Your AI-assisted compliance program may be more exposed than you know. This assessment maps your institution's obligation profile across every active federal standard.
BSA / Title 31
FinCEN Effectiveness Standard
EU AI Act Art. 6 / Annex III
FinCEN April 2026 NPRM
OCC Model Risk Guidance
FATF Rec. 10 / 16
Triage · Question 1 of 50%
✦ ✦ ✦
AML · Regulatory Readiness
FinCEN's standard has shifted. Has your program?
The April 7, 2026 FinCEN proposed rulemaking completed a decade-long migration from rule-based compliance to effectiveness-based compliance. Every financial institution deploying AI in transaction monitoring, SAR generation, customer risk scoring, or model governance is now operating under a more demanding and more personal liability framework. This assessment surfaces where your program stands.
Tier One · ~3 Minutes
Triage Assessment
Five questions. Immediate risk tier. Flags your most urgent obligation gaps.
Tier Two · ~15 Minutes
Full Deep Dive
Nineteen questions across six compliance domains. Complete scored analysis with regulatory citations and a ROSÉ Mitigation Spotlight.
Responses are used solely to generate your personalized assessment. No data is stored or transmitted.
Which best describes your institution's primary regulatory relationship with FinCEN?
BSA obligations differ substantially by charter type and product scope. Misclassification is itself a compliance risk.
Triage · Section 2 · AI Deployment
Triage 02 / 05
Does your institution use AI or machine learning models in any of the following compliance-adjacent functions?
Even partial or vendor-supplied AI use triggers BSA model governance obligations.
OCC Bulletin 2011-12 (SR 11-7): Model risk management applies to any quantitative method used to support decisions. AI transaction monitoring systems are models. · FinCEN April 2026 NPRM: Institutions using automated systems to generate SAR narratives or filter alerts must demonstrate effectiveness, not merely deployment.
Triage · Section 3 · Effectiveness Documentation
Triage 03 / 05
Can your compliance team produce documented evidence — today — that your AML program is effective, not merely implemented?
The FinCEN April 2026 NPRM moves the legal standard from "did you have a program" to "did the program work." This is the single most consequential shift in BSA enforcement in two decades.
FinCEN NPRM April 7, 2026: Proposed Section 1010.210 requires institutions to document that their AML program is reasonably designed and effective. "Effective" is defined by outcomes, not the presence of policies. · DOJ prosecution guidance: Aligns with how DOJ assessed AML culpability in BNP Paribas and Goldman Sachs enforcement actions.
Triage · Section 4 · Model Governance
Triage 04 / 05
If your institution uses a third-party AML or transaction monitoring platform, who is accountable when the model produces a false negative — a missed SAR?
OCC SR 11-7: Model risk management responsibility cannot be outsourced. The institution remains accountable for validating third-party models. · FinCEN Guidance FIN-2014-G001: Institutions cannot use vendor reliance as a defense in SAR failure enforcement actions. · EU AI Act Art. 25: The deploying institution shares high-risk AI compliance obligations with the provider.
Triage · Section 5 · Exam Readiness
Triage 05 / 05
In your most recent regulatory examination, did examiners comment on your AML model governance, AI documentation, or the quality of your SAR narratives?
FFIEC BSA/AML Examination Manual (2023 rev.): Examiners now assess whether institutions can demonstrate program effectiveness, not just presence. AI and model governance is a named examination focus area. · FinCEN 314(a) / 314(b): Automated 314 responses must be documented as to how they were generated.
Triage Complete · Your Risk Profile
This triage result reflects your immediate exposure across the five highest-signal indicators. The full assessment maps nineteen obligation dimensions with specific regulatory citations and a ROSÉ Mitigation Spotlight.
Continue to Deep Dive
Nineteen questions. Complete scoring across six domains. Your full compliance obligation map.
Speak With ROSÉ
A ROSÉ compliance architect can review your triage findings and walk through your proof architecture in a single working session.
Does your AML/BSA compliance program have a documented, board-approved written policy updated within the past 12 months?
31 U.S.C. Section 5318(h): Every covered financial institution must maintain an AML program with internal controls, a compliance officer, employee training, and independent testing. · FinCEN CDD Final Rule (2018): Customer due diligence is the fifth pillar. Written programs must reflect all five.
Section 1 · Program Foundation
Deep Dive 02 / 19
Is your designated BSA/AML Compliance Officer empowered with independent reporting authority and adequate resources to challenge business-line decisions?
31 CFR Section 1020.210: BSA Officer must have sufficient authority, independence, and resources. · DOJ Evaluation of Corporate Compliance Programs (2023): Prosecutors assess whether compliance had genuine power to escalate and override — or was merely ceremonial.
Section 1 · Program Foundation
Deep Dive 03 / 19
Does your institution conduct independent AML program testing by a qualified party at least annually?
BSA Five Pillars — Pillar 4: Independent testing is a non-negotiable structural requirement. · FFIEC Exam Manual: Testing must cover BSA record-keeping, SAR filing, CTR filing, customer identification, and must now address model governance for AI-assisted programs.
Section 2 · Customer Due Diligence
Deep Dive 04 / 19
Does your CIP Customer Identification Program and CDD Customer Due Diligence process collect and verify beneficial ownership information for legal entity customers?
FinCEN CDD Final Rule — 31 CFR Section 1010.230: Covered institutions must identify and verify beneficial owners (25% threshold) of legal entity customers. · Corporate Transparency Act (2024): FinCEN's beneficial ownership database is operational; financial institution reliance is permitted but does not replace CDD obligations.
Section 2 · Customer Due Diligence
Deep Dive 05 / 19
When your institution uses AI to assign a customer risk score, is the basis for that score explainable and preserved in your records?
FinCEN April 2026 NPRM Section 1010.210: Risk-rating decisions must be documented as to basis, not merely outcome. An AI-assigned score without an explainability trail is a documentation failure. · EU AI Act Art. 13: Customer risk scoring AI is a named high-risk application; transparency and human oversight are mandatory.
Section 3 · Transaction Monitoring
Deep Dive 06 / 19
How does your institution validate that your transaction monitoring system is calibrated correctly and detecting the activity it should be detecting?
FFIEC BSA/AML Exam Manual (2023): Institutions must demonstrate monitoring thresholds are reviewed and validated periodically. · FinCEN April 2026 NPRM: "Effectiveness" includes whether the monitoring system is appropriately tuned — overly broad or overly narrow are both findings.
Section 3 · Transaction Monitoring
Deep Dive 07 / 19
If an AI model used in transaction monitoring is updated or replaced by your vendor, does your institution have a documented process to validate the new version before deployment?
OCC SR 11-7: Model changes — including vendor-issued updates — require validation before production deployment. · FinCEN FIN-2014-G001: Vendor reliance is not a defense. A model that performed well at deployment may degrade silently after an update — what ROSE calls invisible drift.
Section 3 · Transaction Monitoring
Deep Dive 08 / 19
Do you maintain a cryptographically reliable, tamper-evident audit trail of what each transaction monitoring decision was based on — and which model version produced it?
FinCEN April 2026 NPRM: Documented effectiveness must include the ability to reconstruct why a transaction was flagged, de-prioritized, or dismissed. · DOJ DPA practice: Regulators have required institutions to produce decision-level audit trails for specific suspicious transactions going back three to five years.
Section 4 · SAR and CTR Obligations
Deep Dive 09 / 19
If AI is used to draft or pre-populate SAR narratives, does a qualified human reviewer make the final SAR filing decision — and is that human review documented?
31 CFR Section 1020.320: The SAR filing decision is the institution's — not the system's. AI-assisted SAR drafting is permissible; AI-autonomous SAR decisions are not. · FinCEN SAR Filing Guidance (2012, reaffirmed 2024): Narrative quality is an examination focus. AI-generated narratives that are conclusory or template-driven are a finding.
Section 4 · SAR and CTR Obligations
Deep Dive 10 / 19
For Currency Transaction Reports (CTRs), does your institution have an automated CTR aggregation system — and has that system been tested for accuracy within the past 12 months?
31 CFR Section 1010.311: CTRs must be filed for currency transactions exceeding $10,000. Aggregation errors are among the most common BSA examination findings. · FFIEC Exam Manual: CTR aggregation logic, particularly in AI-enhanced systems, must be tested and documented.
Section 5 · EU AI Act and Cross-Border Obligations
Deep Dive 11 / 19
Does your institution have operations, customers, or correspondent banking relationships within the European Union — or process transactions involving EU-regulated counterparties?
EU AI Act obligations attach to the deploying institution if the AI system affects persons within the EU, regardless of where the institution is headquartered.
EU AI Act Art. 2(1)(c): The Act applies to deployers of AI systems whose output is used in the EU, even if the deployer is established outside the EU. · EU AI Act Annex III, Section 5(b): AI used in credit scoring and risk assessment is explicitly classified as high-risk — including correspondent banking risk scoring.
Section 5 · EU AI Act and Cross-Border Obligations
Deep Dive 12 / 19
For AI systems within EU AI Act scope, has your institution conducted a conformity assessment and designated a responsible person within the EU?
EU AI Act Art. 43: High-risk AI systems require a conformity assessment before deployment in the EU market. · EU AI Act Art. 22: Non-EU deployers of high-risk AI affecting EU persons must designate an authorized EU representative.
Section 5 · EU AI Act and Cross-Border Obligations
Deep Dive 13 / 19
Are your AI-assisted wire transfer screening systems compliant with the FATF Travel Rule — and is compliance documented?
FATF Recommendation 16 (Travel Rule): Originating institutions must transmit beneficiary information for wire transfers over $1,000. · FinCEN Travel Rule — 31 CFR Section 1010.410: AI systems processing wire transfers must preserve and transmit required information without suppression or truncation.
Section 6 · Model Governance and Proof Architecture
Deep Dive 14 / 19
Does your institution maintain a model inventory — a complete registry of every AI and quantitative model used in compliance, risk, or customer-facing decisions?
OCC SR 11-7: Model risk management begins with a complete model inventory. Incomplete inventories cannot demonstrate that model governance covers all material models. · FFIEC Exam Manual (2023 update): Examiners now specifically request the model inventory as part of BSA/AML examination opening procedures.
Section 6 · Model Governance and Proof Architecture
Deep Dive 15 / 19
Can your institution detect, in near real-time, whether an AI model's behavior has shifted from its validated baseline — what governance professionals call model drift?
OCC SR 11-7: Model validation is not a one-time event. Ongoing monitoring is required to detect performance degradation. · FinCEN April 2026 NPRM: The proposed effectiveness standard creates ongoing performance monitoring obligations for all automated compliance systems.
Section 6 · Model Governance and Proof Architecture
Deep Dive 16 / 19
If a regulator requested reconstruction of a specific compliance decision made 18 months ago — what data was used, what model version decided it, and what the outcome was — how long would it take your team to produce that evidence?
Section 6 · Model Governance and Proof Architecture
Deep Dive 17 / 19
Does your institution have a documented process for managing third-party vendor risk as it relates to AI model updates and vendor-driven configuration changes to compliance systems?
OCC Third-Party Risk Management Guidance (2023): Comprehensive vendor risk management includes ongoing monitoring of third parties that provide model-related services. · FFIEC IT Examination Handbook: AI-specific vendor risk management is a named gap in examinations of institutions that adopted cloud-based AML platforms after 2020.
Section 6 · Model Governance and Proof Architecture
Deep Dive 18 / 19
Is your institution's AML compliance team aware of the April 7, 2026 FinCEN NPRM, and has your program begun the internal assessment needed to respond to its proposed effectiveness standard?
Section 6 · Model Governance and Proof Architecture
Deep Dive 19 / 19
Finally: who within your institution would be personally accountable — by name and title — if a regulator determined that your AML program was ineffective?
The April 2026 NPRM and recent enforcement trends suggest individual accountability is expanding beyond the BSA Officer.
DOJ Individual Accountability Guidance (Yates Memo, reaffirmed 2022): Regulators increasingly seek individual accountability in AML failures. · FinCEN Enforcement (2024-2025): Recent consent orders have included personal liability provisions for CCOs and BSA Officers whose programs lacked documented effectiveness.
OVERALL COMPLIANCE RISK TIER
✦ ✦ ✦
Program Foundation
Customer Due Diligence and Risk Scoring
Transaction Monitoring and Audit Infrastructure
SAR and CTR Obligations
EU AI Act and Cross-Border Obligations
Model Governance and Proof Architecture
ROSÉ · Mitigation Spotlight
The Proof Architecture Your Program Is Missing
Every gap surfaced in this assessment shares a structural root: compliance programs built on process attestation rather than execution proof. Policies exist. Procedures are written. But when a regulator asks whether your AML program was effective at a specific decision, on a specific date, under a specific model version, the answer depends on whether you have cryptographic, tamper-evident evidence of what actually happened.
ROSÉ's governance infrastructure wraps every AI-assisted compliance decision in a time-stamped, version-anchored proof record. Not a log. A proof. One that satisfies FinCEN's April 2026 NPRM effectiveness standard, OCC's SR 11-7 model governance requirements, and the EU AI Act's Art. 13 transparency mandate simultaneously, without requiring your compliance team to build separate documentation workflows for each framework.
One proof layer. Every framework. Every decision. Defensible on the day it is made — and three years later, in front of a regulator.
Recommended Immediate Actions
Receive Your Full Assessment Report
A ROSÉ compliance architect will send your scored findings, specific regulatory citations, and a prioritized remediation roadmap within one business day.