The €500 Million Red Flag: Why the Wise Investigation Means Banks Need Better Fraud Technology

0
Belgian authorities are investigating the fintech company Wise. The reason: about €500 million in transactions that looked suspicious. The investigation is still going on. No charges have been filed yet. Wise says it is cooperating fully and does not agree that being investigated means it did something wrong.

But no matter how this case ends, it sends a clear message: the old “check-the-box” way of fighting money laundering does not work anymore.

Today, criminals can move stolen money through many shell companies and across many countries in just seconds. So the industry needs to ask itself a hard question: are our old identity-check and anti-money-laundering (AML) systems strong enough to stop AI-powered fraud?

This question matters because digital identity checks are what allowed fintech companies to grow around the world in the first place. As we explained in Shufti’s article “Fintechs Went Global Because IDV Made It Possible,” identity verification is more than just a legal requirement. It is the foundation that let fintechs expand into new countries while still keeping the process easy for users, safe from fraud, and compliant with the law. As international payments keep growing and getting more complex, this foundation is under more pressure than ever.

Problem 1: Checking a Person’s Address Is Still Too Slow and Easy to Fake

One of the biggest challenges for any large fintech company is Proof of Address (PoA), confirming that a customer really lives where they say they live. Even with better technology available, many companies still rely on checking physical utility bills or bank statements. This is hard because there are more than 10,000 types of address documents used around the world, and none of them follow the same format or language.

When humans check these documents by hand, the process is slow, expensive, and full of mistakes. Fraudsters take advantage of this. They use fake addresses or high-quality fake documents that old scanning software (OCR) cannot tell apart from real ones.

At Shufti, we solve this with a step-by-step system that matches how much checking is actually needed:

  • First, we try a fast, document-free check. This compares the customer’s claimed address against government and credit records. It takes under 3 seconds when this kind of data is available for that country.
  • If that is not enough, we move to a full document check. This usually takes about 35 seconds and includes a deeper look at the uploaded document.
  • At the same time, in the background, we run a location check. This compares the customer’s internet (IP) location to their claimed address. If the distance is unusual, or if the customer is using a VPN, proxy, or Tor to hide their real location, we flag it right away.
  • When a document is needed, we don’t just scan the text. We break the address down into parts (street, city, postal code, etc.) and match it against trusted address databases to confirm it’s real.

This approach keeps the process fast and easy for honest customers, while making it much harder for fraudsters to use fake addresses.

But the challenge doesn’t stop there. Every new country has its own ID documents, languages, spelling rules, and legal requirements. A system that works well in one country might completely fail in another. This is why having identity verification technology that works globally is not just a nice extra; it’s a basic requirement for any company that wants to operate internationally.

Problem 2: Checking Someone Once Is Not Enough

The Wise case suggests that some suspicious activity happened in accounts that had already passed identity checks. This shows a major weakness in old-style verification: checking someone’s identity is treated as a one-time event, done only when they first sign up.

But risk changes over time. It is not fixed. Someone who looks “low risk” today could become a Politically Exposed Person (PEP), someone in a position of political power or influence) tomorrow. Or their name could suddenly appear in negative news reports.

Real compliance means watching a customer’s risk level throughout the entire relationship, not just once at the start. This is exactly where old systems fall short. Most AML providers only update their watchlists every 24 to 72 hours. In a case like Wise’s, a 72-hour delay gives criminals plenty of time to move money through several more steps in a laundering scheme.

Shufti’s Ongoing AML Monitoring works differently. It checks customers continuously against more than 1,700 global watchlists and sanctions lists, refreshing the data every 15 minutes instead of every few days. It also scans more than 50,000 global news and media sources, in over 80 languages, across more than 400 categories of risk.

This speed matters for a specific reason connected to the Wise case. The kind of suspicious money movement regulators are investigating often comes from “money mule” networks, groups of accounts used to quickly receive and pass along laundered money. Behavioral analysis tools that spot unusual “money in, money out” patterns can catch this kind of activity while it’s happening, instead of only discovering it afterward during an audit. Without ongoing monitoring, a company might not notice a risky account until long after the damage is done and by then, it’s very hard to explain why nothing was caught earlier.

Problem 3: Fighting AI Fraud With AI

The biggest new threat today is fraud powered by artificial intelligence. Older identity-check systems were never built to detect things like face-swapping, deepfake documents, or fully fake identities created by AI.
For many companies, this problem may already exist inside their own customer database. Millions of users were verified between 2020 and 2023, using technology built for speed, not for catching this new generation of AI fraud.

This is why it has become important to go back and re-check old customer records using more advanced tools. Doing this can uncover fake identities or manipulated documents that were missed the first time, helping companies clean up their existing customer base without disturbing real, legitimate users.

At Shufti, we built a tool for exactly this purpose, called the Blind Spot Audit. It uses four separate detection engines:
1. Face Deepfake – checks if a person’s face was digitally faked.
2. Face Liveness – checks if the person was really present (not a recording or a fake video).
3. Document Deepfake – checks if an ID document was created or altered using AI.
4. Document Originality – checks if a document has been reused across different accounts, or if parts of it were edited (like a screenshot or a copy of a copy).

These four tools re-check old, already-approved sessions to catch fraud that was missed before.

Importantly, this tool runs inside the company’s own cloud system (currently AWS), not on Shufti’s servers. This means sensitive historical customer data never has to leave the company’s own systems. For financial institutions worried about data privacy, this makes the process much simpler; it turns a large, complicated audit project into a quiet, low-risk check that produces clear results for fraud teams, auditors, and company leadership.

Building a Complete, 360-Degree Risk Picture

The lesson from the Wise case is simple: companies need to rethink how they verify customers. It’s not enough to check one document one time. Identity needs to be watched continuously,

Throughout the entire time someone is a customer, that identity data needs to be connected to the business relationships and transactions around it.

  • This requires a full, 360-degree approach that combines:
  • Identity verification (checking who a person is)
  • Business verification, or KYB (checking who owns and controls a company)
  • Behavior-based risk analysis (watching for suspicious patterns over time)

On the business side, Shufti’s Know Your Business (KYB) tool works in more than 250 countries and territories through a single system. It automatically traces company ownership structures to find the real people who ultimately own or control a business, known as Ultimate Beneficial Owners (UBOs). This helps uncover shell companies that would otherwise stay hidden behind several layers of ownership.

Connecting this business and identity data with other risk signals, like device information, location, and transaction behavior, is what actually helps companies spot mule account networks moving illegal money across countries. No single check can catch this alone; it takes all of these signals working together.

Regulators are raising the bar. The upcoming EU AMLA framework is one example of stricter rules on the way. Simply reacting to fraud after it happens is no longer good enough. Fintech companies that want to grow internationally will need systems that can adapt as fast as the threats they face.

In the future, the best AML systems won’t be judged by how well they document fraud after it happens. They’ll be judged by how well they stop it before it ever enters the financial system.

Learn more at https://shuftipro.com/

Related News:

Shadow AI in the Workplace: New Research Exposes AI Skills Gap

Black Kite 2026 State of Financial Services Report Released

Share.

About Author

Faryam Asif is the Chief Technology Officer at Shufti, where he leads the engineering and IT teams building the company's AI-powered identity verification and compliance platform. Based in Lahore, he brings 5+ years of experience in full-stack software development, DevOps, database management, and SQA. Before his CTO role, Faryam held positions at Shufti in earlier capacities and previously served as Chief Development Officer at Programmers Force. He also worked at EMC Solutions and The Punjab Information Technology Board. A University of Central Punjab graduate, Faryam is a technology enthusiast skilled in building large-scale web applications to high-quality standards. He leads a team of 29+ engineers delivering Shufti's core technology infrastructure.