A conversation with Kevin Moss, former Chief Risk Officer at Wells Fargo, on deploying AI in financial crime compliance — the real challenges, and what separates the institutions getting it right
Kevin Moss has spent decades at the sharp end of financial crime risk. As former CRO of Wells Fargo and SoFi, and a long-standing adviser in fraud, credit, and BSA/AML, he has watched the compliance function absorb more and more cost without a proportional improvement in outcomes. In a recent conversation with Arva AI CEO Rhim Shah, he was direct about what that means: according to Moss, some estimates suggest banks are finding as little as 1% of real financial crime.
That is the problem worth solving. Not just making compliance cheaper. Actually, finding more.
The False Positive Trap
Most transaction monitoring systems are calibrated to avoid missing anything, which means they generate enormous alert volumes — the majority of them noise. Compliance analysts spend most of their time ruling out cases that were never suspicious, leaving less capacity for the ones that are. The system is expensive, slow, and still under-detecting.
AI agents change the economics of that equation. By handling high-volume, lower-complexity triage — the L1 alerts that absorb the most analyst hours — they redirect human attention to cases that genuinely require it. KYC, KYB, and transaction monitoring are the natural starting points: structured decision-making, documented SOPs, clear escalation paths. AI agents can work through them consistently and at scale, without the fatigue that degrades human performance over time.
What Happens After You Deploy
Deploying AI is the easy part of the conversation. What comes after is harder.
"You hear about the latest and greatest, but you don't really hear people talking about the maintenance — once you build one of these, how you have to track it and monitor it."
More complex models drift faster. The interactions that drove performance at launch shift over time as transaction patterns, customer behaviours, and typologies evolve. Institutions that deploy without a rigorous monitoring and retraining cadence will find performance degrading quietly — which in a compliance context is a serious problem. The governance work after deployment is as important as the work before it.
SR 11-7 has always been the reference standard, and its principles apply to AI models just as they did to the logistic regression models that preceded them. What has changed is the surface area for failure and the speed at which things can go wrong.
The Deployment Path That Holds Up
"The end state is people out of the loop — but to get to that state, there's a level of testing and comfort that has to be built, so that you know this thing is going to stay on the tracks and do the job we think it’s going to do."
The institutions getting this right are not flipping a switch. They run shadow mode deployments, build a performance track record, and expand automation incrementally. L1 triage first. L2 investigation support — where agents surface and structure relevant data while humans retain decision authority — follows. Broader automation comes once the record is there.
At Arva, robustness, explainability, and accuracy come before efficiency. Not because efficiency doesn't matter — it does — but because without the former, the latter doesn't materialise. Every decision our agents make is auditable and explainable. That is what makes it deployable in a regulated environment.
Implementation Depth Is the Real Differentiator
The technology is no longer the bottleneck. Most institutions lack the internal depth to implement it well — knowing how to instrument the right controls, build human-in-the-loop workflows, and govern the system on an ongoing basis. That is where the gap is, and it is where Arva earns its place. We have implemented across banks, credit unions, and fintechs. We know where the edge cases are, what regulators look for, and how to build the confidence that takes institutions from pilot to production.
The Shift Is Already Underway
Twelve months ago, most institutions were asking exploratory questions. Now they are running active pilots and pushing toward production. The competitive pressure is building — not because AI in compliance is a nice-to-have, but because the institutions moving now are getting real efficiency gains and better detection rates, and that gap will compound.
