3 posts tagged with "AML/BSA"

PCI-DSS 4.0 became the mandatory standard on March 31, 2024. Version 3.2.1 is retired. Among the significant changes in v4.0: expanded requirements for automated and AI-driven systems operating within or adjacent to the Cardholder Data Environment (CDE).

If your AI agent handles, routes, processes, or queries payment card data — primary account numbers (PANs), CVVs, cardholder names, expiration dates — PCI-DSS 4.0 applies to both the agent and its infrastructure.

MiCA — the EU's Markets in Crypto-Assets Regulation — became fully applicable to Crypto-Asset Service Providers (CASPs) on December 30, 2024. If you operate a crypto exchange, custody service, or trading platform in the EU, you are now subject to MiCA's full requirements.

AI agents that automate crypto transfers, execute trades, manage wallets, or provide investment advice on crypto assets are in scope. MiCA doesn't have an exemption for "it's just an algorithm."

The Bank Secrecy Act has been around since 1970. FinCEN's expectations for AI-assisted transaction monitoring are not new — the 2021 guidance on AML program effectiveness explicitly called out model risk management and audit trail requirements for automated transaction monitoring systems.

If your AI agent initiates, approves, routes, or monitors financial transactions, AML/BSA requirements apply. There's no AI carve-out.