Matt Van Buskirk
Co-Founder & CEO, Regulatory
I wrote about the future of compliance 15 years ago. That future is finally here.
In 2011, I wrote a piece for Bank Compliance Magazine with what seemed like a provocative opening: Imagine an examination where your regulators arrive on site with foreknowledge of every single technical compliance violation in your lending portfolio.
The CFPB had just issued an RFP for a tool that would automate technical compliance review across 100 percent of a loan portfolio – all before an examiner even showed up. Banks, I argued, needed to start preparing because their regulators were about to have a better view of their loan books than they did.
In the end, the tool didn't happen. Not the way the RFP described. Agency priorities shifted, the vendor selection got bogged down, the CFPB's political situation changed. Automated examination quietly disappeared into the rearview.
But the thesis, as it turns out, was right. It was just early.
Fast-forward to April 2026. FinCEN released a notice of proposed rulemaking that, buried inside a dense framework for BSA program effectiveness, included something unexpected.
Inside a subsection of the proposed rulemaking, FinCEN had offered explicit technological safe harbor endorsement for machine learning, generative AI, blockchain analytics, and APIs when used for meeting AML/CFT obligations.
Fifteen years ago, when I wrote that article, I was serving as a regulator. I largely viewed the financial system through the lens of consumer protection. Through my eyes, things in the financial industry were difficult, but largely clear-cut.
A few years after that, however, I joined Circle as Director of Compliance and found my focus fully shifted to the AML side of the house. Suddenly I was thinking about sanctions screening, transaction monitoring, SAR filings, the 314(b) information-sharing framework, and the ways criminal networks actually move value through a financial system.
Everything was suddenly very messy.
In the decade that followed, I was forced to confront what I now believe to be the central tension at the heart of compliance. A decade of experience taught me that we could automate the plumbing of compliance (data intake, alert enrichment, case documentation, narrative generation, etc.) and see real efficiency gains. But no matter how good the tooling got, the core of the work – the investigation – stubbornly refused to automate.
It took me a while to articulate why, but when the answer finally did present itself, it was refreshingly clear.
Technically, compliance is a data problem.
But actually fighting financial crime?
That’s a conflict.
Once I viewed compliance as a discipline split between data problems on the one hand, and the conflict between crime and justice on the other, I realized that compliance today is really two entirely different activities flying under the same banner.
The first activity is technical compliance – making sure that the financial institution’s BSA policy and program operations are in alignment. The second activity is managing the conflict of illicit financial activity coming from people outside of the institution.
This work isn't technical. It is active. Every defense you deploy, an adversary studies, adapts to, and routes around. The typology that worked last quarter fails next quarter because the people you're chasing read the same FinCEN advisories you do.
These two categories are almost never distinguished in compliance conversations, but they behave nothing alike. One is a data problem – where inputs and outputs are clear-cut. The other is an adversarial grudge match with no rules and with no mercy.
Law enforcement will never be fully automated. Not because the technology isn't good enough, but because the other side adapts. You can deploy perfect sanctions screening, but the smurfing networks restructure. Chainalysis can trace a flow, but the mixers, bridges, and decentralized exchanges will immediately sprout up afterward.
This is why the AML function will never look like automated APR calculation. Because you cannot automate the human judgment call at the center. Entirely remove the human investigator and you've handed the adversary a static target.
Technical compliance is the category where automation isn't just possible but inevitable, because the only thing resisting it is organizational habit.
Congress has given the regulators statutory cover for compliance automation – they gave it six years ago with AMLA 2020! The AMLA gave the Treasury a directive to measure BSA effectiveness, to create a mandate for cross-institutional pattern recognition, and to put forward an innovation program to help bring these new initiatives together.
What's been missing in all of this isn’t the knowledge, or the means. It’s implementation.
My solution for this is simple: compliance essentials (things such as transparency, auditability, etc.) need to be built into the products that serve the practice area, rather than depending on human effort to orchestrate. Embedded supervision from the regulator side and embedded compliance from the institution side? They’re the same motion viewed from opposite ends of the telescope.
The implication of all of this is the same one I tried to deliver in 2011: if at the end of an exam your regulator ends up with a better view of your technical compliance posture than you yourself have internally, that is a structural problem.
The institutions that move proactively — building their own continuous monitoring in the same architectural direction as embedded supervision — will be the ones turning regulatory visibility from a constant concern into a non-event.
For regulators, the opportunity is to reallocate the precious and scarce commodity of experienced human judgment away from technical box-checking and toward the adversary-facing work that actually moves the needle on financial crime. Every hour an examiner spends checking disclosures by hand is an hour not spent tackling the scam center problem, the trafficking problem, the sanctions evasion problem — the real-world problems where human judgment is the most irreplaceable asset.
For the compliance profession, the asymmetry between technical and conflict-focused compliance is a good thing. And with technological improvements to the products compliance teams use, step-level changes can finally happen. The category of work that shrinks is the category nobody wanted to be doing. The category that grows is the one that was always the point.
Fifteen years ago, I argued that compliance automation was coming whether the industry was ready or not. In the end, I was right about the direction – just wrong about the time. And I've spent the years since learning where that original argument needed qualifying.
The CFPB's 2011 tool never shipped. But the idea it was built around – about automating the technical aspects of compliance in order to make room for the work that makes a difference – is now showing up everywhere. It’s in FinCEN's rulemaking, in the BIS working papers, in the latest legislation.
And most important for implementation, it can be found in the architecture of every worthwhile regtech company out there.