.svg)
The test is changing
The test for a U.S. AML program has, in practice, been the same for decades: prove your program exists. Write the policies, appoint the officer, train the staff, complete the independent review. Have the components, pass the exam.
FinCEN's April 7 proposal aims to replace that test with effectiveness, and it names artificial intelligence directly in its enforcement considerations. Comments closed June 9. FinCEN proposes a 12-month effective date from issuance of the final rule, though the final timing and implementation period are not fixed.
What the rule says
The mechanism is a two-part standard. A program counts as effective if the institution establishes it (risk-based, with the national AML/CFT priorities incorporated, as appropriate) and maintains it.
The program standard applies across covered financial institutions. The supervision and enforcement framework is narrower as proposed: for banks, significant supervisory or enforcement action would be reserved for failures to establish a program or significant, systemic failures to implement it, rather than isolated technical gaps. FinCEN asks whether that framework should extend to other institution types, and several industry commenters asked for exactly that.
What the proposal says about AI
The proposal lists factors FinCEN's Director would weigh before pursuing an enforcement action. Among them: whether the bank advances the AML/CFT priorities through innovative activities that produce demonstrable outputs, including effective use of artificial intelligence and advanced monitoring tools. The proposal also states that responsible experimentation with these technologies adds no supervisory or enforcement risk solely from use of the technology, and that no particular technology is required.
FinCEN goes further on the blocker that has kept many institutions on the sidelines. It says it shares industry concerns about applying model risk management principles to AML programs and plans to work through them with the banking supervisors. Separately, Treasury published the Financial Services AI Risk Management Framework in February, which adapts the NIST AI framework to financial services, third-party tools included.
Regulators have encouraged innovation before; a 2018 joint statement said AI pilots would not automatically draw supervisory criticism. This proposal goes further. It writes the credit into proposed enforcement factors and names the model risk problem it intends to fix. The written signal now favors responsible, risk-appropriate use.
What earns the credit
The operative word in those factors is demonstrable. The credit attaches to measurable outputs, and a tool that produces none earns none.
That raises the question every compliance team should be asking: what does evidence of effectiveness look like? The evidence of existence is familiar: policies, minutes, training records, audit reports. Effectiveness evidence is different material: monitoring coverage mapped to the risk assessment, screening thresholds calibrated with documented rationale aligned to your known inherent risks, testing that probes what the rules miss, tuning history, reporting that holds up as useful to law enforcement, and detection outcomes tracked over time.
Most program metrics today count activity. Alerts worked, SLAs met, SARs filed, training completed. Activity proves effort; this proposal asks for proof of outcomes.
The caveat
Much of this sits in the proposal's preamble rather than its regulatory text, and preamble language binds no examiner. The comment record asked FinCEN repeatedly to move the protections into the text, and pressed for explicit technology neutrality so the absence of AI never becomes a finding. The final rule may well deliver both. Neither outcome changes the operating reality: whatever the final text says about tools, the standard underneath is demonstrated outcomes.
The clock
Then there is the clock. FinCEN proposes a 12-month effective date from issuance of the final rule. Commenters asked for more time, and the final period is not set. The planning math holds either way: twelve months is enough time to document a capability that already exists and a short window for building one. Coverage mapping and a credible testing baseline alone can run past a year at a complex institution, which means the building starts before the final rule.
Five moves to make before the final rule
- Map monitoring and screening coverage to the risk assessment, and document the gaps.
- Baseline your testing. Know your detection performance before an examiner asks for it.
- Document tuning and threshold decisions with the rationale attached.
- Govern AI use against Treasury's FS AI RMF so the evidence trail exists from day one.
- Track outcomes over time, and report them the way you report activity today.
Producing that evidence is an infrastructure question: monitoring and screening you can test and retune on demand, and explain when the examiner asks. Building that is the work we do at Napier AI.
Explore how Napier AI helps compliance teams build, test, tune, and evidence AML controls that are designed for effectiveness.
