FinCEN has proposed a rule that would represent the most comprehensive reform of anti-money laundering program requirements since the Bank Secrecy Act was enacted over fifty years ago. For banks, the headline is clear. For the broader payments ecosystem (acquirers, PayFacs, ISOs, and the platforms that sit between institutions and merchants), the implications are just as significant, and less widely discussed.
Here is what the rule actually proposes, why it matters to your program today, and where the pressure is going to come from.
FinCEN has proposed the most significant overhaul of AML/CFT program requirements in over fifty years. The rule shifts the compliance standard from process-based checklists to outcome-based effectiveness. Risk assessments are elevated to a formally required program component. AI and machine learning tools are explicitly encouraged by the regulator. While the rule directly governs banks and financial institutions, the compliance pressure flows downstream to acquirers, PayFacs, and ISOs through their sponsor bank relationships. Companies that take action now, before the rule finalizes, will be in a materially stronger position than those that wait.
The Notice of Proposed Rulemaking (NPRM), filed under Docket FINCEN-2026-0034, would amend AML program rules across all covered financial institution types, including banks, MSBs, broker-dealers, operators of credit card systems, and others. The proposed changes operate on several levels.
Outcome-based effectiveness replaces process compliance. The existing framework has long been criticized as a checklist exercise: maintain the four pillars, file your SARs, pass your exam. The NPRM formally reorients the standard. An "effective" program is one that is properly established and maintained in all material respects. Examiners will be evaluating whether your controls actually function, not just whether they exist on paper. FinCEN explicitly signals that institutions should focus on achieving effective outcomes rather than following prescribed processes to reach them.
Risk assessment becomes a codified program component. Under the current framework, risk assessments are expected but not formally required as a defined structural element of the program. The NPRM changes that. Risk assessment processes are enumerated as a required component of program establishment alongside the traditional four pillars. For acquirers and PayFacs, this means the way you segment and assess your merchant portfolio is no longer just a risk management preference. It is a compliance obligation.
AI and technology get direct encouragement from the regulator. This is notable. The NPRM explicitly names machine learning, generative AI, digital identity, blockchain analytics, and APIs as tools FinCEN encourages institutions to evaluate. Citing the 2024 National Illicit Finance Strategy and multiple executive orders, the rule reflects a regulatory posture that actively supports innovation as a compliance strategy, not as a risk to be managed. For vendors and internal teams that have been cautious about deploying AI tools in compliance workflows, this removes a significant objection.
Programs must be written, accessible, and board-approved. The NPRM codifies requirements for programs to be documented and formally approved by leadership. Verbal policies and informal practices will not hold up under examination.
The rule as proposed directly governs financial institutions: banks, MSBs, and operators of credit card systems. But the practical pressure cascades downstream almost immediately.
Sponsor banks are going to face heightened scrutiny on the effectiveness of their own programs. The single question that examiners will be asking is whether the bank's AML/CFT program actually works, which means the bank will be asking whether the programs of the entities it sponsors or enables actually work. That question lands on ISOs, PayFacs, and acquiring processors.
If your bank sponsor cannot point to how your onboarding decisions, your merchant monitoring, and your escalation workflows contribute to their program's effectiveness, you become a liability in their examination posture.
This is not a new dynamic, but the rule formalizes the stakes in a way that should prompt action now, before examiners are applying the new standard.
One of the most consequential elements of the proposed rule for payment companies is the formal elevation of risk assessment to a required program component.
Most acquirers and PayFacs do some version of merchant risk assessment at onboarding. Far fewer do it in a structured, documented, repeatable way that can be demonstrated to a regulator or a sponsor bank's compliance team. Even fewer have a framework that continuously incorporates the kinds of risk signals (digital footprint changes, descriptor anomalies, and chargeback trend shifts, for example) that would make a risk assessment genuinely dynamic rather than a point-in-time snapshot.
The proposed rule pushes institutions toward exactly this kind of ongoing, calibrated risk management. For payment companies, that means the merchant lifecycle matters. It is not just who you onboard, but how you monitor and re-assess them over time.
The NPRM's explicit endorsement of AI and ML as AML/CFT tools is a meaningful regulatory development. For years, compliance teams at banks and processors have approached AI adoption cautiously, partly out of concern about regulatory reception.
That concern is now directly addressed. FinCEN cites generative AI, machine learning, and digital identity as areas where institutions are actively encouraged to evaluate whether new technology might help more effectively combat financial crime. The 2024 National Illicit Finance Strategy is cited explicitly, noting that ML and large language models have potential to help institutions "more rapidly and effectively analyze data to identify patterns, risks, trends, and typologies."
For payments companies, this opens a defensible path to deploying AI-assisted merchant monitoring and risk decisioning tools. For those building out technology roadmaps, it is a signal that the regulatory environment is ready for it.
The comment period is open (60 days from Federal Register publication). The final rule is not yet in effect. But the direction is clear, and the expectation-setting has already begun. A few practical steps:
Audit your risk assessment documentation. If your merchant segmentation and underwriting criteria exist primarily in institutional knowledge or informal practice, now is the time to formalize them. The standard being proposed is documented, maintained, and demonstrable.
Map your monitoring program to the effectiveness standard. Ask the question FinCEN will eventually ask: does your current monitoring actually detect what it's supposed to detect? If the answer is "we hope so," that is not sufficient.
Engage your sponsor bank proactively. The institutions above you in the chain are going to face examination pressure tied to this rule. Getting ahead of those conversations, and being able to demonstrate that your program contributes to rather than undermines their effectiveness posture, is a competitive and relationship advantage.
Evaluate your technology stack honestly. The rule removes one of the most common objections to AI-assisted compliance tooling. If you have been waiting for a regulatory green light to evaluate machine learning and digital identity tools in your risk program, this is it.
The FinCEN NPRM is not a small procedural change. It is a substantive reorientation of what AML/CFT compliance means: from "do you have a program" to "does your program work." For the payments companies that take that question seriously before examiners start asking it, the gap between their programs and everyone else's is about to get a lot wider.
Ballerine is an AI-native platform built for financial crime and merchant risk management, purpose-designed for the kind of continuous, documented, and demonstrable risk oversight the NPRM now requires. For acquirers and PayFacs, Ballerine covers the full merchant lifecycle: structured KYB and onboarding workflows, ongoing transaction and behavioral monitoring, and dynamic risk re-assessment that captures the signals most legacy systems miss. Risk decisions are traceable, auditable, and built to withstand sponsor bank scrutiny. On the technology side, Ballerine’s AI agents replace rule-based logic with adaptive models that improve detection while reducing false positives. For payment companies looking to align their programs with the outcome-based effectiveness standard FinCEN is moving toward, Ballerine provides the infrastructure to get there.