The FFIEC BSA/AML Examination Manual frames institutional risk assessment across four pillars: products and services, customers, transactions, and geographic locations. Most compliance programs invest heavily in the first three. Geography, despite being explicitly called out as a core risk dimension, remains the least developed.

That gap is getting harder to defend. In the first quarter of 2026 alone, FinCEN issued an expanded Southwest Border Geographic Targeting Order covering counties and zip codes across Arizona, California, New Mexico, and Texas, imposed a separate GTO on banks and money transmitters in Hennepin and Ramsey Counties in Minnesota tied to a $300 million child nutrition fraud ring, and published advisories on Chinese money laundering networks facilitating cartel proceeds. Every one of these enforcement actions is geographic at its core. And every one exposes institutions that treat geography as a checkbox rather than a data-driven risk dimension.

The Binary Flag Problem

Most banks assess geographic risk using county-level HIDTA designations. A county is either HIDTA or it is not. This approach has two problems.

First, it is too coarse. A county can contain dozens of zip codes with wildly different risk profiles. Flagging an entire county as high-risk generates thousands of unnecessary alerts on low-risk activity, while missing concentrated pockets of risk in counties that fall just outside the designation. The result is noise — and noise erodes analyst trust in the system.

Second, it is static. County-level flags change infrequently. Drug trafficking patterns, MSB concentrations, and financial crime typologies shift faster than county designations can keep up. Institutions relying on binary flags are always looking at yesterday's risk landscape.

The alternative is machine-learning-driven risk scoring at the zip code level. Instead of a binary flag, each zip code receives a five-tier classification — Very Low through Very High — derived from over a billion data points across government, financial, and proprietary sources. The result is up to 67 percent reduction in false positive alerts compared to county-level flagging, because the scoring isolates actual risk concentrations rather than painting entire regions with a single brush.

Why Geography Matters More Now

Three recent FinCEN actions illustrate why geographic intelligence has moved from "nice to have" to regulatory expectation.

The first is the expanded Southwest Border GTO, effective March 7, 2026. FinCEN now requires MSBs in designated counties and zip codes across four states to file Currency Transaction Reports for cash transactions between $1,000 and $10,000. The March 2026 expansion added Maricopa and Pima Counties in Arizona along with Bernalillo, Doña Ana, and San Juan Counties in New Mexico — areas not covered by the 2025 orders. FinCEN explicitly tied the expansion to evolving patterns in cartel-related cash movement and fentanyl trafficking proceeds. The key detail: the GTO targets specific zip codes within those counties, not the counties wholesale. FinCEN itself is operating at the zip code level.

The second is the Minnesota fraud GTO issued in January 2026. Fraud rings operating through the Feeding Our Future program stole at least $300 million from federal child nutrition funds, laundering proceeds through shell companies, MSBs, and wire transfers to foreign jurisdictions. FinCEN responded with a GTO covering Hennepin and Ramsey Counties, requiring reporting on transactions of $3,000 or more sent outside the United States. The agency also issued four notices of investigation to Minnesota MSBs and published an alert with red flag indicators for financial institutions. The geographic concentration of the fraud — centered in Minneapolis and St. Paul — was itself a detectable signal that traditional transaction monitoring missed because it was not looking at geographic clustering.

The third is FinCEN's December 2025 announcement of a "data-driven border operation" using advanced data processing to identify illicit networks along the Southwest border. FinCEN signaled that geographic targeting is not a temporary tool but a scalable enforcement model that could be replicated in other regions. The Minnesota GTO, issued weeks later, proved the point.

Cross-Attribute Mismatch: The Signal Not Everyone Is Looking For

Geographic risk is not just about where a transaction occurs. It is about whether the geographic attributes of a transaction are internally consistent.

When a customer's address is in Ohio, their phone area code maps to New York, their IP address geolocates to Eastern Europe, and their counterparty banks through a Florida institution with no branches within 500 miles of the counterparty's stated address — that constellation of mismatches is itself a risk signal, independent of whether any single attribute triggers an alert.

This is cross-attribute anomaly detection: comparing address to phone, address to IP, phone to IP, customer to counterparty, and counterparty to their financial institution. Each comparison yields a match flag and a distance. When multiple dimensions disagree, the probability of legitimate activity drops sharply.

Traditional monitoring systems evaluate each attribute in isolation. They check whether an IP is on a blocklist. They check whether a phone number is valid. They check whether an address matches KYC records. What they do not check is whether all of those attributes point to the same geography. That gap is where money mules, shell companies, and synthetic identities hide — because the individual data points pass validation even when the composite picture is incoherent.

What "Know Your Geography" Actually Means

KYG is the geographic parallel to KYC. Just as Know Your Customer requires understanding who is transacting, Know Your Geography requires understanding where — and whether "where" is consistent across every data point in a transaction.

In practice, KYG means collecting over a billion data points from government sources (DEA, FinCEN, Census, ONDCP, FDIC), normalizing them across zip code, county, CBSA, state, and country layers, engineering predictive features, and applying machine learning to produce risk scores at the zip code level. The output is not a single flag but a multi-dimensional risk profile: drug trafficking tier, industry risk concentration, border proximity, TBML vulnerability, elderly population concentration, MSB density, and more.

This matters operationally in three places.

At onboarding, geographic risk scores feed directly into CDD risk rating. A customer in a Very High drug trafficking zip with elevated MSB concentration gets proportionate enhanced due diligence — not because the county is flagged, but because the specific zip code warrants it.

In transaction monitoring, geographic enrichment provides new rule dimensions. A wire to a high-elderly-concentration zip from a distant, unknown sender triggers differently than local activity. A counterparty banking 400 miles from their stated address triggers differently than one banking locally. These are signals that do not exist without geographic enrichment.

In investigations, geographic context turns a suspicious activity report from a narrative into a map. When an analyst can see that five SARs in a quarter all involve counterparties in the same three zip codes, and those zip codes sit in a HIDTA region with elevated TBML vulnerability, the investigation has a geographic thesis before the first interview.

The Regulatory Direction Is Clear

FinCEN's actions in 2025 and 2026 are not subtle. The agency is issuing geographic targeting orders with increasing frequency, expanding their geographic scope, and explicitly stating that this model is scalable. The Southwest border GTO has been renewed and expanded three times in twelve months. The Minnesota GTO applied the same framework to benefits fraud in the Midwest. FinCEN's healthcare fraud advisory published in March 2026 noted a 330 percent increase in BSA reporting on healthcare fraud since the pandemic, with geographic concentration as a key detection indicator.

For financial institutions, the question is no longer whether geographic risk matters. It is whether your program can demonstrate that it assesses geographic risk with the same rigor it applies to customer, product, and transaction risk. If your geographic risk assessment still consists of county-level HIDTA flags and a few lines in your BSA/AML risk assessment, you are behind where regulators expect you to be — and behind where the data can take you.

Geography is not a checkbox. It is a risk dimension. And it is time to start treating it like one.