For two decades, the assumption within compliance departments was that a transaction monitoring system, once installed and tuned, would do its job in the background. Alerts would fire, analysts would clear them, and an annual independent test would satisfy the regulatory box. That assumption is gone.
In 2025, U.S. enforcement totaled more than $1.1 billion in anti-money laundering (AML) and counter-terrorist financing penalties, with crypto exchanges absorbing roughly $927 million of that figure and money transmitters another $161 million.[1] Notably, no major U.S. bank was hit with a headline AML penalty during the year, breaking a 20-year pattern, but the agencies have not slowed down.[1] They have shifted their attention to the systems doing the detection work and to whether anyone has independently verified that those systems are still fit for purpose.
That shift has put a once-obscure discipline at the center of the conversation: AML model validation.
What Does Validation Actually Mean?
In regulatory language, a model is any quantitative method that takes inputs and produces outputs used to make a decision. Within an AML program, that definition encompasses transaction monitoring scenarios, customer risk-rating engines, sanctions and watchlist screening tools, and increasingly, the machine-learning layers being bolted on top of legacy rule-based platforms.
Validation is the independent process of asking and proving on paper whether the model still does what it is supposed to do. It is not the same as model tuning, which adjusts thresholds. It is not the same as the annual independent Bank Secrecy Act (BSA) test, which examines the program as a whole. Validation is a deeper, narrower question: Are the assumptions, data inputs, logic, and outputs of this specific system defensible to a regulator who walks in tomorrow?
The discipline traces back to two foundational documents that examiners still regard as the canonical playbook: the Office of the Comptroller of the Currency’s Bulletin 2011-12[2] and the Federal Reserve’s parallel guidance, SR 11-7.[3] Both set the same expectation that institutions manage models with the same rigor applied to credit or capital risk, with the so-called “three lines of defense” insulating the validators from the model owners.
Layered on top is the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual,[4] which directs examiners to assess whether monitoring systems are reasonably designed and whether the assumptions underlying them have been tested and documented.
The Anatomy of a Regular Validation
A credible validation cycle reaches into four areas.
- Conceptual soundness asks whether the model’s logic aligns with the institution’s risk profile. A community bank in Vermont and a global money services business face different typologies; a scenario library pulled off the shelf and never revisited is, by definition, suspect.
- Data integrity testing asks whether the inputs feeding the model are complete, accurate, and arriving on time. This is where many programs quietly fail. The July 2025 settlement by Wise US, in which five state regulators jointly imposed a $4.2 million penalty for Suspicious Activity Report (SAR) deficiencies and transaction monitoring data integrity issues, was a clear illustration.[1] The detection logic was beside the point if the data never arrived intact.
- Outcomes analysis is the empirical heart of the work. Validators run above-the-line testing to confirm the model is capturing what it should and below-the-line testing to confirm that productive activity is not slipping below the threshold. Sample sizes are calculated, results are documented, and threshold recommendations flow back to model owners.
- Ongoing performance monitoring is the area most often shortchanged. A validation completed in January 2024 cannot speak to a customer base, product mix, or laundering typology that has shifted by 2026.
Why ‘Regular’ Is Not Negotiable
The case for periodic, typically annual, validation rests on four pressures, all of which have intensified.
The first is model drift. Every model is calibrated to a snapshot of the business as it existed at a moment in time. Customer behavior shifts. Product mixes evolve. Geographic footprints expand. Threshold logic that was conservative in 2023 may miss structuring patterns that emerged in 2025. Without periodic retesting, the institution has no defensible answer to the examiner’s first question: When did you last confirm this still works?
The second is typology evolution. Money laundering does not stand still. The June 2025 Financial Action Task Force (FATF) update flagged record virtual asset theft tied to Democratic People’s Republic of Korea (DPRK) actors, including a $1.46 billion incident,[5] and on-chain fraud activity reached an estimated $51 billion in 2024.[5] Cross-chain obfuscation, mixer use, and the convergence of fraud and laundering at the transaction layer are reshaping what suspicious activity looks like. A 2022 scenario library will not catch a 2026 mule network.
The third is regulatory escalation around AI. As institutions move from experimental machine learning to production AML monitoring, regulators have signaled they will accept these tools, but only if they meet a higher governance bar covering explainability, validation, and human oversight.[6] Vendor-supplied AI carries the same accountability obligations as in-house models, so due diligence, ongoing monitoring, and service-level commitments for accuracy and updates are now table stakes.[7]
The fourth is the enforcement record itself. The Block, Inc.’s $80 million joint settlement with eight state money transmission regulators in January 2025 was centered on AML program shortcomings.[1] The Robinhood Markets $29.75 million Financial Industry Regulatory Authority (FINRA) settlement in March 2025 included findings that signs of potential misconduct were not acted upon.[6] Across the Atlantic, the UK Financial Conduct Authority fined Nationwide Building Society £44 million for weaknesses in financial crime systems and controls.[6] These are not theoretical risks.
What Are Examiners Looking For?
Compliance leaders who have sat through recent BSA exams report a more pointed line of questioning than in prior cycles. Examiners want to see the validation report, the management response to its findings, the remediation timeline, and evidence that the second line is genuinely independent of the first. They want to see threshold tuning supported by documented analysis rather than by analyst judgment alone. They also want to see model inventories, a single document listing every model in scope, its owner, its last validation date, and its risk tier.
What they do not want to see is a validation more than a year old on a high-risk model, a tuning exercise mistaken for a validation, or a vendor’s certification offered in place of the institution’s own independent work.
The October 2025 FinCEN SAR FAQs[7] and the broader 2025-2026 BSA examination guidance both reinforced a point that has been building for years: Institutions that invest in qualified, independent testing and well-documented risk assessments are best positioned to benefit from any examiner flexibility.[7] Those that do not are best positioned to absorb the consequences.
The Quiet Cost of Doing It Wrong
The penalties make the headlines, but the operational drag is where most institutions feel the pain first. A poorly tuned monitoring system generates false positives at scale, and the analyst hours spent clearing noise are hours not spent investigating genuine risk. Industry estimates suggest that machine-learning-augmented monitoring can reduce false positives by up to 40%,[8] a number that translates directly into headcount, throughput, and SAR quality.
There is also the reputational tail. Consent orders are public. Lookback reviews, the regulator-mandated reexamination of historical transactions when a model is found deficient, routinely run into the tens of millions of dollars and can span multiple years. The cost of doing validation badly, or not at all, is rarely confined to the fine.
A Discipline Maturing Just in Time
The encouraging development is that AML model validation is becoming a recognized discipline in its own right rather than an afterthought tucked into the audit calendar.[9] Specialist firms, dedicated model risk officers in the second line, and structured validation methodologies are increasingly standard at mid-size and larger institutions. Smaller institutions that historically relied on a single annual independent test are now building or outsourcing the same capability because examiners are asking the same questions of them.
What is changing is the cadence and the rigor. Annual is the floor, not the ceiling. High-risk models, models supporting new products, and models incorporating AI components increasingly demand more frequent touchpoints, interim outcome reviews, shorter tuning cycles, and continuous data-quality monitoring.
The throughline across every recent enforcement action, every regulatory update, and every examiner conversation is the same: A financial institution is accountable for what its models do and for what they fail to do. The only credible answer to that accountability is the documented, independent, recurring exercise of proving that the model still works.
For compliance leaders who have not subjected their validation program to that level of scrutiny lately, the message from 2025’s enforcement record is clear. The grace period is over.
References
1. Institute for Financial Integrity. (2025). AML/CFT and sanctions enforcement actions in 2025. https://finintegrity.org/aml-cft-and-sanctions-enforcement-actions-in-2025/
2. Office of the Comptroller of the Currency. (2011). Supervisory guidance on model risk management (OCC Bulletin 2011-12). U.S. Department of the Treasury. https://www.occ.treas.gov/news-issuances/bulletins/2011/bulletin-2011-12.html
3. Board of Governors of the Federal Reserve System. (2011). Supervisory guidance on model risk management (SR 11-7). https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm
4. Federal Financial Institutions Examination Council. (n.d.). Bank Secrecy Act/Anti-Money Laundering examination manual. https://bsaaml.ffiec.gov/manual
5. Sanctions.io. (2026). AML trends 2026: OFAC enforcement, EU AMLA updates and more. https://www.sanctions.io/blog/aml-trends-2026
6. Sumsub. (2026). Transaction monitoring in AML: Ultimate guide for 2026. https://sumsub.com/blog/transaction-monitoring/
7. Wolters Kluwer. (2026). BSA/AML in 2025–2026: Five developments every compliance leader needs to know. https://www.wolterskluwer.com/en/expert-insights/bsa-aml-in-2025-2026
8. Silent Eight. (2025). 2025 trends in AML and financial crime compliance: A data-centric perspective and deep dive into transaction monitoring. https://www.silenteight.com/blog/2025-trends-in-aml-and-financial-crime-compliance-a-data-centric-perspective-and-deep-dive-into-transaction-monitoring
9. Association of Certified Anti-Money Laundering Specialists. (n.d.). AML model risk management and validation: Introduction to best practices. https://www.acams.org/en/opinion/introduction-to-best-practices
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
