Why Mid-Market Banks Are Adopting Intelligence Tradecraft to Combat Modern Financial Crime — i2 Group - June 26, 2026
A Conversation with i2 Group’s John Watson
Financial crimes targeting mid-market financial institutions are rapidly evolving into highly sophisticated networked, identity-centric attacks that are difficult to detect through traditional compliance and investigative processes. Fraud rings, synthetic identities, account takeover schemes, and AI-enabled deception campaigns frequently span multiple channels, institutions, and categories of criminal activity, creating challenges that many banking organizations were not originally structured to address.
In a recent BizTechReports executive vidcast interview, John Watson of i2 Group discussed how investigative methodologies traditionally associated with intelligence agencies and law enforcement organizations are finding a growing role in commercial banking environments. He explained why many mid-market financial institutions are rethinking how they approach fraud, anti-money laundering, identity verification, and risk management in response to these sophisticated threats.
Here is what he had to say:
Q: Financial crime has traditionally been viewed through the lens of fraud prevention, compliance, or anti-money laundering. Why are banking leaders beginning to think about these issues differently?
Watson: The nature of financial crime has changed dramatically. Historically, organizations could address fraud, AML [anti-money laundering], cybersecurity, and identity verification as largely separate functions because the threats themselves tended to be more compartmentalized. Today, that distinction is becoming much harder to maintain.
Modern criminal organizations operate across multiple channels simultaneously. A single operation may involve synthetic identities, account takeover attacks, social engineering, cybercrime, and money laundering activities that touch different systems and departments throughout the institution. When organizations investigate those activities independently, they risk missing the broader pattern.
What we're seeing is a shift from viewing fraud as a series of isolated incidents toward understanding it as a networked problem. That requires a different investigative mindset and a different approach to understanding risk.
Q: Why is identity becoming such an important focus area?
Watson: Identity has effectively become the common denominator across many forms of financial crime. Whether you're talking about fraud, money laundering, cybercrime, or regulatory compliance, understanding who you're dealing with has become crucially important.
The challenge is that identity is no longer static. Criminals are using synthetic identities, compromised credentials, fraudulent documentation, and AI-generated personas to manipulate traditional verification processes. As a result, organizations are moving away from viewing identity as something verified once during onboarding and toward treating it as something that must be continuously assessed and validated.
That shift changes how institutions think about customer relationships, risk management, and investigations throughout the customer lifecycle.
Q: Why are mid-market banks feeling this pressure now?
Watson: Large financial institutions have been investing in specialized investigative and intelligence capabilities for years because they were often the primary targets of sophisticated criminal organizations. Today, those same threat actors are targeting mid-market institutions.
The challenge is that mid-market banks frequently face the same threats without having access to the same level of resources, staffing, or organizational specialization. They still need to understand sophisticated fraud networks, but they must do so with smaller teams and tighter budgets.
That reality is forcing many institutions to look for ways to improve investigative effectiveness rather than simply expanding headcount.
Q: What are the limitations of traditional investigative models?
Watson: Many organizations are still structured around separate operational functions. Fraud teams investigate fraud. AML teams investigate money laundering. Cybersecurity teams investigate digital threats. Compliance teams manage regulatory requirements.
Those structures made sense when threats were easier to categorize. Today, however, criminal activity frequently crosses those boundaries.
The result is that important information often exists across multiple systems and teams. Individual signals may appear insignificant when viewed separately, but they can become highly meaningful when examined collectively. Investigators need a way to connect those signals and understand how they relate to one another.
Q: How does an intelligence-led approach differ from a traditional banking investigation?
Watson: Traditional banking investigations often begin with a transaction, an alert, or a suspicious activity report. The investigation focuses on determining whether that specific activity represents a problem.
Intelligence investigations approach the challenge differently. Rather than focusing exclusively on a single event, they examine relationships among people, organizations, communications, accounts, devices, locations, and activities. The objective is to understand the broader network surrounding the event.
That distinction is important because sophisticated criminal operations rarely reveal themselves through a single transaction. They become visible when investigators understand the relationships connecting multiple activities together.
Q: What organizational changes are required to support that approach?
Watson: The biggest change is often cultural rather than technological.
Organizations need to improve information sharing across fraud, AML, cybersecurity, and compliance teams. They need investigators who can understand relationships across different data sources rather than focusing exclusively on individual systems or functions.
Many institutions already possess most of the information they need. The challenge is making that information available in a way that enables investigators to see the broader picture.
Q: What is the business case for intelligence-led investigations?
Watson: Financial institutions are under constant pressure to improve efficiency while simultaneously managing growing regulatory expectations and sophisticated threats.
Simply adding more investigators is rarely a sustainable strategy. Investigative workloads continue to grow, and experienced personnel remain difficult to recruit, train, and retain.
The organizations making the most progress are often those that improve the effectiveness of their existing teams by providing greater visibility into relationships, networks, and risk indicators. When investigators can reach conclusions faster and with greater confidence, institutions can focus resources on the highest-risk activities.
Q: Does this represent a major technology investment?
Watson: Not necessarily. One of the most important misconceptions is that this begins with technology.
The first step is understanding where information exists, how investigations are currently conducted, and where organizational blind spots may be occurring. Technology certainly plays a role, but clarity comes first.
The most successful institutions typically take a phased approach. They focus on improving visibility, integrating relevant information sources, and creating a more complete understanding of investigative relationships before attempting large-scale transformation initiatives.
Q: What role does link analysis play in modern investigations?
Watson: Link analysis is one of the foundational disciplines used within intelligence and law enforcement environments.
At its core, link analysis focuses on identifying and visualizing relationships among people, organizations, accounts, devices, transactions, locations, and events. By understanding how those entities connect, investigators can uncover hidden associations and identify patterns that may not be visible through traditional investigative methods.
For example, a single fraud alert may appear routine in isolation. Through link analysis, investigators may discover that the account shares devices, addresses, contact information, or transaction patterns with numerous other accounts already under investigation. What initially appears to be an isolated incident can quickly emerge as part of a broader fraud network.\
Q: Where does Analyst's Notebook fit into that process?
Watson: Analyst's Notebook has been used by intelligence agencies and law enforcement organizations for decades to support complex investigations involving large volumes of interconnected information.
The same principles are relevant within commercial banking. Investigators need ways to connect information from multiple sources, visualize relationships among entities, and identify patterns that may otherwise remain hidden.
The technology supports the investigative process, but the larger story is really about adopting an intelligence-led mindset. The objective is to help organizations move beyond isolated events and develop a more complete understanding of the networks driving modern financial crime.
Q: Looking ahead, how do you see investigations evolving over the next several years?
Watson: I think we're going to see continued convergence among fraud, AML, identity, cybersecurity, and compliance functions because the threats themselves are converging.
Investigators will increasingly focus on understanding relationships, networks, and behaviors rather than individual events. Identity intelligence will become more important. Link analysis will become more common. Collaboration across organizational boundaries will become necessary.
The institutions that adapt most effectively will likely be those that recognize financial crime as a network problem and build investigative capabilities designed to understand the networks behind the activity.
###