
Issue #6 | June 2, 2026
SECTION 1: The Brief
The three largest AML enforcement actions of the past decade each produced a detail that doesn't fit the standard narrative about compliance failures. In each case, the institution's own internal documentation was among the most damaging evidence in the enforcement record. Not communications obtained through third-party subpoena, not reconstructed timelines from transaction data, but the records compliance teams created as part of normal program operations.
This issue breaks down how internal documentation functioned as evidence in the Binance, TD Bank, and Capital One cases, and what it means for how compliance programs document decisions going forward.
SECTION 2: Main Feature
PRACTITIONER INTELLIGENCE
What Ends Up in the Federal Record
Internal documentation demonstrates that a compliance program exists. It also establishes a contemporaneous record of what the institution knew and what it decided.
Binance: the CCO's own risk assessment
When Binance Holdings Limited pleaded guilty in November 2023 to charges including failure to maintain an effective AML program, the DOJ's statement of facts included internal communications from compliance leadership. The Chief Compliance Officer had assessed the company's regulatory position in writing. One message from 2018 described Binance as operating as an unlicensed securities exchange in the U.S. Another documented the risk of criminal exposure.
These weren't intercepted. They were Binance's own records. The compliance team's written assessment of regulatory risk appeared in a federal criminal filing because the assessments were accurate — and because what followed them was a decision to continue operating rather than exit the U.S. market or come into compliance. The documentation didn't create the problem. It created the record of the problem.
TD Bank: the documented culture
TD Bank's October 2024 settlement totaled $3.09 billion across FinCEN, DOJ, OCC, and the Federal Reserve. The OCC's findings referenced internal communications showing that compliance concerns were treated as obstacles to business growth. The consent order documented that this posture was known internally, discussed internally, and continued. "Convenience over compliance" reflected a documented internal culture, not a regulator's characterization. Internal records made that characterization possible.
Capital One: documented knowledge
FinCEN's 2021 consent order against Capital One used a specific phrase: documented knowledge. The bank's own internal records of the Genovese associate's conviction and the Check Cashing Group's high-risk classification were what elevated the SAR failures from negligent to willful. Without the documentation, FinCEN would have had a harder case for willfulness. The documentation proved Capital One couldn't credibly claim it didn't know.
What this means for your program
The instinct after reading these three cases is sometimes to document less. That gets it backwards.
Undocumented decisions leave you unable to demonstrate a functioning program. A risk assessment with no written record of follow-up action looks like a risk assessment that produced no action. A compliance concern raised in a meeting but not documented looks, in retrospect, like a concern that was never raised. Regulators and internal auditors evaluate programs through their documentation; it's the primary evidence of what a program actually does.
What Binance, TD Bank, and Capital One share isn't that compliance teams documented too much. It's that the documentation reflected programs that identified risk and didn't act on it. The CCO's message was damaging not because it was candid, but because the candid assessment was followed by a business-as-usual response. TD Bank's internal communications were damaging because compliance concerns were documented and then set aside. Capital One's risk files were damaging because their thoroughness produced a willful finding when the SARs didn't follow.
The practical discipline is about the relationship between documentation and action. A written finding that a customer is high-risk, paired with no documented escalation or SAR decision, creates a record of knowledge without response. An escalation memo that stalls without a documented resolution looks like a program that routed risk upward and stopped there. Meeting notes that capture a compliance concern but not the decision made about it tell half the story, and the half that's missing is often what regulators want most.
Document the decision, not just the identification. What was found, what was escalated, what was decided, and by whom.
Sources: DOJ Statement of Facts, United States v. Binance Holdings Limited (November 2023) | OCC Formal Agreement, TD Bank, N.A. (October 2024) | FinCEN Consent Order, In the Matter of Capital One, N.A. (January 2021)
SECTION 3: Intelligence Briefing
FinCEN — The comment period on FinCEN's proposed AML/CFT program reform rule closes June 9. The NPRM, published in April 2026, would require financial institutions to demonstrate that programs are "effective, risk-based, and reasonably designed", shifting the exam standard from structural compliance to demonstrated effectiveness. The rule would also require AML officers to be U.S.-based and accessible to regulators. If your institution hasn't reviewed the proposed rule, this week is the last window to submit comments. Source: FinCEN, Notice of Proposed Rulemaking, April 2026.
FinCEN / OFAC — In April 2026, Treasury proposed a rule implementing AML/CFT requirements for permitted payment stablecoin issuers (PPSIs) under the GENIUS Act. The rule would treat stablecoin issuers as financial institutions under the BSA — requiring AML programs, customer identification procedures, and sanctions compliance. For traditional banks and crypto-adjacent institutions, the practical implication is that stablecoin issuers will eventually be subject to the same SAR filing and CIP obligations. Correspondent and counterparty risk assessments for entities that touch stablecoins should account for where those obligations currently stand and where they're heading. Source: FinCEN, Notice of Proposed Rulemaking, April 2026.
FinCEN — On May 11, 2026, FinCEN issued an alert identifying how the Iranian Revolutionary Guard Corps launders proceeds from illicit oil sales through networks of shell companies, exchange houses, and digital assets, specifically flagging stablecoins as a preferred settlement tool due to liquidity and exchange rate stability. The alert provides red flags for institutions with exposure to commodity trading counterparties, exchange houses, or digital asset flows. Iranian oil is sometimes blended with oil from third-country shipments or relabeled with falsified documents — making trade finance and commodity-linked transactions a specific risk vector the alert addresses. Source: FinCEN Alert, May 11, 2026.
SECTION 4: From the Source
"We are operating as a f***ing unlicensed securities exchange in the USA bro."
— Binance Chief Compliance Officer, internal message, 2018. Cited in DOJ Statement of Facts, United States v. Binance Holdings Limited, November 21, 2023.
The significance of this quote isn't the language. It's the timeline. This message was sent in 2018. Binance continued operating in the U.S. for years afterward, filing zero SARs throughout that period. The CCO's written assessment was accurate about the regulatory risk, and that accuracy, combined with the decision to continue, was exactly what made the documentation damaging. Regulators didn't need to establish that Binance knew it was out of compliance. The CCO established it.
The AML Brief | theamlbrief.com/posts
Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.