AML/CFT Programs for Banks Proposed Rule

Content

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the National Credit
Union Administration (NCUA) (collectively, “the Agencies” or “Agency” when referencing the singular) are inviting comment
on a proposed rule that would require banks to establish and maintain effective anti-money laundering and countering the financing
of terrorism (AML/CFT) programs reasonably designed to identify, assess, and mitigate risks of illicit finance. The amendments
are intended to align with changes that are being concurrently proposed by the Financial Crimes Enforcement Network (FinCEN)
to implement provisions of the Anti-Money Laundering Act of 2020 (AML Act). Among other changes, this proposed rule would
ensure that institutions establish and maintain effective AML/CFT programs that are intended to better achieve the purposes
of the Bank Secrecy Act (BSA), culminating in the development of highly useful information related to illicit financial transactions
for law enforcement and national security agencies. Through this rulemaking, the Agencies also intend to modernize and reform
Federal supervision of AML/CFT programs by enhancing FinCEN's role in AML/CFT supervision and enforcement.

DATES:

Written comments may be submitted on or before June 9, 2026.

ADDRESSES:

Comments should be directed to:

OCC: Commenters are encouraged to submit comments through the Federal eRulemaking Portal. Please use the title “Anti-Money Laundering
and Countering the Financing of Terrorism Programs” to facilitate the organization and distribution of the comments. You may
submit comments by any of the following methods:

• Federal eRulemaking Portal—Regulations.gov:

Go to https://regulations.gov/. Enter Docket ID “OCC-2024-0005” in the Search Box and click “Search.” Public comments can be submitted via the “Comment” box
below the displayed document information or by clicking on the document title and then clicking the “Comment” box on the top-left
side of the screen. For help with submitting effective comments, please click on “Commenter's Checklist.” For assistance with
the Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email regulationshelpdesk@gsa.gov.

• Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite
3E-218, Washington, DC 20219.

• Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

Instructions: You must include “OCC” as the agency name and Docket ID “OCC-2024-0005” in your comment. In general, the OCC will enter all
comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email
addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public
record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider
confidential or inappropriate for public disclosure.

You may review comments and other related materials that pertain to this action by the following method:

• Viewing Comments Electronically—Regulations.gov:

Go to https://regulations.gov/. Enter Docket ID “OCC-2024-0005” in the Search Box and click “Search.” Click on the “Dockets” tab and then the document's title.
After clicking the document's title, click the “Browse All Comments” tab. Comments can be viewed and filtered by clicking
on the “Sort By” drop-down on the right side of the screen or the “Refine Comments Results” options on the left side of the
screen. Supporting materials can be viewed by clicking on the “Browse Documents” tab. Click on the “Sort By” drop-down on
the right side of the screen or the “Refine Results” options on the left side of the screen checking the “Supporting & Related
Material” checkbox. For assistance with the Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email regulationshelpdesk@gsa.gov.

The docket may be viewed after the close of the comment period in the same manner as during the comment period.

FDIC: The FDIC encourages interested parties to submit written comments. Please include your name, affiliation, address, email address,
and telephone number(s) in your comment. You may submit comments to the FDIC, identified by RIN 3064-AF34, by any of the following
methods:

• Agency Website: https://www.fdic.gov/resources/regulations/federal-register-publications. Follow instructions for submitting comments on the FDIC's website.

• Mail: Jennifer M. Jones, Deputy Executive Secretary, Attention: Comments/Legal OES (RIN 3064-AF34), Federal Deposit Insurance Corporation,
550 17th Street NW, Washington, DC 20429.

• Hand Delivered/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW, building (located on F Street NW)

     on business days between 7 a.m. and 5 p.m., eastern time.

• Email: comments@fdic.gov. Include the RIN 3064-AF34 on the subject line of the message.

• Public Inspection: Comments received, including any personal information provided, may be posted without change to https://www.fdic.gov/resources/regulations/federal-register publications. Commenters should submit only information that the commenter wishes to make available publicly. The FDIC may review, redact,
or refrain from posting all or any portion of any comment that it may deem to be inappropriate for publication, such as irrelevant
or obscene material. The FDIC may post only a single representative example of identical or substantially identical comments,
and in such cases will generally identify the number of identical or substantially identical comments represented by the posted
example. All comments that have been redacted, as well as those that have not been posted, that contain comments on the merits
of this document will be retained in the public comment file and will be considered as required under all applicable laws.
All comments may be accessible under the Freedom of Information Act.

NCUA: You may submit comments, identified by RIN 3133-AG08, by any of the following methods (please send comments by one method
only):

• Federal eRulemaking Portal: https://www.regulations.gov. The docket number for this proposed rule is NCUA-2024-0033. Follow the instructions for submitting comments. A plain language
summary of the proposed rule is also available on the docket website.

• Mail: Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria,
Virginia 22314-3428.

• Hand Delivery/Courier: Same as mailing address.

• Public Inspection: You may view all public comments on the Federal eRulemaking Portal at https://www.regulations.gov, as submitted, except for those we cannot post for technical reasons. The NCUA will not edit or remove any identifying or contact
information from the public comments submitted. If you are unable to access public comments on the internet, you may contact
the NCUA for alternative access by calling (703) 518-6540 or emailing OGCMail@ncua.gov.

FOR FURTHER INFORMATION CONTACT:

OCC: Kenneth Kohrs, BSA/AML Lead Expert, Office of the Chief National Bank Examiner; Jina Cheon, Assistant Director, Melissa Lisenbee,
Counsel, Scott Burnett, Counsel, or Henry Barkhausen, Counsel, Bank Advisory Group, Chief Counsel's Office, (202) 649-5490,
Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, hard of hearing, or have
a speech disability, please dial 7-1-1 to access telecommunications relay services.

FDIC: Patricia Colohan, Deputy Director, (202) 898-7283, pcolohan@fdic.gov, Division of Risk Management Supervision; Chase Lubbock, Associate Director, (703) 254-0802, clubbock@fdic.gov, Division of Risk Management Supervision; Christy Cornell-Pape, Acting Chief, Financial Crimes, (415) 808-8090, acornell-pape@fdic.gov, Division of Risk Management Supervision; Deborah Tobolowsky, Counsel, (571) 309-2415, dtobolowsky@fdic.gov, Legal Division; Thomas Krepp, Senior Attorney, (678) 916-2265, tkrepp@fdic.gov, Legal Division; J. Spencer Culp, Senior Attorney, (816) 234-8049, jaculp@fdic.gov, Legal Division; Nicholas Kazmerski, Counsel, (571) 309-3136, nkazmerski@fdic.gov, Legal Division.

NCUA: Michael Dondarski, Associate Director, Office of Examination & Insurance, (703) 772-4751, mdondarski@ncua.gov; Janell Portare, Director, Fraud and Anti-Money Laundering Division, Office of Examination & Insurance, (703) 548-2752, jportare@ncua.gov; Gira Bose, Senior Staff Attorney, Office of General Counsel, (703) 518-6540, gbose@ncua.gov; Damon P. Frank, Senior Trial Attorney, Office of General Counsel, (703) 518-6540, dfrank@ncua.gov.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend the Agencies' regulations that prescribe AML/CFT program requirements (1) for banks (2) supervised by each of the Agencies in a way that aligns with the rule concurrently proposed by FinCEN (3) under the BSA. (4) While FinCEN has delegated its authority to examine banks for compliance with the BSA to the Agencies, the Agencies also have
independent authority to prescribe regulations requiring banks to establish and maintain procedures reasonably designed to
assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, under 12 U.S.C. 1818(s)
and 12 U.S.C. 1786(q) (Sections 8(s) of the Federal Deposit Insurance Act and 206(q) of the Federal Credit Union Act, respectively).
The Agencies are proposing to amend their rules concurrently with FinCEN so that their program requirements for banks remain
consistent with those imposed by FinCEN. Further, with consistent regulatory text, banks will not be subject to any additional
burden or confusion from needing to comply with differing standards between FinCEN and the Agencies. The proposed changes
are discussed in more detail below in the section-by-section analysis.

II. Background

A. Anti-Money Laundering Programs Under the Bank Secrecy Act and History of the BSA Compliance Program Rules for the Agencies

Enacted in 1970 and amended several times since, the BSA is designed to combat money laundering, the financing of terrorism,
and other illicit finance activity risks (collectively, ML/TF risks). (5) Congress has authorized the Secretary of the Treasury (Secretary) to administer the BSA. The Secretary has in turn delegated
the authority to implement, administer, and enforce

  compliance with the BSA and its associated regulations to the Director of FinCEN (FinCEN Director). [(6)]()

The Money Laundering Control Act of 1986 (MLCA) (7) amended 12 U.S.C. 1818(s) and 12 U.S.C. 1786(q) (sections 8(s) of the Federal Deposit Insurance Act and 206(q) of the Federal
Credit Union Act, respectively) to require the Agencies and the Board of Governors of the Federal Reserve System (Federal
Reserve Board) to issue regulations requiring their supervised banks to “establish and maintain procedures reasonably designed
to assure and monitor their compliance” with the requirements of the BSA. Consistent with the MLCA, on January 27, 1987, all
the then-Federal bank regulatory agencies issued substantially similar regulations requiring their supervised banks to develop
procedures for BSA compliance. (8)

Since its original enactment, Congress has continued to address various aspects of AML/CFT compliance, including through expansion
of the BSA. (9) In 1992, the Annunzio-Wylie Anti-Money Laundering Act (10) gave the Secretary authority to prescribe minimum standards for AML programs, including: “(A) the development of internal
policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training program,
and (D) an independent audit function to test programs”—what are often called the “four pillars” of AML/CFT programs. (11) Later, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
of 2001 (USA PATRIOT Act) further amended the BSA to include, among other things, customer identification program (CIP) requirements
and the expansion of AML program rules to cover certain other financial industry participants (e.g., credit unions and futures commission merchants). (12) The USA PATRIOT Act also made it mandatory for financial institutions to maintain AML programs that meet minimum prescribed
standards. (13) Through the exercise of its delegated authority, FinCEN is authorized to require each financial institution to establish an
AML/CFT program to ensure compliance with the BSA and guard against ML/TF risks. (14) Over time, FinCEN, the Agencies, and the Federal Reserve Board incorporated many of these standards into their respective
program rules, and FinCEN implemented additional requirements for certain covered financial institutions into their respective
program rules. (15)

Although in practice the FinCEN AML program rule and the Agencies' compliance program rules for banks they supervise operate
together, since the USA PATRIOT Act, banks under the Agencies' supervision have been required to maintain compliance programs
under separate legal authorities administered by (i) FinCEN under Title 31 and (ii) the Agencies under sections 8(s) and 206(q).
Because the authority for each Agency's BSA compliance program rule derives from and is required by sections 8(s) and 206(q),
each Agency prescribes regulations requiring the banks they supervise to establish and maintain procedures reasonably designed
to assure and monitor the compliance of such banks with the requirements of the BSA.

In 2003, FinCEN, the Agencies, the Federal Reserve Board, the Securities and Exchange Commission, and the Commodity Futures
Trading Commission jointly issued final rules on CIP requirements, (16) which were mandated by amendments to the BSA under the USA PATRIOT Act requiring financial institutions to implement a CIP
as part of their BSA compliance program. (17) The CIP requirements became part of the separate AML program rules for banks administered by FinCEN and each of the Agencies
as well as the Federal Reserve Board, although the rules continued to function together by allowing banks to satisfy FinCEN's
rule by complying with their Agency's rule or, as appropriate, the Federal Reserve Board's rule.

In 2016, FinCEN amended its AML compliance program rules to incorporate customer due diligence (CDD) requirements, including
beneficial ownership information collection requirements for certain covered financial institutions, including banks. (18) Although the Agencies did not promulgate CDD requirements at that time, the Agencies examined supervised banks for compliance
with those requirements under the authority of sections 8(s) and 206(q). (19) With the exception of the CDD requirement, FinCEN's rule was substantially similar to the rules of the Agencies and the Federal
Reserve Board's rules, and banks must currently comply with both FinCEN's AML bank program rule and the BSA compliance rules
of the Agencies and, as appropriate, the Federal Reserve Board.

B. The Anti-Money Laundering Act of 2020

On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021,
of which the AML Act was a component. (20) With the passage of the AML Act, Congress stated that it was seeking to modernize and strengthen the AML/CFT regulatory framework,
which “had not seen comprehensive reform or modernization” since the BSA was enacted in the 1970s. (21) Among other

  objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback
  among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing
  bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” [(22)]()

Section 6101(b) of the AML Act made several changes to the BSA's AML/CFT program requirements.

First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B) to state that, “[i]n prescribing the minimum standards for
[AML/CFT programs], and in supervising and examining compliance with those standards, the Secretary of the Treasury, and the
appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)) shall
take into account” certain factors.

Second, section 6101(b) requires the Secretary, in consultation with the Attorney General, appropriate Federal functional
regulators, relevant State financial regulators, and relevant national security agencies, to establish and make public government-wide
AML/CFT priorities (AML/CFT Priorities). After consultation with the Federal functional regulators and relevant State financial
regulators, the Secretary must promulgate regulations, as appropriate, to incorporate those priorities into revised program
rules, and incorporation of the priorities must be included as a measure on which financial institutions are supervised and
examined. FinCEN issued the first AML/CFT Priorities on June 30, 2021. (23)

Third, section 6101(b) expands the BSA's program rule requirement to formally include an express reference to CFT in addition
to AML.

Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility
of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by,
the Secretary and the appropriate Federal functional regulator.

C. Prior BSA Modernization Efforts

The proposed rule also builds upon other recent efforts by FinCEN, the Agencies, and the Federal Reserve Board to modernize
AML/CFT compliance program requirements for banks, both before and after the passage of the AML Act. These efforts include
actions taken to revise the BSA regulatory regime through rulemakings, providing exemptive relief from regulatory requirements
consistent with the purposes of the BSA, and clarifying regulatory requirements and supervisory standards through policy documents.

For example, on July 22, 2019, FinCEN, the Agencies, and the Federal Reserve Board issued a joint statement to clarify and
explain their existing risk-focused approach to examinations of banks' BSA/AML compliance program. This statement was intended
to increase transparency into the risk-focused approach used by the Agencies and the Federal Reserve Board for planning and
performing BSA/AML examinations, which included clarifying that the Agencies and the Federal Reserve Board “generally allocate
more resources to higher-risk areas, and fewer resources to lower-risk areas” based on the bank's unique risk profile. (24) FinCEN, the Agencies, and the Federal Reserve Board have also taken steps to highlight that customer relationships present
varying levels of ML/TF risk and, in turn, to encourage banks to manage customer relationships and mitigate risks based on
customer relationships, rather than decline to provide banking services to entire categories of customers. (25) More recently, the Agencies and the Federal Reserve Board have, with FinCEN's concurrence, issued an order permitting banks,
as part of their CIP obligations, to collect Taxpayer Identification Number information from a third party rather than directly
from the bank's customer, subject to certain conditions. (26) FinCEN, the Agencies, and the Federal Reserve Board have also issued Frequently Asked Questions to clarify certain obligations
related to filing a suspicious activity report (SAR) to help ensure banks are not needlessly expending resources on efforts
that do not provide law enforcement and national security agencies with the critical information they need to detect, combat,
and deter criminal activity, as well as to combat misconceptions that banks are required to terminate customer relationships
based on the filing of a SAR. (27)

With respect to prior rulemaking efforts, prior to the enactment of the AML Act, FinCEN published an ANPRM seeking public
comment on potential regulatory amendments intended to increase the effectiveness of program rule requirements (Effectiveness
ANPRM), which was informed by recommendations of the AML Effectiveness Bank Secrecy Act Advisory Group working group. (28) While the Effectiveness ANPRM was issued by FinCEN on a standalone basis, the Agencies and Federal Reserve Board were consultative
partners with FinCEN

  when developing the proposal. More recently, on July 3, 2024, FinCEN published an NPRM proposing revisions to its AML/CFT
  program requirements for all financial institutions, including those applicable to banks, [(29)]() and on August 9, 2024, the Agencies, along with the Federal Reserve Board, issued an NPRM proposing substantially similar
  amendments to their respective AML program rules applicable to banks they supervise (the 2024 Program NPRM). [(30)]()

In proposing this rule in coordination with FinCEN, the Agencies considered applicable statutory requirements and prior feedback
on these recent BSA modernization efforts, including comments provided on FinCEN's Effectiveness ANPRM and those received
on the 2024 Program NPRMs. While building upon these prior modernization efforts, the proposed rule is distinct and separate
from prior BSA modernization rulemaking efforts. (31)

III. Overview of the Proposed Rule

A central objective of the Agencies' BSA modernization efforts is to create an AML/CFT supervisory and regulatory regime that
is more effective in achieving the purposes of the BSA and culminating in the development of highly useful information related
to illicit financial transactions for law enforcement and national security agencies. (32) The proposed rule would further that objective by explicitly defining the requirements for a bank to establish and maintain
an effective AML/CFT program. It would also adopt into regulations the AML Act's expectation that AML/CFT programs should
be risk-based, including ensuring that banks direct more attention and resources toward higher-risk customers and activities,
consistent with the risk profile of the bank, rather than toward lower-risk customers and activities. (33)

The proposed rule would also revise the AML/CFT supervisory and examination process for banks by enhancing FinCEN's role in
the Agencies' AML/CFT-related supervision and enforcement process. In support of this objective, the proposed rule would establish
a mechanism in which FinCEN—as the statutory administrator of the BSA—has an opportunity to review and provide feedback to
the Agencies prior to certain AML/CFT-related enforcement and supervisory actions. This change will promote consistent approaches
to AML/CFT supervision, culminating in the development of highly useful information related to illicit financial transactions
for both banks and the law enforcement and national security agencies that depend upon those banks' critical BSA reporting.
The enforcement requirements only apply to actions by the Agencies.

Proposed Rule

As noted above, the proposed rule would require banks to establish and maintain effective AML/CFT programs and define the
requirements for doing so. In order for an AML/CFT program to be effective, the proposed rule would require a bank to establish
an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT
program.

As described in more detail in section IV.D a bank would be required to establish a risk-based set of internal policies, procedures,
and controls that is reasonably designed to ensure compliance with the BSA and its implementing regulations, 31 CFR chapter
X. The risk-based set of internal policies, procedures, and controls must also be reasonably designed to (1) identify, assess,
and document the bank's ML/TF risks through risk assessment processes that evaluate the risks of the bank's business activities,
review and, as appropriate, incorporate the AML/CFT Priorities, and are updated promptly upon any change that the bank knows
or has reason to know significantly changes the bank's ML/TF risks; (2) mitigate the bank's ML/TF risks consistent with the
bank's risk assessment processes including by directing more attention and resources toward higher-risk customers and activities,
rather than toward lower-risk customers and activities; and (3) conduct ongoing customer due diligence.

The proposed rule would also require a bank to establish an ongoing employee training program and independent AML/CFT program
testing as part of its AML/CFT program. Finally, the proposed rule would require a bank to designate an individual responsible
for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; that individual
would be required to be located in the United States and accessible to, and subject to oversight and supervision by, FinCEN
or its designee and the appropriate Agency.

Under the proposed rule, in addition to establishing an AML/CFT program, the bank would be required to maintain that program
by implementing, in all material respects, its established AML/CFT program. By structuring the requirement to have an effective
AML/CFT program as distinct obligations to establish and maintain (via implementation) an AML/CFT program, the proposed rule
is intended to clarify and reinforce the distinction between failures to establish an AML/CFT program and failures to implement
a properly established program.

The distinction between establishing a program and maintaining a program by implementing it in all material respects is particularly
important under the proposed rule for potential supervisory and enforcement actions. The proposed rule would not limit enforcement
or supervisory actions for failures to establish an AML/CFT program. However, once a bank has properly established an AML/CFT
program, the proposed rule would raise the threshold for significant supervisory or enforcement actions based solely on implementation
deficiencies. Only significant or systemic failures by a bank to implement in all material respects an established program
would warrant an “AML/CFT enforcement action” or a “significant AML/CFT supervisory action,” as these terms are defined in
the proposed rule. In this way, the proposed rule is intended to clarify and reinforce a supervisory and enforcement focus
on addressing significant or systemic failures to implement a properly established AML/CFT program, rather than on isolated,
technical, or immaterial implementation issues. (34)

Importantly, under the proposed regulations, having an effective AML/CFT program would be more than a one-time adoption of
a risk-based set of internal policies, procedures, and controls. Rather, a bank would be required to keep its risk-based set
of internal policies, procedures, and controls—and the risk assessment processes that inform them—current as the bank's risk
profile changes. For example, while a bank's risk-based set

  of internal policies, procedures, and controls may, at one time, have been reasonably designed, they may no longer be reasonably
  designed given changes to the bank's risk profile. Similarly, an AML/CFT program would be more than a one-time creation of
  an employee training program or initiation of an independent testing mechanism: the bank would be required to keep such aspects
  of the AML/CFT program current as the bank's risk profile changes. Thus, even where a bank has previously established an AML/CFT
  program in accordance with the proposed rule, a failure to update the program to reflect significant changes in the bank's
  risk profile may result in the program no longer meeting the program establishment requirements, and the bank may accordingly
  be subject to supervisory or enforcement action for a failure to establish an effective AML/CFT program.

The proposed rule would also provide FinCEN with a greater role in the Agencies' supervisory process. To better ensure that
the Agencies are performing “risk-focused” BSA supervision, the proposed rule would require that the Agencies consult with
FinCEN prior to taking an AML/CFT enforcement action or a significant AML/CFT supervisory action. The Agencies would be required
to give FinCEN written notice at least 30 days prior to taking such an action. FinCEN would have an opportunity to review
the action and the relevant underlying information giving rise to it, and the Agencies would be required to consider any input
offered by FinCEN concerning the effectiveness of the bank's AML/CFT program.

By explicitly defining the requirements for a bank to establish and maintain an effective AML/CFT program, and by standardizing
the AML/CFT supervision and enforcement process for banks and across the Agencies, the proposed rule is expected to better
achieve the purposes of the BSA, culminating in the development of highly useful information related to illicit financial
transactions for banks and law enforcement and national security agencies. However, the Agencies do not intend for the proposed
rule to provide banks permission to establish an AML/CFT program that might be interpreted as meeting the proposed rule's
technical requirements on their face, but do not effectively detect and prevent ML/TF activity. To establish a compliant AML/CFT
program under the proposed rule, a bank must, among other things, establish a risk-based set of internal policies, procedures,
and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR chapter X, including through the adoption
of risk assessment processes. A critical element of this requirement is that the bank's s risk-based set of internal policies,
procedures, and controls be “reasonably designed.” For example, if a bank's program testing reveals that a new customer type
or new activity is high risk, but the bank does not take any action to revise the design of its risk-based set of internal
policies, procedures, and controls and therefore treats the customer or activity as presenting low risk, then its program
should not be considered reasonably designed. The Agencies believe that banks have a better understanding of their customer
bases and businesses and are best positioned to identify and evaluate their ML/TF risks. Therefore, under this proposed rule
banks will continue to have significant flexibility and discretion in their decisions and determinations related to risk identification
and resource allocation. The Agencies will assess whether: (1) a bank's resource allocation decisions are consistent with
a reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the bank knows
or should know of resource-related issues involving its risk-based set of internal policies, procedures, and controls that
may result in the bank failing to implement its AML/CFT program in all material respects and has failed to address such issues.

Similarly, the Agencies expect a bank to be examined for its implementation of the established AML/CFT program in all material
respects. Merely designating an individual responsible for establishing and implementing the AML/CFT program and having that
individual establish risk-based internal policies, procedures, and controls, an ongoing employee training program, and an
independent AML/CFT program testing program, are not sufficient to satisfy the proposed rule's obligations for a bank to have
an effective AML/CFT program. Rather, a bank would be examined for the implementation, in all material aspects, of its established
AML/CFT program, including the determination that the bank is, in fact, allocating resources commensurate with its established
AML/CFT program, which the proposed rule would require to be consistent with and its reasonably designed risk assessment processes.

IV. Section-by-Section Analysis

This section-by-section analysis describes the specific proposed changes to the Agencies' BSA compliance program rules. Section
IV.A addresses the proposed incorporation of CFT into the program rules. Section IV.B discusses the requirements for an “effective”
AML/CFT program to comply with the requirements of the proposed rule. Section IV.C explains what it means to “establish” and
“maintain” an effective AML/CFT program. Section IV.D describes the components of program establishment, including (1) a risk-based
set of internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing;
(3) an individual, located in the United States and accessible to FinCEN and the Agencies, responsible for establishing and
maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training. Section
IV.E discusses the requirements that the AML/CFT program be written, accessible, and approved by a bank's Board of Directors,
an equivalent governing body within the bank, or appropriate senior management. Section IV.F addresses the Customer Identification
Program, Section IV.G addresses the supervision and enforcement section of the proposed rule, and Section IV.H discusses technical
changes that the proposal makes to the existing rules to improve clarity and consistency across the program rules. Lastly,
Section IV.I discusses disclosure of supervisory information.

A. Inserting the Term “CFT” Into the Program Rules

Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference “countering the financing of terrorism” (35) in addition to “anti-money laundering” when describing the requirement to establish an AML/CFT program. The Agencies propose
to update the AML/CFT program rules to reflect this new statutory language. For example, the proposed rule would change the
title of the Agencies' program rules from “Bank Secrecy Act compliance” to “Anti-Money Laundering/Countering the Financing
of Terrorism Compliance, Supervision, and Enforcement.” Similar changes would apply to the titles of relevant parts and subparts.

The inclusion of “CFT” in the BSA compliance program rule would not create new obligations for banks, insofar as the USA PATRIOT
Act already requires them to account for risks

  related to terrorist financing. Accordingly, the Agencies expect any changes to existing AML/CFT programs from the amendments
  described in this subsection to be technical and therefore not have any substantive impact on banks' compliance obligations.

B. An “Effective” AML/CFT Program

In prescribing the minimum standards for an AML/CFT program and in supervising and examining compliance with those standards,
the AML Act requires the Secretary and the appropriate Federal functional regulator to take into account that effective AML/CFT
programs safeguard national security and help law enforcement prevent the flow of illicit funds in the financial system. (36) Further, the AML Act contemplates AML/CFT requirements focusing on achieving effective outcomes rather than dictating the
processes used to reach those outcomes, an orientation the Agencies intend to reflect in the proposed rule. Consistent with
the Agencies' long-standing expectations regarding what effective outcomes entail, the Agencies believe that, as a practical
matter, it is not possible for a bank's AML/CFT program to detect and report all potentially illicit transactions that flow
through the institution. (37) Similarly, a bank's AML/CFT program can be effective without preventing every minor instance of a bank falling prey to illicit
finance misuse. Accordingly, the proposed rule would set out that, from a supervisory and enforcement perspective, an AML/CFT
program is “effective” and complies with the Agencies' regulatory requirements promulgated under 12 U.S.C. 1818(s) or 12 U.S.C.
1786(q), as applicable, so long as it is established and maintained in accordance with applicable requirements.

The proposed rule would provide that a bank has an “effective” program if it (1) is established in accordance with the proposed
rule's establishment requirements; and (2) is maintained, meaning that a properly established AML/CFT program is implemented
in all material respects.

One of the AML Act's key purposes is to “encourage technological innovation and the adoption of new technology by financial
institutions to more effectively counter money laundering and financing of terrorism.” (38) Consistent with this purpose, the Agencies encourage banks to evaluate whether new technology or innovative approaches in
other resources might help to combat financial crime more effectively. Innovative approaches could involve machine learning,
generative artificial intelligence (GenAI), digital identity, blockchain monitoring and analytics, or application programming
interfaces (APIs).

The Agencies recognize that adopting new technologies for BSA compliance may not be suitable for all banks, particularly smaller
ones, and the proposed rule therefore does not reference or require the use of any particular technology. A bank may find
it beneficial to consider whether its AML/CFT program appropriately uses the bank's existing resources, including technology
and data. However, consistent with longstanding guidance, the Agencies encourage banks to engage in responsible AML/CFT innovation. (39) Banks that responsibly incorporate innovative technologies into their AML/CFT programs will not incur on that basis any additional
risk of being subject to a significant supervisory action or enforcement action solely based on the use of innovative technologies.

C. Establishing and Maintaining an AML/CFT Program

The requirement that a bank establish and maintain an AML/CFT program is not new, although over time various formulations
of this requirement have developed in statutes and regulations. (40)

The proposed rule would harmonize and delineate the regulatory requirements that must be met for banks to have an effective
AML/CFT program. That is, the proposed rule would create a two-pronged framework under which a bank's AML/CFT program would
be deemed to be effective if the bank establishes and maintains its program. Under the proposed rule, a bank maintains its
properly established AML/CFT program by implementing it in all material respects.

1. Establishing Versus Maintaining an AML/CFT Program

For a bank to have an effective AML/CFT program, the proposed rule would require a bank to establish an AML/CFT program and
then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program. The proposed
rule describes the requirements for an effective AML/CFT program to be established and maintained. The AML/CFT program minimum
components constituting program establishment, and described in further detail in Section V.D below, are: (1) a risk-based
set of internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing;
(3) an individual, located in the United States and accessible to FinCEN and the appropriate Agency, responsible for establishing
and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training.

“Establishing” an AML/CFT program involves designing an AML/CFT program that incorporates all of the required components.
“Maintaining,” by contrast, addresses whether the bank is implementing that program in practice. The regulation uses the term
“implement” to describe this second prong. The distinction between establishing a program and maintaining a program by implementation
matters because the proposed rule ties the availability of AML/CFT enforcement and significant supervisory actions based on
the program rule for an established bank program to a significant or systemic failure to “implement” the properly established
AML/CFT program. The distinction between establishing and “maintaining” an AML/CFT program is intended to make transparent
how the individual elements of the proposed rule work together.

Separating program establishment from program maintenance therefore provides needed clarity regarding whether a supervisory
concern relates to deficiencies stemming from the program's design, on the one hand, or failures in the program's operation,
on the other. This two-prong framework would help promote consistent articulation of supervisory expectations and prevent
conflating criticisms of program design—the remediation of

  which would likely be different in kind—with criticisms of day-to-day implementation. The proposed distinction does not change
  the substantive obligations for the bank.

As noted previously, the Agencies intend for the requirements of this proposed rule to not be limited to a one-time adoption
of the elements required for program establishment, such as a risk-based set of internal policies, procedures, and controls.
Rather, the Agencies intend a bank's establishment of its AML/CFT program to require the bank's risk-based set of internal
policies, procedures, and controls—and the risk assessment processes that inform them—to remain current as the bank's risk
profile changes. For example, if a bank begins providing a new product or service—or changes how it provides an existing product
or service, such as operating in a new geographic location—under this proposed rule, a bank would need to incorporate its
new product or service as part of its risk assessment processes. The proposed rule would require a bank to make a risk determination
and, as appropriate, redesign its risk-based set of internal policies, procedures, and controls to account for the risks that
it did not previously encounter prior to offering the new product or service, or operating in the new geographic location.
Thus, under the proposed rule, even where a bank has previously established an AML/CFT program in accordance with the proposed
rule, a failure to update the program to reflect significant changes in the bank's risk profile may result in the program
no longer satisfying the proposed rule's requirements regarding establishment.

2. Implementation of an AML/CFT Program

Once a bank has properly “established” an AML/CFT program, the bank must “maintain” the program by implementing it, in all
material respects. Minor deficiencies of an AML/CFT program would not necessarily mean that a bank has failed to implement
the program.

Although there are a variety of ways that a bank may not be implementing its program “in all material respects,” in the Agencies'
experience, commonly observed examples may include, but would not be limited to: (1) internal policies, procedures, and controls
are not being performed or not being performed on a consistent, regular, and timely basis (e.g., consistently ignored warnings or red flags that a program was seriously deficient) due to the nature or extent of required
resources becoming inadequate; (2) gaps in the risk assessment processes that result in the bank's program internal policies,
procedures, and controls missing or inadequately covering higher ML/TF risks (e.g., systems used to monitor for potentially suspicious activity failing to capture material volumes or types of transactions);
or (3) deficiencies or weaknesses in the risk assessment processes that have a material impact on the bank's mitigation of
ML/TF risks through its risk-based set of internal policies, procedures, and controls, including due to data-related issues
involving relevant processes and systems.

Similarly, the Agencies expect that a bank could become aware of such implementation-related concerns through a variety of
mechanisms, including but not limited to: (1) independent testing of the AML/CFT program; (2) examiner observations, suggestions,
or other informal comments about the AML/CFT program;, (3) management information systems and related reports or other outputs
(e.g., key performance indicators or key risk indicators, such as monitoring for potentially material backlogs in relevant AML/CFT
processes), and (4) issues identified by personnel involved in the operation of the bank's AML/CFT program.

D. Program Establishment

As noted earlier, pursuant to 31 U.S.C. 5318(h), the Agencies' AML/CFT program requirements for banks currently require certain
minimum elements, including: (1) a risk-based set of internal policies, procedures, and controls; (2) an independent audit
function to test programs; (3) a designated compliance officer; and (4) an ongoing employee training program. The majority
of the proposed rule's AML/CFT program components are substantially similar to the existing regulatory requirements for banks.
However, the Agencies are proposing certain additions and modifications to modernize and strengthen banks' AML/CFT programs
to allow banks to better mitigate illicit finance risks.

1. Internal Policies, Procedures, and Controls

The Agencies' rules currently require banks to develop “a system of internal controls to assure ongoing compliance” with the
requirements of the BSA as part of their AML/CFT programs. (41) The Agencies' existing program rules, however, do not clearly articulate what it means to establish such a system of internal
policies, procedures, and controls to ensure compliance.

Under the proposal, the Agencies are amending and clarifying the current internal control pillar requirements. Specifically,
the proposal provides that banks must establish a risk-based set of internal policies, procedures, and controls that is reasonably
designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent
with the risk assessment processes, including by directing more attention and resources toward higher-risk customers and activities
rather than toward lower-risk customers and activities; and, (3) conduct ongoing CDD. The preamble addresses each of these
features below.

Under this proposal, a bank's risk-based set of internal policies, procedures, and controls should be based upon, informed
by, and consistent with a bank's risk assessment processes. The internal policies, procedures, and controls should be commensurate
with the size, structure, risk profile, and complexity of the bank. The requirement that a bank's risk-based set of internal
policies, procedures, and controls be “reasonably designed” gives banks flexibility in how they achieve compliance with the
BSA and the proposed rule's other requirements. As part of having a risk-based set of internal policies, procedures, and controls,
reasonably designed to ensure compliance, banks may choose to responsibly adopt new technologies or innovative approaches
to comply with BSA requirements. Consistent with this purpose, the Agencies encourage banks to evaluate whether new technology
or innovative approaches in other resources might help to more effectively combat financial crime. Innovative approaches could
involve machine learning, GenAI, digital identity, blockchain monitoring and analytics, or APIs.

i. Risk Assessment Processes

The Agencies are proposing that, as part of a bank's risk-based set of internal policies, procedures, and controls, the bank
identify, assess, and document the bank's ML/TF risk through risk assessment processes that: (1) evaluate the ML/TF risks
of the bank's business activities, including products, services, distribution channels, customers, and geographic locations;
(2) review and, as appropriate, incorporate the AML/CFT Priorities; and (3) update promptly upon any change that the bank
knows or has reason to know significantly changes the bank's ML/TF risks.

The Agencies have traditionally viewed risk assessment processes as a critical tool of a reasonably designed BSA compliance
program; a bank cannot implement a reasonably designed program to achieve compliance with the BSA unless it understands its
risk profile. (42) Most banks already use risk assessments or risk assessment processes to structure their risk-based compliance programs. Despite
being viewed as a critical tool, the Agencies' regulations do not currently explicitly require such risk assessment processes
nor outline mandatory considerations for such processes. Thus, the proposed rule would codify into regulations the requirement
for banks to establish risk assessment processes, thereby clarifying existing expectations and practices, as well as require
specific factors for consideration that are responsive to the AML Act.

Importantly, the proposed rule requires, as a part of a bank's risk-based set of internal policies, procedures and controls,
that it identify, assess, and document its ML/TF risks using risk assessment processes. A bank would retain flexibility in
how it would document the results of its risk assessment processes. As proposed, banks would not be required to establish
a single, consolidated risk assessment document solely to comply with the proposed rule. While such a document may be appropriate
under the proposal, the use of the term “risk assessment processes” is intended to reflect that a financial institution may
rely on multiple processes—applied as appropriate within its AML/CFT program—to identify, assess, and document its ML/TF risks
and will be examined based on the totality of these processes rather than the sufficiency of a single, standalone risk assessment
document.

The Agencies believe banks are best positioned to identify and evaluate their ML/TF risk and are therefore not prescribing
any particular risk assessment processes or methodologies other than the critical elements described in this proposed rule.
Under the proposed rule, banks would be examined for whether they have established and maintained, in all material respects,
reasonably designed risk assessment processes—which need not be in the form of a singular risk assessment process. Furthermore,
the Agencies are not prescribing any particular time frame for banks to update their risk assessment processes.

The Agencies recognize that banks vary significantly in size, structure, complexity, and risk profile. Under the proposed
rule, bank's risk-based set of internal policies, procedures, and controls—including its risk assessment processes—should
be commensurate with the bank's size, structure, risk profile, and complexity. Accordingly, banks with broader product offerings,
more complex corporate structures, or greater exposure to higher-risk customers, products, services, or geographic locations
would be expected to establish correspondingly more formalized or analytically complex internal policies, procedures, and
controls—including risk assessment processes. By contrast, many community banks operate with more limited business activities,
traditional lending and deposit services, a narrower geographic footprint, and customer bases concentrated within defined
local communities. For such banks, risk assessment processes may appropriately be more streamlined or qualitative in nature,
and a risk-based set of internal policies, procedures, and controls that is reasonably designed for a large, complex financial
organization would not necessarily be required or appropriate for a community bank with a more limited risk profile.

As noted previously, most banks already design their BSA compliance programs based on their assessment of ML/TF risks under
existing risk assessment processes. The Agencies expect that most banks will be able to leverage their existing risk assessment
processes to satisfy the proposed requirement without making significant changes.

a. ML/TF Risks

The proposed rule would require banks' risk assessment processes to evaluate the ML/TF risks of the bank's business activities,
including products, services, distribution channels, customers, and geographic locations. These factors are generally well
known and often incorporated into current risk assessment processes of banks. While most banks are generally familiar with
these concepts, “distribution channels” may be a newer term for some banks. For purposes of this rule, the Agencies consider
“distribution channels” to refer to the methods and tools through which a bank opens accounts and provides products or services,
including, for example, through remote or other non-face-to-face means.

Banks may use a variety of sources to inform their risk assessment processes. Such sources may include information obtained
from other financial institutions, such as emerging risks and typologies identified through section 314(b) information sharing
or payment transactions that other financial institutions returned or flagged due to ML/TF risks. (43) Information a bank generates or maintains could be another source. Internal information may include, for example, customer
internet protocol addresses or device logins and related geolocation information.

Feedback from FinCEN, law enforcement, and financial regulators may also inform risk assessment processes. For example, if
a bank receives feedback from law enforcement about a report it has filed or potential risks at the bank, the bank may incorporate
that information into its risk assessment processes. Similarly, banks may consider information identified from responding
to section 314(a) requests.

In addition to feedback, reports and analyses published by Treasury and FinCEN may be particularly relevant to a bank's business
activities, thereby warranting consideration when evaluating ML/TF risks. For example, Treasury describes changes in the illicit
finance risk environment in its biennial National Money Laundering Risk Assessment, National Terrorist Financing Risk Assessment,
and National Proliferation Financing Risk Assessment, which highlight significant illicit finance threats, vulnerabilities,
and risks. (44) Regardless of the source, banks should take measures in their risk assessment processes to ensure this

  information is reasonably current, complete, and accurate.

b. AML/CFT Priorities

The AML/CFT Priorities set out the priorities for the U.S. government's AML/CFT policy as required by the AML Act and are
designed to ensure that banks' AML/CFT programs are aligned with those priorities. Recognizing the diverse nature of ML/TF
threats facing the U.S. financial system and national security, and that bank AML/CFT programs benefit U.S. national security
by safeguarding the financial system from ML/TF risk, the AML/CFT Priorities are intended to ensure that banks are focusing
on the greatest threats to U.S. national security, as defined by Treasury.

Section 6101 of the AML Act requires that a financial institution's review and appropriate incorporation of the AML/CFT Priorities
into its AML/CFT program be subject to supervision and examination for compliance with the BSA and other AML/CFT laws and
regulations. (45) The Agencies are implementing this statutory requirement by proposing that, as part of their risk assessment processes, banks
must review and, as appropriate, incorporate the AML/CFT Priorities. The inclusion of the AML/CFT Priorities in risk assessment
processes is meant to help ensure that banks understand their exposure to risks in areas that are of particular importance
nationally, which may help banks develop risk-based and reasonably designed AML/CFT programs.

The Agencies understand that the AML/CFT Priorities may not always be applicable to a bank's risk profile and activities.
Therefore, the Agencies require the incorporation of the AML/CFT Priorities in a bank's risk assessment processes, as appropriate.
This means that, having reviewed the AML/CFT Priorities, a bank may determine the extent to which a particular Priority is
applicable and whether and how a particular AML/CFT Priority should be appropriately incorporated into its risk assessment
processes.

Further, a bank may use its judgment and apply a reasonable, risk-based determination on whether to focus on a specific aspect
of an AML/CFT Priority, rather than addressing all aspects of a Priority that may either not be applicable or pose lower risks
to the bank. However, the Agencies caution that a surface-level, perfunctory review of an AML/CFT Priority by a bank and of
the foreseeable ways in which it may manifest itself within the bank's customers, products and services, geographies, and
distribution channels would not satisfy this requirement. For example, patterns of transactions that may be consistent with
potential structuring should not automatically be dismissed as lower value to law enforcement and untethered to an AML/CFT
Priority without determining whether there is a potential connection to various types of other illicit finance activity (e.g., structuring or similar patterns involving transactions in narcotics trafficking proceeds).

Whenever the AML/CFT Priorities are updated, banks would no longer be required to incorporate prior versions of the AML/CFT
Priorities. Banks would only be required, as appropriate, to incorporate the most recent AML/CFT Priorities into their risk-based
AML/CFT programs.

The Agencies anticipate that some banks, such as community banks, may ultimately determine that their business models and
risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities but instead have greater exposure
to other ML/TF risks. Additionally, some banks' risk assessment processes may determine that their AML/CFT programs already
sufficiently incorporate to some extent, the AML/CFT Priorities. In either case, any changes to banks' AML/CFT program, such
as internal policies, procedures, or controls would be based on the results of risk assessment processes and their impact
on the AML/CFT program, including how to review and, as appropriate, incorporate the AML/CFT Priorities before making these
determinations. (46) The Agencies request comment from the public on whether additional guidance related to the consideration of the AML/CFT Priorities
as part of an institution's risk assessment processes would be warranted.

c. Updates to Risk Assessment Processes

The proposed rule would require banks to update their risk assessment processes promptly upon any change that the bank would
know or have reason to know would significantly change their ML/TF risk profile. For example, a bank may need to update its
risk assessment when new products, services, and customer types are introduced; existing products, services, and customer
types undergo significant changes; when the bank adopts new risk mitigation technology; or the bank as a whole expands or
contracts through mergers, acquisitions, and divestitures. Banks may also need to update their risk assessment processes based
on factors external to their operations that they know or have reason to know significantly change their ML/TF risk profiles.
The Agencies welcome comments on whether it should further clarify when banks must review or update their risk assessment
processes.

ii. Mitigate ML/TF Risks Through Risk-Based Allocation of Attention and Resources

Section 6101(b) of the AML Act states that the AML/CFT programs of financial institutions should be “risk-based, including
ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities,
consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” (47) The proposed rule would adopt this formulation as part of a bank's obligation to establish a risk-based set of internal policies,
procedures, and controls. Under the proposed rule, a bank's efforts to mitigate its ML/TF risks would involve “directing more
attention and resources toward higher-risk customers and activities, consistent with the risk profile of [a bank], rather
than toward lower-risk customers and activities.”

The Agencies view risk-based allocation of resources as a critical step in realizing the AML Act's BSA modernization and reform
ambitions, and consistent with the Agencies' ongoing efforts to modernize AML/CFT compliance and supervision. The proposed
rule envisions banks exercising more flexibility in deploying attention and resources in accordance with the proposed rule
without fear of supervisory criticism or action from examiners for directing more attention and resources on higher risk customers
and activities, rather than toward lower risk customers and activities.

The goal of risk-based resource allocation is for banks to spend less time, energy, and resources on lower priority activities
that may result in less resources devoted to and potentially distract from more serious threats. The proposed rule would enable
banks to focus more on higher risk customers and activities, which the Agencies have determined should result in banks being
more effective at detecting, reporting, and preventing the flow of illicit funds and providing law enforcement with more valuable
BSA reporting.

As noted above, the Agencies believe that banks are best positioned to identify and evaluate their ML/TF risk and to make
decisions related to risk identification and resource allocation in accordance with risk identification. The proposed rule,
therefore, does not contemplate second-guessing of a bank's reasonable determinations regarding appropriate resource allocation
or conclusions regarding specific risks. However, while the Agencies do not believe that an examiner should substitute his
or her own subjective judgment in place of the bank's, examiners will be expected to assess whether (1) a bank's resource
allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect
to implementation, specifically, whether the bank knows or should know of resource-related issues involving its internal policies,
procedures, and controls and other mandatory elements that may result in the bank failing to implement its AML/CFT program
in all material respects and has failed to address such issues.

iii. Conduct Ongoing Customer Due Diligence

The proposed rule would add CDD as a required component of the Agencies' AML/CFT program rule. Appropriate risk-based procedures
for conducting ongoing CDD—in the form of understanding the nature and purpose of customer relationships and conducting ongoing
monitoring—is currently a required component in FinCEN's AML program rule, (48) and, therefore, banks are already required to comply with these ongoing CDD requirements under FinCEN's rule. The inclusion
of risk-based procedures for conducting ongoing CDD in the Agencies' proposed rules would mirror FinCEN's existing rule and
reflect the Agencies' long-standing supervisory expectations. Long before FinCEN amended its AML program rule to expressly
include the CDD component requirement, the Agencies had considered CDD an integral component of a risk-based program, enabling
the bank to understand its customers and its customers' activity to better identify suspicious activity. Adding the CDD component
to the Agencies' AML/CFT program rule will eliminate confusion for banks concerning the current differences with FinCEN's
rule. Because banks must already comply with FinCEN's CDD component requirement, the proposed change should not alter current
compliance practices.

The proposed rule would incorporate CDD requirements not as a standalone pillar, but instead by making them part of the requirement
that banks establish a risk-based and reasonably designed set of internal policies, procedures, and controls. As noted previously,
the activities required to conduct ongoing CDD, such as monitoring customer relationships, maintaining and updating customer
information on a risk basis, and identifying and reporting suspicious transactions are, in practice, subsumed by the obligation
for a bank to have a risk-based and reasonably designed set of internal policies, procedures, and controls and have long been
viewed by the Agencies as integral to component of a bank's internal controls. Accordingly, establishing these requirements
within this pillar more accurately reflects how banks operationalize ongoing customer due diligence as part of their overall
AML programs.

2. Independent Testing

The Agencies have required banks to perform independent testing since the original adoption of their BSA compliance program
rules. The AML Act did not change the BSA's separate requirement that each bank must independently test its AML/CFT program. (49) The proposed rule therefore retains the existing requirement for banks to establish independent AML/CFT program testing to
be conducted by bank personnel or an outside party with minor, non-substantive clarifications that are not intended to change
regulatory requirements.

The purpose of independent testing is to assess the bank's compliance with AML/CFT statutory and regulatory requirements,
relative to its risk profile. The independent AML/CFT program testing should be focused on whether the AML/CFT program is
effective, and it should identify issues and areas for remediation accordingly.

To support the effective implementations of an AML/CFT program, independent testing should be based on objective criteria
designed to assess whether a bank has established and implemented an effective AML/CFT program and allocated resources consistent
with its risk assessment processes. These criteria should also assess whether related project governance is sufficient to
manage risks and apply compensating controls where necessary, particularly in areas where remediation is underway. This evaluation
helps to inform the bank's board of directors and senior management of weaknesses or areas in need of enhancement or stronger
controls. Typically, this evaluation includes a conclusion about the bank's overall compliance with AML/CFT statutory and
regulatory requirements and sufficient information for the reviewer (e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about whether
the set of internal policies, procedures, and controls is reasonably-designed, and resources are well-allocated consistent
with the bank's risk assessment processes.

Additionally, while banks retain some flexibility regarding who conducts the audit or testing, the proposed rule would continue
to require that testing be independent. Banks that do not employ outside auditors or consultants or that do not have internal
audit departments may comply with this requirement by using internal staff who are not involved in the function being tested.
For these banks and banks with other types of arrangements for independent testing, the AML/CFT officer or any party who directly,
and in some cases indirectly, reports to the AML/CFT officer, or an equivalent role, would generally not be considered sufficiently
independent. Any individual conducting the testing, whether internal or external, would be required to be independent of other
parts of the bank's AML/CFT program, including its oversight. For banks that engage outside auditors or consultants, the bank
would be required to ensure that the outside parties conducting the independent testing are not involved in functions related
to the AML/CFT program at the bank that may present a conflict of interest or lack of independence, such as AML/CFT training
or the development or enhancement of internal policies, procedures, and controls. Additionally, for the purposes of the independent
testing component, outside parties would not include government agencies, entities, or instrumentalities, such as a bank's
Federal or state functional regulators. Banks with less complex operations and lower risk profiles may consider utilizing
a shared resource as part of a collaborative arrangement to conduct testing, as long as the testing is independent. (50)

3. Designate an AML/CFT Officer Located in the United States

i. Duties of the AML/CFT Officer

The Agencies have required banks to “designate an individual or individuals responsible for coordinating and monitoring day-to-day
compliance” since the inception of their program requirements. The BSA separately requires that banks with AML/CFT program
obligations must have a designated compliance officer, which was not altered by the AML Act. As in the Agencies' current BSA
compliance program rules, the proposed rule would provide that an AML/CFT program must designate an individual(s) (referred
to as an AML/CFT officer) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring
day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations. The Agencies'
view is that the individual serving as the AML/CFT officer must be qualified for that role and not overburdened with other
responsibilities at the institution. The Agencies are proposing clarifying and technical changes to the AML/CFT officer requirement,
as well as changes to incorporate to FinCEN's interpretation of 31 U.S.C. 5318(h)(5), as discussed below. These changes are
generally not expected to impose new obligations on banks.

Consistent with current requirements, the proposed rule is not intended to be primarily concerned about the formal title of
the individual(s) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day
compliance; instead, the proposed rule focuses on the AML/CFT officer's position in the bank's organizational structure that
enables the AML/CFT officer to effectively establish and implement the bank's AML/CFT program. The AML/CFT officer's authority,
independence, and access to resources within the bank are critical. An AML/CFT officer should have decision-making capability
regarding the AML/CFT program and sufficient functional stature within the organization to ensure that the program meets BSA
requirements.

The AML/CFT officer's access to resources may include: adequate compliance funds and staffing with the skills and expertise
appropriate to the bank's risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness;
and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management
of the bank's ML/TF risks. An AML/CFT officer with conflicting responsibilities that adversely impact the officer's ability
to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement. The addition
of the explicit requirement that the AML/CFT officer be responsible for “establishing and implementing the AML/CFT program”
in the proposed rule would make explicit a long-standing supervisory expectation, rather than changing current supervisory
expectations.

ii. The AML/CFT Officer Must Be Located in the United States and Accessible to Regulators

The AML Act provides that the duty to establish, maintain, and enforce a bank's AML/CFT program shall remain the responsibility
of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by,
the Secretary and the appropriate Federal functional regulator. (51) Because this is a new requirement under the AML Act, it is not currently reflected in the Agencies' program rule requirements.
FinCEN's concurrently proposed revisions to its AML/CFT program rules interpret this requirement as applying to the AML/CFT
officer, so the Agencies' proposed rule would amend the existing compliance officer requirements to align with FinCEN's proposal.

The Agencies recognize banks may currently have AML/CFT staff and operations outside of the United States, or they may contract
out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States. These arrangements
may serve to improve cost efficiencies; to enhance coordination, particularly with respect to cross-border operations; or
serve other purposes not in conflict with goals underlying the BSA. Consequently, under the proposed rule, while the AML/CFT
officer must be located in the United States, personnel located outside of the United States would still be permitted to perform
certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing
of SARs with personnel located outside of the United States, other than in limited circumstances such as a bank's foreign
head office or controlling company. (52) The Agencies request comment on whether any further clarifications on this point would be useful.

4. Ongoing Employee Training Program

The BSA requires AML/CFT programs to include an “ongoing employee training program.” (53) This statutory requirement is reflected in all current Agency program rules employing different wording. (54) The proposed rule would harmonize the Agencies' program rules with that of other financial regulators by adopting the BSA's
“ongoing employee training program” language uniformly. (55) This change is clarifying, not substantive.

The Agencies would generally expect training to cover a bank's internal policies, procedures, and controls, which should in
turn reflect the results of the bank's risk assessment processes, the latest AML/CFT regulatory requirements, and other relevant
information. The frequency with which the training would occur, and the content of the training, would depend on the bank's
ML/TF risk profile and the roles and responsibilities of the persons receiving the training. The Agencies welcome comment
on whether any further clarifications of the proposed training requirement are needed and recognize that banks may have employees
and non-employees who may have a variety of roles and responsibilities in relation to the AML/CFT program. The risk-based
nature of an AML/CFT program provides flexibility for financial institutions to identify both employees and non-employees
who must be trained on an ongoing basis.

E. Access to and Approval of a Written AML/CFT Program

1. Written AML/CFT Programs Must Be Made Available Upon Request

The Agencies' current BSA compliance program rule generally requires a bank to have a written AML/CFT program that is approved
by the

  bank's board of directors. [(56)]() The proposed rule would modify these requirements and move them to a separate subsection and add clarifying text to harmonize
  the language with FinCEN's proposed rule. The Agencies request comment on whether further clarification on this point would
  be useful.

2. Bank Approval of a Written AML/CFT Program

Banks subject to Agency supervision currently must have board approval for their AML/CFT programs under the Agencies' rules.
The proposed rule would continue to require that a bank's written AML/CFT program be approved, though the proposal will expand
the options available for a bank to obtain such approval. Specifically, the proposed rule will require that the AML/CFT program
be approved by the bank's board of directors or an equivalent governing body within the bank, or appropriate senior management.
The proposed rule specifies that approval encompasses each of the components of the AML/CFT program.

With respect to the new “equivalent governing body” language, FinCEN's current rule requires a bank lacking a Federal functional
regulator to obtain approval of the bank's written AML program from either the bank's board or an equivalent governing body. (57) The Agencies' proposed rule would also add a reference to an “equivalent governing body” to clarify that a bank can satisfy
the requirement by having an equivalent governing body approve the program. The equivalent governing body can take different
forms. For example, for the U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's
board of directors or delegates acting under the board's express authority. Similarly, banks that do have a board of directors
might instead reasonably delegate the approval requirement to a board committee exercising targeted oversight, such as a compliance
committee, which would similarly qualify as an “equivalent governing body” under the proposal.

Finally, the rule would also permit a bank's senior management to approve the AML/CFT program. Such individuals may include
Chief Executive Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal Officer, Chief Compliance Officer,
Director, and individuals with similar status or functions. Also, banks may establish or utilize existing senior committees
of appropriate senior management officials to perform these functions. The Agencies propose permitting approval by senior
management to reflect the division of roles and responsibilities between a bank's board of directors and senior management
with respect to establishing and implementing an AML/CFT program, as a bank's senior management is charged with the actual
role of establishing and implementing the AML/CFT program.

While the proposed rule will no longer require the bank's board to approve the AML/CFT program, this would not alter the Agencies'
expectations regarding the responsibilities of a bank's board of directors for providing appropriate oversight of the bank's
AML/CFT compliance. The Agencies have always expected bank boards, both as a whole or through appropriate committees, to provide
appropriate oversight of senior management to maintain the bank's operations in a safe and sound manner, oversee compliance
with applicable laws and regulations, and establish appropriate risk governance frameworks. A bank's board might reasonably
permit appropriate senior management to have AML/CFT program approval authority to provide more effective, timely oversight
on a day-to-day basis, while still fulfilling the board's obligations through other appropriate means.

F. Customer Identification Program

The proposed rule would maintain the current Customer Identification Program requirements but would move them to a separate
section. The Agencies propose minor, non-substantive updates to reference the “AML/CFT” terminology and harmonize the language
between the Agencies to “require a customer identification program to be implemented as part of the AML/CFT program.” These
technical changes are not anticipated to establish new obligations.

G. Supervision and Enforcement

The proposed rule would add new supervision and enforcement frameworks for banks' AML/CFT programs that are aligned with the
AML Act's emphasis on effectiveness and risk-based supervision. The proposed rule defines key terms, describes the Agencies'
enforcement and supervision policy with respect to AML/CFT program implementation failures, and establishes a consultation
process between FinCEN and the Agencies relating to AML/CFT enforcement actions or significant AML/CFT supervisory actions.
The enforcement requirements only apply to actions by the Agencies.

1. Definitions

Proposed section (a) would define several terms used throughout the section. The term “AML/CFT requirement” would mean a requirement
of the Bank Secrecy Act (as that term is defined in 31 CFR 1010.100) or of the regulations in title 31, chapter X, or a requirement
prescribed under the proposed definition.

The term “AML/CFT enforcement action” would mean any formal or informal action taken by one of the Agencies under authority
of 12 U.S.C. 1818, 1786, or other applicable law that seeks to penalize, remedy, prevent, or respond to noncompliance with
past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes a cease-and-desist
order, written agreement, consent order, or memorandum of understanding, or the assessment of a civil money penalty.

The term “significant AML/CFT supervisory action” would mean any written communication or other formal supervisory determination
issued by one of the Agencies that identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or
unsound practices or conditions relating to an AML/CFT requirement; communicates supervisory expectations to a bank regarding
actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and contemplates
significant or programmatic actions or remedial measures to be taken by the bank. The term does not include examiner observations,
suggestions, or other informal comments.

The FDIC is also adding a definition that is currently in 12 CFR 326.1. Previously, the FDIC's text referred to the definitions
section in Subpart A of Part 326. This proposal would include a definitions section within Subpart B, and so FDIC is adding
one definition needed from the section in Subpart A. This is not a substantive change.

2. Enforcement and Supervision Policy

The proposed rule would articulate the Agencies' enforcement and supervision policy as it relates to AML/CFT requirements. (58) Except with respect to a significant or systemic

  failure to implement in all material respects an established AML/CFT program in accordance with the proposed rule, a bank
  that has properly established an AML/CFT program would not be subject to an AML/CFT enforcement action or to a significant
  AML/CFT supervisory action based on the program rule. At the same time, the proposed rule would clarify that nothing in this
  policy would restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to a failure
  to establish an AML/CFT program. The proposal is only intended to affect actions by the Agencies.

3. FinCEN Consultation

The proposed rule would establish a notice and consultation framework applicable when one of the Agencies intends to initiate
an AML/CFT enforcement action or a significant AML/CFT supervisory action, as those terms are defined in the proposed regulation.
Before initiating such an action, the Agency would provide the Director of FinCEN with an opportunity to review the action
and would consider any input offered by the Director of FinCEN, which may include any view as to the effectiveness of the
bank's AML/CFT program. To facilitate that review, the Agency would be required to provide written notice to the Director
of FinCEN of the Agency's intent to take the action at least 30 days in advance of the proposed action, unless a shorter period
is necessary, at the sole discretion of the Agency, to remedy, prevent, or respond to an unsafe or unsound practice or condition.

The notice would be accompanied by the relevant AML/CFT information underlying the proposed action. Relevant AML/CFT information
may include, but is not limited to, relevant portions of draft report of examination; relevant portions of a draft enforcement
action; examination workpapers supporting the proposed action; and the relevant AML/CFT information submitted by the bank
to the Agency. The Agency would not be obligated to provide information over which the bank may claim privilege under Federal
or State law. The Agency would also respond, to the extent reasonably practicable, to requests for additional AML/CFT information
from the Director of FinCEN regarding the proposed action.

H. Other Changes for Modernization, Clarification, and Consistency

In addition to the previously described changes, the proposed rule would make other revisions to increase clarity and consistency
in the program rules. Most of these changes are technical, such as renumbering provisions, amending cross-references, and
updating statutory references based on changes to the BSA by the AML Act. For example, along with FinCEN, references to “BSA/AML
programs” are being updated to “AML/CFT programs” for financial institutions. This technical change is not anticipated to
establish new obligations.

I. Disclosure of Supervisory Information

Each Agency has issued regulations that generally prohibit the disclosure of the Agency's non-public information, except as
provided under such regulations. (59) This prohibition generally applies to disclosure of any portion of a report of examination, supervisory correspondence, and
any representations concerning such reports or supervisory correspondence, or their findings, including conclusions regarding
compliance with AML/CFT compliance program requirements.

Consistent with the proposed rule's goal of enhancing FinCEN's role in the AML/CFT enforcement and supervisory process, the
proposed rule would clarify that banks may share any information with the FinCEN Director that relates to an existing or potential
AML/CFT enforcement action or significant AML/CFT supervisory action. This proposed rule specifically provides that this authorization
to share information includes information that would ordinarily be considered non-public information under the Agencies' respective
rules. To qualify for this information sharing, the information at issue must have an appropriate nexus to an existing or
potential AML/CFT enforcement action or significant AML/CFT supervisory action. The Agencies are proposing this clarification
to ensure that banks can share appropriate information with the FinCEN Director, including in the context of actions subject
to the newly established consultation requirement. Otherwise, banks may be unable to provide thorough information to the FinCEN
Director, whether proactively or in response to the Director's requests.

While the proposed rule intends to permit such sharing, the Agencies are proposing two alternative methods for permitting
such information sharing with the FinCEN Director. Under the first approach, referred to as Option 1 in the amendatory text
below, the Agency would authorize the disclosure of covered information on the Agency's behalf to the FinCEN Director and
separately permit the FinCEN Director to use such information. This phrasing is intended to mirror the permissible scope of
information sharing by the Agencies under 12 U.S.C. 1821(t), which provides that a “covered agency, in any capacity, shall
not be deemed to have waived any privilege applicable to any information by transferring that information to or permitting
that information to be used by” another Federal agency.

Under the alternative approach, referred to as Option 2 in the amendatory text below, the Agency would similarly authorize
the disclosure of covered information on the Agency's behalf, as well as similarly authorize the use of such information by
the FinCEN Director. The Agencies, however, would expressly require that any such information shared on the Agency's behalf
be contemporaneously disclosed by the bank to the Agency. While the Agency will necessarily already have access to its own
non-public information, this additional requirement is potentially more consistent with the retention of privilege contemplated
under 12 U.S.C. 1821(t) and, therefore, potentially provides a greater safeguard against the unintended destruction of privilege.
The Agencies also recognize that banks' willingness to share timely, thorough information with the FinCEN Director is essential
to the success of the consultation framework; and requiring banks to contemporaneously disclose to an Agency the same non-public
information they provide to FinCEN may discourage proactive reporting and thereby undermine the rule's objective of enhancing
FinCEN's role.

Importantly, both of the options outlined above only permit the FinCEN Director to use the Agencies' non-public information.
This authorization to use the information does not include an authorization by the Agencies to further disclose the received
non-public information. Any dissemination by a bank to a party other than the FinCEN Director or by the FinCEN Director to
any party would be subject to the Agencies' respective rules governing disclosure of non-public information.

Regardless, the proposed rule would include additional clarifying text intended to preserve all applicable privileges. The
destruction of privilege over non-public supervisory information could prove harmful both to the Agency and the bank, so the
additional language is intended to prevent such consequences.

The Agencies invite comment on these options for permitting greater information sharing with the FinCEN

  Director regarding existing or potential AML/CFT enforcement actions or significant AML/CFT supervisory actions, including
  possible alternative methods of accomplishing the rule's objectives without unintentionally impeding applicable privileges.

IV. Severability

The Agencies propose that if one portion of the proposed rule, if finalized, is found to be invalid, the invalidated portion
of the regulation should be severed with the other portions of the proposed rule remaining in full force and effect. The Agencies'
position is that invalidation of any one provision, or application thereof to any one person or circumstance, does not, and
should not, affect any other provision in this proposed regulation or other existing regulations. Each provision serves an
important, related, but distinct purpose and application, designed to benefit the public by protecting the U.S. financial
system from illicit financial activity. The Agencies accordingly propose incorporating this into their respective rules, such
that invalidating one provision would not undermine the operability or usefulness of the other provisions.

V. Final Rule Effective Date

The Agencies are proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient
time for banks to review and implement the requirements of the proposed rule. The Agencies solicit comment on the proposed
effective date.

VI. Request for Comment

The Agencies welcome comment on all aspects of the proposed amendments but specifically seek comment on the questions below.
The Agencies encourage commenters to reference specific question numbers when responding.

An “Effective” AML/CFT Program (IV.B)

1. The proposed rule sets forth the conditions for an effective AML/CFT program. Is the description of an effective program
   sufficiently clear or is there anything further that the Agencies should consider in the final rule adding to clarify program
   effectiveness?

2. The proposed rule reflects a determination by the Agencies that banks are best placed to identify risks and allocate resources,
   and that providing them with greater discretion in these areas will improve the quality of AML/CFT compliance and reporting
   to law enforcement. Is this correct or should the Agencies consider adding more requirements regarding allocation of resources?
   How might banks assess changes in the total allocation of resources devoted to an AML/CFT program in a changing risk and cost
   environment?

Establishing and Maintaining an AML/CFT Program (IV.C)

1. Do banks distinguish between establishing a program and maintaining a program by implementing the program? Do banks distinguish
   between establishing a program and maintaining a program by implementing the program? If so, how? Should the Agencies add
   anything to further define these terms in the final rule?

2. Should the proposed rule's distinction between “establishing” and “maintaining” a program be modified? Is the distinction
   between “establishing” and “maintaining” a compliance program useful for banks?

3. Should the proposed rule distinguish between “establishing” and “maintaining” at the program level and “establishing” and
   “maintaining” each individual element? For example, should the final rule more clearly differentiate between a failure to
   establish the program, as a whole, versus a failure to establish an individual mandatory component of the program?

4. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement in all
   material respects a properly established AML/CFT program?

5. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?

6. How should the proposed rule ensure that the regulations issued by FinCEN and the appropriate Agencies function harmoniously?
   How should the proposed rule differentiate between the Secretary of the Treasury's responsibility for regulations on establishing
   AML/CFT programs and the Agencies' responsibilities for regulations on establishing and maintaining programs?

Internal Policies, Procedures, and Controls (IV.D.1)

1. Do banks expect any changes to their existing internal policies, procedures, and controls under the proposed rule, which requires that internal policies, procedures, and controls be “risk-based” and “reasonably designed” to ensure compliance with the BSA?

Risk Assessment Processes (Generally) (IV.D.1.i)

1. The proposed rule refers to risk assessment processes rather than a risk assessment process. This leaves banks free to
   use findings from one or more processes to assess their ML/TF risk. Does this description of how banks assess their ML/TF
   risk provide sufficient flexibility? How should the Agencies describe “risk assessment processes” to better reflect how banks
   assess ML/TF risks?

2. Should risk assessment processes be required to take into account additional or different criteria or risks than those
   listed in the proposed rule? If so, what additional factors should the Agencies consider requiring?

3. How long does it generally take a bank to incorporate the results of a risk assessment into its AML/CFT program? What
   factors determine this time frame?

Risk Assessment Processes (AML/CFT Priorities) (IV.D.1.i.b)

1. What, if any, difficulties do banks anticipate when incorporating the AML/CFT Priorities as part of their risk assessment
   processes?

2. What additional guidance on how to incorporate the AML/CFT Priorities into a bank's risk assessment processes would it
   be useful for the Agencies to provide?

Risk Assessment Processes (Updates) (IV.D.1.i.c)

1. The proposed rule requires that risk assessment processes are updated promptly upon any change that the bank knows or
   has reason to know significantly changes the bank's money laundering, terrorist financing, and other illicit finance activity
   risks. Would the proposed update requirement change the way banks currently update their risk assessment processes, and if
   so how? Is additional explanation needed concerning when a financial institution would be required to update its risk assessment?
   In particular, how might the Agencies clarify how risk assessment processes would be updated “promptly”? Would an alternative
   approach, such as periodic updates or a set schedule for updates, be preferable? Would an alternative standard, such as “materially
   changes,” be clearer than “significantly changes”?

2. How do a bank's ML/TF risks and its risk assessment processes affect one another? Put differently, if there is a feedback
   loop between the two, please describe it, including the typical amount of time between discovering new risks and incorporating
   those findings into risk assessment processes.

Independent AML/CFT Program Testing To Be Conducted by Bank Personnel or by an Outside Party (IV.D.2)

1. Under the proposed rule, a bank is required to conduct independent AML/CFT program testing. This requirement is already reflected in existing AML program rule requirements as is the requirement to include “an independent audit function to test programs.” (60) The Agencies solicit comment on how financial institutions may interpret and carry out this requirement, based on the proposed rule's description of an effective AML/CFT program. Are further clarifications on the independent AML/CFT program testing requirement necessary to ensure that audits carried out by bank personnel or outside third parties are well-tailored, risk-based, and focused on effectiveness?

AML/CFT Officer Located in the United States (IV.D.3.ii)

1. Under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States other than limited circumstances such as a bank's foreign head office or controlling company. Are any further clarifications on this issue needed?

Written AML/CFT Program and Approval (IV.E)

1. The proposed rule standardizes the long-standing requirement that an AML/CFT program be written. Should the Agencies further
   clarify which specific elements of an institution's AML/CFT program must be written, or is this requirement generally understood
   in its current form? In particular: (a) which program components—such as risk assessment processes; internal policies, procedures,
   and controls; transaction monitoring rules and parameters; escalation and reporting protocols; independent testing results;
   training materials; and documentation of designated personnel—should be required in writing; (b) what form (e.g., narrative descriptions, checklists, system configurations, or electronic records) such documentation should take; and (c)
   what level of detail is appropriate for each component? Should the Agencies instead alter the requirement that an AML/CFT
   program be expressly required to be “written”? What would be the benefits or drawbacks of any such alterations to this requirement?

2. The proposed rule would require that a bank's written AML/CFT program be approved by its board of directors, an equivalent
   governing body within the bank, or appropriate senior management. Should the Agencies further clarify which aspects of the
   AML/CFT program must be subject to such approval? In particular: (a) should approval be required for each of the core program
   components (e.g., the risk assessment processes framework; internal policies, procedures, and controls; transaction-monitoring and escalation
   frameworks; independent testing structure; training program; and designation of responsible personnel), or would approval
   of the overall program framework be sufficient; (b) should material revisions to particular components (such as significant
   changes to the institution's risk assessment methodology, monitoring architecture, or governance structure) require re-approval
   at the same level; and, (c) what level of specificity should the approving body be required to review and approve (e.g., high-level program architecture versus detailed procedures or parameter-level settings)? Should the Agencies instead eliminate
   the specified approval requirement, allowing banks flexibility in determining how leadership oversight of the AML/CFT program
   is structured? What would be the benefits or drawbacks of not prescribing a mandatory approval requirement in the regulation?
   If the Agencies do not eliminate the specified approval requirement, should the Agencies consider amending the requirement?
   Are there alternatives to board of directors or an equivalent governing body, such as “appropriate senior management” that
   would be more appropriate?

Supervision and Enforcement (IV.G)

1. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement an established
   AML/CFT program?

2. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?

3. The proposed rule would add a requirement for an agency to notify and consider information provided by FinCEN before initiating
   a significant AML/CFT supervisory action when acting pursuant to authority delegated under this chapter. Should the proposed
   consultation process include an asset threshold— e.g., consultation is required for any significant AML/CFT supervisory actions involving banks with $10 billion or more in assets?
   In addition, or as an alternative, should the proposed rule not require but instead provide the option for banks to request
   their agency consult with FinCEN prior to initiating a significant AML/CFT supervisory action?

4. The definition of significant AML/CFT supervisory action includes the term “any written communication.” Is the term “any
   written communication” too broad? Are there downsides and negative consequences to including the term “any written communication”
   in the proposed regulatory text? If so, please describe. Should the term “any written communication” be more clearly defined
   or removed altogether?

5. As described above, the purpose of the FinCEN consultation requirement is to ensure consistency in BSA/AML enforcement
   and supervision across banks, and for FinCEN to provide relevant information on the effectiveness and impact of an institution's
   AML/CFT program. While Treasury, FinCEN, and the Agencies believe the benefits of a required consultation process outweigh
   the costs, the parties recognize this adds additional layers of review for banks and the Agencies during an examination. Are
   there any avenues, communication channels, or methods in which FinCEN and the Agencies can streamline the consultation process
   and prevent logistical burdens for banks or delays in exam report issuance?

6. Is the definition of the term “significant AML/CFT supervisory action” sufficiently clear? Does the inclusion of “unsafe
   or unsound practices or conditions” introduce confusion about what types of supervisory actions would be subject to the FinCEN
   consultation requirement, since those terms are not found in the BSA?

Disclosure of Supervisory Information (IV.I)

1. The Agencies invite comment on the two options for permitting greater information sharing with the FinCEN Director regarding AML/CFT enforcement actions or significant AML/CFT supervisory actions. In particular, would the disclosure of confidential supervisory information to FinCEN compromise attorney-client privilege, other applicable privileges, or otherwise undermine the preservation of privilege in 12 U.S.C. 1821(t)?

Other Topics

1. Should the rule be revised to tailor program requirements or

   implementation timelines to the size, complexity, or risk profile of the bank?

Final Rule Effective Date (V.)

1. The Agencies are proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for financial institutions to review and implement their requirements. The Agencies solicit comment on the proposed effective date.

VII. Regulatory Impact Analysis

The proposed rule, if finalized, would modernize and align the Agencies' AML/CFT program requirements at 12 CFR parts 21 (OCC),
326 (FDIC), and 748 (NCUA) with the rule concurrently proposed by FinCEN under the BSA, as amended by the AML Act. (61) As described in Sections I-V of this
SUPPLEMENTARY INFORMATION
, the proposed rule would: clarify the elements of an effective, risk-based, and reasonably designed AML/CFT program; codify
risk-assessment processes; distinguish program establishment from program implementation; and enhance FinCEN's role in supervision
and enforcement through a structured consultation mechanism. As a result of these changes, the Agencies expect that banks
would recalibrate their AML/CFT programs to concentrate on higher-risk activities and deprioritize lower-risk activities,
resulting in greater overall efficiency in their AML/CFT programs.

In accordance with OMB Circular A-4, the Agencies estimate the annual effect of the proposed rule as the difference in estimated
economic outcomes between a state of the world in which the proposed rule is adopted and a baseline state of the world in
which the proposed rule is not adopted. This analysis assumes that in both states of the world, all other relevant regulations
and financial conditions data for all banks supervised by each of the Agencies as of the quarter ending September 30, 2025,
with one exception: because the proposed rule is being promulgated simultaneously with a rulemaking by FinCEN that will modify
rules regarding AML/CFT for a broader set of institutions regulated by FinCEN, the analysis assumes FinCEN's rulemaking is
finalized under both the baseline and under the proposed rule. This assumption allows the analysis to focus on the effects
specific to the proposed rule. Because banks supervised by each of the Agencies are required to comply with the BSA, the proposed
rule would apply to approximately 3,775 banks supervised by the FDIC and the OCC and another 4,331 credit unions supervised
by the NCUA for an approximate total population of 8,100 banks. (62)

Under the baseline, banks must establish and maintain effective AML/CFT programs. These programs must include risk-based internal
policies, procedures, and controls; a designated compliance officer; ongoing employee training; and independent testing. Banks
also must meet FinCEN's CDD requirements. The analysis below evaluates incremental impacts of the proposal against that baseline.

Overall, the proposed rule is expected to provide direct benefits to banks through increased clarity of rules and increased
consistency of enforcement for banks across financial regulators. The rule also codifies the general practice among banks
to calibrate their AML/CFT programs to concentrate on higher-risk activities and deprioritize lower-risk activities. This
recalibration would provide indirect benefits including the potential for reductions in crime due to greater deterrence and
restriction of the flow of illicit funds as well as potentially increased access to financial services by low-risk members
of the public. (63) The Agencies expect that the proposed rule would impose relatively small one-time adjustment costs on banks to update their
AML/CFT programs to align with the newly-clarified requirements. Compliance costs are not anticipated to increase on an on-going
basis, as overall program requirements have been clarified rather than increased and banks already maintain robust AML/CFT
programs. The remainder of this section discusses these effects in turn.

A. Benefits

1. Benefit to the Public: Reduction in Money Laundering and Terrorist Financing

Effective AML/CFT programs can deter illicit behavior by preventing the flow of illicit funds and assisting law enforcement
and national security efforts to identify and prosecute criminals. By clarifying banks' AML/CFT obligations, the proposed
rule may improve the effectiveness of AML/CFT programs for banks, relative to the baseline, by enabling them to reallocate
AML/CFT resources toward higher-risk customers and activities. This recalibration may reduce the frequency and severity of
harm caused by criminal activity.

Reductions in illicit financial activities from effective AML/CFT programs have several benefits, both for affected banks
as well as for the broader society. For banks, effective AML/CFT programs may result in direct cost savings due to a decreased
likelihood that they will be subject to illicit schemes, which in turn decreases the probability of disruptions to a bank's
normal business operations. It could result in other potential cost savings due to a decreased probability that a bank may
need to make victimized customer accounts whole, conduct internal investigations of successful illicit schemes, or implement
remediation steps to address and prevent future recurrences of previously successful illicit schemes. (64)

In terms of broader societal benefits, AML/CFT activities are often tied to other illicit activities such as but not limited
to drug, weapons, wildlife, or human trafficking as well as terrorist activities. Any reduction in money laundering or terrorist
financing is a benefit to society given the nature of the illegal activities that AML/CFT programs are designed to prevent.
While it is inherently difficult to estimate the annual reduction in crime generally or financial crime specifically that
could result from more effective AML/CFT programs, recent estimates suggest that those illicit activities run to the billions
or trillions of dollars (65) and affect millions of Americans, (66) and given that

  scale, even a very small percentage decrease would result in a meaningful benefit.

2. Benefit to the Public: Increased Access to Financial Services

An additional benefit of a recalibration of AML/CFT programs towards higher-risk activities under the proposed rule is that
fewer low-risk clients or customers, or potential clients and customers, of banks would be inadvertently or accidentally denied
access to banking services due to their non-illicit transactions being incorrectly flagged by an AML/CFT program. The Agencies
lack the data to quantify the scale of this benefit.

3. Benefit to Banks: Increased Clarity, Supervisory Coherence, and More Effective AML/CFT Programs

The proposed rule would generate additional qualitative benefits from increased clarity and supervisory coherence, relative
to the baseline. These benefits include: reducing regulatory fragmentation by harmonizing the Agencies' regulations with FinCEN's
corresponding regulations and eliminating overlap pertaining to the CDD requirements; providing clarity regarding supervisory
expectations, which will promote consistent supervisory outcomes across Agencies; enhancing outcomes related to national security
and law enforcement by reinforcing risk-based approaches; and enabling more consistent identification and reporting of higher-priority
illicit activity.

Having an effective AML/CFT program also reduces a bank's probability of regulatory and legal consequences, which may otherwise
increase a bank's costs and adversely affect earnings. For example, ineffective programs that lead to significant AML/CFT
activities may result in subsequent higher: operational risk capital requirements for larger banks currently subject to operational
risk regulations; compliance costs from increased regulatory monitoring; or legal costs and financial penalties if program
deficiencies result in violations of law, such as potential enforcement actions and civil money penalties.

Although these benefits are not readily quantifiable, they are expected to improve the focus of (1) AML/CFT supervision on
mitigating significant or systemic failures in a bank's AML/CFT program and (2) bank compliance programs on higher-risk customers
and activities.

B. Costs

1. One-Time Adjustment Costs to Banks

If adopted, the proposed rule would require alignment of existing AML/CFT programs to the clarified requirements. However,
these costs are expected to be minimal. Possible one-time costs include:

—Labor costs associated with updating policy, procedure, and documentation to reflect risk-assessment processes, to codify
definitions of “establish,” “maintain,” and “implement”, and to comply with the requirement that the program be written, accessible
upon request, and approved by the board (or equivalent governance).

—Potential labor costs or transitional productivity reductions associated with ensuring that the designated AML/CFT officer
is located in the United States and has sufficient authority, stature, independence, and resourcing to comply with the requirements
of the proposed rule.

—Training costs to refresh relevant personnel to reflect the revised expectations, risk prioritization, updated governance
roles, and program documentation.

Given that most banks maintain AML/CFT programs that adhere with current regulations and supervisory expectations and given
that the proposed rulemaking sets forth requirements that banks are already generally in compliance with, these incremental
costs are expected to be minimal relative to current AML/CFT compliance costs. The Agencies do not have data available to
estimate the one-time transition costs listed. In addition, the Agencies recognize that these costs vary across banks based
on their size, complexity, and the specific activities they engage in, as well as the sophistication of their current BSA
compliance program. (67) Based on supervisory experience, Agency staff believe that banks are already generally in compliance with the proposed requirements
based on longstanding regulatory and supervisory expectations. Therefore, the Agencies anticipate that banks would expend de minimis incremental costs to update their AML/CFT compliance programs in conformance with the proposed requirements.

2. Ongoing Costs to Banks

While the Agencies lack the data necessary to estimate how compliance costs for banks would change under the proposed rule,
several factors suggest that ongoing compliance costs would be similar to the baseline. (68) First, banks already maintain extensive AML/CFT programs, in many cases exceeding the minimum requirements under current rules.
Second, the proposed rule would clarify existing requirements rather than imposing new ones, which suggests that banks may
not find it necessary to devote additional resources to AML/CFT programs relative to the baseline.

As a result, the Agencies anticipate no increase in ongoing compliance costs resulting from the proposed rule. Given the economic
effects described above, the Agencies expect the benefits of the proposed rule would justify the costs.

The Agencies invite comments on all aspects of the economic analysis provided in this supplemental information. What, if any,
additional significant benefits or costs should the Agencies consider and why?

VIII. Alternatives Considered

The Agencies have considered several alternatives to the proposed rule which could meet the objectives of this rulemaking.
For the reasons described, the Agencies view the proposed rule as the most appropriate and effective means of achieving their
policy objectives with respect to the Anti-Money Laundering Act of 2020.

The Agencies considered taking no regulatory action. Under this alternative, banks would remain subject to separate, partially
overlapping, and in some cases

  inconsistent AML/CFT program requirements across FinCEN and the Agencies. This would perpetuate regulatory fragmentation,
  increase compliance uncertainty, and risk inefficient resource allocation contrary to the AML Act's emphasis on risk-based
  programs. It would also fail to implement the AML Act's requirement that the AML/CFT Priorities be incorporated into program
  rules and examined accordingly, and it would not establish a uniform framework for distinguishing between program establishment
  and implementation. The Agencies therefore rejected this alternative.

The Agencies considered reissuing or finalizing the 2024 Notice of Proposed Rulemaking (2024 NPRM), which previously addressed
these issues. However, public comments in response to the 2024 NPRM suggested that the 2024 NRPM did not adequately emphasize
the increased flexibility of banks to recalibrate their BSA/AML programs to concentrate on higher-risk activities. In contrast,
the proposed rule would provide such flexibility, and as discussed in this section, result in greater benefits to the public.
The proposed rule also includes provisions requiring FinCEN's consultation on supervisory actions and other measures to refocus
supervision on substantive issues with banks' BSA/AML programs rather than on procedural compliance. The Agencies therefore
chose to issue the proposed rule.

The Agencies considered developing more prescriptive program requirements, such as mandatory risk-assessment methodologies,
specific governance structures, required technologies, or defined timelines for updating risk assessments. Such an approach
would conflict with the AML Act's emphasis on risk-based, flexible, and outcome-oriented AML/CFT programs, and would be inconsistent
with the Agencies' stated view that banks are best positioned to identify and evaluate their own risks. The Agencies therefore
rejected this alternative in favor of a flexible framework aligned with statutory intent.

The Agencies considered extending the implementation period beyond the proposed 12 months. A longer period would reduce near-term
adjustment costs for some banks but would delay the benefits of improved clarity, harmonization, and risk-based supervision.
Given that most banks already maintain programs substantially consistent with the proposed requirements, the Agencies believe
a 12-month period appropriately balances transition needs and timely realization of benefits.

The Agencies considered whether the proposed rule should apply only to larger or more complex banks or include tailored requirements
by size or business model. Because all banks must comply with the BSA, and because the proposal is inherently risk-based and
scalable to each bank's risk profile, the Agencies determined that formal tailoring was unnecessary. Explicit tailoring could
also undermine consistency and create cliff effects as banks restrict their growth to remain under regulatory thresholds.
Therefore, the Agencies retained full applicability while emphasizing flexibility in program design.

The Agencies invite comments on possible alternatives to the proposed rule.

IX. Administrative Law Matters

A. Regulatory Flexibility Act (RFA)

OCC RFA

The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires an agency, in connection with a proposed rule, to prepare an initial Regulatory Flexibility Analysis describing the
impact of the rule on small entities (defined by the U.S. Small Business Administration (SBA) for purposes of the RFA to include
commercial banks and savings institutions with total assets of $850 million or less and trust companies with total assets
of $47 million or less) or to certify that the rule will not have a significant economic impact on a substantial number of
small entities. The OCC currently supervises approximately 609 small entities, all of which would be subject to the proposed
rule. In general, the OCC classifies the economic impact on an individual small entity as significant if the total estimated
impact in one year is greater than 5 percent of the small entity's total annual salaries and benefits or greater than 2.5
percent of the small entity's total non-interest expense. Furthermore, the OCC considers 5 percent or more of OCC-supervised
small entities to be a substantial number. Thus, at present, 30 OCC-supervised small entities would constitute a substantial
number.

The OCC's proposed rulemaking imposes no additional mandates, and thus no incremental direct costs beyond FinCEN's proposed
rule, on affected OCC-supervised institutions. (69) Therefore, the OCC certifies that the proposed rule would not have a significant economic impact on a substantial number of
OCC-supervised small entities.

FDIC

The RFA generally requires an agency, in connection with a proposed rule, to prepare and make available for public comment
an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities. (70) However, an initial regulatory flexibility analysis is not required if the agency certifies that the proposed rule will not,
if promulgated, have a significant economic impact on a substantial number of small entities. The SBA has defined “small entities”
to include banking organizations with total assets of less than or equal to $850 million. (71) Generally, the FDIC considers a significant economic impact to be a quantified effect in excess of 5 percent of total annual
salaries and benefits or 2.5 percent of total noninterest expenses. The FDIC believes that effects in excess of one or more
of these thresholds typically represent significant economic impacts for FDIC-supervised institutions. For the reasons provided
below, the FDIC certifies that the proposed rule would not have a significant economic impact on a substantial number of small
banking organizations. Accordingly, a regulatory flexibility analysis is not required.

As previously discussed, the proposed rule, if finalized, would modernize and align the Agencies' AML/CFT program requirements
with FinCEN's concurrently proposed BSA

  rule, as amended by the AML Act. [(72)]() It would clarify the components of an effective, risk based AML/CFT program; codify risk assessment processes; distinguish
  program establishment from implementation; and strengthen FinCEN's supervisory and enforcement role through structured consultation,
  if adopted. All FDIC-supervised Insured Depository Institutions (IDIs) are required to comply with AML/CFT program requirements.
  As of the quarter ending September 30, 2025, the FDIC supervised 2,778 institutions, [(73)]() of which 2,064 are considered small entities for the purposes of RFA. [(74)]() Therefore, the FDIC estimates that the proposed rule would directly affect 2,064 small, FDIC-supervised IDIs.

As noted in section VII, the FDIC estimates the effect of the proposed rule on each small FDIC-supervised IDI as the difference
in estimated economic outcomes between a state of the world in which the proposed rule is adopted and a baseline state of
the world in which the proposed rule is not adopted. This analysis assumes that in both states all other relevant statutes
and regulations applicable to IDIs that existed as of September 30, 2025 would be in place, with one exception: because the
proposed rule is being promulgated simultaneously with a rulemaking by FinCEN that will modify rules regarding AML/CFT for
a broader set of institutions regulated by FinCEN, the analysis assumes FinCEN's rulemaking is finalized under both the baseline
and under the proposed rule. This assumption allows the analysis to focus on the effects specific to the proposed rule. Under
the baseline, small, FDIC-supervised IDIs would continue to be required to maintain AML/CFT programs that adhere to current
regulations and supervisory expectations. These requirements include internal policies, procedures, and controls; a designated
compliance officer; ongoing employee training; and independent testing. Small, FDIC-supervised institutions would also continue
to be required to meet FinCEN's CDD requirements and are expected, though not uniformly codified, to maintain risk assessment
processes.

The proposed rule introduces changes that are unlikely to result in significant direct effects to small, FDIC-supervised IDIs.
As discussed in section VII, small, FDIC-supervised IDIs are already generally in compliance with the proposed requirements
based on longstanding regulatory and supervisory expectations. Therefore, small, FDIC-supervised IDIs would incur de minimis incremental costs to update their AML/CFT compliance programs to conform with the proposed requirements. In addition, the
FDIC anticipates no small, FDIC-supervised IDI would incur a significant increase in ongoing compliance costs as a result
of the proposed rule. (75)

As a result, the FDIC certifies that the rule would not have a significant economic impact on a substantial number of small
entities.

The FDIC invites comments on all aspects of the supporting information provided in this section, and in particular, whether
the proposed rule would have any significant effects on small entities that the FDIC has not identified.

NCUA

The Regulatory Flexibility Act generally requires an agency to conduct a regulatory flexibility analysis of any rule subject
to notice and comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic
impact on a substantial number of small entities. (76) If the agency makes such a certification, it shall publish the certification at the time of publication of either the proposed
rule or the final rule, along with a statement providing the factual basis for such certification. (77) For purposes of this analysis, the NCUA considers small credit unions to be those having under $100 million in assets. (78)

As of September 30, 2025, the NCUA supervised 4,331 Federally insured credit unions (FICUs. Typically, credit unions are much
smaller than commercial banks. For example, median asset size for those 4,331 credit unions was $63.63 million; the comparable
figure for FDIC-insured banks was $370.84 million (nearly six times the FICU figure). (79) The NCUA considers FICUs with fewer than $100 million in assets to be small entities for RFA purposes. As of 2025: Q3, 2,553
FICUs, or 58.9 percent of supervised institutions, qualified as small. Median asset size for small FICUs was $21.24 million.
The median number of full-time equivalent employees (FTEs) for small credit unions was five. Because this rule applies to
FICUs of all sizes, it will undoubtedly affect small credit unions. Both qualitative and quantitative evidence, however, point
to an economically insignificant impact on small FICUs.

As for qualitative evidence, the NCUA already expects FICUs to maintain robust BSA-AML policies, consistent with the size
and scope of the credit union. Because the agency believes the proposed rule largely codifies existing supervisory expectations,
it should not prove a burden for most FICUs. Some credit unions, however, may find supervisory expectations marginally tighter
relative to the current regime. Of course, adapting to marginal changes could still challenge credit unions with as few as
five FTEs. For that reason, the NCUA makes resources available to help small credit unions meet such challenges and, more
broadly, support overall growth and development.

As for quantitative evidence, the OCC and FDIC present analysis showing the number of supervised institutions for whom compliance
will potentially be burdensome. Their threshold for “burdensome” is a compliance cost exceeding five percent of compensation
expense or 2.5 percent of total non-interest expense. The NCUA believes these hurdles do not automatically carry over to FICUs
because of the significant differences between the size, structure, and operating models of banks and credit unions. Unlike
commercial banks, for example, credit unions are cooperatives. On average, credit-union compensation expense per employee
is lower than bank compensation expense. Finally, many small credit unions have relied historically on volunteers and sponsor
support to contain expenses. These factors collectively suggest the materiality threshold should be higher for credit unions.
But even assuming every small credit union needs 32 hours to comply with the rule, that all credit unions pay the average
hourly wage for

  FICUs with fewer than $100 million in assets, and the bank thresholds for materiality are appropriate, the number of credit
  unions facing a significant compliance burden is roughly in line with the figures obtained by the FDIC.

B. Paperwork Reduction Act (PRA)

The Paperwork Reduction Act of 1995 (80) (PRA) states that no agency may conduct or sponsor, nor is the respondent required to respond to, an information collection
unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC and FDIC have reviewed
this proposed rule and determined that it does not create any information collection.

The NCUA is proposing to extend for three years, with revision, its information collection. This revision will be submitted
to OMB for approval under the PRA.

Title of Information Collection: Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements.

OMB Control Number: 3133-0108.

Respondents: All federal insured credit unions.

Estimated Annual Burden: 80,856.

| Information collection
(obligation to respond) | Type of
burden(frequency of response) | Number of
respondents | Number of
responses perrespondent | Average
time perresponse(hours) | Total
estimatedannualburden(hours) |
| --- | --- | --- | --- | --- | --- |
| 1. Establish AML/CFT Program. (Implementation) 12 CFR 748.2(b) and (c) (Mandatory) | Recordkeeping (One Time) | 4,331 | .3 | 32 | 46,208 |
| 2. Maintain AML/CFT Program. (Ongoing) 12 CFR 748.2(b) and (c) (Mandatory) | Recordkeeping (Annual) | 4,331 | 1 | 8 | 34,648 |
| Total Estimated Annual Burden (Hours) | | | | | 80,856 |
The NCUA invites comments on:

(a) Whether the collections of information are necessary for the proper performance of the Agencies' functions, including
whether the information has practical utility;

(b) The accuracy of the Agencies estimates of the burden of the information collections, including the validity of the methodology
and assumptions used;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the information collections on respondents, including through the use of automated collection
techniques or other forms of information technology; and

(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Comments on aspects of this document that may affect reporting, recordkeeping, or disclosure requirements and burden estimates
should be sent to the addresses listed in the
ADDRESSES
section of this document. Written comments and recommendations for these information collections also should be sent within
30 days of publication of this document to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using
the search function.

C. Riegle Community Development and Regulatory Improvement Act

Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA), (81) in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting,
disclosure, or other requirements on IDIs, each Federal banking agency must consider, consistent with principles of safety
and soundness and the public interest, any administrative burdens that such regulations would place on affected depository
institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of
such regulations. In addition, section 302(b) of the RCDRIA requires new regulations and amendments to regulations that impose
additional reporting, disclosures, or other new requirements on IDIs generally to take effect on the first day of a calendar
quarter that begins on or after the date on which the regulations are published in final form. The Agencies invite comments
that further will inform their consideration of the RCDRIA. (82)

D. Plain Language

Section 722 of the Gramm-Leach-Bliley Act (83) requires the Federal banking Agencies to use plain language in all proposed and final rulemakings published in the
Federal Register
after January 1, 2000. The Agencies invite your comments on how to make this proposed rule easier to understand. For example:

• Have the Agencies organized the material to suit your needs? If not, how could the proposed rule be more clearly stated?
• Are the requirements in the proposed rule clearly stated? If not, how could the proposed rule be more clearly stated?
• Does the proposed rule contain language or jargon that is not clear? If so, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the proposed rule easier to understand? If so, what changes to the format would make the proposed rule easier to understand?
• What else could the Agencies do to make the proposed rule easier to understand?

E. Providing Accountability Through Transparency Act of 2023

The Providing Accountability Through Transparency Act of 2023 requires that a notice of proposed rulemaking include the internet
address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the
internet website under section

  206(d) of the E-Government Act of 2002. [(84)]()

The proposal and the required summary can be found for the Agencies at https://www.regulations.gov by searching for Docket ID OCC-2024-0005 and https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html, https://www.fdic.gov/resources/regulations/federal-register-publications/index.html#, and https://www.regulations.gov by searching for Docket ID NCUA-2024-0033.

F. Executive Orders 12866, 13563, and 14192

Executive Order 12866, as affirmed and supplemented by Executive Order 13563, directs agencies to assess the costs and benefits
of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits.
This proposed rule was drafted and reviewed in accordance with Executive Order 12866. Within OMB, the Office of Information
and Regulatory Affairs (OIRA) has determined that this rulemaking is an “economically significant regulatory action” pursuant
to Executive Order 12866 section 3(f)(1). Accordingly, the draft rule was submitted to OIRA for review. As noted in other
sections of the
SUPPLEMENTARY INFORMATION
of this document, the Agencies have assessed the costs and benefits of this rulemaking and have made a reasoned determination
that the benefits of this rulemaking justify its costs. This proposed rule, if finalized as proposed, is not expected to be
a regulatory action under Executive Order 14192 because it imposes no more than de minimis costs.

G. Unfunded Mandates Reform Act

The OCC has analyzed the proposed rule under the factors in the Unfunded Mandates Reform Act of 1995 (UMRA). Under this analysis,
the OCC considered whether the proposed rule includes a Federal mandate that may result in the expenditure by State, local,
and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year ($187 million
as adjusted annually for inflation). Pursuant to section 202 of the UMRA, if a proposed rule meets this UMRA threshold, the
OCC would need to prepare a written statement that includes, among other things, a cost-benefit analysis of the proposal.
The UMRA does not apply to regulations that incorporate requirements specifically set forth in law.

The OCC estimates that the proposed rule would not require additional expenditures from OCC regulated entities. As noted earlier,
there are no additional mandated costs associated with the OCC's proposed rule beyond those required by FinCEN's concurrently
issued proposal. Therefore, there are no UMRA costs associated with the OCC's proposal. The OCC's proposed rule would not
result in an expenditure of $187 million or more annually by State, local, and tribal governments, or by the private sector.

H. NCUA Analysis on Executive Order 13132 on Federalism

Executive Order 13132 encourages certain regulatory agencies to consider the impact of their actions on State and local interests.
The NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the executive order to adhere to fundamental Federalism
principles. This proposed rule would apply to all Federally insured credit unions, including State-chartered credit unions.
This scope is set by statute. The NCUA works cooperatively with State regulatory agencies on all supervisory matters, including
AML/CFT matters, and will continue to do so. The NCUA expects that any effect on States or on the distribution of power and
responsibilities among the various levels of government will be minor. The NCUA welcomes comments on ways to eliminate, or
at least minimize, any potential impact in this area.

I. NCUA Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the
Treasury and General Government Appropriations Act, 1999. (85) The proposed rule relates to Federally insured credit unions' AML/CFT programs, and any effect on family well-being is expected
to be indirect.

List of Subjects

Crime, Currency, National banks, Reporting and recordkeeping requirements, Security measures.

Banks, Banking, Currency, Reporting and recordkeeping requirements, Security measures.

Computer technology, Confidential business information, Credit unions, Crime, Currency, Internet, Personally identifiable
information, Privacy, Reporting and recordkeeping requirements, Security measures.

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

Authority and Issuance

For the reasons set forth in the preamble, the Office of the Comptroller of the Currency proposes to amend 12 CFR part 21
as follows:

PART 21—MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

1. The authority citation for part 21 continues to read as follows:

Authority:

12 U.S.C. 1, 93a, 161, 1462a, 1463, 1464, 1818, 1881-1884, and 3401- 3422; 31 U.S.C. 5318.

1. The heading of part 21 is revised to read as set forth above.

2. Revise and republish subpart C to read as follows:

Subpart C—Procedures for Anti-Money Laundering/Countering the Financing of Terrorism Compliance

§ 21.21 Anti-Money Laundering/Countering the Financing of Terrorism Compliance, Supervision, and Enforcement. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by the OCC under authority of 12 U.S.C. 1818 or other applicable law, that seeks
to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies
relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means:

(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or

(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this section.

(3) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100

(4) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of

  law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to a national bank or Federal savings association regarding actions or remedial
measures required to correct the deficiency, weakness, violation, or practice or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the national bank or Federal savings
association.

The term does not include examiner observations, suggestions, or other informal comments.

(b) AML/CFT program in general. Each national bank or Federal savings association must establish and maintain an effective AML/CFT program. A national bank
or Federal savings association complies with this requirement if it:

(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.

(c) AML/CFT program establishment. A national bank or Federal savings association establishes an AML/CFT program in accordance with this paragraph if it:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and the implementing regulations at 31 CFR chapter X and to:

(i) Identify, assess, and document the national bank's or Federal savings association's money laundering, terrorist financing,
and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the national bank's or
Federal savings association's business activities, including its products, services, distribution channels, customers, and
geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and

(C) Are updated promptly upon any change that the national bank or Federal savings association knows or has reason to know
significantly changes the national bank's or Federal savings association's money laundering, terrorist financing, and other
illicit finance activity risks;

(ii) Mitigate the national bank's or Federal savings association's money laundering, terrorist financing, and other illicit
finance activity risks consistent with the risk assessment processes required under paragraph (c)(1)(i) of this section, including
by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of
the national bank or Federal savings association, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR
1010.230);

(2) Establishes independent AML/CFT program testing to be conducted by bank or savings-association personnel or by an outside
party;

(3) Designates an individual, who is (i) located in the United States; (ii) accessible to, and subject to oversight and supervision
by, FinCEN and the OCC; and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring
day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(d) AML/CFT program implementation. A national bank or Federal savings association implements an AML/CFT program in accordance with this paragraph if the national
bank or Federal savings association implements, in all material respects, the AML/CFT program required under paragraph (c)
of this section.

(e) Written AML/CFT program and approval. A national bank's or Federal savings association's AML/CFT program must be written, and it must be approved by the national
bank's or Federal savings association's board of directors, an equivalent governing body within the national bank or Federal
savings association, or appropriate senior management within the national bank or Federal savings association.

(f) Customer identification program. Each national bank or Federal savings association shall implement a customer identification program in accordance with 31
CFR 1020.220.

(g) Enforcement and supervision policy.

(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d)
of this section, a national bank or Federal savings association that has established an AML/CFT program in accordance with
paragraph (c) of this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory
action related to the requirements of 12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.

(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory
action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c)of this section.

(3) Criminal Enforcement Unaffected. Nothing in this subpart may be construed to affect criminal enforcement under the BSA.

(h) FinCEN consultation.

(1) Consultation and consideration requirement. Before initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action, the OCC will provide the FinCEN
Director an opportunity to review the action and consider any input offered by the FinCEN Director on the action, which may
include any view as to the effectiveness of the national bank's or Federal savings association's AML/CFT program.

(2) Notice requirement. To provide the FinCEN Director an opportunity to provide a view under paragraph (h)(1) of this section, the OCC will:

(i) Send written notice to the FinCEN Director of its intent to take that action at least 30 days before taking the action
(unless a shorter period of time is necessary, in the sole discretion of the Comptroller of the Currency, to remedy, prevent,
or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the
proposed action, including the relevant portions of the draft report or enforcement action, the relevant examination workpapers
supporting the proposed action, and the relevant AML/CFT information submitted by the national bank or Federal savings association
to the OCC, other than information over which the national bank or Federal savings association may claim privilege under Federal
or State law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the FinCEN Director regarding
the proposed action.

(i) Disclosure of supervisory information to FinCEN.

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 4, the OCC permits a national bank or Federal savings associations, on behalf of OCC, to disclose
to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT
enforcement action or significant AML/CFT supervisory action to which the national bank or Federal savings association has
access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 4, the OCC permits a national bank or Federal savings association, on behalf of the OCC, to
disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential
AML/CFT enforcement action or significant AML/CFT supervisory action to which the national bank or Federal savings association
has access upon the contemporaneous disclosure of such information to the OCC.

(2) A national bank's or Federal savings association's disclosure of information to the FinCEN Director under paragraph (i)(1)
of this section does not waive, invalidate, destroy, or otherwise affect any privilege or protection available under Federal
or State law, including the attorney-client privilege, the work-product doctrine, the bank-examination privilege, or any other
confidentiality or evidentiary privilege.

(3) Any disclosure made by a national bank or Federal savings association under paragraph (i)(1) of this section is made on
behalf of the OCC pursuant to the OCC's authorization under 12 U.S.C. 1821(t).

(j) Severability.

The provisions of this subpart are separate and severable from one another. If any provision of this subpart is held to be
invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect
other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the
invalid provision or application.

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

Authority and Issuance

For the reasons set forth in the preamble, the Federal Deposit Insurance Corporation proposes to amend 12 CFR part 326 as
follows:

PART 326—MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

1. The authority citation for part 326 is revised to read as follows:

Authority:

12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1829b, 1881-1883, 5412; 31 U.S.C. 5311-5314, 5316-5336.

1. The heading of part 326 is revised to read as set forth above.

2. Revise and republish subpart B to read as follows:

Subpart B—Procedures for Monitoring Anti-Money Laundering/Countering the Financing of Terrorism Compliance

§ 326.8 Anti-Money Laundering/Countering the Financing of Terrorism Compliance, Supervision, and Enforcement. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by the FDIC under authority of 12 U.S.C. 1818 or other applicable law, that seeks
to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies
relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means:

(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or

(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this section.

(3) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100.

(4) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions
relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to an FDIC-supervised institution regarding actions or remedial measures required
to correct the deficiency, weakness, violation, or practice or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the FDIC-supervised institution.

The term does not include examiner observations, suggestions, or other informal comments.

(5) FDIC-supervised institution or institution means any entity for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to
section 3(q) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(q).

(b) AML/CFT program in general. Each FDIC-supervised institution must establish and maintain an effective AML/CFT program. A FDIC-supervised institution complies
with this requirement if it:

(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.

(c) AML/CFT program establishment. An FDIC-supervised institution establishes an AML/CFT program in accordance with this paragraph if it:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and the implementing regulations at 31 CFR chapter X and to:

(i) Identify, assess, and document the FDIC-supervised institution's money laundering, terrorist financing, and other illicit
finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the FDIC-supervised institution's
business activities, including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and

(C) Are updated promptly upon any change that the FDIC-supervised institution knows or has reason to know significantly changes
the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity
risks consistent with the risk assessment processes required under paragraph (c)(1)(i) of this section, including by directing
more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the FDIC-supervised
institution, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR
1010.230);

(2) Establishes independent AML/CFT program testing to be conducted by institution personnel or by an outside party;

(3) Designates an individual, who is (i) located in the United States, (ii) accessible to, and subject to oversight and supervision
by, FinCEN and the FDIC, and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and
monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(d) AML/CFT program implementation. An FDIC-supervised institution implements an AML/CFT program in accordance with this paragraph if the FDIC-supervised institution
implements, in all material respects, the AML/CFT program required under paragraph (c) of this section.

(e) Written AML/CFT program and approval. A FDIC-supervised institution's AML/CFT program must be written and it must be approved by the FDIC-supervised institution's
board of directors, an equivalent governing body within the FDIC-supervised institution, or appropriate senior management
within the FDIC-supervised institution.

(f) Customer identification program. Each FDIC-supervised institution shall implement a customer identification program in accordance with 31 CFR 1020.220.

(g) Enforcement and supervision policy.

(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d)
of this section, an FDIC-supervised institution that has established an AML/CFT program in accordance with paragraph (c) of
this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to
the requirements of 12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.

(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory
action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c) of this section.

(3) Criminal Enforcement Unaffected. Nothing in this subpart may be construed to affect criminal enforcement under the BSA.

(h) FinCEN consultation.

(1) Consultation and consideration requirement. Before initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action, the FDIC will provide the FinCEN
Director an opportunity to review the action and consider any input offered by the FinCEN Director on the action, which may
include any view as to the effectiveness of the FDIC-supervised institution's AML/CFT program.

(2) Notice requirement. To provide the FinCEN Director an opportunity to provide a view under paragraph (h)(1) of this section, the FDIC will:

(i) Send written notice to the FinCEN Director of its intent to take that action at least 30 days before taking the action
(unless a shorter period of time is necessary, in the sole discretion of the FDIC, to remedy, prevent, or respond to an unsafe
or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the proposed action, including
the relevant portions of the draft report or enforcement action, the relevant examination workpapers supporting the proposed
action, and the relevant AML/CFT information submitted by the FDIC-supervised institution to the FDIC, other than information
over which the FDIC-supervised institution may claim privilege under Federal or State law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the FinCEN Director regarding
the proposed action.

(i) Disclosure of supervisory information to FinCEN.

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 309, the FDIC permits an FDIC-supervised institution, on behalf of FDIC, to disclose to the
FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement
action or significant AML/CFT supervisory action to which the FDIC-supervised institution has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 309, the FDIC permits an FDIC-supervised institution, on behalf of the FDIC, to disclose to
the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT
enforcement action or significant AML/CFT supervisory action to which the FDIC-supervised institution has access upon the
contemporaneous disclosure of such information to the FDIC.

(2) An FDIC-supervised institution's disclosure of information to the FinCEN Director under paragraph (i)(1) of this section
does not waive, invalidate, destroy, or otherwise affect any privilege or protection available under Federal or State law,
including the attorney-client privilege, the work-product doctrine, the bank-examination privilege, or any other confidentiality
or evidentiary privilege.

(3) Any disclosure made by an FDIC-supervised institution under paragraph (i)(1) of this section is made on behalf of the
FDIC pursuant to the FDIC's authorization under 12 U.S.C. 1821(t).

(j) Severability.

The provisions of this subpart are separate and severable from one another. If any provision of this subpart is held to be
invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect
other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the
invalid provision or application.

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

Authority and Issuance

For the reasons set forth in the preamble, the National Credit Union Administration proposes to amend 12 CFR part 748 as follows:

PART 748—SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS, CYBER INCIDENTS, AND ANTI-MONEY LAUNDERING/COUNTERING

THE FINANCING OF TERRORISM PROGRAM

1. The authority citation for part 748 continues to read as follows:

Authority:

12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.

1. The heading of part 748 is revised to read as set forth above.

2. Revise § 748.2 and republish to read as follows:

§ 748.2 Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Program Requirements. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by the NCUA under authority of 12 U.S.C. 1786 or other applicable law, that seeks
to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies
relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means:

(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or

(ii) A requirement prescribed under 12 U.S.C. 1786(q) or this section.

(3) Credit union for the purposes of this section means a federally insured credit union.

(4) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100.

(5) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions
relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to a credit union regarding actions or remedial measures required to correct the
deficiency, weakness, violation, or practice, or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the credit union.

The term does not include examiner observations, suggestions, or other informal comments.

(b) AML/CFT program in general. Each credit union must establish and maintain an effective AML/CFT program. A credit union complies with this requirement
if it:

(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.

(c) AML/CFT program establishment. A credit union establishes an AML/CFT program in accordance with this paragraph if it:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and the implementing regulations at 31 CFR Chapter X and to:

(i) Identify, assess, and document the credit union's money laundering, terrorist financing, and other illicit finance activity
risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the credit union's business
activities, including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and

(C) Are updated promptly upon any change that the credit union knows or has reason to know significantly changes the credit
union's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the credit union's money laundering, terrorist financing, and other illicit finance activity risks consistent
with the risk assessment processes required under paragraph (c)(1)(i) of this section, including by directing more attention
and resources toward higher-risk customers and activities, consistent with the risk profile of the credit union, rather than
toward lower-risk customers and activities; and

(iii) Conduct ongoing customer-due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR
1010.230);

(2) Establishes independent AML/CFT program testing to be conducted by credit union personnel or by an outside party;

(3) Designates an individual, who is (i) located in the United States, (ii) accessible to, and subject to oversight and supervision
by, FinCEN and the NCUA, and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and
monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(d) AML/CFT program implementation. A credit union implements an AML/CFT program in accordance with this paragraph if the credit union implements, in all material
respects, the AML/CFT program required under paragraph (c) of this section.

(e) Written AML/CFT program and approval. Acredit union's AML/CFT program must be written, and it must be approved by the credit union's board of directors, an equivalent
governing body within the credit union, or appropriate senior management within the credit union.

(f) Customer identification program. Each credit union shall implement a customer identification program in accordance with 31 CFR 1020.220.

(g) Enforcement and supervision policy.

(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d)
of this section, a credit union that has established an AML/CFT program in accordance with paragraph (c) of this section will
not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to the requirements
of 12 U.S.C. 1786(q), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.

(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory
action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c) of this section.

(3) Criminal Enforcement Unaffected. Nothing in this subpart may be construed to affect criminal enforcement under the BSA.

(h) FinCEN consultation.

(1) Consultation and consideration requirement. Before initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action, the NCUA will provide the FinCEN
Director an opportunity to review the action and will consider any input offered by the FinCEN Director on the action, which
may include any view as to the effectiveness of the credit union's AML/CFT program.

(2) Notice requirement. To provide the FinCEN Director with an opportunity to provide a view under paragraph (h)(1) of this section, the NCUA will:

(i) Send written notice to the FinCEN Director of its intent to take that action at least 30 days before taking the action
(unless a shorter period of time is necessary, in the sole discretion of the Chairman or his/her designee, to remedy, prevent,
or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the
proposed action, including the relevant portions of the draft report or

  enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information
  submitted by the credit union to the NCUA, other than information over which the credit union may claim privilege under Federal
  or state law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the FinCEN Director regarding
the proposed action.

(i) Disclosure of supervisory information to FinCEN.

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 792, the NCUA permits a credit union, on behalf of the NCUA, to disclose to the FinCEN Director,
and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or
significant AML/CFT supervisory action to which the credit union has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 792, the NCUA permits a credit union, on behalf of the NCUA, to disclose to the FinCEN Director,
and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or
significant AML/CFT supervisory action to which the credit union has access upon the contemporaneous disclosure of such information
to the NCUA.

(2) A credit union's disclosure of information to the FinCEN Director, under paragraph (i)(1) of this section does not waive,
invalidate, destroy, or otherwise affect any privilege or protection available under Federal or state law, including the attorney-client
privilege, the work-product doctrine, the bank-examination privilege, or any other confidentiality or evidentiary privilege.

(3) Any disclosure made by a credit union under paragraph (i)(1) of this section is made on behalf of the NCUA pursuant to
the NCUA's authorization under 12 U.S.C. 1821(t).

(j) Severability.

The provisions of this subpart are separate and severable from one another. If any provision of this subpart is held to be
invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect
other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the
invalid provision or application.

Jonathan V. Gould, Comptroller of the Currency. Federal Deposit Insurance Corporation.

By order of the Board of Directors.

Dated at Washington, DC, on April 7, 2026. Jennifer M. Jones, Deputy Executive Secretary. By the National Credit Union Administration Board, this 7th day of April 2026. Melane Conyers-Ausbrooks, Secretary of the Board. [FR Doc. 2026-06948 Filed 4-9-26; 8:45 am] BILLING CODE 4810-33-P; 6714-01-P; 7535-01-P

Footnotes

(1) In Section V.A., the Agencies describe the express incorporation of the countering the financing of terrorism (CFT) requirements
as part of a bank's anti-money laundering (AML) program requirements. For consistency throughout this proposed rule, AML program
requirements will be described as AML/CFT program requirements.

(2) The term “bank” is defined in regulations implementing the BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch,
or office within the United States of banks, savings associations, credit unions, and foreign banks. For purposes of this
proposed rule, the term bank solely refers to institutions whose primary regulator is one of the Agencies. The proposed rule
would remove language in 12 CFR 21.21, which contains the OCC's program rule requirements, applicable to state savings associations.
This language was adopted as part of the transfer of authorities from the Office of Thrift Supervision. In 2020, the FDIC
issued a final rule making 12 CFR part 326 applicable to State savings associations, meaning it is no longer necessary to
cover State savings associations in 12 CFR 21.21.

(3) FinCEN is requesting comment on proposed amendments to its AML/CFT program rule for banks at the same time as this proposed
rule from the Agencies. FinCEN's bank program rule is located at 31 CFR 1020.210, while each Agency has its own implementing
regulation. See 12 CFR 21.21 (OCC); 12 CFR 326.8 (FDIC); and 12 CFR 748.2 (NCUA).

(4) FinCEN currently defines this term in 31 CFR 1010.100(e). However, FinCEN notes in the preamble to its concurrently issued
rule that the proposed rule also would make minor changes to the definitions in FinCEN regulations. These changes include
the definition of “Bank Secrecy Act” at 31 CFR 1010.100(e), adding statutory references to the Anti-Money Laundering Act of
2020 (AML Act) and the Corporate Transparency Act, and removing the reference to “collection of statutes commonly referred
to as . . . .” Certain criminal statutes—namely, 18 U.S.C. 1956, 1957, and 1960—are currently included in the BSA definition
at 31 CFR 1010.100(e). Section 6003 of the AML Act, however, does not include these provisions in its BSA definition, and
thus FinCEN is not considering them part of the BSA for the purposes of its proposed rule.

(5) 31 U.S.C. 5311(1).

(6) Treasury Order 180-01 (Jan. 14, 2020), paragraph 3; see also 31 U.S.C. 310(b)(2)(I) (providing that the Director of FinCEN shall “[a]dminister the requirements of subchapter II of chapter
53 of this title, chapter 2 of title I of Public Law 91-508, and section 21 of the Federal Deposit Insurance Act, to the extent
delegated such authority by the Secretary of the Treasury.”).

(7) Public Law 99-570, section 5318, 100 Stat. 3207, 3207-29 (1986).

(8) 52 FR 2858 (Jan. 27, 1987).

(9) Most recently, Congress enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act on July
18, 2025. Public Law 119-27, codified at 12 U.S.C. 5901 et seq. The GENIUS Act requires that permitted payment stablecoin issuers (PPSIs) be treated as financial institutions under the BSA,
including being required to maintain “an effective anti-money laundering program.” See 12 U.S.C. 5903(a)(5)(i). The GENIUS Act also requires the primary Federal payment stablecoin regulators, which are the Agencies
and the Federal Reserve Board to issue regulations relating to PPSIs, including Bank Secrecy Act and sanctions compliance
standards. These AML/CFT standards for PPSIs will be addressed separately from this rulemaking.

(10) Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992) (Annunzio-Wylie).

(11) 31 U.S.C. 5318(h)(1), as added by section 1517(b) of Annunzio-Wylie. The Agencies note the proposed rule modifies the current
sequencing of AML/CFT program components; however, the Agencies do not intend the change in sequencing to modify or signify
changes in any substantive requirements.

(12) 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat.
272 (Oct. 26, 2001) (USA PATRIOT Act).

(13) 31 U.S.C. 5318(h), as added by section 352 of the USA PATRIOT Act.

(14) 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).

(15) See FinCEN, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 11, 2016).

(16) 68 FR 25090 (May 9, 2003).

(17) 31 U.S.C. 5318(l), as added by section 326 of the USA PATRIOT Act.

(18) 81 FR 29398 (May 11, 2016).

(19) Press Release, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020), https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-75.html and https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf.

(20) William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan.
1, 2021).

(21) Congress noted in its Joint Explanatory Statement (JES) of the Committee of Conference accompanying the FY21 NDAA that: “the
current [AML/CFT] regulatory framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which
the Congress enacted in 1970. This decades-old regime, which has not seen comprehensive reform and modernization since its
inception, is generally built on individual reporting mechanisms (i.e., currency transaction reports (CTRs) and suspicious activity reports (SARs)) and contemplates aging, decades-old

  technology, rather than the current, sophisticated AML compliance systems now managed by most financial institutions.” Congress
  further stated that the AML Act “comprehensively update[s] the BSA for the first time in decades and provide[s] for the establishment
  of a coherent set of risk-based priorities.” Among other objectives, Congress intended for the AML Act to require “more routine
  and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify
  suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better
  law enforcement outcomes.” H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

(22) H.R. Rep. No. 6395 (2020) at 732 (Joint Explanatory Statement of the Committee of Conference), https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf.

(23) See AML/CFT Priorities (June 30, 2021). As required by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent with Treasury's
National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024). The AML/CFT Priorities are supported
by Treasury's National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing (Mar. 2026).
Additionally, Treasury is required to consult with the Agencies on the National Illicit Finance Strategy, which must include
a risk assessment. See Combating Terrorism and Illicit Financing, Public Law 115-44, 131 Stat. 934 (2017). As also required by 31 U.S.C. 5318(h)(4)(B),
the Secretary, in consultation with the Attorney General, Federal functional regulators, relevant State financial regulators,
and relevant national security agencies, must update the AML/CFT Priorities not less frequently than once every four years.

(24) See OCC Bulletin 23019-33, Bank Secrecy Act/Anti-Money Laundering: Joint Statement on the Risk-Focused Approach to BSA/AML Supervision
(July 22, 2019).

(25) See, e.g., Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (July
6, 2022) (“Customer relationships present varying levels of money laundering, terrorist financing, and other illicit financial
activity risks. The potential risk to a bank depends on the presence or absence of numerous factors, including facts and circumstances
specific to the customer relationship. The Agencies continue to encourage banks to manage customer relationships and mitigate
risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”)

(26) OCC, FDIC, NCUA, FinCEN, Agencies Issue Exemption Order to Customer Identification Program Requirements, (Jun. 27, 2025), https://www.occ.gov/news-issuances/news-releases/2025/nr-ia-2025-60.html.

(27) FinCEN et. al, Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering
Considerations (Jan. 19, 2021) (clarifying, among other things, that there is no BSA regulatory requirement to terminate a
customer relationship after the filing of a SAR or any specific number of SARs). See also FinCEN et. al, Frequently Asked Questions Regarding Suspicious Activity Reporting Requirements (Oct. 9, 2025), https://www.fincen.gov/system/files/2025-10/SAR-FAQs-October-2025.pdf (clarifying filing requirements related to potential structuring-related activity, documentation requirements related to not
filing a SAR on potentially suspicious activity, and certain aspects of continuing activity reporting).

(28) FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR 58023 (Sept. 17, 2020).

(29) FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Requirements, 89 FR 55428 (Jul. 3, 2024).

(30) OCC, Federal Reserve Board, FDIC and the NCUA, Anti-Money Laundering and Countering the Financing of Terrorism Requirements,
89 FR 65242 (Aug. 9, 2024).

(31) For an overview of the content of the Effectiveness ANPRM and the 2024 Program NPRM, and for an overview of comments received
on both, refer to FinCEN's proposed revisions to its AML/CFT program requirements, issued concurrently with this NPRM.

(32) 31 U.S.C. 5311.

(33) 31 U.S.C. 5318(h)(2).

(34) Federal Reserve Board, FDIC, NCUA, OCC, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements,
(Aug. 13, 2020), https://www.federalreserve.gov/frrs/regulations/statement-on-bank-secrecy-act-anti-money-laundering-enforcement.htm.

(35) Countering the financing of terrorism (CFT) includes laws, rules, regulations, or other measures intended to detect and disrupt
the solicitation, collection, or provision of funds to support terrorist acts or terrorist organizations, or other violent
extremist groups.

(36) See 31 U.S.C. 5318(h)(2)(B)(iii).

(37) Federal Financial Institution Examination Council, BSA/AML Assessing Compliance with BSA Regulatory Requirements — Suspicious
Activity Reporting, h ttps://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04.

(38) William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 4547 at
section 6002(3) (Jan. 1, 2021).

(39) Federal Reserve Board, FDIC, FinCEN, NCUA, OCC, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist
Financing, (Dec. 3, 2018), https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf.

(40) For instance, the provision of the BSA which requires financial institutions to have AML/CFT program rules states that “each
financial institution shall establish” (emphasis added) such programs, including certain requirements as specified. See 31 U.S.C. 5318(h)(1). The corresponding Federal statute requiring each appropriate Federal banking agency to prescribe regulations
requiring their supervised institutions to have BSA compliance programs states that these banks must “establish and maintain
procedures reasonably designed to assure and monitor the compliance” with the requirements of the BSA. 12 U.S.C. 1818(s)(1).

(41) See, 12 CFR 21.21(d)(1) (OCC); 12 CFR 326.8(c)(1) (FDIC); and 12 CFR 748.2(c)(1) (NCUA).

(42) Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf. The Joint Statement on Risk Focused BSA/AML Supervision, July 22, 2019, clarifies the Agencies' and the Federal Reserve Board's
long-standing supervisory approach to examining for compliance with the BSA considers a financial institution's risk profile
and notes that “[a] risk-based [AML] compliance program enables a bank to allocate compliance resources commensurate with
its risk.” It further clarifies that a well-developed risk assessment process assists examiners in understanding a bank's
risk profile and evaluating the adequacy of its AML program. The statement also explains that, as part of their risk-focused
approach, examiners review a bank's risk management practices to evaluate whether a bank has developed and implemented a reasonable
and effective process to identify, measure, monitor, and control risks.

(43) See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020), www.fincen.gov/system/files/shared/314bfactsheet.pdf.

(44) See U.S. Dep't of Treasury, 2026 Nat. Money Laundering Risk Assess. (Mar. 2026), https://home.treasury.gov/system/files/246/2026-NMLRA.pdf; U.S. Dep't of Treasury, 2026 Nat. Terrorist Financing Risk Assess. (Mar. 2026), https://home.treasury.gov/system/files/246/2026-NTFRA.pdf; U.S. Dep't of Treasury, 2026 Nat. Proliferation Financing Risk Assess. (Mar. 2026), https://home.treasury.gov/system/files/246/2026-NPFRA.pdf.

(45) 31 U.S.C. 5318(h)(4)(E).

(46) FinCEN's concurrently issued proposal provides additional clarity on how FinCEN anticipates addressing the AML/CFT Priorities.

(47) 31 U.S.C. 5318(h)(2)(B)(iv)(II).

(48) See 31 CFR 1020.210(a)(2)(v) and (b)(2)(v).

(49) 31 U.S.C. 5318(h)(1)(D).

(50) See Federal Reserve Board, FDIC, NCUA, OCC, and FinCEN, Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.

(51) 31 U.S.C. 5318(h)(5).

(52) See, e.g., FinCEN, Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3, 2010); see also FinCEN, Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (Jan. 20,
2006), https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf.

(53) 31 U.S.C. 5318(h)(1)(C).

(54) 12 CFR 21.21(d) (OCC); 12 CFR 326.8 (FDIC); and 12 CFR 748.2 (NCUA).

(55) Other financial regulators with stakeholders subject to the BSA currently utilize their own versions of this requirement. See 31 CFR 1020.210(a)(2)(iv), (b)(2)(iv) (banks); 1021.210(b)(2)(iii) (casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) (broker-dealers);
1024.210(b)(4) (mutual funds); 1025.210(b)(3) (insurance companies); 1026.210(b)(4) (FCMs and IBCs); 1027.210(b)(3) (DPMSJs);
1028.210(b)(3) (operators of credit card systems); 1029.210(b)(3) (loan or finance companies); 1030.210(b)(3) (housing GSEs).

(56) See 12 CFR 21.21(c)(1) (OCC), 326.8(b)(1) (FDIC), and 748.2(b)(1) (NCUA).

(57) See 12 CFR 1020.210(b)(3).

(58) The proposal would not be intended to affect or restrict criminal enforcement under the BSA or the authority of the Department
of Justice to pursue such actions.

(59) 12 CFR part 4, subpart C (OCC); 12 CFR 309.6 (FDIC); and 12 CFR part 792, subpart C (NCUA).

(60) 12 CFR 21.21(d)(2) (OCC); 12 CFR 326.8(c)(2) (FDIC); and 12 CFR 748.2(c)(2) (NCUA).

(61) 31 U.S.C. 5311-5336.

(62) Consolidated Reports of Condition and Income (September 30, 2025).

(63) For example, there is at least some anecdotal evidence that otherwise normal (low risk) customers could have reduced access
as a result of BSA compliance. See https://www.banking.senate.gov/imo/media/doc/klein_testimony_2-5-25.pdf at 4.

(64) See Citizens Rulemaking Alliance comment letter (Nov. 17, 2025), p. 2, submitted in context of the recent proposed rulemaking
90 FR 48835: Unsafe or Unsound Practices; Matters Requiring Attention. The letter provided conservative estimates for general
burden to community banks to address matters sufficiently deficient to warrant a supervisory action of a Matters Requiring
Attention. Their provided estimates suggested 120 internal staff hours per MRA to scope, draft, implement, and document a
written remediation plan; 20 board/committee hours for oversight and attestation; and $15,000 in external advisory/legal services
for complex MRAs. Agency staff expect that costs would be even greater for larger, more complex banks to remediate significant
deficiencies or system failures in their AML/CFT programs.

(65) The net annual cost of crime in the U.S. was estimated at approximately $3-4 trillion net of transfers in David A. Anderson,
“The Aggregate Cost of Crime in the United States,” The Journal of Law and Economics, vol 64 no. 4 (2021). One specific type
of financial crime, fraud, resulted in over $12 billion in reported losses in 2024 (see the Federal Trade Commission, Consumer Sentinel Network Data Book 2024 (Mar. 2025), https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf.

(66) There were over 6 million reports according to the Consumer Sentinel Network in 2024 (see Federal Trade Commission, Consumer Sentinel Network Data Book 2024 (Mar. 2025), https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf.

(67) The Agencies expect there would be variation in the magnitude of these transition costs among affected institutions, depending
on bank size, complexity of business model, transaction volume, and scope and nature of products, customers, services, and
geographical operations. Smaller institutions would be expected to have significantly less transition costs to update policies,
procedures, and documentation than larger institutions with more complex risk profiles, higher transaction volume, and greater
diversity and volume of products, customers, services, and geographical operations. Smaller institutions also tend to have
significantly less staff dedicated to AML/CFT compliance than larger institutions. As such, these smaller institutions would
need to train fewer staff on the proposed rule's requirements than larger institutions, requiring them to allocate fewer total
dollars to training. Furthermore, smaller institutions generally already have a designated AML/CFT officer domiciled in the
United States whereas larger, internationally active institutions may not. This would result in no expected labor opportunity
costs for smaller institutions, but possibly one-time costs for larger internationally active institutions that do not currently
have a U.S. domiciled AML/CFT officer.

(68) The Agencies acknowledge that banks would have to incorporate any future AML/CFT priorities FinCEN issues as part of their
ongoing costs. However, the Agencies believe that banks have already incorporated the current AML/CFT priorities into their
BSA compliance programs because these “[p]riorities reflect longstanding and continuing AML/CFT concerns previously identified
by FinCEN and other Treasury components and U.S. government departments and agencies” (see AML/CFT Priorities, page 3 (June 30, 2021)).

(69) A 2018 study considering compliance costs in community banks found that small bank compliance costs typically were about
10 percent of noninterest expense and the portion of this attributable to BSA was about 22 percent. This implies that total
BSA compliance costs for small banks are 22 percent; this would need to increase more than two-fold in order for the rule
to have a significant economic impact on small institutions because of the OCC's methodology of using a 2.5 percent noninterest
expense threshold to establish significant impact on small entities. However, because the rule generally reinforces and codifies
existing practices, the OCC expects the rule would not have a significant economic impact on a substantial number of small
entities. See https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf for details.

(70) 5 U.S.C. 601 et seq.

(71) Assets for purposes of classifying “small entities” are determined by averaging the assets reported on its four quarterly
financial statements for the preceding year. See 13 CFR 121.201 (as amended by 87 FR 69118, effective Dec. 19, 2022). In its determination, the “SBA counts the receipts, employees,
or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates.” See 13 CFR 121.103. Following these regulations, the FDIC uses an insured depository institution's affiliated and acquired assets,
averaged over the preceding four quarters, to determine whether the FDIC insured depository institution is “small” for the
purposes of RFA.

(72) See William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan.
1, 2021).

(73) FDIC-supervised institutions are set forth in 12 U.S.C. 1813(q)(2).

(74) Consolidated Reports of Condition and Income (Sept. 30, 2025).

(75) A 2018 study considering compliance costs in community banks found that small bank compliance costs typically were about
10 percent of noninterest expenses, and the portion of this attributable to BSA was about 22 percent. This implies that total
BSA compliance costs for small banks are approximately 2.2 percent of noninterest expenses. For the proposed rule to have
a significant impact on a small FDIC-supervised IDI, that IDI's BSA compliance costs would need to increase more than two-fold
under the proposed rule. Because the proposed rule generally reinforces and codifies existing practices, the FDIC expects
such an increase to be implausible. See https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf.

(76) 5 U.S.C. 601 et seq.

(77) 5 U.S.C. 605(b).

(78) 80 FR 57512 (Sept. 24, 2015).

(79) Viewed another way, the FDIC considers small entities to be those holding fewer than $850 million in assets—88.0 percent
of FICUs are smaller than that threshold.

(80) 44 U.S.C. 3501-3521.

(81) 12 U.S.C. 4802(a).

(82) 12 U.S.C. 4802(b).

(83) Public Law 106-102, section 722, 113 Stat. 1338, 1471 (1999), 12 U.S.C. 4809.

(84) 44 U.S.C. 3501 note.

(85) Public Law 105-277, section 654, 112 Stat. 2681, 2681-528 (1998).

Download File

Download