Last week, the FCA’s chief executive told a London conference that separating financial services from national security has become “outdated and dangerous”. The statement circulated through compliance and fintech commentators as a watershed moment, a reframing that finally positions financial crime at the heart of state security.

But financial crime has been a policy-level national security threat for at least thirteen years.

In 2013, the UK government formally grouped financial and serious economic crime alongside traditional threats to national security. The National Crime Agency was launched on that premise. The logic was straightforward; money laundering finances terrorism, corruption erodes institutional legitimacy, and fraud drains capital from productive sectors, fueling organised crime. The harm is not back-office risk management. It is structural, political and strategic.

What has changed between 2013 and May 2026 is not the framing. It is the political will to resource it accordingly, and the visibility of that resource constraint becoming intolerable. That distinction is one of the reasons why this “reframing” that is not a reframing matters, because it tells us something about how we communicate policy and how we understand the ground truth of regulatory action.

The FCA’s statement is not incorrect. But it is presented as novel to new audiences, many of whom were not in the sector thirteen years ago or more, when the infrastructure was being argued for and built. So here is the problem: when we present the financial crime-national security nexus as a recently discovered truth rather than as a product of specific historical choices and institutional construction, we erase the genealogy of how we got here. We lose what Foucault called “the history of the present”. We treat current policy as though it emerged naturally, inevitably, as obvious common sense, when actually it emerged through years of contestation, experimentation, enforcement failure, and accumulated evidence. Without understanding that genealogy, practitioners cannot tell which parts of the current system are foundational and which can flex, which typologies have been stress-tested and which are provisional, what constraints exist and why they exist.

Financial crime prevention as a sector has boomed, with a growing number of professionals, reg-tech start-ups and thought leadership. But we cannot erase the sector’s history in order to focus on an innovative glance at the future, because if we truly understand where the sector has already travelled, we may begin to see what is headed, and exactly what is positive innovation, and what is not.

Every month, I encounter thought leaders, consultants, and rising institutional voices making observations about financial crime as though they are uncovering a buried truth rather than describing what competent practitioners have been doing, saying, documenting, and writing about for many, many years. They cite frameworks as if they are discoveries. They propose solutions that exist already, documented in Home Office strategies, NCA reporting, EU AML directives, and peer-reviewed research published half a decade ago. They build on each other’s observations, creating a sedimentary layer of commentary that bears almost no relationship to the institutional knowledge that practitioners have actually accumulated.

The cost of this is not academic. It is operational.

When regulatory guidance is written by people who do not understand the trajectory of how we got here, it defaults to surface-level frameworks. When compliance officers are trained by consultants who arrived in the sector in 2024, they miss the institutional rationales for why certain procedures exist, which means they cannot adapt them intelligently when criminal behaviour shifts. When AI systems are deployed to generate thought leadership without human expertise grounding them, they hallucinate references and cite whitepapers that do not exist. (I am thinking here of EY’s recent output, where an AI tool generated citations to papers with fabricated authors and publication details, which then circulated through the compliance community as authoritative guidance.) These systems have no genealogy, no understanding of how we learned what we know. And when none of this is interrogated because everyone is speaking too fast to notice, institutional memory becomes a liability rather than an asset.

The problem is not new experts. New experts are necessary and very much welcomed into the sector. The problem is new experts without historical grounding, and existing institutions that are outsourcing their voice to systems that have no accountability to accuracy, no experience of enforcement failure, and no skin in the game when the typology breaks down mid-operation.

This matters for actual prevention, detection, and disruption.

The FinCEN alert issued on 11 May on Iranian sanctions evasion provides a useful example. The alert treats sanctions evasion not as discrete transactional misconduct but as a vertically integrated illicit market: production, trade infrastructure, settlement architecture, and final procurement. This is enterprise crime mapping applied to state actors. It is sophisticated, precise, and built upon years of typology development, from the NCA’s organised crime networks mapping to EU AML directive evolution, to the accumulation of OFAC and FinCEN red-flag catalogues.

Someone who has studied that trajectory understands what the alert is not saying, which is often more important than what it is saying. They understand the constraints on enforcement reach against state actors. They understand why targeting the administrative apparatus (the indoctrination centres, the disinformation agencies) can matter more than targeting only the principals. They understand the difference between the expressive function of sanctions and their immediate financial bite. They do not need to learn that from a briefing; they already know it from watching how similar operations unfolded against other adversaries over more than a decade.

This is institutional memory, cutting across the sector – the history of the present at work. This is what we lose when thought leadership is algorithmic and when experts are hired for access rather than depth.

The data quality question cuts equally sharp. Prevention, detection, and disruption strategies are only as good as the intelligence that informs them. That intelligence comes from reported typologies, from investigated cases, from regulatory guidance built on accumulated evidence about how criminal markets actually move. If thought leaders are repeating narratives without interrogating whether those narratives remain empirically accurate, the feedback loop breaks. If new entrants to the sector are publishing guidance based on what other new entrants published six months ago rather than what the Home Office Strategic Threat Assessment or the NCA Annual Report actually documents, we are building policy on sand.

The sector’s strength against an ever-multiplying criminal attack is its collective institutional memory and the data infrastructure that runs on top of it. We know what we know because thousands of practitioners have paid attention, documented, analysed, and shared findings over more than a decade. We have built typologies, tracked displacement, and we have learned what works and what fails. That knowledge is not infinite or perfect, but it is what we have, and it is what separates educated responses from panic-driven policy.

Protecting it requires three things.

First, it requires thought leaders to be transparent about their own historical grounding. If you arrived in financial crime recently, say so – fresh eyes often bring innovation. If your expertise is in parallel sectors and you are reasoning by analogy, be explicit about that. If you are citing research, verify that it actually exists and that you have read it. This is not gatekeeping – it is intellectual honesty.

Second, it requires institutions to stop outsourcing their voice to systems without human expertise backing them. An AI tool can synthesise language, it cannot understand what it has not experienced. It cannot tell you whether your typology is accurate because it has no stake in whether it works in practice. Words matter when they come from respected entities, which is precisely why they require evidence and depth of experience, not computational speed. They require the genealogy that AI cannot possess.

Third, it requires practitioners to be willing to be boring. The most important insights in financial crime are not novel. They are forgotten. They are lessons we learned ten years ago and then stopped applying. They are frameworks that work reliably but do not make compelling conference presentations. They are the unglamorous work of building coherent data infrastructure and maintaining institutional memory when there is no budget line for it and no one gets promoted for doing it well.

The FCA’s chief executive was not wrong, but he was late. And in that lateness, there is a lesson about what happens when we allow the sector’s own history to be overwritten by new voices speaking without context. The criminal networks we are trying to disrupt maintain institutional memory better than we do.

Criminals do not erase their genealogy, because there is nothing to gain in doing so – their profit comes from using that knowledge to their advantage. So they study old crimes to understand new methods, and they share history across networks and generations. A trafficking organisation that moved money through hawala in 2008 teaches that knowledge to the cell operating in 2026. A fraud scheme that failed understands why it failed and builds the next iteration on that understanding. They treat history as operational capital. They do not reinvent wheels because someone new arrived in the organisation and did not know the wheel existed.

But we do. Every time a thought leader presents decades-old frameworks as discoveries, every time an AI system generates guidance without grounding in how we learned what we know, every time a consultant trained in 2024 trains compliance officers without understanding why the procedures they are implementing exist, we are giving our adversaries an advantage. We are saying to them: your institutional memory is better than ours.

The strength we have built is fragile, not because the threats are novel, but because we keep forgetting what we learned the last time. And our adversaries are watching us forget. We cannot afford to do that again.