Compliance | April 16, 2026

BSA/AML in 2025–2026: Five developments every compliance leader needs to know

The BSA/AML landscape is shifting, and strong programs are the best defense

The BSA/AML compliance landscape is undergoing meaningful change, from examination flexibility to AI governance and the GENIUS Act. Federal regulators are changing their approach to supervision, debanking scrutiny is intensifying, and AI is being embedded into financial crimes operations.

In a recent webinar, "The new compliance playbook: Best practices for BSA/AML in a changing landscape," Wolters Kluwer compliance experts Jeff Fox, Associate Director of US Regulatory Consulting, and Jo Brown, Senior Regulatory Consultant, walked compliance leaders through each of these developments and what they mean for BSA/AML programs today.

One theme ran throughout the conversation: in a period of regulatory change, having a strong, well-documented, risk-based program is a strategic advantage.

1. Examination priorities: Flexibility for financial institutions with strong testing programs
In November 2025, the OCC issued updated community bank BSA/AML examination procedures with a stated goal of reducing unnecessary regulatory burden on community banks while maintaining strong BSA/AML oversight.

The central theme of the bulletin is targeted flexibility, giving examiners room to tailor their approach based on an institution's actual risk profile and the quality of its existing controls. More broadly, agencies are moving toward more risk-focused, less prescriptive supervision, particularly for smaller institutions.

The most significant change involves independent testing reliance. Examiners now have explicit discretion to rely on a bank's independent testing, provided it has been performed to a high standard. For institutions with thorough, risk-aligned, and well-documented testing programs, this could reduce the testing that examiners need to perform.

"Effective independent testing programs are going to see the most benefit out of this," Fox said. "Not only is that going to directly help your institution identify and manage risks, but it actually might also decrease the level of effort required of you when you have a regulatory exam coming up."

The bulletin also introduces flexibility around the training and BSA compliance officer pillars, allowing examiners to carry forward prior exam conclusions for up to one cycle where a bank's risk profile has not materially changed. Examiners are also given discretion to scale transaction testing based on risk and the strength of an institution's existing monitoring systems.

What this means for your program: Institutions that invest in qualified, independent testing, sound and well-documented risk assessments, and clear evidence of AML involvement in change management will be best positioned to take advantage of this flexibility. Everything should tell a coherent story to outside parties about how risks are understood and managed.

2. FinCEN SAR FAQs and what they mean for your BSA program
In October 2025, the Financial Crimes Enforcement Network (FinCEN) issued four Suspicious Activity Report (SAR) FAQs with a clear purpose: to clarify existing regulatory requirements, not to change them, expand them, or create new supervisory expectations.

In the month before the release, John K. Hurley, Undersecretary of the Treasury for Terrorism and Financial Intelligence (TFI), acknowledged a growing challenge. Increasing regulatory and supervisory pressure had led to a higher volume of SARs, many of which, in his words, were "not so useful to law enforcement." The FAQs are designed to help institutions focus resources on producing SARs that are meaningful, targeted, and actionable.

The four FAQs address:

  • SAR filings for potential structuring-related activity
    Transactions near the $10,000 CTR reporting threshold do not automatically indicate structuring and do not by themselves trigger a SAR filing requirement. Routine, legitimate activity (e.g., a restaurant's weekend deposit, a gas station's morning and evening deposits, an individual withdrawing cash to purchase a vehicle) is not inherently suspicious.
  • Continuing activity reviews
    Financial institutions are not required to perform a separate manual review every 90 days after filing a SAR. Institutions may rely on their risk-based internal policies, procedures, and controls if those controls are reasonably designed to detect and report ongoing suspicious activity.
  • Continuing activity timelines
    For institutions that elect to file continuing activity SARs in line with prior guidance, the deadline to file a SAR with an identified subject and continued suspicious activity is day 150.
  • No SAR documentation
    There is no regulatory requirement or expectation to create a memo, a no-SAR log, or any other formal documentation solely to explain why a SAR was not filed. If an institution chooses to document these decisions, the level of documentation should be risk-based and proportional.

Brown emphasized that the FAQs should not be treated as a green light for program changes without careful consideration.

Institutions should ask whether their risk assessment supports any changes, whether transaction monitoring rules and systems are well-tuned, and whether frontline staff are trained to recognize behavioral indicators of potential structuring.

"A strong risk-based program remains your anchor," Brown said. "Understanding customer behavior, tuning monitoring systems, effectively training staff, and documenting decisions in alignment with your risk profile, all of this ensures your program stays compliant and operationally sound."

3. Debanking concerns and regulatory scrutiny
Debanking is a term that has been in the news a lot this year. It refers to the allegation that banks and federal regulators unfairly denied banking services to individuals or businesses due to political or religious reasons.

Fox provided historical context, tracing the current conversation back to de-risking: the exit from embassy accounts following the Riggs Bank failure, the closure of MSB accounts due to perceived AML risks, and the broader industry response to Operation Choke Point in the mid-2010s.

Each of these episodes follows the same pattern: institutions responding to regulatory pressure or reputational risk by restricting or stepping back from banking certain categories of customers.

Today's regulatory environment makes clear that this approach is no longer acceptable.

Executive Order 14331 directed all regulators to remove reputation risk and similar factors from exam guidance and supervisory materials. It also directed financial institutions to identify and remediate past instances of debanking.

In December 2025, the OCC issued preliminary findings from its review of the nine largest banks: most had restricted banking services for certain industry sectors, including oil and gas, coal, payday lending, and firearms-related businesses. Reputation risk and negative media were sometimes cited by the nine banks as the reason for these restrictions.

For compliance leaders, the message is clear: every customer decision must be grounded in objective, individualized, risk-based analysis, not category-level assumptions, not brand perception, and not reputation risk.

"Reputation risk must be excluded as a decision driver," Fox said. "Your decisions really need to be rooted in regulatory requirements and managing financial crime risk, not brand perception."

Practical steps include revisiting policies and procedures to confirm they reflect individualized assessments, conducting a deep dive on account closure processes to ensure documented rationale supports each exit decision, training frontline teams to apply the framework consistently, and leveraging complaint data as an early warning system to identify whether certain customer types are being impacted more than others.

4. AI process automation: Opportunity with accountability
During the webinar, Brown walked through four core use cases where AI-driven automation is increasingly being adopted across financial crime programs, along with the specific compliance risks that come with each of them.

The four use cases are:

  • Sanctions screening
    AI tools are being used to support or partially automate alert adjudication. The key risk is incorrectly decisioning an alert, either clearing a true match or escalating a false positive. A missed true hit can directly result in an Office of Foreign Assets Control (OFAC) violation with regulatory, financial, and reputational consequences.
  • Transaction monitoring
    AI may be used to classify or disposition alerts. Incorrect dispositioning can result in unreported suspicious activity, triggering enforcement actions, remediation requirements, or civil money penalties.
  • Customer risk scoring
    AI-driven models analyze customer attributes, behaviors, and patterns to assign risk ratings. The risk is failing to identify a high-risk customer and subsequently failing to perform Enhanced Due Diligence and apply appropriate controls.
  • Case and SAR narrative generation
    AI drafts narratives based on investigation data. Risks include hallucinated facts, omission of critical details, bias from poor training data, and reduced analyst oversight, any of which can weaken investigations, produce inaccurate filings, and invite regulatory scrutiny.

The governance framework for deploying AI sits on four pillars:

  • Model governance
    Any AI system used for alert adjudication or risk scoring should be governed under the institution's model risk management framework, with defined ownership, validation protocols, ongoing monitoring, and data quality testing.
  • "Human-in-the-loop" controls
    Analysts must review and confirm AI-generated outputs, particularly at high-risk decision points like OFAC adjudication or SAR determinations, with no fully autonomous decisions made without compensating controls.
  • Explainability and documentation
    Institutions must be able to explain how the model works, the logic behind its outputs, and the data it relies upon. As Brown asked: "If I can't explain the model's reasoning, can I defend it?"
  • Vendor risk oversight
    Third-party AI tools carry the same accountability obligations as internally built models, requiring due diligence, ongoing monitoring, and SLAs that cover accuracy, updates, security controls, and contingency planning.

"Regulators have made clear through guidance, examinations, and enforcement actions that automation does not reduce accountability," Brown said. "In fact, as AI becomes more sophisticated, oversight expectations increase."

5. The GENIUS Act implications
The GENIUS Act eliminates the legal ambiguity around payment stablecoins and establishes the first federal framework specifically designed for them, effective January 18, 2027, or potentially sooner.

For BSA/AML compliance leaders, the most important aspect is straightforward. Federally licensed payment stablecoin issuers will be explicitly treated as financial institutions for BSA purposes. The full BSA program applies: CIP, CDD, EDD, suspicious activity reporting, a designated BSA officer, and everything that comes with it.

"This is really going to bring payment stablecoin issuers into the same regulatory framework as other financial services providers," Fox said, noting that the GENIUS Act follows a familiar pattern of extending BSA coverage to non-traditional financial entities as their activity grows, from MSBs and pawn shops to insurance companies and precious metals dealers.

For institutions considering stablecoin issuance, the choice of operating model carries significant compliance implications:

Fully permissioned models
Only pre-approved, KYC-verified wallets can transact with one another. They present the lowest AML and sanctions risk.

Semi-permissioned models
Offer more flexibility, and more risk, than fully permissioned models. They allow greater usability but require enhanced controls.

Open models
Any compatible wallets can transact with one another, dramatically increasing exposure to illicit activity and sanctions risk. Even with extensive controls, it becomes almost impossible to meet the GENIUS Act's compliance and oversight expectations.

For institutions in the early stages of evaluating whether to pursue stablecoin issuance, Fox outlined the foundational steps:

  • Running the decision through the new products and governance process
  • Assembling the right cross-functional team across compliance, legal, AML, and product
  • Completing a risk assessment tailored specifically to payment stablecoin activity
  • Planning ahead for the application process, which regulators will expect to be supported by a fully functioning compliance program before any issuance begins

Conclusion: Stay ahead of the changing BSA/AML landscape with strong compliance programs

Across all five topics, one message is consistent: regulatory change does not reduce the need for strong compliance programs. It raises the stakes for institutions that haven't built them.

Fox summarized the takeaways simply:

  • Use a risk-based approach
  • Integrate AML into change management
  • Keep employee training updated
  • Update documentation as you go
  • Stay ready for more change

Modernizing the BSA continues to be a high priority for regulators, and additional issuances and rules are expected.

For compliance leaders, the goal is not to react to each new development in isolation, but to build the kind of program that can absorb change, one that is well-documented, independently tested, risk-aligned, and resilient enough to hold up under scrutiny from any direction.
