Carole House testifies to House Financial Services Committee on modernizing illicit finance frameworks for the twenty-first century

On May 21, Senior Fellow Carole House testified to the House Committee on Financial Services Subcommittee on National Security, Illicit Finance, and International Financial Institutions at a hearing titled, “Modernizing the BSA for Financial Crime in the 21st Century.” Below are her prepared remarks.

Thank you, chairman, ranking member, and distinguished members of the subcommittee, for holding this hearing and the honor of the invitation to testify on modernizing critical illicit finance frameworks in the face of an ever-dynamic threat, technology, and policy landscape. I applaud your leadership in convening the subcommittee on this important issue. I have spent my career at the intersection of national security, emerging technology, and economic statecraft, including through service in three tours at the White House, at the US Treasury Department, US Senate Homeland Security Committee, chairing and advising three regulatory agency committees on emerging tech, and as a US Army captain. I hope my testimony will be helpful in considering some of the most important aspects of anti-money laundering and countering financing of terrorism (AML/CFT) reform, as you navigate the incredibly complex issues at play here relating to security, innovation, and personal liberty.

The financial integrity architecture the United States built over the past five decades is not, at its core, a compliance structure. It is the infrastructure through which this country defends its citizens, projects economic power, and holds adversaries accountable. It is what enables the United States to freeze the assets of a sanctions evader, trace the proceeds of a fentanyl network back to its source, recover funds stolen from fraud victims, and deny revenue to the state actors funding weapons of mass destruction proliferation programs with stolen funds. Every major threat identified in Treasury’s National Money Laundering Risk Assessment, in the Office of the Director of National Intelligence Annual Threat Assessment, and in the bipartisan work of the House Select Committee on China runs, at some point, through the financial system.

The architecture built to track and disrupt the activity of these threats—whether Chinese infiltration of AI supply chains, narco- and human-trafficking networks, or arms control circumvention—runs in mutual support of rule-of-law systems with benefits that extend well beyond national security. Sanctions enforcement, civil fraud recovery, credit decisions, tax administration, and counter-fraud programs all depend on a common underlying principle: that certain financial activity is documented and available to those with lawful authority to access it, under conditions appropriate to the purpose. Remove that principle and the result is not just weakened AML enforcement. It weakens every accountability system built on top of it.

These frameworks also implicate genuine democratic values that demand honest engagement: privacy, personal liberty, and the burden that compliance obligations place on individuals and institutions. Getting modernization right means taking those values seriously, not treating them as obstacles to security but recognizing that well-calibrated financial integrity frameworks advance all of them simultaneously. Privacy protection in this context means ensuring sensitive financial information reaches only those with lawful authority to access it and defining what those conditions should be, not that records cease to exist. Liberty protection means ensuring the system targets wrongdoing rather than imposing indiscriminate burdens on law-abiding Americans. And burden reduction done right (e.g., through better infrastructure, smarter data architecture, and clearer regulatory standards) can improve both outcomes and access at the same time. The tensions here are real but narrower than the current debate suggests, and the connective tissue between security, accountability, and financial inclusion is stronger than is often recognized.

A few key messages I hope to underscore with my testimony:

• The risk environment (across every component of risk—threat, vulnerability, and mitigation) has genuinely changed, and demands frameworks accounting for these evolutions. Transnational criminal organizations, state actors, and professional enablers are more sophisticated, better resourced, and more technologically capable than at any prior point. Generative artificial intelligence (AI), digital assets, and agentic financial systems are present operational realities being exploited now, and the quantum moment (whether in super-charging compute capability or threatening cryptographic security) is fast approaching. If the United States invests in the right infrastructure and policy levers, these technologies also create genuine opportunities for more effective detection and disruption. Ongoing policymaker interest in focusing on leveraging emerging technologies for benefit and desire to drive greater prioritization for more targeted use of limited resources in high-impact ways can be important steps in addressing this dynamic risk environment.
• Our adversaries are actively exploiting the seams in US visibility into corporate ownership, commercial relationships, and financial system coverage at growing scale and sophistication. Congress recognized this trajectory and acted by building authorities and tools specifically designed to gain visibility at the critical junctures adversaries exploit. Those tools remain unfinished five years on, and in some areas are being actively reversed. The result is a growing gap between the sophistication of the threats Americans face and the capability of the frameworks designed to address them; a gap that is widening precisely as the window to close it narrows.
• Genuine modernization requires an honest evaluation of the existing system’s strengths and challenges and the nature of shifts driven in capacity and threat by an evolving technology landscape—though conflating burden reduction with modernization, without meaningful steps toward efficacy, does not benefit Americans or national security. Reducing compliance friction by building better infrastructure (i.e., authoritative identity verification, machine-readable and structured intelligence sharing, risk-based examination methodology, etc.) improves outcomes while reducing burden. This is a noble aspiration and precisely how we should be thinking about illicit finance framework modernization. However, reducing visibility and dismantling the accountability apparatus without improving underlying infrastructure and without understanding and improving efficacy is not modernization; its effect will be a reduction in capability and opening the door to adversaries seeking to harm Americans and US national security interests.

To meet the dynamic and sophisticated threats facing the US financial system, the United States must pivot from a model of retrospective compliance to one of proactive, operational disruption. Achieving this requires a synchronized effort to eliminate structural blind spots, dismantle artificial data silos, and deploy modern digital identity infrastructure. The following targeted recommendations provide Congress and regulatory agencies with a strategic roadmap to deliver on the promise of the AML Act (AMLA), restore accountability, and safeguard American national security:

• Restore accountability where adversaries exploit opacity: Corporate and supply chain transparency—restore and implement the Corporate Transparency Act (CTA) and beneficial ownership transparency as envisioned by Congress and with a framework that benefits financial institutions and the national security ecosystem; Enabler coverage—finalize investment adviser obligations; finalize the real estate AML rule and extend targeted AML obligations to professional enablers.
• Modernize financial intelligence sharing: Suspicious Activity Report (SAR) and cross-institution sharing—finalize the SAR sharing pilot established under the AMLA; expand 314(b) protections in the statute to explicitly cover information related to underlying predicate offenses for money laundering to include fraud, cybercrime, and sanctions violations; broaden information-sharing liability coverage beyond financial institutions to include financial service providers and other entities for purposes of combating financial crime and fraud (i.e., resembling Cybersecurity Information Sharing Act coverage); Data standards and architecture—develop structured machine-readable financial crime data standards (e.g., adopt lessons from cybersecurity with the STIX/TAXII standards for real-time sharing of machine-readable cyber and digital footprint indicators) and feedback loops to integrate into domestic and international reporting and information sharing channels.
• Build digital-era identity and compliance infrastructure: Identity pilots and infrastructure—direct FinCEN to establish clear pathways for exceptive relief pilots and measurements of efficacy with roadmaps to approval; launch pilots and public-private partnership initiatives for digital identity services and reliance, privacy-enhancing technology (PET)-enabled information sharing and AI-training, typology- and threat-specific SAR attachment data structures, and for programmable compliance features using existing FinCEN authorities like exceptive relief; modernize customer verification and beneficial ownership infrastructure, ensuring value for national security/law enforcement community and industry stakeholders. Governance frameworks for emerging technology—establish governance frameworks for AI-enabled and agentic financial systems; publish AI governance and examiner guidance for AML compliance related to use of and combating threats presented by emerging technologies (e.g., digital identity, digital assets and blockchain, AI, quantum). Evaluate paradigm shifts and regulatory perimeter adjustments—evaluate gaps in understanding and traceability of financial flows to assess regulatory guidance or rulemaking measures needed to move the regulatory perimeter elsewhere in the ecosystem or payment technology infrastructure to address key gaps or changes in the role or visibility of intermediaries (e.g., payment processors, DeFi, etc.).
• Shift from retrospective compliance to operational disruption: Supervision and enforcement—define measurable outcomes-oriented supervision standards tied to specific operational results rather than procedural proxies; direct strategic enforcement alignment that improves FinCEN’s access to critical information as well as enforcement action timeliness and calibration based on risk tiers, extent of violations, and sector-shaping (not sector-breaking) objectives; prioritize and scale FinCEN’s Rapid Response Program for automation, expansion to fintech and crypto, and real-time coordination to boost interdiction of fraud proceeds; resource FinCEN appropriately with budgeting and hiring authorities commensurate with its mission scope. Authorities and coordination—modernize special measures authorities for digital-era threats (i.e., Section 311 of the USA PATRIOT Act and Section 9714 special measure expansion) to reach primary money laundering concerns operating through fintech and digital asset infrastructure outside traditional correspondent banking frameworks; restore interagency coordination capacity for sanctions and kleptocracy enforcement.

The threat landscape: sophisticated, converging, and actively exploiting the gaps left open

The financial integrity architecture exists to address a set of threats that are not static. Assessing the current threat environment is essential for evaluating any proposed change to the framework designed to address it. Transnational criminal organizations, state-linked proxies and crime groups like cyber and fraud syndicates, and professional enabler networks have systematically mapped the gaps in American financial oversight (e.g., anonymous and obfuscated corporate structures, unregulated investment channels, fragmented digital asset compliance, delayed enforcement, etc.) and built their operations around them. The system fails in a few key ways: The system cannot identify who is involved, it cannot connect what institutions know, and/or it cannot act in time to matter. Below are some of the ways major threat actors exploit at least one (if not all three) of those dimensions, illustrating why some of the specific tools discussed in this testimony exist.

The paradigm shifts: what is actually new, what the risk is, and where opportunity lies

Not every emerging technology creates a fundamentally new policy problem. Some accelerate existing risks, some shift the threat landscape while opening new defensive opportunities, and some change far less than their advocates or critics claim. The best regulatory approaches to emerging technology (like the best AML programs) are risk-based: demanding that institutions own and understand the specific risk profile of not only their business and their customers, but their use of—and how they are targeted with—emerging technologies, not simply apply uniform obligations across the board. Risk-based approaches should not mean inherently permissive, but should mean precise and honed for the unique circumstances of that institution, customer, or technology. Several developments are materially changing both the tech-enabled threat environment and the tools available for defense. The policy response must account for both dimensions rather than treating new technology as either uniformly threatening or uniformly beneficial.

These technology-driven shifts are reshaping where accountability attaches, what detection requires, and how fast exploitation can occur. The governance challenge is not whether to embrace or resist these technologies; that debate is largely settled by market reality. The question is whether the United States shapes their integration into the financial system on terms that preserve accountability and democratic oversight, or cedes that shaping to actors with different interests. Governance built into architecture at the design stage is orders of magnitude cheaper and more effective than governance retrofitted after exploitation has already occurred. That principle is not unique to finance, but sits at the heart of every major technology transition the national security community has experienced.

The framework in practice: who participates, what can be seen, and what can be done

Effective AML/CFT frameworks rely upon policy, technological, and operational measures being implemented around core areas such as identity and trust; data, analytics, and detection; and operational coordination and enforcement. These underscore how the key failures in illicit finance frameworks tend to occur when either (1) we do not know who owns or controls something; (2) we cannot connect what different institutions are seeing; or (3) we cannot act on what we know in time to matter. Below I walk through some of the critical elements for each of these areas, along with a specific note on the value of BSA data that is central to this hearing.

Who participates: identity, accountability, and the beneficial ownership gap
A foundational question of any financial integrity framework is whether we know who is actually in the system and understand their risk profile. Increasingly, the answer is no, and the tools Congress built to address that gap are being suspended or reversed, and without corresponding or compensating measures to help address the gaps they are creating.

Beneficial ownership and the Corporate Transparency Act
In March 2025, FinCEN’s interim final rule effectively suspended beneficial ownership information (BOI) reporting for approximately 99.98 percent of domestic entities Congress intended to cover. The formation jurisdiction remains the primary vulnerability, not the nationality of the ultimate owner. Shell companies are formed under US state law, by US registered agents, to obscure the identities of those who benefit from and control them.

The severe national security consequences are well documented by both congressional offices as well as government agencies. The House Select Committee on China found US chips subject to export controls were potentially funneled to Chinese military programs through US-registered shell companies, a median of 140,000 chips to People’s Republic of China (PRC)-linked entities in 2024 alone. The Select Committee’s DeepSeek report found the AI system was reportedly built using chips acquired through shell structures circumventing export controls. Without BOI data on US-formed entities, the BIS enforces export controls largely blind on the corporate structuring side.

Crucially, this blind spot directly paralyzes the ability to disrupt the supply chain of deadly synthetic opioids. FinCEN’s analytics reveal that financial institutions reported over $312 billion in suspicious activity tied to decentralized, horizontal Chinese money laundering organizations (CMLOs) operating as a service for Mexican cartels like Sinaloa and Cartel Jalisco Nueva Generación (CJNG). These networks heavily rely on networks of US-registered front and shell companies to execute near-real-time mirror transactions and trade-based laundering schemes, effectively washing fentanyl proceeds outside formal banking channels before law enforcement can trace the source.

Especially in light of the CTA’s constitutionality being upheld, Congress could act to make its intent unambiguous: the CTA was enacted with broad bipartisan support precisely to address the shell company vulnerability I’ve discussed and noted in assessments by this and prior administrations and this Congress. Congress maintains the authority to require its implementation and consider whether statutory clarification or refinements are needed to ensure the law operates as Congress intended.

Investment advisers, real estate, and professional enablers
Investment advisers manage approximately $146 trillion in assets yet remain substantially outside BSA AML program and SAR filing requirements, a gap that has been flagged repeatedly by the FATF and detailed by the US Treasury as a primary kleptocracy and sanctions evasion vector. The US Treasury’s delay on the investment advisers rule implementation and signaling of forthcoming changes leaves uncertainty to the extent that these controls will take effect. Similarly, the residential real estate sector remains one of the most extensively documented gateways for foreign illicit money to penetrate the US financial system. A landmark study by Global Financial Integrity (GFI), the FACT Coalition, and Anti-Corruption Data Collective analyzed a fraction of known cases, identifying illicit and suspicious funds funneled directly through US real estate across twenty-five cases with total property value exceeding $2.6 billion. Yet, the regulatory path forward for many of these enablers remains deeply unstable after both postponements and a federal district court vacating the rule.

Sophisticated illicit finance rarely operates without professional facilitation (e.g., lawyers, accountants, formation agents, and real estate professionals), yet these gatekeepers and enablers remain inconsistently covered despite longstanding FATF and national security concerns. The operational friction we have seen surrounding these frameworks signals that Congress could leverage this opportunity to actively review and reframe how these authorities are designed, ensuring future implementation is tailored, predictable, and aligned with the practicalities of American commerce. Yet, we cannot mistake administrative or judicial complexity for a lack of strategic threat; yielding to compliance fatigue by entirely abdicating oversight over these multi-trillion-dollar sectors is not a policy solution, but an open invitation for adversaries to exploit the systemic blind spots left undefended.

“Knowing your customer” and digital identity as infrastructure
A significant share of compliance burden is a symptom of broken identity infrastructure, not an inherent feature of AML requirements. Institutions are repeatedly verifying information the US government already knows authoritatively, often through manual document review and layered self-certification that is simultaneously expensive and unreliable. The KYC obligation is not the problem. The mechanism by which it is discharged is, and that distinction requires precision.

• “Fixing” KYC and the nuance it demands: “KYC” is a colloquial term covering a layered set of obligations that operate differently and present different modernization challenges. At the foundation is identity verification (i.e., establishing that an identity is real, that it belongs to the person or entity asserting it, and that the assertion can be trusted). On top of that sits risk assessment and potential obligations like enhanced due diligence (EDD): understanding a customer’s profile well enough to evaluate not only AML/CFT exposure but the broader business risk of the relationship. Then comes ongoing monitoring—continuous reassessment of that profile as behavior, relationships, and circumstances evolve. None of these is a binary yes-or-no check, nor are the elements needed for one of these pieces of KYC the same for the others. Each involves judgment, dynamic data, and contextual analysis that no static credential or point-in-time verification can fully satisfy.
• When practitioners say KYC needs to be fixed, the honest answer is: which part, and fixed how? The obligation to know your customer is not likely going away under any serious reform framework (and should not). What is going to change (and should) includes the identity infrastructure and trust framework institutions rely on to satisfy it, as well as considering more nuanced and tiered frameworks for what information (or “attributes”) different financial institutions and intermediary or infrastructure providers need to know about their customer to adequately assess and mitigate their risk profile. The question worth asking is not whether to know your customer but what attributes and credentials, asserted through what trust framework, most reliably establish the things that are more important for risk assessment. A reformed system built on authoritative, interoperable identity infrastructure reduces burden precisely because it makes that determination more reliable and more targeted—not because it asks less of institutions, but because it gives them better tools to answer the right questions.
• The privacy and data security symmetry: Within this infrastructure debate, data collection and data minimization are often pitted against accountability. A common critique from DeFi and digital asset advocates highlights the risk of “honeypots” (i.e., centralized data repositories containing highly sensitive personal data that can become prime targets for cybercriminals and state-sponsored hackers). Data minimization is a deeply valid concern; care must be taken to ensure that only the specific information required to support legal accountability is collected and stored. However, a structural inconsistency often undermines a one-vector approach to this argument: the premise that users should comfortably trust firms like digital asset companies to custody millions of dollars in sovereign wealth or digital assets, yet simultaneously claim these same firms are fundamentally incapable of safeguarding the basic customer data required to enable due process, consumer protection, and legal accountability, (or that they should face no issues sending money to counterparties in jurisdictions where they are unwilling to send information to allow for counterparty institutions to understand their own AML/CFT risk exposure) lacks internal logic. Financial integrity cannot be a one-way street where firms claim the sophisticated technical capacity to manage automated global value transfer, yet plead operational poverty when it comes to standard data security and governance.
• Smart privacy and PETs: Real privacy doesn’t mean a complete absence of records; it means calibrated discoverability—ensuring sensitive financial details are only exposed to lawful authorities under specific, legal conditions. We already have the tech (e.g., zero-knowledge proofs, homomorphic encryption, multi-party computation, and other PETs) to basically mathematically prove certain facts without exposing the underlying data (think of the ability to screen whether certain attributes of an identity are on a sanctions list). The catch is operational with PETs, which haven’t yet really presented real-world frameworks that allow financial institutions banks, regulators, and law enforcement to conduct their relevant level of continuous, real-time risk monitoring, or provided a secure, legally backed way to unmask an identity under conditions like when a valid court warrant is issued. But PETs are likely to be a critical component of future financial systems; the remaining issues to be worked out are around the technology but especially the governance.
• The deepfake and AI authenticity crisis: Digital identity matters far beyond standard compliance concerns. The United States, along with the rest of the globe, is facing a massive identity authenticity crisis because generative AI and deepfakes can now easily trick traditional, document-based KYC checks. However, the United States is backfooted compared to other parts of the globe because it has not invested in secure, interoperable, trustworthy, privacy-preserving digital identity infrastructure, such as verifiable credentials and privacy-preserving attribute validation services. Even the measures from President Biden’s last cybersecurity Executive Order for improving US government acceptance of standards-compliant and privacy-preserving digital identity credentials to improve integrity of and fight fraud in government benefits programs were rescinded in 2025. In the absence of any widely scaled “trust-tech” infrastructure at the identity layer, the US financial system is vulnerable to highly automated and industrialized fraud. Solving this identity layer is an absolute prerequisite not only to address AML/CFT and cybercrime (where identity compromise is an extremely common vector of compromise—FinCEN even identified $212 billion in identity-compromise enabled suspicious activity in 2021 alone), but also for unlocking agentic commerce. As major institutions, governments, and Fortune 500 companies embrace the upcoming wave of autonomous AI agents buying and selling things on behalf of humans, these agents will inherently be reliant on some kind of infrastructure to determine human and legal person identity and permissions. Without a secure identity foundation, AI agents will simply scale up fraud at a speed and volume that human investigators cannot possibly track, destroying trust in the whole system

Congress can direct some concrete steps to make meaningful progress in laying a stronger, more trustworthy identity foundation in AML/CFT. For example, you could direct FinCEN and banking regulators to use their existing tools, such as FinCEN’s exceptive relief authority, to launch formal, clear regulatory pilot programs with established on-ramps and off-ramps for approval, measurements for efficacy, frameworks for identity information interoperability, sharing, and reliance. Congress could also ensure that federal policy promotes targeted measures like Treasury- and DHS-led grant programs to support state-level adoption of secure digital credentials that meet NIST standards. Furthermore, Congress could reinstate the specific public benefits and anti-fraud protections that were lost when the previous administration’s cybersecurity directives regarding systemic public benefits fraud were rescinded, to include pilots for alerting Americans when their identity is used in federal benefits applications and privacy-preserving attribute validation services to support financial institution identity verification processes.

What can be seen: intelligence architecture, BSA data, and the data imperative
Modern financial crime is networked, which demands that the financial intelligence architecture become equally networked. The most sophisticated criminal operations are specifically designed to remain below the detection threshold of any single institution, distributing activity across platforms, payment rails, and jurisdictions precisely because fragmented visibility protects them. We need to preserve and strengthen the ability of public and private sectors to better put those pieces of fragmented visibility together.

The value of BSA data and why it should not be casually reduced
Before accepting arguments that BSA reporting obligations should be substantially reduced, the operational record deserves direct examination. Critics frequently rely on shortsighted metrics that evaluate BSA utility solely by the number of new investigations directly initiated by a single report. This misunderstands the lifecycle of financial intelligence. For example, IRS Criminal Investigation’s February 2026 BSA metrics report documented that in FY2025, 94 percent of IRS-CI cases were searched against BSA data, generating more than 3.9 million database searches, and nearly 67 percent of investigations had primary subjects associated with currency transaction reports (CTRs).

IRS-CI’s report demonstrates how significant value from BSA data is often retrospective and compound, serving as a critical investigative accelerant that maps out networks, identifies hidden assets, and hardens evidence in thousands of existing or late-stage investigations long after a report is filed. Furthermore, focusing strictly on individual case-matching ignores the strategic power of aggregate data. FinCEN and law enforcement rely on macro-level BSA datasets to conduct financial trend analyses and build complex illicit finance typologies. This aggregate intelligence allows agencies to map systemic vulnerabilities, identify emerging threat vectors, and strategically deploy finite law enforcement resources to high-risk sectors. DEA and FBI financial intelligence functions similarly depend on BSA reporting as foundational investigative infrastructure. The detection signal embedded in that data (including in currency reporting at current thresholds) reflects transaction patterns that have become more anomalous, not less, in an increasingly digital economy.

The case for maintaining the current reporting architecture is not that the system is optimal as designed. It is that the intelligence value embedded in BSA data is demonstrably high, currently irreplaceable by alternative mechanisms, and would be degraded by threshold increases or volume reductions before any substitute detection infrastructure exists to address those shifts in a way that meaningfully works to improve efficacy. Any reduction in reporting obligations should be in consideration of demonstrated law enforcement utility metrics and evidence that alternative detection capabilities are in place where that information would be of national security and law enforcement value, not simply on compliance cost reduction. The operational record supports maintaining the existing framework while investing in the quality and interoperability of the data it generates, not dismantling it.

Cross-institutional intelligence sharing
The SAR sharing pilot authorized under AML Act Section 6212 produced an NPRM in January 2022 and has not been finalized in over four years. This is a high-value yet unfulfilled AMLA promise for driving improved operational financial intelligence. And while there is a great amount of opportunity for liability protections like 314(b) to be used more fulsomely by the financial sector, the 314(b) voluntary sharing framework should also be modernized to keep pace with the scale and sophistication of threats and the complexity of infrastructure and service offerings in modern payments—extending it in the statute to explicitly cover information related to the money laundering predicate offenses such as cyber intrusion, fraud, and sanctions violations, and broadening eligibility beyond traditional financial institutions to the compliance and investigative firms often best positioned to detect early warning of coordinated illicit activity. With Congress’s intent via 314(b) being to enable information sharing for prevention and detection of money laundering, I posit that sharing of the underlying criminal activity appear should reasonably and clearly be covered under the scope of the information sharing protection. The Cybersecurity Information Sharing Act succeeded precisely because collective defense requires broad participation. Financial crime defense requires the same logic.

Structured financial crime data standards and OSINT
The development of STIX/TAXII transformed cybersecurity’s collective defense capability by creating standardized, machine-readable, timely threat intelligence sharing. As Natalie Loebner has argued in her Open Banker framework, BSA data is a public good currently trapped in private silos. Shared taxonomies, common data dictionaries, machine-readable typology frameworks, and real-time intelligence exchange would multiply investigative capacity across institutions and agencies. Without this architectural investment, each institution builds detection capability in isolation and the system remains less than the sum of its parts. Congress also should urge Treasury to make clear expectations for integrating valuable, openly available information (open source intelligence or OSINT) into their AML/CFT programs, and especially offer valuable guidance on high-impact types of data related to particular typology or priority threat detection. There are vast opportunities for this integration—corporate registry records, open blockchain data, commercial data, social media and news—that similarly function as a force multiplier the current framework has not enabled through safe harbors or structured access mechanisms. And finally, feedback loops on the utility of specific data and reporting, especially SARs, remains an under-delivered hope from the AMLA that Treasury could prioritize to improve value and reduce effort by both investigators and industry.

Digital assets and offshore stablecoin coverage
I testified to the House Financial Services Committee Subcommittee on Digital Assets, Financial Technology, and Inclusion in February 2024 on cryptocurrency crime issues. For consideration by this Subcommittee, I shall relay some of those same elements, which generally remain unchanged in my assessment:

• Blockchain analytics utility: “One important distinction between most cryptocurrency systems and traditional financial systems is cryptocurrency’s often public and transparent nature—SWIFT, FedWIRE, and cash movements do not publish transactions to public ledgers or records that anyone can see. Cryptocurrency systems offer unprecedented public visibility of certain financial activity. This public visibility has played an important role in mitigating risks in cryptocurrency illicit finance, enabling the rise of cryptocurrency analytics firms and investigative tools and techniques to better and more timely trace and interdict crypto crime proceeds. However, there are limitations to this transparency, such as in that off-chain data and transactions are not visible publicly, as well as the use of methods like mixing, chain-hopping, and encryption to obscure the ledger or system of record. There are also disagreements amongst analytic firms on attributions made using proprietary analytic methods and AI/ML clustering models, as well as ongoing concerns with auditability, corroboration, explainability of some of these proprietary solutions that could present serious challenges to best leveraging what information is public on blockchain ledgers. Public transparency of financial information also inherently presents challenges for consumer privacy, especially when considering the pace of open source AI/ML technologies that may increase public attribution of transactions on unobscured ledgers.” There are immense opportunities to leverage this unprecedented financial transparency to improve systemic compliance across the cryptocurrency industry—the industry just has not gotten there yet with the combined state of RegTech, operational coordination, and compliance.
• Cryptocurrency illicit finance metrics: “While it is difficult to accurately assess the amount of illicit finance in any financial system, including in cryptocurrency ecosystems, regulatory technology (RegTech) firms as well as financial and law enforcement networks shed some light on the scale of the problem. Some analytics firms estimate less than 1 percent of cryptocurrency transaction volume to be illicit. However, while these and other RegTech firms are critical to enable investigations by industry and law enforcement, this figure and others from blockchain analytics firms likely underestimate illicit activity. While the figures would represent best estimations from the firms based on information available to them, the numbers would not be comprehensive. They would not account for off-chain data and only include activity already known to the RegTech firms as having been identified to be illicit. In 2020, FinCEN highlighted that it received suspicious activity reporting (SARs) in 2019 associated with cryptocurrency activity amounting to $119 billion, or 11.9 percent of the total cryptocurrency market. Of course, this number may likely be overestimated, as ‘suspicious’ activity does not mean it is necessarily illicit. However, the FinCEN SAR figure also only accounted for reporting from compliant, US cryptocurrency service providers, implicating that global suspicious activity metrics would be much higher, especially if global compliance were in a better state to address pervasive underreporting issues.” Governance frameworks should not be calibrated to the most favorable estimate of the problem.
• Off-shore USD stablecoin challenges: Legislative and regulatory design choices have left a massive, peer-to-peer dollar-denominated ecosystem operating entirely outside direct US jurisdictional hooks. This regime effectively allows offshore issuers to generate billions in a kind of “shadow” dollar liquidity, establishing an unchecked secondary market that expands access to the US financial system in some cases to the most critical state and non-state adversaries—including the Iranian Revolutionary Guard Corps (IRGC), the ruble-backed stablecoin A7A5 (run by sanctioned oligarch Ilan Shor, and the virtual opening for which President Vladimir Putin reportedly attended), and the DPRK (all of which are subject to US sanctions designations). A major challenge presented by this parallel architecture is that it systematically undermines the core mechanics of economic statecraft. Sanctions regimes—especially strict secondary sanctions frameworks—only function when the United States can effectively close off alternative relief valves of global dollar access. If billions of dollars are allowed to circulate peer-to-peer via uninterdicted offshore rails, those relief valves remain wide open.

While recent retroactive, multi-hundred-million-dollar asset freezes by offshore issuers are often cited as compliance successes (and it is a positive indicator to see such freezes), they still signal a deeper, structural failure. Freezing an historically unprecedented volume of assets after the fact does not demonstrate proactive, system-wide compliance; it would instead confirm that a massive, historic scale of the illicit activity that was already permitted to flow through that infrastructure. It is also fundamentally not the role (nor should it be) of the United States government or federal law enforcement to serve as the outsourced, retroactive compliance department for highly profitable offshore entities that choose to build their business models by providing unmonitored dollar-equivalent access to high-risk and even US-sanctioned actors. Evolutions are needed to shift global approaches, and US expectations, from simply retroactive compliance with lawful orders to meeting proactive, continuous compliance obligations.

What can be done: enforcement, outcomes, and operational capacity
Even the best intelligence architecture fails if institutions and governments cannot act quickly enough to impose meaningful consequences. Modernization is not just about rule and policy but also critically relies upon operationalizing capabilities and incentives to deter bad actors—a capability that is eroding but which can be course-corrected for the better of industry, Americans, and US national security interests.

Enforcement timeliness, calibration, and the deterrence problem
FinCEN has historically operated with resources that have not kept pace with its expanding mandate. An agency with such a critically important mission must be adequately supported to safeguard the financial integrity framework that the national security apparatus, and consequently the American public, relies upon. Even under baseline operational conditions, FinCEN and the federal banking agencies already face acute statutory delays, frequently executing enforcement actions so many years after a violation occurs that their deterrent and sector-shaping impact is severely degraded. Civil enforcement achieves its compounding national security objectives only when it is early, iterative, calibrated, and based on clear, enforced expectations before compliance failures mature into systemic vulnerabilities.

The structural changes introduced in the April 2026 Notice of Proposed Rulemaking (NPRM) governing AML/CFT compliance programs could potentially risk institutionalizing administrative paralysis unless deliberate and accelerating measures to meet this new system of supervision and approval are emplaced. The proposed framework of routing federal banking agencies (FBAs)—which possess independent statutory authority to enforce compliance—through a new consultation process through FinCEN before bringing significant supervisory actions could improve interagency coordination on enforcement but could also inadvertently create a kind of gatekeeping that would further reduce timely oversight and enforcement unless resources are properly committed to the Bureau and broader enforcement regimes. Separately, on support to asset recovery, FinCEN’s Rapid Response Program has demonstrated the value of real-time coordination in fraud interdiction to recover funds stolen and defrauded from Americans. That model deserves expansion and sustained resourcing by Congress.

Outcomes-oriented supervision: defined, not assumed
Stakeholders broadly support a transition toward risk-based, outcomes-oriented AML supervision. However, the practical challenges of implementing this paradigm shift without sacrificing regulatory clarity remain a primary concern across both regulatory bodies and industry. The current system still lacks actionable, standardized definitions of what an “effective outcome” actually is, too often defaulting back to legacy, forensic check-the-box exercises that neither public nor private sectors are happy with.

There is an immediate opportunity for Congress and regulatory agencies to bridge this gap through steps shifting from rigid, static rules to dynamic behavioral science models. By leveraging next-generation data architecture (e.g., specifically privacy-preserving technologies like federated learning), financial institutions can collaboratively train machine learning models to detect complex illicit behavior patterns across separate entities without compromising consumer privacy or violating data localization laws.

On a tactical level, Treasury could lead a public-private research initiative tasked with establishing concrete, quantifiable performance metrics that move beyond mere transaction volumes. True structural efficacy would be best measured through explicit operational indicators. Some options Laurence Hamilton at Consilient published for consideration: coverage, or the scope of exposure surfaced; precision, or the elimination of false positives; prioritization, meaning ensuring the highest behavioral risks rise to the top of review queues first; and case aging, to measure the latency between detection and law enforcement utility. Dropping false negatives, interdiction and investigative utility and rate could also be valuable. Additionally, regulators should publish clear, sector-specific examination guidance that hones the Federal Financial Institutions Examination Council (FFIEC) manual, establishes predictable safe harbors for model validation, and partners with international standards bodies to turn outcomes-oriented theory into repeatable, inspectable supervisory realities.

International coordination and the FATF mutual evaluation
The United States is undergoing FATF’s fifth-round mutual evaluation, with the on-site visit completed in early 2026 and the report expected later this year. Several areas may present concerns given historical issues raised by the FATF in evaluations of the US frameworks, including the effective suspension of CTA BOI functionality, unresolved investment adviser and real estate gaps, declining enforcement intensity, and reduced emphasis on professional enablers. A poor FATF evaluation could present tangible challenges to the United States economically and diplomatically. For example, it could give foreign correspondent banks formal grounds to apply enhanced due diligence to US-related transactions, reducing US leverage in multilateral financial diplomacy, and providing adversaries a ready-made argument for alternative financial architectures that could reduce US visibility and sanctions reach.

Dollar primacy does not rest on military power alone. It rests on confidence that dollar-denominated transactions occur within a system governed by rules that are consistently enforced. The AML/CFT architecture and the sanctions toolkit are not separable from that confidence. The US Treasury has continued to engage in the FATF Plenary, and the mutual evaluation process that Treasury has been leading engagement under will have been a good opportunity to demonstrate continued commitment to that framework. This Subcommittee should treat the FATF evaluation report as a priority oversight document and hold a dedicated hearing on its findings once released as part of your deliberations on trying AML/CFT reform.

Conclusion

Our adversaries watching this hearing are not hoping the United States modernizes successfully. They are hoping the United States reduces visibility without improving infrastructure, coordination, or operational effectiveness. They benefit when accountability gaps widen, when enforcement becomes fragmented, and when democratic governments fail to adapt quickly enough to preserve operational advantage.

Congress has already done substantial bipartisan work in response. The task now is to finish that modernization—restoring accountability where visibility has been weakened, building digital-era identity infrastructure, modernizing intelligence sharing frameworks, and ensuring enforcement capacity keeps pace with technological change.

Thank you. I welcome the subcommittee’s questions.

Carole House is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and a distinguished senior fellow at ACAMS. She previously served as the White House National Security Council (NSC) special advisor for cybersecurity and critical infrastructure policy and Chair of the US Commodity Futures Trading Commission’s Technology Advisory Committee.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

Further reading

Wed, Mar 12, 2025

Carole House testifies to House Committee on Financial Services on regulation and security in stablecoins and digital payments

Testimony By Carole House

On March 11, Senior Fellow Carole House testified to the House Committee on Financial Services at a hearing titled, "Examining a Federal Framework for Payment Stablecoins and Consequences of a US Central Bank Digital Currency."

Digital Currencies Digital Policy

Thu, May 22, 2025

Gold’s geopolitical comeback: How physical and digital gold can be used to evade US sanctions

New Atlanticist By Kimberly Donovan, Maia Nikoladze

The rise of gold-backed currencies that circumvent the US banking system could create a massive blind spot for US sanctions enforcement efforts.

Economy & Business Financial Crimes & Illicit Trade

Mon, Apr 28, 2025

Modernizing the tools of economic statecraft to meet the challenges of today

Issue Brief By Lesley Chavkin, Eitan Danon, Kimberly Donovan, Andrew Gallucci, and Caroline Hill

As the current administration revisits the functions and mechanics of government, near-term steps can be taken, under existing statutory authorities, to modernize how the United States uses its economic strength to combat national security threats and promote American interests.

Economy & Business Financial Crimes & Illicit Trade

Image: The United States Capitol Building against a clearing blue sky viewed from the east front of the U.S. Capitol building in Washington, DC.