Modernization, Models, and More Effective Outcomes
Recent AML/CFT Regulatory Action from FinCEN, OFAC, and the Federal Banking Agencies
The Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), alongside the Office of Foreign Assets Control (“OFAC”) and the Federal Banking Agencies, is spearheading a significant transformation of the U.S. financial crimes compliance regime, driven by the Anti-Money Laundering Act of 2020 (the “AML Act”) and the Guiding and Establishing National Innovation for U.S. Stablecoins Act (“GENIUS Act”).
Collectively, these actions signal that a successful risk-based financial crimes compliance program will no longer be measured by procedural perfection, but by the demonstrable effectiveness of strategic judgments—both in producing meaningful outcomes for law enforcement and national security agencies in priority areas, and in mitigating an institution’s unique risk profile.
1. Modernizing AML/CFT for Existing Financial Institutions: The AML/CFT Program Rule NPRM
This proposal aims to strengthen and modernize Financial Institutions' AML programs by shifting the focus from procedural perfection to the demonstrable effectiveness of strategic judgments and to a mandated risk-based approach. As the Secretary of the Treasury has underlined, under the mandated risk-based approach Financial Institutions will be expressly permitted to direct more resources to higher-risk areas to generate highly useful information for law enforcement and national security agencies in priority areas.
Practical Steps for Financial Institutions:
- Assess Program Gaps and Develop a Strategic Roadmap: Conduct a strategic assessment of your AML/CFT program against the proposed updates to develop a time-bound, board-level roadmap for modernization to ensure preparedness for when the final rule becomes effective.
- Prepare for the “Two-Prong” Effectiveness Framework: Clearly document AML/CFT program design decisions and governance rationales to distinguish defensible risk‑based architecture from isolated execution lapses. Proactively define broad terms including “significant,” “systemic,” “isolated,” and “technical” used in the proposal as a critical part of pre-examination preparation and defending an AML program’s effectiveness.
- Elevate the Risk Assessment to the Core Engine of the AML/CFT Framework: Reposition the enterprise AML/CFT risk assessment as a living, continuously updated driver of program design, priorities, and control coverage, explicitly incorporating FinCEN’s AML/CFT Priorities.
- Operationalize Risk-Based Resource Allocation: Formally align staffing, technology, and “digital labor” (e.g., computational capacity and token-based commitments) to identified risk levels, and document why reallocating effort away from lower‑risk activity remains consistent with the institution’s risk profile.
- Reset the Role of Independent Testing (Audit/QA): Reorient testing to assess whether the AML/CFT program was properly established and maintained, without substituting auditor judgment for management’s risk‑based decisions.
- Responsibly Advance Innovation While Managing Model Risk: Expand use of advanced analytics and AI within AML/CFT programs under clear governance and validation controls, leveraging FinCEN’s stated support for responsible experimentation without increasing enforcement exposure.
2. Addressing New Frontiers: The FinCEN and OFAC GENIUS Act Joint Rule Proposal
The FinCEN and OFAC GENIUS Act Joint Rule Proposal treats Permitted Payment Stablecoin Issuers (“PPSIs”) as Financial Institutions for BSA purposes and subjects them to AML/CFT and sanctions obligations, including crypto-specific obligations required by the GENIUS Act for PPSIs. The Proposal marks the first time that Federal law has explicitly mandated that a particular U.S. person have an effective sanctions compliance program.
The Proposal seeks to balance obligations placed on PPSIs by separating primary market activity (where a PPSI interacts directly with a user or holder of a payment stablecoin through issuance, repurchase, and burning) and secondary market activity (peer-to-peer transactions).
This framework strategically limits certain customer-facing duties, like Suspicious Activity Report filing, to the primary market. However, recognizing that the majority of illicit risk resides in the secondary market, this Proposal imposes a technical control mandate by requiring PPSIs to have the built-in capability to block, freeze, and reject specific or impermissible transactions across the primary and secondary market, thereby turning the PPSI into a key enforcement node for both primary and secondary market activity.
Practical Steps for PPSIs:
- Risk-Based AML/CFT Program Governance: Establish a comprehensive, board-approved AML/CFT program built on clearly documented, risk-based design decisions, with defensible separation between program architecture and day-to-day implementation.
- Dynamic Risk Assessment as the Program Anchor: Operate a continuously updated AML/CFT risk assessment that evaluates ML/TF exposure, incorporates AML/CFT Priorities, and drives proportional controls, monitoring, and resourcing decisions.
- Independent Oversight, Training, and Accountability: Maintain independent testing, ongoing role-based training, and a qualified U.S.-based AML/CFT Officer with direct FinCEN access and GENIUS Act eligibility oversight.
- Sanctions and Strict Liability Compliance: Operate a sanctions compliance program aligned to OFAC’s five-pillar framework, recognizing that strict liability may attach to sanctions breaches even in decentralized or secondary market contexts.
- Build with On-Chain Control Capabilities: Design stablecoin architecture with built-in technical capabilities to block, freeze, seize, or otherwise restrict transactions in real time to comply with sanctions, BSA obligations, and lawful governmental orders.
- Integrate On-Chain and Off-Chain Intelligence Capabilities: Integrate intelligence capabilities from both on-chain sources (e.g., blockchain analytics) and off-chain sources (e.g., customer risk-ratings, IP address data, and sanctions list updates) to ensure an effective, risk-based program, including for customer risk assessments.
3. Reframing Model Risk Management in a Principles‑Based Era
The Interagency Supervisory Guidance Model Risk Management (“MRM”) establishes critical MRM principles by emphasizing a risk-based approach tailored to a banking organization's Model risk profile and operational complexity. This updated Guidance introduces a revised definition of "Model" as a complex quantitative method applying statistical, economic, or financial theories, notably excluding Generative AI and agentic AI models from its immediate scope due to their evolving nature. Within the context of AML/CFT and sanctions compliance, the new Model definition is of particular interest given the exclusion of deterministic, rules-based processes, which may include certain transaction monitoring and sanctions screening algorithms.
Practical Steps for Banks:
- Re-evaluate "Model" Definition and Scope: Assess quantitative methods, systems, and approaches against the new definition of Model. Despite the exclusion of rules-based, deterministic, generative AI, and agentic AI models from the scope of this Guidance, robust internal risk management and governance for these technologies remain essential.
- Tailor MRM to Risk Profile and Operations: Review and adapt MRM frameworks to align with the Guidance's emphasis on a principles-based, risk-tailored approach. This means MRM practices should be proportionate to the organization's specific Model risk profile and the size and complexity of its operations, moving away from a one-size-fits-all approach.
- Focus on Model Materiality: Prioritize MRM efforts based on the materiality of models to the organization's significant business lines, operations, services, and functions. Rigorous oversight should be reserved for models deemed of higher materiality.
- Strengthen Continuous Model Monitoring and Response: Implement or enhance ongoing monitoring plans that regularly assess Model limitations and establish clear procedures for responding to issues identified. This includes being prepared to perform adjustments, recalibrations, or redevelopments when Model performance deviates meaningfully from expectations or established thresholds.
- AML/CFT-Specific Guidance: Financial Institutions should note that the new Interagency Guidance supersedes and replaces prior Interagency MRM Guidance, including the 2021 Interagency Statement on BSA/AML Model Risk Management, in which FinCEN was a consulting party. In the AML/CFT Program Rule NPRM, FinCEN acknowledged concerns surrounding MRM at Financial Institutions; AML Act Section 6209 remains an available mechanism for FinCEN to issue a targeted rulemaking regarding AML/CFT models in the near term.
Pulling the Thread: Risk- and Principle-Based Frameworks
These reforms reflect a distinct regulatory vision that encourages innovation and risk-based allocation of resources, and places a premium on defensible strategic judgment. Institutions that can clearly articulate their risk assessments, governance decisions, and resource tradeoffs will be best positioned to meet both supervisory expectations and the broader objective of protecting the integrity of the U.S. financial system.