FinCEN's Whistleblower Program Doesn't Exist — And That's a Problem for Every Bank

In January 2022, Congress enacted the Anti-Money Laundering Whistleblower Improvement Act as part of broader AML reform. The law authorized the Financial Crimes Enforcement Network to establish a formal whistleblower program — modeled on the SEC's highly successful program — that would pay financial rewards to individuals who report money laundering, sanctions violations, and other financial crimes.

Four years later, FinCEN has not written a single rule implementing the program. No regulations. No procedures. No intake system. No reward framework. Nothing.

The agency charged with protecting the U.S. financial system from illicit finance has failed to stand up one of the most powerful tools Congress gave it. And the cost of that failure falls on every bank in the country.

Why Whistleblower Programs Work

The SEC's whistleblower program, established under Dodd-Frank in 2010, has been remarkably effective. Since inception, it has awarded over $2.2 billion to whistleblowers whose tips led to enforcement actions recovering more than $7 billion. The program has received over 90,000 tips, many of which identified fraud, market manipulation, and reporting violations that the SEC's own surveillance systems missed.

The economics are simple: insiders see things that regulators can't. A compliance officer at a bank, a teller who notices unusual transaction patterns, a wire room operator who recognizes structured transfers — these people have front-row seats to financial crime. But reporting it is risky. Without financial incentives and retaliation protections, most stay quiet.

The SEC program solved this by offering awards of 10–30% of sanctions collected in enforcement actions exceeding $1 million, combined with robust anti-retaliation protections. The result: a steady pipeline of high-quality intelligence that supplements the SEC's own detection capabilities.

FinCEN's authorized program would apply the same model to BSA/AML enforcement — potentially the largest enforcement area in banking regulation.

What the Gap Means

Without a functioning whistleblower program, FinCEN relies on three primary intelligence sources for detecting financial crime:

1. Suspicious Activity Reports (SARs): Banks file approximately 4.6 million SARs per year. The volume is staggering — and that's the problem. Most SARs are defensive filings designed to protect the bank from regulatory criticism, not actionable intelligence. FinCEN lacks the resources to meaningfully analyze even a fraction of them.

2. Law enforcement referrals: Federal and state law enforcement agencies refer cases to FinCEN when their investigations uncover potential AML violations. This is inherently reactive — the crime has already occurred and been discovered through other means.

3. International intelligence sharing: FinCEN participates in the Egmont Group and bilateral information-sharing arrangements with foreign financial intelligence units. This is valuable for cross-border cases but provides limited insight into domestic financial crime.

What's missing? Human intelligence. The bank employee who knows that the branch manager is looking the other way on cash structuring. The compliance officer who discovered that the bank's transaction monitoring system has a blind spot but was told not to escalate it. The wire transfer operator who noticed that a series of outgoing wires to shell companies all originated from the same customer relationship.

These people exist at every bank in the country. Without a formal program that incentivizes and protects them, their knowledge stays locked in their heads — or worse, they leave the bank and the knowledge leaves with them.

The Bank Compliance Angle

For community bank compliance officers, FinCEN's failure to implement the whistleblower program has direct operational implications:

Your employees are unprotected. Without the formal anti-retaliation framework that a FinCEN whistleblower program would provide, bank employees who report concerns about BSA/AML compliance failures within their institution have limited legal protections. Yes, general whistleblower statutes exist, but they're not tailored to the specific dynamics of financial crime reporting in banking.

This matters because the first person to notice a BSA/AML compliance gap at your bank is almost always an employee. If that employee fears retaliation — being passed over for promotion, reassigned, or terminated — they won't report. And if they don't report, the gap persists until an examiner finds it, which could be years later, with exposure accumulating the entire time.

The intelligence vacuum creates enforcement risk. When FinCEN eventually gets this program running — and it will, because the statutory mandate isn't going away — there will be a flood of pent-up tips from years of accumulated grievances and observations. Some of those tips will concern your bank. And some of those tips will describe issues that have been festering for years, making the eventual enforcement action more severe than it would have been if the tip had been received and acted on promptly.

Other agencies are filling the gap. The absence of a FinCEN-specific program doesn't mean whistleblowers have nowhere to go. They're filing tips with the SEC (if the bank is publicly traded), the OCC, the FDIC, state regulators, and even Congress. These agencies have their own intake processes, but they lack FinCEN's specific mandate and expertise in financial crime. The result is fragmented intelligence and inconsistent enforcement — which is worse for everyone.

The Broader AML Intelligence Failure

FinCEN's whistleblower delay is part of a pattern of underinvestment in the agency's capabilities that affects the entire banking system.

The AML Act of 2020 — the most comprehensive reform of the Bank Secrecy Act in decades — mandated several major improvements:

• Beneficial ownership database: Operational but plagued by low compliance rates among covered entities
• SAR modernization: Still using essentially the same FinCEN Form 109 format that has existed for decades
• Whistleblower program: Not implemented
• Technology upgrades: Partially funded but not yet delivering improved analytics on SARs
• Information sharing (Section 314(b)): Marginally improved but still cumbersome for community banks

The cumulative effect: banks spend billions on BSA/AML compliance — an estimated $25 billion annually across the industry — but the system that's supposed to use that intelligence to catch criminals remains underfunded, understaffed, and technologically behind.

For community banks, the cost is disproportionate. A $1 billion community bank might spend $2–4 million per year on BSA/AML compliance — 1–2% of operating expenses. That's money not spent on loan officers, technology, or customer service. And the return on that investment, measured by the system's ability to actually prevent financial crime, is questionable at best.

The Internal Compliance Opportunity

While waiting for FinCEN to act, smart community banks are building their own internal whistleblower frameworks.

An internal hotline — anonymous, accessible, and actively monitored — serves multiple purposes:

• Early detection: Employees who report compliance concerns through internal channels give the bank the opportunity to self-identify and self-correct before an examiner or external whistleblower does.
• Regulatory credit: Regulators explicitly consider self-identification and self-correction as mitigating factors in enforcement actions. A bank that discovers a BSA/AML gap through its internal hotline and remediates it promptly will receive significantly more favorable treatment than one where the same gap is discovered by an examiner.
• Culture signal: An active, trusted internal reporting program signals to employees that compliance is taken seriously. This matters for hiring, retention, and the overall quality of your compliance function.
• Legal protection: Documenting that the bank actively encouraged internal reporting can be valuable in litigation, regulatory proceedings, and board liability contexts.

What Your Board Should Do

1. Establish an internal BSA/AML reporting hotline. If you don't have one, create one. If you have one, test it. Have your internal audit team submit an anonymous test tip and track how long it takes to be received, escalated, and investigated. Many banks have hotlines that nobody uses because nobody trusts them.

2. Protect internal reporters. Adopt a formal anti-retaliation policy specific to BSA/AML reporting. Make it part of your employee handbook, your compliance training, and your board-approved BSA/AML program. When an employee reports a concern, protect them — visibly.

3. Monitor the FinCEN rulemaking. The whistleblower program will eventually be implemented. When it is, the rules will likely include provisions affecting how banks handle tips, cooperate with investigations, and protect employees. Your compliance team should be tracking FinCEN's rulemaking calendar and preparing to comment when proposed rules are published.

4. Audit your current BSA/AML blind spots. The gaps that an internal whistleblower would report are the same gaps that an external whistleblower would report to FinCEN. Conduct a self-assessment: where are your transaction monitoring blind spots? Which customer relationships get less scrutiny than they should? Where has your compliance team flagged concerns that weren't fully addressed?

5. Budget for the eventual mandate. When the FinCEN program launches, banks will face new compliance obligations — potentially including requirements to inform employees about the program, facilitate reporting, and cooperate with FinCEN investigations. Budget for incremental compliance costs in your 2027–2028 planning.

The Bottom Line

Congress gave FinCEN a powerful tool to fight financial crime. Four years later, that tool is still in the box. The intelligence gap this creates makes every bank's BSA/AML program less effective, every compliance dollar less productive, and every financial crime harder to detect.

Your bank can't fix FinCEN's bureaucratic failures. But it can build the internal reporting infrastructure, the cultural commitment to compliance, and the proactive monitoring capabilities that will serve you well — both now, in the intelligence vacuum, and later, when the program finally launches and the tips start flowing.

The banks that prepared will be fine. The ones that relied on the system being broken to hide their own weaknesses? They'll have a bad day.