AML Innovation and Whistleblower Provisions of the NDAA Mean Important Changes Ahead

By Matthew Van Buskirk

Over the years, priorities of anti-money laundering programs have accumulated without any serious consideration as to whether monitoring for some older crime patterns may have become redundant. Compliance teams are spread thin, making it difficult to think about investing in innovation or keeping up with evolving trends.

This accumulation is a byproduct of the mismatch between continuous innovation by criminals and a regulatory approach created decades ago that keeps up by layering on new expectations. Until recently, regulators did not have the tools to realistically consider methods for deploying outcomes-oriented regulation and have thus had to rely on inputs like policies, procedures and processes in the hope that the program will achieve the desired result.

Back in September, FinCEN took a significant first step toward building a next-generation framework for anti-money laundering regulation with the release of an advance notice of proposed rulemaking focused on re-orienting our approach to AML to focus on effectiveness. Enacted on Jan. 1 over a presidential veto as part of the National Defense Authorization Act, the Anti-Money Laundering Act of 2020, or AMLA, reinforces and expands FinCEN’s efforts. It is the most significant overhaul to the anti-money laundering regime in the United States since the Patriot Act, and includes several improvements to anti-money laundering rules long advocated by the American Bankers Association.

There are three important themes in the legislation:

  • Unlocking innovation, for regulators and banks.
  • Collaboration and better information.
  • Reinforcing culture.

Unlocking innovation at regulators

The AMLA acknowledges the challenges FinCEN and the other regulators face in modernizing AML and increases resources committed to innovation and exploring new technologies accordingly.

The AMLA creates a new subcommittee on innovation in the Treasury Bank Secrecy Act Advisory Group, adds new BSA innovation and information security officers at FinCEN and the other primary regulators, and issues a mandate to convene global financial crimes symposia. Through these actions, the AMLA charges regulators to “encourage and support” innovation and “reduce obstacles” to technological innovation. These new formalized roles dedicated to innovation at the regulators and a focus on cross-agency collaboration could significantly accelerate the pace of policy change.

Actions.—The intent behind the innovation officer roles and related committees is to improve collaboration and engagement with financial institutions and facilitate increased consistency across agencies. Banks of all sizes should prioritize engagement with these new positions. Be sure to consider the potential benefits presented by modernization together with the challenges and convey both to your regulator’s innovation lead.

Unlocking innovation at banks

The creation of the innovation leads at the regulators, and the mandate to promulgate rules and standards for testing AML technology, should go a long way to removing the cloud of uncertainty that often exists when experimenting with new technologies.

Historically, this uncertainty has led banks to default to focusing more heavily on the risks presented by the latest technology without accurately considering the risks inherent in sticking with the status quo. In many cases, the solutions in place at banks fall far below some of the new technologies out there if they are measured side by side. Unfortunately, it is much more common for a novel solution to be compared with a fictional perfect version of the tech in place today, leading to a status-quo bias. The initiatives defined in the AMLA, taken together with signals from other regulators, suggest that a shift in focus away from the risks associated with adopting new technology to the risk of doing nothing is underway. In two or three years, exam teams may be asking why your program has not changed instead of focusing on the changes from your last review.

Actions.—Expect new guidelines for experimenting with AML technology. Factor these guidelines into your risk assessment process and consider how to create safe spaces for experimenting with new technology with the goal of gathering sufficient data to demonstrate that the benefits outweigh the risks and costs of adoption.

When considering new technology, be sure to ask the “compared to what?” questions when comparing the potential benefits and risks presented. Perform a side-by-side comparison of any new solution against your existing systems using the same metrics. This will help ensure that you compare the new tech against an accurate assessment of your current stack without any rose-tinted glasses.

In addition to clearing the air for innovation, the AMLA is likely to free up resources in compliance teams through a directive to regulators to review existing regulations to identify outdated and redundant rules. Monitor these efforts closely to stay on top of opportunities to pull people off of redundant tasks.

Collaboration and information sharing

Woven throughout the AMLA is an enhanced focus on coordination and sharing information between law enforcement, regulators and financial institutions to help everyone better understand what to look for and create feedback loops. These efforts include the creation of a FinCEN exchange to promote public/private partnerships, a mandate for FinCEN to share threat patterns regularly and a requirement that the Treasury Department produce national AML priorities periodically.

The AMLA also encourages resource sharing between financial institutions by codifying the 2018 interagency statement on sharing BSA resources in law.

Taken together, all of these initiatives should go a long way to helping banks avoid operating in the dark, as is often the case today. Clear-cut guidance on what to look for will help ensure efficient allocation of resources and produce more certainty in regulatory exams.

Action.—Take a look at your AML program and consider how well it would handle frequent adjustments in focus. Are you maintaining rigid rule sets that require manual updates, or do you have adaptive systems in place? Does your organizational structure have hierarchical bottlenecks, or is it built on agile, cross-functional concepts? Can your team pivot between priorities every week, or would it take months to retool everything? Do you have your own engineers and data scientists, or are you relying on vendors to do everything for you? The AMLA will lead to much more rapid changes in AML priorities than have been seen previously. Be sure that your team is ready to adapt.

Reinforcing culture

The modernization efforts highlighted above come with commensurate changes that are likely to lead to increased enforcement activity. BSA whistleblower provisions have been modified to more closely resemble the SEC program that has resulted in more than 40,000 tips since its inception. Increased penalties now specifically include any profits made as a result of the violation. Repeat violations can lead to fines up to three times the profit gained. It is more important than ever for compliance programs to stay on top of AML risks, then identify and close gaps as soon as possible.

Actions.—A strong culture of compliance will be more critical than ever. Take steps to ensure that employees at your bank know what they are supposed to do and feel that people listen when they raise questions.


The banking industry tends to, often fairly, view new regulations as likely to add additional burdens, but we encourage an open-minded approach to the forthcoming changes. The AMLA represents a meaningful opportunity to improve effectiveness in blocking financial crime and terrorist financing while simultaneously reducing the regulatory cost to the financial industry. This is possibly the first time in regulatory history that it has been possible to achieve both goals simultaneously.

Matthew Van Buskirk is the co-founder and co-CEO of Hummingbird, a RegTech Company.