Changeflow GovPing Banking & Finance Anti-Money Laundering and Countering the Financ...
Priority review Consultation Added Consultation

Anti-Money Laundering and Countering the Financing of Terrorism Programs

Favicon for www.federalregister.gov FR: Federal Deposit Insurance Corporation
Detected
Email

Summary

The OCC, FDIC, and NCUA have jointly published a proposed rule requiring banks and credit unions to establish formal Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) programs. The rule outlines minimum requirements for program design, implementation, and oversight. The agencies are seeking public comment for 60 days.

View original document View source feed page

What changed

The OCC, FDIC, and NCUA jointly propose requiring banks and credit unions to establish formal Anti-Money Laundering and Countering the Financing of Terrorism programs. The proposed rule would mandate written policies, procedures, and processes; an independent compliance function; ongoing employee training; and periodic testing of program effectiveness.\n\nAffected banks and credit unions should review the proposal and submit comments by June 9, 2026. Institutions should begin assessing whether their existing AML/CFT frameworks meet the proposed minimum requirements and prepare for potential program enhancements if the rule is finalized.

What to do next

  1. Review proposed AML/CFT program requirements
  2. Prepare and submit comments to regulatory agencies by June 9, 2026
  3. Assess current AML/CFT framework against proposed minimum standards

Archived snapshot

Apr 10, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Legal Status This site displays a prototype of a “Web 2.0” version of the daily
Federal Register. It is not an official legal edition of the Federal
Register, and does not replace the official print version or the official
electronic version on GPO’s govinfo.gov.

The documents posted on this site are XML renditions of published Federal
Register documents. Each document posted on the site includes a link to the
corresponding official PDF file on govinfo.gov. This prototype edition of the
daily Federal Register on FederalRegister.gov will remain an unofficial
informational resource until the Administrative Committee of the Federal
Register (ACFR) issues a regulation granting it official legal status.
For complete information about, and access to, our official publications
and services, go to About the Federal Register on NARA's archives.gov.

The OFR/GPO partnership is committed to presenting accurate and reliable
regulatory information on FederalRegister.gov with the objective of
establishing the XML-based Federal Register as an ACFR-sanctioned
publication in the future. While every effort has been made to ensure that
the material on FederalRegister.gov is accurately displayed, consistent with
the official SGML-based PDF version on govinfo.gov, those relying on it for
legal research should verify their results against an official edition of
the Federal Register. Until the ACFR grants it official status, the XML
rendition of the daily Federal Register on FederalRegister.gov does not
provide legal notice to the public or judicial notice to the courts.

Legal Status

Proposed Rule

You may be interested in this older document that published on 08/09/2024 with action 'Notice of proposed rulemaking.' View Document

Anti-Money Laundering and Countering the Financing of Terrorism Programs

A Proposed Rule by the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration on 04/10/2026

  • 1.

1.
This document has a comment period that ends in 60 days.
(06/09/2026) View Comment Instructions

Thank you for taking the time to create a comment. Your input is important.

Once you have filled in the required fields below you can preview and/or submit your comment to the Treasury Department for review. All comments are considered public and will be posted online once the Treasury Department has reviewed them.

You can view alternative ways to comment or you may also comment via Regulations.gov at /documents/2026/04/10/2026-06948/anti-money-laundering-and-countering-the-financing-of-terrorism-programs.

It appears that you have attempted to comment on this document before
so we've restored your progress.
Start over.
1.
2. Comment * What is your comment about? Upload File(s) Note: You can attach your comment as a file and/or attach supporting
documents to your comment. Attachment Requirements.

Email this will NOT be posted on regulations.gov

Opt to receive email confirmation of submission and tracking number? Tell us about yourself! I am... * An Individual An Organization Anonymous First Name * Last Name * City Region State Alabama Alaska American Samoa Arizona Arkansas California Colorado Connecticut Delaware District of Columbia Florida Georgia Guam Hawaii Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana Maine Maryland Massachusetts Michigan Minnesota Mississippi Missouri Montana Nebraska Nevada New Hampshire New Jersey New Mexico New York North Carolina North Dakota Ohio Oklahoma Oregon Pennsylvania Puerto Rico Rhode Island South Carolina South Dakota Tennessee Texas Utah Vermont Virgin Islands Virginia Washington West Virginia Wisconsin Wyoming Zip Country Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia, Plurinational State of Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, the Democratic Republic of the Cook Islands Costa Rica Côte d'Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands (Malvinas) Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See (Vatican City State) Honduras Hong Kong Hungary Iceland India Indonesia Iran, Islamic Republic of Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, Democratic People's Republic of Korea, Republic of Kuwait Kyrgyzstan Lao People's Democratic Republic Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macao Macedonia, the Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia, Federated States of Moldova, Republic of Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine, State of Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Barthélemy Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Martin (French part) Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Sint Maarten (Dutch part) Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and the South Sandwich Islands South Sudan Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan, Province of China Tajikistan Tanzania, United Republic of Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates United Kingdom United States United States Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela, Bolivarian Republic of Viet Nam Virgin Islands, British Virgin Islands, U.S. Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Phone Organization Type * Company Organization Federal State Local Tribal Regional Foreign U.S. House of Representatives U.S. Senate Organization Name * You are filing a document into an official docket. Any personal
information included in your comment text and/or uploaded
attachment(s) may be publicly viewable on the web. I read and understand the statement above.

  2. Preview Comment Please review the Regulations.gov privacy notice and user notice.
  3. Document Details Published Content - Document Details Agencies Department of the Treasury Office of the Comptroller of the Currency Federal Deposit Insurance Corporation National Credit Union Administration Agency/Docket Numbers Docket ID OCC-2024-0005 Docket ID NCUA-2024-0033 CFR 12 CFR 21 12 CFR 326 12 CFR 748 Document Citation 91 FR 18304 Document Number 2026-06948 Document Type Proposed Rule Pages 18304-18330 (27 pages) Publication Date 04/10/2026 RIN 1557-AF14 3064-AF34 3133-AG08 Published Content - Document Details

| Docket ID OCC-2024-0005
(2 Documents) | | | |
| --- | | | |
| Date | | Action | Title |
| | 2026-04-10 | Notice of proposed rulemaking. | Anti-Money Laundering and Countering the Financing of Terrorism Programs |
| | 2024-08-09 | Notice of proposed rulemaking. | Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements |

| Docket ID NCUA-2024-0033
(2 Documents) | | | |
| --- | | | |
| Date | | Action | Title |
| | 2026-04-10 | Notice of proposed rulemaking. | Anti-Money Laundering and Countering the Financing of Terrorism Programs |
| | 2024-08-09 | Notice of proposed rulemaking. | Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements |

Enhanced Content - Related Documents

Enhanced Content - Public Comments
- Regulations.gov Data Enhanced Content - Regulations.gov Data Additional information is not currently available for this document.

Enhanced Content - Regulations.gov Data

- Sharing Enhanced Content - Sharing Shorter Document URL https://www.federalregister.gov/d/2026-06948 Email Email this document to a friend Enhanced Content - Sharing

  • Print Enhanced Content - Print
  • Other Formats Enhanced Content - Other Formats This document is also available in the following formats:

JSON Normalized attributes and metadata XML Original full text XML MODS Government Publishing Office metadata More information and documentation can be found in our developer tools pages.

Enhanced Content - Other Formats
- Public Inspection Public Inspection This PDF is FR Doc. 2026-06948 as it appeared on Public Inspection on
04/09/2026 at 8:45 am.

It was viewed
67
times while on Public Inspection.

If you are using public inspection listings for legal research, you
should verify the contents of the documents against a final, official
edition of the Federal Register. Only official editions of the
Federal Register provide legal notice of publication to the public and judicial notice
to the courts under 44 U.S.C. 1503 & 1507. Learn more here.

Public Inspection
Published Document: 2026-06948 (91 FR 18304) This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Document Headings Document headings vary by document type but may contain
the following:

  1. the agency or agencies that issued and signed a document
  2. the number of the CFR title and the number of each part the document amends, proposes to amend, or is directly related to
  3. the agency docket number / agency internal file number
  4. the RIN which identifies each regulatory action listed in the Unified Agenda of Federal Regulatory and Deregulatory Actions See the Document Drafting Handbook for more details.
Department of the Treasury
Office of the Comptroller of the Currency
  1. 12 CFR Part 21
  2. [Docket ID OCC-2024-0005]
  3. RIN 1557-AF14
Federal Deposit Insurance Corporation
  1. 12 CFR Part 326
  2. RIN 3064-AF34
National Credit Union Administration
  1. 12 CFR Part 748
  2. [Docket ID NCUA-2024-0033]
  3. RIN 3133-AG08 ( printed page 18304) # AGENCY:

Office of the Comptroller of the Currency, Treasury; Federal Deposit Insurance Corporation; and the National Credit Union Administration.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, “the Agencies” or “Agency” when referencing the singular) are inviting comment on a proposed rule that would require banks to establish and maintain effective anti-money laundering and countering the financing of terrorism (AML/CFT) programs reasonably designed to identify, assess, and mitigate risks of illicit finance. The amendments are intended to align with changes that are being concurrently proposed by the Financial Crimes Enforcement Network (FinCEN) to implement provisions of the Anti-Money Laundering Act of 2020 (AML Act). Among other changes, this proposed rule would ensure that institutions establish and maintain effective AML/CFT programs that are intended to better achieve the purposes of the Bank Secrecy Act (BSA), culminating in the development of highly useful information related to illicit financial transactions for law enforcement and national security agencies. Through this rulemaking, the Agencies also intend to modernize and reform Federal supervision of AML/CFT programs by enhancing FinCEN's role in AML/CFT supervision and enforcement.

DATES:

Written comments may be submitted on or before June 9, 2026.

ADDRESSES:

Comments should be directed to:

OCC: Commenters are encouraged to submit comments through the Federal eRulemaking Portal. Please use the title “Anti-Money Laundering and Countering the Financing of Terrorism Programs” to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods:

  • Federal eRulemaking Portal—Regulations.gov:
    Go to https://regulations.gov/. Enter Docket ID “OCC-2024-0005” in the Search Box and click “Search.” Public comments can be submitted via the “Comment” box below the displayed document information or by clicking on the document title and then clicking the “Comment” box on the top-left side of the screen. For help with submitting effective comments, please click on “Commenter's Checklist.” For assistance with the Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email regulationshelpdesk@gsa.gov.

  • Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

  • Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
    Instructions: You must include “OCC” as the agency name and Docket ID “OCC-2024-0005” in your comment. In general, the OCC will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

You may review comments and other related materials that pertain to this action by the following method:

  • Viewing Comments Electronically—Regulations.gov: Go to https://regulations.gov/. Enter Docket ID “OCC-2024-0005” in the Search Box and click “Search.” Click on the “Dockets” tab and then the document's title. After clicking the document's title, click the “Browse All Comments” tab. Comments can be viewed and filtered by clicking on the “Sort By” drop-down on the right side of the screen or the “Refine Comments Results” options on the left side of the screen. Supporting materials can be viewed by clicking on the “Browse Documents” tab. Click on the “Sort By” drop-down on the right side of the screen or the “Refine Results” options on the left side of the screen checking the “Supporting & Related Material” checkbox. For assistance with the Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email regulationshelpdesk@gsa.gov.

The docket may be viewed after the close of the comment period in the same manner as during the comment period.

FDIC: The FDIC encourages interested parties to submit written comments. Please include your name, affiliation, address, email address, and telephone number(s) in your comment. You may submit comments to the FDIC, identified by RIN 3064-AF34, by any of the following methods:

  • Agency Website: https://www.fdic.gov/​resources/​regulations/​federal-register-publications. Follow instructions for submitting comments on the FDIC's website.
  • Mail: Jennifer M. Jones, Deputy Executive Secretary, Attention: Comments/Legal OES (RIN 3064-AF34), Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
  • Hand Delivered/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW, building (located on F Street NW) ( printed page 18305) on business days between 7 a.m. and 5 p.m., eastern time.
  • Email: comments@fdic.gov. Include the RIN 3064-AF34 on the subject line of the message.

  • Public Inspection: Comments received, including any personal information provided, may be posted without change to https://www.fdic.gov/​resources/​regulations/​federal-register publications. Commenters should submit only information that the commenter wishes to make available publicly. The FDIC may review, redact, or refrain from posting all or any portion of any comment that it may deem to be inappropriate for publication, such as irrelevant or obscene material. The FDIC may post only a single representative example of identical or substantially identical comments, and in such cases will generally identify the number of identical or substantially identical comments represented by the posted example. All comments that have been redacted, as well as those that have not been posted, that contain comments on the merits of this document will be retained in the public comment file and will be considered as required under all applicable laws. All comments may be accessible under the Freedom of Information Act.
    NCUA: You may submit comments, identified by RIN 3133-AG08, by any of the following methods (please send comments by one method only):

  • Federal eRulemaking Portal: https://www.regulations.gov. The docket number for this proposed rule is NCUA-2024-0033. Follow the instructions for submitting comments. A plain language summary of the proposed rule is also available on the docket website.

  • Mail: Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

  • Hand Delivery/Courier: Same as mailing address.

  • Public Inspection: You may view all public comments on the Federal eRulemaking Portal at https://www.regulations.gov, as submitted, except for those we cannot post for technical reasons. The NCUA will not edit or remove any identifying or contact information from the public comments submitted. If you are unable to access public comments on the internet, you may contact the NCUA for alternative access by calling (703) 518-6540 or emailing OGCMail@ncua.gov.

FOR FURTHER INFORMATION CONTACT:

OCC: Kenneth Kohrs, BSA/AML Lead Expert, Office of the Chief National Bank Examiner; Jina Cheon, Assistant Director, Melissa Lisenbee, Counsel, Scott Burnett, Counsel, or Henry Barkhausen, Counsel, Bank Advisory Group, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, hard of hearing, or have a speech disability, please dial 7-1-1 to access telecommunications relay services.

FDIC: Patricia Colohan, Deputy Director, (202) 898-7283, pcolohan@fdic.gov, Division of Risk Management Supervision; Chase Lubbock, Associate Director, (703) 254-0802, clubbock@fdic.gov, Division of Risk Management Supervision; Christy Cornell-Pape, Acting Chief, Financial Crimes, (415) 808-8090, acornell-pape@fdic.gov, Division of Risk Management Supervision; Deborah Tobolowsky, Counsel, (571) 309-2415, dtobolowsky@fdic.gov, Legal Division; Thomas Krepp, Senior Attorney, (678) 916-2265, tkrepp@fdic.gov, Legal Division; J. Spencer Culp, Senior Attorney, (816) 234-8049, jaculp@fdic.gov, Legal Division; Nicholas Kazmerski, Counsel, (571) 309-3136, nkazmerski@fdic.gov, Legal Division.

NCUA: Michael Dondarski, Associate Director, Office of Examination & Insurance, (703) 772-4751, mdondarski@ncua.gov; Janell Portare, Director, Fraud and Anti-Money Laundering Division, Office of Examination & Insurance, (703) 548-2752, jportare@ncua.gov; Gira Bose, Senior Staff Attorney, Office of General Counsel, (703) 518-6540, gbose@ncua.gov; Damon P. Frank, Senior Trial Attorney, Office of General Counsel, (703) 518-6540, dfrank@ncua.gov.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend the Agencies' regulations that prescribe AML/CFT program requirements [1 ] for banks [2 ] supervised by each of the Agencies in a way that aligns with the rule concurrently proposed by FinCEN [3 ] under the BSA. [4 ] While FinCEN has delegated its authority to examine banks for compliance with the BSA to the Agencies, the Agencies also have independent authority to prescribe regulations requiring banks to establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, under 12 U.S.C. 1818(s) and 12 U.S.C. 1786(q) (Sections 8(s) of the Federal Deposit Insurance Act and 206(q) of the Federal Credit Union Act, respectively). The Agencies are proposing to amend their rules concurrently with FinCEN so that their program requirements for banks remain consistent with those imposed by FinCEN. Further, with consistent regulatory text, banks will not be subject to any additional burden or confusion from needing to comply with differing standards between FinCEN and the Agencies. The proposed changes are discussed in more detail below in the section-by-section analysis.

II. Background

A. Anti-Money Laundering Programs Under the Bank Secrecy Act and History of the BSA Compliance Program Rules for the Agencies

Enacted in 1970 and amended several times since, the BSA is designed to combat money laundering, the financing of terrorism, and other illicit finance activity risks (collectively, ML/TF risks). [5 ] Congress has authorized the Secretary of the Treasury (Secretary) to administer the BSA. The Secretary has in turn delegated the authority to implement, administer, and enforce ( printed page 18306) compliance with the BSA and its associated regulations to the Director of FinCEN (FinCEN Director). [6 ]

The Money Laundering Control Act of 1986 (MLCA) [7 ] amended 12 U.S.C. 1818(s) and 12 U.S.C. 1786(q) (sections 8(s) of the Federal Deposit Insurance Act and 206(q) of the Federal Credit Union Act, respectively) to require the Agencies and the Board of Governors of the Federal Reserve System (Federal Reserve Board) to issue regulations requiring their supervised banks to “establish and maintain procedures reasonably designed to assure and monitor their compliance” with the requirements of the BSA. Consistent with the MLCA, on January 27, 1987, all the then-Federal bank regulatory agencies issued substantially similar regulations requiring their supervised banks to develop procedures for BSA compliance. [8 ]

Since its original enactment, Congress has continued to address various aspects of AML/CFT compliance, including through expansion of the BSA. [9 ] In 1992, the Annunzio-Wylie Anti-Money Laundering Act [10 ] gave the Secretary authority to prescribe minimum standards for AML programs, including: “(A) the development of internal policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training program, and (D) an independent audit function to test programs”—what are often called the “four pillars” of AML/CFT programs. [11 ] Later, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the BSA to include, among other things, customer identification program (CIP) requirements and the expansion of AML program rules to cover certain other financial industry participants (e.g., credit unions and futures commission merchants). [12 ] The USA PATRIOT Act also made it mandatory for financial institutions to maintain AML programs that meet minimum prescribed standards. [13 ] Through the exercise of its delegated authority, FinCEN is authorized to require each financial institution to establish an AML/CFT program to ensure compliance with the BSA and guard against ML/TF risks. [14 ] Over time, FinCEN, the Agencies, and the Federal Reserve Board incorporated many of these standards into their respective program rules, and FinCEN implemented additional requirements for certain covered financial institutions into their respective program rules. [15 ]

Although in practice the FinCEN AML program rule and the Agencies' compliance program rules for banks they supervise operate together, since the USA PATRIOT Act, banks under the Agencies' supervision have been required to maintain compliance programs under separate legal authorities administered by (i) FinCEN under Title 31 and (ii) the Agencies under sections 8(s) and 206(q). Because the authority for each Agency's BSA compliance program rule derives from and is required by sections 8(s) and 206(q), each Agency prescribes regulations requiring the banks they supervise to establish and maintain procedures reasonably designed to assure and monitor the compliance of such banks with the requirements of the BSA.

In 2003, FinCEN, the Agencies, the Federal Reserve Board, the Securities and Exchange Commission, and the Commodity Futures Trading Commission jointly issued final rules on CIP requirements, [16 ] which were mandated by amendments to the BSA under the USA PATRIOT Act requiring financial institutions to implement a CIP as part of their BSA compliance program. [17 ] The CIP requirements became part of the separate AML program rules for banks administered by FinCEN and each of the Agencies as well as the Federal Reserve Board, although the rules continued to function together by allowing banks to satisfy FinCEN's rule by complying with their Agency's rule or, as appropriate, the Federal Reserve Board's rule.

In 2016, FinCEN amended its AML compliance program rules to incorporate customer due diligence (CDD) requirements, including beneficial ownership information collection requirements for certain covered financial institutions, including banks. [18 ] Although the Agencies did not promulgate CDD requirements at that time, the Agencies examined supervised banks for compliance with those requirements under the authority of sections 8(s) and 206(q). [19 ] With the exception of the CDD requirement, FinCEN's rule was substantially similar to the rules of the Agencies and the Federal Reserve Board's rules, and banks must currently comply with both FinCEN's AML bank program rule and the BSA compliance rules of the Agencies and, as appropriate, the Federal Reserve Board.

B. The Anti-Money Laundering Act of 2020

On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, of which the AML Act was a component. [20 ] With the passage of the AML Act, Congress stated that it was seeking to modernize and strengthen the AML/CFT regulatory framework, which “had not seen comprehensive reform or modernization” since the BSA was enacted in the 1970s. [21 ] Among other ( printed page 18307) objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” [22 ]

Section 6101(b) of the AML Act made several changes to the BSA's AML/CFT program requirements.

First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B) to state that, “[i]n prescribing the minimum standards for [AML/CFT programs], and in supervising and examining compliance with those standards, the Secretary of the Treasury, and the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)) shall take into account” certain factors.

Second, section 6101(b) requires the Secretary, in consultation with the Attorney General, appropriate Federal functional regulators, relevant State financial regulators, and relevant national security agencies, to establish and make public government-wide AML/CFT priorities (AML/CFT Priorities). After consultation with the Federal functional regulators and relevant State financial regulators, the Secretary must promulgate regulations, as appropriate, to incorporate those priorities into revised program rules, and incorporation of the priorities must be included as a measure on which financial institutions are supervised and examined. FinCEN issued the first AML/CFT Priorities on June 30, 2021. [23 ]

Third, section 6101(b) expands the BSA's program rule requirement to formally include an express reference to CFT in addition to AML.

Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator.

C. Prior BSA Modernization Efforts

The proposed rule also builds upon other recent efforts by FinCEN, the Agencies, and the Federal Reserve Board to modernize AML/CFT compliance program requirements for banks, both before and after the passage of the AML Act. These efforts include actions taken to revise the BSA regulatory regime through rulemakings, providing exemptive relief from regulatory requirements consistent with the purposes of the BSA, and clarifying regulatory requirements and supervisory standards through policy documents.

For example, on July 22, 2019, FinCEN, the Agencies, and the Federal Reserve Board issued a joint statement to clarify and explain their existing risk-focused approach to examinations of banks' BSA/AML compliance program. This statement was intended to increase transparency into the risk-focused approach used by the Agencies and the Federal Reserve Board for planning and performing BSA/AML examinations, which included clarifying that the Agencies and the Federal Reserve Board “generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas” based on the bank's unique risk profile. [24 ] FinCEN, the Agencies, and the Federal Reserve Board have also taken steps to highlight that customer relationships present varying levels of ML/TF risk and, in turn, to encourage banks to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers. [25 ] More recently, the Agencies and the Federal Reserve Board have, with FinCEN's concurrence, issued an order permitting banks, as part of their CIP obligations, to collect Taxpayer Identification Number information from a third party rather than directly from the bank's customer, subject to certain conditions. [26 ] FinCEN, the Agencies, and the Federal Reserve Board have also issued Frequently Asked Questions to clarify certain obligations related to filing a suspicious activity report (SAR) to help ensure banks are not needlessly expending resources on efforts that do not provide law enforcement and national security agencies with the critical information they need to detect, combat, and deter criminal activity, as well as to combat misconceptions that banks are required to terminate customer relationships based on the filing of a SAR. [27 ]

With respect to prior rulemaking efforts, prior to the enactment of the AML Act, FinCEN published an ANPRM seeking public comment on potential regulatory amendments intended to increase the effectiveness of program rule requirements (Effectiveness ANPRM), which was informed by recommendations of the AML Effectiveness Bank Secrecy Act Advisory Group working group. [28 ] While the Effectiveness ANPRM was issued by FinCEN on a standalone basis, the Agencies and Federal Reserve Board were consultative partners with FinCEN ( printed page 18308) when developing the proposal. More recently, on July 3, 2024, FinCEN published an NPRM proposing revisions to its AML/CFT program requirements for all financial institutions, including those applicable to banks, [29 ] and on August 9, 2024, the Agencies, along with the Federal Reserve Board, issued an NPRM proposing substantially similar amendments to their respective AML program rules applicable to banks they supervise (the 2024 Program NPRM). [30 ]

In proposing this rule in coordination with FinCEN, the Agencies considered applicable statutory requirements and prior feedback on these recent BSA modernization efforts, including comments provided on FinCEN's Effectiveness ANPRM and those received on the 2024 Program NPRMs. While building upon these prior modernization efforts, the proposed rule is distinct and separate from prior BSA modernization rulemaking efforts. [31 ]

III. Overview of the Proposed Rule

A central objective of the Agencies' BSA modernization efforts is to create an AML/CFT supervisory and regulatory regime that is more effective in achieving the purposes of the BSA and culminating in the development of highly useful information related to illicit financial transactions for law enforcement and national security agencies. [32 ] The proposed rule would further that objective by explicitly defining the requirements for a bank to establish and maintain an effective AML/CFT program. It would also adopt into regulations the AML Act's expectation that AML/CFT programs should be risk-based, including ensuring that banks direct more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the bank, rather than toward lower-risk customers and activities. [33 ]

The proposed rule would also revise the AML/CFT supervisory and examination process for banks by enhancing FinCEN's role in the Agencies' AML/CFT-related supervision and enforcement process. In support of this objective, the proposed rule would establish a mechanism in which FinCEN—as the statutory administrator of the BSA—has an opportunity to review and provide feedback to the Agencies prior to certain AML/CFT-related enforcement and supervisory actions. This change will promote consistent approaches to AML/CFT supervision, culminating in the development of highly useful information related to illicit financial transactions for both banks and the law enforcement and national security agencies that depend upon those banks' critical BSA reporting. The enforcement requirements only apply to actions by the Agencies.

Proposed Rule

As noted above, the proposed rule would require banks to establish and maintain effective AML/CFT programs and define the requirements for doing so. In order for an AML/CFT program to be effective, the proposed rule would require a bank to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program.

As described in more detail in section IV.D a bank would be required to establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and its implementing regulations, 31 CFR chapter X. The risk-based set of internal policies, procedures, and controls must also be reasonably designed to (1) identify, assess, and document the bank's ML/TF risks through risk assessment processes that evaluate the risks of the bank's business activities, review and, as appropriate, incorporate the AML/CFT Priorities, and are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's ML/TF risks; (2) mitigate the bank's ML/TF risks consistent with the bank's risk assessment processes including by directing more attention and resources toward higher-risk customers and activities, rather than toward lower-risk customers and activities; and (3) conduct ongoing customer due diligence.

The proposed rule would also require a bank to establish an ongoing employee training program and independent AML/CFT program testing as part of its AML/CFT program. Finally, the proposed rule would require a bank to designate an individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; that individual would be required to be located in the United States and accessible to, and subject to oversight and supervision by, FinCEN or its designee and the appropriate Agency.

Under the proposed rule, in addition to establishing an AML/CFT program, the bank would be required to maintain that program by implementing, in all material respects, its established AML/CFT program. By structuring the requirement to have an effective AML/CFT program as distinct obligations to establish and maintain (via implementation) an AML/CFT program, the proposed rule is intended to clarify and reinforce the distinction between failures to establish an AML/CFT program and failures to implement a properly established program.

The distinction between establishing a program and maintaining a program by implementing it in all material respects is particularly important under the proposed rule for potential supervisory and enforcement actions. The proposed rule would not limit enforcement or supervisory actions for failures to establish an AML/CFT program. However, once a bank has properly established an AML/CFT program, the proposed rule would raise the threshold for significant supervisory or enforcement actions based solely on implementation deficiencies. Only significant or systemic failures by a bank to implement in all material respects an established program would warrant an “AML/CFT enforcement action” or a “significant AML/CFT supervisory action,” as these terms are defined in the proposed rule. In this way, the proposed rule is intended to clarify and reinforce a supervisory and enforcement focus on addressing significant or systemic failures to implement a properly established AML/CFT program, rather than on isolated, technical, or immaterial implementation issues. [34 ]

Importantly, under the proposed regulations, having an effective AML/CFT program would be more than a one-time adoption of a risk-based set of internal policies, procedures, and controls. Rather, a bank would be required to keep its risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—current as the bank's risk profile changes. For example, while a bank's risk-based set ( printed page 18309) of internal policies, procedures, and controls may, at one time, have been reasonably designed, they may no longer be reasonably designed given changes to the bank's risk profile. Similarly, an AML/CFT program would be more than a one-time creation of an employee training program or initiation of an independent testing mechanism: the bank would be required to keep such aspects of the AML/CFT program current as the bank's risk profile changes. Thus, even where a bank has previously established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant changes in the bank's risk profile may result in the program no longer meeting the program establishment requirements, and the bank may accordingly be subject to supervisory or enforcement action for a failure to establish an effective AML/CFT program.

The proposed rule would also provide FinCEN with a greater role in the Agencies' supervisory process. To better ensure that the Agencies are performing “risk-focused” BSA supervision, the proposed rule would require that the Agencies consult with FinCEN prior to taking an AML/CFT enforcement action or a significant AML/CFT supervisory action. The Agencies would be required to give FinCEN written notice at least 30 days prior to taking such an action. FinCEN would have an opportunity to review the action and the relevant underlying information giving rise to it, and the Agencies would be required to consider any input offered by FinCEN concerning the effectiveness of the bank's AML/CFT program.

By explicitly defining the requirements for a bank to establish and maintain an effective AML/CFT program, and by standardizing the AML/CFT supervision and enforcement process for banks and across the Agencies, the proposed rule is expected to better achieve the purposes of the BSA, culminating in the development of highly useful information related to illicit financial transactions for banks and law enforcement and national security agencies. However, the Agencies do not intend for the proposed rule to provide banks permission to establish an AML/CFT program that might be interpreted as meeting the proposed rule's technical requirements on their face, but do not effectively detect and prevent ML/TF activity. To establish a compliant AML/CFT program under the proposed rule, a bank must, among other things, establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR chapter X, including through the adoption of risk assessment processes. A critical element of this requirement is that the bank's s risk-based set of internal policies, procedures, and controls be “reasonably designed.” For example, if a bank's program testing reveals that a new customer type or new activity is high risk, but the bank does not take any action to revise the design of its risk-based set of internal policies, procedures, and controls and therefore treats the customer or activity as presenting low risk, then its program should not be considered reasonably designed. The Agencies believe that banks have a better understanding of their customer bases and businesses and are best positioned to identify and evaluate their ML/TF risks. Therefore, under this proposed rule banks will continue to have significant flexibility and discretion in their decisions and determinations related to risk identification and resource allocation. The Agencies will assess whether: (1) a bank's resource allocation decisions are consistent with a reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the bank knows or should know of resource-related issues involving its risk-based set of internal policies, procedures, and controls that may result in the bank failing to implement its AML/CFT program in all material respects and has failed to address such issues.

Similarly, the Agencies expect a bank to be examined for its implementation of the established AML/CFT program in all material respects. Merely designating an individual responsible for establishing and implementing the AML/CFT program and having that individual establish risk-based internal policies, procedures, and controls, an ongoing employee training program, and an independent AML/CFT program testing program, are not sufficient to satisfy the proposed rule's obligations for a bank to have an effective AML/CFT program. Rather, a bank would be examined for the implementation, in all material aspects, of its established AML/CFT program, including the determination that the bank is, in fact, allocating resources commensurate with its established AML/CFT program, which the proposed rule would require to be consistent with and its reasonably designed risk assessment processes.

IV. Section-by-Section Analysis

This section-by-section analysis describes the specific proposed changes to the Agencies' BSA compliance program rules. Section IV.A addresses the proposed incorporation of CFT into the program rules. Section IV.B discusses the requirements for an “effective” AML/CFT program to comply with the requirements of the proposed rule. Section IV.C explains what it means to “establish” and “maintain” an effective AML/CFT program. Section IV.D describes the components of program establishment, including (1) a risk-based set of internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the Agencies, responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training. Section IV.E discusses the requirements that the AML/CFT program be written, accessible, and approved by a bank's Board of Directors, an equivalent governing body within the bank, or appropriate senior management. Section IV.F addresses the Customer Identification Program, Section IV.G addresses the supervision and enforcement section of the proposed rule, and Section IV.H discusses technical changes that the proposal makes to the existing rules to improve clarity and consistency across the program rules. Lastly, Section IV.I discusses disclosure of supervisory information.

A. Inserting the Term “CFT” Into the Program Rules

Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference “countering the financing of terrorism” [35 ] in addition to “anti-money laundering” when describing the requirement to establish an AML/CFT program. The Agencies propose to update the AML/CFT program rules to reflect this new statutory language. For example, the proposed rule would change the title of the Agencies' program rules from “Bank Secrecy Act compliance” to “Anti-Money Laundering/Countering the Financing of Terrorism Compliance, Supervision, and Enforcement.” Similar changes would apply to the titles of relevant parts and subparts.

The inclusion of “CFT” in the BSA compliance program rule would not create new obligations for banks, insofar as the USA PATRIOT Act already requires them to account for risks ( printed page 18310) related to terrorist financing. Accordingly, the Agencies expect any changes to existing AML/CFT programs from the amendments described in this subsection to be technical and therefore not have any substantive impact on banks' compliance obligations.

B. An “Effective” AML/CFT Program

In prescribing the minimum standards for an AML/CFT program and in supervising and examining compliance with those standards, the AML Act requires the Secretary and the appropriate Federal functional regulator to take into account that effective AML/CFT programs safeguard national security and help law enforcement prevent the flow of illicit funds in the financial system. [36 ] Further, the AML Act contemplates AML/CFT requirements focusing on achieving effective outcomes rather than dictating the processes used to reach those outcomes, an orientation the Agencies intend to reflect in the proposed rule. Consistent with the Agencies' long-standing expectations regarding what effective outcomes entail, the Agencies believe that, as a practical matter, it is not possible for a bank's AML/CFT program to detect and report all potentially illicit transactions that flow through the institution. [37 ] Similarly, a bank's AML/CFT program can be effective without preventing every minor instance of a bank falling prey to illicit finance misuse. Accordingly, the proposed rule would set out that, from a supervisory and enforcement perspective, an AML/CFT program is “effective” and complies with the Agencies' regulatory requirements promulgated under 12 U.S.C. 1818(s) or 12 U.S.C. 1786(q), as applicable, so long as it is established and maintained in accordance with applicable requirements.

The proposed rule would provide that a bank has an “effective” program if it (1) is established in accordance with the proposed rule's establishment requirements; and (2) is maintained, meaning that a properly established AML/CFT program is implemented in all material respects.

One of the AML Act's key purposes is to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and financing of terrorism.” [38 ] Consistent with this purpose, the Agencies encourage banks to evaluate whether new technology or innovative approaches in other resources might help to combat financial crime more effectively. Innovative approaches could involve machine learning, generative artificial intelligence (GenAI), digital identity, blockchain monitoring and analytics, or application programming interfaces (APIs).

The Agencies recognize that adopting new technologies for BSA compliance may not be suitable for all banks, particularly smaller ones, and the proposed rule therefore does not reference or require the use of any particular technology. A bank may find it beneficial to consider whether its AML/CFT program appropriately uses the bank's existing resources, including technology and data. However, consistent with longstanding guidance, the Agencies encourage banks to engage in responsible AML/CFT innovation. [39 ] Banks that responsibly incorporate innovative technologies into their AML/CFT programs will not incur on that basis any additional risk of being subject to a significant supervisory action or enforcement action solely based on the use of innovative technologies.

C. Establishing and Maintaining an AML/CFT Program

The requirement that a bank establish and maintain an AML/CFT program is not new, although over time various formulations of this requirement have developed in statutes and regulations. [40 ]

The proposed rule would harmonize and delineate the regulatory requirements that must be met for banks to have an effective AML/CFT program. That is, the proposed rule would create a two-pronged framework under which a bank's AML/CFT program would be deemed to be effective if the bank establishes and maintains its program. Under the proposed rule, a bank maintains its properly established AML/CFT program by implementing it in all material respects.

1. Establishing Versus Maintaining an AML/CFT Program

For a bank to have an effective AML/CFT program, the proposed rule would require a bank to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program. The proposed rule describes the requirements for an effective AML/CFT program to be established and maintained. The AML/CFT program minimum components constituting program establishment, and described in further detail in Section V.D below, are: (1) a risk-based set of internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the appropriate Agency, responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training.

“Establishing” an AML/CFT program involves designing an AML/CFT program that incorporates all of the required components. “Maintaining,” by contrast, addresses whether the bank is implementing that program in practice. The regulation uses the term “implement” to describe this second prong. The distinction between establishing a program and maintaining a program by implementation matters because the proposed rule ties the availability of AML/CFT enforcement and significant supervisory actions based on the program rule for an established bank program to a significant or systemic failure to “implement” the properly established AML/CFT program. The distinction between establishing and “maintaining” an AML/CFT program is intended to make transparent how the individual elements of the proposed rule work together.

Separating program establishment from program maintenance therefore provides needed clarity regarding whether a supervisory concern relates to deficiencies stemming from the program's design, on the one hand, or failures in the program's operation, on the other. This two-prong framework would help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design—the remediation of ( printed page 18311) which would likely be different in kind—with criticisms of day-to-day implementation. The proposed distinction does not change the substantive obligations for the bank.

As noted previously, the Agencies intend for the requirements of this proposed rule to not be limited to a one-time adoption of the elements required for program establishment, such as a risk-based set of internal policies, procedures, and controls. Rather, the Agencies intend a bank's establishment of its AML/CFT program to require the bank's risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—to remain current as the bank's risk profile changes. For example, if a bank begins providing a new product or service—or changes how it provides an existing product or service, such as operating in a new geographic location—under this proposed rule, a bank would need to incorporate its new product or service as part of its risk assessment processes. The proposed rule would require a bank to make a risk determination and, as appropriate, redesign its risk-based set of internal policies, procedures, and controls to account for the risks that it did not previously encounter prior to offering the new product or service, or operating in the new geographic location. Thus, under the proposed rule, even where a bank has previously established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant changes in the bank's risk profile may result in the program no longer satisfying the proposed rule's requirements regarding establishment.

2. Implementation of an AML/CFT Program

Once a bank has properly “established” an AML/CFT program, the bank must “maintain” the program by implementing it, in all material respects. Minor deficiencies of an AML/CFT program would not necessarily mean that a bank has failed to implement the program.

Although there are a variety of ways that a bank may not be implementing its program “in all material respects,” in the Agencies' experience, commonly observed examples may include, but would not be limited to: (1) internal policies, procedures, and controls are not being performed or not being performed on a consistent, regular, and timely basis (e.g., consistently ignored warnings or red flags that a program was seriously deficient) due to the nature or extent of required resources becoming inadequate; (2) gaps in the risk assessment processes that result in the bank's program internal policies, procedures, and controls missing or inadequately covering higher ML/TF risks (e.g., systems used to monitor for potentially suspicious activity failing to capture material volumes or types of transactions); or (3) deficiencies or weaknesses in the risk assessment processes that have a material impact on the bank's mitigation of ML/TF risks through its risk-based set of internal policies, procedures, and controls, including due to data-related issues involving relevant processes and systems.

Similarly, the Agencies expect that a bank could become aware of such implementation-related concerns through a variety of mechanisms, including but not limited to: (1) independent testing of the AML/CFT program; (2) examiner observations, suggestions, or other informal comments about the AML/CFT program;, (3) management information systems and related reports or other outputs (e.g., key performance indicators or key risk indicators, such as monitoring for potentially material backlogs in relevant AML/CFT processes), and (4) issues identified by personnel involved in the operation of the bank's AML/CFT program.

D. Program Establishment

As noted earlier, pursuant to 31 U.S.C. 5318(h), the Agencies' AML/CFT program requirements for banks currently require certain minimum elements, including: (1) a risk-based set of internal policies, procedures, and controls; (2) an independent audit function to test programs; (3) a designated compliance officer; and (4) an ongoing employee training program. The majority of the proposed rule's AML/CFT program components are substantially similar to the existing regulatory requirements for banks. However, the Agencies are proposing certain additions and modifications to modernize and strengthen banks' AML/CFT programs to allow banks to better mitigate illicit finance risks.

1. Internal Policies, Procedures, and Controls

The Agencies' rules currently require banks to develop “a system of internal controls to assure ongoing compliance” with the requirements of the BSA as part of their AML/CFT programs. [41 ] The Agencies' existing program rules, however, do not clearly articulate what it means to establish such a system of internal policies, procedures, and controls to ensure compliance.

Under the proposal, the Agencies are amending and clarifying the current internal control pillar requirements. Specifically, the proposal provides that banks must establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent with the risk assessment processes, including by directing more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities; and, (3) conduct ongoing CDD. The preamble addresses each of these features below.

Under this proposal, a bank's risk-based set of internal policies, procedures, and controls should be based upon, informed by, and consistent with a bank's risk assessment processes. The internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity of the bank. The requirement that a bank's risk-based set of internal policies, procedures, and controls be “reasonably designed” gives banks flexibility in how they achieve compliance with the BSA and the proposed rule's other requirements. As part of having a risk-based set of internal policies, procedures, and controls, reasonably designed to ensure compliance, banks may choose to responsibly adopt new technologies or innovative approaches to comply with BSA requirements. Consistent with this purpose, the Agencies encourage banks to evaluate whether new technology or innovative approaches in other resources might help to more effectively combat financial crime. Innovative approaches could involve machine learning, GenAI, digital identity, blockchain monitoring and analytics, or APIs.

i. Risk Assessment Processes

The Agencies are proposing that, as part of a bank's risk-based set of internal policies, procedures, and controls, the bank identify, assess, and document the bank's ML/TF risk through risk assessment processes that: (1) evaluate the ML/TF risks of the bank's business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT Priorities; and (3) update promptly upon any change that the bank knows or has reason to know significantly changes the bank's ML/TF risks. ( printed page 18312)

The Agencies have traditionally viewed risk assessment processes as a critical tool of a reasonably designed BSA compliance program; a bank cannot implement a reasonably designed program to achieve compliance with the BSA unless it understands its risk profile. [42 ] Most banks already use risk assessments or risk assessment processes to structure their risk-based compliance programs. Despite being viewed as a critical tool, the Agencies' regulations do not currently explicitly require such risk assessment processes nor outline mandatory considerations for such processes. Thus, the proposed rule would codify into regulations the requirement for banks to establish risk assessment processes, thereby clarifying existing expectations and practices, as well as require specific factors for consideration that are responsive to the AML Act.

Importantly, the proposed rule requires, as a part of a bank's risk-based set of internal policies, procedures and controls, that it identify, assess, and document its ML/TF risks using risk assessment processes. A bank would retain flexibility in how it would document the results of its risk assessment processes. As proposed, banks would not be required to establish a single, consolidated risk assessment document solely to comply with the proposed rule. While such a document may be appropriate under the proposal, the use of the term “risk assessment processes” is intended to reflect that a financial institution may rely on multiple processes—applied as appropriate within its AML/CFT program—to identify, assess, and document its ML/TF risks and will be examined based on the totality of these processes rather than the sufficiency of a single, standalone risk assessment document.

The Agencies believe banks are best positioned to identify and evaluate their ML/TF risk and are therefore not prescribing any particular risk assessment processes or methodologies other than the critical elements described in this proposed rule. Under the proposed rule, banks would be examined for whether they have established and maintained, in all material respects, reasonably designed risk assessment processes—which need not be in the form of a singular risk assessment process. Furthermore, the Agencies are not prescribing any particular time frame for banks to update their risk assessment processes.

The Agencies recognize that banks vary significantly in size, structure, complexity, and risk profile. Under the proposed rule, bank's risk-based set of internal policies, procedures, and controls—including its risk assessment processes—should be commensurate with the bank's size, structure, risk profile, and complexity. Accordingly, banks with broader product offerings, more complex corporate structures, or greater exposure to higher-risk customers, products, services, or geographic locations would be expected to establish correspondingly more formalized or analytically complex internal policies, procedures, and controls—including risk assessment processes. By contrast, many community banks operate with more limited business activities, traditional lending and deposit services, a narrower geographic footprint, and customer bases concentrated within defined local communities. For such banks, risk assessment processes may appropriately be more streamlined or qualitative in nature, and a risk-based set of internal policies, procedures, and controls that is reasonably designed for a large, complex financial organization would not necessarily be required or appropriate for a community bank with a more limited risk profile.

As noted previously, most banks already design their BSA compliance programs based on their assessment of ML/TF risks under existing risk assessment processes. The Agencies expect that most banks will be able to leverage their existing risk assessment processes to satisfy the proposed requirement without making significant changes.

a. ML/TF Risks

The proposed rule would require banks' risk assessment processes to evaluate the ML/TF risks of the bank's business activities, including products, services, distribution channels, customers, and geographic locations. These factors are generally well known and often incorporated into current risk assessment processes of banks. While most banks are generally familiar with these concepts, “distribution channels” may be a newer term for some banks. For purposes of this rule, the Agencies consider “distribution channels” to refer to the methods and tools through which a bank opens accounts and provides products or services, including, for example, through remote or other non-face-to-face means.

Banks may use a variety of sources to inform their risk assessment processes. Such sources may include information obtained from other financial institutions, such as emerging risks and typologies identified through section 314(b) information sharing or payment transactions that other financial institutions returned or flagged due to ML/TF risks. [43 ] Information a bank generates or maintains could be another source. Internal information may include, for example, customer internet protocol addresses or device logins and related geolocation information.

Feedback from FinCEN, law enforcement, and financial regulators may also inform risk assessment processes. For example, if a bank receives feedback from law enforcement about a report it has filed or potential risks at the bank, the bank may incorporate that information into its risk assessment processes. Similarly, banks may consider information identified from responding to section 314(a) requests.

In addition to feedback, reports and analyses published by Treasury and FinCEN may be particularly relevant to a bank's business activities, thereby warranting consideration when evaluating ML/TF risks. For example, Treasury describes changes in the illicit finance risk environment in its biennial National Money Laundering Risk Assessment, National Terrorist Financing Risk Assessment, and National Proliferation Financing Risk Assessment, which highlight significant illicit finance threats, vulnerabilities, and risks. [44 ] Regardless of the source, banks should take measures in their risk assessment processes to ensure this ( printed page 18313) information is reasonably current, complete, and accurate.

b. AML/CFT Priorities

The AML/CFT Priorities set out the priorities for the U.S. government's AML/CFT policy as required by the AML Act and are designed to ensure that banks' AML/CFT programs are aligned with those priorities. Recognizing the diverse nature of ML/TF threats facing the U.S. financial system and national security, and that bank AML/CFT programs benefit U.S. national security by safeguarding the financial system from ML/TF risk, the AML/CFT Priorities are intended to ensure that banks are focusing on the greatest threats to U.S. national security, as defined by Treasury.

Section 6101 of the AML Act requires that a financial institution's review and appropriate incorporation of the AML/CFT Priorities into its AML/CFT program be subject to supervision and examination for compliance with the BSA and other AML/CFT laws and regulations. [45 ] The Agencies are implementing this statutory requirement by proposing that, as part of their risk assessment processes, banks must review and, as appropriate, incorporate the AML/CFT Priorities. The inclusion of the AML/CFT Priorities in risk assessment processes is meant to help ensure that banks understand their exposure to risks in areas that are of particular importance nationally, which may help banks develop risk-based and reasonably designed AML/CFT programs.

The Agencies understand that the AML/CFT Priorities may not always be applicable to a bank's risk profile and activities. Therefore, the Agencies require the incorporation of the AML/CFT Priorities in a bank's risk assessment processes, as appropriate. This means that, having reviewed the AML/CFT Priorities, a bank may determine the extent to which a particular Priority is applicable and whether and how a particular AML/CFT Priority should be appropriately incorporated into its risk assessment processes.

Further, a bank may use its judgment and apply a reasonable, risk-based determination on whether to focus on a specific aspect of an AML/CFT Priority, rather than addressing all aspects of a Priority that may either not be applicable or pose lower risks to the bank. However, the Agencies caution that a surface-level, perfunctory review of an AML/CFT Priority by a bank and of the foreseeable ways in which it may manifest itself within the bank's customers, products and services, geographies, and distribution channels would not satisfy this requirement. For example, patterns of transactions that may be consistent with potential structuring should not automatically be dismissed as lower value to law enforcement and untethered to an AML/CFT Priority without determining whether there is a potential connection to various types of other illicit finance activity (e.g., structuring or similar patterns involving transactions in narcotics trafficking proceeds).

Whenever the AML/CFT Priorities are updated, banks would no longer be required to incorporate prior versions of the AML/CFT Priorities. Banks would only be required, as appropriate, to incorporate the most recent AML/CFT Priorities into their risk-based AML/CFT programs.

The Agencies anticipate that some banks, such as community banks, may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities but instead have greater exposure to other ML/TF risks. Additionally, some banks' risk assessment processes may determine that their AML/CFT programs already sufficiently incorporate to some extent, the AML/CFT Priorities. In either case, any changes to banks' AML/CFT program, such as internal policies, procedures, or controls would be based on the results of risk assessment processes and their impact on the AML/CFT program, including how to review and, as appropriate, incorporate the AML/CFT Priorities before making these determinations. [46 ] The Agencies request comment from the public on whether additional guidance related to the consideration of the AML/CFT Priorities as part of an institution's risk assessment processes would be warranted.

c. Updates to Risk Assessment Processes

The proposed rule would require banks to update their risk assessment processes promptly upon any change that the bank would know or have reason to know would significantly change their ML/TF risk profile. For example, a bank may need to update its risk assessment when new products, services, and customer types are introduced; existing products, services, and customer types undergo significant changes; when the bank adopts new risk mitigation technology; or the bank as a whole expands or contracts through mergers, acquisitions, and divestitures. Banks may also need to update their risk assessment processes based on factors external to their operations that they know or have reason to know significantly change their ML/TF risk profiles. The Agencies welcome comments on whether it should further clarify when banks must review or update their risk assessment processes.

ii. Mitigate ML/TF Risks Through Risk-Based Allocation of Attention and Resources

Section 6101(b) of the AML Act states that the AML/CFT programs of financial institutions should be “risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” [47 ] The proposed rule would adopt this formulation as part of a bank's obligation to establish a risk-based set of internal policies, procedures, and controls. Under the proposed rule, a bank's efforts to mitigate its ML/TF risks would involve “directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of [a bank], rather than toward lower-risk customers and activities.”

The Agencies view risk-based allocation of resources as a critical step in realizing the AML Act's BSA modernization and reform ambitions, and consistent with the Agencies' ongoing efforts to modernize AML/CFT compliance and supervision. The proposed rule envisions banks exercising more flexibility in deploying attention and resources in accordance with the proposed rule without fear of supervisory criticism or action from examiners for directing more attention and resources on higher risk customers and activities, rather than toward lower risk customers and activities.

The goal of risk-based resource allocation is for banks to spend less time, energy, and resources on lower priority activities that may result in less resources devoted to and potentially distract from more serious threats. The proposed rule would enable banks to focus more on higher risk customers and activities, which the Agencies have determined should result in banks being more effective at detecting, reporting, and preventing the flow of illicit funds and providing law enforcement with more valuable BSA reporting. ( printed page 18314)

As noted above, the Agencies believe that banks are best positioned to identify and evaluate their ML/TF risk and to make decisions related to risk identification and resource allocation in accordance with risk identification. The proposed rule, therefore, does not contemplate second-guessing of a bank's reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks. However, while the Agencies do not believe that an examiner should substitute his or her own subjective judgment in place of the bank's, examiners will be expected to assess whether (1) a bank's resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the bank knows or should know of resource-related issues involving its internal policies, procedures, and controls and other mandatory elements that may result in the bank failing to implement its AML/CFT program in all material respects and has failed to address such issues.

iii. Conduct Ongoing Customer Due Diligence

The proposed rule would add CDD as a required component of the Agencies' AML/CFT program rule. Appropriate risk-based procedures for conducting ongoing CDD—in the form of understanding the nature and purpose of customer relationships and conducting ongoing monitoring—is currently a required component in FinCEN's AML program rule, [48 ] and, therefore, banks are already required to comply with these ongoing CDD requirements under FinCEN's rule. The inclusion of risk-based procedures for conducting ongoing CDD in the Agencies' proposed rules would mirror FinCEN's existing rule and reflect the Agencies' long-standing supervisory expectations. Long before FinCEN amended its AML program rule to expressly include the CDD component requirement, the Agencies had considered CDD an integral component of a risk-based program, enabling the bank to understand its customers and its customers' activity to better identify suspicious activity. Adding the CDD component to the Agencies' AML/CFT program rule will eliminate confusion for banks concerning the current differences with FinCEN's rule. Because banks must already comply with FinCEN's CDD component requirement, the proposed change should not alter current compliance practices.

The proposed rule would incorporate CDD requirements not as a standalone pillar, but instead by making them part of the requirement that banks establish a risk-based and reasonably designed set of internal policies, procedures, and controls. As noted previously, the activities required to conduct ongoing CDD, such as monitoring customer relationships, maintaining and updating customer information on a risk basis, and identifying and reporting suspicious transactions are, in practice, subsumed by the obligation for a bank to have a risk-based and reasonably designed set of internal policies, procedures, and controls and have long been viewed by the Agencies as integral to component of a bank's internal controls. Accordingly, establishing these requirements within this pillar more accurately reflects how banks operationalize ongoing customer due diligence as part of their overall AML programs.

2. Independent Testing

The Agencies have required banks to perform independent testing since the original adoption of their BSA compliance program rules. The AML Act did not change the BSA's separate requirement that each bank must independently test its AML/CFT program. [49 ] The proposed rule therefore retains the existing requirement for banks to establish independent AML/CFT program testing to be conducted by bank personnel or an outside party with minor, non-substantive clarifications that are not intended to change regulatory requirements.

The purpose of independent testing is to assess the bank's compliance with AML/CFT statutory and regulatory requirements, relative to its risk profile. The independent AML/CFT program testing should be focused on whether the AML/CFT program is effective, and it should identify issues and areas for remediation accordingly.

To support the effective implementations of an AML/CFT program, independent testing should be based on objective criteria designed to assess whether a bank has established and implemented an effective AML/CFT program and allocated resources consistent with its risk assessment processes. These criteria should also assess whether related project governance is sufficient to manage risks and apply compensating controls where necessary, particularly in areas where remediation is underway. This evaluation helps to inform the bank's board of directors and senior management of weaknesses or areas in need of enhancement or stronger controls. Typically, this evaluation includes a conclusion about the bank's overall compliance with AML/CFT statutory and regulatory requirements and sufficient information for the reviewer (e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about whether the set of internal policies, procedures, and controls is reasonably-designed, and resources are well-allocated consistent with the bank's risk assessment processes.

Additionally, while banks retain some flexibility regarding who conducts the audit or testing, the proposed rule would continue to require that testing be independent. Banks that do not employ outside auditors or consultants or that do not have internal audit departments may comply with this requirement by using internal staff who are not involved in the function being tested. For these banks and banks with other types of arrangements for independent testing, the AML/CFT officer or any party who directly, and in some cases indirectly, reports to the AML/CFT officer, or an equivalent role, would generally not be considered sufficiently independent. Any individual conducting the testing, whether internal or external, would be required to be independent of other parts of the bank's AML/CFT program, including its oversight. For banks that engage outside auditors or consultants, the bank would be required to ensure that the outside parties conducting the independent testing are not involved in functions related to the AML/CFT program at the bank that may present a conflict of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures, and controls. Additionally, for the purposes of the independent testing component, outside parties would not include government agencies, entities, or instrumentalities, such as a bank's Federal or state functional regulators. Banks with less complex operations and lower risk profiles may consider utilizing a shared resource as part of a collaborative arrangement to conduct testing, as long as the testing is independent. [50 ]

( printed page 18315)

3. Designate an AML/CFT Officer Located in the United States

i. Duties of the AML/CFT Officer

The Agencies have required banks to “designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance” since the inception of their program requirements. The BSA separately requires that banks with AML/CFT program obligations must have a designated compliance officer, which was not altered by the AML Act. As in the Agencies' current BSA compliance program rules, the proposed rule would provide that an AML/CFT program must designate an individual(s) (referred to as an AML/CFT officer) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations. The Agencies' view is that the individual serving as the AML/CFT officer must be qualified for that role and not overburdened with other responsibilities at the institution. The Agencies are proposing clarifying and technical changes to the AML/CFT officer requirement, as well as changes to incorporate to FinCEN's interpretation of 31 U.S.C. 5318(h)(5), as discussed below. These changes are generally not expected to impose new obligations on banks.

Consistent with current requirements, the proposed rule is not intended to be primarily concerned about the formal title of the individual(s) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; instead, the proposed rule focuses on the AML/CFT officer's position in the bank's organizational structure that enables the AML/CFT officer to effectively establish and implement the bank's AML/CFT program. The AML/CFT officer's authority, independence, and access to resources within the bank are critical. An AML/CFT officer should have decision-making capability regarding the AML/CFT program and sufficient functional stature within the organization to ensure that the program meets BSA requirements.

The AML/CFT officer's access to resources may include: adequate compliance funds and staffing with the skills and expertise appropriate to the bank's risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management of the bank's ML/TF risks. An AML/CFT officer with conflicting responsibilities that adversely impact the officer's ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement. The addition of the explicit requirement that the AML/CFT officer be responsible for “establishing and implementing the AML/CFT program” in the proposed rule would make explicit a long-standing supervisory expectation, rather than changing current supervisory expectations.

ii. The AML/CFT Officer Must Be Located in the United States and Accessible to Regulators

The AML Act provides that the duty to establish, maintain, and enforce a bank's AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator. [51 ] Because this is a new requirement under the AML Act, it is not currently reflected in the Agencies' program rule requirements. FinCEN's concurrently proposed revisions to its AML/CFT program rules interpret this requirement as applying to the AML/CFT officer, so the Agencies' proposed rule would amend the existing compliance officer requirements to align with FinCEN's proposal.

The Agencies recognize banks may currently have AML/CFT staff and operations outside of the United States, or they may contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States. These arrangements may serve to improve cost efficiencies; to enhance coordination, particularly with respect to cross-border operations; or serve other purposes not in conflict with goals underlying the BSA. Consequently, under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States, other than in limited circumstances such as a bank's foreign head office or controlling company. [52 ] The Agencies request comment on whether any further clarifications on this point would be useful.

4. Ongoing Employee Training Program

The BSA requires AML/CFT programs to include an “ongoing employee training program.” [53 ] This statutory requirement is reflected in all current Agency program rules employing different wording. [54 ] The proposed rule would harmonize the Agencies' program rules with that of other financial regulators by adopting the BSA's “ongoing employee training program” language uniformly. [55 ] This change is clarifying, not substantive.

The Agencies would generally expect training to cover a bank's internal policies, procedures, and controls, which should in turn reflect the results of the bank's risk assessment processes, the latest AML/CFT regulatory requirements, and other relevant information. The frequency with which the training would occur, and the content of the training, would depend on the bank's ML/TF risk profile and the roles and responsibilities of the persons receiving the training. The Agencies welcome comment on whether any further clarifications of the proposed training requirement are needed and recognize that banks may have employees and non-employees who may have a variety of roles and responsibilities in relation to the AML/CFT program. The risk-based nature of an AML/CFT program provides flexibility for financial institutions to identify both employees and non-employees who must be trained on an ongoing basis.

E. Access to and Approval of a Written AML/CFT Program

1. Written AML/CFT Programs Must Be Made Available Upon Request

The Agencies' current BSA compliance program rule generally requires a bank to have a written AML/CFT program that is approved by the ( printed page 18316) bank's board of directors. [56 ] The proposed rule would modify these requirements and move them to a separate subsection and add clarifying text to harmonize the language with FinCEN's proposed rule. The Agencies request comment on whether further clarification on this point would be useful.

2. Bank Approval of a Written AML/CFT Program

Banks subject to Agency supervision currently must have board approval for their AML/CFT programs under the Agencies' rules. The proposed rule would continue to require that a bank's written AML/CFT program be approved, though the proposal will expand the options available for a bank to obtain such approval. Specifically, the proposed rule will require that the AML/CFT program be approved by the bank's board of directors or an equivalent governing body within the bank, or appropriate senior management. The proposed rule specifies that approval encompasses each of the components of the AML/CFT program.

With respect to the new “equivalent governing body” language, FinCEN's current rule requires a bank lacking a Federal functional regulator to obtain approval of the bank's written AML program from either the bank's board or an equivalent governing body. [57 ] The Agencies' proposed rule would also add a reference to an “equivalent governing body” to clarify that a bank can satisfy the requirement by having an equivalent governing body approve the program. The equivalent governing body can take different forms. For example, for the U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's board of directors or delegates acting under the board's express authority. Similarly, banks that do have a board of directors might instead reasonably delegate the approval requirement to a board committee exercising targeted oversight, such as a compliance committee, which would similarly qualify as an “equivalent governing body” under the proposal.

Finally, the rule would also permit a bank's senior management to approve the AML/CFT program. Such individuals may include Chief Executive Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal Officer, Chief Compliance Officer, Director, and individuals with similar status or functions. Also, banks may establish or utilize existing senior committees of appropriate senior management officials to perform these functions. The Agencies propose permitting approval by senior management to reflect the division of roles and responsibilities between a bank's board of directors and senior management with respect to establishing and implementing an AML/CFT program, as a bank's senior management is charged with the actual role of establishing and implementing the AML/CFT program.

While the proposed rule will no longer require the bank's board to approve the AML/CFT program, this would not alter the Agencies' expectations regarding the responsibilities of a bank's board of directors for providing appropriate oversight of the bank's AML/CFT compliance. The Agencies have always expected bank boards, both as a whole or through appropriate committees, to provide appropriate oversight of senior management to maintain the bank's operations in a safe and sound manner, oversee compliance with applicable laws and regulations, and establish appropriate risk governance frameworks. A bank's board might reasonably permit appropriate senior management to have AML/CFT program approval authority to provide more effective, timely oversight on a day-to-day basis, while still fulfilling the board's obligations through other appropriate means.

F. Customer Identification Program

The proposed rule would maintain the current Customer Identification Program requirements but would move them to a separate section. The Agencies propose minor, non-substantive updates to reference the “AML/CFT” terminology and harmonize the language between the Agencies to “require a customer identification program to be implemented as part of the AML/CFT program.” These technical changes are not anticipated to establish new obligations.

G. Supervision and Enforcement

The proposed rule would add new supervision and enforcement frameworks for banks' AML/CFT programs that are aligned with the AML Act's emphasis on effectiveness and risk-based supervision. The proposed rule defines key terms, describes the Agencies' enforcement and supervision policy with respect to AML/CFT program implementation failures, and establishes a consultation process between FinCEN and the Agencies relating to AML/CFT enforcement actions or significant AML/CFT supervisory actions. The enforcement requirements only apply to actions by the Agencies.

1. Definitions

Proposed section (a) would define several terms used throughout the section. The term “AML/CFT requirement” would mean a requirement of the Bank Secrecy Act (as that term is defined in 31 CFR 1010.100) or of the regulations in title 31, chapter X, or a requirement prescribed under the proposed definition.

The term “AML/CFT enforcement action” would mean any formal or informal action taken by one of the Agencies under authority of 12 U.S.C. 1818, 1786, or other applicable law that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes a cease-and-desist order, written agreement, consent order, or memorandum of understanding, or the assessment of a civil money penalty.

The term “significant AML/CFT supervisory action” would mean any written communication or other formal supervisory determination issued by one of the Agencies that identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement; communicates supervisory expectations to a bank regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and contemplates significant or programmatic actions or remedial measures to be taken by the bank. The term does not include examiner observations, suggestions, or other informal comments.

The FDIC is also adding a definition that is currently in 12 CFR 326.1. Previously, the FDIC's text referred to the definitions section in Subpart A of Part 326. This proposal would include a definitions section within Subpart B, and so FDIC is adding one definition needed from the section in Subpart A. This is not a substantive change.

2. Enforcement and Supervision Policy

The proposed rule would articulate the Agencies' enforcement and supervision policy as it relates to AML/CFT requirements. [58 ] Except with respect to a significant or systemic ( printed page 18317) failure to implement in all material respects an established AML/CFT program in accordance with the proposed rule, a bank that has properly established an AML/CFT program would not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action based on the program rule. At the same time, the proposed rule would clarify that nothing in this policy would restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to a failure to establish an AML/CFT program. The proposal is only intended to affect actions by the Agencies.

3. FinCEN Consultation

The proposed rule would establish a notice and consultation framework applicable when one of the Agencies intends to initiate an AML/CFT enforcement action or a significant AML/CFT supervisory action, as those terms are defined in the proposed regulation. Before initiating such an action, the Agency would provide the Director of FinCEN with an opportunity to review the action and would consider any input offered by the Director of FinCEN, which may include any view as to the effectiveness of the bank's AML/CFT program. To facilitate that review, the Agency would be required to provide written notice to the Director of FinCEN of the Agency's intent to take the action at least 30 days in advance of the proposed action, unless a shorter period is necessary, at the sole discretion of the Agency, to remedy, prevent, or respond to an unsafe or unsound practice or condition.

The notice would be accompanied by the relevant AML/CFT information underlying the proposed action. Relevant AML/CFT information may include, but is not limited to, relevant portions of draft report of examination; relevant portions of a draft enforcement action; examination workpapers supporting the proposed action; and the relevant AML/CFT information submitted by the bank to the Agency. The Agency would not be obligated to provide information over which the bank may claim privilege under Federal or State law. The Agency would also respond, to the extent reasonably practicable, to requests for additional AML/CFT information from the Director of FinCEN regarding the proposed action.

H. Other Changes for Modernization, Clarification, and Consistency

In addition to the previously described changes, the proposed rule would make other revisions to increase clarity and consistency in the program rules. Most of these changes are technical, such as renumbering provisions, amending cross-references, and updating statutory references based on changes to the BSA by the AML Act. For example, along with FinCEN, references to “BSA/AML programs” are being updated to “AML/CFT programs” for financial institutions. This technical change is not anticipated to establish new obligations.

I. Disclosure of Supervisory Information

Each Agency has issued regulations that generally prohibit the disclosure of the Agency's non-public information, except as provided under such regulations. [59 ] This prohibition generally applies to disclosure of any portion of a report of examination, supervisory correspondence, and any representations concerning such reports or supervisory correspondence, or their findings, including conclusions regarding compliance with AML/CFT compliance program requirements.

Consistent with the proposed rule's goal of enhancing FinCEN's role in the AML/CFT enforcement and supervisory process, the proposed rule would clarify that banks may share any information with the FinCEN Director that relates to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action. This proposed rule specifically provides that this authorization to share information includes information that would ordinarily be considered non-public information under the Agencies' respective rules. To qualify for this information sharing, the information at issue must have an appropriate nexus to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action. The Agencies are proposing this clarification to ensure that banks can share appropriate information with the FinCEN Director, including in the context of actions subject to the newly established consultation requirement. Otherwise, banks may be unable to provide thorough information to the FinCEN Director, whether proactively or in response to the Director's requests.

While the proposed rule intends to permit such sharing, the Agencies are proposing two alternative methods for permitting such information sharing with the FinCEN Director. Under the first approach, referred to as Option 1 in the amendatory text below, the Agency would authorize the disclosure of covered information on the Agency's behalf to the FinCEN Director and separately permit the FinCEN Director to use such information. This phrasing is intended to mirror the permissible scope of information sharing by the Agencies under 12 U.S.C. 1821(t), which provides that a “covered agency, in any capacity, shall not be deemed to have waived any privilege applicable to any information by transferring that information to or permitting that information to be used by” another Federal agency.

Under the alternative approach, referred to as Option 2 in the amendatory text below, the Agency would similarly authorize the disclosure of covered information on the Agency's behalf, as well as similarly authorize the use of such information by the FinCEN Director. The Agencies, however, would expressly require that any such information shared on the Agency's behalf be contemporaneously disclosed by the bank to the Agency. While the Agency will necessarily already have access to its own non-public information, this additional requirement is potentially more consistent with the retention of privilege contemplated under 12 U.S.C. 1821(t) and, therefore, potentially provides a greater safeguard against the unintended destruction of privilege. The Agencies also recognize that banks' willingness to share timely, thorough information with the FinCEN Director is essential to the success of the consultation framework; and requiring banks to contemporaneously disclose to an Agency the same non-public information they provide to FinCEN may discourage proactive reporting and thereby undermine the rule's objective of enhancing FinCEN's role.

Importantly, both of the options outlined above only permit the FinCEN Director to use the Agencies' non-public information. This authorization to use the information does not include an authorization by the Agencies to further disclose the received non-public information. Any dissemination by a bank to a party other than the FinCEN Director or by the FinCEN Director to any party would be subject to the Agencies' respective rules governing disclosure of non-public information.

Regardless, the proposed rule would include additional clarifying text intended to preserve all applicable privileges. The destruction of privilege over non-public supervisory information could prove harmful both to the Agency and the bank, so the additional language is intended to prevent such consequences.

The Agencies invite comment on these options for permitting greater information sharing with the FinCEN ( printed page 18318) Director regarding existing or potential AML/CFT enforcement actions or significant AML/CFT supervisory actions, including possible alternative methods of accomplishing the rule's objectives without unintentionally impeding applicable privileges.

IV. Severability

The Agencies propose that if one portion of the proposed rule, if finalized, is found to be invalid, the invalidated portion of the regulation should be severed with the other portions of the proposed rule remaining in full force and effect. The Agencies' position is that invalidation of any one provision, or application thereof to any one person or circumstance, does not, and should not, affect any other provision in this proposed regulation or other existing regulations. Each provision serves an important, related, but distinct purpose and application, designed to benefit the public by protecting the U.S. financial system from illicit financial activity. The Agencies accordingly propose incorporating this into their respective rules, such that invalidating one provision would not undermine the operability or usefulness of the other provisions.

V. Final Rule Effective Date

The Agencies are proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for banks to review and implement the requirements of the proposed rule. The Agencies solicit comment on the proposed effective date.

VI. Request for Comment

The Agencies welcome comment on all aspects of the proposed amendments but specifically seek comment on the questions below. The Agencies encourage commenters to reference specific question numbers when responding.

An “Effective” AML/CFT Program (IV.B)

  1. The proposed rule sets forth the conditions for an effective AML/CFT program. Is the description of an effective program sufficiently clear or is there anything further that the Agencies should consider in the final rule adding to clarify program effectiveness?

  2. The proposed rule reflects a determination by the Agencies that banks are best placed to identify risks and allocate resources, and that providing them with greater discretion in these areas will improve the quality of AML/CFT compliance and reporting to law enforcement. Is this correct or should the Agencies consider adding more requirements regarding allocation of resources? How might banks assess changes in the total allocation of resources devoted to an AML/CFT program in a changing risk and cost environment?

Establishing and Maintaining an AML/CFT Program (IV.C)

  1. Do banks distinguish between establishing a program and maintaining a program by implementing the program? Do banks distinguish between establishing a program and maintaining a program by implementing the program? If so, how? Should the Agencies add anything to further define these terms in the final rule?

  2. Should the proposed rule's distinction between “establishing” and “maintaining” a program be modified? Is the distinction between “establishing” and “maintaining” a compliance program useful for banks?

  3. Should the proposed rule distinguish between “establishing” and “maintaining” at the program level and “establishing” and “maintaining” each individual element? For example, should the final rule more clearly differentiate between a failure to establish the program, as a whole, versus a failure to establish an individual mandatory component of the program?

  4. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement in all material respects a properly established AML/CFT program?

  5. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?

  6. How should the proposed rule ensure that the regulations issued by FinCEN and the appropriate Agencies function harmoniously? How should the proposed rule differentiate between the Secretary of the Treasury's responsibility for regulations on establishing AML/CFT programs and the Agencies' responsibilities for regulations on establishing and maintaining programs?

Internal Policies, Procedures, and Controls (IV.D.1)

  1. Do banks expect any changes to their existing internal policies, procedures, and controls under the proposed rule, which requires that internal policies, procedures, and controls be “risk-based” and “reasonably designed” to ensure compliance with the BSA?

Risk Assessment Processes (Generally) (IV.D.1.i)

  1. The proposed rule refers to risk assessment processes rather than a risk assessment process. This leaves banks free to use findings from one or more processes to assess their ML/TF risk. Does this description of how banks assess their ML/TF risk provide sufficient flexibility? How should the Agencies describe “risk assessment processes” to better reflect how banks assess ML/TF risks?

  2. Should risk assessment processes be required to take into account additional or different criteria or risks than those listed in the proposed rule? If so, what additional factors should the Agencies consider requiring?

  3. How long does it generally take a bank to incorporate the results of a risk assessment into its AML/CFT program? What factors determine this time frame?

Risk Assessment Processes (AML/CFT Priorities) (IV.D.1.i.b)

  1. What, if any, difficulties do banks anticipate when incorporating the AML/CFT Priorities as part of their risk assessment processes?

  2. What additional guidance on how to incorporate the AML/CFT Priorities into a bank's risk assessment processes would it be useful for the Agencies to provide?

Risk Assessment Processes (Updates) (IV.D.1.i.c)

  1. The proposed rule requires that risk assessment processes are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's money laundering, terrorist financing, and other illicit finance activity risks. Would the proposed update requirement change the way banks currently update their risk assessment processes, and if so how? Is additional explanation needed concerning when a financial institution would be required to update its risk assessment? In particular, how might the Agencies clarify how risk assessment processes would be updated “promptly”? Would an alternative approach, such as periodic updates or a set schedule for updates, be preferable? Would an alternative standard, such as “materially changes,” be clearer than “significantly changes”?

  2. How do a bank's ML/TF risks and its risk assessment processes affect one another? Put differently, if there is a feedback loop between the two, please describe it, including the typical amount of time between discovering new risks and incorporating those findings into risk assessment processes. ( printed page 18319)

Independent AML/CFT Program Testing To Be Conducted by Bank Personnel or by an Outside Party (IV.D.2)

  1. Under the proposed rule, a bank is required to conduct independent AML/CFT program testing. This requirement is already reflected in existing AML program rule requirements as is the requirement to include “an independent audit function to test programs.” [60 ] The Agencies solicit comment on how financial institutions may interpret and carry out this requirement, based on the proposed rule's description of an effective AML/CFT program. Are further clarifications on the independent AML/CFT program testing requirement necessary to ensure that audits carried out by bank personnel or outside third parties are well-tailored, risk-based, and focused on effectiveness?

AML/CFT Officer Located in the United States (IV.D.3.ii)

  1. Under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States other than limited circumstances such as a bank's foreign head office or controlling company. Are any further clarifications on this issue needed?

Written AML/CFT Program and Approval (IV.E)

  1. The proposed rule standardizes the long-standing requirement that an AML/CFT program be written. Should the Agencies further clarify which specific elements of an institution's AML/CFT program must be written, or is this requirement generally understood in its current form? In particular: (a) which program components—such as risk assessment processes; internal policies, procedures, and controls; transaction monitoring rules and parameters; escalation and reporting protocols; independent testing results; training materials; and documentation of designated personnel—should be required in writing; (b) what form (e.g., narrative descriptions, checklists, system configurations, or electronic records) such documentation should take; and (c) what level of detail is appropriate for each component? Should the Agencies instead alter the requirement that an AML/CFT program be expressly required to be “written”? What would be the benefits or drawbacks of any such alterations to this requirement?

  2. The proposed rule would require that a bank's written AML/CFT program be approved by its board of directors, an equivalent governing body within the bank, or appropriate senior management. Should the Agencies further clarify which aspects of the AML/CFT program must be subject to such approval? In particular: (a) should approval be required for each of the core program components (e.g., the risk assessment processes framework; internal policies, procedures, and controls; transaction-monitoring and escalation frameworks; independent testing structure; training program; and designation of responsible personnel), or would approval of the overall program framework be sufficient; (b) should material revisions to particular components (such as significant changes to the institution's risk assessment methodology, monitoring architecture, or governance structure) require re-approval at the same level; and, (c) what level of specificity should the approving body be required to review and approve (e.g., high-level program architecture versus detailed procedures or parameter-level settings)? Should the Agencies instead eliminate the specified approval requirement, allowing banks flexibility in determining how leadership oversight of the AML/CFT program is structured? What would be the benefits or drawbacks of not prescribing a mandatory approval requirement in the regulation? If the Agencies do not eliminate the specified approval requirement, should the Agencies consider amending the requirement? Are there alternatives to board of directors or an equivalent governing body, such as “appropriate senior management” that would be more appropriate?

Supervision and Enforcement (IV.G)

  1. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement an established AML/CFT program?

  2. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?

  3. The proposed rule would add a requirement for an agency to notify and consider information provided by FinCEN before initiating a significant AML/CFT supervisory action when acting pursuant to authority delegated under this chapter. Should the proposed consultation process include an asset threshold— e.g., consultation is required for any significant AML/CFT supervisory actions involving banks with $10 billion or more in assets? In addition, or as an alternative, should the proposed rule not require but instead provide the option for banks to request their agency consult with FinCEN prior to initiating a significant AML/CFT supervisory action?

  4. The definition of significant AML/CFT supervisory action includes the term “any written communication.” Is the term “any written communication” too broad? Are there downsides and negative consequences to including the term “any written communication” in the proposed regulatory text? If so, please describe. Should the term “any written communication” be more clearly defined or removed altogether?

  5. As described above, the purpose of the FinCEN consultation requirement is to ensure consistency in BSA/AML enforcement and supervision across banks, and for FinCEN to provide relevant information on the effectiveness and impact of an institution's AML/CFT program. While Treasury, FinCEN, and the Agencies believe the benefits of a required consultation process outweigh the costs, the parties recognize this adds additional layers of review for banks and the Agencies during an examination. Are there any avenues, communication channels, or methods in which FinCEN and the Agencies can streamline the consultation process and prevent logistical burdens for banks or delays in exam report issuance?

  6. Is the definition of the term “significant AML/CFT supervisory action” sufficiently clear? Does the inclusion of “unsafe or unsound practices or conditions” introduce confusion about what types of supervisory actions would be subject to the FinCEN consultation requirement, since those terms are not found in the BSA?

Disclosure of Supervisory Information (IV.I)

  1. The Agencies invite comment on the two options for permitting greater information sharing with the FinCEN Director regarding AML/CFT enforcement actions or significant AML/CFT supervisory actions. In particular, would the disclosure of confidential supervisory information to FinCEN compromise attorney-client privilege, other applicable privileges, or otherwise undermine the preservation of privilege in 12 U.S.C. 1821(t)?

Other Topics

  1. Should the rule be revised to tailor program requirements or ( printed page 18320) implementation timelines to the size, complexity, or risk profile of the bank?

Final Rule Effective Date (V.)

  1. The Agencies are proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for financial institutions to review and implement their requirements. The Agencies solicit comment on the proposed effective date.

VII. Regulatory Impact Analysis

The proposed rule, if finalized, would modernize and align the Agencies' AML/CFT program requirements at 12 CFR parts 21 (OCC), 326 (FDIC), and 748 (NCUA) with the rule concurrently proposed by FinCEN under the BSA, as amended by the AML Act. [61 ] As described in Sections I-V of this SUPPLEMENTARY INFORMATION, the proposed rule would: clarify the elements of an effective, risk-based, and reasonably designed AML/CFT program; codify risk-assessment processes; distinguish program establishment from program implementation; and enhance FinCEN's role in supervision and enforcement through a structured consultation mechanism. As a result of these changes, the Agencies expect that banks would recalibrate their AML/CFT programs to concentrate on higher-risk activities and deprioritize lower-risk activities, resulting in greater overall efficiency in their AML/CFT programs.

In accordance with OMB Circular A-4, the Agencies estimate the annual effect of the proposed rule as the difference in estimated economic outcomes between a state of the world in which the proposed rule is adopted and a baseline state of the world in which the proposed rule is not adopted. This analysis assumes that in both states of the world, all other relevant regulations and financial conditions data for all banks supervised by each of the Agencies as of the quarter ending September 30, 2025, with one exception: because the proposed rule is being promulgated simultaneously with a rulemaking by FinCEN that will modify rules regarding AML/CFT for a broader set of institutions regulated by FinCEN, the analysis assumes FinCEN's rulemaking is finalized under both the baseline and under the proposed rule. This assumption allows the analysis to focus on the effects specific to the proposed rule. Because banks supervised by each of the Agencies are required to comply with the BSA, the proposed rule would apply to approximately 3,775 banks supervised by the FDIC and the OCC and another 4,331 credit unions supervised by the NCUA for an approximate total population of 8,100 banks. [62 ]

Under the baseline, banks must establish and maintain effective AML/CFT programs. These programs must include risk-based internal policies, procedures, and controls; a designated compliance officer; ongoing employee training; and independent testing. Banks also must meet FinCEN's CDD requirements. The analysis below evaluates incremental impacts of the proposal against that baseline.

Overall, the proposed rule is expected to provide direct benefits to banks through increased clarity of rules and increased consistency of enforcement for banks across financial regulators. The rule also codifies the general practice among banks to calibrate their AML/CFT programs to concentrate on higher-risk activities and deprioritize lower-risk activities. This recalibration would provide indirect benefits including the potential for reductions in crime due to greater deterrence and restriction of the flow of illicit funds as well as potentially increased access to financial services by low-risk members of the public. [63 ] The Agencies expect that the proposed rule would impose relatively small one-time adjustment costs on banks to update their AML/CFT programs to align with the newly-clarified requirements. Compliance costs are not anticipated to increase on an on-going basis, as overall program requirements have been clarified rather than increased and banks already maintain robust AML/CFT programs. The remainder of this section discusses these effects in turn.

A. Benefits

1. Benefit to the Public: Reduction in Money Laundering and Terrorist Financing

Effective AML/CFT programs can deter illicit behavior by preventing the flow of illicit funds and assisting law enforcement and national security efforts to identify and prosecute criminals. By clarifying banks' AML/CFT obligations, the proposed rule may improve the effectiveness of AML/CFT programs for banks, relative to the baseline, by enabling them to reallocate AML/CFT resources toward higher-risk customers and activities. This recalibration may reduce the frequency and severity of harm caused by criminal activity.

Reductions in illicit financial activities from effective AML/CFT programs have several benefits, both for affected banks as well as for the broader society. For banks, effective AML/CFT programs may result in direct cost savings due to a decreased likelihood that they will be subject to illicit schemes, which in turn decreases the probability of disruptions to a bank's normal business operations. It could result in other potential cost savings due to a decreased probability that a bank may need to make victimized customer accounts whole, conduct internal investigations of successful illicit schemes, or implement remediation steps to address and prevent future recurrences of previously successful illicit schemes. [64 ]

In terms of broader societal benefits, AML/CFT activities are often tied to other illicit activities such as but not limited to drug, weapons, wildlife, or human trafficking as well as terrorist activities. Any reduction in money laundering or terrorist financing is a benefit to society given the nature of the illegal activities that AML/CFT programs are designed to prevent. While it is inherently difficult to estimate the annual reduction in crime generally or financial crime specifically that could result from more effective AML/CFT programs, recent estimates suggest that those illicit activities run to the billions or trillions of dollars [65 ] and affect millions of Americans, [66 ] and given that ( printed page 18321) scale, even a very small percentage decrease would result in a meaningful benefit.

2. Benefit to the Public: Increased Access to Financial Services

An additional benefit of a recalibration of AML/CFT programs towards higher-risk activities under the proposed rule is that fewer low-risk clients or customers, or potential clients and customers, of banks would be inadvertently or accidentally denied access to banking services due to their non-illicit transactions being incorrectly flagged by an AML/CFT program. The Agencies lack the data to quantify the scale of this benefit.

3. Benefit to Banks: Increased Clarity, Supervisory Coherence, and More Effective AML/CFT Programs

The proposed rule would generate additional qualitative benefits from increased clarity and supervisory coherence, relative to the baseline. These benefits include: reducing regulatory fragmentation by harmonizing the Agencies' regulations with FinCEN's corresponding regulations and eliminating overlap pertaining to the CDD requirements; providing clarity regarding supervisory expectations, which will promote consistent supervisory outcomes across Agencies; enhancing outcomes related to national security and law enforcement by reinforcing risk-based approaches; and enabling more consistent identification and reporting of higher-priority illicit activity.

Having an effective AML/CFT program also reduces a bank's probability of regulatory and legal consequences, which may otherwise increase a bank's costs and adversely affect earnings. For example, ineffective programs that lead to significant AML/CFT activities may result in subsequent higher: operational risk capital requirements for larger banks currently subject to operational risk regulations; compliance costs from increased regulatory monitoring; or legal costs and financial penalties if program deficiencies result in violations of law, such as potential enforcement actions and civil money penalties.

Although these benefits are not readily quantifiable, they are expected to improve the focus of (1) AML/CFT supervision on mitigating significant or systemic failures in a bank's AML/CFT program and (2) bank compliance programs on higher-risk customers and activities.

B. Costs

1. One-Time Adjustment Costs to Banks

If adopted, the proposed rule would require alignment of existing AML/CFT programs to the clarified requirements. However, these costs are expected to be minimal. Possible one-time costs include:

—Labor costs associated with updating policy, procedure, and documentation to reflect risk-assessment processes, to codify definitions of “establish,” “maintain,” and “implement”, and to comply with the requirement that the program be written, accessible upon request, and approved by the board (or equivalent governance).

—Potential labor costs or transitional productivity reductions associated with ensuring that the designated AML/CFT officer is located in the United States and has sufficient authority, stature, independence, and resourcing to comply with the requirements of the proposed rule.

—Training costs to refresh relevant personnel to reflect the revised expectations, risk prioritization, updated governance roles, and program documentation.

Given that most banks maintain AML/CFT programs that adhere with current regulations and supervisory expectations and given that the proposed rulemaking sets forth requirements that banks are already generally in compliance with, these incremental costs are expected to be minimal relative to current AML/CFT compliance costs. The Agencies do not have data available to estimate the one-time transition costs listed. In addition, the Agencies recognize that these costs vary across banks based on their size, complexity, and the specific activities they engage in, as well as the sophistication of their current BSA compliance program. [67 ] Based on supervisory experience, Agency staff believe that banks are already generally in compliance with the proposed requirements based on longstanding regulatory and supervisory expectations. Therefore, the Agencies anticipate that banks would expend de minimis incremental costs to update their AML/CFT compliance programs in conformance with the proposed requirements.

2. Ongoing Costs to Banks

While the Agencies lack the data necessary to estimate how compliance costs for banks would change under the proposed rule, several factors suggest that ongoing compliance costs would be similar to the baseline. [68 ] First, banks already maintain extensive AML/CFT programs, in many cases exceeding the minimum requirements under current rules. Second, the proposed rule would clarify existing requirements rather than imposing new ones, which suggests that banks may not find it necessary to devote additional resources to AML/CFT programs relative to the baseline.

As a result, the Agencies anticipate no increase in ongoing compliance costs resulting from the proposed rule. Given the economic effects described above, the Agencies expect the benefits of the proposed rule would justify the costs.

The Agencies invite comments on all aspects of the economic analysis provided in this supplemental information. What, if any, additional significant benefits or costs should the Agencies consider and why?

VIII. Alternatives Considered

The Agencies have considered several alternatives to the proposed rule which could meet the objectives of this rulemaking. For the reasons described, the Agencies view the proposed rule as the most appropriate and effective means of achieving their policy objectives with respect to the Anti-Money Laundering Act of 2020.

The Agencies considered taking no regulatory action. Under this alternative, banks would remain subject to separate, partially overlapping, and in some cases ( printed page 18322) inconsistent AML/CFT program requirements across FinCEN and the Agencies. This would perpetuate regulatory fragmentation, increase compliance uncertainty, and risk inefficient resource allocation contrary to the AML Act's emphasis on risk-based programs. It would also fail to implement the AML Act's requirement that the AML/CFT Priorities be incorporated into program rules and examined accordingly, and it would not establish a uniform framework for distinguishing between program establishment and implementation. The Agencies therefore rejected this alternative.

The Agencies considered reissuing or finalizing the 2024 Notice of Proposed Rulemaking (2024 NPRM), which previously addressed these issues. However, public comments in response to the 2024 NPRM suggested that the 2024 NRPM did not adequately emphasize the increased flexibility of banks to recalibrate their BSA/AML programs to concentrate on higher-risk activities. In contrast, the proposed rule would provide such flexibility, and as discussed in this section, result in greater benefits to the public. The proposed rule also includes provisions requiring FinCEN's consultation on supervisory actions and other measures to refocus supervision on substantive issues with banks' BSA/AML programs rather than on procedural compliance. The Agencies therefore chose to issue the proposed rule.

The Agencies considered developing more prescriptive program requirements, such as mandatory risk-assessment methodologies, specific governance structures, required technologies, or defined timelines for updating risk assessments. Such an approach would conflict with the AML Act's emphasis on risk-based, flexible, and outcome-oriented AML/CFT programs, and would be inconsistent with the Agencies' stated view that banks are best positioned to identify and evaluate their own risks. The Agencies therefore rejected this alternative in favor of a flexible framework aligned with statutory intent.

The Agencies considered extending the implementation period beyond the proposed 12 months. A longer period would reduce near-term adjustment costs for some banks but would delay the benefits of improved clarity, harmonization, and risk-based supervision. Given that most banks already maintain programs substantially consistent with the proposed requirements, the Agencies believe a 12-month period appropriately balances transition needs and timely realization of benefits.

The Agencies considered whether the proposed rule should apply only to larger or more complex banks or include tailored requirements by size or business model. Because all banks must comply with the BSA, and because the proposal is inherently risk-based and scalable to each bank's risk profile, the Agencies determined that formal tailoring was unnecessary. Explicit tailoring could also undermine consistency and create cliff effects as banks restrict their growth to remain under regulatory thresholds. Therefore, the Agencies retained full applicability while emphasizing flexibility in program design.

The Agencies invite comments on possible alternatives to the proposed rule.

IX. Administrative Law Matters

A. Regulatory Flexibility Act (RFA)

OCC RFA

The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires an agency, in connection with a proposed rule, to prepare an initial Regulatory Flexibility Analysis describing the impact of the rule on small entities (defined by the U.S. Small Business Administration (SBA) for purposes of the RFA to include commercial banks and savings institutions with total assets of $850 million or less and trust companies with total assets of $47 million or less) or to certify that the rule will not have a significant economic impact on a substantial number of small entities. The OCC currently supervises approximately 609 small entities, all of which would be subject to the proposed rule. In general, the OCC classifies the economic impact on an individual small entity as significant if the total estimated impact in one year is greater than 5 percent of the small entity's total annual salaries and benefits or greater than 2.5 percent of the small entity's total non-interest expense. Furthermore, the OCC considers 5 percent or more of OCC-supervised small entities to be a substantial number. Thus, at present, 30 OCC-supervised small entities would constitute a substantial number.

The OCC's proposed rulemaking imposes no additional mandates, and thus no incremental direct costs beyond FinCEN's proposed rule, on affected OCC-supervised institutions. [69 ] Therefore, the OCC certifies that the proposed rule would not have a significant economic impact on a substantial number of OCC-supervised small entities.

FDIC

The RFA generally requires an agency, in connection with a proposed rule, to prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities. [70 ] However, an initial regulatory flexibility analysis is not required if the agency certifies that the proposed rule will not, if promulgated, have a significant economic impact on a substantial number of small entities. The SBA has defined “small entities” to include banking organizations with total assets of less than or equal to $850 million. [71 ] Generally, the FDIC considers a significant economic impact to be a quantified effect in excess of 5 percent of total annual salaries and benefits or 2.5 percent of total noninterest expenses. The FDIC believes that effects in excess of one or more of these thresholds typically represent significant economic impacts for FDIC-supervised institutions. For the reasons provided below, the FDIC certifies that the proposed rule would not have a significant economic impact on a substantial number of small banking organizations. Accordingly, a regulatory flexibility analysis is not required.

As previously discussed, the proposed rule, if finalized, would modernize and align the Agencies' AML/CFT program requirements with FinCEN's concurrently proposed BSA ( printed page 18323) rule, as amended by the AML Act. [72 ] It would clarify the components of an effective, risk based AML/CFT program; codify risk assessment processes; distinguish program establishment from implementation; and strengthen FinCEN's supervisory and enforcement role through structured consultation, if adopted. All FDIC-supervised Insured Depository Institutions (IDIs) are required to comply with AML/CFT program requirements. As of the quarter ending September 30, 2025, the FDIC supervised 2,778 institutions, [73 ] of which 2,064 are considered small entities for the purposes of RFA. [74 ] Therefore, the FDIC estimates that the proposed rule would directly affect 2,064 small, FDIC-supervised IDIs.

As noted in section VII, the FDIC estimates the effect of the proposed rule on each small FDIC-supervised IDI as the difference in estimated economic outcomes between a state of the world in which the proposed rule is adopted and a baseline state of the world in which the proposed rule is not adopted. This analysis assumes that in both states all other relevant statutes and regulations applicable to IDIs that existed as of September 30, 2025 would be in place, with one exception: because the proposed rule is being promulgated simultaneously with a rulemaking by FinCEN that will modify rules regarding AML/CFT for a broader set of institutions regulated by FinCEN, the analysis assumes FinCEN's rulemaking is finalized under both the baseline and under the proposed rule. This assumption allows the analysis to focus on the effects specific to the proposed rule. Under the baseline, small, FDIC-supervised IDIs would continue to be required to maintain AML/CFT programs that adhere to current regulations and supervisory expectations. These requirements include internal policies, procedures, and controls; a designated compliance officer; ongoing employee training; and independent testing. Small, FDIC-supervised institutions would also continue to be required to meet FinCEN's CDD requirements and are expected, though not uniformly codified, to maintain risk assessment processes.

The proposed rule introduces changes that are unlikely to result in significant direct effects to small, FDIC-supervised IDIs. As discussed in section VII, small, FDIC-supervised IDIs are already generally in compliance with the proposed requirements based on longstanding regulatory and supervisory expectations. Therefore, small, FDIC-supervised IDIs would incur de minimis incremental costs to update their AML/CFT compliance programs to conform with the proposed requirements. In addition, the FDIC anticipates no small, FDIC-supervised IDI would incur a significant increase in ongoing compliance costs as a result of the proposed rule. [75 ]

As a result, the FDIC certifies that the rule would not have a significant economic impact on a substantial number of small entities.

The FDIC invites comments on all aspects of the supporting information provided in this section, and in particular, whether the proposed rule would have any significant effects on small entities that the FDIC has not identified.

NCUA

The Regulatory Flexibility Act generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. [76 ] If the agency makes such a certification, it shall publish the certification at the time of publication of either the proposed rule or the final rule, along with a statement providing the factual basis for such certification. [77 ] For purposes of this analysis, the NCUA considers small credit unions to be those having under $100 million in assets. [78 ]

As of September 30, 2025, the NCUA supervised 4,331 Federally insured credit unions (FICUs. Typically, credit unions are much smaller than commercial banks. For example, median asset size for those 4,331 credit unions was $63.63 million; the comparable figure for FDIC-insured banks was $370.84 million (nearly six times the FICU figure). [79 ] The NCUA considers FICUs with fewer than $100 million in assets to be small entities for RFA purposes. As of 2025: Q3, 2,553 FICUs, or 58.9 percent of supervised institutions, qualified as small. Median asset size for small FICUs was $21.24 million. The median number of full-time equivalent employees (FTEs) for small credit unions was five. Because this rule applies to FICUs of all sizes, it will undoubtedly affect small credit unions. Both qualitative and quantitative evidence, however, point to an economically insignificant impact on small FICUs.

As for qualitative evidence, the NCUA already expects FICUs to maintain robust BSA-AML policies, consistent with the size and scope of the credit union. Because the agency believes the proposed rule largely codifies existing supervisory expectations, it should not prove a burden for most FICUs. Some credit unions, however, may find supervisory expectations marginally tighter relative to the current regime. Of course, adapting to marginal changes could still challenge credit unions with as few as five FTEs. For that reason, the NCUA makes resources available to help small credit unions meet such challenges and, more broadly, support overall growth and development.

As for quantitative evidence, the OCC and FDIC present analysis showing the number of supervised institutions for whom compliance will potentially be burdensome. Their threshold for “burdensome” is a compliance cost exceeding five percent of compensation expense or 2.5 percent of total non-interest expense. The NCUA believes these hurdles do not automatically carry over to FICUs because of the significant differences between the size, structure, and operating models of banks and credit unions. Unlike commercial banks, for example, credit unions are cooperatives. On average, credit-union compensation expense per employee is lower than bank compensation expense. Finally, many small credit unions have relied historically on volunteers and sponsor support to contain expenses. These factors collectively suggest the materiality threshold should be higher for credit unions. But even assuming every small credit union needs 32 hours to comply with the rule, that all credit unions pay the average hourly wage for ( printed page 18324) FICUs with fewer than $100 million in assets, and the bank thresholds for materiality are appropriate, the number of credit unions facing a significant compliance burden is roughly in line with the figures obtained by the FDIC.

B. Paperwork Reduction Act (PRA)

The Paperwork Reduction Act of 1995 80 states that no agency may conduct or sponsor, nor is the respondent required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC and FDIC have reviewed this proposed rule and determined that it does not create any information collection.

The NCUA is proposing to extend for three years, with revision, its information collection. This revision will be submitted to OMB for approval under the PRA.

Title of Information Collection: Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements.

OMB Control Number: 3133-0108.

Respondents: All federal insured credit unions.

Estimated Annual Burden: 80,856.

| Information collection
(obligation to respond) | Type of
burden
(frequency of response) | Number of
respondents | Number of
responses per
respondent | Average
time per
response
(hours) | Total
estimated
annual
burden
(hours) |
| --- | --- | --- | --- | --- | --- |
| 1. Establish AML/CFT Program. (Implementation) 12 CFR 748.2(b) and (c) (Mandatory) | Recordkeeping (One Time) | 4,331 | .3 | 32 | 46,208 |
| 2. Maintain AML/CFT Program. (Ongoing) 12 CFR 748.2(b) and (c) (Mandatory) | Recordkeeping (Annual) | 4,331 | 1 | 8 | 34,648 |
| Total Estimated Annual Burden (Hours) | | | | | 80,856 |
The NCUA invites comments on:

(a) Whether the collections of information are necessary for the proper performance of the Agencies' functions, including whether the information has practical utility;

(b) The accuracy of the Agencies estimates of the burden of the information collections, including the validity of the methodology and assumptions used;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the information collections on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Comments on aspects of this document that may affect reporting, recordkeeping, or disclosure requirements and burden estimates should be sent to the addresses listed in the ADDRESSES section of this document. Written comments and recommendations for these information collections also should be sent within 30 days of publication of this document to www.reginfo.gov/​public/​do/​PRAMain. Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.

C. Riegle Community Development and Regulatory Improvement Act

Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA), [81 ] in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on IDIs, each Federal banking agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on affected depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, section 302(b) of the RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on IDIs generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form. The Agencies invite comments that further will inform their consideration of the RCDRIA. [82 ]

D. Plain Language

Section 722 of the Gramm-Leach-Bliley Act [83 ] requires the Federal banking Agencies to use plain language in all proposed and final rulemakings published in the Federal Register after January 1, 2000. The Agencies invite your comments on how to make this proposed rule easier to understand. For example:

  • Have the Agencies organized the material to suit your needs? If not, how could the proposed rule be more clearly stated?
  • Are the requirements in the proposed rule clearly stated? If not, how could the proposed rule be more clearly stated?
  • Does the proposed rule contain language or jargon that is not clear? If so, which language requires clarification?
  • Would a different format (grouping and order of sections, use of headings, paragraphing) make the proposed rule easier to understand? If so, what changes to the format would make the proposed rule easier to understand?
  • What else could the Agencies do to make the proposed rule easier to understand?

E. Providing Accountability Through Transparency Act of 2023

The Providing Accountability Through Transparency Act of 2023 requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the internet website under section ( printed page 18325) 206(d) of the E-Government Act of 2002. [84 ]

The proposal and the required summary can be found for the Agencies at https://www.regulations.gov by searching for Docket ID OCC-2024-0005 and https://occ.gov/​topics/​laws-and-regulations/​occ-regulations/​proposed-issuances/​index-proposed-issuances.html, https://www.fdic.gov/​resources/​regulations/​federal-register-publications/​index.html #, and https://www.regulations.gov by searching for Docket ID NCUA-2024-0033.

F. Executive Orders 12866, 13563, and 14192

Executive Order 12866, as affirmed and supplemented by Executive Order 13563, directs agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits. This proposed rule was drafted and reviewed in accordance with Executive Order 12866. Within OMB, the Office of Information and Regulatory Affairs (OIRA) has determined that this rulemaking is an “economically significant regulatory action” pursuant to Executive Order 12866 section 3(f)(1). Accordingly, the draft rule was submitted to OIRA for review. As noted in other sections of the SUPPLEMENTARY INFORMATION of this document, the Agencies have assessed the costs and benefits of this rulemaking and have made a reasoned determination that the benefits of this rulemaking justify its costs. This proposed rule, if finalized as proposed, is not expected to be a regulatory action under Executive Order 14192 because it imposes no more than de minimis costs.

G. Unfunded Mandates Reform Act

The OCC has analyzed the proposed rule under the factors in the Unfunded Mandates Reform Act of 1995 (UMRA). Under this analysis, the OCC considered whether the proposed rule includes a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year ($187 million as adjusted annually for inflation). Pursuant to section 202 of the UMRA, if a proposed rule meets this UMRA threshold, the OCC would need to prepare a written statement that includes, among other things, a cost-benefit analysis of the proposal. The UMRA does not apply to regulations that incorporate requirements specifically set forth in law.

The OCC estimates that the proposed rule would not require additional expenditures from OCC regulated entities. As noted earlier, there are no additional mandated costs associated with the OCC's proposed rule beyond those required by FinCEN's concurrently issued proposal. Therefore, there are no UMRA costs associated with the OCC's proposal. The OCC's proposed rule would not result in an expenditure of $187 million or more annually by State, local, and tribal governments, or by the private sector.

H. NCUA Analysis on Executive Order 13132 on Federalism

Executive Order 13132 encourages certain regulatory agencies to consider the impact of their actions on State and local interests. The NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the executive order to adhere to fundamental Federalism principles. This proposed rule would apply to all Federally insured credit unions, including State-chartered credit unions. This scope is set by statute. The NCUA works cooperatively with State regulatory agencies on all supervisory matters, including AML/CFT matters, and will continue to do so. The NCUA expects that any effect on States or on the distribution of power and responsibilities among the various levels of government will be minor. The NCUA welcomes comments on ways to eliminate, or at least minimize, any potential impact in this area.

I. NCUA Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999. [85 ] The proposed rule relates to Federally insured credit unions' AML/CFT programs, and any effect on family well-being is expected to be indirect.

List of Subjects

12 CFR Part 21

  • Crime
  • Currency
  • National banks
  • Reporting and recordkeeping requirements
  • Security measures

12 CFR Part 326

  • Banks
  • Banking
  • Currency
  • Reporting and recordkeeping requirements
  • Security measures

12 CFR Part 748

  • Computer technology
  • Confidential business information
  • Credit unions
  • Crime
  • Currency
  • Internet
  • Personally identifiable information
  • Privacy
  • Reporting and recordkeeping requirements
  • Security measures

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

Authority and Issuance

For the reasons set forth in the preamble, the Office of the Comptroller of the Currency proposes to amend 12 CFR part 21 as follows:

PART 21—MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

  1. The authority citation for part 21 continues to read as follows:

Authority: 12 U.S.C. 1, 93a, 161, 1462a, 1463, 1464, 1818, 1881-1884, and 3401- 3422; 31 U.S.C. 5318.

  1. The heading of part 21 is revised to read as set forth above.

  2. Revise and republish subpart C to read as follows:

Subpart C—Procedures for Anti-Money Laundering/Countering the Financing of Terrorism Compliance

§ 21.21 Anti-Money Laundering/Countering the Financing of Terrorism Compliance, Supervision, and Enforcement. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by the OCC under authority of 12 U.S.C. 1818 or other applicable law, that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means:

(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or

(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this section.

(3) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100

(4) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of ( printed page 18326) law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to a national bank or Federal savings association regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the national bank or Federal savings association.

The term does not include examiner observations, suggestions, or other informal comments.

(b) AML/CFT program in general. Each national bank or Federal savings association must establish and maintain an effective AML/CFT program. A national bank or Federal savings association complies with this requirement if it:

(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.

(c) AML/CFT program establishment. A national bank or Federal savings association establishes an AML/CFT program in accordance with this paragraph if it:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and the implementing regulations at 31 CFR chapter X and to:

(i) Identify, assess, and document the national bank's or Federal savings association's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the national bank's or Federal savings association's business activities, including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and

(C) Are updated promptly upon any change that the national bank or Federal savings association knows or has reason to know significantly changes the national bank's or Federal savings association's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the national bank's or Federal savings association's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (c)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the national bank or Federal savings association, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR 1010.230);

(2) Establishes independent AML/CFT program testing to be conducted by bank or savings-association personnel or by an outside party;

(3) Designates an individual, who is (i) located in the United States; (ii) accessible to, and subject to oversight and supervision by, FinCEN and the OCC; and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(d) AML/CFT program implementation. A national bank or Federal savings association implements an AML/CFT program in accordance with this paragraph if the national bank or Federal savings association implements, in all material respects, the AML/CFT program required under paragraph (c) of this section.

(e) Written AML/CFT program and approval. A national bank's or Federal savings association's AML/CFT program must be written, and it must be approved by the national bank's or Federal savings association's board of directors, an equivalent governing body within the national bank or Federal savings association, or appropriate senior management within the national bank or Federal savings association.

(f) Customer identification program. Each national bank or Federal savings association shall implement a customer identification program in accordance with 31 CFR 1020.220.

(g) Enforcement and supervision policy.

(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d) of this section, a national bank or Federal savings association that has established an AML/CFT program in accordance with paragraph (c) of this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to the requirements of 12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.

(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c)of this section.

(3) Criminal Enforcement Unaffected. Nothing in this subpart may be construed to affect criminal enforcement under the BSA.

(h) FinCEN consultation.

(1) Consultation and consideration requirement. Before initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action, the OCC will provide the FinCEN Director an opportunity to review the action and consider any input offered by the FinCEN Director on the action, which may include any view as to the effectiveness of the national bank's or Federal savings association's AML/CFT program.

(2) Notice requirement. To provide the FinCEN Director an opportunity to provide a view under paragraph (h)(1) of this section, the OCC will:

(i) Send written notice to the FinCEN Director of its intent to take that action at least 30 days before taking the action (unless a shorter period of time is necessary, in the sole discretion of the Comptroller of the Currency, to remedy, prevent, or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the proposed action, including the relevant portions of the draft report or enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the national bank or Federal savings association to the OCC, other than information over which the national bank or Federal savings association may claim privilege under Federal or State law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the FinCEN Director regarding the proposed action.

(i) Disclosure of supervisory information to FinCEN. ( printed page 18327)

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 4, the OCC permits a national bank or Federal savings associations, on behalf of OCC, to disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action to which the national bank or Federal savings association has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 4, the OCC permits a national bank or Federal savings association, on behalf of the OCC, to disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action to which the national bank or Federal savings association has access upon the contemporaneous disclosure of such information to the OCC.

(2) A national bank's or Federal savings association's disclosure of information to the FinCEN Director under paragraph (i)(1) of this section does not waive, invalidate, destroy, or otherwise affect any privilege or protection available under Federal or State law, including the attorney-client privilege, the work-product doctrine, the bank-examination privilege, or any other confidentiality or evidentiary privilege.

(3) Any disclosure made by a national bank or Federal savings association under paragraph (i)(1) of this section is made on behalf of the OCC pursuant to the OCC's authorization under 12 U.S.C. 1821(t).

(j) Severability.

The provisions of this subpart are separate and severable from one another. If any provision of this subpart is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

Authority and Issuance

For the reasons set forth in the preamble, the Federal Deposit Insurance Corporation proposes to amend 12 CFR part 326 as follows:

PART 326—MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

  1. The authority citation for part 326 is revised to read as follows:

Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1829b, 1881-1883, 5412; 31 U.S.C. 5311-5314, 5316-5336.

  1. The heading of part 326 is revised to read as set forth above.

  2. Revise and republish subpart B to read as follows:

Subpart B—Procedures for Monitoring Anti-Money Laundering/Countering the Financing of Terrorism Compliance

§ 326.8 Anti-Money Laundering/Countering the Financing of Terrorism Compliance, Supervision, and Enforcement. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by the FDIC under authority of 12 U.S.C. 1818 or other applicable law, that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means:

(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or

(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this section.

(3) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100.

(4) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to an FDIC-supervised institution regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the FDIC-supervised institution.

The term does not include examiner observations, suggestions, or other informal comments.

(5) FDIC-supervised institution or institution means any entity for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(q).

(b) AML/CFT program in general. Each FDIC-supervised institution must establish and maintain an effective AML/CFT program. A FDIC-supervised institution complies with this requirement if it:

(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.

(c) AML/CFT program establishment. An FDIC-supervised institution establishes an AML/CFT program in accordance with this paragraph if it:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and the implementing regulations at 31 CFR chapter X and to:

(i) Identify, assess, and document the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the FDIC-supervised institution's business activities, including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and

(C) Are updated promptly upon any change that the FDIC-supervised institution knows or has reason to know significantly changes the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (c)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the FDIC-supervised institution, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to: ( printed page 18328)

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR 1010.230);

(2) Establishes independent AML/CFT program testing to be conducted by institution personnel or by an outside party;

(3) Designates an individual, who is (i) located in the United States, (ii) accessible to, and subject to oversight and supervision by, FinCEN and the FDIC, and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(d) AML/CFT program implementation. An FDIC-supervised institution implements an AML/CFT program in accordance with this paragraph if the FDIC-supervised institution implements, in all material respects, the AML/CFT program required under paragraph (c) of this section.

(e) Written AML/CFT program and approval. A FDIC-supervised institution's AML/CFT program must be written and it must be approved by the FDIC-supervised institution's board of directors, an equivalent governing body within the FDIC-supervised institution, or appropriate senior management within the FDIC-supervised institution.

(f) Customer identification program. Each FDIC-supervised institution shall implement a customer identification program in accordance with 31 CFR 1020.220.

(g) Enforcement and supervision policy.

(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d) of this section, an FDIC-supervised institution that has established an AML/CFT program in accordance with paragraph (c) of this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to the requirements of 12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.

(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c) of this section.

(3) Criminal Enforcement Unaffected. Nothing in this subpart may be construed to affect criminal enforcement under the BSA.

(h) FinCEN consultation.

(1) Consultation and consideration requirement. Before initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action, the FDIC will provide the FinCEN Director an opportunity to review the action and consider any input offered by the FinCEN Director on the action, which may include any view as to the effectiveness of the FDIC-supervised institution's AML/CFT program.

(2) Notice requirement. To provide the FinCEN Director an opportunity to provide a view under paragraph (h)(1) of this section, the FDIC will:

(i) Send written notice to the FinCEN Director of its intent to take that action at least 30 days before taking the action (unless a shorter period of time is necessary, in the sole discretion of the FDIC, to remedy, prevent, or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the proposed action, including the relevant portions of the draft report or enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the FDIC-supervised institution to the FDIC, other than information over which the FDIC-supervised institution may claim privilege under Federal or State law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the FinCEN Director regarding the proposed action.

(i) Disclosure of supervisory information to FinCEN.

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 309, the FDIC permits an FDIC-supervised institution, on behalf of FDIC, to disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action to which the FDIC-supervised institution has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 309, the FDIC permits an FDIC-supervised institution, on behalf of the FDIC, to disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action to which the FDIC-supervised institution has access upon the contemporaneous disclosure of such information to the FDIC.

(2) An FDIC-supervised institution's disclosure of information to the FinCEN Director under paragraph (i)(1) of this section does not waive, invalidate, destroy, or otherwise affect any privilege or protection available under Federal or State law, including the attorney-client privilege, the work-product doctrine, the bank-examination privilege, or any other confidentiality or evidentiary privilege.

(3) Any disclosure made by an FDIC-supervised institution under paragraph (i)(1) of this section is made on behalf of the FDIC pursuant to the FDIC's authorization under 12 U.S.C. 1821(t).

(j) Severability.

The provisions of this subpart are separate and severable from one another. If any provision of this subpart is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

Authority and Issuance

For the reasons set forth in the preamble, the National Credit Union Administration proposes to amend 12 CFR part 748 as follows:

PART 748—SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS, CYBER INCIDENTS, AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM PROGRAM

  1. The authority citation for part 748 continues to read as follows:

Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.

  1. The heading of part 748 is revised to read as set forth above.

  2. Revise § 748.2 and republish to read as follows:

§ 748.2 Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Program Requirements. (a) Definitions. For purposes of this section: ( printed page 18329)

(1) AML/CFT enforcement action means any formal or informal action taken by the NCUA under authority of 12 U.S.C. 1786 or other applicable law, that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means:

(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or

(ii) A requirement prescribed under 12 U.S.C. 1786(q) or this section.

(3) Credit union for the purposes of this section means a federally insured credit union.

(4) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100.

(5) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to a credit union regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice, or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the credit union.

The term does not include examiner observations, suggestions, or other informal comments.

(b) AML/CFT program in general. Each credit union must establish and maintain an effective AML/CFT program. A credit union complies with this requirement if it:

(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.

(c) AML/CFT program establishment. A credit union establishes an AML/CFT program in accordance with this paragraph if it:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and the implementing regulations at 31 CFR Chapter X and to:

(i) Identify, assess, and document the credit union's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the credit union's business activities, including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and

(C) Are updated promptly upon any change that the credit union knows or has reason to know significantly changes the credit union's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the credit union's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (c)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the credit union, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer-due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR 1010.230);

(2) Establishes independent AML/CFT program testing to be conducted by credit union personnel or by an outside party;

(3) Designates an individual, who is (i) located in the United States, (ii) accessible to, and subject to oversight and supervision by, FinCEN and the NCUA, and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(d) AML/CFT program implementation. A credit union implements an AML/CFT program in accordance with this paragraph if the credit union implements, in all material respects, the AML/CFT program required under paragraph (c) of this section.

(e) Written AML/CFT program and approval. Acredit union's AML/CFT program must be written, and it must be approved by the credit union's board of directors, an equivalent governing body within the credit union, or appropriate senior management within the credit union.

(f) Customer identification program. Each credit union shall implement a customer identification program in accordance with 31 CFR 1020.220.

(g) Enforcement and supervision policy.

(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d) of this section, a credit union that has established an AML/CFT program in accordance with paragraph (c) of this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to the requirements of 12 U.S.C. 1786(q), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.

(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c) of this section.

(3) Criminal Enforcement Unaffected. Nothing in this subpart may be construed to affect criminal enforcement under the BSA.

(h) FinCEN consultation.

(1) Consultation and consideration requirement. Before initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action, the NCUA will provide the FinCEN Director an opportunity to review the action and will consider any input offered by the FinCEN Director on the action, which may include any view as to the effectiveness of the credit union's AML/CFT program.

(2) Notice requirement. To provide the FinCEN Director with an opportunity to provide a view under paragraph (h)(1) of this section, the NCUA will:

(i) Send written notice to the FinCEN Director of its intent to take that action at least 30 days before taking the action (unless a shorter period of time is necessary, in the sole discretion of the Chairman or his/her designee, to remedy, prevent, or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the proposed action, including the relevant portions of the draft report or ( printed page 18330) enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the credit union to the NCUA, other than information over which the credit union may claim privilege under Federal or state law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the FinCEN Director regarding the proposed action.

(i) Disclosure of supervisory information to FinCEN.

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 792, the NCUA permits a credit union, on behalf of the NCUA, to disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action to which the credit union has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 792, the NCUA permits a credit union, on behalf of the NCUA, to disclose to the FinCEN Director, and permits the FinCEN Director to use, any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action to which the credit union has access upon the contemporaneous disclosure of such information to the NCUA.

(2) A credit union's disclosure of information to the FinCEN Director, under paragraph (i)(1) of this section does not waive, invalidate, destroy, or otherwise affect any privilege or protection available under Federal or state law, including the attorney-client privilege, the work-product doctrine, the bank-examination privilege, or any other confidentiality or evidentiary privilege.

(3) Any disclosure made by a credit union under paragraph (i)(1) of this section is made on behalf of the NCUA pursuant to the NCUA's authorization under 12 U.S.C. 1821(t).

(j) Severability.

The provisions of this subpart are separate and severable from one another. If any provision of this subpart is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

Jonathan V. Gould,

Comptroller of the Currency.

Federal Deposit Insurance Corporation.

By order of the Board of Directors.

Dated at Washington, DC, on April 7, 2026.

Jennifer M. Jones,

Deputy Executive Secretary.

By the National Credit Union Administration Board, this 7th day of April 2026.

Melane Conyers-Ausbrooks,

Secretary of the Board.

Footnotes

1.

                     In Section V.A., the Agencies describe the express incorporation of the countering the financing of terrorism (CFT) requirements as part of a bank's anti-money laundering (AML) program requirements. For consistency throughout this proposed rule, AML program requirements will be described as AML/CFT program requirements.

Back to Citation 2.

                     The term “bank” is defined in regulations implementing the BSA, [31 CFR 1010.100(d)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(d)), and includes each agent, agency, branch, or office within the United States of banks, savings associations, credit unions, and foreign banks. For purposes of this proposed rule, the term bank solely refers to institutions whose primary regulator is one of the Agencies. The proposed rule would remove language in [12 CFR 21.21](https://www.ecfr.gov/current/title-12/section-21.21), which contains the OCC's program rule requirements, applicable to state savings associations. This language was adopted as part of the transfer of authorities from the Office of Thrift Supervision. In 2020, the FDIC issued a final rule making [12 CFR part 326](https://www.ecfr.gov/current/title-12/part-326) applicable to State savings associations, meaning it is no longer necessary to cover State savings associations in [12 CFR 21.21](https://www.ecfr.gov/current/title-12/section-21.21).

Back to Citation 3.

                     FinCEN is requesting comment on proposed amendments to its AML/CFT program rule for banks at the same time as this proposed rule from the Agencies. FinCEN's bank program rule is located at [31 CFR 1020.210](https://www.ecfr.gov/current/title-31/section-1020.210), while each Agency has its own implementing regulation. 
                    See [12 CFR 21.21 (OCC)](https://www.ecfr.gov/current/title-12/section-21.21#p-21.21(OCC)); [12 CFR 326.8](https://www.ecfr.gov/current/title-12/section-326.8) (FDIC); and [12 CFR 748.2](https://www.ecfr.gov/current/title-12/section-748.2) (NCUA).

Back to Citation 4.

                     FinCEN currently defines this term in [31 CFR 1010.100(e)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(e)). However, FinCEN notes in the preamble to its concurrently issued rule that the proposed rule also would make minor changes to the definitions in FinCEN regulations. These changes include the definition of “Bank Secrecy Act” at [31 CFR 1010.100(e)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(e)), adding statutory references to the Anti-Money Laundering Act of 2020 (AML Act) and the Corporate Transparency Act, and removing the reference to “collection of statutes commonly referred to as . . . .” Certain criminal statutes—namely, [18 U.S.C. 1956](https://www.govinfo.gov/link/uscode/18/1956), [1957](https://www.govinfo.gov/link/uscode/18/1957), and [1960](https://www.govinfo.gov/link/uscode/18/1960) —are currently included in the BSA definition at [31 CFR 1010.100(e)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(e)). Section 6003 of the AML Act, however, does not include these provisions in its BSA definition, and thus FinCEN is not considering them part of the BSA for the purposes of its proposed rule.

Back to Citation 5. 31 U.S.C. 5311(1).

Back to Citation 6.

                     Treasury Order 180-01 (Jan. 14, 2020), paragraph 3; *see also* [31 U.S.C. 310(b)(2)(I)](https://www.govinfo.gov/link/uscode/31/310) (providing that the Director of FinCEN shall “[a]dminister the requirements of subchapter II of chapter 53 of this title, chapter 2 of title I of Public Law 91-508, and section 21 of the Federal Deposit Insurance Act, to the extent delegated such authority by the Secretary of the Treasury.”).

Back to Citation 7.

                     Public Law 99-570, section 5318, 100 Stat. 3207, 3207-29 (1986).

Back to Citation 8. 52 FR 2858 (Jan. 27, 1987).

Back to Citation 9.

                     Most recently, Congress enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act on July 18, 2025. [Public Law 119-27](https://www.govinfo.gov/link/plaw/119/public/27), codified at [12 U.S.C. 5901](https://www.govinfo.gov/link/uscode/12/5901) *et seq.* The GENIUS Act requires that permitted payment stablecoin issuers (PPSIs) be treated as financial institutions under the BSA, including being required to maintain “an effective anti-money laundering program.” 
                    See [12 U.S.C. 5903(a)(5)(i)](https://www.govinfo.gov/link/uscode/12/5903). The GENIUS Act also requires the primary Federal payment stablecoin regulators, which are the Agencies and the Federal Reserve Board to issue regulations relating to PPSIs, including Bank Secrecy Act and sanctions compliance standards. These AML/CFT standards for PPSIs will be addressed separately from this rulemaking.

Back to Citation 10.

                     Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992) (Annunzio-Wylie).

Back to Citation 11. 31 U.S.C. 5318(h)(1), as added by section 1517(b) of Annunzio-Wylie. The Agencies note the proposed rule modifies the current sequencing of AML/CFT program components; however, the Agencies do not intend the change in sequencing to modify or signify changes in any substantive requirements.

Back to Citation 12. 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001) (USA PATRIOT Act).

Back to Citation 13. 31 U.S.C. 5318(h), as added by section 352 of the USA PATRIOT Act.

Back to Citation 14. 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).

Back to Citation 15.

                     
                    See 
                     FinCEN, Customer Due Diligence Requirements for Financial Institutions, [81 FR 29398](https://www.federalregister.gov/citation/81-FR-29398) (May 11, 2016).

Back to Citation 16. 68 FR 25090 (May 9, 2003).

Back to Citation 17. 31 U.S.C. 5318(l), as added by section 326 of the USA PATRIOT Act.

Back to Citation 18. 81 FR 29398 (May 11, 2016).

Back to Citation 19.

                     Press Release, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020), *[https://www.occ.gov/​news-issuances/​bulletins/​2020/​bulletin-2020-75.html](https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-75.html) and [https://www.fdic.gov/​news/​press-releases/​2020/​pr20091a.pdf](https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf).*

Back to Citation 20.

                     William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, [Public Law 116-283](https://www.govinfo.gov/link/plaw/116/public/283), 134 Stat. 3388 (Jan. 1, 2021).

Back to Citation 21.

                     Congress noted in its Joint Explanatory Statement (JES) of the Committee of Conference accompanying the FY21 NDAA that: “the current [AML/CFT] regulatory framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which the Congress enacted in 1970. This decades-old regime, which has not seen comprehensive reform and modernization since its inception, is generally built on individual reporting mechanisms (*i.e.,* currency transaction reports (CTRs) and suspicious activity reports (SARs)) and contemplates aging, decades-old 

                    technology, rather than the current, sophisticated AML compliance systems now managed by most financial institutions.” Congress further stated that the AML Act “comprehensively update[s] the BSA for the first time in decades and provide[s] for the establishment of a coherent set of risk-based priorities.” Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

Back to Citation 22.

                     H.R. Rep. No. 6395 (2020) at 732 (Joint Explanatory Statement of the Committee of Conference), *[https://docs.house.gov/​billsthisweek/​20201207/​116hrpt617-JointExplanatoryStatement.pdf](https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf).*

Back to Citation 23.

                     
                    See 
                     AML/CFT Priorities (June 30, 2021). As required by [31 U.S.C. 5318(h)(4)(C)](https://www.govinfo.gov/link/uscode/31/5318), the AML/CFT Priorities are consistent with Treasury's National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024). The AML/CFT Priorities are supported by Treasury's National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing (Mar. 2026). Additionally, Treasury is required to consult with the Agencies on the National Illicit Finance Strategy, which must include a risk assessment. 
                    See 
                     Combating Terrorism and Illicit Financing, [Public Law 115-44](https://www.govinfo.gov/link/plaw/115/public/44), 131 Stat. 934 (2017). As also required by [31 U.S.C. 5318(h)(4)(B)](https://www.govinfo.gov/link/uscode/31/5318), the Secretary, in consultation with the Attorney General, Federal functional regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities not less frequently than once every four years.

Back to Citation 24.

                     
                    See 
                     OCC Bulletin 23019-33, Bank Secrecy Act/Anti-Money Laundering: Joint Statement on the Risk-Focused Approach to BSA/AML Supervision (July 22, 2019).

Back to Citation 25. See, e.g., Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (July 6, 2022) (“Customer relationships present varying levels of money laundering, terrorist financing, and other illicit financial activity risks. The potential risk to a bank depends on the presence or absence of numerous factors, including facts and circumstances specific to the customer relationship. The Agencies continue to encourage banks to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”)

Back to Citation 26.

                     OCC, FDIC, NCUA, FinCEN, Agencies Issue Exemption Order to Customer Identification Program Requirements, (Jun. 27, 2025), *[https://www.occ.gov/​news-issuances/​news-releases/​2025/​nr-ia-2025-60.html](https://www.occ.gov/news-issuances/news-releases/2025/nr-ia-2025-60.html).*

Back to Citation 27.

                     FinCEN et. al, Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations (Jan. 19, 2021) (clarifying, among other things, that there is no BSA regulatory requirement to terminate a customer relationship after the filing of a SAR or any specific number of SARs). *See also* FinCEN et. al, Frequently Asked Questions Regarding Suspicious Activity Reporting Requirements (Oct. 9, 2025), *[https://www.fincen.gov/​system/​files/​2025-10/​SAR-FAQs-October-2025.pdf](https://www.fincen.gov/system/files/2025-10/SAR-FAQs-October-2025.pdf)* (clarifying filing requirements related to potential structuring-related activity, documentation requirements related to not filing a SAR on potentially suspicious activity, and certain aspects of continuing activity reporting).

Back to Citation 28.

                     FinCEN, Anti-Money Laundering Program Effectiveness, [85 FR 58023](https://www.federalregister.gov/citation/85-FR-58023) (Sept. 17, 2020).

Back to Citation 29.

                     FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Requirements, [89 FR 55428](https://www.federalregister.gov/citation/89-FR-55428) (Jul. 3, 2024).

Back to Citation 30.

                     OCC, Federal Reserve Board, FDIC and the NCUA, Anti-Money Laundering and Countering the Financing of Terrorism Requirements, [89 FR 65242](https://www.federalregister.gov/citation/89-FR-65242) (Aug. 9, 2024).

Back to Citation 31.

                     For an overview of the content of the Effectiveness ANPRM and the 2024 Program NPRM, and for an overview of comments received on both, refer to FinCEN's proposed revisions to its AML/CFT program requirements, issued concurrently with this NPRM.

Back to Citation 32. 31 U.S.C. 5311.

Back to Citation 33. 31 U.S.C. 5318(h)(2).

Back to Citation 34.

                     Federal Reserve Board, FDIC, NCUA, OCC, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements, (Aug. 13, 2020), *[https://www.federalreserve.gov/​frrs/​regulations/​statement-on-bank-secrecy-act-anti-money-laundering-enforcement.htm](https://www.federalreserve.gov/frrs/regulations/statement-on-bank-secrecy-act-anti-money-laundering-enforcement.htm).*

Back to Citation 35.

                     Countering the financing of terrorism (CFT) includes laws, rules, regulations, or other measures intended to detect and disrupt the solicitation, collection, or provision of funds to support terrorist acts or terrorist organizations, or other violent extremist groups.

Back to Citation 36.

                     
                    See [31 U.S.C. 5318(h)(2)(B)(iii)](https://www.govinfo.gov/link/uscode/31/5318).

Back to Citation 37.

                     Federal Financial Institution Examination Council, BSA/AML Assessing Compliance with BSA Regulatory Requirements — Suspicious Activity Reporting, h *ttps://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04.*

Back to Citation 38.

                     William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, [Public Law 116-283](https://www.govinfo.gov/link/plaw/116/public/283), 134 Stat. 4547 at section 6002(3) (Jan. 1, 2021).

Back to Citation 39.

                     Federal Reserve Board, FDIC, FinCEN, NCUA, OCC, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing, (Dec. 3, 2018), *[https://www.fincen.gov/​system/​files/​2018-12/​Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_​508.pdf](https://www.fincen.gov/system/files/2018-12/Joint%2520Statement%2520on%2520Innovation%2520Statement%2520%2528Final%252011-30-18%2529_508.pdf).*

Back to Citation 40.

                     For instance, the provision of the BSA which requires financial institutions to have AML/CFT program rules states that “each financial institution shall *establish”* (emphasis added) such programs, including certain requirements as specified. 
                    See [31 U.S.C. 5318(h)(1)](https://www.govinfo.gov/link/uscode/31/5318). The corresponding Federal statute requiring each appropriate Federal banking agency to prescribe regulations requiring their supervised institutions to have BSA compliance programs states that these banks must “establish and maintain procedures reasonably designed to assure and monitor the compliance” with the requirements of the BSA. [12 U.S.C. 1818(s)(1)](https://www.govinfo.gov/link/uscode/12/1818).

Back to Citation 41. See, 12 CFR 21.21(d)(1) (OCC); 12 CFR 326.8(c)(1) (FDIC); and 12 CFR 748.2(c)(1) (NCUA).

Back to Citation 42.

                     Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), *[https://www.fdic.gov/​sites/​default/​files/​2024-03/​pr19065a.pdf](https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf).* The Joint Statement on Risk Focused BSA/AML Supervision, July 22, 2019, clarifies the Agencies' and the Federal Reserve Board's long-standing supervisory approach to examining for compliance with the BSA considers a financial institution's risk profile and notes that “[a] risk-based [AML] compliance program enables a bank to allocate compliance resources commensurate with its risk.” It further clarifies that a well-developed risk assessment process assists examiners in understanding a bank's risk profile and evaluating the adequacy of its AML program. The statement also explains that, as part of their risk-focused approach, examiners review a bank's risk management practices to evaluate whether a bank has developed and implemented a reasonable and effective process to identify, measure, monitor, and control risks.

Back to Citation 43.

                     See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020), *[www.fincen.gov/​system/​files/​shared/​314bfactsheet.pdf](http://www.fincen.gov/system/files/shared/314bfactsheet.pdf).*

Back to Citation 44.

                     
                    See 
                     U.S. Dep't of Treasury, 2026 Nat. Money Laundering Risk Assess. (Mar. 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NMLRA.pdf](https://home.treasury.gov/system/files/246/2026-NMLRA.pdf);* U.S. Dep't of Treasury, 2026 Nat. Terrorist Financing Risk Assess. (Mar. 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NTFRA.pdf](https://home.treasury.gov/system/files/246/2026-NTFRA.pdf);* U.S. Dep't of Treasury, 2026 Nat. Proliferation Financing Risk Assess. (Mar. 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NPFRA.pdf](https://home.treasury.gov/system/files/246/2026-NPFRA.pdf).*

Back to Citation 45. 31 U.S.C. 5318(h)(4)(E).

Back to Citation 46.

                     FinCEN's concurrently issued proposal provides additional clarity on how FinCEN anticipates addressing the AML/CFT Priorities.

Back to Citation 47. 31 U.S.C. 5318(h)(2)(B)(iv)(II).

Back to Citation 48.

                     
                    See [31 CFR 1020.210(a)(2)(v)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(v)) and [(b)(2)(v)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(v)).

Back to Citation 49. 31 U.S.C. 5318(h)(1)(D).

Back to Citation 50.

                     
                    See 
                     Federal Reserve Board, FDIC, NCUA, OCC, and FinCEN, Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), *[https://www.fincen.gov/​news/​news-releases/​interagency-statement-sharing-bank-secrecy-act-resources](https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources).*

Back to Citation 51. 31 U.S.C. 5318(h)(5).

Back to Citation 52. See, e.g., FinCEN, Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3, 2010); see also FinCEN, Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (Jan. 20, 2006), https://www.fincen.gov/​system/​files/​guidance/​sarsharingguidance01122006.pdf.

Back to Citation 53. 31 U.S.C. 5318(h)(1)(C).

Back to Citation 54. 12 CFR 21.21(d) (OCC); 12 CFR 326.8 (FDIC); and 12 CFR 748.2 (NCUA).

Back to Citation 55.

                     Other financial regulators with stakeholders subject to the BSA currently utilize their own versions of this requirement. 
                    See [31 CFR 1020.210(a)(2)(iv)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(iv)), [(b)(2)(iv)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(iv)) (banks); 1021.210(b)(2)(iii) (casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) (broker-dealers); 1024.210(b)(4) (mutual funds); 1025.210(b)(3) (insurance companies); 1026.210(b)(4) (FCMs and IBCs); 1027.210(b)(3) (DPMSJs); 1028.210(b)(3) (operators of credit card systems); 1029.210(b)(3) (loan or finance companies); 1030.210(b)(3) (housing GSEs).

Back to Citation 56.

                     
                    See [12 CFR 21.21(c)(1) (OCC)](https://www.ecfr.gov/current/title-12/section-21.21#p-21.21(c)(1)(OCC)), [326.8(b)(1)](https://www.ecfr.gov/current/title-12/section-326.8#p-326.8(b)(1)) (FDIC), and 748.2(b)(1) (NCUA).

Back to Citation 57.

                     
                    See [12 CFR 1020.210(b)(3)](https://www.ecfr.gov/current/title-12/section-1020.210#p-1020.210(b)(3)).

Back to Citation 58.

                     The proposal would not be intended to affect or restrict criminal enforcement under the BSA or the authority of the Department of Justice to pursue such actions.

Back to Citation 59. 12 CFR part 4, subpart C (OCC); 12 CFR 309.6 (FDIC); and 12 CFR part 792, subpart C (NCUA).

Back to Citation 60. 12 CFR 21.21(d)(2) (OCC); 12 CFR 326.8(c)(2) (FDIC); and 12 CFR 748.2(c)(2) (NCUA).

Back to Citation 61. 31 U.S.C. 5311-5336.

Back to Citation 62.

                     Consolidated Reports of Condition and Income (September 30, 2025).

Back to Citation 63.

                     For example, there is at least some anecdotal evidence that otherwise normal (low risk) customers could have reduced access as a result of BSA compliance. *See [https://www.banking.senate.gov/​imo/​media/​doc/​klein_​testimony_​2-5-25.pdf](https://www.banking.senate.gov/imo/media/doc/klein_testimony_2-5-25.pdf)* at 4.

Back to Citation 64.

                     
                    See 
                     Citizens Rulemaking Alliance comment letter (Nov. 17, 2025), p. 2, submitted in context of the recent proposed rulemaking [90 FR 48835](https://www.federalregister.gov/citation/90-FR-48835): Unsafe or Unsound Practices; Matters Requiring Attention. The letter provided conservative estimates for general burden to community banks to address matters sufficiently deficient to warrant a supervisory action of a Matters Requiring Attention. Their provided estimates suggested 120 internal staff hours per MRA to scope, draft, implement, and document a written remediation plan; 20 board/committee hours for oversight and attestation; and $15,000 in external advisory/legal services for complex MRAs. Agency staff expect that costs would be even greater for larger, more complex banks to remediate significant deficiencies or system failures in their AML/CFT programs.

Back to Citation 65.

                     The net annual cost of crime in the U.S. was estimated at approximately $3-4 trillion net of transfers in David A. Anderson, “The Aggregate Cost of Crime in the United States,” The Journal of Law and Economics, vol 64 no. 4 (2021). One specific type of financial crime, fraud, resulted in over $12 billion in reported losses in 2024 (*see* the Federal Trade Commission, *Consumer Sentinel Network Data Book 2024* (Mar. 2025), *[https://www.ftc.gov/​system/​files/​ftc_​gov/​pdf/​csn-annual-data-book-2024.pdf](https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf).*

Back to Citation 66.

                     There were over 6 million reports according to the Consumer Sentinel Network in 2024 (*see* Federal Trade Commission, Consumer Sentinel Network Data Book 2024 (Mar. 2025), *[https://www.ftc.gov/​system/​files/​ftc_​gov/​pdf/​csn-annual-data-book-2024.pdf](https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf).*

Back to Citation 67.

                     The Agencies expect there would be variation in the magnitude of these transition costs among affected institutions, depending on bank size, complexity of business model, transaction volume, and scope and nature of products, customers, services, and geographical operations. Smaller institutions would be expected to have significantly less transition costs to update policies, procedures, and documentation than larger institutions with more complex risk profiles, higher transaction volume, and greater diversity and volume of products, customers, services, and geographical operations. Smaller institutions also tend to have significantly less staff dedicated to AML/CFT compliance than larger institutions. As such, these smaller institutions would need to train fewer staff on the proposed rule's requirements than larger institutions, requiring them to allocate fewer total dollars to training. Furthermore, smaller institutions generally already have a designated AML/CFT officer domiciled in the United States whereas larger, internationally active institutions may not. This would result in no expected labor opportunity costs for smaller institutions, but possibly one-time costs for larger internationally active institutions that do not currently have a U.S. domiciled AML/CFT officer.

Back to Citation 68.

                     The Agencies acknowledge that banks would have to incorporate any future AML/CFT priorities FinCEN issues as part of their ongoing costs. However, the Agencies believe that banks have already incorporated the current AML/CFT priorities into their BSA compliance programs because these “[p]riorities reflect longstanding and continuing AML/CFT concerns previously identified by FinCEN and other Treasury components and U.S. government departments and agencies” (*see* AML/CFT Priorities, page 3 (June 30, 2021)).

Back to Citation 69.

                     A 2018 study considering compliance costs in community banks found that small bank compliance costs typically were about 10 percent of noninterest expense and the portion of this attributable to BSA was about 22 percent. This implies that total BSA compliance costs for small banks are 22 percent; this would need to increase more than two-fold in order for the rule to have a significant economic impact on small institutions because of the OCC's methodology of using a 2.5 percent noninterest expense threshold to establish significant impact on small entities. However, because the rule generally reinforces and codifies existing practices, the OCC expects the rule would not have a significant economic impact on a substantial number of small entities. *See [https://www.communitybanking.org/​-/​media/​files/​communitybanking/​compliance-costs-economies-of-scale-and-compliance-performance.pdf](https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf)* for details.

Back to Citation 70. 5 U.S.C. 601 et seq.

Back to Citation 71.

                     Assets for purposes of classifying “small entities” are determined by averaging the assets reported on its four quarterly financial statements for the preceding year. 
                    See [13 CFR 121.201](https://www.ecfr.gov/current/title-13/section-121.201) (as amended by [87 FR 69118](https://www.federalregister.gov/citation/87-FR-69118), effective Dec. 19, 2022). In its determination, the “SBA counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates.” 
                    See [13 CFR 121.103](https://www.ecfr.gov/current/title-13/section-121.103). Following these regulations, the FDIC uses an insured depository institution's affiliated and acquired assets, averaged over the preceding four quarters, to determine whether the FDIC insured depository institution is “small” for the purposes of RFA.

Back to Citation 72.

                     
                    See 
                     William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, [Public Law 116-283](https://www.govinfo.gov/link/plaw/116/public/283), 134 Stat. 3388 (Jan. 1, 2021).

Back to Citation 73.

                     FDIC-supervised institutions are set forth in [12 U.S.C. 1813(q)(2)](https://www.govinfo.gov/link/uscode/12/1813).

Back to Citation 74.

                     Consolidated Reports of Condition and Income (Sept. 30, 2025).

Back to Citation 75.

                     A 2018 study considering compliance costs in community banks found that small bank compliance costs typically were about 10 percent of noninterest expenses, and the portion of this attributable to BSA was about 22 percent. This implies that total BSA compliance costs for small banks are approximately 2.2 percent of noninterest expenses. For the proposed rule to have a significant impact on a small FDIC-supervised IDI, that IDI's BSA compliance costs would need to increase more than two-fold under the proposed rule. Because the proposed rule generally reinforces and codifies existing practices, the FDIC expects such an increase to be implausible. *See [https://www.communitybanking.org/​-/​media/​files/​communitybanking/​compliance-costs-economies-of-scale-and-compliance-performance.pdf](https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf).*

Back to Citation 76. 5 U.S.C. 601 et seq.

Back to Citation 77. 5 U.S.C. 605(b).

Back to Citation 78. 80 FR 57512 (Sept. 24, 2015).

Back to Citation 79.

                     Viewed another way, the FDIC considers small entities to be those holding fewer than $850 million in assets—88.0 percent of FICUs are smaller than that threshold.

Back to Citation 80. 44 U.S.C. 3501-3521.

Back to Citation 81. 12 U.S.C. 4802(a).

Back to Citation 82. 12 U.S.C. 4802(b).

Back to Citation 83. Public Law 106-102, section 722, 113 Stat. 1338, 1471 (1999), 12 U.S.C. 4809.

Back to Citation 84. 44 U.S.C. 3501 note.

Back to Citation 85. Public Law 105-277, section 654, 112 Stat. 2681, 2681-528 (1998).

Back to Citation [FR Doc. 2026-06948 Filed 4-9-26; 8:45 am]

BILLING CODE 4810-33-P; 6714-01-P; 7535-01-P

Published Document: 2026-06948 (91 FR 18304)

CFR references

12 CFR 21 12 CFR 326 12 CFR 748

Related changes

Favicon for www.federalregister.gov Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Requirements
Priority review Apr 10, 2026 FR: Foreign Assets Control Office Trade & Sanctions
Favicon for www.regulations.gov OCC Anti-Money Laundering Rule Comment Form
Priority review Apr 11, 2026 Regs.gov: Comptroller of the Currency Banking & Finance
Favicon for www.regulations.gov AML/CFT Programs for Banks Proposed Rule
Priority review Apr 11, 2026 Regs.gov: Comptroller of the Currency Banking & Finance

Get daily alerts for FR: Federal Deposit Insurance Corporation

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.federalregister.gov
FR: Federal Deposit Insurance Corporation federalregister.gov/documents/search?conditions%5Bagencies%5D%5B%5D=federal-deposit-insurance-corporation&order=newest
Banking & Finance

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from Treasury Department.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
Treasury Department
Comment period closes
June 9th, 2026 (59 days)
Compliance deadline
June 9th, 2026 (59 days)
Instrument
Consultation
Legal weight
Non-binding
Stage
Consultation
Change scope
Substantive
Document ID
91 FR 18304 / Docket ID OCC-2024-0005
Docket
Docket ID OCC-2024-0005 Docket ID NCUA-2024-0033

Who this affects

Applies to
Banks Insurers
Industry sector
5221 Commercial Banking
Activity scope
AML program establishment CFT program compliance Regulatory comment submission
Geographic scope
United States US

Taxonomy

Primary area
Anti-Money Laundering
Operational domain
Compliance
Compliance frameworks
BSA/AML
Topics
Banking Financial Services Computer technology Confidential business information Credit unions

Browse Categories

Agriculture & Food Safety 64 AI Regulation 3 Banking & Finance 292 Consumer Protection 44 Courts & Legal 362 Data Privacy & Cybersecurity 74 Defense & National Security 52 Education 19 Energy 101 Environment 86 Environmental Regulation 8 Financial Regulation 2 Government & Legislation 280 Healthcare 136 Housing 16 Immigration 8 Insurance 58 Labor & Employment 113 Pharma & Drug Safety 104 Public Health 3 Securities & Markets 104 Securities Regulation 9 Tax 66 Telecom & Technology 47 Trade & Sanctions 136 Transportation 57

Get alerts for this source

We'll email you when FR: Federal Deposit Insurance Corporation publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!