What 111 industry voices told FinCEN about the future of AML

‍

‍

If you work in financial crime compliance, there’s a rule coming that will change how your program is judged. Not whether it has the right policies on paper. Whether it actually works.

‍

On April 10, 2026, FinCEN published a proposed rule that would be the biggest overhaul of Bank Secrecy Act compliance requirements since the Anti-Money Laundering Act of 2020 was passed. The comment period closed on June 9. In between, 111 organizations and individuals weighed in: major banks, credit unions, fintechs, crypto companies, compliance technology vendors, national security nonprofits, libertarian think tanks, law students, and at least one very frustrated casino consultant.

‍

We pulled and analyzed all 111 comments. Here’s what stood out.

‍

‍

‍

The system everyone agrees is broken

Before getting into the disagreements, it helps to understand the one thing almost everyone in the docket agrees on: the current AML compliance regime is producing enormous cost and minimal results.

‍

The numbers are hard to ignore. Banks file roughly 20 million Currency Transaction Reports every year. According to a GAO report cited in the American Bankers Association’s comment, fewer than 6% of those CTRs have ever been accessed by law enforcement. The ABA also notes that 25 to 50% of Suspicious Activity Reports are structuring filings with, in their words, “minimal law enforcement value.”

‍

‍

‍

Debra Geister at Section 2 Inc. goes further. She argues the entire framework is optimizing for the wrong thing: it asks “is this transaction unusual?” when the real question is “does this behavior match a known criminal network?” That reframe sits at the heart of why so many people support this rule change.

‍

The Cato Institute puts the cost into perspective with a number that is hard to shake: the BSA compliance industry costs an estimated $59 billion per year, while generating approximately 370 IRS criminal investigation initiations annually. That ratio tells you everything about why reform has broad support across the political spectrum.

‍

What the rule actually proposes

The core of FinCEN’s NPRM is a shift from a process-based standard to an effectiveness-based one. Instead of asking “does your compliance program have these five components?”, the rule asks “does your compliance program actually work?”

‍

The most important structural change is what commenters call the “establish versus maintain” distinction. The idea is that there’s a difference between designing a program (establishing it) and running it day to day (maintaining it). Under the current regime, a single examiner finding, even a minor one, can be treated as a program-level failure. The new framework would require examiners to show a “significant or systemic failure” before treating something as a program breakdown, rather than an isolated gap.

‍

Almost everyone in the comment record thinks this is the right direction. The disagreements are about how much protection it actually provides, and for whom.

‍

‍

‍

The things nearly everyone agrees on

There are a handful of positions that cut across virtually every type of commenter, from the ABA representing $26 trillion in assets to the single BSA officer at a $4 billion community bank in California.

‍

The first is that the “establish versus maintain” distinction and the safe harbor for documented, risk-based decisions need to be in the actual binding rule text, not just the preamble. The preamble is non-binding. Examiners are not required to follow it. The Wolfsberg Group, ABA, ICBA, Stripe, the Crypto Council for Innovation, and more than a dozen other commenters make this exact point: if the protection is not in the rule itself, it is not really a protection.

‍

The second is that the phrase “significant or systemic failure” needs a definition. Without one, examiners can still escalate a minor technical issue into a program-level finding whenever they want. The Wolfsberg Group proposes a specific definition. The Cooperative Credit Union Association asks for example fact patterns. Sunwest Bank says the ambiguity is the single biggest concern in the entire proposal. They are not alone.

‍

The third is that CTR and SAR reporting thresholds are badly overdue for an update. The $10,000 Currency Transaction Report threshold has not changed since 1972. Adjusted for inflation, that’s roughly $77,000 today, according to Centennial Bank’s comment. The ABA and America’s Credit Unions both call for raising it to $30,000. The $5,000 SAR threshold would go to $10,000. The Cato Institute notes, with some color, that “one could buy two Corvettes for $10,000 when the number was first set.”

‍

The fourth is implementation time. The NPRM proposes 12 months. The ICBA, IIB, Defense Credit Union Council, and others want 18 to 24 months. Small institutions in particular need time to revise their risk assessments, training programs, and testing frameworks to match a new standard.

‍

The people who submitted comments

‍

The comment record spans a wider range of stakeholders than most FinCEN rulemakings. A quick tour:

• Major and international banks including HSBC, Forbright Bank, International Bancshares Corporation, Centennial Bank, and Royal Business Bank. Broadly supportive, focused on AI governance and implementation timeline.
• Banking trade associations led by the ABA and ICBA, along with the Institute of International Bankers and the Conference of State Bank Supervisors. These are the loudest and most technically detailed comments in the record.
• Credit unions in force: America’s Credit Unions representing 146 million members, the Cooperative Credit Union Association covering roughly 200 credit unions, the Illinois Credit Union League, the Defense Credit Union Council, and individual credit unions. All supportive but focused on proportionality for small institutions.
• Fintechs and money services businesses including Stripe, Airbnb Payments, SOLO Finance, the Financial Technology Association, the American Fintech Council, INFiN, the Electronic Transactions Association, and others. Key ask: extend the rule’s enforcement protections to MSBs, which the current draft excludes.
• Compliance technology vendors including Unit21, NICE Actimize, Nasdaq Verafin, Ocean Systems, Kharon, Moody’s Analytics, Fivecast, and Oscilar. All advocating for explicit recognition of AI and advanced analytics as effectiveness indicators.
• AI governance specialists: AgentOS, the FLINT Network, NerveSystem, Tokenpods, and a cryptographic timestamping researcher. The most technically granular submissions in the docket, focused on what audit evidence an AI-driven compliance decision actually requires.
• Crypto and digital assets: Coinbase, Circle, a16z, Chainalysis, the Crypto Council for Innovation, the Digital Chamber, Notabene, the Global Blockchain Business Council, Consensys, Coin Center, and Tokenization Systems. The biggest last-day surge in the docket. Their coordinated ask: extend the risk-based framework to CIP and CDD, not just program design.
• National security organizations: the Foundation for Defense of Democracies and Transparency International US, both worried the new framework is calibrated too loosely for adversarial state actors and corrupt officials.
• Nonprofits: the Charity and Security Network, raising the underappreciated concern that aggressive risk-based compliance will accelerate de-risking of legitimate humanitarian organizations operating in high-risk geographies.
• Think tanks: the Cato Institute, with a characteristically pointed critique of the entire BSA regime.

‍

Where the industry splits

For all the consensus, there are real fault lines in this docket. Five are worth paying attention to.

‍

AI: encourage it or stay neutral?

This is the most contested issue in the comment record. One camp, led by technology vendors and large banks, wants FinCEN to explicitly say that using AI and advanced analytics is a positive indicator of program effectiveness. They want the rule to affirmatively reward adoption.

‍

The other camp, which includes the Investment Adviser Association, the Institute of International Bankers, and most credit union associations, wants FinCEN to do the opposite: explicitly confirm that not using AI does not make a program weaker. Their concern is that any language nudging institutions toward technology creates a disadvantage for small compliance teams that cannot afford enterprise platforms.

‍

‍

‍

How tight should the enforcement bar be?

The Foundation for Defense of Democracies and Transparency International US argue the “significant or systemic failure” standard is calibrated for catastrophic program breakdowns. But the most dangerous adversaries, including sanctioned state actors, don’t collapse programs. They exploit single gaps at single institutions.

‍

"Sanctioned actors do not need to collapse a bank’s AML/CFT program. They need to exploit one gap at one institution."

— Foundation for Defense of Democracies

‍

Most institutions want the opposite: a tighter constraint on examiner discretion and a clear presumption of compliance for any decision the institution documented and can explain. These two positions are genuinely in tension, and FinCEN will have to choose.

‍

Privacy-preserving identity vs. biometrics

Coin Center argues that collecting and retaining all this identity data is itself a security problem. Financial services had 739 data compromises in 2025, the most of any U.S. industry. Their answer is zero-knowledge proofs and portable verifiable credentials that verify identity without storing sensitive data.

‍

The Value Technology Foundation argues that deepfakes and synthetic identity fraud require the opposite: facial recognition and biometrics that bind real-world identity to financial accounts more tightly than documents alone can.

‍

These two positions are not reconcilable in the same rule language. FinCEN will have to pick a lane.

‍

Per-decision AI audit trails vs. program-level evidence

‍

A cluster of AI governance vendors argues that as AI systems make millions of alert dispositions per day, regulators will eventually ask for tamper-evident, cryptographic records of individual decisions. Not just model documentation. Not just logs. Proof that a specific decision, made by a specific model version, using specific input data, happened exactly the way the institution claims it did.

‍

Other commenters, including Andres Garcia (former head of AML at Interactive Brokers) and Ocean Systems, argue for a tiered approach: rules-based systems and machine learning models have different evidence requirements, and imposing heavy per-decision audit burdens across all AI would slow adoption more than it helps.

‍

The issues nobody else is talking about

The most interesting parts of the comment record are the arguments that don’t fit neatly into any camp.

‍

You probably can’t legally run AI on SAR data in the cloud

This one from Airbnb Payments is quietly urgent. The SAR confidentiality statute, 31 U.S.C. Section 5318(g)(2), does not clearly permit processing of SAR data through vendor-hosted AI models. That’s a problem because the most valuable AI use cases in compliance — including SAR narrative drafting, typology detection, and quality assurance across filed reports — all require sending that data to a model that lives outside the institution’s own servers.

‍

"An interpretation that effectively confines AML/CFT AI applications to on-premises systems would foreclose responsible AI adoption across the regulated sector."

— Airbnb Payments

‍

If FinCEN doesn’t explicitly address this in the final rule, the legal ambiguity will continue to hold back adoption. Almost nobody else in the docket raises this, which makes it easy to miss and hard to overstate.

‍

Who’s watching the AI agents making transactions?

‍

Joe Taylor at the FLINT Network and KillChain raises something the rule entirely ignores: AI agents are now being granted delegated spending authority across card, ACH, and stablecoin rails. The existing compliance stack verifies the human customer. It does not verify the AI agent executing the transaction, what it’s authorized to do, or how it’s behaving across merchants and sessions.

‍

Taylor proposes what he calls a Know Your Agent (KYA) standard: a six-layer verification framework covering principal identity, agent identity, wallet provenance, authorization scope, environment identity, and cross-merchant reputation. This is not science fiction. Agentic spending is happening now, and the compliance frameworks don’t cover it yet.

‍

The government owes financial institutions feedback it hasn’t delivered

The AML Act of 2020 required FinCEN to tell institutions which of their SARs and CTRs actually proved useful to law enforcement. That feedback would let institutions tune their programs toward what matters. Five years later, the reports haven’t come.

‍

"An effectiveness standard that depends on feedback the government has not delivered cannot bind banks until the government supplies the loop it has owed since 2020."

— Stuart Brock, iKinetiq Innovation Solutions

‍

The ABA flags the same problem. You can’t grade institutions on their effectiveness at producing useful intelligence if you’ve never told them what useful looks like.

‍

Bad actors shop for the weakest link

Georgina Merhom at SOLO Finance makes a game theory argument that the rest of the rule largely ignores. Bad actors don’t hit the most sophisticated institutions. They shop around until they find the weakest controls, which is why synthetic identity fraud keeps growing even as individual institutions invest more in detection. An institution that invests more in verification is subsidizing the cost of an institution that doesn’t. The rule has no mechanism to address this collective action problem.

‍

The AI audit trail problem is real and unresolved

Swapan Shridhar at AgentOS Technologies frames the AI governance challenge in a way that cuts through a lot of the abstract debate about model risk management.

‍

Imagine a financial institution deploys an AI agent to disposition transaction monitoring alerts. The agent reviews 10,000 alerts a day and dismisses 9,200 as false positives. An examiner pulls one of those dismissed alerts and asks: what did the AI decide? What version of the model was running when it decided? What data did it see? And can you prove none of that was changed after the fact?

‍

Right now, the institution would provide model documentation and application logs. Shridhar argues that neither is what the examiner actually needs. Logs can be altered. Model documentation describes how the system is supposed to behave, not how it actually behaved on that specific alert on that specific day.

‍

The timing makes this more urgent: OCC Bulletin 2026-13, published in April, explicitly scoped generative and agentic AI models out of the existing model risk management framework as “novel and rapidly evolving,” with a promise to address them in a future RFI. The old framework has been withdrawn. The new one doesn’t exist yet. Institutions are deploying AI agents into this gap right now.

‍

WHY THIS MATTERS FOR COMPLIANCE TEAMS

The question of what audit evidence an AI-driven compliance decision requires is currently unanswered in any binding regulatory guidance. That means institutions adopting AI today are making bets about what examiners will eventually require. Getting that bet right — or working with vendors who have thought carefully about it — will matter a lot when the first enforcement actions involving AI-assisted decisions arrive.

‍

‍

‍

What the community bank and credit union concerns actually reveal

The credit union and community bank comments are sometimes read as resistance to modernization. That’s not really what’s happening. The BSA Officer at Royal Business Bank, a $4 billion institution serving the Chinese-American community in California, explains the practical reality clearly: their annual risk assessment doesn’t use software or mathematical formulas. It takes two weeks to a month to complete by hand. Asking them to update it “promptly” whenever risk conditions change is a real burden, not a theoretical one.

‍

Joel Patenaude, writing as an individual, puts it directly: “A community bank with two compliance employees does not gain flexibility from an open-ended standard. It gains uncertainty and greater exposure to examiner judgment.”

‍

These are not arguments against effectiveness-based compliance. They are arguments that a truly effective rule has to work for every institution size, not just the ones that can hire teams of technologists. The rule that works at JPMorgan Chase and the rule that works at a $400 million community bank in rural Wisconsin are not automatically the same rule.

‍

The specific changes most likely to matter

Based on the volume and consistency of requests across the comment record, these are the changes most likely to appear in the final rule, and worth watching:

• The establish/maintain distinction gets codified. The weight of comments demanding this moved into binding text is overwhelming. FinCEN would face significant industry pushback if it left this in the preamble.
• “Significant or systemic failure” gets defined. The ambiguity is so universally flagged that leaving it undefined in the final rule would essentially invite legal challenges.
• MSBs get some version of the enforcement protection. Stripe, Airbnb Payments, and the Crypto Council for Innovation all make the case that excluding MSBs from the safe harbors creates a two-tier system that doesn’t reflect the actual industry.
• The AI question gets punted. FinCEN is more likely to add a general statement about technology neutrality than to resolve the AI mandate/neutrality debate in the rule itself. That debate will continue in examination guidance and enforcement actions.
• The SAR/cloud AI question may stay unresolved. This is the most consequential gap in the rule and also the most technically complex. It may require a separate guidance document, which could take years.

‍

What this means for the compliance industry

The comment record shows an industry at a genuine turning point. The shift to effectiveness-based supervision creates both opportunity and risk for compliance professionals and the technology platforms they use.

‍

Tyler Allen, CEO of Unit21, identified the core problem in his comment: “For years, compliance teams have been incentivized to demonstrate that program components exist rather than that they work.”

‍

That diagnosis is almost universally shared across the docket. What it means in practice is that the compliance programs that will thrive under the new standard are the ones that can show their work: clear risk-based decisions, documented reasoning, and evidence of outcomes, not just activity.

‍

‍

‍

The final-day wave: crypto, fintech, and the rule they want

The comment record closed on June 9, 2026 — and the final 24 hours transformed it. Over 50 submissions arrived on the last day, representing the largest coordinated industry response in the docket. The late wave wasn’t random; it was organized, thematically consistent, and dominated by the digital assets and fintech sectors.

‍

Coinbase, Circle, a16z, Chainalysis, the Digital Chamber, the Crypto Council for Innovation, Notabene, and a dozen related organizations filed on the last day with a unified ask: the risk-based framework should extend to Customer Identification Program (CIP) and Customer Due Diligence (CDD) requirements, not just program design. The crypto industry’s argument is structurally important: they accept the effectiveness standard for AML programs but warn that the current proposal leaves CIP and CDD requirements unchanged, which means the most burdensome compliance obligations — the ones that create friction for onboarding and transaction monitoring — are unaffected.

‍

Chainalysis made the analytics case in detail: blockchain’s inherent transparency makes on-chain transaction history a more auditable and reliable source of customer risk information than traditional document collection, yet the current CIP rules don’t recognize it. The implication is that a truly modern risk-based standard would allow institutions to substitute demonstrated on-chain behavior for some documentary requirements — a significant ask, but one grounded in the rule’s own effectiveness logic.

‍

The fintech side of the last-day surge was equally organized. The Electronic Transactions Association, Financial Technology Association, American Fintech Council, and INFiN filed coordinated comments on the MSB coverage gap — the same structural problem highlighted by Stripe and others in the first wave. The volume of these submissions makes the MSB exclusion a serious candidate for correction in the final rule.

‍

Two late submissions stand out for raising issues the docket otherwise largely ignored. The Charity and Security Network filed a pointed comment on nonprofit de-risking: as financial institutions adopt risk-based AML frameworks, humanitarian organizations operating in conflict zones or sanctions-adjacent geographies face account closures that have no clear legal basis. The concern is that effectiveness-based compliance, without explicit safe harbors, gives examiners no reason to question a decision to de-risk an entire sector. The Bank Policy Institute and The Clearing House submitted a detailed 59-page technical comment — the most thorough single filing in the docket — addressing model risk management, enterprise-wide risk assessment methodology, and the interaction between the proposed rule and existing supervisory guidance on model governance.

‍

David Landsman, a former senior Treasury official, filed what may be the sharpest criticism in the entire record: FinCEN’s NPRM does not mention the Corporate Transparency Act or Beneficial Ownership Information registry even once, despite the fact that effective AML compliance now depends fundamentally on accurate ownership data. If the BOI database is not maintained, funded, and integrated into financial institution due diligence, the effectiveness standard the rule creates becomes harder to achieve in practice. The silence, Landsman argues, is not a drafting omission — it reflects a policy choice that undermines the rule’s own stated goals.

‍

Voices from the record

A selection of direct quotes from public submissions, in their own words:

‍

‍"America has a system designed to measure success by the volume of paperwork rather than the ability to stop illicit finance threats."

‍— Nicholas Anthony, Cato Institute

‍

"Over 25% of ABA members spend 25 to 50% of all BSA compliance costs on CTR filings alone."

— Heather Trew, American Bankers Association

‍

"The majority of sanctioned persons rarely transact in their own names. A rational, modern compliance program would spend fewer resources on screening for true matches against government lists and place greater emphasis on more effective sanctions-related detection."

— Kharon

‍

"Many significant AML failures have occurred not because institutions lacked transaction data, but because material risk indicators appeared earlier in public digital environments. Illicit intent and coordination manifest online before funds move through the financial system."

— Fivecast Ltd.

‍

"Financial institutions are persistent targets for cybercriminals because they collect and retain the very information criminals need to defeat identity controls."

— Lizandro Pieper, Coin Center

‍

"AI in compliance does not require institutions to choose between performance and auditability. Well-designed systems log every action, preserve the reasoning behind every disposition, and keep a human accountable for consequential decisions."

— Tyler Allen, CEO, Unit21

‍

"The NPRM’s silence on BOI/CTA is striking. FinCEN cannot build an effectiveness standard for AML while ignoring whether the beneficial ownership data that standard depends on is available, accurate, and integrated into due diligence workflows."

— David Landsman, David Landsman Consulting (former Treasury senior official)

‍

"Blockchain analytics provide greater transparency into the source and destination of funds than traditional financial records — yet current CIP rules offer no mechanism to credit this information. A risk-based framework that ignores on-chain evidence is not truly risk-based."

— Chainalysis

‍

"The de-risking problem is not a side effect of AML compliance — it is a predictable consequence of compliance regimes that reward avoidance. Without explicit safe harbors for legitimate nonprofit activity in high-risk geographies, an effectiveness-based standard will produce the same outcome as the one it replaces."

— Charity and Security Network

‍

‍

All quotes are verbatim from the public record. Docket: FINCEN-2026-0034, RIN 1506-AB72. Comment period closed June 9, 2026. Analysis prepared June 2026. Full comment record available at regulations.gov.

‍

‍