USD 206 billion.

That’s the approximate amount financial institutions spend on AML/KYC compliance each year, according to a survey by the Bank Policy Institute.

What drives this figure?

The obvious answer is financial crime risk. But in practice, a large part of that cost is driven by expectations: regulatory, and increasingly, from counterparties.

That raises a fair question: how effective are the tools driving that spend?

The same survey suggests that some screening systems produce false positives at rates above 95%, which inevitably leads to another question.

What if there’s a different approach?

A different starting point

Earlier this year, Australia’s regulator, AUSTRAC, released a set of “starter kits” for small, low-complexity businesses.

The regulator explicitly acknowledged that customer screening can be performed using open sources, including internet search engines, provided the process is structured, documented, and defensible.

Not as a fallback, but as a legitimate compliance approach.

What this actually means

In anticipation of the fifth-round mutual evaluation, Australia is aligning with a simple reality: outcomes matter more than form.

FATF is less concerned with whether a small business has a perfectly drafted policy, and more with whether it is actually performing due diligence in practice.

AUSTRAC’s approach focuses on:

  • what you did

  • what you found

  • how you documented it

rather than which screening provider you used.

Why now

Timing here is not accidental.

With over 80,000 newly regulated small businesses expected to be compliance-ready by mid-2026, AUSTRAC faced a practical constraint.

Many of these firms cannot afford, or effectively operate, sophisticated screening systems.

The alternative, formal compliance without real implementation, was not viable.

So the regulator lowered the barrier to entry, without lowering the expectation of results.

Why this matters beyond Australia

Across much of Asia-Pacific, there is a persistent gap between:

  • what regulation requires

  • and what smaller businesses can realistically implement

The result is a familiar pattern:

  • large institutions with sophisticated controls

  • smaller players with formal obligations, but limited execution

An outcomes-based approach, supported by structured open-source screening, offers a potential way to close that gap.

The role of AI

What makes this approach viable today is the information environment.

With modern tools:

  • information can be aggregated across multiple sources

  • language barriers are reduced

  • connections between entities are easier to identify

  • results can be summarised and documented efficiently

For larger institutions, this approach is more likely to complement existing systems than replace them, but for a smaller firm, it can be a great start.

For example, OpenSanctions aggregates more than 320 data sources into a single dataset. OpenScreening combines sanctions data, beneficial ownership information, and PEP records from the ICIJ Offshore Leaks database. AI can also run structured adverse media searches and more, with the results compiled into an audit-ready report for future reference.

The trade-offs are real

Open-source screening introduces challenges:

  • inconsistent data quality

  • risk of missing real-time updates

  • potential for incorrect attribution

  • reliance on individual judgment

AUSTRAC’s response is procedural.

Firms are expected to:

  • define their search approach

  • document their process

  • record results

  • escalate uncertainty

A simpler tool requires a stronger process.

Closing thought

There is a practical question sitting behind all of this.

Not whether open-source screening is perfect. We all know it is not.

But whether a well-documented, consistently applied process using accessible tools is more effective than a sophisticated system that is poorly understood or inconsistently used.

AUSTRAC’s approach suggests that credibility in compliance comes less from the tool itself, and more from the reasoning and evidence behind its use.

If FATF accepts that logic, it may reshape how smaller institutions approach compliance, not just in Australia but more broadly around the world.

How soon will other jurisdictions follow if FATF approves of such an approach?

Let me know your thoughts: alexey [at] atyurin.com

Thanks for reading,

Alexey
