Lessons From Recent BSA/AML Enforcement Actions

As financial services organizations and financial technology companies well know, U.S. regulators enforce Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance, and they impose significant fines and regulatory actions for deficiencies related to the implementation and use of financial crime detection models. Combined with the evolving risk landscape for AML, including managing third-party fintech relationships or crypto asset-enabled AML threats, the consequences of noncompliance are increasingly significant.

In 2024 and 2025, BSA/AML enforcement actions began to increasingly target model-centric deficiencies in response to the rapid adoption of advanced financial crime detection models within financial crime programs. As financial services organizations deployed more complex models, supervisory bodies continued scrutinizing the governance, integrity, and performance of these models. Over the past two years, the Office of the Comptroller of the Currency, Financial Crimes Enforcement Network, and Consumer Financial Protection Bureau issued 18 enforcement actions centered on critical failures in data integrity, governance, and ongoing monitoring of financial crime models – all issues that affect model performance and can expose financial services organizations to regulatory penalties and reputational harm.

Understanding these enforcement trends and the lessons they provide is critical to managing an organization’s approach to financial crime risk management. Following are three of the most common model-related BSA/AML compliance program enhancements from our recent enforcement action analysis.

Accurate and complete data are the foundation of strong model performance. Yet, several enforcement actions revealed that organizations were relying on faulty, incomplete, or inconsistent data as inputs to their BSA/AML models. These cases reflect a broader regulatory concern: Financial services organizations cannot rely on outdated or inaccurate data to inform risk-based compliance decisions. The consequences of poor data integrity extend beyond compliance risks. They also weaken an organization’s ability to detect and prevent financial crime effectively.

Regulators primarily attributed these source data-related model deficiencies to two factors:

• Undocumented source system integration points, which left financial services organizations unable to track where critical source data originates from. Unknown source system feeds present coverage risk and inhibit an organization’s ability to identify the true source of data irregularities.
• Deficient data quality that caused financial crime models to create conclusions based on inaccurate, out-of-date, or incomplete data. Poor data quality can lead to decreased model performance or a failure to detect suspicious activity altogether.

Risk mitigation measures

• Establish robust data governance practices to support the transfer of accurate and complete data to the financial crime model. Document all source systems that feed into the financial crime models and regularly review the source systems to confirm that no unintended changes have occurred.
• Perform periodic data lineage testing to verify the integrity of data sources and document how data flows through AML models. Data lineage testing includes comparing key data points, such as transaction amount or customer demographic information, including name or account number, from source systems to corresponding records in the model and investigating any discrepancies. If discrepancies are discovered, investigate the root cause and document any assumptions, limitations, or exclusions related to the data ingestion process, along with any mitigating controls developed by the organization.
• Review the output of financial crime models and confirm that data is accurate and complete. Consider reviewing a sample of transaction and customer records to confirm that all key data elements, such as transaction amount for transaction monitoring models and customer name and address for watchlist screening models, are accounted for.
• Enhance internal controls around data accuracy by implementing proactive monitoring processes that identify and remediate data inconsistencies before negative model impacts occur. Reconciling source data feeds with the model’s output can support an understanding of the type and volume of data that is imported on a regular basis. Consider creating balancing procedures that would notify model stakeholders if expected model data is not exporting successfully or if there is a material difference in the volume of data sent to the model and the data received by the model.

Improving governance and model oversight

Another recurring theme in recent enforcement actions was the failure of financial services organizations to implement effective governance frameworks for overseeing their AML models.

Governance weaknesses included:

• Delays in addressing known deficiencies that left financial services organizations vulnerable to systemic breakdowns in BSA/AML compliance and an inability to effectively detect and report suspicious activity.
• AML models that did not align with an organization’s risk profile, which led to inadequate model functionality and a misaligned BSA/AML compliance team. Multiple enforcement actions cited untrained or insufficient staff to support risk-based alert disposition as well as gaps in third-party oversight. When AML models are not aligned with an organization’s risk profile, emerging risks related to customers, products, services, and geographic exposures might go undetected.
• Lack of governance over model changes, which meant that important modifications to transaction monitoring systems were not properly documented or reported to key stakeholders.

Risk mitigation measures

• Strengthen model risk governance frameworks to enable remediation of identified deficiencies in AML models. Supporting compliance teams with adequate training and resources, along with drafting formal timelines and remediation principles for model owners, can help facilitate the effective resolution of noted issues.
• Confirm that AML models are updated regularly to reflect evolving financial crime risks that might be facing the organization. Periodic risk assessments and coverage assessments can identify gaps that might go unnoticed during day-to-day operations.
• Consider performing an independent validation of AML models to assess whether models align with the organization’s risk profile and regulatory expectations.

Ongoing monitoring of model performance

Once an AML system is implemented, ongoing performance monitoring is essential to establish its continued effectiveness. Recent enforcement actions identified that many financial services organizations failed to properly test, tune, and validate their models on a regular basis.

Common compliance failures included:

• Ineffective model configurations that led to gaps in the model’s ability to detect and alert for suspicious activity. Such configurations might include outdated or misrepresented dynamic lists (such as country or jurisdiction lists), which can serve as a monitoring blind spot if left ungoverned.
• A lack of ongoing performance monitoring that prevents financial services organizations from confirming that their AML models are functioning as intended. A lapse in ongoing monitoring might lead to missing warning signs that indicate model deterioration is occurring, such as inaccurate conversion rates of alerts to suspicious activity reports. A high false-negative rate, which indicates that truly suspicious activity is not being identified, indicates that the model’s monitoring efforts might have gaps.
• Inadequate executive and board-level oversight of AML model performance and absence of director-level review of key indicators, such as sudden declines in overall alert volume, scenario hit-rates, or lack of senior management review and approval of critical model changes, can erode accountability and heighten exposure to regulatory enforcement.

Risk mitigation measures

• Conduct regular tuning exercises to confirm thresholds and alert scenarios align with current risk trends. AML models should not be static. Instead, they must be dynamic and continually reviewed, refined, and recalibrated to remain effective.
• Enhance governance over model changes to verify that all modifications to thresholds, parameters, and settings are properly documented, reviewed, risk assessed, and reported.
• Enhance internal controls to regularly assess the model output and detect any deficiencies in AML system performance. Directly reviewing the model output for quality can help organizations directly identify when the model can be enhanced.

Strengthening AML compliance

The current enforcement landscape sends a clear message that has only continued to increase in severity: Regulators expect financial services organizations to take a proactive, dynamic, and risk-based approach to BSA/AML compliance. Organizations that fail to address known compliance deficiencies or adapt to new financial crime risks could face significant regulatory penalties.

Financial services organizations should review the current state of their BSA/AML program as part of a maturing, risk-based compliance framework. Targeted enhancement or development of controls in the following four areas could include:

• Investing in data quality and governance to support financial crime detection models in receiving accurate and complete inputs
• Enhancing governance structures regarding AML models, targeting regular updates to documentation and alignment with the organization’s risk exposure
• Implementing continuous monitoring and validation of BSA/AML systems to maintain effectiveness and regulatory compliance
• Allocating sufficient resources to compliance teams to confirm that they can keep pace with evolving regulatory guidelines

By focusing on these priorities, financial services organizations can mitigate enforcement risks, improve financial crime detection capabilities, and strengthen their overall AML compliance programs. More importantly, they can demonstrate proactive leadership and resilience in combating money laundering and financial crime.

Financial services organizations can take the lessons learned from past enforcement actions and apply them to build more effective, resilient, and adaptable AML programs – not just to meet regulatory requirements, but to safeguard the integrity of the financial system itself.