FinCEN published eight AML priorities in 2021. Two of them haven't aged well.

Issue #4 | May 19, 2026 | 6 min read

In June 2021, FinCEN published the first ever national AML/CFT priorities list, which was a requirement under the Anti-Money Laundering Act of 2020. Eight categories were detailed: corruption, cybercrime and virtual currency, terrorist financing, fraud, transnational criminal organization activity, drug trafficking, human trafficking and smuggling, and proliferation financing.

Four years of enforcement data is enough to score them. Some held up. Two didn't deliver what the framing promised. One evolved into something the document didn't anticipate. This issue breaks down which is which and what that means for your risk assessment today.

REGULATORY UPDATE

The list was right about most things. The two it got wrong are the ones that matter most for compliance programs right now.

The 2021 priorities document wasn't framed as a description of current threats, it was framed as a signal of where regulatory and enforcement attention would concentrate. Banks were expected to incorporate the priorities into their enterprise-wide risk assessments and be prepared to explain how their programs addressed each one. That framing matters when you're scoring the list, because the question isn't just whether the threats were real. It's whether the priority designation changed anything.

Corruption: Right Diagnosis, Incomplete Treatment

Corruption appeared on the list because the gap was real. Financial institutions were not consistently identifying proceeds of foreign and domestic public corruption, and the beneficial ownership structures that corruption money typically moves through were not being scrutinized aggressively enough. The intent was to push banks toward harder PEP screening, more consistent adverse media review, and closer attention to complex ownership chains.

The enforcement record suggests the tools improved. The follow-through didn't always match.

The Epstein case documented years of SAR filings across multiple institutions, with the accounts remaining open throughout. TD Bank's 2024 consent order included internal communications where managers actively discouraged scrutiny because the accounts were profitable. Both cases illustrate the same failure: corruption detection worked as designed, and the institutional response to what was detected didn't. FinCEN can name a priority and banks can build screening programs around it. What neither can fully address is whether a compliance escalation gets acted on once it reaches someone whose performance metrics run in the other direction.

The corruption priority was accurate about the problem. It hasn't closed the gap between detection and action.

Cybercrime and Virtual Currency: Outpaced by the Threat

This was always going to be the most dynamic entry, and it's the one that's aged the worst, not because it was wrong in 2021, but because the threat evolved faster than the regulatory and institutional response.

Binance's 2023 settlement established the baseline: the largest crypto exchange in the world had filed zero SARs for years while processing transactions for sanctioned entities and terrorist-linked counterparties. The regulatory framework for virtual assets has been playing catch-up since FinCEN's 2013 guidance on money services businesses, and the gap between market development and examination standards remained wide through the settlement period.

The AI dimension wasn't on the 2021 radar at all. AI-enabled fraud schemes, synthetic identity construction at scale, and AI-automated transaction layering are now active typologies. None of them appear in the priority document. A forward-looking designation in 2021 is now describing a landscape that has shifted considerably, and the institutions that took the original framing at face value may have built programs that are current to 2021, not 2026.

The Six That Held Up, Because They Always Hold Up

Terrorist financing, drug trafficking, transnational criminal organizations, human trafficking and smuggling, proliferation financing, and fraud all appear on the list. The enforcement record supports all six. DOJ prosecutions, OFAC designation activity, and SAR filing patterns consistently reflect these categories.

The candid observation is that these six would appear on any national priority list, regardless of what FinCEN wrote in 2021. They represent the persistent core of what AML programs have always been built around. The priority designation didn't change the threat landscape, it described it.

Fraud is worth a separate note. It belongs on the list, and the enforcement record confirms it. But the fraud threat in 2026 looks different from 2021. AI-enabled schemes, state-level government fraud cases, and synthetic identity fraud at scale have shifted the specific typologies considerably while the category itself held steady. Fraud was right as a priority. The texture of what fraud actually looks like now wasn't anticipated in the document.

What This Means for Your Risk Assessment

The 2021 priorities are still referenced in examination frameworks. BSA/AML risk assessments are expected to address them. But a risk assessment that treats all eight priorities as equally weighted is misallocating attention.

Corruption and cybercrime/virtual currency warrant disproportionate scrutiny precisely because the execution gaps are largest there. Detection tooling for corruption has improved; the institutional response to detection findings has not consistently followed. Virtual asset typologies are moving faster than most transaction monitoring programs are tracking. Both categories have a documented distance between where programs are and where examiners will eventually test.

The six perennial threats are real. They're also the categories where most banks have the deepest operational history. The 2021 document was more valuable as a corrective on corruption and virtual currency than it was on the threats banks already knew how to address.

A priorities list tells you where the regulator is looking. Four years of enforcement actions tell you what they actually found.

Source: FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism National Priorities, June 30, 2021 | DOJ, United States v. Binance Holdings Ltd., November 2023 | OCC / FinCEN / DOJ, TD Bank Consent Orders, October 2024

INTELLIGENCE BRIEFING

DOJ — Two Pennsylvania men pleaded guilty to defrauding Minnesota's Housing Stabilization Services program of approximately $3.5 million by billing Medicaid for services never rendered and using ChatGPT to generate fake client notes when insurers requested supporting documentation. DOJ described it as the first AI-assisted healthcare fraud prosecution in Minnesota. The mechanism is worth noting for SAR narratives: the fraud itself wasn't novel, but AI-generated documentation significantly extended how long it ran before detection. Source: DOJ, "Fraud Tourists Plead Guilty to Minneapolis Medicaid Fraud," 2026.

OFAC — OFAC redesignated Russian cryptocurrency exchange Garantex Europe OU and simultaneously designated its successor entity Grinex, along with three executives and six associated companies. Garantex had processed more than $100 million in transactions for ransomware actors and cybercriminals before its original designation. The Grinex action is a standard successor-entity move, where the exchange rebranded after designation to continue operating. A sanctions screening program that catches Garantex but hasn't added Grinex has a gap. Source: U.S. Department of the Treasury, press release, 2026.

FinCEN — FinCEN issued a Geographic Targeting Order requiring banks and money transmitters in Hennepin and Ramsey Counties, Minnesota to file reports on international transfers of $3,000 or more. The order targets proceeds from state government benefits fraud, including the Feeding Our Future and Housing Stabilization schemes being laundered internationally. GTOs operate under 31 U.S.C. § 5326 and impose temporary reporting requirements below standard BSA thresholds. Institutions covered by this order need to confirm their reporting workflows are calibrated to the lower threshold; the GTO supersedes normal transaction reporting cutoffs for the covered geography and transaction type. Source: FinCEN, Minnesota Fraud Geographic Targeting Order, January 2026.

FROM THE SOURCE

That sentence is doing more work than it appears to. "Consider the extent to which these priorities are relevant" gives institutions some latitude to weight the list against their actual business. A community bank with no virtual asset exposure can reasonably deprioritize the cybercrime category relative to a money services business or a correspondent bank. What it doesn't give institutions is permission to ignore a priority entirely. Examiners will ask how each priority was addressed in the risk assessment. "Not relevant to our customer base" is a defensible answer with documented rationale. Silence on the question is not.

If someone forwarded this to you, welcome.

The AML Brief goes out every Tuesday. Subscribe for free and get the Top 10 AML Red Flags cheat sheet as a thank-you:
[Subscribe → theamlbrief.com]

Already subscribed? Forward this to one colleague who works in financial crimes. That's how we grow.

The AML Brief | theamlbrief.com/posts

Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.