AML/CFT Program Reform NPRM - Effectiveness-Based Compliance

Fact Sheet: Proposed Rule to Fundamentally Reform Financial Institution AML/CFT Programs

On April 7, 2026, the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) intended to fundamentally reform

financial institutions' anti-money laundering and countering the financing of terrorism

(AML/CFT) programs under the Bank Secrecy Act (BSA). The proposed rule (AML/CFT Program Rule NPRM) is part of Treasury's broader effort to modernize the U.S. AML/CFT regulatory and supervisory framework to better achieve the purposes of the BSA, and is intended to lead to more effective outcomes for financial institutions, as well as law enforcement and national security agencies. The proposed rule sets forth several fundamental reforms to the AML/CFT program requirements and associated supervisory expectations for financial institutions, including:

• refocusing compliance obligations and expectations on effectiveness by distinguishing between deficiencies stemming from program design ("establishment") and program

implementation ("maintenance");

• reinforcing Treasury's belief that financial institutions are best positioned to identify and
  evaluate their money laundering, terrorist financing, and illicit finance risks;

• empowering financial institutions to direct more attention and resources toward higher-
  risk customers and activities rather than toward lower-risk customers and activities;

• clarifying expectations related to certain program requirements and functions--including
  independent testing and audit functions--to ensure that examiners and auditors do not substitute their subjective judgment in place of financial institutions' risk-based and reasonably designed AML/CFT programs;

• affirming FinCEN's central role in AML/CFT supervision, including through the
  introduction of a notice and consultation framework between Federal banking supervisors and FinCEN with respect to significant AML/CFT supervisory actions;

• incorporating the AML/CFT Priorities in both AML/CFT program requirements and
  considerations involving significant supervisory or enforcement actions; The AML/CFT Program NPRM also proposes to revise FinCEN's regulations to reflect statutory changes made by the Anti-Money Laundering (AML) Act of 2020 (AML Act). The AML/CFT Program NPRM fully supersedes a prior proposed rule FinCEN published on July 3, 2024, and FinCEN is withdrawing that proposed rule.

The following is a general overview of key elements of the AML/CFT Program NPRM. Public comments on the proposed rule must be received 60 days after publication of the NPRM in the Federal Register, and the text of the proposed rule is available here.

AML/CFT Program Requirements and BSA Modernization and AML/CFT Program Requirements

The proposed rule represents a cornerstone of Treasury's ongoing efforts to modernize the BSA, which the Secretary of the Treasury has identified as a key priority. The BSA requires financial institutions to establish AML/CFT programs and the proposed rule recenters the regulations implementing this requirement around the purposes of the BSA: identifying, preventing, and reporting financial crime. The proposed rule would help ensure that supervisory and enforcement actions related to bank AML/CFT programs are focused on significant or systematic failures to implement an effective program. This reflects FinCEN's key role, in accordance with its statutory authority as the administrator of the BSA, in ensuring a consistent and holistic approach to enforcement and supervision of banks' AML/CFT programs that focuses on program effectiveness rather than mere technical compliance. The proposal follows a series of recent actions that FinCEN has taken to advance BSA modernization efforts, including, for example, FinCEN's release of Frequently Asked Questions regarding Suspicious Activity Reporting Requirements and Exceptive Relief from Requirement to Identify and Verify Beneficial Owners at Each Account Opening. The proposed rule furthers Treasury's BSA modernization efforts, in addition to implementing the AML Act's amendments to the BSA. The AML Act amended the BSA by, among other things, requiring FinCEN and the appropriate Federal functional regulators to consider specific factors when prescribing minimum standards for AML/CFT programs and examining for compliance with those standards--namely that:

• financial institutions subject to AML/CFT program requirements are spending private
  compliance funds for public and private benefit;

• the AML Act has a policy goal of extending financial services to the underbanked and
  facilitating their financial transactions while preventing criminal persons from abusing formal or informal financial services networks;

• effective AML/CFT programs safeguard national security and generate significant public
  benefits, and that such programs should be reasonably designed to ensure compliance with the BSA and the regulations promulgated by FinCEN; and

• AML/CFT programs should be risk-based, with more financial institution attention and
  resources directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.

The proposed rule has taken these statutorily required factors into account. In addition, the preamble rule notes that FinCEN is aware of and shares industry concerns about the appropriateness of applying Model Risk Management Principles to AML/CFT programs and

related burden, solicits feedback on this issue, and highlights FinCEN's plans to work with

Federal banking supervisors to address associated industry concerns.

AML/CFT Priorities

The AML Act mandates that FinCEN establish public government-wide AML/CFT Priorities and to issue regulations incorporating the AML/CFT Priorities into revised program requirements. This AML/CFT Program NPRM proposes requiring financial institutions to review these AML/CFT Priorities and, as appropriate, incorporate them into their risk assessment processes. Notably, financial institutions will not be required to incorporate the AML/CFT Priorities into their risk-based AML/CFT programs until the final rule comes into effect.

Establishing and Maintaining an AML/CFT Program

The proposed rule also refocuses supervisory expectations on effectiveness by distinguishing between deficiencies stemming from the program's design ("establishment") on the one hand, or failures in the program's operation ("maintenance") on the other. FinCEN intends this two-prong framework to help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design with criticisms of day-to-day implementation. Under the proposed rule, establishing a program would require a financial institution to design a risk-based AML/CFT framework incorporating four core required pillars: (1) internal policies, procedures, and controls including risk assessment processes and, when applicable, ongoing customer due diligence; (2) independent program testing; (3) designation of a U.S.-based compliance officer; and (4) ongoing employee training. Establishing an AML/CFT program would also require keeping the program current as a financial institution's risk profile evolves. Maintaining an AML/CFT program would require an institution to implement its program in all material respects--in other words, to execute the program in practice.

Internal Policies, Procedures, and Controls

As noted, the BSA requires financial institutions to develop "internal policies, procedures, and controls" as part of their AML/CFT programs. This component of an AML/CFT program, often referred to as the first pillar, plays a significant role in the proposed rule. First, the proposed rule would require that a financial institution's internal policies, procedures, and controls be reasonably designed to identify, assess, and document money laundering, the financing of terrorism, and other illicit finance risks (ML/TF risks) through risk assessment processes, as described in more detail below. Second, a financial institution would be required to mitigate ML/TF risks consistent with its risk assessment processes, including by allocating more attention and resources toward higher-risk

customers and activities rather than toward lower-risk customers and activities. And third, the proposed rule would place existing requirements for certain financial institutions to conduct ongoing Customer Due Diligence (CDD) under the internal policies, procedures, and controls pillar. FinCEN believes that including the ongoing CDD obligation under this pillar more accurately reflects how financial institutions operationalize ongoing CDD as part of their overall AML/CFT programs. This organizational change, however, is not intended to have any effect on the substance of ongoing CDD obligations.

Risk Assessment Processes

Although financial institutions commonly maintain risk assessment processes, current AML/CFT program rules do not require them in a uniform manner across institution types. The proposed rule would use consistent language to require risk assessment processes as part of a financial institution's internal policies, procedures, and controls. Risk assessment processes would have to: (1) evaluate the ML/TF risks of the financial institution's business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT Priorities; and (3) be updated promptly upon any change that the financial institution knows or has reason to know significantly changes the institution's ML/TF risks.

Independent Testing

The proposed rule would retain the BSA requirement that financial institutions have an independent audit function to test their AML/CFT programs. The proposal clarifies the expectation that independent testing should be based on objective criteria designed to assess whether a financial institution has effectively established, implemented, and resourced an AML/CFT program consistent with its risk assessment processes; auditors should not substitute their own subjective judgment in place of the financial institution when carrying out this requirement. Independent testing must assess compliance, focus on program effectiveness, be conducted by individuals or parties who are truly independent of the AML/CFT function, and avoid conflicts of interest. Financial institutions would retain flexibility in how they meet this requirement.

AML/CFT Program Compliance Officer Located in the United States

The proposed rule includes the BSA requirement that financial institutions must have a designated compliance officer. The existing AML/CFT program rules contain variations in the description of this requirement, so the proposed rule would provide clarifying language. The proposed rule would require that financial institutions designate a person responsible for establishing, implementing, and overseeing day-to-day compliance with BSA requirements (the AML/CFT Officer). Consistent with the AML Act, the proposed rule would require that the AML/CFT Officer must be located in the United States and accessible to FinCEN and the appropriate Federal regulators. However, while the AML/CFT Officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. The proposed rule would not alter existing regulations and guidance that generally prohibit the

sharing of suspicious activity reports (SARs) with personnel located outside of the United States other than in limited circumstances, such as sharing with a bank's foreign head office or controlling company.

Ongoing Employee Training Program

The proposed rule would standardize the AML/CFT training requirement across all program rules by uniformly adopting the BSA's statutory language requiring an "ongoing employee training program," a clarifying rather than substantive change. FinCEN would generally expect training to reflect the institution's internal controls, risk assessment results, and current regulatory requirements, with frequency and content tailored to the institution's risk profile and personnel roles. The risk-based approach allows institutions flexibility in determining which employees and non-employees require ongoing training.

Access to and Approval of a Written AML/CFT Program

The proposed rule would standardize the generally applicable requirement in AML/CFT program rules that financial institutions maintain a written AML/CFT program and make it available upon request to FinCEN, appropriate Federal regulators, or their designees. The proposed rule would also require the program to be approved by the board of directors, an equivalent governing body, or appropriate senior management, clarifying and harmonizing existing approval requirements while allowing flexibility based on an institution's structure. These proposed changes are intended to promote consistency and strengthen oversight without creating new substantive documentation obligations.

Supervision and Enforcement of Banks' AML/CFT Programs

The proposed rule outlines a potential FinCEN enforcement and supervisory policy for banks' AML/CFT programs. Specifically, if a bank has established its AML/CFT program under the proposed rule, FinCEN generally would not take an enforcement action. FinCEN, or other agencies acting on its behalf, generally would not take a significant supervisory action against the bank, unless the bank has a significant or systemic failure to maintain that program. The proposed rule enhances FinCEN's role in AML/CFT supervision by introducing a notice and consultation framework requiring Federal banking supervisors, before initiating a significant AML/CFT supervisory action under delegated authority, to give FinCEN's Director at least 30 days' advance written notice, absent urgent circumstances, to review and provide input on the potential action. In determining whether to pursue an enforcement action or a significant supervisory action, or when reviewing a proposed supervisory action by a Federal banking supervisor, FinCEN's Director would consider (i) the four statutory factors noted above that are required by the AML Act, (ii) the extent to which the bank advances AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, (iii) and whether the bank is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank's AML/CFT program, among other considerations that FinCEN's Director may deem appropriate.

Other Changes to AML/CFT Programs

The proposed rule would make technical and clarifying revisions to FinCEN's AML/CFT program regulations to improve consistency across financial institution types. These changes include renumbering provisions, updating cross-references and statutory citations to reflect the AML Act and Corporate Transparency Act, revising definitions (such as "Bank Secrecy Act" and "Federal functional regulator"), adding a definition of "AML/CFT Priorities," and replacing references to AML programs with "AML/CFT programs" where appropriate. The proposed rule would consolidate separate bank program rules into a single standard applicable to all banks, harmonize and modernize requirements for casinos and money services businesses (MSBs) while retaining certain MSB-specific provisions, and remove outdated compliance dates and unnecessary cross-references to other regulations. The rule would also provide greater flexibility regarding AML/CFT program approval for most financial institutions, streamline provisions requiring compliance with other applicable rules, and maintain certain self- regulatory organization requirements for broker-dealers and futures commission merchants. Overall, the changes are intended to enhance clarity, consistency, and efficiency without altering substantive compliance obligations.

The Role of the Federal Banking Supervisors

The AML/CFT Program NPRM was prepared in consultation with the Federal Banking Agencies, comprised of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency. The Federal banking supervisors will also issue their own proposed AML/CFT program rules, applicable to the financial institutions they supervise, in substantive alignment with the NPRM published today.

Next Steps

FinCEN welcomes public comment on all aspects of the proposed rule. Public comments on the proposed rule must be received 60 days after publication of the NPRM in the Federal Register. Comments must be submitted in one of the following two ways (please choose only one of the ways listed):

• Electronically at https://www.regulations.gov. Follow the "Submit a comment"
  instructions. If you are reading this document on federalregister.gov, you may use the green "SUBMIT A PUBLIC COMMENT" button beneath this rulemaking's title to submit a comment to the regulations.gov docket. Refer to Docket Number FINCEN- 2026-0034 and RIN 1506-AB72.

• You may mail written comments to the following address: Regulatory and Strategic
  Affairs Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA

1. Refer to Docket Number FINCEN-2026-0034 and RIN 1506-AB72. Mailed comments must be received by the close of the comment period. Do not include any personally identifiable information (such as name, address, or other contact information) or confidential business information that you do not want publicly disclosed. All

comments are public records; they are publicly displayed exactly as received, and will not be deleted, modified, or redacted. Comments may be submitted anonymously. Follow the search instructions on https://www.regulations.gov to view public comments. In accordance with 5 U.S.C. 553(b)(4), a summary of this rule may be found at www.regulations.gov under Docket FINCEN-2026-0034

For Further Information

Financial institutions should send questions or comments regarding the contents of this fact sheet to the FinCEN Regulatory Support Section at www.fincen.gov/contact.