Oonagh van den Berg, award-winning Compliance and Financial Crime expert, shares her insights at a time when Mauritius is strengthening its position as an International Financial Centre. Currently working with Acropolis Training Institution on several industrywide initiatives for Mauritius, she is supporting capability uplift and Financial Action Task Force (FATF) readiness across the sector.

?You are widely recognised as an award-winning compliance expert. What first drew you into this field?

My compliance career nearly derailed at the start. After completing my legal training at the European Central Bank (ECB), I moved to London. At the ECB, I had been advising central banks across Europe on monetary regulatory policy. Yet recruiters told me I “wasn’t qualified” to work in compliance because I had “no experience”. They couldn’t “sell” me. To this day, I see that mindset as one of the biggest risks in entry-level compliance recruitment. It didn’t deter me – I’m quite driven – but what I had learnt very quickly at the ECB was this: if you don’t understand products, regulation is meaningless.

If you don’t understand how money moves and how products actually work, you can’t regulate risk. That gap remains one of the biggest weaknesses in compliance teams and education today. So, I used that rejection as a redirection. I took a role in product development at J.P. Morgan Asset Management, translating regulatory intent into the design of basket funds for different markets. That grounding – understanding how funds are structured, risk-weighted, packaged and sold – set me up for my first formal compliance role at Mitsubishi UFJ Financial Group, working across public and private side advisory and policy, and leading Markets in Financial Instruments Directive implementation

Fun story: just 18 months later, I was nominated for – and won – UK Young Compliance Officer of the Year. I still feel I owe those recruiters a proper Pretty Woman moment: walking back into their office with the award and saying, “Big mistake. Huge.”

?What surprised you most when you first started in compliance?And has that changed 20 years later?

Three things stood out – and, strikingly, most remain unresolved today. First, the way compliance was perceived. It was not regarded as an integral part of the business, but merely as a regulatory obligation – a necessary evil. A box to tick, rather than a partner in decision-making. Second, how little many compliance teams truly understood the products they were overseeing. Over the years, I have seen too many professionals advising based solely on what they had been told, rather than on what they actually understood. They relied heavily on the business to act with integrity and honesty. Business ownership of compliance is absolutely right – but if you can’t be objective because you don’t understand the product, and challenge what you have been told, that’s dangerous. Even today, I still encounter compliance professionals who can quote regulations and speak at length about theory, yet cannot answer basic business questions or articulate how to design and implement operational risk management controls. It is frightening – particularly in an era of heightened accountability. And, ultimately, it is simply unacceptable. Third, training and access to learning. When I started out, training opportunities were limited and prohibitively expensive. If your employer did not pay for training, you simply did not train. Today, online platforms make it possible to access a vast amount of learning at no cost – and that is a powerful shift. However, many compliance-recognised certifications remain, in my view, unfit for purpose and often overpriced. This was one of the reasons I founded RAW Compliance as a social enterprise in 2020. Since then, we have trained more than 10,000 people globally, free of charge. We need people from diverse backgrounds and with a wide range of skill sets – and that cannot be constrained by cost.

?What is the biggest risk management threat facing financial institutions today?

It is the lack of holistic risk management. That may sound obvious – but in reality, risk in most financial institutions is still managed in silos. Teams do not share data, frameworks fail to connect, and entire parts of organisations operate without ever seeing the full picture. Criminals understand this – and they exploit it. Financial crime isn’t neatly separated in categories such as Anti-Money Laundering (AML), fraud, sanctions, cyber, tax evasion or data protection. Real-world criminal typologies cut across all of them. Yet in many firms, each risk sits in a different department, supported by disconnected systems and unlinked data. The result is that activity which would be immediately visible if viewed collectively remains invisible. The crimes affecting ordinary customers today are hybrid by design – part fraud, part money laundering, part cyber, part data compromise. Still, many institutions remain structured as if these risks were isolated. This is not merely a technical gap. It is a systemic failure of protection – and ultimately, a threat to the integrity of the financial system itself. What makes this particularly frustrating is that solutions already exist. But they require integrated data, shared ownership, and a fundamental shift in mindset: from ‘functional oversight’ to genuinely holistic risk management.

?There are hundreds of thousands of compliance professionals in the US alone. You are very well known in your field – how have you differentiated yourself?

I’ve differentiated myself by doing almost the opposite of what is traditionally expected of a ‘typical’ compliance officer. From day one, I embedded myself within the business, built strong commercial relationships, and focused on practical risk outcomes rather than policy for policy’s sake. That approach wasn’t always popular. I was told more than once that there “should be a barrier” between the first and second lines of defence. In my view, that mindset is precisely what creates compliance failures. Compliance doesn’t ‘own’ compliance. It is an advisory and monitoring function. Our job is to help the business meet its obligations while managing risk effectively. If you don’t build trust and offer practical solutions, two things tend to happen: the business becomes constrained by bad, overly manual processes, or emerging risks go unidentified until it’s too late. My differentiation has always been to sit in that uncomfortable but powerful space – commercially literate, product-savvy, independent – and relentlessly focus on realworld risk rather than optics. That hasn’t always made me popular. But I didn’t build a career on politics. I built it on impact, effectiveness, and protecting organisations in an increasingly complex, technology-driven risk environment.

?What motivated you to build a long-term career in compliance?

Simple – I love it. The passion that first drew me into the field has never faded. What keeps me here is impact: building controls that actually work in practice, helping organisations move from box-ticking to genuine risk ownership, and constantly learning in an environment that never stands still. Growing up in Northern Ireland, I saw first-hand the real-world harm caused by terrorist financing. I still believe this profession can make credible change and help protect people who cannot protect themselves.

I genuinely enjoy financial regulation – not as theory, but as something you bring to life through workable, holistic, tech-enabled risk management. You have to understand your products, analyse data, challenge assumptions, think two steps ahead, and anticipate the knock-on effects of every control decision. With new products, new threats and new technologies, effectiveness is never static. And finally, I love the people side – working with the business, engineers and multidisciplinary teams.

?With over 20 years’ experience spanning traditional banking, fintech and cryptocurrency, how has the role of the compliance officer evolved?

When I started, most compliance officers came from accounting or legal backgrounds, because that is where institutions parked regulatory responsibility. We have since shifted from back-office ‘checkers’ to strategic operators – part risk architect, part data-driven investigator, and part business translator. The bar is no longer effort; it is effectiveness. Today, compliance is – or should be – data-first and tech-enabled. The skill set is far more diverse: you need people who understand engineering, product, operations, financial crime, behavioral science, and regulation, all working together. That blend simply did not exist 20 years ago.

?Technology has significantly reshaped risk management. When did artificial intelligence, in your view, become a real game changer for compliance?

Artificial intelligence (AI) has the potential to be a genuine game changer for compliance – but only if we separate promise from reality. We are still at an early stage and several dimensions need to be properly understood. Right now, too many firms are buying impressive-looking tools marketed as ‘AI’ when, in reality, the functionality is not yet there. In some cases, clients are effectively acting as the test environment for a vendor’s product development, which is fine if everyone understands that. But if a tool has not matured beyond beta, the real question is whether it is fit for purpose. If it is not, it ends up sitting on the shelf. The business still runs the same processes, just with a shinier system and a smaller budget. It is like watching someone mop the floor in a shop full of robot vacuum cleaners. That is not ‘human in the loop’ – it is operational absurdity.

For me, AI becomes transformational when it stops being a dashboard and becomes genuine decision support. That means detecting complex behavioral and network patterns, prioritising real risk, and reducing false positives at scale. The turning point comes when three foundations are in place: better quality and accessibility of data, truly holistic risk models, and a clearly defined problem we are trying to solve. Without those, AI is simply a technology layer sitting on top of fragmented thinking. Right now, an estimated 70-80% of AI implementations fail – not because the tools are bad, but because the problem was never properly defined. Boards want ‘AI’ as a strategic headline, but you cannot buy a concept; you buy outcomes. If you cannot clearly articulate what risk weakness exists today, how it manifests in data and operations, and how AI will improve that outcome, then you are not implementing AI – you are purchasing theatre.

From a practical standpoint, three capabilities have genuinely changed the game compared with ten years ago. Behavioral analytics at scale now allow risk to be identified based on behavioral deviation rather than simple rules. Entity resolution and network detection make it possible to connect people, wallets, devices, and businesses across messy, fragmented data. Intelligent alert triage helps rank what truly matters so investigators focus their time on genuine risk rather than noise. That is the difference between merely monitoring transactions and actually understanding financial crime behaviour. A real-world example is the collaboration between HSBC and Google, which uncovered complex hidden networks that would have been almost impossible to identify without this type of tooling, unless a specific trigger event had forced a forensic review.

?Mauritius is positioning itself as an International Financial Centre. What do you see as the country’s most pressing challenges in terms of financial crime and compliance?

Mauritius has made real progress, but the pressure points facing all growing International Financial Centres are familiar. Keeping pace with fast-evolving threats remains a challenge, particularly those linked to cross-border flows, nominee structures, and trade-based abuse. There is also the need to ensure consistent supervisory expectations across sectors, especially between the banking sector and the broader non-bank and Trust or Company Service Provider ecosystem. Above all, the focus must increasingly be on demonstrating effectiveness, not just having rules on paper, particularly as the legislative and regulatory environment continues to evolve at speed. The key question for the next phase is no longer “do you have regulation?” but rather “does it work in practice?”

?In 2021, Mauritius was grey-listed by FATF and then took great steps to remedy that. What do you see as the impact of the 2027 Mutual Evaluation?

The 2027 FATF Mutual Evaluation represents a pivotal moment for Mauritius. The country is already a strategically important financial gateway into Africa and the opportunity is clear. However, FATF’s focus has shifted. The question is no longer “do you have a strong regulatory framework?” but rather “can you detect and combat financial crime effectively in practice?” The biggest risk is that financial crime is now technologydriven, while many strategically important institutions still rely on manual processes, fragmented systems, and inconsistent data. This is not even about artificial intelligence, but about basic automation, data integrity, and system integration. It is a global challenge, but Mauritius will be tested on it sooner than most.

If Mauritius can evidence a clear, datadriven line from Enterprise-Wide Risk Assessment to controls to outcomes, supported by credible supervision and enforcement, the 2027 evaluation could significantly strengthen its position as a trusted International Financial Centre. If not, the reputational and developmental risk is very real.

?Can AI help a jurisdiction like Mauritius strengthen its international credibility in governance and regulatory compliance? If so, how?

Yes – if it is used as an effectiveness engine, not a marketing slogan. AI can help Mauritius improve the quality of suspicious activity detection through better triage, stronger narratives, and more meaningful referrals to the Financial Intelligence Unit. It can enable supervisory analytics, allowing regulators to identify sector-wide weaknesses and outliers earlier, and it can strengthen risk-based supervision by applying consistent, data-led indicators across regulated sectors. Ultimately, credibility is not built on frameworks alone, but on visible and consistent action. AI that supports smarter enforcement, stronger analytics, and more informed policymaking can genuinely strengthen Mauritius’ international standing – provided governance, accountability, and oversight are clear.

?For Mauritian financial institutions that remain hesitant about adopting AI in their compliance functions, what key message would you like to share?

Hesitation is understandable. Inertia is dangerous. Criminals are already using automation and AI, while global standard-setters are explicitly focusing on how emerging technologies can be abused – from deepfakes and AI agents to large-scale fraud. Standing still is not neutral; it is moving backwards. My advice is to start practical. Pick one painful area, whether that is alert triage, sanctions and screening optimisation, or entity resolution. Build strong governance around that use case, clean your data, and measure outcomes. Then scale what works. AI is no longer ‘the future’; it is rapidly becoming the baseline required just to keep up. But – and I cannot emphasise this enough – get your data in order first and be crystal clear on your problem statement. Do not waste money on technology to solve a problem you have never properly defined, no matter how good it looks in a board pack.