FinCEN Proposes Reforms to AML/CFT Program Requirements

On April 10, 2026, FinCEN published the Proposed Rule to implement provisions of the AML Act and amend FinCEN regulations prescribing the minimum requirements for AML/CFT programs for a broad range of financial institutions including banks, casinos and card clubs, money services businesses (MSBs), brokers or dealers in securities (broker-dealers), mutual funds, insurance companies, futures commission merchants (FCMs) and introducing brokers in commodities (IBCs).[1]

The Proposed Rule reflects Treasury’s priority of BSA reform and modernization and is consistent with Treasury Secretary Scott Bessent’s April 2025 remarks, where he indicated that Treasury would “advocate for changes to the AML/CFT framework to truly focus on national security priorities and higher-risk areas.”[2] The Proposed Rule would introduce several reforms to AML/CFT program compliance and supervision.

Key Proposed Changes

Supervisory Expectations Would Focus on AML/CFT Program Effectiveness

The Proposed Rule would refocus supervisory expectations on effectiveness by introducing a two-pronged framework that distinguishes between deficiencies stemming from the AML/CFT program’s design (i.e., establishment) from failures in the AML/CFT program’s operation (i.e., maintenance). FinCEN introduced this framework to help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design with criticisms of day-to-day implementation.

Under this framework, a financial institution would have an effective AML/CFT program – and would comply with the requirements of 31 U.S.C. § 5318(h)(1) – if it: (1) establishes and keeps current, on an ongoing basis as its risk profile evolves, a program that incorporates the traditional four core AML/CFT program pillars as described below; and (2) maintains the program by implementing it in all material respects.

FinCEN acknowledges that an effective program need not prevent every minor instance of illicit finance misuse and that it is not possible for a financial institution to detect and report all potentially illicit transactions.

AML/CFT Program Pillars

While the Proposed Rule retains the traditional four AML/CFT program pillars, some components are subject to change to align with the Proposed Rule’s focus on program “effectiveness.”

1. Risk-Based Internal Policies, Procedures, and Controls. As described in further detail below, policies, procedures, and controls must be reasonably designed to ensure the institution’s compliance with the BSA, and be informed by the institution’s risk assessment processes. Policies, procedures and controls should also review and incorporate, as appropriate, the AML/CFT priorities,[3] be updated “promptly” upon any changes that the institution knows significantly changes its AML/CFT risks, and mitigate risk by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the institution, rather than toward lower-risk customers and activities.[4] For covered financial institutions – banks, broker-dealers, mutual funds, FCMs, and IBCs – the Proposed Rule also retains and integrates ongoing customer due diligence as a component of internal policies, procedures, and controls.
2. Independent AML/CFT Program Testing. The Proposed Rule clarifies the expectation that independent testing should be based on objective criteria designed to assess whether a financial institution has effectively established, implemented, and resourced an AML/CFT program consistent with its risk assessment processes. AML/CFT program testing may be conducted by either institution personnel or an outside party, but in all cases must be independent, providing that AML/CFT officer, as well as personnel who report directly or indirectly to the AML/CFT officer, generally would not qualify as sufficiently independent.[5] Similarly, outside parties conducting testing must not perform other AML/CFT functions for the institution, as doing so would impair their ability to be independent.[6]
3. Designated AML/CFT Officer Located in the United States. The Proposed Rule would implement the AML Act’s requirement that the duty to establish, maintain, and enforce a financial institution’s AML/CFT program remains with persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate federal functional regulator.[7] While the Proposed Rule appears to address comments submitted during the 2024 Program NPRM comment period regarding the permissibility of foreign-located personnel performing AML/CFT support functions by noting that such personnel “would still be permitted to perform certain AML/CFT functions,” the scope and extent of these activities and functions remains unclear and subject to comments.[8]
4. Ongoing Employee Training Program. The Proposed Rule would standardize the training requirements across all financial institution types. Frequency and content of training should be commensurate with the institution’s ML/TF risk profile and the roles and responsibilities of those receiving training.

Codification of Risk Assessment Processes

Although financial institutions commonly maintain risk assessment processes, current AML/CFT program rules do not require them in a uniform manner across institution types. The Proposed Rule would adopt consistent language requiring such processes as part of an institution’s internal policies, procedures, and controls. FinCEN uses the plural term “risk assessment processes” intentionally, reflecting its recognition that institutions may employ multiple, continuous, or overlapping processes – rather than a single (commonly annual) risk assessment – to identify, assess, and document their ML/TF risks. Risk assessment processes must: (i) evaluate the ML/TF risks of the institution’s business activities, including products, services, distribution channels, customers, and geographic locations; (ii) review and, as appropriate, incorporate the AML/CFT priorities issued by FinCEN; and (iii) be updated promptly upon any change that the institution knows or has reason to know significantly changes its ML/TF risk profile.

FinCEN identifies several examples of events triggering updates to risk assessment processes, including: (i) the introduction of new products, services, or customer types; (ii) significant changes to existing products or services; (iii) adoption of new risk mitigation technology; and (iv) institutional changes, such as mergers, acquisitions, divestitures, or liquidations. External developments – such as new FinCEN advisories or emerging threat typologies – may also trigger an update where the institution knows, or has reason to know, that such development significantly changes its risk profile.

Incorporation of FinCEN’s AML/CFT Priorities

The Proposed Rule proposes requiring financial institutions to review the AML/CFT priorities and incorporate them into their risk assessment processes “as appropriate.”[9] A financial institution may, after reviewing the AML/CFT priorities, determine that a particular priority is not applicable to its business model or presents lower risk given its customer base and activities. However, FinCEN cautions that a “surface-level, perfunctory review” of the AML/CFT priorities will not satisfy this requirement.[10]

Codification of Risk-Based Resource Allocation

The Proposed Rule would adopt the AML Act’s statutory requirement that AML/CFT programs be “risk-based, including ensuring that more attention and resources of financial institutions…[are] directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”[11] FinCEN envisions that financial institutions will have significant flexibility and discretion in their decisions and determinations related to risk identification and risk allocation. However, examiners would be expected to assess whether: (i) an institution’s resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect to implementation, whether the institution knows or should know of resource-related issues involving its internal policies, procedures and controls and other mandatory elements that may result in its failure to implement its AML/CFT program in all material respects and failing to address such issues.

Board or Senior Management Approval

The Proposed Rule would require that each financial institution’s written AML/CFT program be approved by its board of directors, an equivalent governing body, or appropriate senior management. An “equivalent governing body” may encompass a sole proprietor, general partner, trustee, or a grouping of owners, senior officers (including board committees), senior management, or other persons with functions and authority similar to a board.[12] This requirement would represent a new obligation for casinos and MSBs, which currently have no explicit program approval requirement under FinCEN’s rules.

New Supervision and Enforcement Framework for Banks

The most operationally significant change in the Proposed Rule for banks is the introduction of a formal supervision and enforcement framework. This framework would apply exclusively to banks and the federal banking agencies (OCC, Federal Reserve Board, FDIC, and NCUA) in their capacity as FinCEN’s delegated examiners.

The Proposed Rule would establish a mandatory consultation process requiring federal banking agencies to provide FinCEN with at least 30 days’ written notice prior to initiating a significant AML/CFT supervisory action.[13] The notice must be accompanied by the relevant AML/CFT information, including the relevant portions of the draft examination report or enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the bank to the agency (except for privileged materials).

FinCEN would have an opportunity to review the proposed action and provide input – including its view as to the effectiveness of the bank’s AML/CFT program – before the action proceeded. The 30-day period may be shortened at the federal banking agency’s sole discretion when necessary to remedy an unsafe or unsound practice or condition.

When determining whether to take an AML/CFT enforcement action or significant supervisory action, or when reviewing a proposed action, FinCEN would consider factors including, among others, the financial institutions’ spending on compliance costs, the extension of financial services to the underbanked while preventing criminal abuse, the extent to which the bank has advanced the AML/CFT priorities by providing highly useful information to law enforcement, whether the institution has conducted proactive analytics, or performed other innovative activities producing demonstrable outputs evidencing effectiveness of the AML/CFT program.

Key Takeaways and Next Steps

The Proposed Rule seeks to revise the AML/CFT program framework to emphasize program effectiveness, promote clarity and consistency across FinCEN’s program rules for different types of institutions, and modernize federal supervision by enhancing FinCEN’s role in AML/CFT oversight and enforcement in coordination with the federal banking regulators. As drafted, the Proposed Rule would require institutions to reframe their compliance programs to focus on demonstrating effectiveness, enhance risk assessment processes and documentation of decision-making, ensure that program execution aligns with program design, and internal controls align with FinCEN’s AML/CFT priorities, as appropriate.

While the Proposed Rule’s objectives and direction are generally welcomed by the industry, its ultimate impact will depend on how key concepts are defined and applied in supervision and enforcement. Absent clear standards and consistent interagency implementation, there is a risk that the Proposed Rule could replicate the process-driven, “check the box” compliance model it seeks to replace. Therefore, financial institutions should consider engaging in the rulemaking process to help shape definitions and expectations that are clear, practical, and capable of effective implementation, while advancing the Proposed Rule’s stated objectives.

Comments on the Proposed Rule must be submitted to FinCEN by June 9, 2026.

[1] The 11 categories of financial institutions subject to AML/CFT program requirements are enumerated at 31 C.F.R. §§ 1020.210, 1021.210, 1022.210, 1023.210, 1024.210, 1025.210, 1026.210, 1027.210, 1028.210, 1029.210, and 1030.210.  The Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration, released a corresponding Notice of Proposed Rulemaking that would apply to banks subject to their jurisdiction and is intended to align with changes that are concurrently proposed by FinCEN.  Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18304 (Apr. 10, 2026). The Board of Governors of the Federal Reserve System did not join the Notice of Proposed Rulemaking and has not issued its own proposal yet.

[2] 91 Fed. Reg. at 18,708 (quoting Treasury Secretary Scott Bessent, Remarks before the Fed Community Bank Conference (Oct. 9, 2025)).

[3] FinCEN, AML and CFT Priorities (June 30, 2021).

[4] In the Proposed Rule, FinCEN also encouraged financial institutions to responsibly adopt innovative technologies – including machine learning, generative artificial intelligence, digital identity tools, blockchain analytics, and application programming interfaces (APIs) – as part of their reasonably designed internal policies, procedures, and controls. Pursuant to the Proposed Rule, institutions that experiment with such technologies will not face additional supervisory or enforcement risk solely as a result of that experimentation. 91 Fed. Reg. at 18,712-13.

[5] 91 Fed. Reg. at 18718.

[6] 91 Fed. Reg. at 18719.

[7] 31 U.S.C. § 5318(h)(5).

[8] 91 Fed. Reg. at 18720.

[9] Id. at 18718.

[10] FinCEN also notes that the AML/CFT Priorities – first published in June 2021 – may not always reflect the most current government concerns with respect to specific threat typologies. FinCEN’s Advisory Program, Financial Trend Analyses, and other published guidance serve as important supplemental sources that financial institutions should consult to ensure their risk assessment processes account for evolving threats. Id. at 18,716.

[11] 31 U.S.C. § 5318(h)(2)(B)(iv)(II); 91 Fed. Reg. at 18708.

[12] 91 Fed. Reg. at 18721.

[13] “Significant AML/CFT supervisory action” is defined as any written communication or formal supervisory determination that identifies alleged deficiencies, weaknesses, or violations relating to an AML/CFT requirement; communicates supervisory expectations requiring corrective measures; and contemplates significant or programmatic remediation to be taken by the bank. Examiner observations, suggestions, and informal comments are expressly excluded from this definition. Id. at 18721-22.