On the public record · FINCEN-2026-0034 / OCC-2024-0005

The Evidence Gap Index

How the major AML/CFT program-rule letters answer the question none of them asked.

Compiled by Sviatoslav Zhuravlev · notary/cloud · 2026-06-12

The comment period on FinCEN's AML/CFT program-rule docket closed on June 9, 2026, with 112 comments filed; the parallel agencies' docket, OCC-2024-0005, holds 41 more. Banks, associations, and vendors will be parsing these letters until the final rule. This index maps the major ones.

It is a reading of the load-bearing letters, not a census: we did not read all the filings on both dockets. What we read, we scored on a 0-5 evidence-proximity scale, and each score links to the public letter on regulations.gov - check our reading in one click. One comment ID is still being confirmed; its row says so.

Methodology · the evidence-proximity scale

Nearly every industry letter on FINCEN-2026-0034 and the parallel agencies' docket OCC-2024-0005 asks regulators to defer to documented risk-based decisions. This index measures how close each letter comes to the question underneath that ask: what makes the documentation itself trustworthy as evidence at examination time, years later, after the systems that produced it have changed.

0 - does not engage documentation at all
1 - asks for deference to documented decisions (states the premise only)
2 - additionally names documentation quality, burden, or the check-the-box risk
3 - additionally engages evidence properties (auditability, reconstruction, structured records as the proof substrate)
4 - additionally asks who verifies the record, or how records stay reliable across system and vendor change
5 - proposes a mechanism for evidence integrity (custody, verification, durability)

Scoring rules: a letter earns a level only if it engages that layer explicitly; flattering inference is not allowed - including for letters whose authors we like. One illustrative paraphrase per letter; no verbatim quotes over 15 words; one quote max per source.

Counting caveat: several letters (the BPI and The Clearing House joint letter among them) were filed to both dockets, so the per-docket counts double-count cross-filers. The OCC docket also spans two comment rounds (2024 and 2026).

The index
| # | Letter | Signatory / voice | Core ask | Closest approach to the evidence question | Score |
|---|--------|-------------------|----------|-------------------------------------------|-------|
| 1 | BPI + The Clearing House · joint letter, filed to both dockets, 22pp · OCC-2024-0005-0041 | Clara Kim, SVP BPI; Rodney Abele, TCH | Documented decisions must not be second-guessed with hindsight; examiner consistency | Demands deference to the document; never asks what makes the document hold | 1 |
| 2 | American Bankers Association · FINCEN-2026-0034-0078 | Heather Trew, SVP & Counsel (Illicit Finance), Financial Institution Policy and Regulatory Affairs | Protect documented risk-based judgment; innovation without penalty | Deference premise; documentation as shield, not as object | 1 |
| 3 | GECU FCU · FINCEN-2026-0034-0089 | Nicole Bradford, Sr. VP Compliance | Guidance on how to assess and demonstrate effectiveness | Asks regulators how to demonstrate; does not ask what makes the demonstration durable | 2 |
| 4 | Sunwest Bank · FINCEN-2026-0034-0043 | Harry Cupp, SVP BSA & OFAC Officer | Retire check-the-box; documented rationale + governance oversight | Names the documentation-driven trap from the operator seat (quality layer) | 2 |
| 5 | Forbright Bank · FINCEN-2026-0034-0076 | Jessica Nichele, BSA Officer | Independent testing must not substitute hindsight judgment for documented decisions | Names the hindsight-vs-documentation tension in the testing relationship | 2 |
| 6 | Wolfsberg Group · FINCEN-2026-0034-0055 | Association of global banks | Define systemic/significant failure; internal QA should preempt second-guessing | Cites its own Principles for Auditing for Effectiveness (March 2024): audit as evidence layer | 3 |
| 7 | Royal Business Bank · FINCEN-2026-0034-0012 | BSA Officer (post-remediation voice) | Document actions taken against identified risk, not promptly re-papered assessments | Closest practitioner articulation of living evidence vs paperwork; stops before verification | 3 |
| 8 | Nasdaq Verafin · FINCEN-2026-0034-0068 | Vendor | Effectiveness measured from operational records and outcomes | Treats operational records as the proof substrate; vendor-held, no custody question | 3 |
| 9 | Unit21 † | Vendor | Log every action, preserve reasoning behind decisions | Names evidence properties (completeness, reasoning capture); no who-verifies layer | 3 |
| 10 | ARC Regulatory · 15pp · FINCEN-2026-0034-0033 | Ryan Aballe, Principal | Formal safe harbor for documented risk-based decisions incl. SAR/no-SAR dispositions | Builds the most structured evidentiary test in the docket (decision documented in governance records + internal review + disposition records referencing criteria) - but the test ends at internal review; nobody outside the institution ever verifies, and nothing addresses records surviving system change | 3 |
| 11 | a16z · 17pp · FINCEN-2026-0034-0088 | Ramaswamy CLO, Walker CCO, Rathod-Papier, Mina Kim BSA/OFAC Officer | Resolve MRM uncertainty for AI-enabled AML/CFT tools | Deepest model-governance engagement: documentation/validation burden, re-validation cycles, governance of design choices; still inside the institution's own walls | 3 |

† Unit21: Reviewed from the public docket; the regulations.gov comment ID is pending confirmation, so this row carries no source link yet.

Conclusion

The docket tops out at level 3. In the major industry letters reviewed for this index - the ones banks, associations, and vendors themselves treat as load-bearing - and in our scan of the docket's late wave, no letter reaches level 4 or 5: none asks who can verify a documented decision, and none proposes a mechanism by which the record remains verifiable after the models, vendors, and log systems that produced it have been replaced. We have not read all filings on both dockets (112 + 41, with cross-filers double-counted); we read the ones the industry put its weight behind. That is the open question the docket states by omission.

Notary Cloud builds externally verifiable records for AI decisions in regulated workflows.

Compiled by Sviatoslav Zhuravlev · published 2026-06-12 · scores reflect our reading; the letters are linked - check us. Corrections: [email protected]