FinCEN and Federal Banking Agencies Propose Major Shift in AML/CFT Program Requirements

The Financial Crimes Enforcement Network (FinCEN) issued a sweeping proposed rule that would significantly overhaul anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements under the Bank Secrecy Act (BSA). The proposal was released in parallel with a separate proposed rule issued by the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA) (the Banking Agencies), applicable to national banks, state nonmember banks, and federal credit unions, intended to align the Banking Agencies' supervisory frameworks and enforcement processes with FinCEN's proposed new standard to ensure consistent standards between FinCEN and the Banking Agencies.

FinCEN's new proposed rule withdraws and supersedes the prior 2024 Notice of Proposed Rulemaking.

The proposed rules represent one of the most consequential efforts to modernize the BSA framework, implementing key provisions of the Anti-Money Laundering Act of 2020 (AML Act) while seeking to recalibrate supervisory expectations toward program effectiveness rather than technical compliance. For banks, money services businesses (MSBs), broker dealers, and other covered financial institutions, the proposed rules signal a meaningful shift in how AML/CFT programs would be designed, evaluated, and enforced.

FinCEN and the Banking Agencies propose that the new rules become effective 12 months from the date of issuance of final rules. Comments on both proposed rules and their proposed effective dates are due by June 9, 2026.

Key Takeaways

• Refocus on "effectiveness" over technical compliance: The proposed rules are designed to refocus compliance obligations and supervisory expectations on effectiveness. This shift reflects the view of Treasury Secretary Scott Bessent that past supervision of AML/CFT programs had "too often involved a 'zero tolerance focus on process and documentation … and judgments that were not always consistent with the law or our national security priorities,'" and that financial institutions are best positioned to identify and evaluate risk and make decisions in accordance with their risk identification and resource allocation.
• More attention and resources spent on higher-risk customers and activities: The proposed rules emphasize that AML/CFT programs should be risk-based, with more attention and resources directed toward high-risk customers and activities rather than toward lower-risk customers and activities. The proposals would allow financial institutions more flexibility to allocate their focus and resources as they deem appropriate, without concern for supervisory criticism or regulatory action from examiners.
• Opportunity to leverage technology and innovation: FinCEN's and the Banking Agencies' explicit acknowledgement of the use of new technologies and innovative approaches, including effective use of artificial intelligence, to combat financial crime is notable. FinCEN and the Banking Agencies indicate that banks that responsibly incorporate technologies into their AML/CFT programs would not incur any additional risk of being subject to a significant supervisory action or enforcement action solely based on the effective use of innovative technologies including AI and other advanced monitoring tools.
• U.S.-based AML/CFT Officer: The proposals would implement the AML Act's requirement that financial institutions have an AML/CFT Officer located in the United States and accessible to FinCEN and its designee. However, the proposed rules would still allow personnel located outside of the United States to perform certain AML/CFT functions. This would grant financial institutions with cross-border operations latitude in determine how to best structure and staff its AML/CFT program.
• Increased centralization of AML/CFT oversight: FinCEN's enhanced role in the supervisory process—particularly through the proposed notice and consultation framework—signals an intention to move toward greater national consistency in AML/CFT enforcement. This may benefit institutions operating across multiple jurisdictions, including large banks and other national financial institutions.

Key Elements of the Proposed Rules

A number of the changes to the existing AML/CFT program requirements in the proposed rules are intended to standardize language across the various existing regulations applicable to different types of financial institutions. Among the more significant elements of the proposed rules are the following:

An Effective, Risk-Based, and Written AML/CFT Program

The proposals would focus existing program requirements on effectiveness and clarify the standards for an effective AML/CFT program.

The proposed rules would require financial institutions to establish and maintain an effective, risk-based AML/CFT framework incorporating the four existing required BSA components:

1. Internal policies, procedures, and controls including risk assessment processes and, when applicable, ongoing customer due diligence;
2. Independent program testing;
3. Designation of a U.S.-based compliance officer; and
4. Ongoing employee training.

A program would be deemed "effective" if it is: (1) "established" in accordance with the proposed rules' establishment requirements, meaning that the AML/CFT program incorporates all of the required components; and (2) "maintained," meaning that a properly established program is implemented in all material respects.

Under the proposed rules' establishment requirements, one-time adoption of the elements for program establishment would be insufficient. The proposed rules would require financial institutions to keep their programs current as its risk profile evolves.

Finally, the proposed rules would standardize the generally applicable requirements in AML/CFT program rules that financial institutions maintain a written AML/CFT program—approved by the board of directors, an equivalent governing body, or appropriate senior management—and make a copy of it available upon request to FinCEN, appropriate federal regulators, or their designees.

Internal Policies, Procedures, and Controls

The proposals would require financial institutions to establish risk-based internal policies, procedures, and controls that are reasonably designed to:

1. Identify, assess, and document the financial institution's money laundering, the financing of terrorism, and other illicit finance risks (ML/TF risks) through risk assessment processes;
2. Mitigate the financial institution's ML/TF risks consistent with the financial institution's risk assessment processes, including by allocating more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities; and
3. For banks, broker dealers, mutual funds, and futures commission merchants and introducing brokers in commodities, conduct ongoing customer due diligence, including understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

The Preambles to both proposals note that the internal policies, procedures, and controls of a financial institution should align with its size, structure, risk profile, and overall complexity.

Risk Assessment Processes

The proposed rules would make explicit that financial institutions must establish and maintain risk assessment processes as part of their internal policies, procedures, and controls. Risk assessment processes would have to:

1. Evaluate the ML/TF risks of the financial institution's business activities, including products, services, distribution channels, customers, and geographic locations;
2. Review and, as appropriate, incorporate the AML/CFT Priorities issued by FinCEN under the AML Act; and
3. Be updated promptly upon any change that the financial institution knows or has reason to know significantly changes the institution's ML/TF risks.

If adopted as proposed, an explicit risk assessment process would be a new requirement for many financial institutions, including banks, MSBs, and broker dealers.

Independent Testing

The proposed rules would retain the existing requirement that financial institutions have an independent audit function to test their AML/CFT programs.

The Preambles provide that independent program testing should be focused on whether the AML/CFT program is effective and identify issues and areas for remediation.

They further clarify that independent testing should be based on objective criteria designed to assess whether a financial institution has effectively established and maintained an AML/CFT program and allocated resources consistent with its risk assessment processes, and related program governance is sufficient to manage risks and apply compensating controls where necessary. FinCEN and the Banking Agencies would expect auditors to be sufficiently independent, have expertise and experience necessary to perform testing effectively, and not substitute their own subjective judgment in place of the financial institution.

U.S.-Based AML/CFT Compliance Officer

The proposed rules retain the existing requirement that financial institutions must have a designated compliance officer (the AML/CFT Officer) responsible for establishing and implementing the AML/CFT program and overseeing day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations. However, the proposals would also require that the AML/CFT Officer be located in the United States and be accessible and subject to oversight and supervision by FinCEN and the appropriate federal regulators.

The Preambles recognize that currently financial institutions may perform certain AML/CFT tasks outside of the United States. This would continue to be permitted under the proposed rules. However, financial institutions would still generally be prohibited in most cases from sharing suspicious activity reports with personnel located outside of the United States.

Ongoing Employee Training Program

The proposed rules would standardize existing training requirements for appropriate personnel by uniformly adopting the BSA's statutory language requiring an "ongoing employee training program," a nonsubstantive clarification. FinCEN and the Banking Agencies would generally expect training to address the institution's internal policies, procedures, and controls, risk assessment results, and current regulatory requirements. They would also expect the frequency and content of trainings to be consistent with the institution's risk profile and the roles and responsibilities of the personnel receiving the training.

Supervision and Enforcement Framework of Banks' AML/CFT Programs

The proposed rules would introduce a new FinCEN enforcement and supervisory policy for banks. Specifically, if a bank has properly established its AML/CFT program under the proposed rules, FinCEN would not take an enforcement action and FinCEN, or one of the federal banking agencies acting under delegated supervisory authority, would not take a significant supervisory action against the bank, except with respect to a significant or systemic failure to implement the AML/CFT program.

The proposed rules would also centralize FinCEN's role in AML/CFT supervision by requiring the federal banking agencies, when acting under delegated supervisory authority, to provide the FinCEN Director with least 30 days' advance written notice, absent urgent circumstances, to review and provide input before initiating a significant AML/CFT supervisory action.

The proposals would establish that, in determining whether to pursue an enforcement action or a significant supervisory action, or when reviewing a proposed supervisory action by a federal banking supervisor, FinCEN's Director must consider:

1. The four statutory factors that the AML Act requires FinCEN to take into account when prescribing minimum AML/CFT program standards (codified at 31 U.S.C. § 5318(h)(2)(B));
2. The extent to which the bank, where appropriate in light of its size, complexity, and risk profile, has advanced AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, conducting proactive analytics, or employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank's AML/CFT program; and
3. Any other factor that FinCEN's Director may deem appropriate.

Request for Comments

FinCEN and the Banking Agencies pose 29 questions for comment and solicit comments on all other aspects of the proposed rule, including the proposed effective date.

Looking Ahead

The proposed rulemakings reflect a philosophical shift in how AML/CFT regulation should be conceived and supervised in the United States. By prioritizing effectiveness, risk-based decision-making, and innovation, FinCEN and the Banking Agencies are signaling a move toward a more flexible compliance environment, without losing touch with the responsibility of a financial institution to establish and maintain an effective AML/CFT program.

Covered financial institutions should consider engaging in the rulemaking process and begin assessing how their existing programs align with the proposed framework—particularly with respect to risk assessment, allocation of AML/CFT responsibilities, and implementation of new technologies and innovative approaches.

+++

Eric Goldberg is a partner in the Seattle office, Andy Lorentz is a partner in the Washington, D.C. office, and Michael Treves is an associate in the Washington, D.C. office of DWT. For questions or more insights, reach out to the authors or another member of our financial services team and sign up for our alerts.