
A Risk-Based Future: What FinCEN’s AML Reset Means for International Business


Since 1970, the United States Bank Secrecy Act (BSA) has been the bedrock of much of America’s financial frameworks, overseeing how institutions structure their internal controls.


Despite the exciting name, it’s got a reputation as one of the more dry and practical legislative instruments around, which isn’t entirely fair since it introduced the very important mechanism of the Suspicious Activity Report (SAR).  

Put simply, the law introduced reporting mechanisms that held institutions to account, and became increasingly important as banking grew exponentially more international. In 1985 the BSA kickstarted the modern Anti-Money Laundering (AML) environment, as it was used to prosecute the First National Bank of Boston for packing up $1.22 billion in cash in wooden crates and shipping them to Switzerland to dodge awkward questions about where it came from.  

The First National Bank of Boston received what was, back then, a landmark fine of $500,000.  

Even the most forward-looking regulatory apparatus often eventually loses a step and ages into a sprawling, bureaucratic mess. Financial institutions increasingly found themselves evaluated on their ability to execute mechanical, check-the-box compliance rather than demonstrate success in disrupting criminal activity.

The financial compliance model, first empowered by the BSA, has lately been less renowned for its efficacy than for its ability to generate massive volumes of defensive reporting, burying intelligence teams under mountains of low-value data, and allowing the now highly sophisticated illicit finance networks to easily evade detection.

As of Q1 2026, this is all about to change, at least according to the U.S. Department of the Treasury. From the start of April, the Treasury’s Financial Crimes Enforcement Network (FinCEN) began putting into action a root-and-branch retargeting of priorities. In a hotly anticipated Notice of Proposed Rulemaking (NPRM), FinCEN introduced a framework specifically designed to reform how financial institutions design, implement, and maintain their AML and Countering the Financing of Terrorism (CFT) programs.

Treasury Secretary Scott Bessent laid down his administration’s philosophy in robust style, saying that “…for far too long, Washington has forced financial institutions to measure their success by the sheer volume of their paperwork rather than their empirical ability to stop illicit finance threats”. Naturally, anything that promises to reduce regulation and paperwork resonates with the global banking sector, particularly those sections of it struggling under the weight of defensive, low-value compliance exercises. 

The Shift from Compliance to Effectiveness

The 2026 NPRM introduces what it calls a ‘two-pronged framework’ that legally distinguishes between the design or ‘establishment’ of a compliance program and its ongoing ‘maintenance’ or implementation.  

This isn’t just a case of having to learn the new names for things, but has profound implications for supervisory and enforcement actions. Under the proposed rules, if a financial service provider has properly established a competent compliance program, it won’t be subject to enforcement for minor, non-systemic errors in that program’s implementation.  

In other words, the Treasury is now acknowledging that a financial institution can't really be expected to catch every single little anomalous transaction, and that a program can still be legally adequate even if it doesn't prevent each minor instance of financial misuse or “minor technical issues”. 

This regulatory reset aligns closely with the current U.S. administration’s broader deregulatory agenda, specifically Executive Order 14192.  

Signed into existence only 11 days into President Trump’s second term, it has the characteristically demure headline of UNLEASHING PROSPERITY THROUGH DEREGULATION and broadly seeks to end the “ever-expanding morass of complicated Federal regulation” and reduce compliance burdens. It also came with a rule that “whenever an executive department or agency …promulgates a new regulation, it shall identify at least 10 existing regulations to be repealed.”  

FinCEN’s aim is to grant financial institutions some much-desired flexibility to divert their resources away from low-risk, high-volume admin tasks and concentrate their capital and workhours on higher-risk customers, complex cross-border distribution channels, and new national security priorities.  

For the transatlantic financial sector, this signals an end to the recent zero-tolerance era for compliance infractions, reframing what ‘effective’ compliance looks like by prioritizing actionable intelligence over data-complete records. 

Optimistic commentary would say this is a common-sense measure, leaving the banks to get on with delivering customer value without worrying about constantly covering for themselves. Cynical commentary might suggest that this is giving financial institutions a pass for their own misdeeds as long as they continue to supply the administration with information on more headline-friendly targets.

Contextualizing the new AML Framework

A shift of this scale doesn’t come out of the blue, and we can trace this one back to the 2020 Anti-Money Laundering Act (AMLA), which was itself the biggest update to the U.S. regulatory landscape since 2001 with the painfully backronym’d Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act…also known as the USA PATRIOT Act.  

A lot of the wording in both the 2001 and 2020 Acts has carried over to the new one, particularly that banking agencies are encouraged to modernize their architecture, focus on areas critical to law enforcement, and actively encourage technological innovation. This year’s rules intend to make these inherited goals effective by introducing a new formal AML risk assessment framework.  

While risk assessments are nothing new to sophisticated financial institutions, having been long accepted as standard best-practice, the new rules codify this as a uniform, non-negotiable requirement across all financial service types. This forces businesses to rigorously evaluate money laundering and terrorist financing risks across all stages of their customer funnel and operations, for all their product offerings, specific services, diverse distribution channels, varied customer bases, and geographic locations.  

The goal is to make obsolete the static, generic compliance overlays that could be easily gamed or circumvented and replace them with dynamic ongoing assessments that require immediate notification whenever an institution knows, or reasonably suspects, that a risk has emerged.

Now that speed and full disclosure are the priority over ‘minor technical issues’ in compliance, the success of this rapid-response AML environment hinges on financial service providers being able to match up their risk criteria with the government-decreed National AML/CFT Priorities.

Originally published by FinCEN in 2021 and theoretically updated at least every four years, this list is America’s Most Wanted of finance threats, divided up into eight specific flavors, including ‘corruption’, ‘cybercrime’, and ‘transnational criminal organizations’.  

Under the new rules, institutions are explicitly required to build structural vigilance against these listed threats, organizations and individuals into their operational risk assessment processes.

This is largely how American regulators will measure success going forwards. During audit, while determining whether to pursue enforcement actions, the office of FinCEN’s Director will evaluate the extent to which a business’s compliance program advances those national priorities.  

Success is defined not by forensic data-completeness but by an institution's ability to provide what is deemed "highly useful information" to law enforcement. By explicitly linking the effectiveness of a business’s compliance resources to how much they can contribute to national security, FinCEN is directing institutions to replace their granular cover-all security methodologies with highly specific, top-level intelligence operations. 


The Challenge of Complexity and Accountability

While this results-orientated shift promises long-term operational relief for businesses, the short term mostly holds more CapEx, complexity, heightened executive accountability, and significant legal friction for transatlantic businesses.  

The 2026 Notice of Proposed Rulemaking might ultimately mean less work for individual businesses, but it also puts FinCEN at the absolute center of the compliance ecosystem.  

It makes it mandatory for all other previously autonomous national authorities, from the Office of the Comptroller of the Currency (OCC) to the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA), to clear it with FinCEN before initiating any supervisory or enforcement actions.  

If this seems like a straightforward transfer of power, it’s not that simple. Neither the Federal Reserve, America’s own central banking system, nor its Board of Governors is subject to the NPRM and its new compliance rules. The legal and constitutional rationale for this is so opaque that it serves only to illustrate how complex and ongoing the inter-agency wrestling match between federal supervisors still is.

What global financial institutions can expect is that governance and board-level oversight is about to reach a new level of individual scrutiny. The NPRM says that a covered business’s written compliance program must be formally approved and personally signed by its Board of Directors (or equivalent) and that those signatories have the ultimate duty to establish, maintain, and enforce the program – along with a designated Compliance Officer “…who is located in the US, and accessible to FinCEN and appropriate federal regulators”. 

While this doesn’t mean that transatlantic institutions will have to onshore their entire compliance operation, as many analytical and investigative functions can still be performed abroad, the ultimate legal accountability and accessibility must remain firmly within American borders. For European banks operating U.S. branches, this is going to require some very thoughtful restructuring to ensure that senior oversight has sufficient presence to comply with the geographic mandates without disrupting global workflows. 

What makes the situation exponentially more complex, and dangerous to businesses with international scope, is where FinCEN’s new NPRM overlaps with the 2020 Anti-Money Laundering Act. The trouble comes from the parts of the AML Act that concern cross-border data flows and how that affects international legal jurisdictions.

It doesn’t seem like a very important passage at first glance, all the way down at Section 6308, but with just six lines of text it effectively made the subpoena powers of the U.S. Department of Justice (DOJ) and the Treasury over foreign businesses go global. If a financial service provider anywhere maintains a single account in the United States, then U.S. prosecutors can now subpoena any and all records of that foreign bank, even if those specific records are maintained entirely outside the United States.

This gleefully aggressive and extraordinary extraterritorial reach places European financial service providers in a bind between the American authorities and their local obligations under EU data privacy laws, such as the General Data Protection Regulation (GDPR).

Consequently, European businesses find themselves caught between U.S. regulatory pressure and domestic legal constraints, transforming compliance from a localized operational function into a geopolitical balancing act that seems bound to antagonize someone, somewhere.

Towards Intelligence-led Compliance

Faced with scary demands to prove their compliance effectiveness, or else face severe extraterritorial enforcement, the global financial sector has been scuttling to overhaul its tech infrastructure.

While regulators rarely name any specific hardware, software or policy and claim to be ‘technologically neutral’ when it comes to solutions, multiple recent enforcement actions repeatedly cite manual bottlenecks as the primary contributing factor to large-scale compliance failures. The integration of advanced AI and LLM tech is now a de facto regulatory necessity for any hope of reaching the required standard.

To give credit where it’s due, the speed and scale of the industry's response in climbing out of their entrenched systems and pivoting toward intelligence-led compliance has been impressive.  

Traditionally, compliance teams depended on lexicon-based surveillance and rigid transaction monitoring rules, a system that was at heart designed for when landline telephone calls were the primary medium of doing business. Brute-force lexicon searches are notoriously inefficient, with PwC reporting that they’d often generate false positive rates exceeding 99%, leading to chronic alert fatigue and masking the signals of genuinely suspicious activity behind a wall of irrelevant noise.

In the face of the exponentially accelerating speed and volume of interactions and transactions, as well as all the regulatory pressure, institutions are now transitioning toward dynamic, predictive behavioral monitoring systems.  

By employing machine learning algorithms, banks can rapidly establish baseline ‘scores’ of normal customer behavior through unsupervised learning, allowing systems to flag anomalous deviations without requiring a list of predefined (and therefore almost immediately obsolete) rules. Simultaneously, supervised learning models are trained on vast historical datasets to recognize the intricate, evolving typologies of market manipulation, synthetic fraud, and money laundering.

This combination leverages both sophisticated AML automation and targeted analytics to digest huge pools of unstructured data at scale and speed. 

Natural Language Processing (NLP) tools are now widely deployed to conduct deep semantic analysis on silos of comms data that would take humans years to process, including sentiment analysis to identify context, subtext and coercion. Meanwhile, features like Named Entity Recognition (NER) automatically remember and recognize individual speakers, so conversations can be cross-referenced across time and platforms to build complex relational maps that would take human investigators weeks and huge quantities of red string to compile manually.

Predictably, the mass deployment of AI in a highly regulated environment comes with its own complex and novel set of governance challenges.  

Regulators harbor a deep-seated suspicion of ‘black box technology’ where the decision-making process is entirely opaque. As AI now matures from the experimental into full adoption, institutions must get to grips with rigorous, explicitly documented governance, regardless of what the US Treasury might be currently brushing off as ‘minor technical issues’. 

Certainly, on the European side of the Atlantic, this requires comprehensive audit trails, ongoing validation mechanisms, and absolute explainability. If an AI system flags a transaction or spikes a customer's risk score, businesses need to be able to clearly defend the algorithmic reasoning and not just shrug and claim the inscrutable computer did it with unknowable technomagic.   

Expanding Scope and Expectations

One of the main reasons why it’s currently such an exciting time for compliance and financial crime prevention tech is that the boundaries between industries are coming down. Compliance, recording and transcription analysis used to have their own distinct niches - but now with the digitization of the global economy, the same disciplines are suddenly relevant across sectors and at all levels of commerce and communication.  

The digital ecosphere we all now live within is a dynamic cross-pollination of telco, social networks, fintech, government, and online identity management. Our data connectivity is integrated into our banking, which is integrated into our biometric ID which is linked to our social networks which are accessible by law enforcement.  

Meanwhile, the predators in this ecosphere have adapted just as fast and profoundly, including cyber-enabled fraud, AI-driven ID deepfakes, and massive decentralized finance (DeFi) scams which, just four years after first being identified, were already stealing an estimated $51 billion annually by 2024.

These kinds of threats mean financial institutions have to integrate cyber intelligence and continuous identity verification into traditional transaction monitoring to build a unified defense.

What were until very recently exciting regulatory grey areas are getting the ‘honor’ of being recognized as proper grown-up financial services by regulators, and therefore subject to all the usual regulatory obligations. Crypto-asset service providers, buy-now-pay-later platforms, and 3rd-party tech vendors are all now being pulled into the regulatory net, with all the same rigorous standards expected of a 100-year-old Tier 1 global bank. 

How this cross-sector convergence has played out in Europe has parallels, but also some divergent regulatory directions. 

While the US pursues a strategy of risk-based deregulation and outcome-focused modernization, the EU regulators are undergoing their most significant structural overhaul in over a decade with the launch of their own Anti-Money Laundering Authority (AMLA).  

Based in Frankfurt, the EU AMLA only just formally opened its doors in the summer of 2025 and has promised a big shift toward centralization and has introduced the AMLR - the Anti-Money Laundering Regulation. This has been written to be the single definitive rulebook that “establishes harmonized obligations for all entities subject to AML/CFT rules…[and] covers essential aspects such as customer due diligence, beneficial ownership identification, record-keeping, and internal control mechanisms.” 

By January 2028, AMLA will be the supreme supervisory authority for what it identifies as the 40 biggest, most complex and highest-risk international financial institutions operating within the entire Union. 

Meanwhile, national regulators are tightening their grips either out of nervousness about growing cybercrime or losing influence to Brussels, depending on who you ask. Germany’s Federal Financial Supervisory Authority (BaFin) implemented its updated Interpretation and Application Guidance (AuA 2.0) in 2025, introducing even stricter new requirements including ‘continuous adverse media screening’ which is the financial equivalent of having to constantly stalk someone's Insta for weird behavior. The Guidance also dramatically expands the scope of what constitutes a ‘regulated business relationship’ and significantly heightens the detection and enforcement standards for financial crime compliance solutions. 

For transatlantic business, building up a holistic compliance posture means navigating these varied and distinct geopolitical regimes.  

On one side, institutions must satisfy FinCEN's demand for intelligence-led, results-based effectiveness and manage the aggressive reach of U.S. subpoenas.  

On the other side, they must adhere to a classically rigid standardized single EU rulebook, and the centralized, expanding scrutiny of AMLA, all while strictly protecting consumer data under occasionally contradictory European privacy laws.  

Success in this environment depends on dumping the old siloed regional operations and quickly implementing highly adaptable, tech-driven architecture capable of bridging these regulatory divides and squaring the legal circles without compromising local jurisdiction adherence. 

1GLOBAL enables Next-Gen Compliance 

As regulatory expectations swing between sacrosanct written policies on one side, and performatively naming names on the other, the infrastructure needed to sustain compliance for any business with more than purely local ambitions is now a defining competitive advantage.  

It isn't enough to simply monitor traditional wire transfers and double-check that neither party are named terrorists or operating from North Korea. The proliferation of mobile comms and instant messaging has shifted immense regulatory risk directly to off-channel platforms. To even begin to keep these channels within their control, organizations urgently require a hyper-scalable ecosystem that combines telco connectivity with sophisticated autonomous analytics. 

This critical intersection of telco and regulatory adherence is the fulcrum from which 1GLOBAL has reshaped the technological landscape. Trusted by the world’s largest investment banks, 1GLOBAL has pioneered a uniquely integrated Mobile Compliance & Recording platform that leverages eSIM technology to maintain network-level compliance on all devices, whether corporate or BYOD. 

The sheer complexity of enforcing a unified compliance strategy in any one jurisdiction, let alone transatlantically, is due to the technical demands of capturing and analyzing multi-channel interactions. Regulators like the SEC and the UK’s FCA have levied billions in fines for unmonitored SMS and WhatsApp interactions, regardless of whether any harm or a single penny of loss ever came from them.

To meet this escalating threat, 1GLOBAL's Message+ service is a secure, network-agnostic complete solution that compliantly captures and records SMS and WhatsApp interactions, integrating them seamlessly into environments like Microsoft Teams. By routing these interactions through a centralized, secure cloud architecture, financial service providers can definitively eliminate their blind spots and legal vulnerabilities.  

Naturally, actually capturing the data is only the first step. All those telephone-era lexicon-search models had no problem creating vast silos of data, but what matters is what you do with it. 1GLOBAL has led the way in effectively embedding AI directly into compliance architecture. Partnering with surveillance technology leaders like Verint, this unique platform replaces outdated dictionary-scraping with sophisticated, autonomous speech-to-text transcription and communication analytics. 

These integrated systems utilize LLMs and AI specifically trained on the unique vernacular (and frankly impenetrable slang) of the financial industry. As an analyst reviews a captured interaction, the AI automatically condenses voice calls into searchable transcripts, executes topic modelling to summarize dialogues, and applies expert NLP to detect anomalies.

Despite all their deep philosophic and legislative differences, the 1GLOBAL solution provides exactly what both FinCEN's April 2026 NPRM and the EU's AMLA demand - an intelligent, scalable infrastructure that actively and demonstrably manages its specific risk profile.  

By fusing resilient global connectivity with cutting-edge, AI-enhanced surveillance, 1GLOBAL empowers financial service providers to move beyond their old, purely reactive defense bulwarks and achieve the effectiveness and agility required to compete in the new global digital market. 

Contact a 1GLOBAL Compliance expert today to learn more.

About 1GLOBAL

1GLOBAL is a distinguished international provider of specialty telecommunications services catering to Global Enterprises, Financial Institutions, IoT, Mobile Operators and Tech & Travel companies. 1GLOBAL is an eSIM pioneer, a fully accredited and GSMA-certified telco, a full MVNO in ten countries, fully regulated in 42 countries, and covers 190+ countries.

It delivers comprehensive communication solutions that encompass Voice, Data & SMS - all supported by a unique global core network. Its constantly expanding portfolio of advanced products and services includes White Label eSIMs, Connectivity Solutions, Compliance and Recording, Consumer & M2M SIM Provisioning and an Entitlement Server.


1GLOBAL is a trading name of 1GLOBAL Holdings B.V.