Summary
On April 7, the Financial Crimes Enforcement Network (“FinCEN”) issued a Notice of Proposed Rulemaking (“NPRM”) that, if implemented, would reform the requirements for financial institutions to maintain an “effective” AML/CFT program under the Bank Secrecy Act (“BSA”).[1] Certain Federal Financial Institutions Regulatory Agencies (“FFIRAs”),[2] including the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the National Credit Union Administration (“NCUA”), released a corresponding NPRM that would apply to banks subject to their jurisdiction that is “intended to align with changes that are being concurrently proposed by [FinCEN].”[3] Notably, one FFIRA, the Board of Governors of the Federal Reserve (“FRB”), did not join the NPRM or issue its own NPRM.
The proposed rules intend to facilitate the refocusing of financial institutions’ BSA compliance obligations on effective, risk-based AML programs rather than, in the words of Secretary of the Treasury Scott Bessent, the “volume of paperwork” those programs currently generate.[4] A new role proposed for FinCEN in overseeing supervisory actions by the FFIRAs signals particular interest in maintaining that refocused emphasis with respect to banks. Below are key proposed changes that banks and other financial institutions should be aware of, as well as related observations. Comments on these NPRMs are due by June 9, 2026.
Important Proposed Changes
- FinCEN’s proposed rule would create a “two-pronged framework” under which a financial institution’s “establishment” of its AML/CFT program would be evaluated separately from its “implementation.”[5]
- The proposed rule appears intended to lead to reduced scrutiny for non-material or de minimis deficiencies in implementation. According to the preamble, once a bank has properly established its AML/CFT program, the proposed rule would “raise the threshold for significant supervisory or enforcement actions based solely on implementation deficiencies.”[6]
- Banks would only face an AML/CFT enforcement action or significant supervisory action for implementation of its AML/CFT program if there were “significant or systemic failure[s] … in all material respects” in its implementation.[7]
- This change is designed to shift focus away from merely “isolated, technical, or immaterial implementation deficiencies.”[8]
- Consistent with the AML Act of 2020, FinCEN’s proposed rule would codify the requirement that financial institutions’ AML/CFT programs be risk-based and “direct more attention and resources toward higher-risk customers and activities … rather than toward lower-risk customers and activities.”[9]
- Consistent with prior statements, FinCEN emphasized in the preamble that “it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through the institution.”[10]
- This broad change is intended to shift the supervisory framework away from “mere technical compliance” toward allowing financial institutions to focus their limited compliance resources on “combatting and preventing ML/TF.”[11]
- FinCEN’s proposed rule would codify the requirement that financial institutions establish risk assessment processes to facilitate the adoption of a true risk-based approach that allocates greater resources toward higher-risk areas. Indeed, the acceptability of shifting resources from lower-risk activity to higher-risk activity may depend in some measure on the quality of a financial institution’s risk assessment.
- These risk assessment processes should: “(1) evaluate the ML/TF risks of the financial institution’s business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT Priorities [promulgated by the Treasury Department]; and (3) be updated promptly upon any change that the financial institution knows or has reason to know significantly changes the institution’s ML/TF risks.”[12]
- This requirement would reflect FinCEN’s belief that “financial institutions are best positioned to identify their ML/TF risks”[13] and would largely align with the administration’s desire to “significantly reduce the private expenditures required to comply with Federal regulations.”[14]
- FinCEN in part intends for this more deferential approach to mitigate the risk that financial institutions will be “inappropriately pressured into closing customer accounts,”[15] which is consistent with the administration’s broader efforts to address the perceived ills of debanking.
- In a notable shift, FinCEN’s proposed rule, if implemented, would provide FinCEN, as the statutory administrator of the BSA, with an opportunity to review before an FFIRA institutes a “significant AML/CFT supervisory action”[16] against a bank when acting pursuant to authority delegated by FinCEN.
- The proposed rule would require FFIRAs, when acting under supervisory authority delegated by FinCEN, to provide FinCEN with written notice at least 30 days prior to taking a significant supervisory action. The regulator would be required to consider FinCEN’s input.[17]
- FinCEN stated that this proposed opportunity to review is intended to promote “consistent approaches to AML/CFT supervision” and better outcomes for both banks and law enforcement.[18]
- FinCEN’s proposed rule also sets out the factors that the Director of FinCEN should consider before pursuing an enforcement action or significant supervisory action.
- These factors include: “(i) the four statutory factors required by the AML Act, (ii) the extent to which the bank advances AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, (iii) and whether the bank is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank’s AML/CFT program.”[19]
- The FFIRA NPRM largely mirrors the requirements set forth in FinCEN’s NPRM. Notably, the FFIRA NPRM specifies that FinCEN’s opportunity to review would also apply to any “AML/CFT enforcement action” brought by an FFIRA “under authority of 12 U.S.C. 1818, 1786, or other applicable law.”[20]
Observations
These NPRMs signal an effort to shift away from technical, “check-the-box” requirements for AML/CFT programs toward a more deferential, “effectiveness”-based enforcement approach—aligning AML/CFT supervision with Treasury’s stated goal of producing more “useful” information for national security and law enforcement purposes. In that sense, the proposals are not just regulatory changes, but part of a broader reorientation of the BSA framework back to its original purpose, which has been a focus for the Trump Administration.
The proposed emphasis on financial institution discretion and risk-based design could represent a meaningful recalibration of the supervisory dynamic. If implemented as written, institutions may have stronger footing to challenge hindsight-driven critiques or expectations untethered from their documented risk assessments. The “two-pronged” establishment-versus-implementation framework also has the potential to materially raise the threshold for enforcement, particularly for isolated or technical deficiencies. A key open question will be how regulators interpret “significant or systemic failures … in all material respects,” and whether that standard is applied consistently across agencies.
The codification of risk assessment requirements—while largely consistent with existing expectations—may increase scrutiny on documentation, governance, and the linkage between risk assessments and program design. Financial institutions should continue to ensure their risk assessment processes can effectively identify higher-risk activity and distinguish it from lower-risk activity. In particular, the proposal makes clear that financial institutions are expected to orient their AML/CFT programs around identifying higher-risk activity, even if that means drawing resources away from lower-risk areas. This, in turn, places significant weight on the ability of financial institutions’ risk assessment processes to distinguish higher-risk activity from lower-risk activity and to align controls accordingly. The quality of a bank’s risk assessments could become an important protection against regulatory scrutiny. Conversely, if inadequate, the risk assessment could open up the program as a whole to significant criticism. Although banks have long conducted risk assessments, the proposal reflects a shift in how those assessments are expected to function—i.e., as a central mechanism for allocating resources and prioritizing risk.
The proposed role given to FinCEN by these NPRMs may signal efforts by FinCEN to promote cross-agency consistency and could be impactful for banks, depending on how it is operationalized. At the same time, the review process may call attention to AML/CFT program weaknesses that historically would have been resolved exclusively through FFIRA supervisory processes. Importantly, FinCEN’s proposed supervisory role would only apply to supervisory and enforcement actions brought against banks.
Notably, the FRB, one of the FFIRAs, did not join the NPRM with the OCC, FDIC, and NCUA. This could signify the FRB’s disagreement with FinCEN’s proposed changes, including its new oversight role with respect to supervisory actions. The FRB joined the previous NPRM issued by the FFIRAs on August 9, 2024.[21] A central objective of AML/CFT reform has been to ensure alignment among FinCEN and all of the FFIRAs—any divergence by the FRB could complicate that goal and introduce fragmentation into the supervisory framework. Despite the FRB’s absence, FinCEN’s Fact Sheet[22] and “Key Changes” document,[23] released along with the NPRM, both state that the proposed rule was prepared “in consultation with” the FRB (along with the other FFIRAs).
This rulemaking arrives against the backdrop of heightened DOJ and Treasury focus on fraud—particularly fraud involving federal programs and benefits. Recent initiatives—including the creation of a DOJ national fraud enforcement function[24] and FinCEN advisories targeting benefits-related fraud[25]—underscore that even as regulators emphasize flexibility and reduced burden, expectations around identifying high-impact illicit activity may increase in practice.
Overall, while the NPRMs articulate a more flexible, risk-based framework, their practical impact, if implemented as proposed, would depend heavily on implementation—particularly whether examination and enforcement practices evolve in parallel with the stated policy shift. An approach that continues to rely heavily on implementation may ultimately result in only a limited shift to the existing paradigm.
[2] In its NPRM, FinCEN proposes defining the OCC, FDIC, NCUA, and FRB as the FFIRAs.
[3] Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18304 (Apr. 10, 2026).
[5] See, e.g., Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18704, 18752 (Apr. 10, 2026).
[10] Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18704, 18712 (Apr. 10, 2026).
[14] See id. at 18708 (quoting Exec. Order No. 14192, 90 Fed. Reg. 9065 (Feb. 6, 2025)).
[15] Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18704, 18709 (Apr. 10, 2026).
[16] A “significant AML/CFT supervisory action” is defined as “any written communication or other formal supervisory determination issued by FinCEN or a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter that, in either case—(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement; (ii) Communicates supervisory expectations to a bank regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and (iii) Contemplates significant or programmatic actions or remedial measures to be taken by the bank.” Id. at 18753. The term does not include “examiner observations, suggestions, or other informal comments.” Id.
[19] Fin. Crimes Enf’t Network, Fact Sheet: Proposed Rule to Fundamentally Reform Financial Institution AML/CFT Programs, at 5, available at https://www.fincen.gov/system/files/2026-04/Program-NPRM-FactSheet.pdf (Apr. 7, 2026). The statutory factors required by the AML Act include that (i) “financial institutions subject to AML/CFT program requirements are spending private compliance funds for public and private benefit”; (ii) “the AML Act has a policy goal of extending financial services to the underbanked and facilitating their financial transactions while preventing criminal persons from abusing formal or informal financial services networks”; (iii) “effective AML/CFT programs safeguard national security and generate significant public benefits, and that such programs should be reasonably designed to ensure compliance with the BSA and the regulations promulgated by FinCEN”; and (iv) “AML/CFT programs should be risk-based, with more financial institution attention and resources toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” Id. at 2.
[20] See, e.g., Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18304, 18316 (Apr. 10, 2026). The FFIRA NPRM defines an “AML/CFT enforcement action” as “any formal or informal action taken by [an FFIRA] under authority of 12 U.S.C. 1818, 1786, or other applicable law, that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement,” which includes “a cease-and-desist order, written agreement, consent order, or memorandum of understanding, or the assessment of a civil money penalty.” Id.
[21] Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements, 89 Fed. Reg. 65242 (Aug. 9, 2024).