On 7 April 2026, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking that would substantially overhaul anti-money laundering (AML) and countering the financing of terrorism (CFT) programme requirements under the Bank Secrecy Act.
According to AiPrise, with the comment window closing on 9 June 2026, the agency has been explicit: this is not a minor update. FinCEN says it intends to fundamentally reform how financial institutions design and operate these programmes — and that distinction matters enormously for the industry.
AiPrise recently detailed what FinCEN’s proposed rule really means for AI in the areas of KYB and AML.
The old compliance bargain is breaking down
For years, the implicit understanding in compliance was straightforward. If a team followed the right processes, documented their steps, and kept the machinery turning, they could at least claim prudence. But that bargain has been eroding for some time. Process-heavy programmes can still drown in false positives. Analysts manually stitching together registry data, PDFs, sanctions hits, and case notes can still miss the cases that matter most. More controls on paper does not automatically mean better outcomes in practice. FinCEN’s proposal pulls that contradiction into the open. The agency is centering programme effectiveness, risk-based design, and useful outcomes for law enforcement — not procedural compliance for its own sake.
The proposed rule is explicit that AML and CFT programmes should be effective, risk-based, and reasonably designed, directing more attention and resources toward higher-risk customers and activities rather than spreading the same level of manual effort uniformly across everything. That is not a philosophical tweak. It changes the economics of compliance fundamentally. If the standard is effectiveness, then preserving manual processes simply because they feel familiar is no longer the conservative option — in many cases, it becomes the weaker one.
What FinCEN actually said about AI
The line that carries the most weight for the market comes from FinCEN’s own fact sheet. When deciding whether to pursue or review an enforcement or significant supervisory action, the Director would consider whether a bank is employing innovative tools — including artificial intelligence — that demonstrate the effectiveness of its AML and CFT programme. This is a substantial signal, and it is important to read it carefully.
FinCEN is not endorsing every AI product on the market, nor granting innovation a free pass. What it is saying is more consequential: where innovative tools genuinely improve programme effectiveness, that improvement counts in an institution’s favour. For years, many compliance teams treated AI as something to experiment with only once they were confident regulators would not view it with suspicion. This proposal inverts that posture. The more pressing question is no longer simply whether AI carries regulatory risk. It is why, if AI can make a programme more effective, more consistent, and more genuinely risk-focused, institutions would continue to default to slower manual workflows.
This is also a KYB story
Most commentary on the proposed rule will remain at the AML programme level, which is understandable. But there is a practical dimension that deserves greater attention: this is equally a know-your-business (KYB) story. Business verification is still where a significant proportion of compliance time is spent. Registry data is fragmented. Beneficial ownership information varies across jurisdictions. Website reviews are conducted manually. Documents travel back and forth. Analysts spend considerable time assembling facts before they can begin assessing risk.
That is precisely the type of workflow an effectiveness-based regulatory regime should compel institutions to reconsider. A KYB process that requires analysts to toggle between vendors, pull corporate records individually, read documents by hand, and consolidate everything into case notes is not conservative — it is inefficient, inconsistent, and increasingly difficult to defend. Weak business verification allows risk to enter the system earlier, leaving downstream AML controls to resolve problems at substantially higher cost. FinCEN’s shift toward risk-based resource allocation makes that dynamic harder to ignore.
Context, not AI, is the real differentiator
Some vendors will read this proposal as a licence to market themselves as FinCEN-approved. That reading is lazy and misleading. What FinCEN is rewarding is effective innovation — and effective innovation in compliance does not come from adding a chatbot to a brittle existing workflow.
It comes from systems that genuinely improve decision quality: systems capable of reasoning across registries, documents, websites, ownership structures, sanctions hits, and policy thresholds simultaneously; systems that can distinguish signal from noise; systems that leave behind a record a human reviewer can understand and defend. Firms that benefit most from this regulatory shift will be those that stop evaluating compliance technology by features and start evaluating it by outcomes. Fragmented point solutions — one for name screening, another for document review, another for registry checks — with analysts still doing the synthesis in their heads, do not constitute an effective programme. They constitute expensive workflow fragmentation.
The proposal also reduces the political cost of modernising
There is another important dimension buried in the fact sheet. FinCEN indicates that, where a bank has established its programme under the proposed rule, the agency would generally not pursue an enforcement or significant supervisory action unless there is a significant or systemic failure. The intention is clearly to distinguish a genuinely broken programme from one that is well-designed but imperfect in isolated respects. This should meaningfully reduce the concern among compliance leaders that deploying new technology automatically creates enforcement exposure. The standard being proposed is not perfection — it is effectiveness, sound design, and responsible implementation.
What compliance teams should do now
The practical steps are clear. First, audit where current workflows remain manual for the wrong reasons — not where human judgement is genuinely required, but where people are functioning as connective tissue between systems that should communicate directly. Second, pressure-test existing vendors against an outcomes standard: do they help teams make better, more consistent, and more explainable decisions, or do they simply add another review step?
Third, evaluate AI systems the way FinCEN is implicitly instructing institutions to evaluate them — by effectiveness. Can the system reduce false positives? Can it direct effort toward higher-risk activity? Can it improve decision consistency and leave behind a defensible audit trail?
If the answer is no, the problem is not regulatory readiness. The problem is that the tool is not sufficiently capable.
The direction of travel is now clear
Even the most cautious reading of FinCEN’s proposal is consequential. The agency is telling the market that effective, risk-based programmes matter more than box-ticking. It is signalling that institutions should concentrate resources on higher-risk customers and activities. It is acknowledging that innovative tools — including AI — can strengthen a programme’s regulatory standing when they demonstrably improve effectiveness. And it is focusing enforcement attention on significant or systemic failures rather than isolated technical imperfections.
That is not a signal to slow down. It is a signal to modernise properly. If a compliance programme still relies on analysts manually assembling registries, PDFs, and screening results, that is not caution. It is a weaker programme being built at a higher cost. The future of compliance is not more paperwork. It is better outcomes.
Read the full AiPrise post here.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
