By Viktor Ha | April 2026 | AML-CAMS Blog
TL;DR: On 7 April 2026, FinCEN proposed sweeping reforms to US AML programs — less paperwork, more flexibility, higher threshold for enforcement action. Meanwhile, AUSTRAC has spent the past six months ordering compulsory audits, running sector-wide enforcement campaigns, and putting entire industries on notice. Both regulators are responding to the same underlying problem: compliance programs that generate volume without producing intelligence. They’ve arrived at opposite solutions. This post examines what each approach gets right, what each risks getting wrong, and what it means if you’re sitting at an Australian compliance desk.
The Announcement Nobody in Australia Is Talking About
On 7 April 2026, the US Department of the Treasury’s Financial Crimes Enforcement Network dropped what may be the most significant proposed reform to American AML regulation in a generation.
FinCEN announced a proposed rule to “fundamentally reform” how US financial institutions build and maintain their AML/CFT programs under the Bank Secrecy Act. Treasury Secretary Scott Bessent framed it in blunt terms: “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats.”
The headline changes: less prescriptive compliance, more institutional discretion, a higher bar before regulators can take significant enforcement action, and an explicit acknowledgment that no AML program can detect every suspicious transaction — and that’s acceptable, as long as the program is genuinely risk-based and effective.
It’s a significant moment. And from where Australian AML practitioners are sitting, it reads like a dispatch from a parallel universe.

What FinCEN Is Actually Proposing
To understand why this matters, it helps to understand what the proposed rule actually contains — beyond the headline framing.
The core shift is from technical compliance to demonstrable effectiveness. Under the current US framework, financial institutions are evaluated largely on whether they have the required program components in place: policies, procedures, training, independent testing, a designated compliance officer. The proposed rule keeps those four pillars but fundamentally changes how they’re evaluated. The question moves from “do you have this?” to “does it work?”
FinCEN is proposing to formally define what an “effective” AML/CFT program looks like — and critically, to acknowledge explicitly that effectiveness does not mean perfection. The proposed rule states that it is not possible for a financial institution to detect and report all potentially illicit transactions, and that a program can be effective without preventing every minor compliance lapse. What matters is whether the program is reasonably designed to manage actual risk, and whether it generates intelligence that is genuinely useful to law enforcement.
On enforcement, the shift is equally significant. Under the proposal, regulators would generally only take significant supervisory or enforcement action where there is a significant or systemic failure to maintain an established AML program — not for isolated or technical issues. Federal banking supervisors would also be required to give FinCEN 30 days’ advance notice before initiating significant AML enforcement action, giving FinCEN a gatekeeper role it has not previously held.
The FDIC, OCC and NCUA issued a joint proposal on the same day to align their own rules with FinCEN’s framework. Comments on both proposals close 9 June 2026.
The Reaction: Cautious Optimism, Pointed Criticism
The industry response has been broadly positive. PwC described the shift as consistent with the direction of travel from Treasury and banking agency leadership — “focusing on material risk, deprioritizing check-the-box requirements, and allowing financial institutions to define, based on a risk view, what ‘good’ looks like.”
Law firm analysis has been more measured. WilmerHale noted that making FinCEN the gatekeeper for enforcement actions might temper regulatory overreach — or it might simply mean FinCEN joins more cases and adds its own penalties on top of other regulators’. That’s a real risk. FinCEN concluded just two independent AML enforcement actions in 2025. If it becomes a mandatory participant in every significant bank AML action, the aggregate penalty exposure could actually increase, not decrease.
The sharpest criticism came from Transparency International, which warned that the proposal would make it harder for regulators to step in when banks have weak AML controls, with serious action reserved only for the largest or most widespread failures. They also flagged that the rule backs away from some of the clearer risk-assessment features in the prior 2024 version — including more explicit attention to professional enablers of money laundering, corruption intermediaries, and kleptocracy-linked flows.
That’s not a minor criticism. It goes to the heart of what AML programs are actually for.
Meanwhile, in Australia
While FinCEN is proposing to reduce compliance burden and raise the enforcement threshold, AUSTRAC has spent the past six months moving in the opposite direction with considerable force.
In November 2025, AUSTRAC concluded a sector-wide supervisory campaign targeting online payment platforms, finding low suspicious matter reporting, inadequate transaction monitoring, and systematic failures to identify and exit high-risk customers. AUSTRAC’s own team ran a transaction monitoring simulation using known child sexual exploitation typologies — and easily identified customers that the platforms themselves had missed. WorldRemit was directed to appoint an external auditor. Letters of concern went to five others. Several more were placed under investigation.
In January 2026, Airwallex — Australia’s highest-profile fintech and one of its few genuine unicorn companies — received a compulsory section 162 audit order. The failures identified: transaction monitoring not calibrated to actual risk, inadequate customer understanding at scale, and insufficient SMR oversight at the senior management level. We covered the Airwallex case in detail here.
In April 2026, MHITS Limited became the next payment platform directed to appoint an external auditor — the third such order stemming from the same campaign. AUSTRAC CEO Brendan Thomas sent a direct message to the sector: “Don’t wait for us to knock on your door to get your house in order.”
This follows AUSTRAC’s earlier enforcement actions against Bendigo Bank — a joint APRA/AUSTRAC action involving a $50 million capital add-on — and Mounties, which became the first registered club to face civil penalty proceedings for AML/CTF failures. AUSTRAC is operating with its largest budget and staffing numbers to date, and it is using both.
Two regulators. One problem. Opposite answers.
The Tension at the Heart of Both Approaches
Here’s the honest version of what both regulators are grappling with.
The FinCEN critique of the current US framework is legitimate. There is a real problem with AML programs that generate massive volumes of suspicious activity reports without producing intelligence that is genuinely useful to law enforcement. The US files hundreds of thousands of SARs annually. A meaningful proportion are filed defensively — to demonstrate compliance activity — rather than because they reflect genuine suspicion of illicit conduct. Box-checking is a real phenomenon, and it consumes enormous compliance resources that could be directed toward higher-risk activity.
The argument for moving toward effectiveness and risk-based design is not wrong in principle. An AML program that correctly identifies and manages the highest-risk customers and transactions, even if it misses some lower-risk activity, is arguably more useful to financial intelligence than one that flags everything and produces noise.
But here’s where the Australian position looks stronger.
The problem with raising the enforcement threshold — reserving action only for “significant or systemic” failures — is that it creates a much wider space for institutions to self-certify their own effectiveness before regulators can intervene. AUSTRAC’s payment platforms campaign exposed exactly this risk: platforms that presumably believed their programs were adequate, and that may have passed their own internal reviews, but where a transaction monitoring simulation run by AUSTRAC’s own team identified child sexual exploitation-linked payments in a matter of days.
If a regulator can only act on significant or systemic failures, what happens to the institution whose program is genuinely inadequate but not yet catastrophically so? The answer, under the FinCEN proposal, is: not much, until it tips into systemic territory.
AUSTRAC’s approach — sector-wide campaigns, compulsory audits, public enforcement, letters of concern to multiple entities simultaneously — is explicitly designed to catch that gap before it becomes a crisis. The Airwallex audit didn’t wait for a systemic failure. It moved when AUSTRAC’s intelligence indicated serious concerns about specific program components. That’s a proactive posture, and the CSAM detection rate increase of 264% across the payment platforms sector suggests it’s working.
The Question of Who Decides “Effective”
The deepest tension between the two approaches is about who gets to define what an effective AML program looks like.
FinCEN’s proposed rule explicitly reinforces the view that financial institutions are best positioned to identify and evaluate their own illicit finance risks. Institutions would have discretion in how they design and resource their programs, provided they can demonstrate the program is risk-based and reasonably designed.
That’s a reasonable starting premise — financial institutions do understand their own customer base and transaction flows better than any regulator. But the track record of self-assessed effectiveness in the AML space is not especially encouraging. Airwallex had an independent review in 2025 that found controls adequate. AUSTRAC disagreed, substantially, six months later. CBA’s intelligent deposit machines were assessed as manageable risk internally — the eventual penalty was $700 million.
The AUSTRAC model places greater weight on independent verification and regulatory intelligence as a check on institutional self-assessment. It’s more interventionist, and it carries compliance costs. But when the underlying risk includes payments linked to child sexual exploitation, the cost of getting it wrong falls on people who never consented to be part of the equation.
What This Means for Australian Practitioners
For Australian compliance teams, the FinCEN reform is worth watching for a few reasons — not because AUSTRAC is likely to follow, but because the debate it surfaces is one the Australian industry will increasingly have to engage with.
The “effectiveness over paperwork” argument is going to be used in submissions, board presentations, and compliance investment conversations in Australian institutions. Understanding its strengths and its limits is part of being an informed practitioner.
The limits, from a practitioner perspective, are real. Effectiveness is harder to define and harder to audit than process compliance. An institution that believes its program is effective, but whose transaction monitoring simulation would fail an AUSTRAC-style test, is not actually effective — it just hasn’t been tested yet. AUSTRAC’s enforcement posture ensures the test comes sooner rather than later.
For entities preparing to come under the expanded AML/CTF regime from July 2026 — lawyers, accountants, real estate agents — this debate matters too. Building a program from scratch under a “demonstrate effectiveness” standard, without the prescriptive guidance that comes with a more rules-based framework, is considerably more difficult than it sounds.
AUSTRAC has been clear about what it expects. The question is whether the programs being built will survive the kind of supervisory campaign it’s already running against the payment platforms sector.
Two Roads
The FinCEN reform is a genuine attempt to fix a real problem. The US AML system generates compliance activity at enormous scale and questionable intelligence yield. The shift toward effectiveness is philosophically defensible, and the risk-based approach has strong support in the FATF recommendations that underpin global AML standards.
But effectiveness without accountability is just self-assessment. And in a sector where the consequences of inadequate controls include facilitated exploitation of children and the movement of proceeds of serious crime, self-assessment is not sufficient assurance.
AUSTRAC’s model — assertive, sector-targeted, intelligence-led, publicly visible — imposes higher costs on compliant institutions. It also imposes higher costs on non-compliant ones, which is precisely the point.
Both regulators are right that the goal is genuine risk management, not paperwork. Where they diverge is on who bears the burden of proof.
In Australia, the regulator does the testing. In the US, the institution does.
That’s a significant difference. And for now, the Australian approach looks better calibrated to the actual risk landscape it’s operating in.
Viktor Ha is a Senior Financial Crime Analyst with experience in AML/CTF compliance across the Australian banking sector. The views expressed here are his own.