From Volume to Judgment as FinCEN Forces AML Into Its Next Phase

Key Takeaways

• Accountability Replaces Activity: FinCEN’s shift moves AML programs away from proving activity and toward proving effectiveness, raising the bar for what constitutes a defensible compliance framework.
• Judgment Becomes Central: Institutions will need to exercise and evidence sharper risk-based decision-making, with less reliance on standardized approaches and more emphasis on tailored, defensible strategies.
• Resources Reallocated, Not Reduced: The burden does not disappear but shifts upstream into risk assessment, control design, governance, and ongoing program calibration.
• Effectiveness Must Be Demonstrable: Firms will need to connect risk identification, control implementation, and outcomes into a clear, evidence-backed narrative that regulators can evaluate.
• Materiality Becomes a Strategic Decision: The “significant or systemic failure” threshold introduces flexibility but requires institutions to define and manage aggregation risk before it becomes a supervisory issue.

Deep Dive

For decades, anti-money laundering compliance has been defined by accumulation. More alerts, more filings, more controls, more documentation. Each layer added with the quiet understanding that no one would be faulted for doing too much, only for doing too little. The result was not failure, exactly, but a kind of defensive equilibrium. Programs became expansive, but not necessarily incisive. Activity was measurable. Effectiveness was not.

The Financial Crimes Enforcement Network's (FinCEN) recent proposal now on the table unsettles that equilibrium. It does not simply ask institutions to do less paperwork. It asks them to stand behind the proposition that what remains actually works.

That is a far more consequential shift than it first appears.

The End of Safe Harbor by Volume

The traditional AML model offered an implicit form of protection. If a firm could demonstrate that it had followed the rules, produced the reports, and maintained the expected infrastructure, it had, in a sense, met its obligations. Whether those efforts materially disrupted illicit finance was often a secondary question.

That logic is now being quietly dismantled.

In its place emerges a standard that is both more rational and more demanding. Institutions are no longer being asked whether they have built a program that looks right. They are being asked whether they have built one that produces outcomes. Not theoretical outcomes, not aspirational ones, but demonstrable impact on the detection and prevention of financial crime.

Madhu Nadig, co-founder and CTO of Flagright, puts it plainly, “This is not a lighter-touch rule but a sharper accountability rule. The shift is from proving that every AML component exists on paper to proving that the program is effective, risk-based and reasonably designed for the institution’s actual risk profile. For compliance teams, that means stronger ownership of risk assessment, clearer resource allocation and a program that is kept current as risks change.”

This creates an uncomfortable reality for many organizations. Volume was always easier to defend. It could be counted, audited, benchmarked. Effectiveness, by contrast, resists simple measurement. It requires judgment, and judgment introduces risk.

The safe harbor is gone. In its place is exposure.

The Rebirth of Judgment

If the first-order effect of this shift is the erosion of volume-based compliance, the second is the reintroduction of professional judgment at the center of AML programs.

Risk-based approaches have long been embedded in regulatory language, including under the Bank Secrecy Act and reinforced through the Anti-Money Laundering Act of 2020. But in practice, that discretion has often been constrained by supervisory expectations and institutional caution.

What FinCEN is signaling is a recalibration of that dynamic. Institutions are being given permission, and indeed an obligation, to make sharper distinctions. To concentrate effort where risk is real, and to justify why resources are not being expended elsewhere.

This is not deregulation. It is a transfer of accountability. From a workload standpoint, that shift is unlikely to feel like relief.

As Nadig notes, “From a workload perspective, this is a reallocation of resources, not a relaxation. Teams should expect more effort upfront on risk assessment processes, control design, board or senior management approval, independent testing and change management when the risk profile moves. The upside is that, if the rule is applied consistently, institutions should spend less time firefighting immaterial checklist issues and more time on the risks that actually matter.”

For compliance leaders, the burden shifts from demonstrating adherence to demonstrating insight. Why this risk? Why this control? Why not another? These are questions that cannot be answered with policy language alone.

They require conviction, supported by evidence.

The Measurement Problem

All of this leads to a problem the industry has not yet fully solved. How do you measure effectiveness in financial crime compliance?

Detection rates are imperfect. Filing volumes are no longer a proxy. Law enforcement outcomes are distant and often opaque. Even well-calibrated monitoring systems operate in an environment where the true denominator is unknowable.

And yet, the direction of travel is clear. Programs will increasingly be judged on their ability to articulate and evidence their impact.

“The institutions that will handle this transition best are the ones that can connect risk assessment, control design, implementation, testing and remediation into one operating model,” Nadig says. “The ‘effectiveness’ standard sounds qualitative, but in practice it rewards firms that can show a clear chain from risk to decision to evidence.”

That chain, in many institutions, does not yet exist in a coherent form.

Documentation as Defense

One of the more subtle reversals in this new model is the role of documentation.

For years, documentation has been synonymous with burden. A necessary byproduct of compliance, often divorced from the underlying risk decisions it was meant to support. Under an effectiveness-based regime, that relationship changes.

“Documentation becomes more important under this model, not because FinCEN is asking for paperwork for paperwork’s sake, but because effectiveness has to be defensible,” Nadig explains. “If you cannot show why a risk was assessed the way it was, why controls were calibrated the way they were, or why resources were allocated the way they were, you will struggle to prove that the program is working as designed.”

The question is no longer whether a control exists, but whether its existence can be explained.

The Risk of Misreading Materiality

There is, finally, a risk embedded in the proposal’s language around enforcement thresholds.

“The ‘significant or systemic failure’ enforcement threshold is helpful, but it also creates a calibration challenge,” Nadig says. “Banks should not read that language as a free pass on smaller issues.”

This is where operational discipline will matter most.

“Repeated ‘minor’ breakdowns across products, geographies or operational queues can become systemic very quickly if escalation, remediation and governance are weak,” he adds. “The safest posture is to define internally what aggregation, duration or customer impact would make an issue material before an examiner does it for you.”

The implication is clear. Institutions will need to define, internally and with precision, what constitutes materiality.

The Shape of What Comes Next

What FinCEN has proposed is not a minor recalibration. It is a redefinition of what it means to run an effective AML program: Fewer performative exercises. Greater emphasis on risk understanding. A demand for evidence that controls are not only present, but purposeful.

For years, AML compliance has been shaped by a fear of omission. The new paradigm asks firms to embrace selection. To decide, with clarity and confidence, where their efforts matter most. And to prove, with equal clarity, that those decisions are working.

That is a more mature model. It is also a more demanding one. And for an industry long accustomed to proving that it has done enough, the challenge now is to prove that it has done what counts.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.