AML Program Effectiveness: What Regulators Expect to See
- Anna Stylianou


In April 2026, the U.S. Financial Crimes Enforcement Network (FinCEN) published a proposed rule with a clear message. In the words of Treasury Secretary Scott Bessent, the current system asks financial institutions to measure success "by the volume of paperwork rather than their ability to stop illicit finance threats."
The proposed rule calls for AML/CFT programs that are "risk-based" and "reasonably designed," and puts supervisory focus squarely on effectiveness - on whether programs actually work, not whether they exist on paper.
If you are reading this from outside the United States, you might be tempted to file this under "American regulatory news." It is not.
This is happening everywhere
FinCEN put it in writing first. But the same shift is underway across multiple jurisdictions at the same time. The language differs. The enforcement calendars differ. The direction does not.
Regulators are no longer satisfied with documentation that describes a program. They want evidence that the program runs and that it is effective.
In the EU, AMLA completed its formal takeover of all AML/CFT mandates from the EBA on 1 January 2026. It arrived with a supervisory philosophy built around measurable outcomes. AMLA's first multi-year plan, published in February 2026, centres on completing the AML/CFT Single Rulebook and converging supervisory practices across financial and non-financial sectors.
The EBA's supervisory reports, now handed over to AMLA, told a consistent story across years of monitoring: the gap between what institutions say they do and what they actually do is the primary driver of findings. AMLA aims to close that gap.
What does "operational proof" look like in practice?
Think of it this way. A regulator sits down to review your AML program. In the old world, they checked the boxes. Policy? Yes. Risk assessment? Yes. Training records? Yes. Independent audit? Yes. Now, they go further.
They ask whether your risk assessment reflects your actual customer base today - or the one you had when the document was last approved. They look at your transaction monitoring and ask whether it can detect the typologies your own risk assessment says are relevant. They look at your independent testing and ask what findings it produced, and if the answer is "none," that is increasingly a red flag, not a compliment.
And they look at your Board. What information does it receive about AML risk? Can it show that genuine oversight is happening, or does the paper trail show a dashboard that says everything is fine, every quarter, without exception?
That last point catches more institutions off guard than anything else. Governance failures at board level are now treated as program failures. AMLA's framework draws that line explicitly. So does FinCEN's proposed rule, which flags the need to ensure that independent testing and audit functions are doing real work.
Three things to look at right now
1. Your risk assessment:
If it has not been updated in the last twelve months, the gap between what it says and what your business actually looks like is probably wider than you think. Regulators will assess your risk profile against your controls. If those two things were calibrated at different points in time, that gap will show.
2. Your transaction monitoring:
Alert volumes, closure rates, and the logic behind your tuning are now supervisory data points. Institutions that cannot explain why their systems are set up the way they are - in the context of their own risk profile - are exposed. The question regulators ask is simple: does your monitoring reflect your risk? Can you demonstrate it?
3. Your audit and testing outcomes:
A clean independent audit report used to feel like good news. In several recent EU enforcement cases, regulators pointed to testing functions that consistently found no significant issues, and treated that as a sign that the scope was too narrow, not that the program was strong.
A genuinely rigorous review finds something to improve. If yours never does, that is worth examining.
The practical question for leadership
For a CEO or board member, the question is straightforward. Does your compliance function have the mandate, the data, and the standing to surface real risk, and does it report that risk? Regulators are examining board minutes and management information for signs of genuine oversight.
A board that has been receiving reassuring summaries will find it difficult to argue it did not know when something surfaces.
For a compliance officer, the pressure is more immediate. The institutions that move in the next twelve to eighteen months - that close the gap between what their frameworks say and what their programs actually do - will be ready when an examiner or a direct supervision selection process arrives.
The ones that wait will be closing that gap under scrutiny.
A final thought on AML programs
FinCEN said it in April 2026. AMLA is operationalising the same standard across the EU in parallel. The window to get ahead of this is open.
The question every institution should be asking right now is simple: if a regulator walked in tomorrow and asked us to prove our program works - could we?


