For two decades, U.S. banks have been told to measure anti-money-laundering compliance the same way: by coverage. File the suspicious activity report. Check the box. Keep the program’s five pillars documented. Volume was the proof of work. A program that flagged everything and caught little still passed exam, because the exam graded process, not result.
FinCEN now wants to grade the result.
On 7 April 2026 the Treasury’s Financial Crimes Enforcement Network issued a notice of proposed rulemaking that it calls a fundamental reform of how financial institutions run AML and counter-terrorist-financing programs under the Bank Secrecy Act (FinCEN, Federal Register). The comment period closed on 9 June. The headline framing is relief: less paperwork, fewer low-value filings, a regime that finally targets serious crime instead of churning reports nobody reads.
“For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats,” Treasury Secretary Scott Bessent said in announcing the rule.
That is the right diagnosis. It is also the harder standard. “Effectiveness” is not a lighter version of compliance. It is a different burden of proof — and most banks are not built to carry it.
What actually changes
The current rule asks whether a program exists and is documented. The proposed rule splits the question in two: whether an institution has established an adequate program, and whether it maintains one “in all material respects” (Sullivan & Cromwell). Both prongs are graded against outcomes, not the existence of a binder.
The 2024 draft had tried to require programs that were “effective, risk-based, and reasonably designed.” Commenters told FinCEN nobody knew what those words meant (Mayer Brown). The 2026 version keeps the ambition and tries to make it measurable. The metrics regulators float are concrete: false-positive rates on alerts, how long investigations take, and what share of suspicious activity reports actually feed a law-enforcement action.
Risk assessments would also have to fold in FinCEN’s national AML/CFT priorities — the agency’s published list of what it most wants institutions hunting for. The reform turns the government’s threat list into an input the bank must demonstrably act on, not a document it acknowledges.
The catch nobody is pricing
Read the metric again: the share of SARs that lead to a law-enforcement action. A bank cannot see that number. It files the report into a government database and the trail goes dark. Whether a SAR ever helped an investigation is known to the FBI, to Treasury, to the prosecutors who pull it — not to the compliance officer who wrote it.
So the single cleanest measure of “effectiveness” is held by the grader, not the graded. Under a process standard, a bank could prove compliance with its own records. Under an effectiveness standard, the proof partly lives outside the building. That inverts who holds the evidence in an exam, and it does so in a regime where the penalty for getting it wrong is still a consent order and a nine-figure fine.
Banks have spent twenty years optimizing for the old metric. Transaction-monitoring systems were tuned to over-alert, because a missed filing is an enforcement risk and an extra filing is free. That produced the false-positive problem FinCEN now wants reduced — rates above 90 percent are routine across the industry. Telling banks to cut false positives is telling them to alert less. Telling them to be effective is telling them to catch more. Those instructions point in opposite directions, and the rule does not say how to hold both.
Congress wants the same thing, faster
The legislative push runs alongside. A bipartisan group of lawmakers urged FinCEN to refocus the BSA on identifying real money-laundering risk rather than reporting failures “that have little relevance to law enforcement,” and to raise the currency-transaction and suspicious-activity reporting thresholds for the first time in decades to account for inflation (PYMNTS). They called the current system “box checking and low-value reporting.”
They also asked FinCEN to encourage banks to adopt AI-based monitoring tools — and on that point the agency has gone further than usual, signaling that responsible experimentation with such tools adds no supervisory or enforcement risk simply from using them (Napier). That is a notable inversion of the EU posture, where AI in high-stakes finance arrives wrapped in obligation. But it is a side door, not the building. The core of this rule is the standard, not the software.
Implications
The reform’s political logic is sound and its operational logic is unfinished. Three things follow.
First, the relief is conditional. A bank that reads “effectiveness” as permission to file less is exposed if its remaining program cannot show outcomes. The safe move under ambiguity is to keep filing while building measurement — more cost, not less, until the final rule lands.
Second, the winners are institutions that can instrument their own programs: tie alerts to investigations, investigations to filings, filings to feedback, and produce that chain on demand. That is a data-engineering problem before it is a compliance one. Large banks with mature analytics will adapt; smaller institutions running vendor black boxes will struggle to prove a number they cannot compute.
Third, “effectiveness” only becomes a real standard if FinCEN closes the feedback loop — telling banks which SARs mattered. Without that, institutions are graded on an outcome they cannot observe, and the exam becomes a negotiation over proxies. The most important line in the final rule will not be the definition of effectiveness. It will be whether the government agrees to show its work.
The comment file is closed. What FinCEN does with it will decide whether this is the biggest modernization of U.S. AML in a generation, or a new vocabulary stretched over the same machine.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.