In this week’s This Week in AML, Elliot Berman and John Byrne break down FinCEN’s newly released notice of proposed rulemaking to modernize the AML/CFT program rule—its first major rethink in two decades. They explore what a risk-based refocus could mean in practice, including new requirements for risk assessments, changes to the four pillars, examiner discretion, and the unprecedented requirement that bank regulators consult with FinCEN before certain enforcement actions.
The conversation also covers a flurry of regulatory and enforcement developments: the OCC’s GENIUS Act proposal on stablecoins, the removal of reputation risk from bank examinations, and what both could mean for smaller financial institutions. Elliot and John look back at the 10-year anniversary of the Panama Papers, review the FBI’s 2025 Internet Crime Report, and discuss global enforcement challenges—from scam centers in Southeast Asia to resource constraints at foreign FIUs.
FinCEN’s AML Program Rule Overhaul, Stablecoins, and the 10-Year Legacy of the Panama Papers - Transcript
Elliot Berman: Hey John, how are you today?
John Byrne: Good morning, Elliot. As we record this, we took a pause and suggesting we're gonna blow Iran back to the Stone Age, so there's a couple more weeks, so that's a good thing. Besides that, a lot has happened in the AML space and we've had a number of notices. Where would you like to start?
Elliot Berman: I think the elephant in the room is the announcement, so we're recording on Wednesday, yesterday FinCEN and the banking agencies each posted their notice of proposed rulemaking for an update to the program rule. And people will remember that back in 2004 a notice of proposed rulemaking was issued for the program rule.
There was a comment period and then, we didn't see anything. Then there was a change of administration and now we have the new take on the program rule. There's a lot in there. I'll let you talk about the high points that you want to talk about. And we're gonna be doing some other programming around this and there'll be lots of other sources of programming and insights.
Obviously, everybody should take a look at it. And I'm gonna steal your usual line, which is, this is an opportunity for practitioners to comment. And the more comments that FinCEN and the bank regulators get, the more insight hopefully they receive, and the possibility for changes between the proposal and the final are always there. So I'd encourage people to read it in detail and make comments.
John Byrne: The key here is with FinCEN's proposal and a similar proposal from the banking agencies is over a hundred pages, so you gotta read through everything. We're gonna make some references to the fact sheet and the key changes, but understand some of that wording is, I won't say it's subjective, but clearly it's more opinion than it is what's in the proposed rule.
So that I think is important. But there are a couple of things in here that are relatively unique to say the least. And one is, and i'm reading from a document called the Key Changes. The key changes to the proposed rule that they're arguing is a refocusing on higher risk activity while reducing unnecessary burdens.
That's the fact sheet but here's a couple of highlights from that. The proposed rule quoting here, the proposed rule for the first time require federal banking regulators to consult with FinCEN prior to taking certain types of supervisory or enforcement actions related to AML/CFT programs of banks.
That's never happened before, so that's going to be fascinating to see how it's operating in real time, if you will. Right before that, they say that the flexibility of this proposed rule will shift programs away from purely again, quoting, check the box exercise that's unnecessarily burdensome.
So both of those items are interesting. We all know that FinCEN lacks sufficient resources to do some items. If they're going to be having to run enforcement actions or other formal criticisms through FinCEN that process is gonna be fascinating to watch. So that's one item that's there.
It also for the first time will require a risk assessment by financial institutions. Now, from a practical standpoint, I don't think we know any financial institution that doesn't have a risk assessment process of some sort. So that's going to be in the rule. It's new, but again, how it's supervised is gonna be interesting. And then one more item, I'll mention that, throw it back to you.
They're gonna be incorporating the priorities, which came out in November of 2021, I believe, in both the program requirements and considerations involving significant supervisory or enforcement actions. Meaning I think that if it's not a priority, and remember the priorities are pretty broad, if it's not a priority, the expectations for the institution will be different than if it was under the umbrella of one of the priorities.
Elliot Berman: Biggest comment I have and I agree with the things you highlighted in there other things we're gonna go back to four pillars and a whole bunch of other stuff. But the thing that you know, and you and I have had this experience over a long period of time and so have many of our friends and colleagues.
The devil in all of this is still going to be in the exam procedures. Whether we get an an FFIEC exam manual update that takes the final rule into account or whether they're gonna do it a different way, I think when they, came out with the unified exam manual, that was very helpful for the community.
But that's a fairly long way off. This notice has a 60 day comment period. So we're talking about early to mid-June when the comment period will expire. There'll be a lot of comments and a lot of work to be done, and then to generate the final rule. And then presumably the final rule's gonna have at least a six month implementation period. So as a practical matter, they won't start working on an exam manual until late this year at the earliest, and we won't see it until, I would guess a year from now at a minimum. So those first exams, without an exam, any will be very interesting.
John Byrne: Yeah I agree with that. And just one other item, and again, people should look through everything. Something that sort of caught my eye about the four pillars that we're well aware of on the training pillar. This language was interesting, and I'm not reading from the actual proposal, I'm reading from the fact sheet.
And this is the requirement for an ongoing employee training program. And they say that the proposed rule is gonna standardize the training requirements. And based on the risk-based approach that will allow institutions quoting here, flexibility in determining which employees and non-employees require ongoing training, unquote.
So it's gonna be curious to see, does that mean that you could make the decision that certain parts of an institution don't require training on a regular basis perhaps unless there's a major change in law and regulation? And how is that overseen? So there's a lot of, I won't even call it nuance. There's a lot of issues within the rule that it'll be very interesting to see how our clients respond.
And I know we're gonna talk about this later in terms of what's coming up. I'm gonna sit down today, which is the eighth. And so you might see this by the time our conversation posts. I'm gonna sit down with Dan Stipano, who is a former OCC enforcement lawyer. He's a partner in a law firm and is doing extensive work on AML for his entire career. We're gonna sit down with Dan this afternoon and get his initial take. This is his first thoughts as he reads the proposal before we get some of the weighing in from clients and other issues, whether they be operational challenges or legal challenges.
And we will do additional content work on this throughout the 60 days and beyond of course, because this has the potential of being an extremely dramatic adjustment to the AML infrastructure.
Elliot Berman: Agreed. So a couple of other quick things from US regulators. The OCC issued a notice of proposed rulemaking related to the GENIUS Act. Why the OCC? Because in the Act, , this responsibility was delegated specifically to the OCC. I think whether that's the right place for it or not, you could have a long conversation, but it needed to go somewhere. And so they've done that. That proposed rule is now out for comment as well.
Comments are due by May 1. I urge everybody to take a look at this. The regulations to implement the GENIUS Act will be important for insured depository institutions in terms of how they might offer stablecoin related products. How, and how the issuance or availability of stablecoin related products from any source will be impacting insured deposits.
People should take a look at that. And then the OCC announced yesterday, they were busy this week the publication of the final rule that takes reputation risk out of the examination process. Again, take a look at it. This has been going on for a while. I think that one of the challenges going forward will be to see as banks do their risk assessment, how they assess generally their reputation risk maybe not directly related to AML, but from more of a systemic or even existential perspective. How do you do all the things you have to do and keep your reputation positive so as not to impact your deposit base and things like that.
John Byrne: I'll just add that according to the OCC, this rule responds to the executive order that we've talked about in the past. And again, reading from the description, they say the executive order says that the use of reputation risk can be a pretext for restricting law abiding individuals and businesses access to financial services on the basis of political or religious or lawful business activities. I think that particular phrasing is suspect in my opinion.
And I think what's gonna happen here, Elliot, is we may rue the day that we told institutions not to factor in reputation in terms of how they handle business going forward. We'll see what happens. This is gonna be an interesting area of focus and I do think, I have not seen enough conversation about the potential challenges in a few years when we see institutions, in some cases forced to do business with entities that they might have considered either high risk or not appropriate for the type of business that the bank provides.
Elliot Berman: Yeah I think about how this might play out for medium and small size financial institutions who don't have the resources to manage the risk of customers that are outside, what I'll call the mainstream of their customer base. And will they be able to say we can't provide services to you? Not 'cause we don't trust you, but you do things that we don't really know enough about to manage that risk. It's it's a funny twist on the same issue of smaller banks that early on got into banking as a service and didn't understand what they were getting themselves into.
John Byrne: Yeah, that's right. Going back just very quickly to the GENIUS Act, our friends at the Charity and Security Network, the week that we're recording are doing a program on what they're calling potential opportunities for NPOs under the GENIUS Act. And so as we know, the humanitarian groups have struggled to get financial access and in some cases have been de-risked inappropriately.
They're gonna have the conversation about whether or not the GENIUS Act opens up new opportunities such as the ability to operate in regulated financial channels while cutting out intermediaries. This is, again, stablecoins. A shift in how cryptocurrency is perceived they think could happen. Moving it from a higher risk investment to a compliance driven, reliable way to engage in charitable donations. And finally, comfort for donors in using stablecoins due to their now having a legal definition, believing there's now enhanced transparency, interesting angle. One that I, I'm not as familiar with, but our friends in that area are working hard to determine what can help get money to conflict zones for medicine and water and all those sorts of things,
Elliot Berman: I know you wanted to talk about something from the OCCRP on the Panama Papers.
John Byrne: Yeah. So the OCCRP, they have posted, it's the 10 year anniversary of the Panama Papers, and so they have an interesting, it's like a PowerPoint, but also it goes back into some of the issues previously covered through the Panama Papers.
It's a 13 page quick document to look through, but it's interesting and they tell you how it started. They also say how the investigative journalists, many of them were involved in exposing hundreds of thousands of offshore companies that were set up by that Panamanian law firm, Mossack Fonseca, at least $1.3 billion had been recouped by authorities around the world.
Some of the key findings in there were one of Putin's closest friends cellist, Sergey Dugin was connected to a group of companies that controlled significant shares of a secret business empire. They also found that he received money from an offshore company about the same time it was being used to steal money from the Russian government and the Magnitsky case.
So a real interesting look back at the 10 year anniversary of a great amount of investigative journalism by journalists under the umbrella of the OCCRP.
Elliot Berman: I'd love to say on the 10th anniversary we could also say that shell companies are no, and offshore companies are no longer a problem. But I can't say that.
John Byrne: No, we can't.
Elliot Berman: So speaking of an onshore bank the Chief US District Judge in the District of Columbia has told the Justice Department again that, there is no basis for them issuing the subpoenas to Chairman Powell. I read the opinion and it was a lot like, no, I wasn't kidding. Couched in very nice judicial terms. So I'm sure the next step from here will be to the DC circuit to see if they'll take the case and, then maybe the Supremes will get to add it to their greatest hits down the road. But we'll have to see.
John Byrne: The FBI released their 2025 Internet Crime Report and they received over 1 million complaints with losses surpassing $20 billion. That's a new record. Investment fraud remains the costliest scam, followed by business email compromise and tech support scams. And they also highlighted some FBI successes, including Operation Level Up, which countered crypto investment scams and reduced potential losses by more than $500 million since 2024.
So that document the report is available, it's 65 66 pages on the FBI website.
Elliot Berman: And a lot of information in there from the IC3, the Internet Crime C omplaint Center. So it's a lot of good statistics, as you already mentioned as well as some topologies and things like that. Again, a worthwhile report to read and pieces of it would be good training materials. We recommend that one.
I have two things from overseas. One is that we have reported or talked about several times the scam centers in Southeast Asia and particularly Cambodia. The Cambodian Parliament has passed the first law dedicated to targeting scam centers that are accused of bilking international victims out of billions of dollars. And this action, I think in part, is because there is growing international pressure from other countries for a crackdown.
This law needs to be signed by Cambodia's king, which is expected, and then it will go into effect. It creates, identified penalties for participating in online scams and other things, but it's a step in the right direction.
The other one that I saw, which kind of caught my eye it's been reported that South Korea's FIU only carries out detailed reviews on approximately 3% of the STRs that it received, and this is data from 2025. It received about 1.33 million STRs, but only did a detailed review of a little under 45,000. Now granted that's a big pile of needles and you're trying to find the needle in a pile of needles, but it was interesting.
In the report, they talked about the fact that, they have only 42 staff members at their FIU that do analytical work on the STRs, they compared that to AUSTRAC, Australia's FIU, that has 600 staff and the German FIU that has over 700 staff. Clearly there's some resource challenges. You and I talk often about the fact that FinCEN needs more resources. Their staffing has shrunk while the amount of fraud in the United States has continued to grow at a very prodigious rate.
John Byrne: A couple things coming up. I'll have you mention the webinar on elder abuse and other frauds. I'll be moderating that, but I also wanted to mention that I just had a conversation this week with, one of our first persons we ever interviewed for the podcast, Paul Camacho. Who works for a tribal gaming organization on the West Coast, and he's a former IRS agent. And Paul and I are gonna sit down next week and talk about that industry, that part of the AML community and what their challenges are. Definitely looking forward to that. And then as we said, we're gonna have the April webinar, which will be on the now hold me to this, the 24th.
Elliot Berman: 23rd.
John Byrne: The 23rd of April. It's always Thursdays to cover a variety of fraud issues. Look for that, sign up for that when you have the opportunity.
Elliot Berman: Yep. Sign up still available on our website. So John you have a great rest of the week and I will talk to you next week.
John Byrne: Stay safe. Take care.
Elliot Berman: You too. Bye-bye.