technology Risk Assessment Committee Document ID: ETRA-2025-FIN-001 Version: 0.1 (Draft for Review)