On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued a Notice of Proposed Rulemaking (“NPRM”) that would formalize and, in certain respects, update the requirements for financial institutions’ anti-money laundering and countering the financing of terrorism (“AML/CFT”) programs under the Bank Secrecy Act (“BSA”).  While FinCEN has characterized the proposed rule as the centerpiece of Treasury’s broader effort to modernize the U.S. AML/CFT regulatory and supervisory framework, many of its core elements reflect longstanding statutory requirements and supervisory expectations.  The proposed rule fully supersedes a prior proposed rule FinCEN published on July 3, 2024, which the agency is withdrawing.  Concurrently, the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the National Credit Union Administration (“NCUA”) (collectively, the “Agencies”) issued their own joint NPRM proposing substantially aligned amendments to their respective AML/CFT program rules for banks they supervise.  Public comments are due 60 days after publication in the Federal Register.

This alert summarizes the key provisions of both proposals, describes the proposed changes to bank supervision and enforcement, and identifies practical implications for financial institutions and compliance professionals.  As discussed below, many of the proposed requirements may be familiar to institutions with mature, risk-based AML/CFT programs. 

Key Takeaways

Financial institutions subject to AML/CFT program requirements should be aware of the following potential impacts to their compliance frameworks:

  • Both NPRMs frame AML/CFT compliance in terms of effectiveness rather than technical, process-oriented compliance—a shift in regulatory emphasis, though one that aligns with the direction supervisory guidance has been moving for some time.
  • Both proposed rules introduce a two-pronged framework distinguishing between program establishment (i.e., design) and program maintenance (i.e., day-to-day implementation).  For banks, this distinction carries enforcement consequences: once a bank has properly established an AML/CFT program, FinCEN generally would not bring an enforcement action or significant supervisory action unless the bank has a “significant or systemic failure” to implement its program, including through updates as the risk profile changes.  Isolated, technical, or immaterial implementation deficiencies would not warrant such actions.  Notably, however, the enforcement-only-for-significant-deficiencies position is not entirely new.  FinCEN leadership has long articulated a similar posture.  For example, in 2014, then-FinCEN Director Jennifer Shasky Calvery stated that FinCEN would bring civil enforcement actions “where we see pervasive and systemic, or egregious, failures.”  The proposed rule would, for the first time, codify this longstanding enforcement philosophy into regulatory text.
  • The proposed rules would codify the principle already reflected in the AML Act and existing supervisory expectations that financial institutions should direct more attention and resources toward higher-risk customers and activities rather than toward lower-risk ones.  The rules would formalize risk-based resource allocation as a core program requirement and explicitly protect institutions from supervisory criticism for doing so.
  • FinCEN would assume a greater role in bank supervision through a new notice and consultation framework, requiring federal banking regulators to provide the FinCEN Director with at least 30 days’ advance written notice before initiating a significant AML/CFT supervisory action under delegated authority.
  • Both NPRMs arrive against the backdrop of FinCEN’s recently proposed whistleblower reward program, which would create financial incentives for insiders – including AML and sanctions compliance personnel – to report compliance deficiencies directly to the government.  Taken together, the two proposals underscore that while FinCEN intends to reduce unnecessary regulatory burden, it is simultaneously expanding the mechanisms through which compliance failures may be identified and reported.

The Proposed Framework

FinCEN’s proposed rule would explicitly define when a financial institution has an “effective” AML/CFT program: when it both establishes and maintains the program.  The Agencies’ parallel proposal adopts the same two-pronged framework for banks.  Notably, FinCEN acknowledges that a program can be effective without detecting every illicit transaction – a position consistent with longstanding supervisory practice.  

Establishing a program requires designing a risk-based framework with the familiar four pillars of an effective AML program: (1) internal policies, procedures, and controls, including risk assessment processes and, where applicable, ongoing customer due diligence (“CDD”), to ensure compliance; (2) independent testing; (3) a U.S.-based compliance officer; and (4) ongoing employee training.  Maintaining a program requires implementing it “in all material respects” on an ongoing basis.  Importantly, a failure to update the program to reflect significant changes in the institution’s risk profile may result in it no longer meeting the establishment requirements, thereby removing the potential protection from enforcement that would apply to properly established programs.

Current rules do not uniformly require risk assessment processes across institution types.  The proposed rule would standardize this requirement, providing that risk assessment processes must: (1) evaluate money laundering and terrorist financing risks across business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate FinCEN’s AML/CFT Priorities; and (3) be updated promptly upon any change that significantly alters the institution’s money laundering and terrorist financing risks.  FinCEN is not prescribing any particular methodology, and institutions will be examined on the totality of their processes rather than any single assessment.

The proposed rule codifies the AML Act’s directive that institutions should direct “more attention and resources toward higher-risk customers and activities . . . rather than toward lower-risk customers and activities.”  FinCEN views this as “an important departure from the status quo,” enabling institutions to deploy resources flexibly “without fear of supervisory criticism.”  That said, the statutory framework already requires AML/CFT programs to be “reasonably designed” and “risk-based,” including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.  As a practical matter, banks with mature, risk-based programs may find that the proposed rule largely validates their existing approach rather than requiring significant operational changes.  Examiners will still assess whether resource allocation decisions are consistent with reasonably designed risk assessment processes.

The proposed rule would standardize requirements for a designated U.S.-based AML/CFT compliance officer across all institution types.  FinCEN views the officer’s authority, independence, and access to resources as critical to effective program implementation, and an officer with conflicting responsibilities that adversely impact day-to-day AML/CFT compliance would generally not satisfy this requirement.  Non-U.S. personnel may still perform certain AML/CFT functions, subject to existing SAR-sharing restrictions.

The proposed rule clarifies that independent testing should assess, using objective criteria, whether a program has been effectively established, implemented, and resourced.  Notably, “auditors should not substitute their own subjective judgment in place of the financial institution.”  Testing must be conducted by individuals or parties who are independent of the AML/CFT program, including its oversight, and who are free from conflicts of interest.

FinCEN encourages institutions to evaluate whether innovative technologies – including AI, machine learning, digital identity tools, and blockchain analytics – could improve AML/CFT outcomes.  

The Agencies’ proposal is substantively aligned with FinCEN’s NPRM and adopts the same framework.

Practical Implications and Recommendations

The NPRM carries practical implications for financial institutions, boards and senior management, compliance professionals, and their advisors, though the degree of change required will depend on the maturity of each institution’s existing program.  Institutions may consider evaluating the following areas as this rulemaking advances.

  • Reassess AML/CFT program architecture.  Financial institutions should begin evaluating whether their current programs align with the proposed two-pronged framework of program establishment and maintenance.  The proposed rule would require risk-based internal policies, procedures, and controls that are “reasonably designed” rather than focused on strict procedural compliance.  As signaled above, as a practical matter, financial institutions with mature AML/CFT programs may not see a need to change course.
  • Evaluate risk assessment processes.  The proposed rule would codify and standardize the explicit risk assessment processes for banks, casinos, money service businesses (“MSBs”), broker-dealers, mutual funds, futures commission merchants (“FCMs”), and introducing brokers in commodities (“IBCs”).  Even institutions that already conduct risk assessments should evaluate whether their processes satisfy the proposed rule’s three-part requirement: evaluating money laundering and terrorist financing risks across business activities; reviewing and, as appropriate, incorporating AML/CFT Priorities; and updating processes promptly upon significant changes.
  • Recalibrate resource allocation.  The proposed rule’s explicit authorization for institutions to direct resources toward higher-risk areas and away from lower-risk areas represents an opportunity to reallocate compliance resources in a manner that may reduce costs while improving effectiveness.  
  • Review compliance officer positioning.  Institutions should assess whether their current compliance officer arrangements, including organizational reporting lines, staffing, and technology resources, are consistent with the proposed rule’s expectations.

Open Questions and Areas of Uncertainty

While the proposed rule purports to make program implementation easier, compliance departments will inevitably face countless decisions, likely resulting in sentiments captured by a former FinCEN director: “Our AML regime is risk-based, because each and every financial institution – from its products, to its customers, to its internal procedures – is different.  And because of these differences, it would be impossible to have a one-size-fits-all approach.  I can appreciate that a prescriptive yes-or-no/check-the-box exercise may seem easier.  I can also appreciate that a risk-based approach can create some uncertainty.”

In line with that view, several aspects of the proposed rule remain uncertain and warrant continued monitoring:

  • “Significant or systemic failure” standard.  The proposed rule would limit enforcement and significant supervisory actions for banks with properly established programs to cases involving a “significant or systemic failure” to implement the program.  FinCEN has not defined this standard with precision, and its application in practice could vary considerably depending on the facts and circumstances.  Notably, FinCEN itself is soliciting comment on whether further clarification is needed for financial institutions to determine what constitutes a “significant or systemic failure” and, separately, what constitutes a “failure to establish an AML/CFT program.”  The distinction matters: a failure to establish a program is not subject to the heightened enforcement threshold, but a failure to maintain an established program is.  Although this enforcement posture echoes longstanding agency statements, the proposed rule would formalize it in the regulatory text, raising the question of whether supervisory approaches will change.
  • Scope of the consultation requirement.  FinCEN is soliciting comment on whether the proposed consultation process between federal banking regulators and the FinCEN Director should include an asset threshold or whether banks should have the option to request that their regulator consult with FinCEN before initiating a significant action.  Additionally, the proposed definition of “significant AML/CFT supervisory action” includes the term “any written communication,” and FinCEN has asked whether that term is too broad or should be more clearly defined.
  • Interaction with the FinCEN whistleblower program.  The proposed rule arrives just eight days after FinCEN proposed its whistleblower reward program on March 30, 2026, which would permit AML and sanctions compliance personnel to receive awards for reporting compliance deficiencies externally.  How the proposed enforcement safe harbor for properly established programs will interact with whistleblower-reported deficiencies remains unclear.
  • Federal banking agency parallel rulemaking.  As described above, the OCC, FDIC, and NCUA have already issued their joint NPRM in substantive alignment with FinCEN’s proposal.  The Board of Governors of the Federal Reserve System is expected to issue its own proposed rule as well.  While the Agencies’ proposal closely tracks FinCEN’s framework, any differences that emerge in final rules, or in supervisory implementation, could affect the consistency of expectations across regulators.  The degree to which FinCEN’s enhanced consultation role translates into uniform supervisory outcomes remains to be seen.
  • Practical impact on existing programs.  Several of FinCEN’s comment solicitations focus on whether the proposed rule would actually change how financial institutions operate.  FinCEN asks whether institutions expect any changes to their existing internal policies, procedures, and controls, and whether the proposed rule’s distinction between “establishing” and “maintaining” a program is useful.  For banks with mature, risk-based programs, the practical impact may be modest, particularly given that the core requirements largely track existing obligations.  The proposed rule’s emphasis on “reasonably designed” programs and risk-based resource allocation also mirrors the statutory mandate already set forth in 31 U.S.C. § 5318(h), which requires programs to be both reasonably designed and risk-based.
  • Risk assessment update triggers.  The proposed rule would require financial institutions to update their risk assessment processes “promptly” upon any change that the institution knows or has reason to know “significantly changes” its money laundering and terrorist financing risks.  FinCEN is seeking comment on whether this update requirement would change existing practices, whether the term “promptly” needs further clarification, and whether an alternative standard—such as “materially changes”—would be clearer than “significantly changes.”
  • Program approval requirements.  FinCEN is soliciting comment on whether to further clarify which aspects of an AML/CFT program must be subject to board or senior management approval, whether material revisions to program components should require re-approval, and whether FinCEN should eliminate the specified approval requirement altogether in favor of allowing institutions flexibility in structuring leadership oversight of their AML/CFT programs.

Conclusion

FinCEN’s proposed AML/CFT program rule represents a notable effort to formalize and standardize the U.S. approach to combating illicit finance.  By framing compliance obligations around program effectiveness and risk-based resource allocation, and by providing a degree of enforcement protection for institutions that properly establish their programs, the proposal offers a regulatory framework more aligned with how many institutions already operate, and may reduce the process-oriented, “check-the-box” approach that many have argued has defined AML/CFT compliance for decades.  However, the proposal does introduce certain new obligations, including formalized risk assessment processes and the incorporation of AML/CFT Priorities, and raises the stakes for program design by tying enforcement exposure directly to whether a program has been properly “established.”  Financial institutions should treat this NPRM as an occasion to: (1) evaluate whether their current AML/CFT programs are positioned to satisfy the proposed establishment and maintenance framework and (2) identify opportunities to reallocate compliance resources toward higher-risk areas.

McGuireWoods will continue to monitor developments related to FinCEN’s proposed AML/CFT program rule, including the comment period, the issuance of a final rule, and the parallel rulemaking by the federal banking agencies.  For questions about AML/CFT program design, risk assessment processes, compliance strategy, or regulatory enforcement response, please contact the authors of this article or another McGuireWoods attorney with whom you work.