AI Compliance Checks Banks Need After a $35m Fine

AI in Finance and FinTech | By 3L3C

Macquarie’s $35m fine shows why banks need AI monitoring for reporting integrity. Here’s a practical blueprint for real-time compliance controls.


A $35 million penalty sounds big—until you put it next to 15 years of reporting failures and the 73 million short-sale transactions Macquarie admitted it misreported. ASIC’s estimate that the misreporting could reach 1.5 billion short sales turns this from a “bad quarter” story into a systems story.

For anyone building or buying AI in finance tools—regtech teams, compliance heads, CTOs, and fintech founders—this is the part to focus on: the conduct wasn’t a single rogue trade. It was multiple systems failures that stayed invisible for more than a decade. That’s not just a governance problem. It’s a data, controls, and monitoring problem.

I’m going to take a stance: most banks still treat regulatory reporting like a back-office ETL chore, not like a real-time product with measurable reliability. The Macquarie case shows why that mindset gets expensive.

What the Macquarie short-sale case is really about

It’s about market transparency failing quietly at scale. Short-sale reporting is a core market integrity mechanism. When those reports are wrong, regulators can’t reliably interpret market activity—especially during volatility.

Based on the publicly reported settlement details, Macquarie agreed to a $35 million fine (subject to court approval) after ASIC commenced legal action in May 2025. Macquarie admitted failures to correctly report at least 73 million short sales between 2009 and 2024, with ASIC estimating the misreporting could be as high as 1.5 billion.

Why regulators care is straightforward:

  • Short-sale data informs surveillance. It helps detect manipulation, disorderly markets, and unusual positioning.
  • Bad reporting distorts risk signals. Regulators and exchanges use these feeds to decide what to investigate and when.
  • Errors compound over time. One mapping issue becomes millions of wrong records if no one’s watching.

A detail that should land with boards: Macquarie’s market cap and profits were highlighted alongside the penalty, as was the fact the potential maximum penalty could have been far higher. The headline fine isn’t the whole cost; it’s the part you can count.

Why traditional controls didn’t catch it (and why that’s common)

The core problem is that controls often validate “format” instead of “truth.” Many institutions have checks that confirm a report file was produced, a schema matches, a job ran on time, and totals roughly reconcile. Those are necessary, but they’re not sufficient.

Here’s what I see repeatedly in large financial institutions:

The control gap: “Completed” vs “Correct”

A reporting pipeline can be green end-to-end while still producing systematically wrong classifications—like mis-tagging whether a sale is short, or misinterpreting flags from upstream order systems.

Classic failure modes include:

  • Reference data drift (product codes, venue IDs, counterparty attributes)
  • Logic drift (a business rule changed in trading but not in reporting)
  • System replacements where one field’s meaning changes and nobody updates downstream mapping
  • Manual workarounds that bypass validations (often introduced during peak periods)

Long-lived errors are usually “boring”

A decade-long issue rarely looks dramatic day-to-day. It looks like slightly-off distributions, occasional exceptions, and reconciliation breaks that get waived because the business needs to keep moving.

That’s exactly where AI-based anomaly detection can help—if it’s designed for compliance reality rather than demo-day dashboards.

How AI helps: move from periodic sampling to continuous assurance

AI can prevent long-running reporting failures by continuously testing whether reported data matches plausible market behavior and internal source-of-truth systems. The goal isn’t to replace compliance judgment. It’s to catch what humans and traditional rules miss: subtle, persistent, large-scale drift.

In the AI in Finance and FinTech series, we’ve talked a lot about fraud detection and credit models. Regulatory reporting deserves the same treatment: treat it as a high-risk production system with observability.

1) AI anomaly detection for reporting integrity (the practical version)

This is the highest-ROI use case: use models to learn “normal” patterns and alert on changes that shouldn’t happen.

What to monitor for short-sale reporting:

  • Rate shifts: short-sale proportion by desk, instrument, venue, and time-of-day
  • Peer comparisons: desk A diverges from desk B after a system change
  • Break clustering: the same validation errors recurring in bursts
  • Latency anomalies: reporting delays that correlate with specific upstream services

A model doesn’t need to be exotic. In many cases, robust statistics, time-series change detection, or isolation forests outperform complicated approaches because they’re easier to explain to audit.
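The rate-shift check above, as an added example (not code from the original article or any bank's system): a median/MAD robust z-score on one desk's daily short-sale proportion, alerting only when the deviation persists. The function names, the 20-day baseline, the threshold of 4 and the three-day persistence rule are assumptions chosen for illustration, and the desk data is constructed.

```python
from statistics import median

def robust_z(value, baseline):
    """Distance from the baseline median in MAD units (1.4826 * MAD ~ one std dev)."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    return (value - med) / max(1.4826 * mad, 1e-9)  # floor avoids divide-by-zero

def detect_rate_shift(daily, baseline_days=20, threshold=4.0, persist=3):
    """daily: [(day, short_sales, total_sales)] for one desk, oldest first.
    Returns (first_anomalous_day, confirmation_day) or None."""
    rates = [(day, shorts / total) for day, shorts, total in daily if total > 0]
    run = 0  # consecutive anomalous days so far
    for i in range(baseline_days, len(rates)):
        # Baseline ends where the current anomalous run began, so the
        # suspect days never dilute the "normal" they are judged against.
        end = i - run
        baseline = [r for _, r in rates[end - baseline_days:end]]
        if abs(robust_z(rates[i][1], baseline)) > threshold:
            run += 1
            if run >= persist:
                return rates[end][0], rates[i][0]
        else:
            run = 0  # isolated spike: not a persistent defect
    return None

def sample_desk():
    """Constructed data: 30 trading days, 10,000 sales/day, ~12% short."""
    days = []
    for i in range(30):
        wobble = 10 * ((4 * i) % 11 - 5)   # deterministic daily noise
        shorts = 1200 + wobble
        if i == 22:
            shorts = 2000                  # one-off spike on a busy day
        if i >= 25:
            shorts = 300 + wobble          # mapping defect: shorts mis-tagged as long
        days.append((i + 1, shorts, 10_000))
    return days

if __name__ == "__main__":
    print(detect_rate_shift(sample_desk()))
```

The single spike on day 23 is ignored, while the sustained drop that begins on day 26 is confirmed on day 28, which is the "hours or days, not years" detection window the article argues for.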

2) Entity resolution and field-level “truth tests” across systems

Short-sale reporting isn’t created in one system. It’s stitched together from order management, execution, settlement, and reference data.

AI helps here by:

  • Matching records across heterogeneous logs (even when IDs don’t line up perfectly)
  • Flagging impossible combinations (e.g., attributes that contradict instrument type)
  • Detecting duplicate or missing events in an event chain (order → execution → allocation → report)

Think of this as transaction lineage for compliance—with automation that scales.
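A deterministic version of the lineage and field-level truth test, as an added example (not code from the original article): it groups events per trade, flags missing or duplicate stages in the order → execution → allocation → report chain, and checks that the reported short-sale flag agrees with the source order. The event schema, the ID normalisation rule and the one-event-per-stage assumption are hypothetical; flows with partial fills need quantity-based reconciliation instead. All events are constructed.

```python
from collections import Counter, defaultdict

CHAIN = ("order", "execution", "allocation", "report")

def normalise_id(raw):
    """Hypothetical ID convention: systems differ only in case and padding."""
    return raw.strip().upper()

def check_lineage(events):
    """events: dicts with trade_id, stage, short_sale. Assumes one event per
    stage per trade. Returns {trade_id: [issues]} for trades that fail."""
    by_trade = defaultdict(list)
    for ev in events:
        by_trade[normalise_id(ev["trade_id"])].append(ev)
    findings = {}
    for trade_id, evs in by_trade.items():
        counts = Counter(ev["stage"] for ev in evs)
        issues = [f"missing {s}" for s in CHAIN if counts[s] == 0]
        issues += [f"duplicate {s}" for s in CHAIN if counts[s] > 1]
        # Truth test: the reported flag must agree with the source order.
        flag = {ev["stage"]: ev["short_sale"] for ev in evs}
        if "order" in flag and "report" in flag and flag["order"] != flag["report"]:
            issues.append("short_sale flag: order and report disagree")
        if issues:
            findings[trade_id] = issues
    return findings

def sample_events():
    """Constructed events; not real trade data."""
    def chain(tid, short, stages=CHAIN):
        return [{"trade_id": tid, "stage": s, "short_sale": short} for s in stages]
    events = chain("T1", True)                  # clean chain
    events += chain("T2", True)
    events[-1]["short_sale"] = False            # report mis-tags a short as long
    events += chain("T3", False, CHAIN[:3])     # executed and allocated, never reported
    events += chain("T4", True) + chain(" t4 ", True, ("report",))  # reported twice
    return events

if __name__ == "__main__":
    for trade, issues in check_lineage(sample_events()).items():
        print(trade, issues)
```

Trade T2 is the "completed vs correct" case: every stage is present and the pipeline would show green, yet the reported classification contradicts the order.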

3) Natural language AI for control evidence (use it carefully)

Generative AI can speed up compliance operations, but it needs guardrails. Good uses include:

  • Summarising incident timelines from tickets, system logs, and change records
  • Drafting remediation narratives for internal governance packs
  • Mapping regulatory obligations to internal controls and creating gap lists

Bad uses include letting an LLM “decide” if something is compliant. The model should help humans assemble evidence, not replace accountability.

A useful rule: If you can’t defend it in a regulator meeting, don’t automate the decision—automate the evidence collection.

The compliance blueprint: controls banks should implement in 2026

The fix is a layered system: deterministic controls for known requirements, plus AI monitoring for unknown failure modes. If you’re planning budgets right now (end of year is when these projects get funded), here’s a concrete blueprint.

1) Build “regulatory reporting observability” like SRE

Treat reporting like a reliability discipline with clear SLAs.

Minimum metrics:

  • Completeness: % of eligible trades reported
  • Accuracy proxies: distributions and cross-checks against source systems
  • Timeliness: end-to-end reporting latency
  • Stability: change failure rate after releases

Make these metrics visible beyond compliance—technology leadership should own them too.

2) Add model-driven monitoring with human escalation paths

AI alerts without a workflow become noise. Wire alerts into:

  • Tiered severity (P1/P2/P3)
  • Named owners by desk/system
  • Time-bound triage and closure
  • Root cause categories that feed back into engineering priorities

3) Design for auditability: features, thresholds, and reasons

Regulators and internal audit will ask “why did the model alert?” and “why didn’t it?”

Design requirements:

  • Store alert context: key drivers, baseline comparisons, affected populations
  • Version controls for models and thresholds
  • “What changed?” linkage to deployments, reference data updates, and configuration changes

4) Don’t skip data governance basics

AI won’t save poor definitions. You still need:

  • A controlled business glossary (what exactly is a “short sale” in each context?)
  • Data ownership per field
  • Change management that forces downstream impact assessment
  • Back-testing after changes (did distributions shift?)

If your field definitions live in tribal knowledge, you’re betting against time.

What fintechs and regtech vendors should learn from this

Selling “AI compliance” is easy; deploying it inside a bank is hard. The Macquarie story highlights what buyers will demand more of in 2026:

Buyers want fewer promises and more proofs

If you’re a vendor, expect procurement and risk teams to ask:

  • Can your system work with partial, messy identifiers across trading platforms?
  • How do you prevent model drift after system upgrades?
  • Can you show how you handle false positives and alert fatigue?
  • Can you produce audit-ready evidence packages quickly?

“Real-time” needs a definition

In many reporting environments, “real-time” means “intra-day” and “fast enough to stop a month of wrong data.” That’s still valuable.

A sensible target:

  • Detect material anomalies within hours, not quarters
  • Fix and re-report within days, not years

The best product angle: reduce regulatory downside and operational drag

A compliance leader doesn’t want another dashboard. They want:

  • Earlier detection
  • Fewer manual reconciliations
  • Cleaner audit trails
  • Lower probability of headline-risk events

That’s the story that converts to leads.

A practical checklist: if you oversee reporting, ask these 10 questions

These questions reveal whether your reporting program can catch silent failure. You can use them in a board pack, a vendor evaluation, or an internal health check.

  1. Do we measure reporting completeness, timeliness, and anomaly rates weekly?
  2. Can we trace each reported record back to source transactions and transformations?
  3. Do we compare short-sale rates by desk, venue, and instrument against history?
  4. After system changes, do we run distribution tests and sign-offs?
  5. Are alerts tied to a workflow with owners and deadlines?
  6. Do we have a playbook for re-reporting and remediation at scale?
  7. Can we explain model alerts in one page for audit and regulators?
  8. Are reference data changes governed and impact-assessed?
  9. Are exception waivers time-limited, or do they linger?
  10. If a defect started today, how fast would we know—hours, weeks, or years?

If you don’t like the answer to #10, start there.

Where this fits in the AI in Finance and FinTech series

Regulatory reporting failures aren’t as flashy as consumer fraud rings or deepfake scams, but they hit the same nerve: trust depends on data integrity. In finance, trust is a product feature.

The Macquarie short-sale misreporting case is a reminder that compliance can’t rely on periodic checks and hope. The volume is too high, the systems are too interconnected, and the cost of being wrong shows up long after the root cause.

If you’re planning your 2026 roadmap, a strong next step is a targeted pilot: pick one reporting stream (short sales, transaction reporting, or market conduct surveillance), implement observability metrics, and add AI anomaly detection with a real escalation workflow. You’ll learn quickly whether your data is strong enough—and you’ll find issues you didn’t know you had.

Most companies get this wrong: they buy tools to look compliant. The better approach is building systems that make it hard to stay wrong for 15 years.

What would your regulator see if they asked for your reporting accuracy evidence tomorrow morning?
