On April 7, 2026, the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPRM) designed to reform anti-money laundering (AML) and countering the financing of terrorism (CFT) programs under the Bank Secrecy Act (BSA).
As FinCEN explains in the preamble to the NPRM, the proposed rule would materially reshape AML/CFT compliance by replacing a largely technical compliance model with a more effectiveness-based, risk-driven framework. The proposal elevates enterprise risk assessment, clarifies core program expectations, expands FinCEN’s role in major bank supervisory actions, and signals that regulators should focus on significant or systemic failures rather than minor technical issues. Financial institutions should view the NPRM as a modernization proposal that may require updates to governance, risk assessment methodology, testing, officer structure, and documentation.
Consistent with the objective of modernizing the AML/CFT framework, the proposed rule appears to be designed to provide financial institutions with greater flexibility and discretion in mitigating illicit finance risks and to enable them to direct resources toward higher-risk areas rather than lower-risk activities. The proposed rule makes the risk-based approach much more explicit. Institutions are expected to give more attention and resources to higher-risk customers and activities and not spend the same level of effort on lower-risk areas. FinCEN presents that as both better policy and a way to reduce unnecessary compliance burden.
The direction of this proposed rule was foreshadowed in remarks by Treasury Secretary Scott Bessent in April 2025, indicating that Treasury would pursue changes to the AML/CFT framework to focus more squarely on national security priorities and higher-risk activity. As part of its announcement, FinCEN also expressly tied the proposal to Executive Order 14192, Unleashing Prosperity Through Deregulation, issued on January 31, 2025, framing it as a priority of the administration.
The proposed rule would revise FinCEN’s regulations to reflect statutory changes enacted under the Anti-Money Laundering Act of 2020 (the “AML Act”). The AML Act represented the first major overhaul of the U.S. AML regime since the USA PATRIOT Act of 2001, and it included an expansion of FinCEN’s authorities and enhancements to BSA/AML program requirements.
In the proposed rule, FinCEN implements several key amendments made by the AML Act to the BSA framework. First, the AML Act, as codified at 31 U.S.C. § 5318(h)(2)(B), sets out the factors that the Secretary of the Treasury and federal banking regulators must consider when prescribing and supervising AML/CFT program standards. In summary, those factors include: (1) financial institutions expend private compliance resources for both a public and private benefit; (2) access to financial services—including for the underbanked—while preventing illicit use of the financial system is a core policy objective; (3) effective AML/CFT programs advance national security and generate substantial public benefits by preventing illicit finance and supporting law enforcement; and (4) AML/CFT programs should be reasonably designed and risk-based, including directing greater attention and resources to higher-risk customers and activities. These factors are reflected throughout the NPRM, and in the proposed changes to the BSA compliance framework, including that under the proposed rule, minimum standards for AML/CFT program design must be built around them.
Second, the AML Act also requires the Secretary of the Treasury, working with the Attorney General, federal and state regulators, and national security agencies, to establish and publish government-wide AML/CFT priorities. The proposed rule emphasizes these AML/CFT priorities, to include safeguarding the financial system from money laundering and terrorist financing risks, and requires financial institutions to incorporate them into program requirements. Two other AML Act provisions, and their corresponding implementation, in the proposed rule relate to the role of the AML/CFT Officer and nomenclature.
Historically, the BSA has required financial institutions to establish and maintain an AML/CFT program. FinCEN is now drawing a sharp line between “establishment” and “maintenance.” “Establishment” is program design; “maintenance” is actual execution in practice. That distinction is meant to stop regulators from blurring deficiencies in the compliance framework with day-to-day implementation issues. While these concepts are similar, FinCEN draws a distinction between deficiencies in a program’s design (i.e., its establishment) and deficiencies in a program’s implementation (i.e., its maintenance). As to the compliance program, under the proposed rule, AML/CFT programs will still be required to be built around the existing four pillars: (1) internal policies, procedures, and controls including risk assessment processes and, when applicable, ongoing customer due diligence; (2) independent program testing; (3) designation of a U.S.-based compliance officer; and (4) ongoing employee training. As to maintenance, the proposed rule focuses on the financial institutions’ implementation of their established AML/CFT programs and how they work in practice. FinCEN notes that under the proposed rule, forthcoming bank enforcement actions relating to AML/CFT programs will be focused on operational failures to implement the program, rather than criticisms of the program design.
The proposed rule reintroduces the expectation that financial institutions have “effective” AML/CFT programs and clarifies what it means to be “effective,” based on comments received in prior rulemakings. “Effective” core program architecture requires implementation of: risk-based internal policies/procedures/controls (including risk assessment processes and, where applicable, ongoing customer due diligence), independent testing, a U.S.-based AML/CFT officer, ongoing employee training, and a written program approved by the board, equivalent body, or appropriate senior management.
FinCEN is also signaling more room for responsible innovation. The NPRM expressly discusses the use of machine learning, generative AI, digital identity, and blockchain analytics, and says innovation can help show program effectiveness. To improve effectiveness, the proposed rule seeks to encourage financial institutions to consider incorporating new technology or innovative approaches (e.g., machine learning, generative AI, blockchain monitoring, and analytics) to help it more effectively combat financial crime and gives it significant protection to do so. The proposed rule explicitly states that institutions that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely based on the use of innovative technologies. That said, FinCEN also recognizes that adopting new technologies may not be feasible for every financial institution, and for this reason, it does not require the use of any particular technology.
The NPRM would advance FinCEN’s role in bank AML/CFT supervision by requiring consultation before major supervisory/enforcement actions, while also narrowing those actions to significant or systemic failures. The proposed rule would, for the first time, require federal banking regulators to notify and consult with FinCEN prior to taking certain types of supervisory or enforcement actions related to AML/CFT programs of banks. The proposed rule clarifies that such enforcement requirements do not apply to and in no way affect criminal enforcement under the BSA.
For banks, the enforcement and supervision piece is one of the most significant changes. Once a bank has properly established its AML/CFT program, major supervisory or enforcement actions for implementation issues are necessarily reserved for significant or systemic failures, not isolated, technical, or immaterial problems. FinCEN would also get a larger consultation role before certain major bank supervisory actions. Once a bank has properly established an AML/CFT program, bank regulators would be able to bring certain supervisory or enforcement actions only for the most serious deficiencies in the bank’s implementation of its program. For clarity, the proposed rule does not restrict bank regulators from bringing supervisory or enforcement actions for a failure to establish an effective AML/CFT program.
On April 7, 2026, three federal functional bank regulators (the FDIC, OCC, and NCUA) (collectively, the “Agencies”) issued a joint NPRM to revise their respective BSA/AML program requirements to align with FinCEN’s proposed framework (so far, there has been no NPRM from the Federal Reserve). The Agencies’ proposed rule also increases FinCEN’s role in AML/CFT supervision and enforcement as contemplated in FinCEN’s proposed rule. Given that the Agencies have statutory authority through the Federal Deposit Insurance Act and the Federal Credit Union Act to prescribe regulations requiring banks to establish and maintain compliance programs, the Agencies appear to intend for their parallel proposed rule to reduce any additional burden or confusion for banks that may arise from the standards set out in FinCEN’s proposed rule under the BSA.
Risk assessment becomes the backbone of AML/CFT programs under the NPRM. The proposal standardizes that expectation across institution types by expressly requiring all financial institutions to have risk assessment processes. Currently, despite being a common practice, there is no explicit requirement for banks, casinos, money services businesses (MSBs), broker-dealers, mutual funds, futures commission merchants (FCMs), and introducing brokers in commodities to have risk assessment processes.
Specifically, the proposed rule requires risk assessment processes to: (1) evaluate money laundering/terrorist financing (ML/TF) risks from business activities; (2) consider AML/CFT priorities; and (3) update promptly in response to significant changes to ML/TF risks. Financial institutions are also required to identify, assess, and document their ML/TF risks using risk assessment processes when preparing a risk-based set of internal policies, procedures, and controls. The proposed rule does not limit financial institutions to a single risk assessment process, giving financial institutions flexibility to incorporate various risk assessment processes and methodologies; consistent with the proposed rule, each institution’s risk assessment must evaluate risks from the institution’s products, services, distribution channels, customers, and geographies, and be updated promptly with material risk changes. To be clear, the proposed rule expressly states that FinCEN is not prescribing any specific time frame for financial institutions to update their risk assessment processes.
The AML/CFT priorities now matter operationally. Under the proposed rule, financial institutions need to review FinCEN’s national AML/CFT priorities and incorporate them as appropriate into their risk assessment processes, rather than treating them as a generic overlay.
The proposed rule makes the risk-based approach much more explicit. Institutions are expected to give more attention and resources to higher-risk customers and activities and not spend the same level of effort on lower-risk areas. FinCEN presents that as both better policy and a way to reduce unnecessary compliance burden. This is intended to give financial institutions more flexibility to focus resources and attention on areas that may be more effective at detecting, reporting, and preventing the flow of illicit funds, as financial institutions are best positioned to identify and evaluate their ML/TF risks. Such attention and resource allocation decisions are expected to be informed by the financial institution’s reasonably designed risk assessment processes.
The AML Act clarifies that the responsibility to establish, maintain, and enforce an AML/CFT program must remain with persons located in the United States who are accessible to, and subject to oversight by, the Treasury and the appropriate federal functional regulators. The U.S.-based AML/CFT officer requirement is important for global institutions, but the proposal does not require all AML staff to sit in the United States. Other personnel can still perform certain AML/CFT functions abroad, while existing limits on sharing Suspicious Activity Reports outside the United States generally remain in place.
The proposed rule would also require that the written AML/CFT program is approved by the financial institution’s board of directors or an equivalent governing body within the financial institution, or appropriate senior management. This proposed update to the approval requirement will allow some financial institutions to elect to have their board of directors approve their written program and others to meet the approval requirement with other types of governing bodies or individuals with similar status (e.g., a sole proprietor, senior officers, a trustee). With respect to foreign banks with a U.S. branch, the “equivalent governing body” to the board of directors may be the foreign bank’s board of directors or delegates acting under the board’s express authority. This requirement under the proposed rule remains consistent with the compliance program approval requirement under Regulation K, which governs the U.S. operations of foreign banks.
Section 6101(b) of the AML Acts amends the BSA to expressly incorporate “countering the financing of terrorism” alongside traditional AML obligations in the statutory program requirements. The proposed rule would update the regulations to reflect this new statutory language. FinCEN clarifies that this change does not impose new programmatic requirements, but rather seeks to standardize terminology, as the USA PATRIOT Act already requires financial institutions to consider terrorist financing risks.
The proposed rule makes several additional changes for the sake of clarity and consistency in the AML program rules. Most, but not all, are technical and with minimal substantive effect. Of note, the proposed rule would define “AML/CFT priorities” at 31 C.F.R. 1010.100(nnn) to mean “the most recent statement of Anti-Money Laundering and Countering the Financing of Terrorism National Priorities issued pursuant to 31 U.S.C. 5318(h)(4).”
Overall, FinCEN is seeking a more modern, flexible, and effectiveness-oriented AML/CFT regime that places greater responsibility on institutions to assess their own risks, allocate compliance resources proportionately, and demonstrate that their programs produce useful outcomes for law enforcement and national security.
In practical terms, near-term homework for financial institutions includes starting with a gap assessment now on risk-assessment methodology, examining how resources are allocated by risk. Financial institutions should also start to assess their governance approvals, officer location/authority, and how to actually evidence “effectiveness.”
The proposed rule expressly supersedes FinCEN’s prior proposed rule issued on July 3, 2024, which has now been withdrawn. The public comment will be open through June 9, 2026, and the agency proposed a 12-month implementation period after issuance of the final rule.