
Risk & Compliance
Your AML policy is what you say you do. Your program is what you actually do, and only the program holds up under regulator and bank-partner scrutiny.

A compliance binder on a shared drive has never stopped an enforcement action. Neither has a polished AML policy copied from a law firm template and filed away.
In February 2025, the cryptocurrency exchange OKX pleaded guilty to operating an unlicensed money transmitting business and failing to maintain an effective anti-money laundering (AML) program. The penalty reached $504 million. OKX was not a garage startup cutting corners. It had written AML policies on the books. What it lacked was the program those policies described.
That gap is the whole story. A policy is what you say you do. A program is what you actually do. When a regulator, bank partner, or auditor arrives, they read the policy, then they test it against the record. An AML policy holds up under scrutiny only when a functioning program stands behind it.

What makes an AML policy hold up under scrutiny
An AML policy holds up under scrutiny when an operating program supports every commitment it makes. Examiners and bank partners reconcile the written policy against the execution record: screening logs, case files, tuning records, training attestations, and audit trails. Where the document and the day-to-day diverge, that gap becomes a finding.
Ryan Landin, BSA/AML and sanctions officer at Coinflow, says your policy is the easy part. The hard part is what happens day to day, and whether you can prove it.
Examiners look for the seams. If the policy commits to sanctions screening every 24 hours but the logs show a 96-hour gap, that is a finding. If the policy requires a suspicious activity report (SAR) filed within 30 days of detection but the median filing time is 58 days, that is a finding. The binder is not the defense. The execution record is.
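The reconciliation an examiner performs on those two seams can be scripted against the execution record. The following is an added example, not Coinflow's code: it checks a constructed sanctions-screening run log against an assumed 24-hour cadence and a constructed SAR case file against an assumed 30-day filing deadline, and reports each divergence as a finding.

```python
"""Reconcile written AML policy commitments against the execution record.
Added example; the thresholds and log entries below are constructed, not Coinflow's."""
from datetime import datetime
from statistics import median

# Assumed policy commitments (the article's illustration, not a real policy).
SCREENING_MAX_GAP_HOURS = 24
SAR_FILING_DEADLINE_DAYS = 30

# Constructed sanctions-screening run log: one ISO timestamp per completed run.
SCREENING_RUNS = [
    "2026-03-01T02:00:00", "2026-03-02T01:58:00", "2026-03-03T01:56:00",
    "2026-03-07T01:56:00",  # a 96-hour hole follows the 03-03 run
    "2026-03-08T01:56:00",
]

# Constructed SAR case file: (case id, detection date, filing date).
SAR_CASES = [
    ("CASE-001", "2026-01-05", "2026-02-01"),  # 27 days, on time
    ("CASE-002", "2026-01-10", "2026-03-09"),  # 58 days, late
    ("CASE-003", "2026-02-01", "2026-04-03"),  # 61 days, late
]

def screening_gaps(runs):
    """Hours between consecutive screening runs, in chronological order."""
    ts = sorted(datetime.fromisoformat(r) for r in runs)
    return [(b - a).total_seconds() / 3600 for a, b in zip(ts, ts[1:])]

def sar_filing_days(cases):
    """Days from detection to filing, keyed by case id."""
    return {cid: (datetime.fromisoformat(filed) - datetime.fromisoformat(found)).days
            for cid, found, filed in cases}

def findings(runs=SCREENING_RUNS, cases=SAR_CASES):
    """Every place the record misses the policy, phrased as an examiner would."""
    out = []
    worst_gap = max(screening_gaps(runs))
    if worst_gap > SCREENING_MAX_GAP_HOURS:
        out.append(f"screening gap {worst_gap:.0f}h exceeds {SCREENING_MAX_GAP_HOURS}h")
    days = sar_filing_days(cases)
    late = sorted(cid for cid, d in days.items() if d > SAR_FILING_DEADLINE_DAYS)
    if late:
        out.append(f"{len(late)} SAR(s) filed past {SAR_FILING_DEADLINE_DAYS} days: "
                   f"{', '.join(late)}; median {median(days.values()):.0f} days")
    return out

if __name__ == "__main__":
    for finding in findings():
        print("FINDING:", finding)
```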
On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) that reframes AML and countering the financing of terrorism (CFT) program requirements under the Bank Secrecy Act (BSA). The comment period closed June 9, 2026, and a final rule would take effect 12 months after issuance.
The proposal supersedes FinCEN’s 2024 version and shifts the standard from programs that are merely “reasonably designed” toward demonstrable effectiveness. The clearest signal sits in the structure. FinCEN now separates two questions: did you establish the program, and did you maintain it? As Covington’s analysis notes, establishment is the design, while maintenance is implementation in all material respects.
That split is the regulator’s own version of policy versus program. A well-designed program on paper is necessary and nowhere near sufficient. It has to run, continuously, and the institution has to show that it runs.
Under the proposal, every AML program rests on five required pillars. The pillars are familiar. What examiners and bank partners weigh is the evidence behind each one.
Internal controls. The broadest pillar. It covers documented controls and a formal risk assessment, which the 2026 proposal writes directly into this pillar rather than leaving it as an unstated expectation.
Independent testing. A structurally independent party, not the compliance officer’s own team, tests the program on a defined cadence.
Designated compliance officer. The proposal requires a named compliance officer located in the United States and accessible to FinCEN and the relevant supervisor. Personnel outside the US may still perform certain support functions, but offshore-only leadership does not satisfy the rule.
Training. A recurring, documented training program tailored by risk profile and role. A one-time onboarding module does not count.
Customer due diligence (CDD). The fifth pillar, added by FinCEN's 2018 CDD Rule and carried into the 2026 proposal. It requires risk-based procedures to identify and verify customers, understand the purpose of each relationship, and monitor it over time. For legal-entity customers, that extends to identifying the beneficial owners behind the account.
Almost every AML article uses the word “risk-based” without defining it. The proposal is explicit: a risk-based program scales scrutiny to actual risk by customer segment, geography, product, and transaction pattern. It does not apply the same controls to every account.
The documented risk assessment is the linchpin. It sets monitoring thresholds, CDD depth, and where resources go, and it gets refreshed on a cadence and whenever the risk profile shifts.
As Landin frames it, a risk-based approach means you have done your own internal review and reached your own conclusions about your customers, your geographies, and your transaction flows. It is the difference between compliance as a checklist and compliance as real risk management.
Risk tolerance is not uniform. A small retailer operating only domestically carries a different profile than a remittance company pushing high cross-border volume. Risk-based AML mirrors risk-based merchant underwriting: both ask what the real risk of this customer or business is, then scale controls to match.
When a sponsor bank runs diligence on a fintech’s AML program, the request is specific. Sponsor banks carry their own regulatory exposure for the partners they support, so gaps in your program become gaps in theirs. Expect to produce, at minimum:
If any item is missing or stale, expect the bank partner to escalate.
Cross-border remittance is among the most AML-sensitive corridors in payments. Every transaction carries sanctions screening, CDD on both sender and receiver, jurisdictional risk by corridor, and monitoring tuned for structuring and layering.
Félix runs US-to-Latin America remittance over WhatsApp, with stablecoin settlement underneath. The experience is simple. The compliance load is not.
Coinflow carries that load so Félix can focus on the customer experience and growth. The program architecture, sanctions screening, and transaction monitoring run beneath the product.
Over four months on Coinflow, Félix’s acceptance rate climbed from 98.16% to 99.14%, bank and issuer declines fell from 188 to 45, and the average decline rate settled near 1.15%. When compliance infrastructure works, it disappears from view for both the end user and the operations team.
Write the policy. Every program needs one, and a clean, current, board-approved document matters. But the document is the floor, not the finish. What survives regulator and bank-partner scrutiny is the program: the governance, the testing and tuning, and the audit trail that proves the policy is live.
This is where infrastructure changes the math. Building transaction monitoring, sanctions screening, and SAR workflows in-house is a heavy lift, and maintaining them to a standard that holds under audit is heavier still. Building on a payments partner that already runs that program means you carry your policy and your own risk decisions, not the entire program underneath them.
At Coinflow, we run a compliance program built to hold up to bank audit and regulatory scrutiny. When you build on our infrastructure, you’re not carrying the burden alone, and you’ll never be caught flat-footed when regulators come knocking.
To talk through how Coinflow’s compliance infrastructure holds up in your corridor or vertical, get in touch with our team.
Ryan Landin, CAMS is a contributor at Coinflow, a global payments platform enabling businesses to accept and send payments worldwide.