ASK MAT – Why Do You Say Spreadsheets Are No Longer Fit for Purpose in AML/CTF/CPF Risk Management?

28/02/2026

MAT SAYS:

  • Thank you for a great question.
  • As you may have guessed, I'm not a fan of spreadsheets.
  • This may be because I’m not an accountant (they love them), or maybe it's because spreadsheets are unreliable: full of hidden formulas, prone to errors, and always crashing at the worst possible moment.

Let me explain further.

  • Excel was first released on 30 September 1985 for the Apple Macintosh, and it will turn 41 years old in September 2026.
  • Over this time, spreadsheets have served as the go-to tool for compliance teams: flexible, familiar, quick to implement and cheap at the point of entry.
  • However, as financial institutions face escalating regulatory demands and increasingly sophisticated financial crime threats, spreadsheets have transitioned from a reliable aid to a significant liability.
  • Contemporary AML/CTF/CPF (Anti-Money Laundering/Counter-Terrorist Financing/Counter-Proliferation Financing) compliance requires robust controls, defensibility, and auditability that traditional spreadsheets cannot deliver.

Below I’ll support my views by:

  • Examining why spreadsheets fall short for AML/CTF/CPF risk management, drawing on evidence from industry analyses, regulatory insights, and expert commentary.
  • Expanding upon the key vulnerabilities, supported by recent sources, and
  • Highlighting the shift toward better (more advanced) solutions.
  1. Spreadsheets Introduce Structural Vulnerabilities in AML/CTF/CPF Programs
  • Although spreadsheets remain widespread, they were not built for enterprise-scale financial crime risk management.
  • According to iTrackAML,
    • "Many financial institutions default to spreadsheets for assessing money laundering (ML), terrorist financing (TF), and proliferation financing (PF) risks due to their flexibility, familiarity, quick implementation, and low initial costs.
    • However, this reliance has evolved into a 'structural vulnerability' as regulatory complexity and organisational scale continue to grow, exposing programs to data fragility, manual errors, and scalability issues.
    • While spreadsheets may seem cheap up front, their hidden long-term costs, such as time-intensive maintenance, reconciliation, and potential regulatory penalties, often make them far more expensive to deliver."
  • AML/CTF/CPF programs must manage vast datasets, diverse business lines, and evolving risk typologies. Spreadsheets falter in these areas due to:
    • Data fragility: Overwriting cells or undetected formula errors can erase or corrupt extensive work.
    • Reliance on manual processes: This makes them prone to operational breakdowns and human error.
    • Limited scalability: As institutions expand into cross-border products and digital channels, spreadsheets become unmanageable.
  • These shortcomings increase systemic risks at a time when regulators are demanding higher rigour, as noted in FATF guidance on leveraging new technologies for AML/CFT, which highlights how static tools like spreadsheets limit effective data analysis.
  2. Absence of Governance, Version Control, and Audit Trails
  • Regulators now closely examine the processes [including methodology] behind risk ratings, not just the outcomes.
  • Effective AML/CTF/CPF frameworks must feature:
    • Strong governance structures,
    • Transparent methodologies,
    • Evidence-based decision-making,
    • Consistent risk scoring,
    • Comprehensive auditability for reviews by internal auditors, boards, or supervisors.
  • Spreadsheets fail across these criteria.
  • As a RegTech Analyst points out, they cannot enforce governance, ensure scoring consistency, track data lineage, block unauthorised changes, or generate reliable audit trails.
  • In real-world scenarios, this leads to challenges during regulatory scrutiny. Institutions often resort to time-intensive retrospective reconstructions of decisions, which can be incomplete or impossible to complete. For instance, manual email-based approvals and scattered versions exacerbate inconsistencies, leaving compliance teams exposed.
  3. Spreadsheets Compromise Regulatory Defensibility
  • Aligned with FATF standards, financial crime regulators expect defensible, centralised, and data-driven risk assessment methodologies.
  • While FATF does not outright prohibit spreadsheets, its recommendations emphasise
    • Documented risk-based approaches,
    • Evidence-supported scoring,
    • Enterprise-wide consistency, and
    • The ability to explain judgments; these are requirements that spreadsheet processes rarely fulfil reliably.
  • Common pitfalls include
    • Multiple conflicting versions,
    • Inconsistent formulas, and
    • Undocumented modifications, which often surface only during audits or reviews.
  • These vulnerabilities can lead to regulatory findings, mandated remediation, and enforcement actions, as evidenced by industry reports on compliance failures.
  4. Operational Inefficiencies and Underestimated Costs
  • On the surface, spreadsheets seem cost-effective.
  • Yet their hidden compliance expenses are considerable. Organisations often overlook the resources needed to reconcile versions, validate formulas, track evidence, generate reports, and handle manual approval workflows.
  • In AML/CTF/CPF contexts, these translate to:
    • Delayed risk assessments,
    • Slower responses to emerging threats,
    • Heightened human error rates,
    • Fragmented reporting across units.
  • This inefficiency reduces productivity and increases operational risk, potentially causing compliance teams to spend hundreds of hours annually on administrative tasks rather than on strategic risk mitigation.
  5. Spreadsheets Are Ill-Suited for Modern Enterprise-Level Financial Crime Risk
  • Today's AML/CTF/CPF risk assessments demand more than basic calculations. They require
    • Dynamic modelling,
    • Integrated governance workflows,
    • Real-time data feeds,
    • Role-based access,
    • Automated evidence logging,
    • Regulatory alignment, and
    • Uniform application across the enterprise.
  • Spreadsheets lack these capabilities systematically.
  • In contrast, modern RegTech platforms integrated into GRC (Governance, Risk, and Compliance) systems or standalone solutions offer embedded controls, automation, and scalability to meet regulatory standards. As threats such as digital assets and cross-border financing evolve, the gap between spreadsheets and advanced tools is widening, underscoring the need for a technological upgrade.

Conclusion: Time to Move Beyond Spreadsheets in AML/CTF/CPF Risk Management

  • Industry consensus is unequivocal: Spreadsheets, once a staple in AML/CTF/CPF efforts, now present substantial governance, operational, and regulatory risks.
  • Evidence from RegTech Analyst, Arctic Intelligence, and FATF-aligned insights confirms that spreadsheet-based systems lack the defensibility, traceability, and resilience required by today's financial crime landscape.
  • As expectations for data integrity, auditability, consistency, and enterprise governance rise, institutions need to adopt controlled, scalable, technology-driven solutions. Spreadsheets were a practical starting point, but they are no longer a viable endpoint for robust compliance.

To back up my thinking, here's an expanded list for further reading:
