How Casinos Should Prepare for FinCEN's 2026 AML/CFT Overhaul

April 23, 2026

How Casinos Should Prepare for FinCEN’s 2026 AML/CFT Overhaul

Michael Fabius, Terence Grugan, Kelly Lenahan-Pfahlert Ballard Spahr LLP + Follow Contact LinkedIn Facebook X ;) Embed

Summary

FinCEN’s April 2026 proposal would significantly expand what casinos must demonstrate to maintain an effective Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) program under 31 CFR Part 1021. The Notice of Proposed Rulemaking (NPRM) introduces explicit risk‑assessment process requirements, integrates National Priorities into program design, and adds new governance expectations. Casinos should begin evaluating their current processes in light of a potentially tight implementation window.

The Upshot

• Risk assessment processes become an explicit regulatory requirement, and casinos must integrate AML/CFT National Priorities into those processes and into overall program design.
• Governance expectations increase, including approval of the written program by the casino’s governing body and a requirement that the designated AML/CFT officer be located in the United States.
• Effectiveness will be judged on how program components operate in practice, with greater scrutiny of methodologies, resource‑allocation decisions, and whether controls reflect the casino’s actual risk profile.

The Bottom Line

The NPRM signals a more structured and scrutinized approach to casino AML/CFT programs, with new expectations around risk‑assessment processes, governance, and how program components operate in practice. Casino operators should begin evaluating whether their current risk assessments function as true processes, whether governance structures can support board‑level approval and a U.S.‑based responsible officer, and whether resource‑allocation decisions can be defended under a risk‑based framework. Early preparation will help operators anticipate operational impacts if the rule is finalized on a compressed timeline.
FinCEN’s April 10, 2026 Notice of Proposed Rulemaking (NPRM) on Anti‑Money Laundering and Countering the Financing of Terrorism (AML/CFT) programs would materially reshape what it means for casinos and card clubs to maintain an effective program under 31 CFR Part 1021. The proposal introduces several structural changes: a new requirement for risk assessment processes, mandatory integration of AML/CFT National Priorities, and clearer governance and accountability expectations, including board‑level approval and a U.S.‑located responsible officer. Comments are due June 9, 2026.

For casino operators, the NPRM signals a shift toward a governance‑driven, risk‑engineering model. FinCEN intends to evaluate not only whether a casino has the required program components, but whether those components are implemented in ways that matter for risk mitigation. That framing will influence examinations, enforcement posture, and how operators document risk‑based decisions.

From ‘Compliance Program’ to an ‘Effective AML/CFT Program’

Proposed § 1021.210 would require each casino to develop and implement a written AML/CFT program that is risk-based and reasonably designed to prevent money laundering, terrorist financing, and other illicit finance activity. The NPRM separates program establishment from program implementation and introduces a distinct standard for assessing how the program operated in practice. Under the proposal, a casino must establish its AML/CFT program in accordance with the rule’s specific requirements and implement that program in “all material aspects”.

FinCEN is signaling that it will evaluate whether the casino has documented the required program components, built the core capabilities, and implemented those components in a way that aligns with the program’s stated design. Examiners will look closely at materials such as the risk assessment methodology, documented mitigation decisions, governance approvals, and version‑controlled program documents. Operators should expect more scrutiny of how these materials support the program’s structure and demonstrate that it is functioning as intended.

Risk Assessment Processes Become an Express Requirement

What the Rule Text Requires

Proposed § 1021.210(b)(1) would require casinos to maintain risk assessment processes that identify money laundering, terrorist financing, and other illicit finance risks arising from the casino’s business activities, including products, services, distribution channels, customers, and geographic locations. FinCEN notes that making risk assessment processes an explicit regulatory requirement represents a new obligation for casinos.

The same provision would require casinos to incorporate AML/CFT National Priorities, defined as the most recent priorities issued under 31 U.S.C. § 5318(h)(4), into their risk assessment processes and program design.

Operational Pressure Points

The NPRM shifts the focus from having a risk assessment to demonstrating a repeatable process. Casinos will need to show defined inputs and data sources, clear ownership and governance cadence, documented update triggers, and a defensible methodology for how risks are identified and weighted.

The proposed rule requires updates when the casino knows or has reason to know of a change in circumstances that materially changes risk. FinCEN is seeking comment on what constitutes a material change and what timing expectations should apply. Examples likely to qualify include new product launches, new distribution channels, shifts in customer segments, significant third‑party relationships, or property acquisitions that alter geographic exposure.

Internal Controls Reframed as Risk‑Based Policies, Procedures, and Controls

The NPRM replaces the familiar “system of internal controls” language with a requirement for risk‑based internal policies, procedures, and controls that reasonably mitigate identified risks and direct more attention and resources to higher‑risk customers and activities.

Resource Allocation Becomes Examinable

FinCEN is positioning resource allocation as part of the effectiveness analysis. Examiners will ask not only what controls exist, but why resources are distributed the way they are. Operators who can demonstrate a clear chain from risk assessment to mitigation strategy to staffing and technology decisions, and who can show how QA and testing feed back into that chain, will be better positioned.

Scope Expansion Through “Other Illicit Finance Activity”

The NPRM uses the phrase “other illicit finance activity” without defining it for Part 1021. This invites broader interpretations of what casinos must risk assess and mitigate. Operators may want to comment on whether FinCEN intends this phrase to expand the substantive scope of expected controls beyond traditional casino AML typologies.

Governance: Board Approval, a U.S.‑Located Responsible Officer, and Document Availability

Program Approval and Availability

Proposed § 1021.210(a) would require the written AML/CFT program to be approved by the casino’s board of directors or governing body, or, if neither exists, by senior management. Proposed § 1021.210(d) would require casinos to make a copy of the program available to FinCEN or its designee upon request.

This requirement is straightforward, but it creates governance records such as minutes, resolutions, and delegation matrices that will carry weight in an examination or investigation. Casinos with enterprise‑level programs should consider how approval mechanics will operate across properties and legal entities to ensure consistency and clear accountability.

A U.S.‑Located AML/CFT Officer

Proposed § 1021.210(b)(3) would require casinos to designate an individual responsible for day‑to‑day compliance who is located in the United States and accessible to, and subject to oversight and supervision by, FinCEN. This is a meaningful change from the existing rule, which requires a compliance officer but does not impose a location requirement.

FinCEN is requesting comment on how this requirement would affect institutions that rely on non‑U.S. personnel for certain compliance functions. The preamble highlights SAR confidentiality as a particular concern. Casino groups with centralized or shared‑services models should treat this as a high‑priority comment topic and begin evaluating how to structure compliance responsibilities without fragmenting accountability.

Independent Testing, Training, and a Subtle Technology Signal

Proposed § 1021.210(b)(2) and (b)(4) preserve existing expectations for independent testing and ongoing training.

FinCEN also proposes to remove language that expressly calls for automated programs to aid compliance in casinos with automated data processing systems. FinCEN states that the deletion is not intended to reduce substantive obligations, but to reflect a more risk‑based, institution‑specific approach. Less prescriptive text gives operators flexibility, but it also creates room for after‑the‑fact arguments about what a reasonably designed program required given the casino’s size, product mix, and risk profile.

Recordkeeping Alignment

The NPRM would revise § 1021.410(b)(10) to require retention of a copy of the AML/CFT program described in § 1021.210. This technical update reinforces the importance of version control and documented governance approvals, both of which will be central in examinations and enforcement actions.

Timing

FinCEN proposes a final‑rule effective date 12 months after issuance and requests comment on whether that timeline is appropriate. For multi‑property operators, 12 months may be tight, particularly where systems, analytics, and governance processes must be updated to support a defensible risk assessment and resource‑allocation framework.

Conclusion: Practical Steps for Compliance Teams

If finalized as proposed, the NPRM would move casino AML/CFT regulation toward a more formalized, governance‑driven model. In the near term, casino operators should evaluate whether existing risk assessment workpapers function as true processes with defined ownership and update triggers, map AML/CFT National Priorities to the casino’s risk taxonomy in a way that can be defended to examiners, and begin socializing board‑level approval mechanics and a U.S.‑located accountable officer model to avoid a last‑minute scramble if the 12‑month implementation window is adopted.

FinCEN’s direction indicates that casinos will need to demonstrate that required program components are in place and functioning in a manner that reflects a risk‑based allocation of attention and resources.

[View source.]

;) ;) Report

Latest Posts

• How Casinos Should Prepare for FinCEN’s 2026 AML/CFT Overhaul
• D.C. Circuit Showdown Over CFPB: Plaintiffs Oppose Effort to Fast-Track Agency Downsizing But Surprisingly Support Remand to District Court for it to First Consider Modifying the Preliminary Injunction as CFPB Urged in Motion
• Maryland Graduate Assistant Unionization Bill Passes: What Universities Should Know
• Fed transfers funds to CFPB for agency operations
• New Executive Order Targets “Racially Discriminatory DEI Activities” by Federal Contractors See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Ballard Spahr LLP

Written by:

Ballard Spahr LLP Contact + Follow Michael Fabius + Follow Terence Grugan + Follow Kelly Lenahan-Pfahlert + Follow more less

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

AML/CFT + Follow Anti-Money Laundering + Follow Casinos + Follow Compliance Management Systems + Follow FinCEN + Follow Money Laundering + Follow NPRM + Follow Proposed Rules + Follow Risk Assessment + Follow Risk Management + Follow Suspicious Activity Reports (SARs) + Follow Terrorist Financing Regulations + Follow Administrative Agency + Follow Art, Entertainment & Sports + Follow Finance & Banking + Follow more less

Ballard Spahr LLP on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in ** By using the service, you signify your acceptance of JD Supra's Privacy Policy.* - hide - hide