
How to Build an AML Policy That Actually Holds Up Under Scrutiny

Your AML policy is what you say you do. Your program is what you actually do, and only the program holds up under regulator and bank-partner scrutiny.

Ryan Landin, CAMS · 6 min read

A compliance binder on a shared drive has never stopped an enforcement action. Neither has a polished AML policy copied from a law firm template and filed away.

In February 2025, the cryptocurrency exchange OKX pleaded guilty to operating an unlicensed money transmitting business and failing to maintain an effective anti-money laundering (AML) program. The penalty reached $504 million. OKX was not a garage startup cutting corners. It had written AML policies on the books. What it lacked was the program those policies described.

That gap is the whole story. A policy is what you say you do. A program is what you actually do. When a regulator, bank partner, or auditor arrives, they read the policy, then they test it against the record. An AML policy holds up under scrutiny only when a functioning program stands behind it.

What makes an AML policy hold up under scrutiny

An AML policy holds up under scrutiny when an operating program supports every commitment it makes. Examiners and bank partners reconcile the written policy against the execution record: screening logs, case files, tuning records, training attestations, and audit trails. Where the document and the day-to-day diverge, that gap becomes a finding.

Ryan Landin, BSA/AML and sanctions officer at Coinflow, says your policy is the easy part. The hard part is what happens day to day, and whether you can prove it.

Examiners look for the seams. If the policy commits to sanctions screening every 24 hours but the logs show a 96-hour gap, that is a finding. If the policy requires a suspicious activity report (SAR) filed within 30 days of detection but the median filing time is 58 days, that is a finding. The binder is not the defense. The execution record is.

What the April 2026 FinCEN proposal changed, and what it didn’t

On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) that reframes AML and countering the financing of terrorism (CFT) program requirements under the Bank Secrecy Act (BSA). The comment period closed June 9, 2026, and a final rule would take effect 12 months after issuance.

The proposal supersedes FinCEN’s 2024 version and shifts the standard from programs that are merely “reasonably designed” toward demonstrable effectiveness. The clearest signal sits in the structure. FinCEN now separates two questions: did you establish the program, and did you maintain it? As Covington’s analysis notes, establishment is the design, while maintenance is implementation in all material respects.

That split is the regulator’s own version of policy versus program. A well-designed program on paper is necessary and nowhere near sufficient. It has to run, continuously, and the institution has to show that it runs.

The five pillars, and what good versus weak looks like

Under the proposal, every AML program rests on five required pillars. The pillars are familiar. What examiners and bank partners weigh is the evidence behind each one.

Pillar 1: Internal policies, procedures, and controls

The broadest pillar. It covers documented controls and a formal risk assessment, which the 2026 proposal writes directly into this pillar rather than leaving it as an unstated expectation.

  • What good looks like: A risk assessment refreshed annually and whenever a new product, geography, or customer segment launches, documented clearly enough to show where you concentrate monitoring and why.
  • What fails: A single, undated risk assessment that has not been touched since the second product line launched.

Pillar 2: Independent testing

A structurally independent party, not the compliance officer’s own team, tests the program on a defined cadence.

  • What good looks like: An annual or biannual external audit scoped to each pillar, with findings tracked to remediation deadlines.
  • What fails: A self-assessment run by the same team that built the controls.

Pillar 3: Designated US-based compliance officer

The proposal requires a named compliance officer located in the United States and accessible to FinCEN and the relevant supervisor. Personnel outside the US may still perform certain support functions, but offshore-only leadership does not satisfy the rule.

  • What good looks like: A named officer with documented authority to escalate findings, pause onboarding, and file SARs without executive override.
  • What fails: A compliance function run entirely from a foreign subsidiary with no US decision-maker.

Pillar 4: Ongoing employee training

A recurring, documented training program tailored by risk profile and role. A one-time onboarding module does not count.

  • What good looks like: Quarterly, role-specific training with completion tracking and signed attestations.
  • What fails: A single slide deck sent at onboarding, with no refresh and no record of completion.

Pillar 5: Customer due diligence (CDD)

The fifth pillar, added by FinCEN's 2018 CDD Rule and carried into the 2026 proposal. It requires risk-based procedures to identify and verify customers, understand the purpose of each relationship, and monitor it over time. For legal-entity customers, that extends to identifying the beneficial owners behind the account.

  • What good looks like: A tiered program that establishes a baseline for normal activity, escalates to enhanced due diligence (EDD) for higher-risk accounts, and refreshes customer profiles when behavior or ownership changes.
  • What fails: Identity collected once at onboarding and never revisited, with no beneficial-ownership check and no trigger to re-examine a customer whose risk profile shifts.

What “risk-based” actually means

Almost every AML article uses the word “risk-based” without defining it. The proposal is explicit: a risk-based program scales scrutiny to actual risk by customer segment, geography, product, and transaction pattern. It does not apply the same controls to every account.

The documented risk assessment is the linchpin. It sets monitoring thresholds, CDD depth, and where resources go, and it gets refreshed on a cadence and whenever the risk profile shifts.

As Landin frames it, a risk-based approach means you have done your own internal review and reached your own conclusions about your customers, your geographies, and your transaction flows. It is the difference between compliance as a checklist and compliance as real risk management.

Risk tolerance is not uniform. A small retailer operating only domestically carries a different profile than a remittance company pushing high cross-border volume. Risk-based AML mirrors risk-based merchant underwriting: both ask what the real risk of this customer or business is, then scale controls to match.

What your bank partner will actually ask for

When a sponsor bank runs diligence on a fintech’s AML program, the request is specific. Sponsor banks carry their own regulatory exposure for the partners they support, so gaps in your program become gaps in theirs. Expect to produce, at minimum:

  1. The BSA/AML policy with version history and board or senior-management approval
  2. A risk assessment refreshed within the last 12 months
  3. Sanctions-screening procedures with vendor documentation and match-disposition logs
  4. Transaction-monitoring rules with tuning records and alert-disposition metrics
  5. SAR-filing logs with time-from-detection-to-filing metrics
  6. Training records with role-based content, completion rates, and signed attestation
  7. The most recent independent-testing report, plus CDD and enhanced due diligence procedures with sample case files

If any item is missing or stale, expect the bank partner to escalate.
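The two seams named earlier (a screening cadence that slips past the policy's 24-hour commitment, and SAR filings that miss the 30-day deadline) are exactly the metrics in items 3 and 5 of that list. As an added illustration that is not Coinflow's code, the following script reconciles a policy commitment against constructed screening and SAR log entries and reports the gaps an examiner would flag; the log format and thresholds are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample screening log: one ISO timestamp per completed sanctions-screening run.
SCREENING_RUNS = [
    "2026-03-01T02:00:00",
    "2026-03-02T02:05:00",
    "2026-03-03T01:58:00",
    "2026-03-07T02:10:00",  # a four-day gap after this run's predecessor: the seam an examiner finds
    "2026-03-08T02:00:00",
]

# Constructed SAR log: (detection date, filing date) pairs.
SAR_CASES = [
    ("2026-01-05", "2026-01-28"),
    ("2026-01-12", "2026-03-11"),  # filed 58 days after detection, past the 30-day policy window
    ("2026-02-02", "2026-02-24"),
]

# Assumed policy commitments, as the written policy would state them.
POLICY_SCREENING_INTERVAL = timedelta(hours=24)
POLICY_SAR_DEADLINE = timedelta(days=30)


def screening_gaps(runs, max_interval=POLICY_SCREENING_INTERVAL, tolerance=timedelta(hours=1)):
    """Return (previous_run, next_run, gap_hours) for each interval exceeding the policy cadence.

    A small tolerance absorbs normal scheduler drift; anything beyond it is a finding.
    """
    stamps = sorted(datetime.fromisoformat(s) for s in runs)
    findings = []
    for prev, nxt in zip(stamps, stamps[1:]):
        gap = nxt - prev
        if gap > max_interval + tolerance:
            findings.append((prev.isoformat(), nxt.isoformat(), round(gap.total_seconds() / 3600, 1)))
    return findings


def sar_filing_metrics(cases, deadline=POLICY_SAR_DEADLINE):
    """Median detection-to-filing time in days, plus how many filings missed the policy deadline."""
    durations = [datetime.fromisoformat(filed) - datetime.fromisoformat(found) for found, filed in cases]
    late = sum(1 for d in durations if d > deadline)
    return {"median_days": median(d.days for d in durations), "late": late, "total": len(cases)}


if __name__ == "__main__":
    for prev, nxt, hours in screening_gaps(SCREENING_RUNS):
        print(f"FINDING: {hours}h between screening runs {prev} and {nxt}")
    print("SAR filing metrics:", sar_filing_metrics(SAR_CASES))
```

Run the same reconciliation on the real logs before the bank partner does; a finding you surface and remediate yourself reads very differently from one they surface for you.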

How this looks in practice

Cross-border remittance is among the most AML-sensitive corridors in payments. Every transaction carries sanctions screening, CDD on both sender and receiver, jurisdictional risk by corridor, and monitoring tuned for structuring and layering.

Félix runs US-to-Latin America remittance over WhatsApp, with stablecoin settlement underneath. The experience is simple. The compliance load is not.

Coinflow carries that load so Félix can focus on the customer experience and growth. The program architecture, sanctions screening, and transaction monitoring run beneath the product.

Over four months on Coinflow, Félix’s acceptance rate climbed from 98.16% to 99.14%, bank and issuer declines fell from 188 to 45, and the average decline rate settled near 1.15%. When compliance infrastructure works, it disappears from view for both the end user and the operations team.

The policy is the easy part

Write the policy. Every program needs one, and a clean, current, board-approved document matters. But the document is the floor, not the finish. What survives regulator and bank-partner scrutiny is the program: the governance, the testing and tuning, and the audit trail that proves the policy is live.

This is where infrastructure changes the math. Building transaction monitoring, sanctions screening, and SAR workflows in-house is a heavy lift, and maintaining them to a standard that holds under audit is heavier still. Building on a payments partner that already runs that program means you carry your policy and your own risk decisions, not the entire program underneath them.

At Coinflow, we run a compliance program built to hold up to bank audit and regulatory scrutiny. When you build on our infrastructure, you’re not carrying the burden alone, and you’ll never be caught flat-footed when regulators come knocking.

To talk through how Coinflow’s compliance infrastructure holds up in your corridor or vertical, get in touch with our team.


Ryan Landin, CAMS is a contributor at Coinflow, a global payments platform enabling businesses to accept and send payments worldwide.