FinCEN Proposes Program Rule to “Fundamentally Reform” BSA/AML Compliance

Introduction

On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) announced a Notice of Proposed Rulemaking (“NPRM” or “Proposed Rule”) intended to “fundamentally reform” financial institutions’ anti‑money laundering and countering the financing of terrorism (“AML/CFT”) programs under the Bank Secrecy Act (“BSA”), while “decreasing compliance burden.”[1] The proposal—which supersedes the version issued during the Biden Administration—is a much-anticipated milestone in this Administration’s efforts to modernize the BSA and implement the AML Act of 2020.

The Proposed Rule has four principal objectives. First, FinCEN stated that the Proposed Rule is intended “to ensure that financial institutions’ AML/CFT programs are appropriately risk‑based, such that compliance with their program obligations is focused on the goals of the BSA . . . rather than mere technical compliance.”[2] Treasury Secretary Scott Bessent stated that the proposal “restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.”[3] Second, the Proposed Rule is intended to elevate FinCEN’s role in supervising banks’ AML programs, giving the agency an opportunity to provide input on certain bank supervisory actions by the federal banking agencies—the Federal Reserve Board of Governors (“Fed”), the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the National Credit Union Administration (“NCUA”) (collectively, the “federal banking agencies”). Third, the Proposed Rule would focus FinCEN and federal banking agency enforcement and significant supervisory actions regarding banks on violations involving failures to establish an effective AML/CFT program, rather than failures to maintain an effective program, absent a “significant or systemic failure” in the program’s maintenance. Finally, the Proposed Rule is intended to incentivize financial institutions to “provide[e] highly useful information to law enforcement or national security officials,” such as through the FinCEN Exchange Program or responding to 314(a) requests, and to “conduct[] proactive analytics or perform[] other innovative activities producing demonstrable outputs evincing the effectiveness of the bank’s AML/CFT program,” including by effective use of “artificial intelligence, federated learning, or other advanced monitoring tools.”

In a coordinated regulatory effort, the OCC, FDIC, and NCUA concurrently issued their own proposed rules, which align with FinCEN’s NPRM.[4]

Public comments on the Proposed Rule must be received by June 9, 2026. FinCEN proposes an effective date of 12 months from the date of issuance of a final rule.

Background

In 2021, the AML Act of 2020 (“AML Act”) was enacted, which sought to “comprehensively reform[] and modernize[]” the BSA.[5] Pursuant to the AML Act, FinCEN issued a proposed program rule to modernize BSA regulations in 2024. That rule was subject to industry criticism and was never finalized.[6] The Proposed Rule withdraws and supersedes the 2024 NPRM.

One of the purposes of the Program Rule, in addition to implementing the AML Act, is to make more consistent the BSA program rule requirements that apply to different categories of financial institutions, including banks, broker-dealers, money services businesses, and casinos. The Proposed Rule accomplishes this by largely aligning the requirements across these categories.

The Proposed Rule’s Framework for Effective AML/CFT Programs

Under the Proposed Rule, a financial institution would have an “effective” AML/CFT program if it both “establishes” and “maintains” a program that satisfies the rule’s requirements. The Proposed Rule distinguishes between the requirements for establishment and maintenance and states that banks will not be subject to enforcement actions or “significant” supervisory actions by FinCEN or the federal banking agencies for failures to maintain their programs, absent “significant or systemic failure[s],” so long as the programs are established according to the NPRM’s requirements.[7]

Establishment: The Proposed Rule includes the BSA’s four pillars—(1) internal policies, procedures, and controls; (2) a designated compliance officer; (3) employee training programs; and (4) independent audit functions—as part of the “establishment” prong of the rule and defines the requirements for financial institutions to meet each pillar. Key requirements include:

• Risk-Based Internal Policies, Procedures and Controls
  • Reasonable Design: In order for a financial institution’s AML/CFT program to be considered “established” under the Proposed Rule, the program must include “a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act” (emphasis added). FinCEN emphasized that “reasonable design” would be a “critical element” of compliance. While FinCEN’s current regulations require “a system of internal controls,” the Proposed Rule would explicitly state that the internal controls should be “reasonably designed” and “risk-based,” which FinCEN notes “gives financial institutions flexibility in how they achieve compliance with the BSA and the proposed rule’s other requirements.” For example, according to the agency, “if a financial institution’s program testing reveals that a new customer type or new activity is high risk, but the financial institution does not take any action to revise the design of its internal policies, procedures, and controls and therefore treats the customer or activity as presenting low risk, then its program should not be considered reasonably designed.”
  • Risk Assessments: Under the Proposed Rule, all covered financial institutions would be required to conduct risk assessments that inform their policies, procedures, and controls. Although many financial institutions already conduct risk assessments, the Proposed Rule makes conducting risk assessments an explicit regulatory requirement. These assessments must evaluate money laundering and terrorist financing risks, including “products, services, distribution channels, customers, and geographic locations.” They must also incorporate FinCEN’s AML/CFT Priorities “as appropriate,” meaning that “a financial institution may determine the extent to which a particular priority is applicable” and whether and how to incorporate that priority into its risk assessments.[8] Finally, the assessments must be updated “promptly” when the financial institution “knows or has reason to know” that its risk profile has changed “significantly.” Such changes include new or updated “products, services, and customer types” that may change their risk profiles. The Proposed Rule states that financial institutions know their risks “better than their regulators” and therefore have “significant flexibility” and discretion in their processes for conducting risk assessments, apart from the “critical elements” described above. FinCEN explained that, if there are significant changes that affect a financial institution’s risk profile, the financial institution must “re-establish” its program accordingly. However, the Proposed Rule states that “financial institutions are best positioned to identify and evaluate their ML/TF risks and to make decisions related to risk identification and resource allocation in accordance with risk identification” and, as such, FinCEN “does not contemplate regulatory second-guessing of a financial institution’s reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks.”
  • Risk-Based Resource Allocation: The Proposed Rule requires financial institutions to devote “more attention and resources toward higher risk customers and activities, consistent with the risk profile of the bank, rather than toward lower-risk customers and activities.” FinCEN “views risk-based allocation of resources as a critical step in realizing the AML Act’s BSA modernization and reform ambitions” and as an “important departure from the status quo.” FinCEN explained that the goal of this requirement is for financial institutions “to spend less time, energy, and resources on lower priority activities that may result in fewer resources devoted to, and potentially distract from, more serious threats.”
  • Customer Due Diligence: The Proposed Rule requires certain categories of financial institutions[9] to conduct “ongoing customer due diligence” that includes customer risk profiles and ongoing monitoring to identify and report suspicious transactions. The Proposed Rule does not alter existing CDD obligations but places the requirement within the internal controls pillar.
• Independent Program Testing
  • The BSA requires “that financial institutions have an independent audit function to test their AML/CFT programs.”[10] The Proposed Rule does not alter this obligation but rather emphasizes the importance of having objective criteria and unconflicted auditors.
• Designated Compliance Officer
  • A U.S.-Based AML/CFT Officer: The Proposed Rule requires financial institutions to designate an AML/CFT officer based in the United States who is responsible for establishing and maintaining the AML/CFT program and overseeing day-to-day compliance. This implements the provision of the AML Act (codified at 31 U.S.C. 5318(h)(5)), which states that “[t]he duty to establish, maintain and enforce an anti-money laundering and countering the financing of terrorism program as required by this subsection shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator.” Some commenters responded to the 2024 NPRM with concerns about a broad requirement to keep BSA/AML staff in the United States and FinCEN acknowledged in the Proposed Rule that “[m]any commenters requested that FinCEN interpret this provision to allow financial institutions to maintain staff and operations in non-U.S. jurisdictions.” While the Proposed Rule would require the BSA/AML officer be located in the United States, it acknowledges that many financial institutions may “contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States . . . [and] personnel located outside of the United States would still be permitted to perform certain AML/CFT functions.”
• Ongoing Employee Training
  • The NPRM adopts “the BSA’s ‘ongoing employee training program’ language uniformly” without substantively changing obligations under the existing rule. The frequency and scope of training depend on the institutions’ risk assessments.

Maintenance: Under the Proposed Rule, “maintenance” of an effective AML/CFT program means “implementing” the program, which includes the above requirements, “in all material respects.” The agency stated that “minor deficiencies” would not mean that a financial institution has failed to properly maintain a program, and that “significant or systemic” failures to maintain a program would be required for FinCEN or a federal banking agency to take enforcement or significant supervisory action against a bank for failing to maintain the program.

FinCEN included a non-exhaustive list of failures that could result in enforcement or supervisory action against a bank, including: failures to consistently and timely implement internal policies, procedures, and controls (“e.g., consistently ignor[ing] red flags that a program was seriously deficient” due to inadequate resources); “gaps in the risk assessment processes” causing the institution to miss higher ML/TF risks (such as failure of a monitoring system to capture “material volumes or types of transactions”); and “deficiencies or weaknesses” in risk-assessment processes that materially impact ML/TF risk mitigation, “including due to data-related issues involving relevant processes and systems.”

FinCEN’s Elevated Role and Priorities in Supervisory and Enforcement Actions Against Banks

The Proposed Rule elevates FinCEN’s role in the federal supervision of banks’ AML/CFT programs, establishing for the first time “a notice and consultation framework” between FinCEN and the federal banking agencies. Before initiating a significant AML/CFT supervisory action against a bank, the agencies, where “acting under supervisory authority delegated by FinCEN,” must first send written notice to the FinCEN Director “at least 30 days in advance of the proposed action.” The framework would require the agencies to “consider any input offered” by the FinCEN Director.

The Proposed Rule also sets forth factors that FinCEN would be required to consider in evaluating a potential enforcement action or significant supervisory action against banks, including:

• The factors prescribed by the AML Act, including (1) that financial institutions are spending private funds for a public and private benefit, (2) the United States’ policy goals of serving underbanked individuals and facilitating financial transactions including remittances in a manner that prevents criminal abuse of financial services networks, (3) that effective AML/CFT programs safeguard national security and generate public benefits including assisting law enforcement with AML prosecutions, and (4) that AML/CFT programs should be reasonably designed and risk-based.[11]
• Whether the bank “in light of its size, complexity, and risk profile—has advanced the AML/CFT Priorities” including by “providing highly useful information to law enforcement or national security officials.” The Proposed Rule notes multiple avenues for financial institutions to share information, such as by “responding to 314(a) requests,” and “elect[ing] to participate in the FinCEN Exchange Program, a voluntary public-private information sharing partnership among FinCEN, law enforcement agencies, national security agencies, and financial institutions.”
• Whether the bank is “conducting proactive analytics or performing other innovative activities producing demonstrable outputs evincing the effectiveness of the bank’s AML/CFT (including effective use of artificial intelligence, federated learning,[12] or other advanced monitoring tools)” (emphasis added). The Proposed Rule provides additional examples of “innovative approaches,” including: “machine learning, generative artificial intelligence (GenAI), digital identity, blockchain monitoring and analytics, or application programming interfaces (APIs).” The Proposed Rule provides a general endorsement of the use of artificial intelligence by financial institutions and suggests that the “effective use” of artificial intelligence would be a mitigating factor FinCEN considers in potential enforcement or supervisory actions. FinCEN noted that “[i]nstitutions that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely based on the use of innovative technologies. To the contrary, FinCEN recognizes that fostering the use of innovative technologies is vital to improving financial crime compliance and fighting illicit finance and strongly encourages their responsible use.”

FinCEN’s elevated role in enforcement could create a check on enforcement and supervisory actions by the federal banking agencies. Secretary Bessent had previously stated that the Proposed Rule is intended to “position FinCEN as a gatekeeper for AML/CFT enforcement.”[13] If finalized, it would remain to be seen how this consultation framework would be implemented in practice, and particularly in future administrations where FinCEN may have a more aggressive approach to BSA enforcement. In the Proposed Rule, FinCEN requests comments on whether the notice and consultation framework should be optional, thus “provid[ing] the option for banks to request their Agency consult with FinCEN,” rather than required.

Notably, as drafted, this consultation framework does not apply to other categories of financial institutions beyond banks and does not apply to state agencies that supervise and take enforcement actions against banks for BSA compliance. However, financial institutions in both categories would likely argue that, as a matter of consistency and fairness, the relevant agencies should consider similar factors before initiating enforcement or supervisory actions.

Key Takeaways

The Proposed Rule, if finalized, could create significant shifts in AML/CFT regulatory expectations and enforcement practices, primarily for banks that are principally supervised at the federal level. Financial institutions may wish to consider providing comments during the 60-day comment period closing on June 9, 2026, to provide their feedback and request clarification.

In preparing for a Final Rule, financial institutions should consider comparing their existing AML/CFT programs with the Proposed Rule’s new standards for effective programs and be prepared to implement program reforms in the event the rule is finalized. For example, financial institutions should begin to consider reviewing their risk-assessment processes to ensure that they are prepared to implement the Proposed Rule’s new requirements and make corresponding changes to their internal policies, procedures, and controls. Financial institutions way also wish to take into consideration the Proposed Rule’s strong emphasis on enhanced reporting, information sharing, and the use of innovative methods like AI in making decisions on ongoing investment and priorities.

We will continue to monitor developments related to FinCEN’s rulemaking and provide further updates as warranted.

* * *

[1] FinCEN, “FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance” (Apr. 7, 2026), available here. Unless otherwise noted, quotations are from the NPRM.

[2] FinCEN, “FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance: Fact Sheet” (Apr. 7, 2026), available here (the “Fact Sheet”); see also FinCEN, “Key Changes in FinCEN’s Proposed Rule to Refocus AML/CFT Programs on Higher-Risk Activity While Reducing Unnecessary Burden” (Apr. 7, 2026), available here.

[3] FinCEN, “FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance” (Apr. 7, 2026), available here.

[4] See, OCC, FDIC, and the NCUA, “Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements: Notice of Proposed Rulemaking” (Apr. 7, 2026), available here. The Federal Reserve has not yet issued its proposed rule.

[5] H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

[6] FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 89 FR 55428 (July 3, 2024).

[7] This provision on enforcement and significant supervisory actions is limited to the regulations pertaining to banks.

[8] The AML/CFT Priorities were issued in June 2021 and are required by statute to be updated every four years. 31 U.S.C. § 5318(h)(4)(B). The Proposed Rule notes that “the government’s priorities may have changed since the publication of the [2021 Priorities] due to emergent ML/TF typologies (e.g., sanctions evasions by Russian oligarchs) or ML/TF threats (e.g., pig butchering) not addressed specifically in the AML/CFT Priorities.”

[9] The types of financial institutions required to conduct ongoing customer due diligence are banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities.

[10] Fact Sheet at 4.

[11] 31 U.S.C. § 5318(h)(2)(B).

[12] Federated learning is “[a] type of machine learning in which a model is trained in a decentral­ized fashion using multiple data sources without pooling or combining the data in any centralized location. Federated learning allows entities or devices to collabo­ratively train a global model by exchanging model updates without directly sharing the data that each entity controls.”  National Institute of Standards and Technology, “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations” (Mar. 2025), available here.

[13] Press Release, Secretary Statements & Remarks, FinCEN, Remarks by Secretary of the Treasury Scott Bessent Before the Fed Community Bank Conference (Oct. 9, 2025), available here.