r/ComplianceOps

▲ 3 r/ComplianceOps+1 crossposts

everyone's celebrating FinCEN's AML reform like it's less work while it's not

The proposed rule drops uniform monitoring requirements across the board. sounds like a win until you read what replaces them.

Now you need a documented risk tiering framework that's defensible under exam, connects directly to how you allocate analysts and TM resources, and stays current as a living artifact. examiners aren't checking whether your policies exist anymore. they're pulling outcome metrics like unreviewed alert rates and unfiled SAR counts.

The 400 low-risk alerts i was clearing every week? sure, maybe those go away. but somebody at my shop has to build the tiering methodology that justifies why those customers are low-risk in the first place, map it to our TM rule thresholds, and keep updating it every time our product mix or customer base shifts.

We don't have a risk modeling team. that somebody is me and my manager with an Excel file.

Comment period closes June 9 and I don't think most regional banks have even started thinking about what this actually requires on the ground.

u/ExpressIce8477 — 1 day ago

FinCEN's new NPRM wants risk-based AML programs and most of us don't have one

FinCEN and the FDIC/OCC/NCUA dropped an NPRM on April 7 that's getting summarized everywhere as a shift to risk-based AML programs, but the ops implications are way bigger than the headlines suggest. Comment period closes June 9.

the core change is the order of operations. right now most programs were built checkbox-first: you design your procedures, apply them broadly, and layer a risk assessment on top to show examiners you thought about it. the new rule flips that. you run the risk assessment first, then design the program around those findings.

different customers get different levels of scrutiny and you have to document why.

sounds like flexibility, and it is, but it also means every resource allocation decision needs a justification trail. why did you set this alert threshold here and not there? why does this customer segment get enhanced due diligence and this one doesn't?

the examiner isn't looking for technical violations anymore, what they're looking for is whether your reasoning holds up.

material or systemic failures are the new enforcement standard, which means isolated gaps matter less but your overall logic better be airtight.

i've been thinking about what this actually changes day to day. our TM thresholds were set back in 2023 based on vendor defaults and nobody's touched them since. our customer segmentation uses like 4 categories.

if an examiner asks me to show the risk assessment that drove those decisions i genuinely don't have one that would survive scrutiny.

the rebuild from checkbox to risk-based is a re-architecture, and i think a lot of teams are going to underestimate how long that takes.

u/LevelDisastrous945 — 2 days ago

Where are teams putting workloads that are too important for shared cloud?

Asking because we’re running into this now. we’ve got a few workloads that don’t really feel right in shared cloud anymore, but going full private / locked-down core feels like too much either. security wants tighter control, app teams still need the flexibility of public cloud, and finance is tired of usage-based spikes.

Nexcess / specialty cloud came up while we were looking at that middle ground. curious what other teams are actually doing here.

u/Live_Wonder4645 — 3 days ago

I attended a KPMG "Reg-Tech" conference and I was shocked how little these "AML and FinCrime specialists" know about AI!

Does this coincide with your experience in the FinCrime / AML / KYC space?

On Thursday this week, KPMG hosted a RegTech conference. The event description sounded promising, so I applied for a seat and was approved a couple of days later. I had high expectations and was genuinely interested in learning about cutting-edge AI in the field, especially with respect to explainability, which aligns with my research focus.

Unfortunately, the technical side fell far short. The talks were mostly centered on regulation, and apart from a few exceptions, the content was unengaging. Either it wasn’t new to me, wasn’t relevant to the areas I’m interested in, or wasn’t technical at all.

There was one company, Hawk AI, that I paid particular attention to, as they are a notable player in explainable AI for AML in the DACH region. Surprisingly, the CEO was unable to answer a relatively straightforward question from someone in the audience. Instead, he resorted to vague, evasive responses that anyone with some domain knowledge could recognize as such.

After the main sessions, during the networking part (rooftop, good food), I spoke with several panel speakers. Interestingly, they all seemed to recognize the weaknesses in others’ talks, but not in their own. None of them demonstrated solid AI expertise, yet they presented their solutions as state of the art. In reality, they did not appear capable of distinguishing between strong and weak approaches.

I was interested in discussing topics like explainability methods, logic programming, knowledge graphs, deontic logic, real-time KYC/AML, and data integration. With one exception, a KPMG representative who advised me not to apply for a job there (lol), no one even seemed to understand why I brought these topics up.

u/Free_Ad3272 — 5 days ago
▲ 4 r/ComplianceOps+1 crossposts

Seeking Guidance on an AI Learning Roadmap for AML Professionals

As an AML subject matter expert looking to learn AI, what roadmap would you recommend? What courses should I take and which technical skills should I build?

u/Stock-Amphibian-2249 — 5 days ago

Tired of generic AI giving you unverifiable answers for EU compliance research? We built something specific.

Hey r/Compliance 👋

I'll keep this straight — we built Eulex because we kept hearing the same frustration from compliance teams:

"EU regulatory research takes forever, and I can't trust AI tools that don't tell me where the answer is coming from."

Sound familiar?

Eulex is an AI research platform built specifically for EU legislation and case law. Every answer comes with exact citations pulled directly from EU law — so you always know the source, and you can always verify it yourself.

It's built for the questions compliance teams actually deal with:

  • AML/KYC obligations and client onboarding requirements
  • EU AI Act compliance — high risk classifications and obligations
  • GDPR and data protection requirements
  • Financial regulation and reporting obligations

And it's built with compliance-grade security:

  • EU-only hosting
  • Zero-knowledge architecture
  • Full GDPR compliance
  • We never train on your data. Ever.

We're early and we're actively looking for feedback from people who do this work every day. You know better than anyone what's missing from the tools out there right now.

It's completely free to try. No credit card. No catch.

👉 https://eulex.ai/

Happy to answer any questions in the comments. 🙌

u/eulex_ai_ — 4 days ago