Regulators are stepping up their efforts to enhance banks’ anti-money laundering and combating the financing of terrorism (AML/CFT) programs with new rules and greater scrutiny.

The Financial Crimes Enforcement Network (FinCEN) in October assessed a record $1.3 billion penalty against TD Bank for violations of the Bank Secrecy Act—the largest penalty against a depository institution in U.S. Treasury and FinCEN history. FinCEN also imposed a four-year independent monitorship to oversee TD Bank’s required remediation.

What do community banks need to know to ensure their AML/CFT practices are in line with regulators’ expectations?

Strengthening AML/CFT programs

In addition to increased enforcement activities, FinCEN and four other federal financial regulators in July proposed rules to strengthen and “modernize” financial institutions’ AML/CFT programs. 

The proposed amendments are based on changes to the Bank Secrecy Act as enacted by the Anti-Money Laundering Act of 2020 and are “a key component of Treasury’s objective of building a more effective and risk-based AML/CFT regulatory and supervisory regime,” according to the interagency statement.

Among other new requirements, the AML Act requires financial institutions to review FinCEN’s published “priorities” and incorporate them into their AML/CFT programs, as appropriate: corruption; cybercrime, including relevant cybersecurity and virtual currency considerations; foreign and domestic terrorist financing; fraud; transnational criminal organization activity; drug trafficking organization activity; human trafficking and human smuggling; and proliferation financing.

While ICBA supports the modernization of AML/CFT and BSA programs, the proposal is ambiguous and creates additional burden on community banks without any demonstrable benefit to combating money laundering or terror financing, says Rhonda Thomas-Whitley, senior vice president and senior regulatory counsel.

Before a final rule is issued, ICBA is urging FinCEN to amend the current list of priorities to include guidance that entails examples, typologies, case studies, and both transactional and behavioral red flags.

“If FinCEN wants institutions to really risk-weight these priorities, it just seems like they would be willing to incorporate some of our recommendations so that banks have a very good chance of conducting a good, comprehensive risk assessment,” Thomas-Whitley says. “Even if those priorities do not exist within their institutions, banks need intel from FinCEN to know what they're looking for.”

The proposed rules also would require institutions to develop AML/CFT programs that are “effective.” At a baseline, “effectiveness” should be defined by FinCEN, and the definition should move banks toward a true principles-based, institution-specific program, Thomas-Whitley says.

Moving to risk-based strategies

The proposed rules also reflect a shift to risk-based strategies, “targeting resources where they matter most,” says Kristin Parker, vice president of compliance and operations at BSA-focused fintech RiskScout in Austin, Texas.

“Every bank faces unique threats based on its customers, products and geographic footprint,” Parker says. “Customization ensures resources are focused where the risks are highest, rather than wasted on low-risk areas.”

She says community banks should explore evolving strategies that enable them to develop more dynamic and responsive compliance programs.

“Technology, coupled with useful data analytics, are the driving force behind modern, agile AML/CFT programs,” Parker says. “They help banks spot patterns, flag risks faster, and focus their efforts where it counts.”

She notes that the proposed “effectiveness” requirement would create a new challenge for institutions: demonstrating that their programs genuinely mitigate risks and prevent financial crime.

To meet these standards, community banks should focus on three key steps: 

  • Conducting comprehensive risk assessments to tailor their programs

  • Using technology to enhance detection and reporting capabilities

  • Fostering a compliance culture that empowers staff to identify and address risks confidently

“Effectiveness isn’t a one-time achievement; it’s an ongoing process of adaptation and improvement, ensuring programs stay sharp and aligned with regulatory and operational realities,” Parker says.

A data-driven approach

Quick Stat

$1.3B

The largest penalty against a depository institution in U.S. Treasury and FinCEN history, which was against TD Bank for violations of the Bank Secrecy Act

Source: FinCen

To develop more dynamic and responsive AFT/CFT compliance programs, $1.1 billion-asset United Bankers’ Bank is developing several strategies, says Mary Williams, executive vice president and COO of the Bloomington, Minn., community bank.

Williams and her team have adopted a data-driven approach to risk management using advanced analytics to monitor transactions, which enables them to identify and respond to alerts on suspicious activities. Regular training and audits help ensure that compliance is embedded in the bank’s daily operations.

“Technology and data analytics play a significant role in enhancing these strategies,” Williams says. “By leveraging big data and machine learning algorithms, vast amounts of transaction data can be analyzed to detect patterns and trends that might indicate money laundering or terrorist financing.”

Moreover, collaborative analytics with other financial institutions and vendors enables Williams and her team to share insights and improve their collective understanding of emerging risks.

Still, defining and achieving “effectiveness” in United Bankers’ Bank’s AML/CFT programs is not without challenges, she says.

“The constantly evolving nature of financial crimes means that we must continuously update our systems and processes to stay ahead of the curve,” Williams says. “Regulatory changes and new compliance requirements can also pose difficulties, requiring us to adapt quickly and ensure that our programs remain compliant.”

To meet these standards, Williams and her team have taken several practical steps. First, they conduct regular internal audits to assess the effectiveness of the bank’s compliance programs and identify areas for improvement. The community bank also engages in ongoing training for employees to keep them informed about the latest threats and regulatory requirements.

Williams and her team also collaborate with industry peers to share best practices and stay current on the latest developments in AML/CFT compliance.

“By tailoring our AML/CFT program to our unique threats and continuously improving our strategies,” she says, “we aim to create a robust and effective compliance framework that protects our bank and contributes to the overall integrity of the financial system.”