Overview
On April 7, 2026, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a notice of proposed rulemaking (the FinCEN Proposed Rule) that would fundamentally reform the anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements applicable to financial institutions under the Bank Secrecy Act (BSA) as amended by the USA PATRIOT Act and the Anti-Money Laundering Act of 2020 (AML Act). The FinCEN Proposed Rule, which implements key provisions of the AML Act of 2020. The FinCEN Proposed Rule includes proposed rules revising the AML/CFT program requirements for each type of financial institution with a BSA program obligation, including banks, casinos, money services businesses (MSBs), broker-dealers, mutual funds, insurance companies, and futures commission merchants (FCMs), introducing brokers in commodities (IBCs); dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government-sponsored enterprises. The FinCEN Proposed Rule does not yet apply to investment advisers.
On the same day, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration (collectively, the Agencies) issued a companion notice of proposed rulemaking (the Federal Banking Agencies’ Proposed Rule) that proposes conforming amendments to their respective BSA program rules. Both proposed rules are open for public comment through June 9, 2026.
In Depth
Background on the FinCEN Proposed Rule
The FinCEN Proposed Rule implements the AML Act’s directive that AML/CFT programs be risk-based. It also builds on FinCEN’s prior modernization efforts, including the AML Act’s mandate that FinCEN establish government-wide AML/CFT priorities – first issued on June 30, 2021 – for financial institutions to review and, as appropriate, incorporate into their risk assessment processes. The FinCEN Proposed Rule supersedes and withdraws FinCEN’s July 3, 2024, proposed rulemaking on AML/CFT program requirements and reflects FinCEN’s BSA modernization priorities, including reducing unnecessary compliance burdens, enabling institutions to concentrate resources on higher-risk activities, and elevating FinCEN’s role in bank AML/CFT supervision.
FinCEN’s key proposed changes
The FinCEN Proposed Rule introduces a two-part framework that distinguishes between establishing an AML/CFT program and maintaining one. An AML/CFT program is deemed effective if it (1) establishes a program meeting the requirements of the FinCEN Proposed Rule and (2) maintains that program by implementing it in all material respects. What does this mean for financial institutions?
- Establishing an effective AML/CFT program requires designing a risk-based framework that incorporates four core pillars: (1) internal policies, procedures, and controls, including risk assessment processes and, for certain institutions, ongoing customer due diligence ; (2) independent program testing; (3) designation of a US-based AML/CFT compliance officer; and (4) an ongoing employee training program. Establishment of an AML/CFT program includes an ongoing obligation to update the program to reflect significant changes to the financial institution’s risk profile, such as new products or services, geographic markets, or customer types.
- Maintaining an effective AML/CFT program means implementing it in all material respects. FinCEN identifies circumstances that would reflect a material AML/CFT program failure, including (1) consistently failing to execute internal controls because of resource inadequacy, (2) gaps in risk assessment processes that leave higher money laundering and terrorist financing (ML/TF) risks inadequately covered, and (3) data-related issues that materially impair the institution’s ability to mitigate ML/TF risks. Minor AML/CFT program deficiencies would not automatically constitute a failure to maintain an effective program. For banks, a properly established program will not be subject to an AML/CFT enforcement action or significant supervisory action from FinCEN or the federal banking agencies, absent a significant or systemic failure to maintain such a program.
Internal risk-based policies and risk assessment: The FinCEN Proposed Rule requires financial institutions to establish and maintain risk assessment processes as part of their internal policies, procedures, and controls. These processes must (1) evaluate the AML/CFT risks of the institution’s business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT priorities; and (3) be updated promptly upon any change the institution knows or has reason to know significantly alters its AML/CFT risk profile.
The FinCEN Proposed Rule requires institutions to direct more resources toward higher-risk customers and activities than lower-risk ones. The risk assessment process should evaluate the ML/TF risks of the financial institution’s business activities, including evaluating the risks from the institution’s products and services, distribution channels, customers, and geographic locations. The internal risk-based policies should be promptly updated if the financial institution knows or has reason to know of significant changes to its ML/TF risks. FinCEN does not prescribe any particular methodology and acknowledges that community banks may use more streamlined, qualitative approaches commensurate with their size, structure, and complexity.
AML/CFT compliance officers: The FinCEN Proposed Rule requires that an institution’s AML/CFT compliance officer be located in the United States and accessible to FinCEN and the appropriate federal regulators to coordinate and monitor day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN’s implementing regulations. Personnel outside the US may continue to perform certain AML/CFT functions. The FinCEN Proposed Rule does not alter existing guidance prohibiting the sharing of suspicious activity reports (SARs) with overseas personnel except in limited circumstances, such as sharing with a bank’s foreign head office or controlling company for purposes of enterprise-wide AML program management.
Independent program testing: The FinCEN Proposed Rule retains the BSA requirement for an independent audit function to test AML/CFT programs but clarifies that auditors should not substitute their own subjective judgment for the institution’s risk-based program design decisions. Testing must focus on AML/CFT program effectiveness, be conducted by parties truly independent of the AML/CFT function, and avoid conflicts of interest.
Ongoing employee training: The FinCEN Proposed Rule standardizes the AML/CFT training requirement across all financial institutions subject to AML/CFT program rules by adopting the BSA’s statutory language requiring an “ongoing employee training program,” with frequency and content tailored to the institution’s risk profile and personnel roles.
Written AML/CFT program and approval: The written AML/CFT program must be approved by a financial institution’s board of directors, equivalent governing body, or appropriate senior management and made available to FinCEN or its designee upon request. This is a new obligation for casinos and MSBs, which currently have no explicit AML/CFT program approval requirement.
Enforcement and supervisory policy: The FinCEN Proposed Rule indicates that a financial institution with a properly established AML/CFT program, if maintained in all material respects, would generally not be subject to related enforcement action, absent a significant or systemic failure to maintain the program. This limitation does not apply to failures to establish an AML/CFT program or comply with other BSA violations, such as SAR filings or criminal violations of the BSA. The FinCEN Proposed Rule defines “significant AML/CFT supervisory action” broadly but expressly excludes examiner observations, suggestions, and other informal comments.
FinCEN notice and consultation for banks: The FinCEN Proposed Rule requires that, before initiating a significant AML/CFT supervisory action under delegated authority, the federal banking agencies must each give FinCEN’s director at least 30 days’ written notice, accompanied by relevant examination workpapers, the draft supervisory report or proposed public enforcement disclosure, and AML/CFT information submitted by the bank. In determining whether to take enforcement or supervisory action or in reviewing a proposed action, FinCEN’s director must consider (1) the four core pillars of an AML/CFT program; (2) whether the bank has advanced the AML/CFT priorities by providing highly useful information to law enforcement authorities or national security officials, conducting proactive analytics, or performing other innovative activities that demonstrate the effectiveness of the bank’s AML/CFT program; and (3) any other factor the director deems appropriate, including the bank’s size, complexity, and risk profile. No similar FinCEN consultation or advance notice framework applies to supervisory or enforcement actions involving other financial institutions.
The Federal Banking Agencies’ Proposed Rule
The Federal Banking Agencies’ Proposed Rule is designed to align with FinCEN’s Proposed Rule and to eliminate any confusion regarding prior differences in requirements and expectations. The Federal Banking Agencies’ Proposed Rule consolidates various requirements and long-standing expectations into a single written rule. While they generally do not intend to make substantive changes to existing requirements, some new requirements, including that the AML/CFT officer be located in the US, are noteworthy. Like FinCEN’s Proposed Rule, the Federal Banking Agencies’ Proposed Rule adopts a two-pronged framework distinguishing between establishing an AML/CFT program (program design) and maintaining the program (implementation in practice) and identifies achieving effective outcomes as the overarching goal. To that end, the agencies emphasize the importance of appropriate resource allocation – including funds, personnel, and technology – based on the institution’s risk assessment. They also expect more resources to be directed toward higher-risk customers and activities to achieve the purposes of the BSA. Consistent with FinCEN’s approach, a bank with a properly established AML/CFT program would only be subject to enforcement action or significant supervisory action based on the program rule for a “significant or systemic failure” to implement the program – not for isolated, technical, or immaterial deficiencies. The outcome-based rule puts more of the onus on the institutions to effectively identify and manage their risks than check-the-box requirements.
Considerations for financial institutions
While both proposed rules have been described as a sweeping overhaul of the AML/CFT framework, it is not clear whether it will have that effect in practice. As drafted, the proposed rules do not appear to fundamentally change the US AML/CFT regime or materially reduce financial institutions’ compliance burdens. Although it would appear to raise the threshold for AML/CFT supervisory actions – and perhaps enforcement actions – it does not eliminate any BSA obligations, and the standards largely track existing regulatory expectations and guidance. We expect there will be a significant review of the factors considered in risk assessments. But the real significance of the proposed rules will likely turn on how they are applied once they are finalized and implemented.