Five percent of global GDP. That's the estimated share of illicit criminal proceeds moving through the financial system each year. Or, as I like to put it: if global crime were a country, it'd be a member of the G7.
Over the last two months, those figures have been front and center for me. In February, I was in Brussels for a Council of Europe working group developing minimum data standards for financial crime reporting. In March, I was in Vienna for the UN's Global Fraud Summit. Different cities, different agendas – but the same conclusion: the global scamdemic may finally force a structural breakthrough that years of incremental reform have failed to produce.
The problem has outgrown our frameworks
The Vienna summit opened with radical agreement on what we're facing. Faster payments mean faster fraud. For HSBC alone, victim reimbursement is a $1 billion line item. INTERPOL's Secretary General made the core point plainly: fraud is transnational, and cannot be effectively fought without transnational information sharing.
The message was consistent regardless of whether the speaker was from Singapore, France, India, or South Africa. We are facing a globally coordinated criminal enterprise – and our national enforcement frameworks are structurally unable to keep up.
The most clarifying concept from Vienna was what several speakers independently called "scammer arbitrage": the deliberate exploitation of gaps between legal definitions, enforcement frameworks, and reporting obligations across different countries. As Singapore's Minister of Law put it simply, criminals maneuver between our laws.
New Zealand's Minister of Customs added a framing that resets the entire policy conversation: scams aren't just a financial crime – they're also a crime against a person. As long as legal frameworks treat fraud as something categorically different from other crimes against individuals, we hand criminal networks a structural advantage. The law hasn't caught up to what the criminals already understand.
The silo problem is structural, not organizational
The second dominant theme in Vienna was polycriminality – the idea that sophisticated criminal enterprises don't specialize. Human trafficking brings people into compounds. Cyber fraud generates revenue. Laundering specialists and underground banking move the money. These aren't separate criminal industries; they're integrated business units inside the same enterprise.
The implications for compliance are significant. Siloed approaches – AML teams operating independently from fraud teams, telcos, and social platforms that don't share signals with banks, law enforcement in one country that can't see what's visible to counterparts elsewhere – aren't just inefficient. They are structurally incapable of addressing the threat. You can't fight a coordinated network with a fragmented response.
What's changed is the political will to do something about it. The Vienna summit had ministers from more than a dozen countries in the same room as leaders from Google, HSBC, Amazon, and Meta. That room simply didn't exist five years ago.
Brussels: Where policy becomes plumbing
Weeks before Vienna, the Council of Europe working group in Brussels was tackling a problem that never makes headlines but sits at the root of everything else: minimum data standards for suspicious activity reporting across European financial intelligence units.
The problem is real and familiar to anyone inside a financial institution. A single institution operating across multiple European countries may file reports to four FIUs in four different formats – and those FIUs receive them, can't easily connect them to each other, and often store them as PDFs. A financial institution can know that the same fraud ring is behind all four reports. The FIUs, by default, cannot.
The Netherlands FIU offered a compelling example: by standardizing reporting around eight specific fraud typologies, they were able to generate dramatically more actionable case data. The Brussels working group is now trying to scale that insight across 30 countries, with a mandate to deliver a technical minimum data standard to the new EU Anti-Money Laundering Authority by late May.
What struck me in Brussels was the same thing that struck me in Vienna: the conversation has shifted. The old debate about whether to share information has given way to a harder, more practical question – how do you make information sharing work at scale, across jurisdictions, in machine-readable formats?
The answer the working group kept returning to wasn't about any particular data field. It was about connections – the relationships between entities, between transactions, and between entities and transactions. That's where intelligence lives. And that's exactly what fragmented, PDF-based reporting destroys.
The infrastructure we actually need
The through line across both Brussels and Vienna is this: the gap between criminal coordination and institutional response is, at its core, an infrastructure problem. Criminals move faster than multilateral negotiation. The question is whether the private sector can close that gap.
The answer to scammer arbitrage isn't more summits – it's interoperable data standards that allow financial intelligence to travel across borders as fast as criminal proceeds do. Shared typologies that describe fraud schemes in machine-readable formats, meaning the same thing to a bank in Singapore, an FIU in the Netherlands, and a law enforcement agency in Japan. Infrastructure that lets a victim's bank file a report that contributes to an investigation spanning three continents, rather than generating a SAR that collects dust in a legacy database.
Some pieces are falling into place. Singapore's Anti-Scam Command seats banks next to law enforcement with direct, real-time intelligence sharing. The Council of Europe is doing the patient work of standardizing what data should even be collected. But the pace of multilateral agreement is still a fraction of the speed at which criminal networks adapt.
Compliance infrastructure built on shared, machine-interpretable typologies – rather than institution-specific rules – lets intelligence aggregate in ways that surface patterns no single institution can see. That's the private sector's contribution to make.
A selectively optimistic take
I left Vienna more optimistic than when I arrived. Not because the problem is solved – it isn't. But the political will now exists at a scale it simply didn't before. Politicians are making commitments. Technical working groups are operationalizing those commitments into standards. Financial institutions are facing balance sheet consequences that make fraud prevention a strategic priority rather than a compliance checkbox.
My time working with these groups over the past few months confirms my deeply held belief that the missing piece is infrastructure. And building infrastructure is something the private sector does faster than intergovernmental bodies. The path forward is public-private collaboration: governments shape what should be built and mandate open standards; the private sector makes it happen.
Scams are the crisis that will finally force us to build the connected, data-driven financial crime system we've needed for years. The question is whether we build it before the next generation of scam operations makes our current efforts look like a fax machine.
