Recently, I had the absolute pleasure of participating in a panel discussion at an industry conference. While that experience was amazing on its own, the other panelists shared such valuable insights that I couldn’t help but fill pages of my notebook.
Here are some key takeaways from the recent Back-To-Basics conference.
1) TD Bank
TD Bank was recently hit with the largest BSA/AML fine in history — a staggering $3 billion.
I’ve long said that incorrect, incomplete, or missing CTRs are low-hanging fruit for examiners. How true this proved for TD. The bank was found to have violated the BSA by failing to maintain an effective AML program, laundering monetary instruments, and — drumroll please — filing inaccurate CTRs.
In this case, TD filed CTRs that did not include the actual conductor of the transactions. Between 2019 and 2023, the criminal organization involved moved more than $670 million through the bank.
The findings didn’t stop there. TD was also cited for inadequately trained staff, and in some cases, frontline employees actively aided the launderers in their schemes.
From a monitoring perspective, one of the most alarming findings was that TD intentionally excluded all domestic ACH transactions from its automated monitoring system. That gap represented 92% of its transaction volume — totaling $18.3 trillion.
Key Takeaways:
- Train your staff.
- Don’t erroneously exclude transactions from monitoring.
- Include insiders in your risk assessment.
2) The Current Landscape
Regulatory scrutiny continues to evolve.
Recent GTOs issued in Minneapolis and St. Paul are targeting MSBs. If you are an MSB — or you bank MSBs — expect heightened scrutiny. The region recently experienced an alleged fraud case involving childcare facilities that collected government funding without providing services, putting additional attention on financial flows in that area.
Debanking high-risk industries remains a complicated issue. In December, the Office of the Comptroller of the Currency released preliminary findings following a review to comply with the executive order, “Guaranteeing Fair Banking for All Americans.” In the report, nine banks were found to have “made inappropriate distinctions among customers in the provision of financial services on the basis of their lawful business activities,” creating barriers to maintaining banking relationships.
Industries cited as examples of debanking included oil and gas exploration, coal mining, firearms, private prisons, tobacco and e-cigarette manufacturers, adult entertainment, and digital assets.
The phrase of the day? “Don’t get too caught up in the moment” when deciding to exit relationships. Reactive decisions can create just as much risk as the relationships themselves.
Looking ahead, cryptocurrency — particularly stablecoin — may soon operate more like its own currency class. And then there’s AI. It “could decimate what we do or increase output” in the AML monitoring space. The direction depends entirely on how thoughtfully we implement it.
Key Takeaways:
- If you bank MSBs, expect increased scrutiny — especially in regions under GTO focus.
- Be cautious and well-documented when exiting high-risk industries; avoid reactive debanking.
- Ensure decisions are risk-based and supported by clear policies and governance.
- Prepare for the growing role of stablecoin and digital assets in the financial system.
- Develop a proactive AI strategy — don’t wait for disruption to force change.
3) Third-Party Risk Management
One of the most important clarifications from the conference: third-party risk management is not vendor management.
Third-party risk management is a risk-based, ongoing process to identify, monitor, and manage third parties that provide services to your organization. This includes vendors, partners, contractors, and any third party that could impact operations or compliance.
Vendor management, on the other hand, focuses more narrowly on vendors providing goods and services — negotiating contracts, controlling costs, and ensuring delivery.
There are several types of third parties in today’s ecosystem:
- Fintech – Focused on user experience and innovation.
- Regtech – Focused on compliance, fraud detection, and regulatory reporting.
- BaaS (Banking as a Service) – Focused on infrastructure.
Fintechs, in particular, are often the most likely to use AI, move quickly, and “break things.” That reality requires a heightened level of diligence and a strong risk management framework.
One of the most practical pieces of advice shared was this: make your regulator your “co-conspirator” when onboarding new Fintechs. (Side note: regulators HATE surprises.)
Institutions that successfully onboard Fintech partners consistently bring regulators in early and include them in governance discussions. And ideally, Fintechs themselves should already be communicating with regulators.
Key Takeaways:
- Understand the difference between vendor management and third-party risk management.
- Apply a risk-based, ongoing oversight model — not a one-time onboarding checklist.
- Tailor due diligence based on the type of third party (Fintech, Regtech, BaaS).
- Increase scrutiny for Fintech partnerships, especially those leveraging AI.
- Engage regulators early and avoid surprises by incorporating them into governance conversations.
Final Thoughts
If this conference reinforced anything, it’s that the fundamentals still matter.
Strong training. Complete and accurate reporting. Thoughtful monitoring. Balanced decision-making. Risk-based third-party oversight.
In a world of AI, cryptocurrency, and rapidly evolving partnerships, getting back to basics may be the most strategic move of all.
If your institution is evaluating its AML program, reassessing third-party risk, preparing for digital assets, or simply trying to strengthen its compliance framework, I can help. I work with organizations to build practical, risk-based compliance programs that stand up to regulatory scrutiny while supporting business growth.
Let’s connect and talk about how to turn regulatory expectations into a strategic advantage — not just a requirement.