FinCEN Proposes Overhaul of AML/CFT Regime: Focus Shifts From Technical Compliance to Effectiveness
FinCEN's proposed rulemaking shifts supervisory assessment from 'do you have the controls' to 'do the controls work.' It changes how every BSA-obligated firm is evaluated.
FinCEN is consulting on proposed rules to fundamentally reform financial institutions' AML/CFT programs under the Bank Secrecy Act. The proposed overhaul shifts the focus of supervisory assessment and enforcement away from considerations of technical implementation and toward the overarching effectiveness of a firm's AML/CFT program.
This is a philosophical shift in how AML compliance will be evaluated. Under the current regime, regulators assess whether a firm has implemented specific controls — transaction monitoring rules, screening lists, training programs. Under the proposed regime, regulators will assess whether those controls actually work — whether they detect, prevent, and report illicit activity effectively.
The Practical Implications
The practical implication is that firms with technically compliant programs that fail to catch real threats will face enforcement action, while firms with less conventional approaches that demonstrate superior detection outcomes may receive favorable treatment. The emphasis is on results, not process.
For identity verification specifically, the shift reinforces the importance of verification systems that actually catch fraud — not just systems that check the compliance box. A verification system that passes iBeta testing but fails to detect deepfakes in production is technically compliant but ineffective. Under the proposed regime, that distinction matters.
What This Means for Compliance
Begin evaluating your AML program against effectiveness metrics, not just implementation checklists. Track detection rates, false positive volumes, SAR quality, and the outcome of filed reports. The regulatory standard is moving from 'do you have the controls' to 'do the controls work.'
FinCEN Effectiveness-Based AML FAQ
- What is the fundamental shift in FinCEN's proposal?
- Supervisory assessment moves from evaluating whether specific controls are implemented (technical compliance) to evaluating whether those controls actually detect, prevent, and report illicit activity (effectiveness).
- What effectiveness metrics should firms track?
- Detection rates, false positive volumes, alert-to-SAR conversion ratios, SAR quality scores, average investigation time, and the outcome of filed reports (law enforcement follow-up).
- How does this affect identity verification?
- The shift reinforces that verification must actually catch fraud — not just pass iBeta testing. A system that is technically compliant but fails to detect deepfakes in production will fail the effectiveness standard.
- When do the new rules take effect?
- FinCEN is currently consulting on the proposed rules. The final rulemaking timeline will depend on public comment processing, but firms should begin tracking effectiveness metrics now.
Relevant Articles
FinCEN/OFAC Stablecoin AML Rules
Same regulator, parallel rulemaking.
Apr 14, 2026
Bithumb Fined for 6.65 Million KYC Violations
What happens when controls do not work.
Apr 5, 2026
CLARITY Act Enters Final Sprint
Parallel US regulatory expansion.
Apr 14, 2026
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
Learn More