For decades, passing a US anti-money laundering (AML) audit meant proving a programme existed. Write the policies, appoint the officer, train the staff, complete the review. If the components were present, you passed.
RegTech firm Napier AI warns that era is drawing to a close. FinCEN’s April 2026 proposed rule would replace that box-ticking standard with one built around demonstrable effectiveness, and it names artificial intelligence directly in its enforcement considerations.
What the proposed rule changes
The proposal introduces a two-part standard. A programme qualifies as effective if the institution both establishes it on a risk-based footing, incorporating national AML/CFT priorities, and actively maintains it over time.
For banks, significant supervisory or enforcement action would be reserved for outright failures to establish a programme or for significant, systemic failures to implement one, rather than isolated technical shortfalls. FinCEN has asked whether that same framework should apply to other institution types, and several industry commenters have pushed for exactly that. Comments closed on 9 June; FinCEN proposes a 12-month implementation window from issuance of the final rule, though that timeline is not yet fixed.
Where AI fits into the enforcement calculus
The proposal lists factors FinCEN’s director would weigh before pursuing enforcement. Among them: whether the institution advances AML/CFT priorities through innovative activities that produce measurable outputs, including effective use of AI and advanced monitoring tools.
Crucially, the proposal states that responsible experimentation with these technologies carries no additional supervisory or enforcement risk purely from the use of the technology, and that no particular tool is mandated. Regulators have signalled openness to innovation before (a 2018 joint statement noted that AI pilots would not automatically attract supervisory criticism), but this proposal goes further by writing that credit into proposed enforcement factors directly.
The proposal also acknowledges a persistent barrier: uncertainty over how model risk management principles apply to AML programmes. FinCEN says it intends to work through those concerns with banking supervisors.
Outcomes, not activity
The operative word, as Napier AI highlights, is demonstrable. The credit attaches to measurable outputs. A tool that produces none earns none.
Most programme metrics today count activity: alerts worked, SARs filed, training completed. That proves effort. The new standard asks for proof of outcomes: monitoring coverage mapped to the risk assessment, screening thresholds calibrated with documented rationale, tuning history, and detection results tracked over time.
The clock is already running
Much of the forward-looking language sits in the preamble rather than the regulatory text, and preamble language does not bind examiners, Napier said. Commenters have pressed FinCEN to move the technology protections into the text and to confirm that the absence of AI will never itself become a finding.
Whatever the final text says, the underlying shift is the same: demonstrated outcomes will matter, and building the evidence infrastructure to support them takes time. Coverage mapping and a credible testing baseline alone can run well past a year at a complex institution.
Napier AI outlines five moves institutions should make before the final rule lands: map monitoring and screening coverage to the risk assessment and document the gaps; establish a detection performance baseline before an examiner asks for it; attach rationale to tuning and threshold decisions; govern AI use against Treasury’s Financial Services AI Risk Management Framework from day one; and begin tracking outcomes with the same rigour applied to activity metrics today.
Copyright © 2026 FinTech Global









