FinCEN Proposes Rule Reforming AML/CFT Program Requirements Under Bank Secrecy Act

Proposed Rule

Anti-Money Laundering and Countering the Financing of Terrorism Programs

A Proposed Rule by the Financial Crimes Enforcement Network on 04/10/2026

• This document has a comment period that ends in 60 days.
  (06/09/2026) View Comment Instructions

• PDF

• Document Details

• Document Dates

- Table of Contents

• Public Comments
• Regulations.gov Data

- Sharing

• Print
• Other Formats
• Public Inspection Published Document: 2026-07033 (91 FR 18704) Document Headings ###### Department of the Treasury

Financial Crimes Enforcement Network

1. 31 CFR Parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, and 1030
2. RIN 1506-AB72 ( printed page 18704) # AGENCY:

Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION:

Proposed rule.

SUMMARY:

Pursuant to the Department of the Treasury (Treasury) and FinCEN's efforts to modernize the Bank Secrecy Act (BSA) and to implement provisions of the Anti-Money Laundering Act of 2020 (AML Act), FinCEN is proposing a rule to fundamentally reform the requirements for financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs. Among other changes, this proposed rule aims to ensure that financial institutions establish and maintain effective AML/CFT programs that better achieve the purposes of the BSA and lead to more effective outcomes for financial institutions as well as law enforcement and national security agencies. Through this rulemaking, consistent with its statutory authority as the administrator of the BSA, FinCEN is also proposing measures to modernize and reform Federal supervision of AML/CFT programs by enhancing FinCEN's role in AML/CFT supervision and enforcement in coordination with Federal banking regulators. In addition, FinCEN is proposing regulatory amendments to promote clarity and consistency across FinCEN's program rules for different types of financial institutions.

DATES:

Comments must be received by June 9, 2026.

ADDRESSES:

Comments must be submitted in one of the following two ways (please choose only one of the ways listed):

• Electronically at https://www.regulations.gov. Follow the “Submit a comment” instructions. If you are reading this document on federalregister.gov, you may use the green “SUBMIT A PUBLIC COMMENT” button beneath this rulemaking's title to submit a comment to the regulations.gov docket. Refer to Docket Number FINCEN-2026-0034 and RIN 1506-AB72.
• You may mail written comments to the following address: Regulatory and Strategic Affairs Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2026-0034 and RIN 1506-AB72. Mailed comments must be received by the close of the comment period. Do not include any personally identifiable information (such as name, address, or other contact information) or confidential business information that you do not want publicly disclosed. All comments are public records; they are publicly displayed exactly as received, and will not be deleted, modified, or redacted. Comments may be submitted anonymously.

Follow the search instructions on https://www.regulations.gov to view public comments. In accordance with 5 U.S.C. 553(b)(4), a summary of this rule may be found at www.regulations.gov under Docket FINCEN-2026-0034.

FOR FURTHER INFORMATION CONTACT:

The FinCEN Regulatory Support Section at www.fincen.gov/​contact.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend FinCEN's regulations that prescribe anti-money laundering program requirements for financial institutions (AML program rules) [1 ] under the BSA. [2 ] For purposes of the AML program rules and this proposed rule, “financial institutions” are: (1) banks; (2) casinos and card clubs (casinos); (3) money services businesses (MSBs); (4) brokers or dealers in securities (broker-dealers); (5) mutual funds; (6) insurance companies; (7) futures commission merchants (FCMs) and introducing brokers in commodities (IBCs); (8) dealers in precious metals, precious stones, or jewels (DPMSJs); (9) operators of credit card systems; (10) loan or finance companies; and (11) housing government sponsored enterprises (housing GSEs).

II. Background

A. Anti-Money Laundering Programs Under the Bank Secrecy Act

Enacted in 1970 and amended several times since, the BSA is designed to combat money laundering, the financing of terrorism, and other illicit finance activity risks 3 . [4 ] Congress has authorized the Secretary of the Treasury (Secretary) to administer the BSA. The Secretary has in turn delegated the authority to implement, administer, and enforce compliance with the BSA and its associated regulations to the Director of FinCEN (Director). [5 ]

Since its original enactment, Congress has continued to address various aspects of AML/CFT compliance, including through expansion of the BSA. [6 ] In 1992, the Annunzio-Wylie Anti-Money Laundering Act [7 ] gave the Secretary authority to prescribe minimum standards for AML programs, including: “(A) the development of ( printed page 18705) internal policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training program, and (D) an independent audit function to test programs”—what are often called the “four pillars” of AML programs. [8 ] Later, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the BSA to include, among other things, customer identification program (CIP) requirements and the expansion of AML program rules to cover certain other financial industry participants (e.g., credit unions and FCMs). [9 ] The USA PATRIOT Act also made it mandatory for financial institutions to maintain AML programs that meet minimum prescribed standards. [10 ] Through the exercise of its delegated authority, FinCEN is authorized to require each financial institution to establish an AML program to ensure compliance with the BSA and guard against ML/TF risks. [11 ] Over time, FinCEN incorporated these standards into the AML program rules and implemented additional requirements for certain covered financial institutions, such as customer due diligence (CDD) requirements (sometimes referred to as the “fifth pillar” of AML programs). [12 ]

On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA), of which the AML Act was a component. [13 ] With the passage of the AML Act, Congress stated that it was seeking to modernize and strengthen the AML/CFT regulatory framework, which “had not seen comprehensive reform or modernization” since the BSA was enacted in the 1970s. [14 ] Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” [15 ]

Section 6101(b) of the AML Act made several changes to the BSA's AML/CFT program requirements.

First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B) to state that, “[i]n prescribing the minimum standards [for AML/CFT programs], and in supervising and examining compliance with those standards, the Secretary of the Treasury, and the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act) [16 ] shall take into account” certain factors, which are further described in section IV.A.

Second, section 6101(b) requires the Secretary, in consultation with the Attorney General, appropriate Federal functional regulators, relevant State financial regulators, and relevant national security agencies, to establish and make public government-wide AML/CFT priorities (AML/CFT Priorities). After consultation with the Federal functional regulators and relevant State financial regulators, the Secretary must promulgate regulations, as appropriate, to incorporate those priorities into revised program rules, and incorporation of the priorities must be included as a measure on which financial institutions are supervised and examined. FinCEN issued the first AML/CFT Priorities on June 30, 2021. [17 ]

Third, section 6101(b) expands the BSA's program rule requirement to formally include an express reference to CFT in addition to AML.

Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to, oversight and supervision by, the Secretary and the appropriate Federal functional regulator.

B. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)

Prior to the enactment of the AML Act, and as informed by the recommendations of the AML Effectiveness Bank Secrecy Act Advisory Group working group, FinCEN published an ANPRM seeking public comment on potential regulatory amendments to increase the effectiveness of the current program rules (Effectiveness ANPRM). [18 ] The Effectiveness ANPRM sought public comment on a number of issues, including whether FinCEN should define an effective and reasonably designed AML program as one that: (1) identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes, consistent with both the institution's risk profile and the risks communicated by relevant government authorities as national AML ( printed page 18706) priorities; (2) assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and (3) provides information with a high degree of usefulness to government authorities consistent with both the financial institution's risk assessment and the risks communicated by relevant government authorities as national AML priorities. [19 ]

Additionally, the Effectiveness ANPRM sought comment on whether FinCEN should amend its regulations to explicitly require financial institutions to implement risk assessment processes and whether FinCEN should publish AML priorities that financial institutions would incorporate into their risk assessments. [20 ] Congress enacted the AML Act shortly after FinCEN received comments on the Effectiveness ANPRM. As a result, many of the Effectiveness ANPRM's proposals have been superseded by statutory amendments.

FinCEN received 111 comments in response to the Effectiveness ANPRM, many of which generally supported the goals underlying the ANPRM. Some comments covered specific topics that would later be addressed in section 6101 of the AML Act and that are related to the proposed rule. For example, many commenters supported the Effectiveness ANPRM's concepts of effective and reasonably designed AML programs. Commenters further noted that prioritizing and allocating resources can be challenging if there is regulatory ambiguity or if examiner expectations are unclear or inconsistent, and that requirements for effective and reasonably designed programs should be tailored based on a financial institution's size, activities, or other characteristics. Finally, commenters expressed widespread concern about added burden on financial institutions, especially burden related to updating AML programs to incorporate national AML priorities.

C. The 2024 Notice of Proposed Rulemaking Revising AML Programs

1. Summary of 2024 Program Notice of Proposed Rulemaking (NPRM)

On July 3, 2024, FinCEN published an NPRM proposing revisions to AML/CFT program requirements (2024 Program NPRM). [21 ] In issuing that proposed rule, FinCEN consulted with the Federal functional regulators, the Internal Revenue Service (IRS), and relevant State financial regulators, as required under section 6101(b) of the AML Act. Additionally, on August 9, 2024, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the “Agencies”) [22 ] issued an NPRM proposing amendments to their respective AML program rules applicable to the financial institutions they regulate. [23 ]

The 2024 Program NPRM proposed that financial institutions establish AML/CFT programs that would include, at minimum, the following components: (1) a risk assessment process; (2) reasonable management and mitigation of illicit finance risks through internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) an ongoing employee training program; (5) independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party; and (6) other requirements (such as customer due diligence) depending on the type of financial institution.

The 2024 Program NPRM further proposed that financial institutions would be expected to base their AML/CFT program on the results of a risk assessment process. The risk assessment process would identify, evaluate, and document a financial institution's ML/TF risks, taking into account the following considerations: (1) the AML/CFT Priorities issued by FinCEN, as appropriate; (2) the ML/TF risks of the financial institution based on the institution's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed by the financial institution pursuant to FinCEN's regulations at 31 CFR chapter X. Additionally, the 2024 Program NPRM provided that financial institutions would have to review and update their risk assessments on a periodic basis, including, at a minimum, when there are material changes to a financial institution's illicit finance risks.

The 2024 Program NPRM would have also required a financial institution's AML/CFT program to be approved and overseen by the financial institution's board of directors (board) or equivalent governing body and would have made AML/CFT program approval and oversight requirements consistent across financial institution types. Furthermore, the 2024 Program NPRM reflected the requirement in the BSA, as amended by the AML Act, that the duty to establish, maintain, and enforce a financial institution's AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator.

FinCEN does not intend to finalize the 2024 Program NPRM, and it should be considered withdrawn and superseded by this proposed rule.

2. Comments FinCEN Received on the 2024 Program NPRM

In response to the 2024 Program NPRM, FinCEN received 86 comments from the public. Submissions came from a broad array of individuals and organizations, including members of Congress, the financial industry and related trade associations, groups representing small business interests, corporate transparency advocacy groups, regulatory associations, legal associations, and other interested groups and individuals.

A small number of commenters expressed support for the 2024 Program NPRM's effort to modernize and strengthen AML/CFT programs in line with the reform goals of the AML Act. Some supporters of the 2024 Program NPRM agreed with its emphasis on “effective, risk-based, and reasonably designed” AML/CFT programs that would promote “effectiveness, efficiency, innovation, and flexibility.” [24 ] Others commended FinCEN's efforts to emphasize the risk-based nature of AML/CFT programs and provide financial institutions with the flexibility to provide financial services based on their risk profile and capacity to manage customer relationships.

Commenters also expressed concerns with the 2024 Program NPRM, such as the proposed program requirements being excessively prescriptive and even redundant in light of the view that existing AML/CFT compliance programs were already intended to be risk-based. A number of commenters found the proposal to be an additive regulatory imposition that would increase costs and burdens, particularly to smaller financial institutions, without ( printed page 18707) any increase in program effectiveness, efficiency, or innovation.

On behalf of FinCEN, Treasury's Office of Tribal and Native Affairs (OTNA) also solicited comments and conducted Tribal consultations and coordination with Tribal Nations. OTNA received six comments from Tribal representatives during this process.

Taken together, the comments submitted to the Effectiveness ANPRM and 2024 Program NPRM provide helpful context that FinCEN has considered in developing the current NPRM.

i. Risk-Based Resource Allocation

The 2024 Program NPRM proposed a formulation of risk-based resource allocation as follows: “an effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the bank's risk profile that takes into account higher risk and lower-risk customers and activities.” [25 ] Commenters criticized this formulation of risk-based resource allocation in the NPRM and generally stated that this framing would not sufficiently enable financial institutions to reallocate resources in the manner intended by the AML Act by allowing financial institutions to direct more resources toward higher-risk customers and activity rather than lower-risk customers and activity, leaving open the concern that examiners may penalize financial institutions for doing so. Commenters strongly recommended that FinCEN adopt the statutory language from the AML Act concerning risk-based resource allocation. No commenters expressed support for the 2024 Program NPRM formulation.

ii. The Risk Assessment Process

Commenters to the 2024 Program NPRM were critical of the proposed risk assessment process. Commenters generally supported the idea of a risk assessment process requirement in the NPRM, as many financial institutions already conduct risk assessments. Commenters argued, however, that the proposal was insufficiently deferential to existing risk assessment practices and would impose new compliance costs by creating an additive “check-the-box” exercise for financial institutions that already conduct risk assessments. Commenters also stated that financial institutions should not be required to consider BSA reports, including SARs and CTRs, as part of their risk assessment process, noting language in the AML Act stating that BSA filings should be guided by risk-based compliance programs, rather than the opposite. [26 ] Commenters also argued that even the idea of making the risk assessment process serve as the basis of the AML/CFT program would be too prescriptive and not correspond to the various ways financial institutions incorporate these assessments into their programs. Finally, commenters objected to the description of a risk assessment process as a singular process that implied a one-time, annual exercise whereas financial institutions conduct numerous and often continuous risk assessments throughout the year.

iii. “Effective, Risk-Based, and Reasonably Designed” AML/CFT Programs

Commenters generally appreciated FinCEN's inclusion of the concept of “effective, risk-based, and reasonably designed” AML/CFT programs, but sought additional guidance on the meaning of these terms. Some commenters requested that FinCEN adopt specific regulatory definitions of these terms, while others requested principles or examples to clarify how FinCEN understands them. Several commenters urged that the final rule clarify that an “effective, risk-based, and reasonably designed” program does not mean one that is “perfect” and completely prevents financial crime.

iv. Other Provisions of the 2024 NPRM

Proposed § 1020.210(c) of the 2024 Program NPRM provided that “[t]he duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN and the appropriate Federal functional regulator,” [27 ] pursuant to the statutory requirement set forth in section 6101 of the AML Act. [28 ] Many commenters discussed this provision. They generally stated that an appropriate interpretation of this provision is critical for many financial institutions since many have AML/CFT staff and operations overseas, and it would be extremely costly and disruptive to require relocation to the United States. Many commenters requested that FinCEN interpret this provision to allow financial institutions to maintain staff and operations in non-U.S. jurisdictions so long as the person with the “duty to establish, maintain, and enforce the AML/CFT program” is located in the United States. Some commenters also requested clarification on how this provision would apply to financial institutions with third-party service providers located outside the United States.

The 2024 Program NPRM also proposed requiring that a financial institution's board or an equivalent governing body approve and provide oversight of AML/CFT programs. [29 ] Commenters generally expressed reservations about the board approval and oversight provision of the NPRM. Some credit union commenters expressed concern that the requirement would impose significant new burdens on boards and noted that many credit union boards are volunteers. Commenters representing Native Tribes were most critical of the board oversight and approval requirement because of the potential impact on Tribal casinos and Tribal Councils. Several of these commenters stated that many Tribal gaming entities are not operated under the authority of a business board. Commenters expressed concern that the proposed rule may require Tribal Councils to approve and provide oversight of the AML/CFT program adopted by the casino, detracting from other responsibilities of the Tribal Council.

v. Effective Date

The 2024 Program NPRM proposed that financial institutions would have six months from the date of issuance of the final rule to comply with its requirements. A large number of commenters reacted negatively to the six-month implementation period in the 2024 Program NPRM, and they were nearly unanimous in requesting additional time. Some commenters asked for at least one year after issuance of the final rule to implement the rule, and other commenters requested two or more years. Some commenters representing larger financial institutions cited the need for additional time to review the final rule, make technological changes or other changes to existing processes, incorporate the AML/CFT Priorities into their risk assessment processes, reallocate resources from lower- to higher-risk areas, and provide training. ( printed page 18708)

III. BSA Modernization

The Secretary has identified BSA reform and modernization as one of Treasury's top priorities. In an April 2025 speech, the Secretary noted that Treasury “will advocate for changes to the AML/CFT framework to truly focus on national security priorities and higher-risk areas and explicitly permit financial institutions to de-prioritize lower risks.” [30 ] Additionally, the Secretary has noted that supervision of AML/CFT programs has too often involved a “zero-tolerance focus on process and documentation and wide latitude for supervisory expectations and judgments that are not always consistent with the law or our national security priorities.” [31 ] The Secretary noted that this proposed rule would ensure that financial institutions' AML/CFT programs are focused “on higher value activities [that] will also better serve our law enforcement and national security objectives.” [32 ]

In June 2025, Treasury identified its guiding principles for BSA reform, recognizing the urgent need to modernize the implementation of the AML/CFT regime in the United States so that it is effective, risk-based, and focused on the greatest threats to financial institutions and national security. [33 ] Treasury's vision of a modernized BSA regulatory and supervisory regime is one where financial institutions:

• comply with AML/CFT laws and regulations;
• are examined for the risk-based and reasonably designed nature of their AML/CFT programs and set of internal policies, procedures, and controls;
• direct more resources to higher-risk areas rather than to lower-risk areas; and
• generate highly useful information for law enforcement and national security agencies in priority areas defined by Treasury. Treasury and FinCEN, in coordination with the Agencies, have taken a number of steps to implement this vision of a modernized BSA regulatory and supervisory regime. In June and July 2025, the Agencies, with FinCEN's concurrence, issued an order permitting banks, as part of their CIP obligations, to collect Taxpayer Identification Number information from a third party rather than from the bank's customer. [34 ] In October 2025, FinCEN and the Agencies issued Frequently Asked Questions to clarify certain SAR obligations to help ensure financial institutions are not needlessly expending resources on efforts that do not provide law enforcement and national security agencies with the critical information they need to detect, combat, and deter criminal activity. [35 ] In February 2026, FinCEN issued an order granting exceptive relief to covered financial institutions from certain requirements under FinCEN's CDD Rule, supporting a more efficient, risk-based approach to customer due diligence and reducing unnecessary regulatory burden without weakening the foundational requirements that protect the U.S. financial system. [36 ]

In addition to advancing the goals of a modernized BSA regulatory and supervisory regime, Treasury and FinCEN have played a leading role in supporting Executive Order (E.O.) 14192, Unleashing Prosperity Through Deregulation. [37 ] The E.O. announced an Administration policy to “significantly reduce the private expenditures required to comply with Federal regulations to secure America's economic prosperity and national security and the highest possible quality of life for each citizen” and “alleviate unnecessary regulatory burdens placed on the American people.” [38 ] Consistent with E.O. 14192, FinCEN is issuing this proposed rule to ensure that financial institutions' AML/CFT programs are appropriately risk-based, such that compliance with their program obligations is focused on the goals of the BSA, including combatting and preventing ML/TF, rather than mere technical compliance. Furthermore, the proposed rule for banks would help ensure that supervisory and enforcement actions related to AML/CFT programs are focused on significant or systemic failures to implement an effective AML/CFT program (i.e., deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program). The proposal would also reflect FinCEN's key role, in accordance with its statutory authority as the administrator of the BSA, in ensuring a consistent and holistic approach to enforcement and supervision of banks' AML/CFT programs that focuses on program effectiveness rather than mere technical compliance. The Agencies have a long history of coordination with FinCEN in exercising its delegated supervisory authority, and FinCEN views this proposed rule as a way to further strengthen that relationship to promote more consistent supervision. FinCEN believes this enhanced coordination in AML/CFT supervision and enforcement will support the goals of E.O. 14192.

Fulfilling the AML Act's goals of BSA modernization and reform is a priority for Treasury and FinCEN, and this proposed rule is a major part of that effort.

IV. Overview of the Proposed Rule

A central objective of Treasury and FinCEN's BSA modernization efforts is to create an AML/CFT supervisory and regulatory regime that is more effective in achieving the purposes of the BSA and promoting better outcomes for law enforcement and national security agencies. [39 ] This proposed rule would further that objective by explicitly defining the requirements for a financial institution to establish and maintain an effective AML/CFT program. It would also adopt into regulations the AML Act's expectation that AML/CFT programs should be risk-based, including ensuring that financial institutions direct more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the financial institution, rather than toward lower-risk customers and activities. [40 ]

As noted in the previous section, the proposed rule would also revise the AML/CFT supervisory and examination process for banks by enhancing FinCEN's role in the supervision and enforcement process. In support of this objective, the proposed rule would establish a mechanism in which ( printed page 18709) FinCEN—as the statutory administrator of the BSA—has an opportunity to review and provide feedback to the Agencies prior to a significant supervisory action. This change will promote consistent approaches to AML/CFT supervision and better outcomes for both banks and the law enforcement and national security agencies that depend upon those financial institutions' critical BSA reporting.

A. Factors Rhat FinCEN Considered Pursuant to Section 6101(b)(2)(B) of the AML Act (31 U.S.C. 5318(h)(2)(B))

Section 6101(b)(2)(B)(ii) of the AML Act (codified at 31 U.S.C. 5318(h)(2)(B)) requires FinCEN to take into account certain factors when prescribing minimum AML/CFT program standards:

(i) Financial institutions are spending private compliance funds for a public and private benefit, including protecting the United States financial system from illicit finance risks.

(ii) The extension of financial services to the underbanked and the facilitation of financial transactions, including remittances, coming from the United States and abroad in ways that simultaneously prevent criminal persons from abusing formal or informal financial services networks are key policy goals of the United States.

(iii) Effective anti-money laundering and countering the financing of terrorism programs safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the financial system and by assisting law enforcement and national security agencies with the identification and prosecution of persons attempting to launder money and undertake other illicit activity through the financial system.

(iv) Anti-money laundering and countering the financing of terrorism programs . . . should be—

(I) reasonably designed to assure and monitor compliance with the requirements of this subchapter and regulations promulgated under this subchapter; and

(II) risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.

FinCEN has considered all of these factors in developing this proposed rule.

First, as required by 31 U.S.C. 5318(h)(2)(B)(i), FinCEN has considered that, through their AML/CFT programs, financial institutions are spending private compliance funds for a public and private benefit. The proposed rule reflects this in several ways—especially in how it endeavors to avoid imposing unnecessary regulatory burdens and ensuring that financial institutions are able to tailor their AML/CFT programs to their risk profiles. In this way, FinCEN seeks to ensure that financial institutions are not required to expend private compliance funds without meaningful benefit to both the public and their own operations.

Second, section 5318(h)(2)(B)(ii) requires FinCEN to consider the extension of financial services to the underbanked and the facilitation of financial transactions, including remittances, while preventing criminal persons from abusing formal or informal financial services networks. Through its emphasis on risk-based AML/CFT programs, the proposed rule seeks to provide financial institutions with the flexibility to serve a broad range of customers and avoid one-size-fits-all approaches to customer risk that can lead to financial institutions declining to provide financial services to entire categories of customers. The proposed rule would help ensure that decisions taken by financial institutions with respect to closing customer accounts are based on legitimate ML/TF risks and informed by relevant facts and circumstances. The proposed rule is intended to mitigate the risks of financial institutions potentially being inappropriately pressured into closing customer accounts by emphasizing the risk-based nature of AML/CFT programs. In doing so, the proposed rule also furthers the objectives of E.O. 14331, Guaranteeing Fair Banking for All Americans, which seeks to combat “politicized or unlawful debanking.” [41 ]

Moreover, by establishing a risk-based AML/CFT program that takes into account a financial institution's specific business activities, the proposed rule will enable financial institutions to avoid debanking customers and extend financial services based on a financial institution's evaluation of the ML/TF risks and the financial institution's ability to manage those risks and customer relationships, among other considerations. This flexibility would allow such financial institutions to respond to changing circumstances and evolving risk profiles, including through the use of emerging technologies that support transparency and preserve privacy, which may deter debanking and enable financial institutions to reach underbanked individuals and facilitate financial transactions that simultaneously prevent criminal persons from abusing formal or informal financial services networks.

The proposed rule would also provide financial institutions with the ability to modernize their AML/CFT programs and to responsibly innovate while still managing ML/TF risks, as the financial services industry continues to innovate over time. Consistent with previous guidance, [42 ] FinCEN encourages financial institutions to manage customer relationships on a case-by-case basis, and the proposed rule would provide financial institutions with the framework to make such evaluations and provide financial services accordingly, without broad de-risking that can result in debanking that may increase the use of financial services that exist outside of the regulated financial system and complicate efforts to detect and deter illicit finance. FinCEN believes that effective AML/CFT programs are an important component in mitigating the effects of de-banking to national security and law enforcement interests.

Third, as stated in 31 U.S.C. 5318(h)(2)(B)(iii), effective AML/CFT programs safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the financial system and by assisting law enforcement and national security agencies with the identification and prosecution of persons attempting to launder money or undertake other illicit activity through the financial system. [43 ] The proposed rule would advance the BSA modernization and reform goals of the AML Act by providing financial institutions and their regulators with clarity about the requirements to have effective AML/CFT programs.

Likewise, 31 U.S.C. 5318(h)(2)(B)(iv)(I) provides that AML/CFT programs should be “reasonably designed to assure and monitor compliance” with the BSA and its implementing regulations and be risk-based. As described in more detail in section IV, the proposed rule advances these objectives by explicitly requiring financial institutions to have effective AML/CFT programs and by describing the minimum components for an AML/CFT program to be effective. Specifically, as part of an effective AML/CFT program, the proposed rule ( printed page 18710) requires that a financial institution establish and maintain a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and FinCEN's regulations.

The internal policies, procedures, and controls requirement in the proposed rule also demonstrates FinCEN's consideration of 31 U.S.C. 5318(h)(2)(B)(iv)(II), which states that AML/CFT programs should be risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with a financial institution's risk profile, rather than toward lower-risk customers and activities. While FinCEN has previously expected financial institutions to adopt risk-based AML/CFT programs, the proposed rule incorporates this directive by explicitly requiring, as part of an institution's risk-based set of internal policies, procedures, and controls, that an institution identify, assess, and document its ML/TF risks through risk assessment processes. These risk assessment processes require a financial institution to evaluate ML/TF risks and review and, as appropriate, incorporate the AML/CFT Priorities, with updates to risk assessment processes promptly upon any change that the financial institution knows or has reason to know significantly changes the financial institution's ML/TF risks. These risk assessment processes are designed to help financial institutions mitigate ML/TF risks and ensure that they are allocating resources commensurate with their documented ML/TF risks, directing more attention and resources toward higher-risk customers rather than toward lower-risk customers and activities.

B. Proposed Rule

As noted above, the proposed rule would require financial institutions to establish and maintain effective AML/CFT programs and define the requirements for doing so. In order for an AML/CFT program to be effective, the proposed rule would require a financial institution to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program.

As described in more detail in section V.D., a financial institution would be required to establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR chapter X. The risk-based set of internal policies, procedures, and controls must also be reasonably designed to: (1) identify, assess, and document the financial institution's ML/TF risks through risk assessment processes that evaluate the risks of the institution's business activities, review and, as appropriate, incorporate the AML/CFT Priorities, and are updated promptly upon any change that the financial institution knows or has reason to know significantly changes the institution's ML/TF risks; (2) mitigate the financial institution's ML/TF risks, consistent with the financial institution's risk assessment processes; and, for certain financial institutions, (3) conduct ongoing customer due diligence.

The proposed rule would also require a financial institution to establish an ongoing employee training program and independent AML/CFT program testing as part of its AML/CFT program. Finally, the proposed rule would require a financial institution to designate an individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; that individual would be required to be located in the United States and accessible to, and subject to oversight and supervision by, FinCEN and its designee, including the appropriate Federal functional regulator.

Under the proposed rule, in addition to establishing an AML/CFT program, the financial institution would be required to maintain that program by implementing, in all material respects, its established AML/CFT program. By structuring the requirement to have an effective AML/CFT program as distinct obligations to establish and maintain (via implementation) an AML/CFT program, the proposed rule is intended to clarify and reinforce the distinction between failures to establish an AML/CFT program and failures to implement a properly established program.

The distinction between establishing a program and implementing a program is particularly important under the proposed rule for potential supervisory and enforcement actions. The proposed rule would not limit enforcement or supervisory actions for failures to establish an AML/CFT program. However, with respect to banks, once a bank has properly established an AML/CFT program, the proposed rule would raise the threshold for significant actions based solely on implementation deficiencies so only significant or systemic failures by a bank to implement an effective AML/CFT program (i.e., deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program) would warrant an “AML/CFT enforcement action” or a “significant AML/CFT supervisory action,” as these terms are defined in the proposed rule. In this way, the proposed rule is intended to clarify and reinforce a supervisory and enforcement focus on addressing significant or systemic failures to implement an effective AML/CFT program, rather than on isolated, technical, or immaterial implementation issues. [44 ]

Importantly, under the proposed regulations, having an effective AML/CFT program would be more than a one-time adoption of a risk-based set of internal policies, procedures, and controls. Rather, a financial institution would be required to keep its risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—current as the financial institution's risk profile changes. For example, while a financial institution's risk-based set of internal policies, procedures, and controls may, at one time, have been reasonably designed, they may no longer be reasonably designed given changes to the financial institution's risk profile. Similarly, an effective AML/CFT program would involve more than a one-time creation of an employee training program or initiation of an independent testing mechanism: the financial institution would also be required to keep such aspects of the AML/CFT program current as the financial institution's risk profile changes. Thus, even where a financial institution has previously established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant changes to the institution's risk profile may result in the program no longer meeting the program establishment requirements, and the financial institution may accordingly be subject to supervisory or enforcement action for a failure to establish an effective AML/CFT program.

The proposed rule would provide FinCEN with a greater role in the supervisory process with respect to banks and the relevant Agency. To better ensure that bank examiners are performing “risk focused” supervision, the proposed rule would require that the Agencies, when acting under supervisory authority delegated by FinCEN, consult with FinCEN prior to taking a significant AML/CFT ( printed page 18711) supervisory action. [45 ] FinCEN would require the Agencies, when acting pursuant to FinCEN's delegated authority, to provide FinCEN written notice at least 30 days prior to taking such an action. FinCEN would have an opportunity to review the action and the underlying information giving rise to it, and the Agencies would be required to consider any input offered by FinCEN concerning the effectiveness of the bank's AML/CFT program. [46 ]

By explicitly defining the requirements for an institution to establish and maintain an effective AML/CFT program, and by standardizing the AML/CFT supervision and enforcement process for banks and the Agencies, the proposed rule is expected to better achieve the purposes of the BSA and lead to better outcomes for financial institutions, law enforcement, and national security agencies. Treasury and FinCEN do not intend, however, for the proposed rule to provide permission for financial institutions to establish “paper programs” that might be interpreted as meeting the proposed rule's technical requirements on their face but do not achieve the desired outcomes of more effectively and efficiently detecting and preventing ML/TF activity. To establish a compliant AML/CFT program under the proposed rule, a financial institution must, among other things, establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR chapter X, including through the adoption of risk assessment processes. A critical element of this requirement is that the financial institution's internal policies, procedures, and controls be “reasonably designed.” For example, if a financial institution's program testing reveals that a new customer type or new activity is high risk, but the financial institution does not take any action to revise the design of its internal policies, procedures, and controls and therefore treats the customer or activity as presenting low risk, then its program should not be considered reasonably designed. Treasury and FinCEN believe that financial institutions know their customer base, businesses, and risks better than their regulators and the government; thus, financial institutions are best positioned to identify and evaluate their ML/TF risks. Financial institutions should therefore, and would under this proposed rule, have significant flexibility and discretion in their decisions and determinations related to risk identification and resource allocation. However, examiners would be expected to assess whether: (1) a financial institution's resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the financial institution knows or should know of resource-related issues involving its internal policies, procedures, and controls that may result in the financial institution failing to implement its AML/CFT program in all material respects and failing to address such issues.

Similarly, Treasury and FinCEN expect a financial institution to be examined for its implementation of the established AML/CFT program in all material respects. Merely designating an individual responsible for establishing and implementing the AML/CFT program, and having that individual establish internal policies, procedures, and controls, an employee training program, and an independent testing program, are not sufficient to satisfy the proposed rule's obligations for a financial institution to have an effective AML/CFT program. Rather, a financial institution would be examined for whether it has implemented, in all material respects, its established AML/CFT program, including whether the financial institution is, in fact, allocating resources as contemplated in its established AML/CFT program, which the proposed rule would require to be consistent with its reasonably designed risk assessment processes. Banks with significant or systemic failures to implement an effective AML/CFT program may be subject to a significant supervisory action or enforcement action, whereas isolated, technical, or immaterial implementation deficiencies would not be cause for such actions.

V. Section-by-Section Analysis

This section-by-section analysis describes the specific proposed changes to the program rules. Section V.A addresses the proposed incorporation of CFT into the program rules. Section V.B discusses the requirements for an “effective” AML/CFT program to comply with the requirements of 31 U.S.C. 5318(h)(1) and the proposed rule. Section V.C explains what it means to “establish,” “maintain,” and “implement” an effective AML/CFT program. Section V.D describes the components of program establishment, including: (1) internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the appropriate Federal functional regulator, responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training. Section V.E discusses the requirements that the AML/CFT program be written, accessible, and approved by financial institution leadership. Section V.F addresses the supervision and enforcement section of the proposed rule for banks, and Section V.G describes several technical changes that the proposal makes to existing AML program rules.

A. Inserting the Term “CFT” Into the AML Program Rules

Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference “countering the financing of terrorism” [47 ] in addition to “anti-money laundering” when describing the requirement to establish an AML/CFT program. FinCEN proposes to update its regulations in 31 CFR chapter X to reflect this new statutory language. For example, the proposed rule would change the title of 31 CFR 1020.210 from “Anti-money laundering program requirements for banks” to “Anti-money laundering/countering the financing of terrorism program requirements for banks.” Similar changes would apply to the titles of the other program rules in chapter X.

The inclusion of “CFT” in the program rules would not create new obligations for financial institutions, insofar as the USA PATRIOT Act already requires them to account for risks related to terrorist financing. Accordingly, FinCEN expects any changes to existing AML/CFT programs from the amendments described in this subsection to be technical and therefore not have any substantive impact on financial institutions' BSA compliance obligations.

B. An “Effective” AML/CFT Program

As discussed above in section IV.A, in prescribing the minimum standards for ( printed page 18712) an AML/CFT program and in supervising and examining compliance with those standards, the AML Act requires the Secretary and the appropriate Federal functional regulator to take into account that effective AML/CFT programs safeguard national security and help law enforcement prevent the flow of illicit funds in the financial system. [48 ] Further, the AML Act instructs FinCEN to focus on achieving effective outcomes rather than dictating the processes used to reach those outcomes, an orientation reflected in the proposed rule. Consistent with FinCEN and the Agencies' longstanding expectations regarding what effective outcomes entail, FinCEN believes that, as a practical matter, it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through the institution. [49 ] Similarly, a financial institution's AML/CFT program can be effective without preventing every minor instance of a financial institution falling prey to illicit finance misuse. Accordingly, the proposed rule would set out that an AML/CFT program is “effective” and complies with the requirements of 31 U.S.C. 5318(h)(1) so long as it is established and maintained in accordance with applicable requirements.

As noted in section II.B and section II.C, FinCEN has introduced the concept of an “effective” AML/CFT program in prior rulemakings, and the public has provided valuable feedback on this concept. For example, the Effectiveness ANPRM considered proposing a definition of an effective and reasonably designed program as one that: (1) identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity—including terrorist financing, money laundering, and other related financial crimes—consistent with both the institution's risk profile and the risks communicated by relevant government authorities as national AML priorities; (2) assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and (3) provides information with a high degree of usefulness to government authorities consistent with both the institution's risk assessment and the risks communicated by relevant government authorities as national AML priorities. [50 ]

The proposed rule would provide that a financial institution has an “effective” program if it (1) is established in accordance with the proposed rule's establishment requirements; and (2) is maintained, meaning that a properly established program is implemented in all material respects.

One of the AML Act's key purposes is to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and financing of terrorism.” [51 ] Consistent with this purpose and pursuant to the Executive order on Removing Barriers to American Leadership in Artificial Intelligence, the Winning the Race America's AI Action Plan, and the Executive order on Ensuring a National Policy Framework for Artificial Intelligence, Treasury has undertaken various efforts to research, promote, and take actions that reflect its commitment to the role of innovation as part of a modernized AML/CFT framework. [52 ]

Treasury has highlighted the potential for innovative technologies to strengthen AML/CFT programs in various strategies and public engagements. The 2024 National Illicit Finance Strategy highlighted how innovative technologies like machine learning and large language models have potential to strengthen financial institutions' AML/CFT programs, enabling financial institutions to more rapidly and effectively analyze data to identify patterns, risks, trends, and typologies. [53 ] In addition to discussion of specific types of and applications for technology, Treasury has expressed broad support for exploring areas where AI, blockchain analysis, digital identity, and other tools can produce a more efficient and more effective AML/CFT framework. [54 ]

FinCEN encourages financial institutions to evaluate whether new technology or innovative approaches might help to more effectively combat financial crime. Innovative approaches could involve machine learning, generative artificial intelligence (GenAI), digital identity, blockchain monitoring and analytics, or application programming interfaces (APIs). These technologies may be especially useful in countering illicit finance activity involving digital assets, an effort for which FinCEN supports financial institutions' responsible use of novel models, techniques, or strategies. To that end, FinCEN encourages financial institutions to review the White House report on Strengthening American Leadership in Digital Financial Technology as well as Treasury's report on Innovative Technologies to Counter Illicit Finance Involving Digital Assets. [55 ] This report explores how financial institutions can employ innovative and novel methods to detect and stop financial crime involving digital assets, and encourages the responsible use of novel tools and techniques that can improve the effectiveness of the U.S. AML/CFT regime.

FinCEN recognizes that adopting new technologies for BSA compliance may not be suitable for every financial institution, particularly smaller ones, and the proposed rule therefore does not reference or require the use of any particular technology. A financial institution may find it beneficial to consider whether its AML/CFT program appropriately uses the financial institution's existing resources, including technology and data. However, building on longstanding guidance, FinCEN encourages institutions to engage in responsible AML/CFT innovation. [56 ] Institutions that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely ( printed page 18713) based on the use of innovative technologies. To the contrary, FinCEN recognizes that fostering the use of innovative technologies is vital to improving financial crime compliance and fighting illicit finance and strongly encourages their responsible use.

In addition to new technology, FinCEN is aware of concerns surrounding model risk management at financial institutions. FinCEN has considered comments submitted in response to the 2021 Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements (RFI). [57 ] FinCEN received comments including concerns that supervisors may expect financial institutions to apply the Supervisory Guidance on Model Risk Management (MRMG) to AML/CFT and OFAC-related policies, procedures, and controls. [58 ]

While FinCEN has not issued or been party to any prior MRMG guidance, FinCEN shares certain concerns articulated in the comments to the RFI that these models, which are designed to assess different types of risks with different information input, processing, and reporting components may be overly burdensome and ill-fitted to address illicit finance risks. FinCEN welcomes comment on this position and intends to work with the Agencies to address these concerns.

C. Establishing and Maintaining an AML/CFT Program

The requirement that financial institutions establish and maintain an AML/CFT program is not new, although over time various formulations of this requirement have developed in statutes and regulations. [59 ] The proposed rule would set out uniform terms for an AML/CFT program across FinCEN's regulations for all types of financial institutions regulated under the BSA and delineate the requirements that must be met for financial institutions to have an effective AML/CFT program. That is, the proposed rule would create a two-pronged framework under which a financial institution's AML/CFT program would be deemed to be effective if the financial institution establishes and maintains their program. Under the proposed rule, a financial institution maintains its properly established AML/CFT program by implementing it in all material respects.

1. Proposed 31 CFR 10XX.210(b) —Establishing Versus Maintaining an AML/CFT Program

For a financial institution to have an effective AML/CFT program, the proposed 31 CFR 10XX.210(b) (“ 31 CFR 10XX ” refers to proposed changes to the AML program rules of all eleven financial institution types) would require a financial institution to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program. The proposed rule describes the requirements for a financial institution to establish and maintain an effective AML/CFT program that complies with the requirements of 31 U.S.C. 5318(h)(1). The AML/CFT program minimum components constituting program establishment, and described in further detail in section V.D below, are: (1) internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the Agencies, responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training. “Establishing” an AML/CFT program involves designing an AML/CFT program that incorporates all of the required components. “Implementation,” by contrast, addresses whether the financial institution is executing that program in practice. This distinction matters, particularly for banks, because proposed 31 CFR 1020.221(b) ties the availability of AML/CFT enforcement and significant supervisory actions based on the program rule for an established bank program to a significant or systemic failure to implement an effective AML/CFT program. The distinction between establishing and implementing an AML/CFT program is intended to make transparent how the individual elements of 31 CFR 1020.210 work together to satisfy 31 U.S.C. 5318(h)(1).

The concepts of program establishment and program maintenance are closely related to the supervision and enforcement provisions of the proposed program rule for banks. In particular, as explained in more detail in section V.F, a bank that has properly established an AML/CFT program (i.e., satisfied the proposed rule's requirements regarding establishment) will not be subject to an AML/CFT enforcement action or a significant supervisory action based on the program rule except with respect to a significant or systemic failure to implement an effective AML/CFT program (i.e., a failure to implement, in all material respects, a properly established AML/CFT program). [60 ]

Separating program establishment from program maintenance therefore provides needed clarity regarding whether a supervisory concern relates to deficiencies stemming from the program's design, on the one hand, or failures in the program's operation, on the other. This two-prong framework would help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design—the remediation of which would likely be different in kind—with criticisms of day-to-day implementation. The proposed distinction does not change the substantive obligations of 31 U.S.C. 5318(h)(1); rather, it clarifies how those obligations map onto the two statutory requirements at the core of section 5318(h)(1): having a risk-based and reasonably designed program and adhering to it in operation.

As noted previously, FinCEN intends for the requirements of this proposed rule to not be limited to a one-time adoption of the elements required for program establishment, such as internal policies, procedures, and controls. Rather, FinCEN intends a financial ( printed page 18714) institution's establishment of its AML/CFT program to require the financial institution's risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—to remain current as the financial institution's risk profile changes. For example, if a financial institution begins providing a new product or service—or changes how it provides an existing product or services, such as operating in a new geographic location—under this proposed rule, a financial institution would need to incorporate its new product or service as part of its risk assessment processes. The proposed rule would require a financial institution to make a risk determination and, as appropriate, redesign its internal policies, procedures, and controls to account for the risks that it did not previously encounter prior to offering the new product or service, or operating in the new geographic location. Thus, under the proposed rule, even where a financial institution has previously established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant changes in the institution's risk profile may result in the program no longer satisfying the proposed rule's requirements regarding establishment.

2. Proposed 31 CFR 10XX.210(c) —Implementation of an AML/CFT Program

Once a financial institution has properly “established” an AML/CFT program, the institution must “maintain” the program by implementing it, in all material respects. Minor deficiencies of an AML/CFT program would not necessarily mean that a financial institution has failed to implement the program.

Although there are a variety of ways that a financial institution may not be implementing its program “in all material respects,” in FinCEN's experience, commonly observed examples may include, but would not be limited to: (1) internal policies, procedures, and controls are not being performed or not being performed on a consistent, regular, and timely basis (e.g., consistently ignored warnings or red flags that a program was seriously deficient) due to the nature or extent of required resources becoming inadequate; (2) gaps in the risk assessment processes that result in the financial institution's program missing or inadequately covering higher ML/TF risks (e.g., systems used to monitor for potentially suspicious activity failing to capture material volumes or types of transactions); or (3) deficiencies or weaknesses in the risk assessment processes that have a material impact on the financial institution's mitigation of ML/TF risks through its internal policies, procedures, and controls, including due to data-related issues involving relevant processes and systems.

Similarly, FinCEN expects that a financial institution could become aware of such implementation-related concerns through a variety of mechanisms, including, but not limited to: (1) independent testing of the AML/CFT program; (2) examiner observations, suggestions, or other informal comments about the AML/CFT program from FinCEN (or its designee, such as a Federal functional regulator); (3) management information systems and related reports or other outputs (e.g., key performance indicators or key risk indicators, such as monitoring for potentially material backlogs in relevant AML/CFT processes); and (4) issues identified by personnel involved in the operation of the financial institution's AML/CFT program. A bank that fails to reasonably address such warnings that its program is not being implemented would be at risk of being subject to a significant AML/CFT supervisory action, an AML/CFT enforcement action, or both.

D. Program Establishment

As noted earlier, pursuant to 31 U.S.C. 5318(h), the AML/CFT program requirements for financial institutions must have certain minimum elements comprised of: (1) internal policies, procedures, and controls; (2) an independent audit function to test programs; (3) a designated compliance officer; (4) an ongoing employee training program; and (5) other components, depending on the type of financial institution. The majority of the proposed rule's AML/CFT program components are substantially similar to the existing statutory and regulatory requirements for financial institutions. However, FinCEN is proposing certain additions and modifications to modernize and strengthen financial institutions' AML/CFT programs to enable financial institutions to better mitigate illicit finance risks.

1. Proposed 31 CFR 10XX.210(b)(1) —Internal Policies, Procedures, and Controls

The BSA requires financial institutions to develop “internal policies, procedures, and controls” as part of their AML/CFT programs. [61 ] Existing AML program rules already impose internal policies, procedures, and controls requirements to ensure compliance, but with differing formulations. The proposed rule would standardize these requirements for financial institutions required to comply with FinCEN's program rules to establish a risk-based set of internal policies, procedures, and controls in their AML/CFT programs.

Proposed 31 CFR 10XX.210(b)(1) provides that a financial institution's risk-based set of internal policies, procedures, and controls must be reasonably designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent with the risk assessment processes, including by allocating more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities; and, for certain financial institutions (3) conduct ongoing CDD. The preamble addresses each of these features below.

Under this proposal, a financial institution's risk-based set of internal policies, procedures, and controls should be based upon, informed by, and consistent with the financial institution's risk assessment processes. The level of sophistication of the internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity of the financial institution.

The requirement that a financial institution's risk-based set of internal policies, procedures, and controls be “reasonably designed” gives financial institutions flexibility in how they achieve compliance with the BSA and the proposed rule's other requirements. As part of having risk-based set of internal policies, procedures, and controls reasonably designed to ensure compliance with the BSA and FinCEN's regulations, financial institutions may choose to responsibly adopt new technologies or innovative approaches to comply with BSA requirements. Consistent with this purpose, FinCEN encourages financial institutions to evaluate whether new technology or innovative approaches in other resources might help to more effectively combat financial crime. Innovative approaches could involve machine learning, GenAI, digital identity, blockchain monitoring and analytics, or APIs. These technologies may be especially useful in countering illicit finance activity involving digital assets, an effort for which FinCEN supports the responsible use of novel models, techniques, or strategies. ( printed page 18715)

i. Proposed 31 CFR 10XX.210(b)(1)(i) —Risk Assessment Processes

FinCEN is proposing in 31 CFR 10XX.210(b)(1)(i) that, as part of a financial institution's risk-based set of internal policies, procedures, and controls, the financial institution establish and maintain risk assessment processes to: (1) evaluate the ML/TF risks of the financial institution's business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT Priorities; and (3) be updated promptly upon any change that the financial institution knows or has reason to know significantly changes the institution's ML/TF risks.

While it is common practice among many financial institutions to maintain a risk assessment process or processes, the requirement that financial institutions have risk assessment processes when developing their AML/CFT programs is not stated in a uniform manner for all financial institutions under the current AML program rules. Under some program rules, certain financial institutions—such as insurance companies and loan and finance companies—are explicitly required to “[i]ncorporate policies, procedures, and internal controls based upon . . . [an] assessment of the . . . risks associated with its products and services.” [62 ] Under other program rules, some financial institutions—such as casinos and MSBs—must develop internal policies, procedures, and controls, and independent testing “commensurate with the risks” posed by their products. [63 ] This latter requirement implicitly requires risk assessment processes, as an institution cannot develop a risk-based set of internal policies, procedures, and controls without first identifying the institution's risks by way of some process. Thus, the proposed rule would standardize the requirement for risk assessment processes across different types of financial institutions subject to program rules, thereby clarifying existing expectations and practices.

Importantly, the proposed rule requires, as part of a financial institution's risk-based set of internal policies, procedures and controls, that it identify, assess, and document its ML/TF risks using risk assessment processes. FinCEN understands that many financial institutions currently maintain a single, or standalone, risk assessment process either voluntarily or as required or expected by Federal regulators. This risk assessment process, generally conducted on an annual basis, results in a documented ML/TF risk assessment. While such a risk assessment process may be appropriate under the proposal, the use of the term “risk assessment processes” is intended to reflect that a financial institution may rely on multiple processes—applied as appropriate within its AML/CFT program—to identify, assess, and document its ML/TF risks and will be examined based on the totality of these processes rather than the sufficiency of a single, standalone risk assessment process.

FinCEN believes financial institutions are best positioned to identify and evaluate their ML/TF risks and is therefore not prescribing any particular risk assessment processes or methodologies other than the critical elements described in this proposed rule. Under the proposed rule, financial institutions will be examined for whether they have established and implemented, in all material respects, reasonably designed risk assessment processes—which need not be in the form of a singular risk assessment process. Furthermore, as discussed further below, FinCEN is not prescribing any particular timeframe for institutions to update their risk assessment processes.

The explicit requirement to have risk assessment processes will be new for banks, casinos, MSBs, broker-dealers, mutual funds, and FCMs and IBCs. [64 ]

a. Proposed 31 CFR 10XX.210(b)(1)(i)(A) —ML/TF Risks

Proposed 31 CFR 10XX.210(b)(1)(i)(A) would require a financial institution's risk assessment processes to evaluate the ML/TF risks of its business activities, including products, services, distribution channels, customers, and geographic locations. These factors are generally well known and often incorporated into current risk assessment processes of some financial institutions. FinCEN considers “distribution channels” to refer to the methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through remote or other non-face-to-face means.

Financial institutions may use a variety of sources to inform their risk assessment processes. Such sources may include information obtained from other financial institutions, such as emerging risks and typologies identified through section 314(b) information sharing or payment transactions that other financial institutions returned or flagged due to ML/TF risks. [65 ] Information a financial institution generates or maintains could be another source. Such internal information may include, for example, customer internet protocol (IP) addresses or device logins and related geolocation information.

Feedback from FinCEN, law enforcement, and financial regulators may also inform risk assessment processes. For example, if a financial institution receives feedback from law enforcement about a report it has filed or potential risks at the financial institution, the financial institution may incorporate that information into its risk assessment processes. Similarly, a financial institution may consider information identified from responding to section 314(a) requests.

In addition to feedback, reports, and analyses published by Treasury and FinCEN, the Federal functional regulators, or self-regulatory organizations (SROs) may be particularly relevant to a financial institution's business activities, thereby warranting consideration when evaluating ML/TF risks. Treasury describes changes in the illicit finance risk environment in its biennial National Money Laundering Risk Assessment, National Terrorist Financing Risk Assessment, and National Proliferation Financing Risk Assessment, which highlight significant illicit finance threats, vulnerabilities, and risks. [66 ] FinCEN also publishes advisories and analyses on emerging risks and typologies, including Financial Trend Analyses issued pursuant to section 6206 of the AML Act. These reports contain threat pattern and trend information derived from BSA filings and may help inform financial institutions' understanding of ( printed page 18716) risks associated with different threats and vulnerabilities as they evolve. [67 ] Regardless of the source, financial institutions should take measures in their risk assessment processes to ensure this information is reasonably current, complete, and accurate.

b. Proposed 31 CFR 10XX.210(b)(1)(i)(B) —AML/CFT Priorities

Proposed 31 CFR 10XX.210(b)(1)(i)(B) would require financial institutions to review and incorporate the AML/CFT Priorities. The AML/CFT Priorities set out the priorities for the U.S. government's AML/CFT policy as required by the AML Act and are designed to ensure that financial institutions' AML/CFT programs are aligned with those priorities. Recognizing the diverse nature of ML/TF threats facing the U.S. financial system and national security, and that financial institution AML/CFT programs benefit U.S. national security by safeguarding the financial system from ML/TF risks, the AML/CFT Priorities are intended to ensure that financial institutions are focusing on the greatest threats to U.S. national security, as defined by Treasury.

Section 6101 of the AML Act requires that a financial institution's review and appropriate incorporation of the AML/CFT Priorities into its AML/CFT program be subject to supervision and examination for compliance with the BSA and other AML/CFT laws and regulations. [68 ] FinCEN is implementing this statutory requirement by proposing that, as part of their risk assessment processes, financial institutions must review and, as appropriate, incorporate the AML/CFT Priorities. The inclusion of the AML/CFT Priorities in risk assessment processes is meant to help ensure that financial institutions understand their exposure to risks in areas that are of particular importance nationally, which may help financial institutions develop risk-based and reasonably designed AML/CFT programs.

FinCEN understands that the AML/CFT Priorities may not always be applicable to a financial institution's risk profile and activities. Therefore, FinCEN requires the incorporation of the AML/CFT Priorities in financial institution's risk assessment processes as appropriate. This means that, having reviewed the AML/CFT Priorities, a financial institution may determine the extent to which a particular priority is applicable and whether and how a particular AML/CFT Priority should be incorporated into its risk assessment processes.

Further, a financial institution may use its judgment and apply a reasonable, risk-based determination on whether to focus on a specific aspect of an AML/CFT Priority (e.g., cyber-enabled fraud), rather than addressing all aspects of a AML/CFT Priority that may either not be applicable (e.g., digital assets cybercrime for a financial institution that does not offer any digital asset products or services, or have any digital asset customers) or pose lower risks to the financial institution (e.g., proliferation financing risks for a financial institution with no cross-border operations, customers, transactions, or activities). However, FinCEN cautions that a surface-level, perfunctory review of an AML/CFT Priority by a financial institution and the foreseeable ways in which it may manifest itself within the financial institution's customers, products and services, geographies, and distribution channels would not satisfy this requirement. For example, patterns of transactions that may be consistent with potential structuring should not automatically be dismissed as lower value to law enforcement and untethered to an AML/CFT Priority without determining whether there is a potential connection to various types of other illicit finance activity (e.g., structuring or similar patterns involving transactions in narcotics trafficking proceeds).

Under the AML Act, FinCEN is required to update the AML/CFT Priorities not less than once every four years. [69 ] Whenever the AML/CFT Priorities are updated, financial institutions would no longer be required to incorporate prior versions of the AML/CFT Priorities. Financial institutions would only be required to incorporate the most recent AML/CFT Priorities into their risk assessment processes.

FinCEN anticipates that some financial institutions may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities but instead have greater exposure to other ML/TF risks not addressed in the AML/CFT Priorities. Additionally, some financial institutions' risk assessment processes may determine that their AML/CFT programs already sufficiently take into account some, or all, of the AML/CFT Priorities. In either case, any changes to financial institutions' AML/CFT programs, such as internal policies, procedures, or controls, would be based on the results of risk assessment processes and their impact on the AML/CFT program, including how to review and, as appropriate, incorporate the AML/CFT Priorities before making these determinations.

FinCEN recognizes that some AML/CFT Priorities describe threats at a high level, or at a point in time, and that financial institutions may lack the context or information necessary on which specific threats, or what time frames, to consider or focus on when conducting their risk assessments. For instance, the AML/CFT Priorities that FinCEN issued in June 2021 describes “fraud” as one of the eight priorities and discusses specific examples of fraud that were especially salient in 2021. However, the government's priorities may have changed since the publication of the AML/CFT Priorities due to emergent ML/TF typologies (e.g., sanctions evasions by Russian oligarchs) or ML/TF threats (e.g., pig butchering) not addressed specifically in the AML/CFT Priorities. For example, FinCEN's support to Treasury's efforts to combat rampant government benefits fraud is just one example of how the government's focus on specific types of fraud evolves over time. [70 ] This type of fraud may not have been a concern for a financial institution in prior risk assessment processes, but a financial institution may decide to conduct and apply risk assessment processes to identify whether such a risk is significant for a financial institution, and that determination may necessitate changes to a financial institution's AML/CFT program.

To assist financial institutions with their risk assessment processes, and to better identify activity related to the AML/CFT Priorities, FinCEN issues products under its Financial Institution Advisory Program (Advisory Program). [71 ] FinCEN's Advisory Program communicates priority ML/TF threats and vulnerabilities to the U.S. financial system. Financial institutions may use this information to support effective, risk-based, and reasonably designed AML/CFT programs and suspicious activity monitoring systems to help generate highly useful information for ( printed page 18717) law enforcement and national security agencies.

Relatedly, since 2021, FinCEN has published Financial Trends Analyses (FTA) highlighting threat pattern and trend information derived from BSA data on additional fraud-related topics, including an FTA on fraud schemes targeting digital identities, mail theft-related check fraud, and elder financial exploitation. [72 ] More recently, FinCEN issued an Alert on Fraud Rings and their Exploitation of Federal Child Nutrition programs in Minnesota given the rampant financial fraud and improper payments in Minnesota. [73 ] As noted in the alert, ongoing investigations into fraudsters in Minnesota by the U.S. Department of Justice have identified potentially billions of dollars stolen from the Federal child nutrition programs and other Federal and State government benefits programs, including Medicaid.

FinCEN requests comment from the public on whether additional guidance related to the consideration of the AML/CFT Priorities as part of an institution's risk assessment processes would be warranted.

c. Proposed 31 CFR 10XX.210(b)(1)(i)(C) —Updates to Risk Assessment Processes

Proposed 31 CFR 10XX.210(b)(1)(i)(C) would require financial institutions to update their risk assessment processes promptly upon any change that the financial institution knows or has reason to know significantly changes their ML/TF risk profiles. For example, a financial institution may need to update its risk assessment when new products, services, and customer types are introduced; if existing products, services, and customer types undergo significant changes; when the financial institution adopts new risk mitigation technology; or if the financial institution as a whole expands or contracts through mergers, acquisitions, divestitures, dissolutions, and liquidations. Financial institutions may also need to update their risk assessment processes based on factors external to their operations that they know or have reason to know significantly change their ML/TF risk profiles. FinCEN welcomes comments on whether it should further clarify when financial institutions must review or update their risk assessment processes.

ii. Proposed 31 CFR 10XX.210(b)(1)(ii) —Mitigate ML/TF Risks Through Risk-Based Allocation of Attention and Resources

Section 6101(b) of the AML Act states that the AML/CFT programs of financial institutions should be “risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” [74 ] Proposed 31 CFR 10XX.210(b)(1)(ii) would adopt this formulation as part of a financial institution's obligation to establish a risk-based set of internal policies, procedures, and controls. Under the proposed rule, a financial institution's efforts to mitigate its ML/TF risks would involve “directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the [financial institution], rather than toward lower-risk customers and activities.”

FinCEN views risk-based allocation of resources as a critical step in realizing the AML Act's BSA modernization and reform ambitions, and an important departure from the status quo of AML/CFT compliance and supervision. The proposed rule envisions financial institutions exercising more flexibility in deploying attention and resources in accordance with the proposed rule without fear of supervisory criticism or action from examiners for directing more attention and resources on higher risk customers and activities rather than toward lower risk customers and activities.

The goal of risk-based resource allocation is for financial institutions to spend less time, energy, and resources on lower priority activities that may result in fewer resources devoted to, and potentially distract from, more serious threats. The proposed rule would thus enable financial institutions to focus more on higher risk customers and activities, which FinCEN has determined should result in financial institutions being more effective at detecting, reporting, and preventing the flow of illicit funds and providing law enforcement with more valuable BSA reporting.

As noted above, Treasury and FinCEN believe that financial institutions are best positioned to identify and evaluate their ML/TF risks and to make decisions related to risk identification and resource allocation in accordance with risk identification. The proposed rule, therefore, does not contemplate regulatory second-guessing of a financial institution's reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks. However, while Treasury and FinCEN do not believe that an examiner should substitute his or her own subjective judgment in place of the financial institution, examiners will be expected to assess whether: (1) a financial institution's resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the financial institution knows or should know of resource-related issues involving its internal policies, procedures, and controls and other mandatory elements that may result in the financial institution failing to implement its AML/CFT program in all material respects and failing to address such issues.

iii. Proposed 31 CFR 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii) —Conduct Ongoing Customer Due Diligence

The existing program rules for certain financial institutions, referred to here as covered financial institutions, contain CDD requirements that have commonly been referred to as the “fifth pillar” of AML program rules for those types of financial institutions. [75 ] Under these requirements, covered financial institutions must establish and maintain a written AML program that includes: “appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”

Proposed 31 CFR 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii) would retain these ongoing CDD obligations without alteration but would make them part of the requirement that covered financial institutions establish a risk-based set of internal policies, procedures, and controls that is reasonably designed. ( printed page 18718) FinCEN proposes this organizational change because the activities required by the CDD pillar are, in practice, subsumed by the obligation for a covered financial institution to have a risk-based set of internal policies, procedures, and controls that is reasonably designed. The organizational change more accurately reflects how covered financial institutions operationalize such ongoing customer due diligence as part of their overall AML programs. This organizational change, however, is not intended to have any substantive effect on existing obligations under 31 CFR 1010.230.

iv. Application to Community Banks

FinCEN recognizes that financial institutions vary significantly in size, structure, complexity, and risk profile. Under the proposed rule, the level of sophistication of a financial institution's internal policies, procedures, and controls—including its risk assessment processes—should be commensurate with the financial institution's size, structure, risk profile, and complexity. Accordingly, financial institutions with broader product offerings, more complex corporate structures, or greater exposure to higher-risk customers, products, services, or geographic locations would be expected to establish correspondingly more formalized or analytically complex internal policies, procedures, and controls—including risk assessment processes. By contrast, many community banks operate with more limited business activities, traditional lending and deposit services, a narrower geographic footprint, and customer bases concentrated within defined local communities. For such banks, risk assessment processes may appropriately be more streamlined or qualitative in nature, and a risk-based set of internal policies, procedures, and controls that is reasonably designed for a large, complex financial organization would not necessarily be required or appropriate for a community bank with a more limited risk profile.

The proposed rule does not prescribe any specific methodology for identifying, assessing, and documenting ML/TF risks. Community banks may use risk assessment processes that are tailored to their business model and operational scale, including processes that rely on direct knowledge of products, services, customers, and geographic locations rather than highly parameterized or model-driven approaches. Many community banks maintain longstanding customer relationships and operate within defined local markets, which may provide bank personnel with meaningful information relevant to identifying, assessing, and mitigating ML/TF risks. Familiarity with local businesses, direct interaction between bank staff and customers, and an understanding of ordinary patterns of activity within the bank's community may appropriately inform the bank's risk assessment processes and the design of reasonably designed internal policies, procedures, and controls. While such characteristics do not reduce a community bank's obligation to establish and maintain an effective AML/CFT program in accordance with the proposed rule, they may influence how a community bank documents its ML/TF risks and allocates attention and resources consistent with those risks.

Further, under the proposed rule's requirement that a financial institution review and, as appropriate, incorporate the AML/CFT Priorities, a community bank may determine, based on its risk assessment processes, that certain AML/CFT Priorities may not be applicable to its business activities. In such cases, the community bank would not be required to allocate attention or resources to risks for which it has no identified exposure. Rather, the bank would be expected to direct its attention and resources in a manner consistent with its documented ML/TF risks.

2. Proposed 31 CFR 10XX.210(b)(2) —Independent Testing

The AML Act did not change the BSA requirement that each financial institution include “an independent audit function to test programs,” [76 ] which is already reflected in AML/CFT program rule requirements, [77 ] and proposed 31 CFR 10XX.210(b)(2). The purpose of independent testing is to assess the financial institution's compliance with AML/CFT statutory and regulatory requirements, relative to its risk profile. The independent AML/CFT program testing should be focused on whether the AML/CFT program is effective, and it should identify issues and areas for remediation accordingly. Similar to the expectations outlined above for examiners, Treasury and FinCEN do not believe that an auditor should substitute his or her own subjective judgment in place of the financial institution. To support the effective implementation of an AML/CFT program, independent testing should be based on objective criteria designed to assess whether a financial institution has established and maintained an effective AML/CFT program and allocated resources consistent with its risk assessment processes. These criteria should also assess whether related program governance is sufficient to manage risks and apply compensating controls where necessary, particularly in areas where remediation is underway. This evaluation helps to inform the financial institution's senior management of weaknesses or areas in need of enhancement or stronger controls. Typically, this evaluation includes a conclusion about the financial institution's overall compliance with AML/CFT statutory and regulatory requirements and sufficient information for the reviewer (e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about whether the risk-based set of internal policies, procedures, and controls is reasonably designed and resources are well-allocated consistent with the institution's risk assessment processes.

Additionally, while financial institutions retain some flexibility regarding who conducts the audit or testing, the proposed rule would continue to require that testing be independent. Financial institutions that do not employ outside auditors or consultants or that do not have internal audit departments may comply with this requirement by using internal staff who are not involved in the function being tested. For these financial institutions and financial institutions with other types of arrangements for independent testing, the AML/CFT officer or any party who directly, and in some cases, indirectly reports to the AML/CFT officer, or an equivalent role, would generally not be considered sufficiently independent. [78 ] Any ( printed page 18719) individual conducting the testing, whether internal or external, would be required to be independent of other parts of the financial institution's AML/CFT program, including its oversight. For financial institutions that engage outside auditors or consultants, the financial institution would be required to ensure that the outside parties conducting the independent testing are not involved in functions related to the AML/CFT program at the financial institution that may present a conflict of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures, and controls. Additionally, for the purposes of the independent testing component, outside parties would not include government agencies, entities, or instrumentalities, such as a financial institution's Federal or State functional regulators. Financial institutions with less complex operations, and lower risk profiles may consider utilizing a shared resource as part of a collaborative arrangement to conduct testing, as long as the testing is independent. [79 ]

While all financial institutions are required under existing regulations to establish independent testing, FinCEN is standardizing this requirement across all financial institution types. For example, the current rules for broker-dealers, mutual funds, and FCMs and IBCs require outside parties conducting the independent testing to be qualified; [80 ] however, FinCEN does not find it necessary to add this “qualified” description as it does not establish a new substantive requirement. FinCEN would generally expect, as with the AML/CFT officer component, independent testers to have the expertise and experience necessary to perform such testing effectively, including having sufficient knowledge of the financial institution's risk profile and AML/CFT laws and regulations.

3. Proposed 31 CFR 10XX.210(b)(3) —Designate an AML/CFT Officer Located in the United States

i. Duties of the AML/CFT Officer

The BSA requires that financial institutions with AML/CFT program obligations must have a designated compliance officer. While FinCEN has adopted this obligation—commonly referred to as the BSA/AML officer—in existing guidance and regulations, the program rules use slight variations in the specific language to describe this requirement for different types of financial institutions. The proposed rule provides technical changes to promote clarity and consistency.

As in the current program rules, proposed 31 CFR 10XX.210(b)(3) would provide that an AML/CFT program must designate an individual (referred to as an AML/CFT officer) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations. FinCEN's view is that the individual serving as the AML/CFT officer must be qualified for that role and not overburdened with other responsibilities at the institution.

The proposed rule is not intended to be primarily concerned with the formal title of the individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; instead, the proposed rule focuses on the AML/CFT officer's position in the financial institution's organizational structure that enables the AML/CFT officer to effectively establish and implement the financial institution's AML/CFT program. The AML/CFT officer's authority, independence, and access to resources within the financial institution are critical. An AML/CFT officer should have decision-making capability regarding the AML/CFT program and sufficient functional stature within the organization to ensure that the program meets BSA requirements.

The AML/CFT officer's access to resources may include the following: adequate compliance funds and staffing with the skills and expertise appropriate to the financial institution's risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management of the financial institution's ML/TF risks. An AML/CFT officer with conflicting responsibilities that adversely impact the officer's ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement. The addition of the explicit requirement that the AML/CFT officer be responsible for “establishing and implementing the AML/CFT program” in the proposed rule would make explicit a long-standing supervisory expectation, rather than changing current supervisory or regulatory requirements or expectations.

To promote consistency and reduce redundancy, the proposed rule would remove some examples of what it means to coordinate and monitor day-to-day compliance with AML/CFT requirements that are currently listed in the AML program rules for MSBs; insurance companies; DPMSJs; operators of credit card systems; loan or finance companies; and housing GSEs. [81 ] For example, those AML program rules currently provide that an AML/CFT officer is responsible for updating the financial institution's AML program and ensuring that employees are educated or trained in accordance with the financial institution's AML program training obligation. Removing this type of language in the proposed rule does not indicate that an AML/CFT officer is not responsible for these activities, but rather reflects that such examples in the regulatory text are not necessary, and that each financial institution should decide for itself the specific activities that an AML/CFT officer should undertake to establish, maintain, and implement an AML/CFT program.

Likewise, the proposed rule would remove unnecessary provisions in certain current program rules—those applicable to DPMSJs; operators of credit card systems; loan or finance companies; and housing GSEs—requiring AML/CFT officers to ensure that a financial institution's AML/CFT program is implemented effectively. [82 ] That expectation is embedded in the proposed rule's requirement that AML/CFT officers coordinate and monitor day-to-day compliance.

Similarly, the proposed rule would delete an unnecessary reference from current 31 CFR 1022.210(d)(2)(i). That provision provides that an MSB's AML/CFT officer must ensure that the MSB properly files reports, and creates and retains records, in accordance with the ( printed page 18720) BSA. These activities are and remain part of the AML/CFT officer's duty to monitor and coordinate day-to-day compliance, and thus it is not necessary to separately list them in the rule. This deletion and the removal of the other redundant references will ensure consistent language across program rules.

ii. Proposed 31 CFR 10XX.210(b)(3) —The AML/CFT Officer Must Be Located in the United States and Accessible to Regulators

The AML Act provides that the duty to establish, maintain, and enforce a financial institution's AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator. [83 ] Proposed 31 CFR 10XX.210(b)(3) therefore requires the very same, noting that the designated individual must be accessible to, and subject to oversight and supervision by, FinCEN and its designee. FinCEN's designee, in this instance, includes any agency to which FinCEN has delegated examination authority or the appropriate SRO.

FinCEN recognizes financial institutions may currently have AML/CFT staff and operations outside of the United States, or they may contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States. These arrangements may serve to improve cost efficiencies, to enhance coordination, particularly with respect to cross-border operations, or serve other purposes not in conflict with goals underlying the BSA. Consequently, under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States other than in limited circumstances such as a bank's foreign head office or controlling company. [84 ] FinCEN requests comment on whether any further clarifications on this point would be useful.

4. Proposed 31 CFR 10XX.210(b)(4) —Ongoing Employee Training Program

The BSA requires AML/CFT programs to include an “ongoing employee training program.” [85 ] This statutory requirement is reflected in all current AML program rules, but in different formulations. [86 ] Proposed 31 CFR 10XX.210(b)(4) would eliminate inconsistency in the AML program rules' training requirement by adopting the BSA's “ongoing employee training program” language uniformly. This change is clarifying, not substantive.

FinCEN would generally expect training to cover the financial institution's internal policies, procedures, and controls, which should in turn reflect the results of the financial institution's risk assessment processes, the latest AML/CFT regulatory requirements, and other relevant information. The frequency with which the training would occur, and the content of the training, would depend on the financial institution's ML/TF risk profile and the roles and responsibilities of the persons receiving the training. FinCEN welcomes comment on whether any further clarifications of the proposed training requirement are needed. FinCEN recognizes that financial institutions may have employees and non-employees who may have a variety of roles and responsibilities in relation to the AML/CFT program. The risk-based nature of an AML/CFT program provides flexibility for financial institutions to identify both employees and non-employees who must be trained on an ongoing basis.

E. Access to and Approval of a Written AML/CFT Program

1. Proposed 31 CFR 10XX.210(d) —Written AML/CFT Programs Must Be Made Available Upon Request

Current program rules generally require financial institutions to have written AML/CFT programs, but there is variation in how the requirement is formulated in FinCEN's regulations for certain types of financial institutions. [87 ] Proposed 31 CFR 10XX.210(d) would provide a consistent standard by requiring that an AML/CFT program be written, and that a financial institution, upon request, make available a copy of its written AML/CFT program to FinCEN or its designee. FinCEN's designee, in this instance, includes any agency to which FinCEN has delegated examination authority or the appropriate SRO. It is thus assured that agencies with original or delegated examination authority over a financial institution, including for example an agency with examination authorities delegated by FinCEN [88 ] or the appropriate SRO [89 ] will be among the agencies able to access a financial institution's written AML/CFT program. In addition to promoting consistency across the program rules, these clarifications are intended to help financial institutions develop a structured AML/CFT program understood across the enterprise.

2. Proposed 31 CFR 10XX.210(d) —Financial Institution Approval of a Written AML/CFT Program

Proposed 31 CFR 10XX.210(d) would also require that a financial institution's written AML/CFT program be approved by the financial institution's board of directors or an equivalent governing body within the financial institution, or appropriate senior management.

Current program rules generally require a financial institution's board or an equivalent governing body within the institution, or appropriate senior management, to approve the financial institution's written AML program. However, the proposed rule ( printed page 18721) standardizes this language across all financial institution types and provides financial institutions with significant flexibility in its chosen approval method. While some financial institutions may choose to have their boards approve the written AML/CFT program, for others, an equivalent governing body might be a sole proprietor, general partner, or trustee, or a grouping of owners, senior officers (including board committees or other groups with oversight responsibilities), senior management, or other persons having functions and authority similar to that of a board. For the U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's board of directors or delegates acting under the board's express authority. [90 ]

Alternatively, some financial institutions might have other individuals or groups with similar status or functions as directors approve the AML/CFT program. Such individuals may include Chief Executive Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal Officer, Chief Compliance Officer, Director, and individuals with similar status or functions. Also, groups with oversight responsibilities may include board committees such as compliance or audit committees as well as a group of some, or all of these individuals with aforementioned titles, as senior management that can provide effective oversight of the AML/CFT program to comply with the proposed rule.

Although some financial institutions must already obtain board approval for their AML/CFT programs or be subject to oversight by a board of directors, or an equivalent governing body, this board or senior management approval requirement will represent a change in requirements for other financial institutions. In some cases, the proposed rule would provide greater flexibility than current program rules provide. For example, a bank lacking a Federal functional regulator must have an AML/CFT program that is approved by the board or equivalent governing body within the bank. [91 ] Banks with a Federal functional regulator must also have board approval for their AML/CFT programs under their regulators' existing rules, although not FinCEN's. [92 ] On the other hand, broker-dealers; insurance companies; FCMs and IBCs; DPMSJs; operators of credit card systems; loan or finance companies; and housing GSEs, must currently obtain senior management level approval for their AML/CFT programs. [93 ] Board approval is not required for these entities currently, so the proposed rule would not be a change. The existing program rules for casinos and MSBs do not contain specific board or senior management approval requirements, so the proposed rule would constitute a change for these entities. [94 ]

In the case of some financial institutions, there may be existing statutes or regulations (other than the BSA and its implementing regulations) that will determine whether a financial institution must have its board approve its AML/CFT program. The proposed rule would not interfere with any such requirements. For instance, mutual funds must comply with Rule 38a-1 under the Investment Company Act of 1940 requiring board approval of a mutual fund's written policies and procedures, which would include its AML/CFT Program. [95 ] Because of this requirement, FinCEN understands that Rule 38a-1 would be controlling in practice and require a mutual fund's board to approve its AML/CFT program; needless to say, such approval would also satisfy FinCEN's proposed rule.

The proposed rule's provision requiring the approval of the AML/CFT program by a financial institution's board of directors, equivalent body, or appropriate senior management reflects the importance of a financial institution maintaining a strong culture of compliance. A culture of compliance involves demonstrable support and visible commitment from leadership, the dedication of adequate resources to AML/CFT compliance, effective information sharing throughout the financial institution, qualified and independent testing, and understanding across leadership and staff levels of the importance of BSA reports. Adherence to these principles is critical to ensuring that AML/CFT programs are effective.

At the same time, an alternative approach is to refrain from prescribing corporate-governance detail in the proposed rule, instead allowing financial institutions to determine the appropriate approving authority consistent with their legal structure and other regulatory and legal requirements. Leaving firm-level choices to financial institutions would preserve flexibility across differing corporate structures, avoid imposing a single model for allocating responsibilities, and reduce the risk of unintended conflict with other regulatory or legal requirements.

F. Proposed 31 CFR 1020.221 —Supervision and Enforcement

The proposed rule would add new 31 CFR 1020.221 to set forth a supervision and enforcement framework for banks' AML/CFT programs that is aligned with the AML Act's emphasis on effectiveness and risk-based supervision. The proposed section defines key terms, describes FinCEN's enforcement and supervision policy with respect to the requirements of the BSA or 31 CFR chapter X, establishes consultation requirements between FinCEN and the Agencies, when acting under supervisory authority delegated by FinCEN, and specifies factors that the Director would consider in determining whether to take, or in reviewing, an AML/CFT enforcement action or significant AML/CFT supervisory action. The supervision and enforcement requirements apply only to banks and the Agencies in the proposed rule, but FinCEN welcomes comment on whether these provisions should apply to other financial institutions. Likewise, the enforcement requirements do not apply to and in no way affect criminal enforcement liability under the Bank Secrecy Act.

1. Proposed 31 CFR 1020.221(a) —Definitions

Proposed 31 CFR 1020.221(a) would define several terms used throughout the section. The term “AML/CFT requirement” would mean a requirement of the BSA or 31 CFR chapter X.

The term “AML/CFT enforcement action” as proposed in 31 CFR 1020.211(a)(1) would mean any formal or informal action taken by FinCEN that seeks to penalize, remedy, prevent, or respond to noncompliance with, past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement.

The term “significant AML/CFT supervisory action” as proposed in 31 ( printed page 18722) CFR 1020.221(a)(3) would mean any written communication or other formal supervisory determination issued by FinCEN or an Agency, when acting under supervisory authority delegated by FinCEN, that identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement; communicates supervisory expectations regarding actions or remedial measures required to correct the issue; and contemplates significant or programmatic actions or remedial measures to be taken by the bank. Examiner observations, suggestions, or other informal comments would be expressly excluded from this definition.

2. Proposed 31 CFR 1020.221(b) —FinCEN Enforcement and Supervision Policy

Proposed 31 CFR 1020.221(b) would articulate FinCEN's enforcement and supervision policy as it relates to AML/CFT requirements applicable to banks. [96 ] Except with respect to a significant or systemic failure to implement an effective AML/CFT program (i.e., deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program), a bank that has properly established an AML/CFT program would not be subject to an AML/CFT enforcement action based on the program rule by FinCEN or to a significant AML/CFT supervisory action based on the program rule by FinCEN or by the Agencies, when acting under supervisory authority delegated by FinCEN.

At the same time, the proposed rule would clarify that nothing in this policy would restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to a failure to properly establish an AML/CFT program. Moreover, the proposed rule would not affect the factors that FinCEN applies in the disposition of a violation [97 ] once FinCEN has determined that such violation involves either: (1) a failure to properly establish an AML/CFT program, or (2) a significant or systemic failure to implement an effective AML/CFT program.

3. 31 CFR 1020.221(c) —FinCEN Consultation

Proposed 31 CFR 1020.221(c) would establish a notice and consultation framework applicable when the Agencies, acting under supervisory authority delegated by FinCEN, intend to initiate a significant AML/CFT supervisory action. Before initiating such an action, the Agencies would be required to provide the Director with an opportunity to review the action and consider any input offered by the Director, which may include any view as to the effectiveness of the bank's AML/CFT program. To facilitate that review, the Agencies would be required to provide written notice to the Director of their intent to take the action at least 30 days in advance of the proposed action, unless a shorter period is necessary, in the sole discretion of the Agencies, to remedy, prevent, or respond to an unsafe or unsound practice or condition.

The notice would be accompanied by the relevant AML/CFT information underlying the proposed action. Relevant AML/CFT information may include, but is not limited to: the relevant portions of the draft report enforcement action; the relevant examination workpapers supporting the proposed action and the relevant AML/CFT information submitted by the bank to the Agency. FinCEN notes the Agencies would not be obligated to provide information over which the bank may claim privilege under Federal or State law. The Agencies would also be required to respond to requests for additional AML/CFT information from the Director regarding the proposed action.

4. 31 CFR 1020.221(d) —FinCEN Considerations

Proposed 31 CFR 1020.221(d) specifies the factors that the Director would consider in determining whether to take an enforcement action or significant supervisory action with respect to banks, or when reviewing a proposed action by the Agencies. [98 ] These factors would include the factors set forth in 31 U.S.C. 5318(h)(2)(B), as applicable; the extent, if any, to which the bank—where appropriate in light of its size, complexity, and risk profile—has advanced the AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, conducting proactive analytics or performing other innovative activities producing demonstrable outputs evincing the effectiveness of the bank's AML/CFT program (including effective use of artificial intelligence, federated learning, or other advanced monitoring tools); and any other factor the Director deems appropriate, including the bank's size, complexity, and risk profile, and, as relevant, circumstances in which the bank's low-risk customers or limited business activities naturally limit the extent to which the bank can meaningfully contribute to AML/CFT Priorities.

The Director's consideration of the extent to which a bank has provided highly useful information to law enforcement or national security agencies reflects that FinCEN considers information sharing to be an important element of an effective AML/CFT program. Financial institutions may share useful information by responding to 314(a) requests or may use 314(b) authorities to share information with other financial institutions to identify and report to the Federal Government activities that may involve ML/TF. Financial institutions may also elect to participate in the FinCEN Exchange Program, a voluntary public-private information sharing partnership among FinCEN, law enforcement agencies, national security agencies, and financial institutions and other private sector entities that aims to support priority national security and counter-illicit finance objectives. [99 ] FinCEN strongly encourages information sharing for the purpose of advancing the AML/CFT Priorities.

The Director may consider the above alongside other factors, including those outlined in the FinCEN Statement on Enforcement of the Bank Secrecy Act, such as the nature and seriousness of violations, including the extent of possible harm to the public and amounts involved; impact or harm of the violations on FinCEN's mission to safeguard the financial system from illicit use, combat money laundering, and promote national security; or financial gain or other benefit resulting from, or attributable to, the violations, amongst others. [100 ]

G. Other Changes for Modernization, Clarification, and Consistency

In addition to the previously described changes, the proposed rule would make other revisions to increase ( printed page 18723) clarity and consistency in the program rules. Most of these changes are technical, such as renumbering provisions, amending cross-references, and updating statutory references based on changes to the BSA by the AML Act. For example, along with the Agencies, references to “BSA/AML programs” are being updated to “AML/CFT programs” for financial institutions subject to CIP requirements. [101 ] These technical changes are not anticipated to establish new obligations.

The proposed rule also would make minor changes to the definitions in FinCEN regulations, including the definition of “Bank Secrecy Act” at 31 CFR 1010.100(e). [102 ] The proposed rule would also amend the definition of “Federal functional regulator” at § 1010.100(r) to remove reference to the defunct Office of Thrift Supervision and insert “The Federal Deposit Insurance Corporation” in place of “The Board of Directors of the Federal Deposit Insurance Corporation.” The proposed rule would also add a definition of “AML/CFT priorities” at § 1010.100(nnn) to mean the most recent statement of Anti-Money Laundering and Countering the Financing of Terrorism National Priorities issued pursuant to 31 U.S.C. 5318(h)(4). Finally, as noted above, the proposed rule adds a definition of “Federal Financial Institutions Regulatory Agency” at § 1010.100(ooo). [103 ]

Additionally, as required under section 6101(b) of the AML Act, FinCEN consulted with Federal functional regulators, particularly the Agencies, to inform this rulemaking and coordinate updates to the bank program rule. The proposed rule is removing the provision in FinCEN's program rule for banks requiring them to comply with the parallel program rule for banks adopted by the Federal functional regulators since these program rules are consistent. As the delegated administrator of the BSA, FinCEN expects banks to adhere to FinCEN's rule as promulgated via the Secretary's explicit authority to prescribe minimum standards for AML/CFT programs.

The proposed rules for broker-dealers and FCMs and IBCs would retain requirements to comply with the rules, regulations, or requirements of their SROs, provided those rules, regulations, or requirements have been made effective under the Securities Exchange Act of 1934 for broker-dealers, [104 ] or the Commodity Exchange Act for FCMs and IBCs, [105 ] or by the appropriate Federal functional regulator in consultation with FinCEN.

The following subsections describe more significant changes.

1. Combining the Bank Rules

Since 2020, banks lacking a Federal functional regulator have been subject to substantially similar AML/CFT program requirements (31 CFR 1020.210(b)) as banks with a Federal functional regulator (31 CFR 1020.210(a)). [106 ] The proposed rule would combine the program rules for both bank types.

The most significant difference between the existing AML program rules is that 31 CFR 1020.210(b)(3) requires banks lacking a Federal functional regulator to: (1) have their AML programs approved by the board of directors or, if the bank does not have a board of directors, an equivalent governing body within the bank; and (2) make a copy of its AML program available to FinCEN or its designee upon request. FinCEN's designee, in this instance, includes any agency to which FinCEN has delegated examination authority or the appropriate SRO. As previously discussed, the proposed rule would require banks to obtain the approval of their AML/CFT programs from the board of directors, an equivalent governing body within the bank, or appropriate senior management, and it would require that the AML/CFT program be made available to FinCEN or its designee upon request. With these changes, FinCEN believes it would no longer be necessary to have two sets of program rules for banks. Therefore, the proposed rule would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules applicable to all banks.

2. Conforming and Modernizing Program Rules

For purposes of consistency and clarity, the proposed rule would harmonize certain elements, as described below, of the program rules for casinos and MSBs to the program rules for banks; broker-dealers; mutual funds; insurance companies; FCMs and IBCs; DPMSJs; operators of credit card systems; loan or finance companies; and housing GSEs.

Additionally, for casinos, the proposed rule would remove the following language in 31 CFR 1021.210(b)(2)(vi): “For casinos that have automated data processing systems, the use of automated programs to aid in assuring compliance.” Similarly, for MSBs, the proposed rule would remove the following language in 31 CFR 1022.210(d)(1)(ii): “Money services businesses that have automated data processing systems should integrate their compliance procedures with such systems.” The removal of automated data processing language is not intended to eliminate any substantive BSA compliance obligations for casinos or MSBs. Rather, it reflects that the application of the same risk-based approach used in the other program rules, which allows—but does not mandate—the use of automated data processing systems.

A few unique elements of the existing program rule for MSBs would be carried over into the new rule language. In particular, the customer identification provisions of current 31 CFR 1022.210(d)(1)(i)(A) and (d)(1)(iv), and the agent responsibility provision of current 31 CFR 1022.210(d)(1)(iii), would all be retained in the new MSB program rule language. This language reflects FinCEN's longstanding appreciation of the special circumstances applicable to many members of the extraordinarily diverse category of MSB, an appreciation that remains as accurate now as it was when these unique elements were included in FinCEN's regulations.

3. Compliance and Implementation Dates

Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and 1030.210(d) contain compliance and implementation dates for MSBs; DPMSJs; loan or finance companies; and housing GSEs, respectively. The proposed rule would retain implementation dates for MSBs and DPMSJs, respectively, since they set the time frames in which those specific financial institution types are required to comply once they conduct certain ( printed page 18724) activities or pass thresholds that subject them to AML/CFT program requirements. The proposed rule would also update the citations for these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect other changes made to §§ 1022.210(d) and 1027.210(e).

The proposed rule, however, would amend these provisions, as well as those of other types of financial institutions, such as loan or finance companies and housing GSEs, to remove compliance dates that have passed and are therefore irrelevant.

4. Compliance With Other Rules

For consistency and clarity, the proposed rule would delete certain unnecessary cross-references to other regulations. Specifically, the proposed rule would no longer state that banks, broker-dealers, and FCMs and IBCs must comply with the 31 CFR 1010.610 and 1010.620 due diligence requirements for foreign correspondent and private banking accounts. [107 ] Additionally, the proposed rule would no longer state that banks must comply with the regulations of their Federal functional regulators. Those regulations and requirements apply irrespective of cross-references in the program rules, so FinCEN is proposing to remove the cross-references to streamline the program rules and promote consistency. FinCEN does not intend for these changes to have any substantive effect.

VI. Final Rule Effective Date

FinCEN is proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for financial institutions to review and implement the requirements of the proposed rule. FinCEN solicits comment on the proposed effective date.

VII. Request for Comment

FinCEN welcomes comment on all aspects of the proposed amendments and specifically seeks comment on the questions below. FinCEN encourages commenters to reference specific question numbers when responding.

An “Effective” AML/CFT Program (V.B.)

1. The proposed rule sets forth the conditions for an effective AML/CFT program. Is the description of an effective program sufficiently clear or is there anything further that FinCEN should consider adding in the final rule to clarify the concept of program effectiveness?

2. The proposed rule reflects a determination by FinCEN that financial institutions are best placed to identify risks and allocate resources, and that providing them with greater discretion in these areas will improve the quality of AML/CFT compliance and reporting to law enforcement. Is this correct or should FinCEN consider adding more requirements regarding allocation of resources? How might financial institutions assess changes in the total allocation of resources devoted to an AML/CFT program in a changing risk and cost environment?

Establishing and Maintaining an AML/CFT Program (V.C.)

1. Do financial institutions distinguish between “establishing a program” and “maintaining a program by implementing the program”? If so, how? Should FinCEN add anything to further define these terms in the final rule?

2. Should the proposed rule's distinction between “establishing” and “maintaining” a program be modified? Is the distinction between “establishing” and “maintaining” a compliance program useful for financial institutions?

3. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement an effective AML/CFT program (i.e., a failure to implement, in all material respects, a properly established AML/CFT program)?

4. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?

5. How should the proposed rule ensure that the regulations issued by FinCEN and the appropriate Agencies function harmoniously? How should the proposed rule differentiate between the Secretary's responsibility for issuing regulations on establishing and maintaining AML/CFT programs and the Agencies' responsibilities for issuing regulations on establishing and maintaining AML/CFT programs under their respective authorities?

Internal Policies, Procedures, and Controls (V.D.1.)

1. Do financial institutions expect any changes to their existing internal policies, procedures, and controls under the proposed rule, which requires that internal policies, procedures, and controls be “risk-based” and “reasonably designed” to ensure compliance with the BSA?

Risk Assessment Processes (Generally) (V.D.1.i.)

1. The proposed rule refers to risk assessment processes rather than a risk assessment process. This leaves financial institutions free to use findings from one or more processes to holistically assess their ML/TF risks. Does this description of how financial institutions would assess their ML/TF risk under the proposed rule provide sufficient flexibility? How should FinCEN describe “risk assessment processes” to better reflect how financial institutions assess ML/TF risks?

2. Should risk assessment processes be required to take into account additional or different criteria or risks than those listed in the proposed rule? If so, what additional factors should FinCEN consider requiring?

3. How long does it generally take a financial institution to incorporate the results of a risk assessment into the other aspects of its AML/CFT program? What factors determine this timeframe?

Risk Assessment Processes (AML/CFT Priorities) (V.D.1.i.b.)

1. What, if any, difficulties do financial institutions anticipate when incorporating the AML/CFT Priorities as part of their risk assessment processes?

2. What additional guidance on how to incorporate the AML/CFT Priorities into a financial institution's risk assessment processes would it be useful for FinCEN to provide?

Risk Assessment Processes (Updates) (V.D.1.i.c.)

1. The proposed rule requires that risk assessment processes are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's ML/FT risks. Would the proposed update requirement change the way financial institutions currently update their risk assessment processes, and if so, how? Is additional explanation needed concerning when a financial institution would be required to update its risk assessment? In particular, how might FinCEN clarify how risk assessment processes would be updated “promptly”? Would an alternative approach, such as periodic updates or a set schedule for updates, be preferable? Would an alternative standard, such as “materially changes,” be clearer than “significantly changes”?

2. How does a financial institution's monitoring for ML/TF risks and its risk assessment processes affect one another? Put differently, if there is a feedback loop between the two, please describe it, including the typical amount of time between discovering new risks and incorporating those findings into risk assessment processes. ( printed page 18725)

Independent AML/CFT Program Testing To Be Conducted by Bank Personnel or by an Outside Party (V.D.2.)

1. Under the proposed rule, a financial institution is required to conduct independent AML/CFT program testing. This requirement is already reflected in existing AML program rule requirements [108 ] as the requirement to include “an independent audit function to test programs.” [109 ] FinCEN solicits comment on how financial institutions may interpret and carry out this requirement, based on the proposed rule's description of an effective AML/CFT program. Are further clarifications on the independent AML/CFT program testing requirement necessary to ensure that audits carried out by bank personnel or outside third parties are well-tailored, risk-based, and focused on effectiveness?

AML/CFT Officer Located in the United States (V.D.3.)

1. Under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States other than limited circumstances, such as a bank's foreign head office or controlling company. Are any further clarifications on what duties personnel outside the United States may perform needed?

Written AML/CFT Program and Approval (V.E.1)

1. The proposed rule standardizes the long-standing requirement that an AML/CFT program be written. Should FinCEN further clarify which specific elements of an institution's AML/CFT program must be written, or is this requirement generally understood in its current form? In particular: (a) which program components—such as risk assessment processes; internal policies, procedures, and controls; transaction monitoring rules and parameters; escalation and reporting protocols; independent testing results; training materials; and documentation of designated personnel—should be required in writing; (b) what form (e.g., narrative descriptions, checklists, system configurations, or electronic records) should such documentation take; and (c) what level of detail is appropriate for each component? Should FinCEN instead eliminate the requirement that an AML/CFT program be expressly required to be “written” because, among other reasons, financial institutions may be subject to other applicable recordkeeping and documentation requirements? What would be the benefits or drawbacks of not prescribing a mandatory written requirement in the regulation?

2. The proposed rule would require that a financial institution's written AML/CFT program be approved by its board of directors, an equivalent governing body, or appropriate senior management. Should FinCEN further clarify which aspects of the AML/CFT program must be subject to such approval? In particular: (a) should approval be required for each of the core program components (e.g., the risk assessment processes framework; internal policies, procedures, and controls; transaction-monitoring and escalation frameworks; independent testing structure; training program; and designation of responsible personnel), or would approval of the overall program framework be sufficient; (b) should material revisions to particular components (such as significant changes to the institution's risk assessment methodology, monitoring architecture, or governance structure) require re-approval at the same level; and (c) what level of specificity should the approving body be required to review and approve (e.g., high-level program architecture versus detailed procedures or parameter-level settings)? Should FinCEN instead eliminate the specified approval requirement, allowing financial institutions flexibility in determining how leadership oversight of the AML/CFT program is structured? What would be the benefits or drawbacks of not prescribing a mandatory approval requirement in the regulation? If FinCEN does not eliminate the specified approval requirement, should FinCEN consider amending the requirement? Are there alternatives to board of directors, an equivalent governing body, or appropriate senior management that would be more appropriate?

Supervision and Enforcement (V.F.)

1. The proposed rule would add a new § 1020.221 to set forth a supervision and enforcement framework for banks. The new supervision and enforcement requirements would apply only to banks and the Federal banking agencies in the proposed rule. FinCEN welcomes comment on whether these provisions should apply to other financial institutions.

2. Is further clarification needed for financial institutions to determine what constitutes a “significant or systemic failure to implement an AML/CFT program in accordance with § 1020.210(c)”?

3. Is further clarification needed for financial institutions to determine what constitutes a “failure to establish an AML/CFT program in accordance with § 1020.210(b)”?

4. The proposed rule refers to FinCEN's “enforcement and supervision policy.” Does it introduce confusion to label regulatory provisions having the force of law as “policy”? If so, how should the proposed regulatory language be amended to eliminate that confusion?

5. The proposed rule would add a requirement for an Agency to notify and consider information provided by FinCEN before initiating a significant AML/CFT supervisory action when acting pursuant to authority delegated under this chapter. Should the proposed consultation process include an asset threshold— e.g., consultation is required for any significant AML/CFT supervisory actions involving banks with $10 billion or more in assets? In addition, or as an alternative, should the proposed rule not require but instead provide the option for banks to request their Agency consult with FinCEN prior to initiating a significant AML/CFT supervisory action?

6. The definition of significant AML/CFT supervisory action includes the term “any written communication.” Is the term “any written communication” too broad? Are there negative consequences to including the term “any written communication” in the proposed regulatory text? If so, please describe. Should the term “any written communication” be more clearly defined or removed altogether?

7. As described above, the purpose of the FinCEN consultation requirement is to ensure consistency in BSA/AML enforcement and supervision across banks, and for FinCEN to provide relevant information on the effectiveness and impact of an institution's AML/CFT program. While Treasury, FinCEN, and the Agencies believe the benefits of a required consultation process outweigh the costs, the parties recognize this adds additional layers of review for financial institutions and the Agencies during an examination. Are there any avenues, communication channels, or methods in ( printed page 18726) which FinCEN and the Agencies can streamline the consultation process and prevent logistical burdens for financial institutions or delays in exam report issuance?

8. Is the definition of the term “significant AML/CFT supervisory action” sufficiently clear? Does the inclusion of “unsafe or unsound practices or conditions” introduce confusion about what types of supervisory actions would be subject to the FinCEN consultation requirement, since those terms are not found in the BSA?

9. FinCEN welcomes comment on provisions related to the use of innovative tools to achieve effective outcomes, specifically on how the Director may consider the performance of innovative activities that produce demonstrable outputs under the proposed supervision and enforcement framework.

Final Rule Effective Date (VI.)

1. FinCEN is proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for financial institutions to review and implement its requirements. FinCEN solicits comment on the proposed effective date.

VIII. Severability

As a part of this proposal, FinCEN proposes that if one portion of the proposed rule, if finalized, is found to be invalid, the invalidated portion of the regulation should be severed with the other portions of the proposed rule, as well as the existing FinCEN regulations for each type of financial institution in chapter X, remaining in full force and effect. FinCEN's position is that invalidation of any one provision, or application thereof to any one person or circumstance, does not, and should not, affect any other provision in this proposed regulation or existing regulations under chapter X. Each provision serves an important, related, but distinct purpose and application, designed to benefit the public by protecting the U.S. financial system from illicit financial activity. FinCEN accordingly has proposed to incorporate this position into the respective rules for each type of financial institution, such that invalidity to one provision would not undermine the operability or usefulness of the other provisions.

IX. E.O. 14294

Section 5 of E.O. 14294 directs that all future notices of proposed rulemaking and final rules published in the Federal Register, the violation of which may constitute criminal regulatory offenses, should include a statement identifying that the rule or proposed rule is a criminal regulatory offense and the authorizing statute. [110 ] E.O. 14294 directs agencies to draft this statement in consultation with the Department of Justice.

E.O. 14294 further directs that the regulatory text of all NPRMs and final rules with criminal consequences published in the Federal Register after May 9, 2025, should explicitly state a mens rea requirement for each element of a criminal regulatory offense, accompanied by citations to the relevant provisions of the authorizing statute.

Willful violations of the regulations set forth in this proposed rule may be subject to criminal penalties pursuant to 31 U.S.C. 5322 and regulations promulgated 31 CFR chapter X. The statutory authority for criminal liability requires a mens rea of willfulness as an element under 31 U.S.C. 5322(a) and 31 U.S.C. 5322(b). FinCEN's existing regulation, 31 CFR 1010.840, that sets out criminal penalties for violations of regulations promulgated in 31 CFR chapter X also includes a mens rea of willfulness. In drafting this statement, FinCEN has consulted with the Department of Justice.

X. Regulatory Impact Analysis

FinCEN has analyzed the proposed rule as required under E.O. 12866, [111 ] E.O. 13563, [112 ] E.O. 14192, [113 ] the Regulatory Flexibility Act (RFA), [114 ] the Unfunded Mandates Reform Act of 1995 (UMRA), [115 ] and the Paperwork Reduction Act (PRA). [116 ]

This proposed rule has been determined to be a “significant regulatory action” under section 3(f)(1) of E.O. 12866, as it may have an annual effect on the economy of $100 million or more. FinCEN has included an Initial Regulatory Flexibility Analysis (IRFA) pursuant to the RFA as the proposed rule may have a significant economic impact on a substantial number of certain types of affected small entities. [117 ] Pursuant to analysis required by UMRA, FinCEN concludes it unlikely that the proposed rule, if implemented, would result in a novel annual expenditure of more than $193 million by State, local, and Tribal governments or by the private sector. [118 ] While the PRA analysis included in this NPRM introduces certain new pro forma accounting estimates to the existing Office of Management and Budget (OMB) control numbers covered by the rulemaking, these burdens and costs largely reflect administrative updates that are being introduced to more accurately represent the activity currently undertaken by covered financial institutions to comply with existing program requirements unchanged by the proposed rule. The aggregate PRA estimates do not represent, and should not be interpreted to reflect, novel incremental costs attributable to the proposed rule. [119 ]

In its totality, FinCEN's regulatory impact analysis (RIA) anticipates that the primary aggregate economic effects of the proposed rule would be reallocative insofar as the requirement for programs to support law enforcement and national security and advance AML/CFT Priorities remains unchanged. Thus, while total expenditures on program compliance may not be reduced, the distribution of which financial institutions incur costs and what they expended those resources on would be expected to change responsively to the incentives introduced by the proposed rule that better align institutions' attention and activities with its unique ML/TF risks. While aggregate costs would not be expected to decrease, FinCEN's analysis ( printed page 18727) concludes that they would also not be expected to increase, and because the proposed rule would enable financial institutions to more efficiently focus their resources on higher-risk items, the same level of expenditures may generate more effective outcomes—for the financial institution, the integrity of the financial system, law enforcement, national security, and the American public, generally.

As described above, [120 ] the proposed rule would require covered financial institutions to establish and maintain effective AML/CFT programs with certain minimum components, such as: (1) a risk-based set of internal policies, procedures, and controls; (2) independent AML/CFT program testing; (3) the designation of an individual, who is located in the United States, accessible to FinCEN and/or the appropriate Federal functional regulator (FFR), and responsible for establishing and implementing the AML/CFT program and coordinating compliance; and (4) an ongoing training program. The proposed rule would also, in certain instances, alter the scope of conditions under which FinCEN—and regulators to whom FinCEN has delegated supervisory authority such as the Agencies—could issue supervisory or enforcement actions based solely on implementation deficiencies in cases where a covered financial institution has properly established a program. Further, the proposed rule would provide FinCEN with a consultative role in certain aspects of the supervisory process for banks. [121 ]

In so doing, FinCEN contemplates a number of benefits for covered financial institutions, regulators and other compliance examiners, law enforcement and national security agencies, and the general public that would flow from (1) ensuring that AML/CFT programs are risk based, (2) modernizing and reforming Federal supervision of AML/CFT programs, and (3) promoting clarity and consistency across FinCEN's program rules for the different covered financial institution types.

This RIA begins by describing the broad economic analysis FinCEN undertook to inform its expectations of the proposed rule's economic impact and burden. [122 ] This is followed by pieces of additional and, in some cases, more specifically tailored analysis as required by E.O.s 12866, 13563, and 14192; [123 ] the RFA; [124 ] the UMRA; [125 ] and the PRA. [126 ] Requests for comments related to the RIA—regarding specific findings, assumptions, or expectations, or with respect to the analysis in its entirety—can be found in the final subsection. [127 ] These requests for comments have been previewed and cross-referenced throughout the RIA.

A. Assessment of Impact

Consistent with best practices in regulatory economic analysis, FinCEN's assessment of impact begins with an overview of broad economic considerations, identifying, among other things, the need for the policy intervention. [128 ] Next, FinCEN (1) establishes baseline estimates of the number of covered financial institutions and other entities that could be affected by the proposed rule and (2) describes the current regulatory requirements and background practices against which the proposed rule would introduce changes. [129 ] The analysis then briefly reviews elements of the proposed rule that most directly inform how foreseeable economic impacts would flow from how covered financial institutions and their respective regulators would engage in otherwise-not-undertaken activities to comply. [130 ] Next, the RIA presents the anticipated benefits and estimated costs to the respective affected parties that would be associated with compliance. [131 ] Finally, the assessment concludes with a brief discussion of alternative policies FinCEN considered and could have proposed, including an evaluation of the relative economic merits of each against the expected value of the rule as proposed. [132 ]

1. Broad Economic Considerations

Because this NPRM is being issued pursuant to statutory obligations, the necessity for FinCEN to independently identify and articulate fundamental economic problems that the proposed rule is intended to address, as the basis for regulatory action, [133 ] is attenuated because at best this activity would complement the problem identification already performed by Congress. [134 ] Nevertheless, FinCEN has remained mindful of these animating considerations as well as the general social and economic costs that may ensue from an ineffective AML/CFT regime. [135 ]

FinCEN expects that the proposed rulemaking would meaningfully alleviate certain underlying economic problems that can impede the effectiveness of AML/CFT programs. These include potential problems that flow from the presence of reporting-related externalities and certain information asymmetries. [136 ]

The expected benefits of the proposed rule, as discussed below, [137 ] are therefore linked by the extent to which the proposed new and amended program requirements would address these fundamental economic problems, as doing so would enhance AML/CFT program effectiveness and thereby strengthen, modernize, and improve the U.S. AML/CFT regime.

2. Affected Parties and Institutional Baseline

In proposing this rule, FinCEN considered the incremental impacts of the proposed requirements relative to the current state of the affected markets and their participants. [138 ] This baseline ( printed page 18728) analysis of the parties that would be affected by the proposed rule, their current obligations, current program-related activities, and currently accrued costs and/or benefits satisfies analytical best practices by describing the alternative of not pursuing the proposed, or any other, novel regulatory action. [139 ] In each case, for amended and new requirements, within the RIA, we have attempted to identify the incremental expected economic effects of each component of the proposal as precisely as practicable against this baseline. Nevertheless, in certain cases, FinCEN can make only qualitative assessments.

As a first step in the process of isolating these anticipated marginal effects, FinCEN assessed the current landscape of the covered financial institutions that would be affected by the proposed rule, including the population sizes by financial institution type, their existing regulatory requirements, and the burden they currently face associated with their compliance activities. FinCEN also briefly discusses other categories of persons and entities (i.e., regulators, compliance examiners, law enforcement and national security agencies, and certain members of the general public) that are expected to be directly affected by the proposed rule.

FinCEN acknowledges that the discussion below does not include an assessment of the baseline level of general compliance with existing program requirements and must therefore caveat that the incremental effects estimated in subsequent sections are based on the presumption of full compliance with the current rules. [140 ] FinCEN does not attempt to estimate a baseline population of currently non-compliant entities that could be differently affected by the rule because it is unclear that the proposed rule would alter the compliance choices already made by those covered financial institutions. FinCEN invites comment on whether this assumption, or the baseline it implies, is appropriate for the purposes of this analysis. [141 ]

i. Baseline of Affected Parties

FinCEN expects the following populations would be directly affected by proposed rule: (1) covered financial institutions, (2) regulators and other compliance examiners, and (3) law enforcement and national security agencies. FinCEN also took into consideration that certain other members and groups of the general public, counterparties, clients/customers of affected parties, and other persons may be indirectly affected by the proposed rule. However, because such effects are not readily quantifiable, nor is attribution within groups likely to be uniform, the corresponding economic impacts are not itemized in further detail for all members of the general public in the discussion below. Rather, further consideration of the anticipated economic impact on the general public is limited to select clearly identifiable subpopulations expected to be the most directly affected. [142 ] To the extent that the economic impact on additional key, directly affected subpopulations of the general public should be considered, FinCEN invites comment, data, studies, or reports that would enhance its ability to identify and quantify such effects. [143 ]

a. Covered Financial Institutions

The parties expected to comply with the proposed new requirements and amendments to existing requirements include all covered financial institutions as defined in 31 CFR 1010.100(t) and with existing program obligations prescribed in 31 CFR chapter X, parts 1020 through 1030. This would include banks (both those with and without an FFR), casinos, MSBs, broker-dealers, mutual funds, insurance companies, FCMs and IBCs, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs. [144 ]

Table 1 presents FinCEN's estimates of the total number of entities that meet the respective regulatory definitions of covered financial institutions. [145 ] Based on these estimates, FinCEN expects that the proposed rule would affect approximately 369 thousand covered financial institutions, of which approximately 361 thousand, or approximately 98 percent, would qualify as small financial institutions for IRFA purposes. [146 ]

| Financial institution type a | Number of financial
institutions |
| --- | --- |
| Banks with an FFR b | c 8,623 |
| Banks without an FFR d | e 365 |
| Casinos f | g 1,299 |
| Principal MSBs h | i 24,856 |
| Agent MSBs | 307,212 |
| Broker-Dealers j | k 3,278 |
| Mutual Funds l | m 1,355 |
| Insurance Companies n | o 717 |
| FCMs and IBCs p | q 954 |
| DPMSJs r | s 6,742 |
| Operators of Credit Card Systems t | u 4 |
| Loan or Finance Companies v | w 13,342 |
| Housing GSEs x | y 13 |
| Total | 368,760 |
| a See 31 U.S.C. 5312(a)(2); see also 31 CFR 1010.100(t) (definition of financial institution). | |
| b See 31 CFR 1010.100(t)(1); see also 31 CFR 1010.100(d) and 1020.210(a). ( printed page 18729) | |
| c This includes 4,336 FDIC-insured depository institutions (i.e., federally regulated banks) according to the FDIC's Quarterly Bank Profile for Q4 2025, p. 2 (https://www.fdic.gov/​quarterly-banking-profile/​past-quarterly-banking-profiles). It also includes 4,287 NCUA-chartered credit unions (i.e., federally regulated credit unions) as of December 31, 2025, according to NCUA's Quarterly Credit Union Data Summary: 2025 Q4, p. i (https://ncua.gov/​analysis/​credit-union-corporate-call-report-data/​quarterly-data-summary-reports). | |
| d See 31 CFR 1020.210(b). | |
| e The Board of Governors of the Federal Reserve System Master Account and Services Database (https://www.federalreserve.gov/​paymentsystems/​master-account-and-services-database-existing-access.htm) contains data as of November 30, 2025, on financial institutions that use Federal Reserve Bank financial services, including those with no additional Federal regulator. FinCEN used this data to identify 365 banks and credit unions with no additional Federal regulator using Federal Reserve Bank financial services. | |
| f See 31 U.S.C. 5312(a)(2)(X); see also 31 CFR 1010.100(t)(5) and (6). | |
| g American Gaming Association, State of the States 2025: The AGA Analysis of the Commercial Casino Industry, May 2025, p. 14 (https://www.americangaming.org/​wp-content/​uploads/​2025/​05/​AGA-State-of-the-States-2025.pdf). | |
| h See 31 U.S.C. 5312(a)(2) (J,K,R); see also 31 CFR 1010.100(t)(3) and (ff) (definition of MSB). | |
| i The definition of MSB (31 CFR 1010.100(ff)) covers both principal and agent MSBs. FinCEN estimated there were 24,856 uniquely identifiable registered principal MSBs with indicia of active business operations as of the three year-ends 2023-2025. FinCEN has estimated that the number of agent MSBs is approximately 307,212 based on internal data. | |
| j See 31 U.S.C. 5312(a)(2)(G); see also 31 CFR 1010.100(t)(2). | |
| k This estimate is based on U.S. Securities and Exchange Commission (SEC) data on active broker-dealers available at “Company Information About Active Broker-Dealers” (https://www.sec.gov/​foia-services/​frequently-requested-documents/​company-information-about-active-broker-dealers), which listed 3,278 active broker-dealers registered with the SEC as of December 31, 2025. | |
| l See 31 U.S.C. 5312(a)(2)(I); see also 31 CFR 1010.100(t)(10) and (gg). | |
| m This estimate is based on the number of registered investment companies filing Form N-1A in SEC's Annual Registered Investment Company Update: Form N-CEN Data, Period Ending December 2024, April 2025, table 1.3, p. 4 (https://www.sec.gov/​files/​annual-registered-investment-company-update-20250404.pdf). | |
| n See 31 U.S.C. 5312(a)(2)(M); see also 31 CFR 1025.100(g) (definition of “insurance company or insurer” for purposes of applicability of FinCEN regulations). | |
| o This estimate includes 717 life and health insurers in the United States during 2024. From U.S. Department of the Treasury, Annual Report on the Insurance Industry (Sept. 2025), p. 10 (https://home.treasury.gov/​system/​files/​311/​Final%20FIO%202025%20Annual%20Report.pdf). Neither the estimate presented here nor the estimate of broker-dealers controls for entities that may be both a broker-dealer and an insurance company; thus, a certain number of affected entities may be double-counted. However, based on consultation with staff of other Federal regulators, FinCEN believes this population of dually affected entities may be relatively small and unlikely to significantly distort the overall assessment. | |
| p See 31 U.S.C. 5312(a)(2)(H); see also 31 CFR 1010.100(t)(8) and (9). | |
| q According to Commodity Futures Trading Commission (CFTC) data on FCMs available at “Financial Data for FCMs” (https://www.cftc.gov/​MarketReports/​financialfcmdata/​index.htm), there were 66 registered FCMs as of December 31, 2025. The number of IBCs as of December 31, 2025 (888) was obtained from the National Futures Association (NFA) “NFA Membership and Registration” website (https://www.nfa.futures.org/​registration-membership/​membership-and-directories.html). Because deduplication of entities registered as both FCMs and IBCs was not feasible, this estimate may double-count some entities registered in both categories. FinCEN, however, believes this subpopulation may be small. | |
| r See 31 U.S.C. 5312(a)(2)(N) (definition of a “dealer” in precious metals, stones, or jewels for purposes of applicability of FinCEN regulations); see also 31 CFR 1027.100(b). | |
| s This estimate is based on data on firms with North American Industry Classification System (NAICS) code 423940 (Jewelry, Watch, Precious Stone, and Precious Metal Merchant Wholesalers) in the U.S. Census Bureau 2022 Statistics of U.S. Businesses (“2022 SUSB Data”) accessed March 1, 2025 (https://www.census.gov/​data/​tables/​2022/​econ/​susb/​2022-susb-annual.html). It does not include Jewelry and Silverware Manufacturing (NAICS code 33991) or Jewelry Retailers (NAICS code 44831). | |
| t See 31 U.S.C. 5312(a)(2)(L) (definition of “operator of a credit card system” for purposes of applicability of FinCEN regulations); see also 31 CFR 1028.100(e). | |
| u This value is based on FinCEN review of active, U.S.-based market participants at year-end 2025. | |
| v See 31 U.S.C. 5312(a)(2)(P) (definition of “loan or finance company”); see also 31 CFR 1010.100(lll). | |
| w This estimate is based on 2022 SUSB Data on firms with NAICS codes 522292 (Real Estate Credit) and 522310 (Mortgage and Non-Mortgage Loan Brokers). | |
| x See 31 CFR 1010.100(mmm) (definition of “housing government sponsored enterprise”). | |
| y Data on the 11 regional Federal home loan banks were obtained from the Federal Housing Finance Agency (https://www.fhfa.gov/​supervision/​federal-home-loan-bank-system/​about). Housing GSEs are U.S. Government-sponsored enterprises and additionally include Fannie Mae and Freddie Mac. | |

b. Regulators and Other Compliance Examiners

Because covered financial institutions would be examined for compliance with the proposed requirements in this rule, the proposed rule is expected to directly affect FinCEN, the FFRs, and other compliance examiners, including approximately 8,000 to 10,000 Federal examiners, who conduct such reviews. [147 ]

FinCEN has delegated authority to examine covered financial institutions to determine compliance as presented in table 2. [148 ]

Financial institution type	Delegated examining agency
Banks with an FFR	FDIC
	FRB
	NCUA
	OCC
Banks without an FFR	IRS
Casinos
MSBs (Principals and Agents)
Insurance Companies
DPMSJs
Operators of Credit Card Systems
Loan or Finance Companies
Broker-Dealers	SEC a
Mutual Funds
FCMs and IBCs	CFTC a
Housing GSEs	FHFA
a See FinCEN, Anti-Money Laundering Programs for Financial Institutions, 67 FR 21110 (Apr. 29, 2002). In the 2002 interim final rule, FinCEN noted it was appropriate to implement section 5318(h)(1) of the BSA with respect to broker-dealers and FCMs through their respective SROs, because the SEC and the CFTC and their SROs significantly accelerated the implementation of AML programs for their regulated financial institutions. Accordingly, 31 CFR 1023.210 and 1026.210 provided that broker-dealers, and FCMs and IBCs, respectively, would be deemed to be in compliance with the requirements of section 5318(h)(1) of the BSA if they comply with any applicable regulation of their FFR governing the establishment and implementation of AML programs. FinCEN recognizes the SEC as the FFR, and registered national securities exchanges or a national securities association, such as FINRA, as the SROs for member broker-dealers. Each SRO may have its own AML program requirements (see, e.g., FINRA Rule 3310). The CFTC's SRO is the NFA. The AML program requirements for FCMs and IBCs are set out in NFA Rule 2-9(c).

FinCEN additionally anticipates being uniquely affected as the agency (1) to which covered financial institutions would submit AML/CFT program-related reports; (2) which would coordinate how information submitted in AML/CFT program-related reports may in turn support law enforcement and national security efforts; and (3) which would take, or consult with the Agencies on, formal or informal enforcement or supervisory actions in regard to banks. [149 ]

c. Law Enforcement and National Security Agencies

The proposed rule is intended to support the efforts of law enforcement and national security agencies by promoting AML/CFT program design and implementation that is responsive and better tailored to these entities' evolving needs. Law enforcement and national security agencies can directly access and use reports and data provided to FinCEN in compliance with the AML/CFT program requirements and other applicable BSA requirements after entering a memorandum of understanding with FinCEN. As of fiscal year 2024, 432 Federal, State, and local law enforcement; regulatory; and national security agencies had access to BSA reports and BSA Search, and the BSA Portal had over 12,000 users. [150 ]

d. General Public

FinCEN expects the general public to be affected by the proposed rule, with certain subpopulations affected more directly than others. In particular, FinCEN considered two groups that it anticipates could benefit most notably from the proposed rule: (1) those harmed, or who could be harmed, by ML/TF or related illicit activities and (2) those whose access to the financial system is unduly constrained as a result of inappropriately tailored AML/CFT programs.

AML/CFT programs that are effective facilitate law enforcement and national security efforts to prevent the flow of illicit funds, identify and prosecute criminals, and detect and deter illicit activity. To the extent that the proposed rule would enhance the current effectiveness of AML/CFT programs, this could benefit the public by reducing the instances of harm (via effective deterrence) or reducing the severity of harm (when illicit activity can be identified and prosecuted). While the annual cost of crime in general, and financial crimes, specifically, are generally inestimable, certain published statistics indicate that the scale is staggering. [151 ] This effect is not only significant in its economic magnitude but affects a substantial fraction of the U.S. population. Considering only one type of illicit activity combatted by effective AML/CFT programs, a recent study suggests that approximately one in five adults may be the victim of a financial fraud or scam. [152 ] Generalized to the corresponding U.S. adult population in the survey year, that would imply that over 56 million people were affected by fraud or scams alone, and thus, that the subpopulation of those harmed, or who could be harmed, by ML/TF or related illicit activities is vast.

FinCEN anticipates that though smaller in size, the population whose access to the financial system is unduly constrained as a result of inappropriately tailored AML/CFT programs is also non-trivial. Recent studies report that in 2023, 4.2 percent of U.S. households and six percent of surveyed adults were unbanked. [153 ] This equates to approximately 5.6 million households and 15.5 million adults. [154 ] Because the extent to which unbanked or underbanked status is exclusively attributable to AML/CFT program concerns is unclear, these values should be considered upper bounds on the potentially affected subpopulation.

ii. Regulatory Baseline

As part of its baseline analysis, FinCEN considered the variation in requirements under the current regulatory framework for the covered financial institutions that would be affected by the proposed rule. This includes concurrent statutory requirements, regulatory requirements at the State level, or other regulatory regimes with which a covered financial institution must concurrently comply. ( printed page 18731) In particular, FinCEN considered: (1) the current program rule requirements that the proposed rulemaking would amend and to which it would add new requirements and (2) the broader framework of AML compliance requirements [155 ] that each type of covered financial institutions' program is meant to guide and ensure are met. [156 ] Table 3 presents an overview of features of the current program requirements that the proposed rule would further harmonize as well as their current organization and sequencing in the respective sections of the regulatory text.

As summarized in table 3, all covered financial institution types face broadly comparable program requirements with respect to developing and operationalizing internal policies, procedures, and controls; independent testing; designation of key individuals; training; and CDD (to the extent CDD is currently required for respective covered financial institution types). Nevertheless, a level of variation in not just the organization/ordering of the core requirements but also the specific language in each provision may lead different categories of covered financial institutions to interpret the harmonization and standardization of requirements in the proposed rule to represent a departure from current standards that is not uniform across types. To illustrate, FinCEN notes the following examples of variation as a non-exhaustive list of instances where the standardization of regulatory text in the proposed rule departs differentially from preceding regulatory language.

Internal Policies, Procedures, and Controls [157 ] —Current rules require that the internal controls of banks and casinos “assure ongoing compliance,” [158 ] while for MSBs, the requirement is simply to ensure that the MSB complies. [159 ] Meanwhile for broker-dealers, internal policies, procedures and controls must be “reasonably designed to achieve compliance.” [160 ]

Independent AML Program Testing [161 ] —The requirements for some financial institutions (i.e., banks, broker-dealers, mutual funds, and FCMs and IBCs) simply specify that independent testing for compliance must be conducted by personnel or an outside party, [162 ] while the requirements for other financial institution types (i.e., MSBs, insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs) specify that the entities must provide for independent review or testing to monitor and maintain an adequate program. [163 ] Some requirements (e.g., those for insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs) include further language about the scope and frequency of the testing, which must be commensurate with risk. [164 ]

Designated Individual(s) [165 ] —Banks must designate “an individual or individuals responsible for coordinating and monitoring day-to-day compliance,” [166 ] whereas broker-dealers, mutual funds, and FCMs and IBCs must designate person(s) “responsible for implementing and monitoring the operations and internal controls” of a program. [167 ] Others (i.e., insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs) must designate a compliance officer who is responsible for ensuring that (1) the AML program is implemented effectively and updated as necessary and (2) appropriate persons are educated and trained. [168 ]

Training [169 ] —Several covered financial institution types' existing requirements specify that training must be ongoing (i.e., for broker-dealers, mutual funds, insurance companies, FCMs and IBCs, DPMSJs, loan or finance companies, and housing GSEs), [170 ] while for the others, the requirements simply specify that training must be conducted. [171 ] Further, the language regarding the training requirement for some covered financial institution types (i.e., insurance companies, loan or finance companies, and housing GSEs) specifies an entity may choose to train appropriate persons directly or they can choose to verify “that such persons have received training by a competent third party.” [172 ]

CDD [173 ] —While it is understood that all categories of financial institutions have obligations to be diligent in developing an understanding of their clients or customers, generally, and often in the ordinary course of business, only certain financial institution types have programmatic CDD requirements. These include banks, irrespective of FFR; broker-dealers; mutual funds; and FCMs and IBCs. The language describing the CDD requirements for these covered financial institution types is nearly identical across financial institution type. [174 ] Other covered financial institutions do not have an explicit CDD requirement but have certain CDD-like requirements, including casinos and operators of credit card systems. [175 ] For example, casinos must have procedures for determining “the name, address, social security number, and other ( printed page 18732) information” of a person and verifying that information when required. [176 ]

Table 4 further illustrates additional features associated with the current program requirements that the proposed rule would standardize, including whether the program must be written, whether it must newly incorporate language to articulate program coverage of terrorist financing risks or the financing of terrorist activities, as well as who must approve the program and to whom a copy of the written program must be made available upon request.

Finally, while all covered financial institution types are required to have an effective AML/CFT program, the scope of requirements, obligations, and activities those programs cover, and hence, the number of components to be integrated and addressed by a program's design, risk assessment processes, and training, among other things, differs across covered financial institution types. This variation in scope of programmatic components is illustrated with a non-exhaustive list of examples in table 5. Table 5 highlights, for instance, that the programs of banks, broker-dealers, mutual funds, and FCMs and IBCs would be required to account for CIP requirements, SAR and CTR filing requirements, and other activities like additional due diligence (e.g., due diligence programs for correspondent accounts for foreign financial institutions and for private banking accounts as set forth in 31 CFR 1010.610 and 1010.620, respectively). Other covered financial institution types have fewer of these obligations, and hence the scope of what would need to be accounted for in their AML/CFT programs may be narrower.

| Covered financial institution type | 31 CFR
chapter X
section | Internal
policies,
procedures,
and controls | Independent
AML program
testing | Designating
individuals | Training | CDD |
| --- | --- | --- | --- | --- | --- | --- |
| Banks: | | | | | | |
| with an FFR | 1020.210 | (a)(2)(i) | (a)(2)(ii) | (a)(2)(iii) | (a)(2)(iv) | (a)(2)(v) |
| without an FFR | | (b)(2)(i) | (b)(2)(ii) | (b)(2)(iii) | (b)(2)(iv) | (b)(2)(v) |
| Casinos | 1021.210 | (b)(2)(i) | (b)(2)(ii) | (b)(2)(iv) | (b)(2)(iii) | (a) |
| MSBs | 1022.210 | (d)(1) | (d)(4) | (d)(2) | (d)(3) | |
| Broker-Dealers | 1023.210 | (b)(1) | (b)(2) | (b)(3) | (b)(4) | (b)(5) |
| Mutual Funds | 1024.210 | (b)(1) | (b)(2) | (b)(3) | (b)(4) | (b)(5) |
| Insurance Companies | 1025.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| FCMs and IBCs | 1026.210 | (b)(1) | (b)(2) | (b)(3) | (b)(4) | (b)(5) |
| DPMSJs | 1027.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| Operators of Credit Card Systems | 1028.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | (b) |
| Loan or Finance Companies | 1029.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| Housing GSEs | 1030.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| a While the current casino AML program requirements do not include an itemized CDD subsection, they include some customer-specific requirements. See, e.g., 31 CFR 1021.210(b)(2)(v)(A). | | | | | | |
| b Despite the absence of a CDD AML program requirement for operators of credit card systems, compliance with the AML program requirements necessitates some CDD-like activities. See 31 CFR 1028.210(b)(1)(i) and (ii). | | | | | | |

| Covered financial institution type | 31 CFR
chapter X
section | Written | Addresses
terrorist
financing | Approved by | To whom a written copy of a
program should be made available

to upon request |
| --- | --- | --- | --- | --- | --- |
| Banks: | | | | | |
| with an FFR | 1020.210 | ✓ a | | Board of directors or equivalent governing body a | Not applicable. |
| without an FFR | | ✓ | | Board of directors or equivalent governing body | FinCEN or its designee. |
| Casinos | 1021.210 | ✓ | ✓ | | Not specified. |
| MSBs (Principals and Agents) | 1022.210 | ✓ | ✓ | | Department of the Treasury. |
| Broker-Dealers | 1023.210 | ✓ | | Senior management | Not specified. b |
| Mutual Funds | 1024.210 | ✓ | ✓ | Board of directors or trustees | SEC. |
| Insurance Companies | 1025.210 | ✓ | ✓ | Senior management | Department of the Treasury, FinCEN, or its designee. |
| FCMs and IBCs | 1026.210 | ✓ | ✓ | Senior management | Not specified. |
| DPMSJs | 1027.210 | ✓ | ✓ | Senior management | Department of the Treasury through FinCEN or its designee. |
| Operators of Credit Card Systems | 1028.210 | ✓ | ✓ | Senior management | Department of the Treasury or appropriate Federal regulator. |
| Loan or Finance Companies | 1029.210 | ✓ | ✓ | Senior management | FinCEN or its designee. |
| Housing GSEs | 1030.210 | ✓ | ✓ | Senior management | FinCEN or its designee. |
| a The applicable regulations of the several Federal banking regulators specify these elements of a bank's AML program. See 12 CFR 208.63(b) (FRB), 21.21(c)(1) (OCC), 326.8(b) (FDIC), 748.2(b) (NCUA). FinCEN regulations indirectly impose these requirements by deeming a bank with an FFR to be in compliance with FinCEN's AML program requirement if it complies with comparable regulations of its FFR. 31 CFR 1020.210(a)(3). | | | | | |
| b FinCEN has delegated authority to examine broker-dealers' compliance with FinCEN regulations to the SEC (see 31 CFR 1010.810(b)(6)). Thus, while the FinCEN regulation regarding broker-dealer AML programs, 31 CFR 1023.210, does not itself grant SEC authority to examine a broker-dealer's AML program, the SEC has authority pursuant to 31 CFR 1010.810(b)(6), in combination with 31 CFR 1023.210, to request a written copy of a broker-dealer's AML program. | | | | | |
( printed page 18733)
| Covered financial institution type | 31 CFR
chapter
X part | CIP | Required reports | | Additional
due

diligence b
CTR or

                                Form 8300 a | SAR |  |  |  |  |

| Banks (with and without an FFR) | 1020 | ✓ | ✓ | ✓ | ✓ |
| Casinos | 1021 | (c) | ✓ | ✓ | |
| Principal MSBs: | | | | | |
| Providers or sellers of prepaid access programs d | 1022 | (e) | ✓ | ✓ | |
| Others | | | ✓ | ✓ | |
| Agent MSBs | | | ✓ | ✓ | |
| Broker-Dealers | 1023 | ✓ | ✓ | ✓ | ✓ |
| Mutual Funds | 1024 | ✓ | ✓ | ✓ | ✓ |
| Insurance Companies | 1025 | | ✓ | ✓ | |
| FCMs and IBCs | 1026 | ✓ | ✓ | ✓ | ✓ |
| DPMSJs | 1027 | | ✓ | | |
| Operators of Credit Card Systems | 1028 | (f) | ✓ | | |
| Loan or Finance Companies | 1029 | | ✓ | ✓ | |
| Housing GSEs | 1030 | | ✓ | ✓ | |
| a Certain financial institutions (i.e., banks, casinos, MSBs, broker-dealers, mutual funds, and FCMs and IBCs) are required to report currency transactions over $10,000 conducted by, or on behalf of, one person and multiple currency transactions that aggregate to be over $10,000 per day in a CTR. The remaining covered financial institutions are required to report cash payments over $10,000 that are received in a trade or a business using Form 8300. | | | | | |
| b Additional due diligence requirements as set forth in 31 CFR 1010.610, and due diligence requirements for private banking accounts, as described in 31 CFR 1010.620, are included in program requirements. | | | | | |
| c While there is no directly comparable CIP section to the casino AML program requirements, there are CIP-like requirements in 31 CFR 1021.210(b)(2)(v)(A), as a casino's program must include procedures for determining and verifying relevant information related to persons. | | | | | |
| d A provider or seller of prepaid access includes principal MSBs as defined in 31 CFR 1010.100(ff)(4)(i) and (ii) for providers, 31 CFR 1010.100(ff)(7) for sellers. | | | | | |
| e While there is no directly comparable CIP section to the MSB program requirements, there are CIP-like requirements for providers and sellers of prepaid access in 31 CFR 1022.210(d)(1)(i) through (iv). | | | | | |
| f The program rules applicable to operators of credit card systems do not contain a formal CIP requirement; however, program compliance in certain cases necessitates some CIP-like activities. See 31 CFR 1028.210(b). | | | | | |

iii. Current Practices

FinCEN made efforts to account for current practices when estimating the expected incremental impact of the proposed rule. In the subsections below, FinCEN describes select key features of current practices of covered financial institutions, regulators, and law enforcement agencies considered salient to its analysis. FinCEN requests comment on the existence of other aspects of current practice that should have been considered or further information about the aspects considered that should be included. [177 ]

a. Current Market Practices

FinCEN took certain data and features of financial institutions' current practices into consideration when estimating the expected incremental impact of the proposed rule. Among these features were the presence of third-party services, industry-specific associations, or other organizations that currently facilitate compliance with BSA/AML requirements as well as information about the costs of currently operating AML/CFT programs.

Public commentary has at times suggested that general compliance with the BSA and maintaining an AML program under current practice is costly and burdensome to covered financial institutions and, in some cases, of perceived limited value. [178 ] However, publicly available data with which to form a robust estimate of the aggregate burden of program compliance—to the U.S. economy, generally, or to the unique industry groups to which the proposed rule would apply, specifically—as it has been understood and operationalized to date, is scarce. Absent more reliable comprehensive baseline data, FinCEN is constrained in its ability to estimate total current economic costs with any meaningful degree of certainty, or assess the substitutability of current and expected compliance activities under the proposed regulation, or quantify the potential for aggregate cost savings that covered institutions might privately benefit from in complying with the proposed rule. [179 ] Nevertheless, this analysis includes FinCEN's best efforts at quantification with certain qualifications. FinCEN continues to request more comprehensive, precise, and/or generalizable information on financial institutions' compliance burden and costs in its routine OMB control number renewals, [180 ] in its forthcoming survey, [181 ] and as part of this rulemaking. [182 ]

As in the 2024 Program NPRM, FinCEN continues to believe that the aggregate costs of BSA compliance, including AML program requirements, may be several billion dollars per year. [183 ] This estimate (1) is generally ( printed page 18734) consistent with FinCEN's estimate that the aggregate annual costs of the portion of BSA compliance burden that are attributable to reporting and recordkeeping activities alone (PRA activities) is over $6 billion and (2) tracks data interpolated from both a 2020 U.S. Government Accountability Office (GAO) study of bank AML programs [184 ] and a 2018 St. Louis Federal Reserve report on the regulatory burden on community banks. [185 ] Extrapolating from the survey results in these studies, FinCEN estimates that the comparable aggregate annual program costs for FDIC-insured banks and NCUA-regulated credit unions, as a unique subpopulation of all financial institutions subject to program requirements, would have been over $4 billion at the time of the surveys, with the average bank spending approximately $500 thousand or just under two percent of operating expenses, on program compliance. These results broadly comport with recent research findings that in non-financial industries, approximately 1.3 percent of the average firm's wage bill is expended on regulatory compliance activities. [186 ] Using a methodological approach similar to the 2020 and 2018 studies, but applied to data as available at end of calendar year 2024, FinCEN estimates that the size-weighted mean (median) bank or credit union currently spends approximately $598,700 ($414,300) on program compliance annually, which is equivalent to an aggregate annual expenditure level between $3.7 and $5.4 billion for banks with an FFR.

b. Current Supervisory and Enforcement Practices

The proposed rule is expected to introduce certain changes that could affect current supervisory and enforcement practices to varying degree by category of affected financial institution. Thus, FinCEN took into consideration its own and other FFRs'—particularly, the Agencies'—current supervisory and enforcement processes.

In its capacity as the administrator of the BSA, FinCEN has delegated its authority to the FFRs, including the Agencies, to examine financial institutions for compliance with the BSA and its implementing regulations. [187 ] In connection with this delegation, FinCEN has entered into certain memoranda of understanding with the FFRs that enable FinCEN and the FFRs to share information with one another on a routine basis about relevant financial institutions' compliance with the BSA and its implementing regulations. FinCEN and the FFRs also regularly engage one another in supervisory dialogue, regarding both specific issues related to a particular financial institution's compliance and broader patterns or trends in financial institutions' general compliance with the BSA. Although such information sharing and supervisory dialogue may include matters that the proposed rule would define as significant supervisory actions or enforcement actions, [188 ] these current practices do not entail consultation by the Federal banking regulators with FinCEN to the same extent as the proposed rule would require.

With respect to the Agencies, FinCEN understands that these agencies examine banks' BSA/AML compliance programs every 12 to 18 months using risk-focused procedures outlined in the FFIEC BSA/AML Examination Manual. If violations are found or they have serious supervisory concerns that are not timely addressed, the Agencies may take actions ranging from informal corrective measures to formal enforcement actions such as cease-and-desist orders. [189 ] The baseline costs associated with these activities are understood to be a fraction of the Agencies' reported aggregate expenses on conducting supervision and enforcement. In its survey of the most recent publicly available information, FinCEN noted that in total spending on supervision: (1) the FDIC allocated $1.35 billion to supervision in its 2026 proposed operating budget; 190 the FRB spent nearly $2.2 billion on supervision and regulation in 2024 and proposed allocating nearly $2.4 billion in its 2025 budget; [191 ] and (3) the OCC reported spending $1.2 billion in costs associated with its supervision program in fiscal year 2025. [192 ] Using this data [193 ] to form a crude approximation, FinCEN estimates that a change in total expenditures or reallocation of current expenditures of less than two percent, would, independent of all other expected economic effects of the rule, constitute a significant economic impact in any given year. [194 ]

Based on consultation with the Agencies, FinCEN anticipates changes of this magnitude to be unlikely because the proposed rulemaking is not expected to require substantial alterations to the Agencies' supervisory expenditures or to require significant additional resources to develop, implement, and maintain the enforcement and supervisory action consultation process with FinCEN. As such, any reallocative effects that flow from the proposed rule through changes in supervisory and enforcement practices are likely to be more pronounced for FinCEN than for those ( printed page 18735) to whom it has delegated examination authority.

c. Current Use of BSA Information by Law Enforcement and National Security Agencies

While results may not be published, FinCEN both routinely receives reports [195 ] and conduct surveys [196 ] that speak to the use and usefulness of BSA information to law enforcement and national security agencies. An older, but broadly analogous, publicly available report from the GAO found that in 2018, a majority of Federal and State law enforcement agencies had direct access to FinCEN's BSA database (i.e., 85 percent of federal agencies and 54 percent of State agencies), though fewer than one percent of local law enforcement agencies did. [197 ] FinCEN believes these survey results may underrepresent the extent to which local law enforcement may benefit from BSA information insofar as the GAO study could not directly account for the incidence of referrals to local law enforcement of matters not otherwise pursued by Federal or State agencies directly. The study also surveyed 5,257 investigators, analysts, and prosecutors at six Federal law enforcement agencies and found that these agencies used BSA data extensively, estimating that approximately 72 percent of personnel conducting investigations from 2015 to 2018 used BSA reports to support their work. [198 ]

3. Description of Proposed Regulatory Changes

For purposes of the RIA, FinCEN considered the various components of the proposed rule—including its proposed amendments to existing rules and proposed new requirements—with a view towards the specific features or elements that are expected to generate, either directly or indirectly, an economic benefit or cost or lead to changes in market participant incentives in a way that may generate economic benefits or costs. [199 ] For components of the proposed rule that FinCEN analysis has not assigned an expected economic effect, the reason for doing so is briefly described below.

The description of proposed requirements below is organized by the scope and anticipated potential magnitude of economic effects, starting with the proposed changes, applicable to the broadest scope of financial institutions, that are expected to be the least substantive and concluding with the proposed changes, concentrated on the narrowest scope of affected parties, that have the greatest potential to result in substantive changes. To balance the completeness of the RIA with the desire for expositional clarity and ease of tractability between the proposed regulatory text and sections V (section-by-section analysis) and X (regulatory impact analysis), FinCEN has included table 6, to provide a mapping of the various components of the proposed rulemaking as presented in the section-by-section analysis to their analogous categorization in the RIA.

| Scope of
affected entities | The proposed rule would . . . | Section V analysis | Considered in
RIA subsection(s) | Proposed regulatory text location |
| --- | --- | --- | --- | --- |
| Generally Applicable to all Financial Institutions | Insert “CFT” to standardize references to “AML/CFT” as in “AML/CFT Program,” replacing “AML program” or “BSA/AML program” | V.A, V.G | X.A.3.i | various (regulatory titles, CIP regulations, etc.) |
| | Remove program-related compliance dates that are no longer relevant | V.G.3 | X.A.3.i | n/a, text removed |
| | Conceptually define program “effectiveness” | V.B, V.C | X.A.3, X.A.4 | 10XX.210(a) |
| | Introduce a two-prong program framework of compliance with program requirements | V.C. | X.A.3, X.A.4 | 10XX.210(a)(1) and (2) and (c) |
| | Encourage adoption of new technology or other innovative approaches, while removing prescriptive requirements | V.B, V.D.1, V.F.4, V.G.2 | X.A.3.i, X.A.4.i.a, X.A.4.ii.a | n/a |
| | Standardize requirements that a program's internal policies, procedures, and controls be reasonably designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent with its risk assessment processes; and, if applicable (3) conduct ongoing CDD | V.D.1 | X.A.3.i | 10XX.210(b)(1) |
| | Require that internal policies, procedures, and controls identify, assess, and document ML/TF risks through risk assessment processes | V.D.1.i | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(1)(i) |
| | Require that internal policies, procedures, and controls mitigate ML/TF risks consistent with a financial institution's risk assessment processes (including appropriate allocation toward higher-risk customers) | V.D.1.ii | X.A.3.i, X.A.4.i.a, X.A.4.ii.a | 10XX.210(b)(1)(ii) |
| | Require that risk assessment processes (1) evaluate ML/TF risks from business activities; (2) consider AML/CFT Priorities; and (3) update promptly responsive to significant changes to ML/TF risks | V.D.1.i.a, b, c | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(1)(i)(A), (B), and (C) |
| | Standardize language describing program requirements for independent testing | V.D.2 | X.A.3.i | 10XX.210(b)(2) |
| | Require independent testing | V.D.2 | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(2) |
| | Standardize program requirements regarding the designated individual responsible for establishing, implementing, and coordinating day-to-day program compliance | V.D.3.i | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(3) |
| | Require that the designated individual is located in the United States | V.D.3.ii | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(3) |
| | Require that the designated individual is accessible to, and subject to oversight and supervision by, FinCEN and the appropriate FFR | V.D.3.ii | X.A.3.i | 10XX.210(b)(3) |
| | Require that the designated individual is responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance | V.D.3 | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(3) |
| | Standardize language describing program requirements for ongoing employee training | V.D.4 | X.A.3.i | 10XX.210(b)(4) |
| | Require ongoing employee training | V.D.4 | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(4) |
| | Require the AML/CFT program to be written | V.E.1 | X.A.3.i, X.A.4.ii.a | 10XX.210(d) |
| | Require the AML/CFT program to be made available upon request to FinCEN or its designee | V.E.1 | X.A.3.i, X.A.4.ii.a | 10XX.210(d) |
| | Require the AML/CFT program to be approved by the financial institution's board of directors or an equivalent governing body within the financial institution, or appropriate senior management | V.E.2 | X.A.3.i, X.A.4.ii.a, X.E | 10XX.210(d) |
| Applicable to Covered FIs Only | Integrate CDD-related program requirements into the “establishment prong” of the proposed new program framework | V.D.1.iii | X.A.3.ii, X.E | 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii) |
| Applicable to Banks Only | Consolidate 31 CFR 1020.210(a) and (b) into a single set of rules applicable to all banks | V.G.1 | X.A.3.iii | n/a, text consolidated |
| | Remove redundant regulatory text affirming the requirement that banks must comply with the rules of their FFRs | V.G.4 | X.A.3.iii | n/a, text removed |
| | Define the terms/phrases “AML/CFT enforcement action,” “AML/CFT requirement,” and “significant AML/CFT supervisory action” | V.F.1 | X.A.3.iii, X.A.4.ii.a | 1020.221(a) |
| | Provide that a bank with an AML/CFT program established in accordance with proposed 31 CFR 1020.210(b) would not be subject to an AML/CFT enforcement action or significant AML/CFT supervisory action absent a significant or systemic failure to implement said program within the meaning of proposed 31 CFR 1020.210(c) | V.F.2 | X.A.3.iii, X.A.4.i.a | 1020.221(b)(1) |
| | Provide that the proposed 31 CFR 1020.221(b)(1) provisions do not apply when there is a failure to establish a bank program within the meaning of proposed 31 CFR 1020.210(b) | V.F.2 | X.A.3.iii, X.A.4.i.a, X.A.4.ii.a | 1020.221(b)(2) |
| | Provide that in determining to take, or in review of, an AML/CFT enforcement action or significant AML/CFT supervisory action, the Director would take into account factors under 31 U.S.C. 5318(h)(2)(B) and the bank's unique ability and efforts to advance AML/CFT Priorities | V.F.4 | X.A.3.iii, X.A.4.i.a, X.A.4.i.b, X.A.4.ii.b | 1020.221(d) |
| Applicable to Bank FFIRAs | Require FFIRA consultation with the Director before any significant AML/CFT supervisory action pursuant to delegated authority is initiated | V.F.3 | X.A.3.iv, X.A.4.i.a, X.A.4.i.b, X.A.4.ii.a, X.A.4.ii.b | 1020.221(c)(1) |
| | Require, generally, an FFIRA to provide written notice to the Director of any intent to take a significant AML/CFT supervisory action pursuant to delegated authority at least 30 days in advance of the proposed action | V.F.3 | | 1020.221(c)(2)(i) |
| | Require, to the extent reasonably practicable, that an FFIRA respond to requests from the Director for additional information regarding a proposed significant AML/CFT supervisory action | V.F.3 | | 1020.221(c)(2)(ii) |
( printed page 18737)

i. Generally Applicable to All Financial Institutions

In this NPRM, FinCEN proposes to introduce a number of technical changes that include new definitions and new or amended language that seek to improve the clarity and congruence of the current regulatory text across all categories of financial institutions. Many of these are expected to be non-substantive changes, but some might reasonably be expected to result in novel or alternative activities being undertaken by at least some affected parties. For completeness, the full scope of changes is reviewed in the section below; however, only those changes that could foreseeably result in non-negligible changes in the activities of a non-trivial subpopulation of affected parties are further discussed in section X.A.4.

Changes that are not foreseen to be substantive include updating 31 CFR chapter X to insert the term “CFT” into the program rules; [200 ] the standardization of the ordering and language used to describe the necessary “four pillars” required of all financial institution types' AML/CFT programs, [201 ] and other technical amendments to program attributes. [202 ] FinCEN is also proposing to amend certain existing definitions to incorporate non-substantive, modernizing updates. [203 ]

Other changes might reasonably be expected to result, to varying degrees, in novel or alternative activities being undertaken by affected parties and are identified as such for further consideration in section X.A.4 below. These include the introduction of certain definitions, concepts, textual reorganizations, and express requirements.

FinCEN proposes to define “AML/CFT priorities” such that when the term is used throughout 31 CFR chapter X, it is clear that only the most recently published version [204 ] of the AML/CFT Priorities is being referenced. [205 ] The extent to which defining the priorities this way may affect expected burdens would depend on how path-dependent programmatic best practices would otherwise be and the magnitude of changes in AML/CFT Priorities between one publication and the next.

Additionally, the proposed rule includes certain linguistic changes that are to a greater extent intended to demarcate intended changes in conceptual framing and accountability mechanisms than introduce new requirements for financial institutions. [206 ] The novel imposition of these specific semantic distinctions between “establish” and “maintain” are meant to create an evaluative framework that would enable an evaluator or evaluated entity to meaningfully distinguish between facially similar observed errors, omissions, or other failures that impede a program's effectiveness by causal attribution (to either a flaw in program design or in program execution). This causal distinction, in turn, would afford certain protections from excessive supervisory and/or enforcement action by regulators or other compliance examiners and relieve a given financial institution from the need, real or perceived, to prophylactically undertake excessive program activities for the exclusive purpose of mitigating such excessive supervisory or enforcement action risks.

ii. Applicable to Covered Financial Institutions

As discussed in section X.A.2.ii, while all financial institutions must exercise diligence when developing an understanding of their clients or customers, only a select subset of financial institutions subject to the BSA have express “fifth pillar,” or CDD obligations. [207 ] FinCEN has long held that this “fifth pillar” is itself composed of four core elements, [208 ] including three (in addition to beneficial ownership identification and verification) that are integral to the design and execution of a compliant AML program. [209 ] This NPRM includes a proposed, non-substantive change in the structural organization of program requirements that would move CDD core elements three and four from their current standalone textual positions to become nested in the “establishment prong” of AML/CFT program requirements.

As explained in section V.D.1.iii, this change is intended to simply better reflect how covered financial institutions operationalize such ongoing CDD as part of their overall AML programs and would not be expected to engender novel incremental burden. It is therefore not further discussed in section X.A.4 below. However, FinCEN has, in the course of analysis undertaken in connection with several recent rulemakings and its review of its PRA obligations, taken note of certain clerical errors and omissions that caused the existing recordkeeping burden associated with CDD core elements three and four to be omitted from certain pre-existing OMB control numbers. As a result, the PRA analysis in section X.E below includes a line item associated with CDD program obligations that would address the previous omission. This administrative correction does not reflect, in either level or proportion, an anticipated need for catholic changes to covered financial institutions' baseline due diligence practices.

iii. Applicable to Banks

When assessing the potential economic impact of the incremental portions of the proposed rule unique to banks, FinCEN considered both the ( printed page 18738) portions of the proposed regulatory text that pertain to requirements placed on banks directly as well as portions of the proposed regulatory text that may prescribe activities for parties other than banks but are reasonably expected to have an impact on banks. The distinction in causal channels, while recognized in this section, is not maintained in section X.A.4 below in cases where the economic effects of the proposed regulatory text on banks are not reliably separable or such incremental analysis would not enrich the analysis.

Additionally, certain proposed changes are not discussed further in section X.A.4 below because it is unclear that they would have either independent incremental effects or any economic effect at all. These changes include the proposals: (1) to combine the two bank program rules—for banks with an FFR and those without an FFR—into one framework; 210 to remove regulatory text affirming the requirement for banks to comply with the rules of their FFRs; [211 ] and (3) to define the terms/phrases “AML/CFT enforcement action,” “AML/CFT requirement,” and “significant AML/CFT supervisory action” for purposes of proposed 31 CFR 1020.221. [212 ]

In the proposed rule, the supervision and enforcement requirements would apply only to banks and the Agencies. Of the proposed requirements, FinCEN anticipates that proposed 31 CFR 1020.221(b)(1) is likely to have the most substantive impact on banks, while, by contrast section 221(b)(2), in practice, represents the least difference from status quo. Notwithstanding that the framework of proposed § 10XX.210(a) and the proposed requirements/provision of § 10XX.210(b)(1)(ii) (to allocate program resources and attention by risk level) apply to all categories of regulated financial institutions, the economic effects of the proposed evaluative framework are expected to be greatest where supervisory and enforcement commitment to abide by the framework is perceived by affected financial institutions to be the most credible. For this reason, banks regulated by the Agencies may be uniquely affected among the categories of financial institutions that would be subject to the proposed rule because they are the only financial institutions with companionate regulation binding the parties supervising and enforcing their compliance.

FinCEN also expects proposed 31 CFR 1020.221(d) to affect banks' incentives because it provides that in determining to take, or in review of, an AML/CFT enforcement action or significant AML/CFT supervisory action, the Director would take certain factors into consideration, including facts and circumstances unique to the bank in question. In particular, section 221(d)(2) would require the Director to consider the bank's demonstrable efforts to advance AML/CFT Priorities such as its production of highly useful information, analytics, or other innovations. If these efforts would newly be, or to a markedly greater extent than they currently are, allowed to weigh in the bank's favor when under consideration for an AML/CFT enforcement action or significant AML/CFT supervisory action, FinCEN expects that the proposed regulation could reasonably be expected to generate economic effects because it would likely change the scope or nature of activities undertaken and/or investments made.

iv. Applicable to Federal Financial Institutions Regulatory Agencies

As described above in section V.F.3, the proposed rule would introduce new notice, [213 ] consultation, [214 ] consideration, [215 ] and response [216 ] requirements for the Agencies before initiating significant AML/CFT supervisory actions. FinCEN anticipates that the proposed consultation process is likely to have direct economic effects on both FinCEN and the Agencies, further discussed below in sections X.A.4.i.b (expected benefits) and ii.b (expected costs). The proposed process could also reasonably be expected to have indirect effects on the banks subject to supervision and examination by Federal banking regulators to the extent that the consultative process is successful in better aligning supervisory and enforcement activities with the efficient establishment and maintenance of AML/CFT programs. Finally, while further downstream economic effects may also flow to the general public from this improved alignment, these effects would be third order at best, and difficult to distinguish from the effects of other incremental components of the proposed rule. Thus, despite acknowledging that economic effects of the proposed regulatory changes applicable to the Agencies may reach to banks and the general public, they are not itemized or further considered for these affected parties in their respective sections below.

4. Anticipated Economic Effects

Ideally, conducting an RIA would enable FinCEN to identify and monetize all of a proposed regulation's most salient economic effects with a high degree of certainty so that policymakers and the commenting public would be able to comparatively evaluate different regulatory options' benefits and costs and advocate for the option with the greatest net benefits. In practice, however, financial regulations include benefits and costs that cannot be quantified with any degree of certainty, making simple benefit-cost comparisons potentially misleading, “because the calculation of net benefits in such cases does not provide a full evaluation of all relevant benefits and costs.” [217 ] In its analysis, FinCEN has therefore sought to include an evaluation of certain foreseeable non-quantified economic effects in addition to certain quantified costs to more comprehensively assess the potential net benefit of the proposed rule and select alternatives.

Additionally, because program rules are a minimum standard, [218 ] FinCEN preemptively qualifies its analysis as likely to overstate both the benefits and costs of the proposed rule for covered financial institutions that already strive for best practices or whose programs already meet or surpass the proposed requirements. However, because the lack of an incremental effect for these institutions would affect both benefits and costs, it should not, in theory, affect an assessment of the overall net effects, as the differences on both sides should offset each other. FinCEN requests comment on the reasonableness of this expectation and solicits data or information, if available, that would improve the accuracy of its assessment of impact if this reliance on theory is not appropriate. [219 ]

i. Expected Benefits

The proposed rule is anticipated to result in certain nonquantifiable benefits to covered financial ( printed page 18739) institutions, regulators and other compliance examiners, law enforcement and national security agencies, and the general public. As discussed in section X.A.1, these benefits are expected to flow from the extent to which the new and amended program requirements are better able to address the fundamental economic problems that might otherwise limit current AML program and regime effectiveness.

a. Regulated Financial Institutions

As discussed above in section X.A.1, this proposed rule, among other things, aims to reduce distortions due to information asymmetries by providing regulated financial institutions and their regulators with clarity about the requirements that would need to be met in order to have an effective AML/CFT program. By emphasizing that an effective program is one that mitigates a regulated financial institution's ML/TF risks by directing more attention and resources toward higher-risk customers and activities rather than toward lower-risk ones, regulated financial institutions may choose to reallocate their resources in a way that better aligns the program requirements and the elements of a regulated financial institution's compliance burden that are unobservable. This reallocation of resources could decrease the cost per unit of effectiveness. That is, it could reduce the expense of time and money on activities that do not create value, while improving the effectiveness of their AML/CFT programs by better preventing money laundering and financing of terrorism with risk-based improvements to detecting, preventing, and identifying illicit financial activity.

Further, by having FinCEN and the Federal regulators focus on addressing significant or systemic failures to implement an effective program rather than addressing isolated, technical, or immaterial implementation issues, FinCEN expects that in aggregate, financial institutions would have to respond to fewer such enforcement or supervisory actions and may save personnel time that would otherwise be allocated to unproductive supervisory inquiries.

Specifically for banks, giving FinCEN a greater role in the supervisory process could reduce the possibility for differences between how FinCEN and the compliance examiners might assess the quality of a bank's program. This would help ensure that bank regulators are focused on assessing banks' AML/CFT programs for effectiveness rather than mere technical compliance. Doing so would allow banks to focus their attention and resources on activities that are truer to the nature of their business and clientele rather than non-meaningful metrics that aim to assess, by proxy, the program-related efforts that cannot be directly observed.

Additionally, by explicitly allowing (but not requiring) financial institutions to use technological innovation, financial institutions may be better positioned to incur benefits from being encouraged to use newer methods to identify and thwart illicit finance activity risks with a broader view to value of doing so.

The proposed rule may result in benefits to certain regulated financial institutions individually. In other instances, groups of regulated financial institutions may benefit collectively. The proposed program establishment requirement would require every regulated financial institution to develop risk-based internal policies, procedures, and controls that are reasonably designed to identify, assess, and document ML/TF risk through risk assessment processes and mitigate those risks consistent with the risk assessment processes, including by allocating more attention and resources toward higher risks. While some financial institutions already engage in such practices, the proposed rule would require every financial institution covered under the BSA to undertake such a process. This could enable each affected covered financial institution to better understand its own ML/TF risks and help it detect threat patterns or trends that could then be incorporated into its risk assessment processes.

The proposed changes in AML/CFT program requirements may also reduce the distortion in incentives of certain covered financial institutions that currently benefit disproportionately from the positive externalities of other institutions by more explicitly limiting their ability to underinvest in their own efforts by requiring them to direct more attention and resources toward higher-risk customers. While this would result in an incremental change in expenditures to the affected covered financial institutions, both peer institutions and the affected financial institution may benefit from the change.

FinCEN anticipates that financial institutions would also incur benefits from being better positioned to identify, deter, and detect illicit financial activity because financial crime not only impacts the public at large, but can also disrupt financial institutions directly impacted by financial crime or that are used as conduits to facilitate such crimes. Moreover, financial institutions with ineffective AML/CFT programs are exposed to the risks of criminal, regulatory, and civil investigations; penalties; and actions, where restrictions to engage in mergers and acquisitions may be applied to certain covered financial institutions with ineffective AML records. Thus, financial institutions with effective programs could incur tangible benefits in avoiding litigation costs, investigation costs, and monetary penalties associated with ineffective AML/CFT programs.

Further, as a result of the collective enhancements to a covered financial institution's AMF/CFT program, the institution itself, or the group of financial institutions to which it belongs, may also experience reputational benefit if they come to be viewed as better insulated from such disruptions and/or potentially become generally perceived as more reliable or transparent in their financial services or activities.

b. Regulators and Other Compliance Examiners.

By encouraging regulators and other compliance examiners to focus their efforts on addressing significant or systemic failures to implement an effective AML/CFT program, rather than addressing isolated, technical, or immaterial implementation issues, these regulators and examiners may have fewer non-substantive issues to adjudicate with regulated entities, which could potentially relieve the demand for, and the less productive use of, time and other limited resources. This, in turn, may enable examinations and other supervisory activities to be more productive by better aligning outcomes with AML/CFT Priorities and objectives. [220 ]

c. Law Enforcement and National Security Agencies

The proposed rule may also benefit U.S. law enforcement and national security efforts against ML/TF risks by rendering AML/CFT programs more risk based through proposed requirements such as incorporating risk assessment processes into internal policies, procedures, and controls and ensuring that AML/CFT programs focus attention and resources on high-risk customers and activities. These proposed changes would increase the likelihood that the information provided to law enforcement and national security agencies from AML/CFT programs would be highly useful.

Moreover, under the proposed rule, covered financial institutions would be required to promptly re-establish their AML/CFT program any time they face a ( printed page 18740) significant change in their ML/TF risk. This, along with ensuring they focus attention and resources toward higher-risk customers and activities, would allow AML/CFT programs to respond to evolving risks that the financial institutions may face. FinCEN anticipates that this risk-focused posture of AML/CFT programs would lead to better information that would enhance U.S. agencies' ability to investigate, prosecute, and disrupt financing of terrorism, other transnational security threats, and domestic and transnational illicit financial activity.

The proposed rule would also require covered financial institutions to review and, as appropriate, incorporate the AML/CFT Priorities into their AML/CFT programs. Incorporating the priorities, which have been issued in consultation with various U.S. and State government agencies, [221 ] would further equip AML/CFT programs to produce information that is highly useful to law enforcement, particularly with respect to identified threats to U.S. financial system and national security deemed government-wide priorities. Thus, law enforcement efforts with respect to these AML/CFT Priorities, such as investigations and prosecutions, data analytics, and policy analysis and decision making, would benefit.

There is also a corollary benefit from the proposed rule in reducing BSA records and reporting that are not highly useful, since such “not highly useful” records and reports degrade the ability of law enforcement and national security to efficiently and effectively identify illicit finance activity relevant to their investigations, prosecutions, and risk assessments.

Additionally, the proposed rule would provide financial institutions with the flexibility to innovate responsibly. In doing so, law enforcement and national security efforts may reap the benefits of financial institutions' use of technological innovation to detect and disrupt illicit financial activity.

d. General Public

The proposed rule is additionally expected to benefit the public. FinCEN anticipates that the public benefit would result from both the potential for a more effective AML/CFT regime to better deter illicit activity and the potential for a better-calibrated regime to reduce certain low-value activities and unintended social costs. [222 ] The proposed rule is expected to enhance the deterrent effect of AML/CFT programs and the utility of information such programs provide to law enforcement and national security agencies, and through these mechanisms, contribute to reduced rates of crime and enhanced national security, respectively.

While FinCEN expects the proposed rule to enhance the deterrent effect of current AML/CFT programs at covered financial institutions and facilitate law enforcement and national security agencies in identifying and disrupting or otherwise bringing actions against illicit activities, it is difficult to estimate how much additional economic loss the proposed requirements would prevent. FinCEN lacks data that would be necessary to quantify how much money laundering and the financing of terrorism could be reduced as a result of the proposed rule or how much other illegal activity would be curbed by this reduction in money laundering and terrorist financing. [223 ] Money laundering and other illicit financing is related to a wide array of activities including human trafficking, drug trafficking, terrorism, public corruption, the proliferation of weapons of mass destruction, fraud, and other crimes and illicit activities that cause substantial monetary and nonmonetary damages, but costs to the public attributable to each typology are not always measurable, able to be separately estimated, or quantified over the same period of time due to the variation in lags between when illicit activity occurs and when it is detected or related financial activity occurs. [224 ]

Nevertheless, certain subcategories of illicit financial activity that frequently have a nexus with ML/TF that are better identified and studied can help contextualize the significance of its economic effects. For example, the eight percent of 2024 SHED participants described in section X.A.2.i.d above who reported being the victim of financial fraud or a scam involving their money, but not a credit card, only recovered $21 billion from $84 billion in identified losses, meaning $63 billion was lost to fraud and scams. If this were the exclusive category of losses that the proposed rule's effectiveness addressed, then enhanced AML/CFT programs would only need to reduce—whether by greater deterrence and/or an increase in recovery—losses by a mere two-tenths (0.2) of a percent to generate an economic impact large enough for the proposed rule to be deemed a significant regulatory action. [225 ]

Thus despite an inability to precisely quantify the magnitude of anticipated aggregate economic benefit of the proposed rule to the general public, FinCEN anticipates that by reducing ML/TF risks, and by extension associated illicit activities, the related economic effects could reasonably be expected to be meaningfully large even if the subset of harms that are quantifiable are only reduced by very small proportions.

ii. Expected Costs

a. Regulated Financial Institutions

Given the magnitude of expenses incurred annually by financial institutions in efforts to satisfy existing program obligations, FinCEN estimates that a change in expenditures of as little as one percent would already be economically significant.

FinCEN currently lacks the data necessary to estimate the proportion of covered financial institutions that would establish and maintain their AML/CFT programs differently as a result of the proposed rule, the manner in which they would do so, and whether such changes were technically necessary for reasons uniquely attributable to the regulatory changes proposed. [226 ] Additionally, given (1) the differences in baselines between covered financial institution types; (2) the differences in scope that must be covered by each of the covered financial institution type's AML/CFT programs; [227 ] and (3) the extent to which compliance costs can vary within a covered financial institution type based on, for example, a financial institution's ( printed page 18741) size and the level of program sophistication, it is not clear that the aggregate net costs incurred by all affected financial institutions as a result of this proposed rule would be distinguishable from zero. [228 ]

On the one hand, FinCEN cannot definitively conclude that the aggregate annual expenditure level across all categories of affected financial institutions would be expected to decrease, particularly in the short run. At the same time, FinCEN does not have a reasonable basis to expect that the proposed rule would necessitate an increase in aggregate costs because of the flexibility in risk-based resource allocation that it is intended to promote.

Furthermore, there are a number of scenarios in which the proposed rule could achieve its intended deregulatory effects while facially appearing to increase the burden of program compliance. For example, at the institutional level, a certain financial institution may be able to reduce per-unit compliance costs, while simultaneously increasing compliance-related expenditures due to technology-enabled expansion into new products, markets, or lines of business activities.

While projecting or demonstrating the successful deregulatory outcomes of the proposed rule may prove challenging, if even possible, using traditional accounting metrics, FinCEN expects that, to the extent that financial institutions make use of the opportunities afforded by the new effectiveness framework embedded in the rule, they should unequivocally incur the same or lower costs per unit of effective compliance. Expending greater financial outlays per unit of effective compliance would be fundamentally at odds with the proposed requirement for risk assessment processes to inform the development of internal policies, procedures and controls that mitigate risk by directing attention and resources toward higher-risk customers and activities. [229 ]

b. Government Costs

To implement the proposed rule, FinCEN expects to incur certain operating costs that would include approximately $2.8 million prior to the final rule's effective date, $6.2 million in the first effective year of the final rule, and approximately $7.5 million in the average subsequent year. These estimates include anticipated expenses related to stakeholder outreach and informational support, compliance monitoring, and potential enforcement activities as well as certain incremental increases to pre-existing administrative and logistic expenses.

FinCEN acknowledges that this treatment of cost estimates implicitly assumes that increased resources commensurate with any novel operating costs would exist. If this assumption does not hold, then operating costs associated with a rule may impose certain economic costs on the public in the form of opportunity costs from the agency's forgone alternative activities and those activities' attendant benefits. Putting that into the context of this proposed rule, and benchmarking against FinCEN's actual appropriated budget for fiscal year 2025 ($190,193,000), [230 ] the corresponding opportunity cost could resemble forgoing up to 3.2 percent (4.0 percent) of current activities annually in the first year (each subsequent year) in which a final rule was effective. However, to the extent that activities FinCEN would undertake as a function of the proposed rule would functionally substitute for or otherwise replace forgone activities, such an estimate likely overstates the potential economic costs to FinCEN and, consequently, the public.

FinCEN notes that these estimates do not include the potential costs borne by other regulators or entities engaged in informational outreach, examinations (such as those by SROs), or related enforcement activities as a consequence of the proposed rule. These estimates also do not include considered costs to the Agencies that may accrue in connection with the proposed new consultation requirements. FinCEN acknowledges that, as such, the cost estimates here would understate the burden of activities required to promote compliance with the rules, as proposed, and the full scope of government costs.

c. Clients or Customers of Covered Financial Institutions

FinCEN is mindful of concerns certain parties have long expressed regarding the potential for unintended effects, or other indirect costs, that can accompany an AML/CFT program inappropriately tailored to a financial institution's true risk profile and that are borne by its current and potential clients or customers. These include concerns about both (1) the risk of increased inequities in access to financial services (or other consequences of overbroad de-risking strategies), which, if not prohibitive, can make it more expensive and less efficient for affected persons to conduct financial transactions, and (2) the potential for inequalities in report filing on the basis of characteristics unrelated (or insufficiently related) to the underlying nature of risk reported, which may impose other types of indirect costs.

FinCEN's general expectation is that the advancements in this proposed rule toward more effective programs would generally reduce, not increase, such burdens and costs to otherwise affected persons and reduce the likelihood that they may continue to face unduly limited—or a complete absence of—access to the services of various financial institutions. This is because FinCEN expects that, in complying with changes in the proposed rule, if adopted, financial institutions would be more empowered to provide services in a manner that is more appropriately tailored to their respective risk profiles (as identified by their risk assessment processes) and would be required to direct more attention and resources toward higher-risk customers and activities rather than lower-risk ones, including via the adoption of technological innovations that could improve the calibration of reporting processes. Thus, by reducing those institutions' prior disincentives to provide underserved communities with more efficient levels of services and access to the U.S. financial system, FinCEN expects that the proposed rule may reduce the costs of previously forgone economic activity as well as additional indirect costs persons might have incurred from previously calibrated reporting mechanisms.

5. Consideration of Policy Alternatives

FinCEN has considered several alternatives, in part or whole, to the currently proposed version of the rule, but is limiting the presentation here to considerations where public response may be most useful. The alternatives described below are scenarios that may have resulted in reduced burdens for certain affected financial institutions but would do so at the expense of forgone benefits or efficiency gains. For the reasons described below, FinCEN decided not to propose any of these alternatives. FinCEN invites comment on these alternatives, and on any other ( printed page 18742) alternatives that were not considered here. [231 ]

i. Alternatives Proposing Regulatory Definitions

The proposed rule reflects FinCEN's view that because financial institutions know their customers, businesses, and risks better than their regulators and the government, they are best positioned to identify and evaluate their ML/TF risks. However, in response to previous rulemaking efforts, comments from the public have indicated that allocating resources can be challenging if there is regulatory ambiguity or if examiner expectations are unclear or inconsistent. One way to alleviate such uncertainties and/or ambiguities could have been to promulgate more specific and prescriptive definitions for certain key terms/phrases fundamental to the design and operation of highly productive, value-creating AML/CFT programs. FinCEN considered alternatives that would have taken that approach with respect to the various phrases discussed in greater detail below, but ultimately determined such approaches were less desirable than those in the proposed rule. FinCEN includes the reasoning that informed its determinations here for review so that commenters may respond with information, data, studies, or other evidence that may have altered FinCEN's rank ordering of policies by perceived optimality.

Instead of proposing a two-prong, conceptual framework approach to define an “effective” AML/CFT program, FinCEN could have proposed a more prescriptive, attribute- or component-based definition. This approach, by leaving less to the facts and circumstances of a particular financial institution, would have reduced the uncertainty about regulatory and/or examiner expectations, potentially giving the institution greater ability to allocate resources in a cost-effective manner given the certainty about what criteria the program would need to meet to be considered operationally effective.

While FinCEN considered this potential for enhanced efficiency as a result of the greater clarity a more prescriptive, attribute- or component-based definition of effective would provide, the agency also weighed the potential benefits of this approach against certain concerns. One concern was that by being more prescriptive, an alternative definition of effective may leave less flexibility for an AML/CFT program to be tailored based on a financial institution's size, activities, or other characteristics. Another concern was that, while engendering some planning and design efficiencies, a more prescriptive definition may exacerbate other, and potentially more consequential, inefficiencies, costs, and potential harms related to one-size-fits-all or “paper” programs. For these reasons, among others, FinCEN concluded that the proposed two-prong framework approach would strike a more appropriate balance between anticipated benefits and costs.

ii. Adopting the 2024 Program NPRM

Instead of the proposed rule, FinCEN alternatively could have chosen to promulgate a final rule that in part, or as a whole, would have adopted the requirements proposed in the 2024 Program NPRM, described above in section II.C.1. For a number of reasons, including certain concerns also expressed by commenters, [232 ] FinCEN considered that the formulation of program amendments proposed in this NPRM is likely to strike a more appropriate balance of benefits to costs.

In particular, the relationship envisioned between a financial institution's risk assessment process(es) and the allocation of attention and resources in this proposed rule is expected to more efficiently connect business intelligence and program execution. The proposed program requirements with respect to internal policies, procedures, and controls, expressly enable the mechanisms that transform business-operations-specific data into information about a financial institution's ML/TF risks to guide the architecture and resource allocation of that institution's AML/CFT program. This informed tailoring, in turn, is rewarded (and hence better incentivized) by the protections a properly established program would afford.

The proposed rule also improves upon the likelihood of the prior proposal to incentivize dynamic program developments that are aligned with evolving AML/CFT Priorities. This is expected to be the case because, unlike the 2024 Program NPRM, the proposed rule proffers an evaluative framework of effectiveness that would better insulate a financial institution from supervisory or enforcements actions that may otherwise unduly penalize innovation and/or customization that FinCEN would welcome but whose value a supervisory evaluator may not be as well-positioned to appreciate.

iii. Alternatives Delaying the Effective Date

As set forth in section VI, FinCEN is proposing that the rule's effective date be 12 months following the publication of the final rule. Because of comments received in response to the 2024 Program NPRM, FinCEN considered whether providing any additional periods of time to some or all expected affected financial institutions would facilitate a more efficient transition to practices in conformance with the new requirements. [233 ] While the scope and nature of the anticipated changes to current practices differs substantially between NPRMs, the economic and practical realities of any financial institution that perceived a need to make non-trivial adjustments to its current program structure or activities likely do not.

a. An Additional Delay in Effective Date of Six Months for All Financial Institutions

One option FinCEN considered was an additional delay in the effective date of the final rule by six months for all covered financial institutions. This might allow financial institutions making substantive changes to their AML/CFT programs to better optimize while doing so, if, for instance, financing for new investments would need to be procured or budgets would need to be redrawn and reapproved. It would also ensure a more effective transition, if, for instance, additional systems testing before deployment significantly improved the security or quality of a newly established (or re-established) AML/CFT program as a whole or one of its internal or risk assessment process(es). The relative merits of this contemplated delay are expected to correlate with the proportion of the population anticipated to undertake program establishment or re-establishment-like actions. That is, this alternative would be considered more valuable if a greater proportion of regulated financial institutions were expected to make substantive changes than the proportion that may simply reallocate existing personnel and allotted budgets.

Because FinCEN expects that more financial institutions are likely to reallocate existing budgets and resources than newly undertake ( printed page 18743) substantive, costly activities in response to the proposed rule, FinCEN considers the cost of further delays to regulatory implementation insufficiently offset by the incremental value of an additional six months to the relatively smaller portion of the population that might benefit from the delay.

b. An Additional Delay in Effective Date of 12 Months for Small Entities as Defined by the RFA

Another option FinCEN considered was an additional delay in effective date of the final rule by 12 months for only small entities as defined by the RFA. FinCEN considered that this option might be beneficial to small entities that may require more time to effectuate programmatic updates. Small entities may rely more than non-small entities on personnel in-house to conduct certain activities manually and may outsource technology functions and/or training to third parties more frequently or pervasively than non-small entities. Thus, they may need to take more steps to modify their AML/CFT programs, including, for example, renegotiating certain third-party services in light of the need for programs to be demonstrably tailored to the unique ML/TF risks of a given financial institution. At the same time, the proposed rule would allow for AML/CFT programs to be better tailored to the characteristics of the financial institution, including size. In practice, this may imply that many smaller entities would not need to undertake significant or costly changes and may even be able to reduce certain expenditures of resources in connection with ML/TF risks that are less relevant or germane to the small business's operations. On balance, it was not clear to FinCEN which effect would dominate—the potentially greater costs to a small entity of regulatory transition, which would weigh in favor of a delayed effective date, versus the potential for the transition to relieve burden and reduce costs, which would weigh against any delay—therefore FinCEN did not opt to pursue a small entity-specific timing accommodation.

c. A Hybrid Delay of 12 Months for Small Entities and Six Months for All Other Covered Financial Institutions

As a third option, FinCEN considered proposing an alternative effective date of 24 months following the adoption of the final rule for small covered financial institutions [234 ] and 18 months for the remaining covered financial institutions. This alternative would allow for an additional 12 months for the small covered financial institutions and an additional six months for the remaining covered financial institutions to transition to compliance with the final rule as adopted than what is being proposed.

FinCEN is not proposing to adopt this combined, graduated approach at this time for the same reasons that it declined to adopt either the general or small entity-specific timing accommodations separately.

B. E.O.s 12866, 13563, and 14192

E.O. 12866 and E.O. 13563 direct agencies to assess the benefits and costs of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and public health and safety effects; distributive impacts; and equity). E.O. 13563 emphasizes the importance of quantifying both benefits and costs, reducing costs, harmonizing rules, and promoting flexibility. E.O. 13563 also recognizes that some benefits are difficult to quantify and provides that, where appropriate and permitted by law, agencies may consider and discuss qualitatively values that are difficult or impossible to quantify. [235 ]

This proposed rule was deemed “Economically Significant” by the Office of Information and Regulatory Affairs under E.O. 12866, section 3(f)(1). Per E.O. 12866, section 6(a)(3)(C), if a regulatory action is expected to result in a rule that would have an annual effect on the economy equal to or greater than $100 million, [236 ] an RIA is required. Accordingly, the foregoing analysis was conducted because it is expected to result in effects beyond this threshold.

When final, however, this action is not expected to be an E.O. 14192 regulatory action because the net change in aggregate costs attributable to the proposed rule is not expected to be easily distinguishable from zero.

C. Initial Regulatory Flexibility Analysis

When an agency issues a rulemaking proposal, the RFA requires the agency to either provide an IRFA or certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. [237 ] Because the proposed rule may have a significant economic impact on a substantial number of small entities in certain affected industries, FinCEN undertook the following analysis. In the event that FinCEN has potentially overestimated the anticipated significance of the economic impact of the proposed rule, and certification would instead be more appropriate, comments to this effect—including studies, data, or other evidence—are invited. [238 ]

1. The Proposed Rule: Objectives, Description, and Legal Basis

The proposed rule would require covered financial institutions to establish and maintain effective AML/CFT programs, while amending FinCEN's regulations that prescribe the minimum requirements for AML/CFT programs. The proposed rule would also provide FinCEN with a greater role in the bank supervisory process by requiring that the Agencies, when acting under supervisory authority delegated by FinCEN, consult with FinCEN prior to taking a significant AML/CFT supervisory action.

By explicitly defining the requirements for an institution to establish and maintain an effective AML/CFT program and by standardizing the AML/CFT supervision and enforcement process for banks and their Federal banking regulators, the proposed rule is expected to better achieve the purposes of the BSA and improve outcomes for financial institutions and law enforcement and national security agencies.

The legal basis for the proposed rule is the AML Act. The purposes of the AML Act, among others, include to “modernize anti-money laundering and counter the financing of terrorism laws to adapt the government and private sector response to new and emerging threats;” “to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism;” and “to reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based” [239 ] as part of the broader initiative to “strengthen, modernize, and improve” the U.S. AML/CFT regime.

Specifically, section 6101(b)(2)(B)(ii) of the AML Act amended the BSA to require Treasury, when prescribing minimum standards for AML/CFT ( printed page 18744) programs, to take into account that AML/CFT programs should be “reasonably designed to assure and monitor compliance with the BSA and its implementing regulations and be risk based.” [240 ] FinCEN intends for this proposed rule to meet these objectives by clarifying that covered financial institutions would need to establish and maintain effective AML/CFT programs such that they yield useful outcomes that support the purposes of the BSA.

In addition, with this proposed rule, FinCEN is addressing its first AML/CFT Priorities. FinCEN published the first AML/CFT Priorities on June 30, 2021, as required under 31 U.S.C. 5318(h)(4)(A). In the proposed rule, FinCEN is proposing to add a new definition of “AML/CFT priorities” at 31 CFR 1010.100(nnn) to support the promulgation of regulations pursuant to 31 U.S.C. 5318(h)(4)(D). According to the proposed definition, “AML/CFT priorities” would refer to the most recent statement of Anti-Money Laundering and Counting the Financing of Terrorism National Priorities issued pursuant to 31 U.S.C. 5318(h)(4).

2. The Expected Impact on Small Entities

FinCEN estimates that 98 percent of the financial institutions that would be subject to the proposed rule meet the RFA's definitional criteria for a “small entity” in their respective industry. [241 ] Table 7 presents the relative size distribution by category of financial institution. [242 ]

| Financial institution type | Number of
financial

                                institutions a | Estimated 
                             percentage  
                             of small  
                             entities (%) |

| --- | --- | --- |
| Banks with an FFR: | | |
| FDIC | 2,738 | b 75.4 |
| FRB | 703 | c 62.6 |
| NCUA | 4,287 | d 58.6 |
| OCC | 895 | e 68.0 |
| Banks without an FFR | 365 | f 99.7 |
| Casinos | 1,299 | g 68.5 |
| Principal MSBs | 24,856 | h 95.0 |
| Agent MSBs | 307,212 | i 100.0 |
| Broker-Dealers | 3,278 | j 38.9 |
| Mutual Funds | 1,355 | k 94.0 |
| Insurance Companies | 717 | l 81.2 |
| FCMs and IBCs | 954 | m 93.7 |
| DPMSJs | 6,742 | n 99.8 |
| Operators of Credit Card Systems | 4 | ° 0 |
| Loan or Finance Companies | 13,342 | p 93.5 |
| Housing GSEs | 13 | q 0 |
| Total | 368,760 | 97.9 |
| a See supra table 1. | | |
| b Based on consultation with FDIC staff, using FFIEC Reports on Condition and Income (Call Reports) data as of September 30, 2025. FinCEN estimated the percentage of small entities by dividing FDIC's estimated number of small entities (2,064) by the estimated number of FDIC-regulated banks (2,738). | | |
| c Based on consultation with FRB staff. FinCEN estimated the percentage of small entities by dividing FRB's estimated number of small entities (440) by the estimated number of FRB-regulated banks (703). | | |
| d Based on consultation with NCUA staff. The NCUA estimated that 2,514 of 4,287 federally insured credit unions met their operational definition of small, which requires that a credit union have less than $100 million in assets. | | |
| e Based on consultation with OCC staff. The OCC estimates the number of small entities based on the SBA's size thresholds for commercial banks and savings institutions, and trust companies, which are $850 million and $47 million, respectively. Consistent with the General Principles of Affiliation at 13 CFR 121.103(a), the OCC counted the assets of affiliated financial institutions when determining if it should classify an OCC-supervised institution as a small entity. The OCC used data as of December 31, 2024, to determine size because a “financial institution's assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year.” See footnote 8 of the SBA, Table of Small Business Size Standards (Mar. 17, 2023), https://www.sba.gov/​document/​support-table-size-standards. FinCEN estimated the percentage of small entities by dividing the OCC's estimated number of small entities (609) by the estimated number of OCC-regulated banks (895). | | |
| f To FinCEN's knowledge, only one bank without an FFR exceeds the $850 million threshold criteria for small. | | |
| g The SBA thresholds for a small business in this category (NAICS codes 713210 and 713290) are $34 million and $40 million, respectively. The 2022 SUSB data on the number of firms by receipts size indicate that 97 out of the 198 firms that received over $1 million in annual receipts in NAICS code 713210 received between $1 million and $35 million in annual receipts, and 674 out of the 766 firms that received over $1 million in annual receipts in NAICS code 713290 received between $1 million and $40 million in annual receipts. This results in an average of 68.5 percent. | | |
| h The SBA thresholds for a small business in this category (NAICS codes 522320 and 522390) are $47 million and $28.5 million, respectively. The 2022 SUSB data indicate that 3,357 out of 3,532 firms in NAICS code 522320 received under $50 million in annual receipts and 2,844 out of 2,977 firms in NAICS code 522390 received under $30 million in annual receipts. This results in an average of 95.0 percent. This estimate differs from alternatively using the current SEC small entity standards in rulemakings involving mutual funds. See 17 CFR 270.0-10. The SEC has proposed to amend this standard. See SEC, “Small Business” and “Small Organization” Definitions for Investment Companies and Investment Advisers for Purposes of the Regulatory Flexibility Act, 91 FR 1107 (Jan. 12, 2026). | | |
| i This estimate is based on the assumption that all agent MSBs are small entities. ( printed page 18745) | | |
| j The SEC defines a small entity as a broker-dealer that had total capital of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared or, if not required to file such statements, a broker-dealer that has total capital of less than $500,000 on the last business day of the preceding fiscal year. 12 CFR 240.0-10(c). FinCEN estimated the percentage of small entities by dividing the SEC's estimated number of small entities (1,275), which was submitted to the Office of Information and Regulatory Affairs on January 23, 2026 as part of SEC's PRA information collection for the renewal of 17 CFR 240.15b1-1 (Rule 15b1-1) by the estimated number of broker-dealers (3,278). See SEC, Application for Registration of Brokers or Dealers, https://www.reginfo.gov/​public/​do/​PRAViewIC?​ref_​nbr=​202509-3235-012&​icID=​193354. | | |
| k The SBA threshold for a small business in this category (NAICS code 525910) is $40 million in annual receipts. According to the 2022 SUSB data, 313 out of 333 firms received under $50 million in annual receipts. This estimate differs from alternatively using the current SEC small entity standards in rulemakings involving mutual funds. See 17 CFR 270.0-10. The SEC has proposed to amend this standard. See SEC, “Small Business” and “Small Organization” Definitions for Investment Companies and Investment Advisers for Purposes of the Regulatory Flexibility Act, 91 FR 1107 (Jan. 12, 2026). | | |
| l The SBA threshold for a small business in this category (NAICS code 524113) is $47 million in annual receipts. According to the 2022 SUSB data, 739 out of 910 firms received under $50 million in annual receipts. | | |
| m The SBA threshold for small businesses in this category (NAICS codes 523130 and 523140) is $47 million. According to the 2022 SUSB data, 565 out of 614 firms in NAICS 523130 and 699 out of 733 firms in NAICS 523140 received under $50 million in annual receipts. This results in an average of 93.7 percent. | | |
| n The SBA threshold for a small business in this category (NAICS code 423940) is 125 employees. According to the 2022 SUSB data, 6,726 out of 6,742 firms had fewer than 500 employees. | | |
| o This estimate is based on FinCEN's assessment that no entities in this category would qualify as a small entity. | | |
| p The SBA thresholds for a small business in this category (NAICS codes 522292 and 522310) are $47 million and $15 million, respectively. According to the 2022 SUSB data, 3,307 out of 3,711 firms in NAICS code 522292 received under $50 million in annual receipts and 9,428 out of 9,631 in NAICS code 522310 received under $15 million in annual receipts. This results in an average of 93.5 percent. | | |
| q This estimate is based on FinCEN's assessment that no entities in this category would qualify as a small entity. | | |
FinCEN anticipates that the proposed rule may have a significant economic impact on a substantial number of certain types of affected small entities. The proposed changes to the program rules would require small entities to more effectively tailor their program to their risk profiles. However, as a threshold matter, the proposed rule is not expected to have the effect of imposing substantial, new requirements on small entities that currently maintain effective AML/CFT programs. Some small entities may initially expend time or other resources to familiarize themselves with the rule's requirements, make a determination about whether any programmatic changes are necessary for their respective institutions, and make any needed changes. FinCEN acknowledges some uncertainty regarding costs to small entities and requests comment on the share of small entities that would incur costs as a result of the proposed changes and information on the magnitude of expected costs. [243 ]

In the agency's experience, a number of industry trade groups often prepare and disseminate informational materials to their members to promote and facilitate best practices in regulatory compliance, and FinCEN itself both (1) has routinely publishes substantial amounts of supporting informational materials in connection with its rulemakings and (2) responds to public inquiries and informational requests submitted online. To the extent that a small entity would voluntarily retain the services of an external consultant or newly decide to implement costly changes to its current AML/CFT program, FinCEN anticipates that these activities would be undertaken because the entity believed the benefits of doing so would outweigh the upfront costs.

Additionally, FinCEN expects that small entities would benefit over the long term. [244 ] Small entities would be able to avoid expenditures on low-impact activities and redirect those resources toward activities that yield greater returns in terms of program effectiveness. Small entities would further benefit from having a more effective program, for example, by reducing the likelihood of costly negative consequences that could stem from having an ineffective program (e.g., AML/CFT supervisory and enforcement actions and litigation and investigation costs), while strengthening their overall reputation. In addition, individual small entities would benefit from the positive externalities created when other covered financial institutions concurrently establish and maintain more effective AML/CFT programs, for example, by being able to better understand their own ML/TF risks and detect threat patterns or trends.

3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative Requirements

FinCEN is unaware of any existing Federal regulations that would overlap or conflict with the proposed rule. [245 ]

As discussed in greater detail in section X.A.5, FinCEN considered proposing a delayed effective date for smaller entities that would provide an additional 12 months to come into compliance with the final rule. FinCEN is not proposing to this additional time accommodation because it is unclear that the delay is necessary given the nature of the changes proposed. Small entities are invited to provide comment, including quantitative or qualitative evidence about the cost impact of the rule and the benefit they anticipate from a size-based delay to the effective date of a final rule. [246 ]

D. Unfunded Mandates Reform Act

Section 202 of the UMRA requires that an agency prepare a budgetary impact statement before promulgating a rule that may result in expenditures by State, local, and Tribal governments, in the aggregate, or by the private sector, of $193 million or more in any one year ($100 million in 1995, adjusted for inflation). [247 248 ] If a budgetary impact statement is required, section 202 of the UMRA also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule.

As discussed in section X.A.4, FinCEN does not anticipate that the proposed rule would result in novel incremental aggregate expenditures by State, local, and Tribal governments, or by the private sector of $193 million or ( printed page 18746) more in any one year. Accordingly, FinCEN does not believe a budgetary impact statement or a consideration of regulatory alternatives would be required for UMRA purposes. Nevertheless, were these items to be required, FinCEN believes the section X analysis in its totality, including the consideration of alternatives presented in section X.A.5, would satisfy the analytical requirements by incorporation as permitted by UMRA. [249 ]

Members of the public who have reason to believe FinCEN has erred in its UMRA analysis, such as the possession of facts, data, studies, or anecdotal or other qualitative information that would cause FinCEN to reconsider its analytical conclusions, are invited to provide comment. [250 ]

E. Paperwork Reduction Act

The recordkeeping requirements in the proposed rule, which qualify as “collections of information” under the PRA, will be submitted to OMB for review in accordance with the PRA. [251 ] Under the PRA, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid control number assigned by OMB. [252 ] Written comments and recommendations for the proposed information collection can be submitted by visiting https://www.reginfo.gov/​public/​do/​PRAMain. Find this particular document by selecting “Currently Under Review—Open for Public Comments” or by using the search function. Comments are welcome and must be received by June 9, 2026.

In accordance with requirements of the PRA, 44 U.S.C. 3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the following information concerns the collection of information as it relates to the amendments to covered financial institutions' AML/CFT program regulations.

1. Description of Affected Financial Institutions and OMB Control Numbers

OMB Control Number(s): 1506-0020, 1506-0030, 1506-0035, and 1506-0051.

FinCEN has historically accounted for the existing reporting and recordkeeping burdens associated with the program rules using the following OMB control numbers: 1506-0020 (MSBs, mutual funds, and operators of credit card systems); 1506-0030 (DPMSJs); 1506-0035 (insurance companies, loan or finance companies, and banks lacking an FFR); and 1506-0051 (casinos). FinCEN does not maintain existing OMB control numbers for the program rule requirements for banks, [253 ] broker-dealers, FCMs or IBCs, [254 ] or housing GSEs. [255 ]

This scoping of the population for purposes of PRA estimates avoids double counting the recordkeeping burdens of the proposed rule for entities regulated by the Agencies. The accounting of burden estimates for OMB purposes, when aggregated across the relevant control numbers, should be generally comparable for the common program-related components considered in both this and the Agencies' respective exercises to the extent that the same assumptions about incremental burden apply.

Table 8 presents the same population estimates from the baseline analysis but appends the respective agency's OMB control numbers to illustrate the differences in aggregate estimates that are attributable to the inclusion or exclusion of covered financial institutions accounted for under another agency's control numbers or unassigned to a control number. This is followed by table 9, which includes only the covered financial institutions whose burdens are included in this PRA analysis, grouped by their respective control numbers.

| Covered financial institution type | a Number of financial
institutions | Agency OMB
control No. |
| --- | --- | --- |
| Banks with an FFR: | | |
| FDIC | 2,738 | FDIC 3064-0087 |
| FRB | 703 | FRB 7100-0310 |
| NCUA | 4,287 | NCUA 3133-0108 |
| OCC | 895 | OCC 1557-0180 |
| Banks without an FFR | 365 | FinCEN 1506-0035 |
| Casinos | 1,299 | FinCEN 1506-0051 |
| Principal MSBs | 24,856 | FinCEN 1506-0020 |
| Agent MSBs | 307,212 | FinCEN 1506-0020 |
| Broker-Dealers | 3,278 | N/A |
| Mutual Funds | 1,355 | FinCEN 1506-0020 |
| Insurance Companies | 717 | FinCEN 1506-0035 |
| FCMs and IBCs | 954 | N/A |
| DPMSJs | 6,742 | FinCEN 1506-0030 |
| Operators of Credit Card Systems | 4 | FinCEN 1506-0020 |
| Loan or Finance Companies | 13,342 | FinCEN 1506-0035 |
| Housing GSEs | 13 | N/A |
| Total | 368,760 | |
| a See supra table 1. | | |

| Covered financial institution type | Number of
financial

                                institutions a  | Affected financial institution types by activity  | | | FinCEN OMB Control No.  |

| --- | --- | --- | --- | | |
| 31 CFR 1021.210(2)(b)(vi) | CDD b | Program

                                approval c |  |  |  |

| Principal MSBs | 24,856 | | | ✓ | 1506-0020 |
| Agent MSBs d | 307,212 | | | | |
| Mutual Funds | 1,355 | | ✓ | | |
| Operators of Credit Card Systems | 4 | | | ✓ | |
| DPMSJs | 6,742 | | | ✓ | 1506-0030 |
| Banks without an FFR | 365 | | ✓ | | 1506-0035 |
| Insurance Companies | 717 | | | ✓ | |
| Loan or Finance Companies | 13,342 | | | ✓ | |
| Casinos | 1,299 | ✓ | | ✓ | 1506-0051 |
| Total | 355,892 | 1,299 | 1,720 | 46,960 | |
| a See supra table 1. | | | | | |
| b See supra table 3. | | | | | |
| c See supra table 4. | | | | | |
| d FinCEN assumes that the activities associated with program approval would be operationalized at the principal-MSB level. Therefore, FinCEN does not estimate PRA burden for the agent MSB population associated with program approval. FinCEN requests comment on whether this is a reasonable assumption. See infra section X.F #20. | | | | | |

2. Estimated Annual Burden

Table 10 presents the burden hours and labor costs associated with features of current market practices pertaining to BSA compliance as previously published for public comment by FinCEN, [256 ] which is responsible for reporting the PRA burdens for eight of the 11 covered financial institution types. [257 ] FinCEN estimated that these covered financial institutions incur the same per-entity hourly burden for certain program requirements (e.g., maintaining and updating the written AML program, storing the program, or producing the program upon request). However, only certain covered financial institution types incur or have previously been assigned pro forma PRA costs associated with program requirements such as obtaining board of director or trustee approval of the AML program; obtaining, verifying, and storing cardholder identifying information; and ongoing compliance with the requirements in 31 CFR 1021.210(b)(2)(v) and (vi). Thus, the total burden associated with BSA compliance can vary significantly across covered financial institution types. [258 ]

( printed page 18748)
| OMB Control No. | Covered financial institution type | Number of
financial

institutions | Total burden hours per program requirement | | | | | | Total |
| --- | --- | --- | --- | --- | | | | | |
| A. Maintaining and updating written AML program | B. Storing the written AML program | C. Producing the AML program upon request | D. Board of Directors/
Trustees

approval of the

AML program | E. Obtaining, verifying, and
storing cardholder

identifying

information | F. Ongoing
compliance

with the

requirements in 31 CFR 1021.210(b) (2)(v) and (vi) | | | | |
| 1506-0020 | Principal MSBs—Providers and Sellers of Prepaid Access | 2,605 | 2,605 | 217 | 217 | | 86,667 | | 89,706 |
| | Principal MSBs—Others | 24,895 | 24,895 | 2,075 | 2,075 | | | | 29,044 |
| | Agent MSBs | 229,161 | | 19,097 | 19,097 | | | | 38,194 |
| | Mutual Funds | 1,400 | 1,400 | 117 | 117 | 1,400 | | | 3,033 |
| | Operators of Credit Card Systems | 4 | 4 | 0.3 | 0.3 | | | | 5 |
| 1506-0030 | DPMSJs | 6,700 | 6,700 | 558 | 558 | | | | 7,817 |
| 1506-0035 | Banks without an FFR | 600 | 600 | 50 | 50 | 600 | | | 1,300 |
| | Insurance Companies | 4,678 | 4,678 | 390 | 390 | | | | 5,458 |
| | Loan or Finance Companies | 13,000 | 13,000 | 1,083 | 1,083 | | | | 15,167 |
| 1506-0051 | Casinos | 1,277 | 1,277 | 106 | 106 | | | 126,423 | 127,913 |
| Total Burden Hours | | 284,320 | 55,159 | 23,693 | 23,693 | 2,000 | 86,667 | 126,423 | 317,635 |
| Total Labor Cost | | | $5,863,402 | $2,518,601 | $2,518,601 | $212,600 | $9,212,667 | $13,438,765 | $33,764,636 |
( printed page 18749) As discussed in section X.A.4.ii, FinCEN does not expect this proposed rule to impose any new incremental burden on the covered financial institutions. Consequently, FinCEN does not expect that this proposed rule would result in any new incremental PRA recordkeeping burden. Still, in this analysis, in response to the proposed removal of the language associated with 31 CFR 1021.210(b)(2)(vi), which is unique to the casino AML program regulations, FinCEN proposes to remove a de minimis burden that is currently associated with that activity. In addition, FinCEN introduces new pro forma accounting estimates that reflect administrative updates to more accurately represent the activity currently undertaken by covered financial institutions to comply with CDD and program approval requirements. FinCEN discusses these administrative changes to the PRA recordkeeping burdens in more detail below. [259 ]

Administrative Changes in PRA Recordkeeping Burden Due to the Proposed Removal of 31 CFR 1021.210(b)(2)(vi)

The rule proposes to remove the language in 31 CFR 1021.210(b)(2) (vi), which requires casinos that have automated data processing systems to provide for the use of automated programs to aid in assuring compliance in their compliance program. [260 ] In the most recent renewal, FinCEN has estimated that the annual burden per casino associated with this provision was de minimis; [261 ] thus, given the proposed changes, FinCEN is revising the associated annual burden for this component of program requirements per casino to 0 hours.

Administrative Changes in PRA Recordkeeping Burden Due to Reorganizing CDD Requirements Under Internal Policies, Procedures, and Controls

The rule also proposes to make ongoing CDD obligations part of the requirement that covered financial institutions establish risk-based internal policies, procedures, and controls that are reasonably designed. The organizational change more accurately reflects how covered financial institutions integrate the design and operationalization of ongoing CDD as part of their overall AML programs.

As discussed in section V.D.1.iii, certain financial institution types are required to conduct ongoing CDD, such as monitoring customer relationships and maintaining and updating customer information on a risk basis, though this burden has never been articulated in FinCEN's previous OMB renewals. Upon review, FinCEN has determined that this omission was likely due to a clerical oversight at the time that the original CDD rule was finalized in 2016 and in subsequent rulemakings that would apply AML/CFT program obligations on new categories of financial institution, has typically proposed to include the program elements of ongoing CDD requirements as an itemized cost. [262 ] Therefore, to harmonize PRA accounting practices and to more accurately reflect the burden associated with including ongoing CDD program obligations as part of a covered financial institution's necessary activities to establish risk-based internal policies, procedures, and controls that are reasonably designed, FinCEN is incorporating a new pro forma average annual burden of 50 hours to the existing burden of certain OMB control numbers covered by the rulemaking, where applicable. These burdens and costs reflect administrative updates that are being introduced to more accurately represent the activity currently undertaken by covered financial institutions to comply with program requirements. These PRA estimates do not represent, and should not be interpreted to reflect, novel incremental costs attributable to the proposed rule.

Administrative Changes in PRA Recordkeeping Burden Associated With Proposed Standardization of the Program Approval Requirement

The proposed rule would also require a financial institution's board of directors, equivalent governing body within the financial institution, or appropriate senior management to approve each covered financial institution's written AML/CFT program. As discussed in section V.E.2 and presented in table 4, casinos and MSBs do not have explicit requirements to have their programs approved. Still FinCEN expects that the programs of these financial institutions must also be approved as a matter of best practice. Other financial institution types, including insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs, must currently obtain senior management-level approval for their programs. For consistency across all the covered financial institution types, FinCEN will include a one-hour pro forma average annual burden for all financial institutions covered under FinCEN's OMB control numbers to obtain approval of their program that do not currently have a PRA burden associated with program approval. Again, these PRA estimates do not represent, and should not be interpreted to reflect, novel incremental costs attributable to the proposed rule.

Estimated Number of Respondents: 48,680 financial institutions. [263 ]

As discussed above, FinCEN would make the following administrative changes to the PRA recordkeeping burdens in response to the proposed changes: (1) removing the de minimis burden incurred by casinos associated with the 31 CFR 1021.210(b)(2)(vi) requirement, (2) newly articulating the pro forma average annual 50-hour burden that banks without an FFR and mutual funds already incur associated with CDD obligations, and (3) newly articulating a pro forma average annual one-hour burden associated with program approval for financial institution types that do not already have PRA burden associated with that activity.

As presented in table 11, FinCEN estimates on average, these activities ( printed page 18750) result in an average annual burden of approximately 132,960 hours.

| Activity | Number of

                                respondents a | Hours per 
                             respondent | Total burden hours |

| --- | --- | --- | --- |
| Removal of 31 CFR 1021.210(b)(2)(vi) | 1,299 | 0 | 0 |
| CDD—General Program | 1,720 | 50 | 86,000 |
| Program Approval | 46,960 | 1 | 46,960 |
| Total | 48,680 | | 132,960 |
| a See supra table 9. | | | |

3. Estimated Annual Cost

FinCEN estimates that the 132,960 burden hours associated with these activities would result in an average annual pro forma cost adjustment of approximately $16.6 million. [264 ]

4. Summary of Burden and Cost Estimates

Estimated Number of Respondents: 48,680 financial institutions.

Estimated Aggregate Pro Forma Annual Burden: Approximately 132,960 hours.

Estimated Aggregate Pro Forma Annual Cost: Approximately $16,564,157. [265 ]

5. General Request for Comments under the Paperwork Reduction Act

FinCEN invites comments on: (1) whether the collection of information is necessary for the proper performance of the mission of FinCEN, including whether the information would have practical utility; (2) the accuracy of FinCEN's estimate of the burden of the proposed collection of information; (3) ways to enhance the quality, utility, and clarity of the information required to be maintained; (4) ways to minimize the burden of the collection of information, including through the use of automated collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services required to report the information.

F. Additional Requests for Comment

Baseline Estimates

1. Are FinCEN's baseline estimates of the number of covered financial institutions in each industry accurate? Are there specific sources of data that would suggest any of these population estimates should be revised? Please provide data, studies, or anecdotal evidence that would support any suggested alternatives.

2. Is it appropriate for FinCEN to presume covered financial institutions are generally in full compliance with current rules? If not, please provide defensible methods, data, studies, or anecdotal evidence that FinCEN could use to estimate the share of non-compliant financial institutions and identify the areas in which they are not currently compliant in order to revise the baseline assessment of current market practices.

3. To what extent should the economic impact on additional key, directly affected subpopulations of the general public be considered in the RIA? Please provide data, studies, or reports that would enhance FinCEN's ability to identify and quantify such effects.

4. Are FinCEN's baseline expectations about how covered financial institutions currently comply with existing program rules and the incremental change in burden due to the proposed changes reasonably accurate? In particular, are the baseline expectations accurate for small covered financial institutions? Are there any other aspects of current practice that FinCEN should have considered or further information about the aspects considered that should be included?

5. Do the cost estimates presented in the RIA baseline reflect a reasonable range of the costs that covered financial institutions incur to maintain their AML/CFT programs? Is the assumption that per-entity costs would be lower for covered non-bank financial institutions than covered banks of similar sizes a reasonable one? How much does a typical financial institution spend to implement their current AML program? How much does a typical small financial institution spend to implement their current AML program?

6. Are FinCEN's expectations about the incremental change in burden on regulators and compliance examiners described in sections X.A.3.iv, X.A.4.i.b, and X.A.4.ii.b due to the proposed changes reasonable? If not, please provide data, studies, or anecdotal evidence that would support an alternate conclusion.

Potential Efficiencies and Burden

1. Because program rules are a minimum standard, FinCEN preemptively qualified its analysis as likely to overstate both the benefits and costs of the proposed rule for covered financial institutions that already strive for best practices or whose programs already meet or surpass the proposed requirements, and assumes it should not, in theory, affect an assessment of the overall net effects, as the differences in benefits and costs should offset each other. Is this expectation reasonable? Please provide data or information, if available, that would improve the accuracy of FinCEN's assessment of impact if this reliance on theory is not appropriate.

2. Is there any empirical evidence or data that would support the quantification of how much money laundering and the financial of terrorism could be reduced as a result of the proposed rule or the quantification of how much other illegal activity could ( printed page 18751) be curbed by this reduction in money laundering and terrorist financing?

3. As described in section X.A.4.ii.a of the RIA, FinCEN has not identified any unambiguous sources of significant burden on covered financial institutions that would result from the changes described in the proposed rule. Are there categories of burden that FinCEN should articulate and quantify as part of its calculated burden estimates? For example, costs associated with becoming familiar with the rule, external consultation costs, costs to establish and maintain an AML/CFT program, training costs, or other costs associated with ongoing compliance. If so, what are they, and what are the estimated one-time and ongoing burdens per financial institution? In particular, what are the estimated one-time and ongoing burdens per small financial institution?

4. Is FinCEN's expectation that, in aggregate, the net change in cost incurred by covered financial institutions would not be easily distinguished from zero as a result of the proposed changes reasonably accurate?

5. Would implementing any changes necessary to comply with the proposed rule be expected to increase or decrease current compliance costs and by how much? For example, are there any current compliance costs that would be reduced by the proposed requirement that attention and resources be directed toward high-risk activities and customers rather than low-risk activities and customers? What type and share of covered financial institutions would likely experience this change in compliance costs?

6. What is the likelihood that a covered financial institution or group of covered financial institutions, by type, would invest in updating or new technology as a result of the rule as proposed? Are there modifications to the proposed rule that would significantly increase (or decrease) this likelihood? If so, please describe. Where possible, please explain why the described modification is expected to change the likelihood.

7. Is FinCEN's assessment that the proposed changes would have a deregulatory impact appropriate? Are there specific sources of empirical evidence or data that would suggest this determination should be revised? Please provide data, studies, or anecdotal evidence that would support any suggested alternative determination.

8. With respect to the economic analysis in its entirety, are there comments as to the specific findings, assumptions, or expectations?

ALTERNATIVES

1. FinCEN requests comment on the alternative policy options presented in section X.A.5 as well as any other alternatives that were not considered and their economic effects. Please provide information, data, studies, or other evidence that would support any suggested alternatives that FinCEN should consider.

IRFA

1. Is FinCEN's expectation that the proposed rule would have a significant economic impact on a significant number of small entities reasonable? Are there specific sources of empirical evidence or data that would suggest this determination should be revised? Please provide data, studies, or anecdotal evidence that would support the suggested alternative determination.

2. Are FinCEN's baseline estimates of the proportion of each industry type's regulated financial institutions that are small reasonably accurate? Are there specific sources of data that would suggest any of these percentages should be revised?

3. Has FinCEN reasonably assessed the relative value to affected small businesses that the alternative 12 additional months to transition compliance to the proposed new and amended program requirements would afford?

UMRA

1. FinCEN does not anticipate that the proposed rule would result in novel incremental aggregate expenditures by State, local, or Tribal governments, or by the private sector of $193 million or more in any one year. Is this assumption reasonable? If not, what studies, data, or anecdotal evidence should be taken into consideration that would update this expectation?

PRA

1. Is it reasonable to assume that the PRA recordkeeping burden associated with program approval requirements would generally be incurred at the principal-MSB level rather than the agent-MSB level? If not, what share of the agent MSB population would likely incur the recordkeeping burden?

2. Does current market practice associated with conducting an audit as part of independent AML program testing involve documenting the results of the audit? If so, should FinCEN articulate and assign a PRA recordkeeping burden for doing so? And if so, how much burden should be attributed to the activity?

List of Subjects

31 CFR Part 1010

• Administrative practice and procedure
• Aliens
• Authority delegations (Government agencies)
• Banks, banking
• Brokers
• Business and industry
• Citizenship and naturalization
• Commodity futures
• Crime
• Currency
• Electronic filing
• Federal savings associations
• Federal-State relations
• Fiduciaries
• Foreign banking
• Foreign currencies
• Foreign persons
• Gambling
• Holding companies
• Indians
• Indians-law
• Indians-tribal government
• Insurance companies
• Investigations
• Investment companies
• Law enforcement
• Penalties
• Reporting and recordkeeping requirements
• Savings associations
• Securities
• Small business
• Terrorism
• Time

31 CFR Part 1020

• Administrative practice and procedure
• Banks, banking
• Brokers
• Citizenship and naturalization
• Commodity futures
• Currency
• Electronic filing
• Federal savings associations
• Federal-State relations
• Foreign banking
• Foreign currencies
• Foreign persons
• Holding companies
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities
• Terrorism

31 CFR Parts 1021, 1024, 1025, and 1028

• Administrative practice and procedure
• Banks, banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Parts 1022 and 1027

• Administrative practice and procedure
• Banks, banking
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1023

• Administrative practice and procedure
• Banks, banking
• Brokers
• Currency
• Foreign banking
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1026

• Administrative practice and procedure
• Banks, banking
• Brokers
• Currency
• Foreign banking
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirement
• Securities

31 CFR Parts 1029 and 1030

• Administrative practice and procedure
• Banks, banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities
• Terrorism For the reasons set forth in the SUPPLEMENTARY INFORMATION, FinCEN proposes to amend 31 CFR parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, and 1030 as follows:

PART 1010—GENERAL PROVISIONS

1. The authority citation for part 1010 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951 -60; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 2006, Pub. L. 114-41, 129 Stat. 458-459; sec. 701, Pub. L. 114-74, 129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat. 3388.

1. Amend § 1010.100 by:

a. Revising paragraphs (e) and (r); and

b. Adding paragraphs (nnn) and (ooo).

The revisions and additions read as follows:

§ 1010.100 General definitions. * * * * * (e) Bank Secrecy Act. The Bank Secrecy Act means 12 U.S.C. 1829b, 12 U.S.C. 1951-1960, and 31 U.S.C. 5311-5314 and 5316-5336, including notes thereto.

• * * * * (r) Federal functional regulator. (1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Federal Deposit Insurance Corporation;

(4) The National Credit Union Administration;

(5) The Securities and Exchange Commission; or

(6) The Commodity Futures Trading Commission.

• * * * * (nnn) AML/CFT priorities. AML/CFT priorities means the most recent statement of Anti-Money Laundering and Countering the Financing of Terrorism National Priorities issued pursuant to 31 U.S.C. 5318(h)(4).

(ooo) Federal Financial Institutions Regulatory Agency. (1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Federal Deposit Insurance Corporation; or

(4) The National Credit Union Administration.

PART 1020—RULES FOR BANKS

1. The authority citation for part 1020 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1020.110 to read as follows:

§ 1020.110 Severability. If any provision of this part, or any provision of this chapter referencing banks, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1020.210 to read as follows:

§ 1020.210 Anti-money laundering/countering the financing of terrorism program requirements for banks. (a) In general. A bank has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the bank:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A bank establishes an AML/CFT program in accordance with this paragraph (b) if the bank:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the bank's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the bank's business activities, including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the bank's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the bank, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230 of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by bank personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A bank implements an AML/CFT program in accordance with this paragraph (c) if the bank implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A bank's AML/CFT program must be written, and it must be approved by the bank's board of directors, an equivalent governing body within the bank, or appropriate senior management. The bank must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

1. Amend § 1020.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1020.220 Customer identification program requirements for banks. (a) * * *

(1) In general. A bank required to have an AML/CFT program under 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 12 U.S.C. 1786(q)(1) must implement a written Customer Identification Program (CIP) appropriate for the bank's size and type of business that, at a minimum, ( printed page 18753) includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of the AML/CFT program.

• * * * * (6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the bank's CIP.

• * * * * 8. Add § 1020.221 to read as follows:

§ 1020.221 Supervision and enforcement. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by FinCEN that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means a requirement of the Bank Secrecy Act or this chapter.

(3) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination issued by FinCEN or a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter that, in either case—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to a bank regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the bank.

(iv) The term does not include examiner observations, suggestions, or other informal comments.

(b) FinCEN enforcement and supervision policy —(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with § 1020.210(c), a bank that has established an AML/CFT program in accordance with § 1020.210(b) will not be subject to:

(i) An AML/CFT enforcement action related to the requirements of 31 U.S.C. 5318(h)(1) § 1020.210 by FinCEN; or

(ii) A significant AML/CFT supervisory action related to the requirements of 31 U.S.C. 5318(h)(1) or § 1020.210 by FinCEN or by a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter.

(2) Program establishment violations. Nothing in this paragraph (b) may be construed to restrict an AML/CFT enforcement action by FinCEN, or a significant AML/CFT supervisory action by FinCEN or a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter with respect to any failure to establish an AML/CFT program in accordance with § 1020.210(b).

(3) Criminal enforcement. Nothing in this paragraph (b) may be construed to affect criminal enforcement liability under the Bank Secrecy Act.

(c) FinCEN consultation —(1) Consultation and consideration requirement. Before initiating a significant AML/CFT supervisory action, a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter will provide the Director, FinCEN an opportunity to review the action and consider any input offered by the Director, FinCEN on the action, which may include any view as to the effectiveness of the bank's AML/CFT program.

(2) Notice requirement. To provide the Director, FinCEN an opportunity to provide a view under paragraph (c)(1) of this section, a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter will:

(i) Send written notice to the Director, FinCEN of its intent to take that action at least 30 days before taking the action (unless a shorter period of time is necessary, in the sole discretion of the Federal Financial Institutions Regulatory Agency, to remedy, prevent, or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information underlying the proposed action, including the relevant portions of the draft report or enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the bank to the Federal Financial Institutions Regulatory Agency, other than information over which the bank may claim privilege under Federal or State law; and

(ii) Respond to the extent reasonably practicable to requests for additional information from the Director, FinCEN regarding the proposed action.

(d) FinCEN considerations. In determining whether to take an AML/CFT enforcement action or significant AML/CFT supervisory action, or when reviewing a proposed action by a Federal Financial Institutions Regulatory Agency under paragraph (c) of this section or 12 CFR 21.21, 208.63, 211.5(m), 211.24(j), 326.8, or 748.2, the Director, FinCEN shall consider:

(1) The factors under 31 U.S.C. 5318(h)(2)(B), as applicable to actions concerning the AML/CFT program requirements under § 1020.210;

(2) The extent (if any) to which the bank, where appropriate in light of its size, complexity, and risk profile, has advanced the AML/CFT priorities by providing highly useful information to law enforcement authorities or national security officials, conducting proactive analytics, or performing other innovative activities producing demonstrable outputs evincing the effectiveness of the bank's AML/CFT program (including effective use of artificial intelligence, federated learning, and other advanced monitoring tools); and

(3) Any other factor the Director, FinCEN deems appropriate, including the bank's size, complexity, and risk profile, and, as relevant, where the bank's low-risk customers or limited business activities naturally limits the extent to which the bank can meaningfully contribute to AML/CFT priorities.

PART 1021—RULES FOR CASINOS AND CARD CLUBS

1. Revise the authority citation for part 1021 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1021.110 to read as follows:

§ 1021.110 Severability. If any provision of this part, or any provision of this chapter referencing casinos and card clubs, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect ( printed page 18754) without the invalid provision or application.

1. Revise § 1021.210 to read as follows:

§ 1021.210 Anti-money laundering/countering the financing of terrorism program requirements for casinos. (a) In general. A casino has an effective AML/CFT program and complies with the requirements for 31 U.S.C. 5318(h)(1) if the casino:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A casino establishes an AML/CFT program in accordance with this paragraph (b) if the casino:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the casino's money laundering, terrorist financing, and other illicit finance activity risks though risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the casino's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the casino knows or has reason to know significantly changes the casino's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the casino's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the casino, rather than toward lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by casino personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(5) Procedures for using all available information to determine:

(i) When required by this chapter, the name, address, social security number, and other information, and verification of the same, of a person;

(ii) The occurrence of any transactions or patterns of transactions required to be reported pursuant to § 1021.320; and

(iii) Whether any record as described in subpart D of part 1010 of this chapter or subpart D of this part must be made and retained.

(c) Program implementation. A casino implements an AML/CFT program in accordance with this paragraph (c) if the casino implements, in all material aspects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A casino's AML/CFT program must be written, and it must be approved by the casino's board of directors, an equivalent governing body within the casino, or appropriate senior management. The casino must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

1. Amend § 1021.410 by revising paragraph (b)(10) to read as follows:

§ 1021.410 Additional records to be made and retained by casinos. * * * * * (b) * * *

(10) A copy of the AML/CFT program described in § 1021.210.

---

PART 1022—RULES FOR MONEY SERVICES BUSINESSES

1. Revise the authority citation for part 1022 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1022.110 to read as follows:

§ 1022.110 Severability. If any provision of this part, or any provision of this chapter referencing money services businesses, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1022.210 to read as follows:

§ 1022.210 Anti-money laundering/countering the financing of terrorism program requirements for money services businesses. (a) In general. A money services business has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h) and this section if the money services business:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A money services business establishes an AML/CFT program in accordance with this paragraph (b) if the money services business:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the money services business's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the money services business's activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any changes that the money services business knows or has reason to know significantly changes the money services business's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the money services business's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the money services business, rather than toward lower-risk customers and activities; and

(iii) To the extent applicable to the money services business:

(A) Verify customer identification, including as set forth in paragraph (b)(1)(v) of this section; ( printed page 18755)

(B) File reports;

(C) Create and retain records; and

(D) Respond to law enforcement requests.

(iv) For a person that is a money services business solely because it is an agent for another money services business, as set forth in § 1022.380(a)(3) and for the money services business for which it serves as agent, choose by agreement to allocate between them responsibility for development of internal policies, procedures, and controls required by this paragraph (b)(1). Each money services business will remain solely responsible for implementation of the requirements set forth in this section, and nothing in this paragraph (b)(1) relieves any money services business from its obligation to establish and maintain an effective AML/CFT program.

(v) For a money services business that is a provider or seller of prepaid access, establish procedures to verify the identity of a person who obtains prepaid access under a prepaid program and obtain identifying information concerning such a person, including name, date of birth, address, and identification number. Sellers of prepaid access must also establish procedures to verify the identity of a person who obtains prepaid access to funds that exceed $10,000 during any one day and obtain identifying information concerning such a person, including name, date of birth, address, and identification number. Providers of prepaid access must retain access to such identifying information for five years after the last use of the prepaid access device or vehicle; such information obtained by sellers of prepaid access must be retained for five years from the date of the sale of the prepaid access device or vehicle.

(2) Establishes independent AML/CFT program testing to be conducted by money services business personnel or by an outside party.

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance.

(4) Establishes an ongoing employee training program.

(c) Program implementation. A money services business implements an AML/CFT program in accordance with this paragraph (c) if the money services business implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A money services business's AML/CFT program must be written, and it must be approved by the money services business's board of directors, an equivalent governing body within the bank, or appropriate senior management. The money services business must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

(e) Compliance date. A money services business must develop and implement an anti-money laundering program that complies with the requirements of this section on or before the end of the 90-day period beginning on the day following the date the business is established.

PART 1023—RULES FOR BROKERS OR DEALERS IN SECURITIES

1. Revise the authority citation for part 1023 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1023.110 to read as follows:

§ 1023.110 Severability. If any provision of this part, or any provision of this chapter referencing brokers-dealers, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1023.210 to read as follows:

§ 1023.210 Anti-money laundering/countering the financing of terrorism program requirements for broker-dealers. (a) In general. A broker-dealer has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the broker-dealer:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section;

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A broker-dealer establishes an AML/CFT program in accordance with this paragraph (b) if the broker-dealer:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the broker-dealer's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the broker-dealer's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the broker-dealer knows or has reason to know significantly changes the broker-dealer's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the broker-dealer's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the broker-dealer, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230 of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by broker-dealer personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program. ( printed page 18756)

(c) Program implementation. A broker-dealer implements an AML/CFT program in accordance with this paragraph (c) if the broker-dealer implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A broker-dealer AML/CFT program must be written, and it must be approved by the broker-dealer's board of directors, an equivalent governing body within the broker-dealer, or appropriate senior management. The broker-dealer must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

(e) Compliance with self-regulatory organization. A broker-dealer AML/CFT program must comply with the rules, regulations, or requirements of its self-regulatory organization governing such programs; provided that the rules, regulations, or requirements of the self-regulatory organization governing such programs have been made effective under the Securities Exchange Act of 1934 by the appropriate Federal functional regulator in consultation with FinCEN.

1. Amend § 1023.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1023.220 Customer identification programs for broker-dealers. (a) * * *

(1) In general. A broker-dealer must establish, document, and maintain a written Customer Identification Program (CIP) appropriate for its size and business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of the broker-dealer's AML/CFT program required under 31 U.S.C. 5318(h).

• * * * * (6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the broker-dealer that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the broker-dealer's CIP.

---

PART 1024—RULES FOR MUTUAL FUNDS

1. Revise the authority citation for part 1024 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1024.110 to read as follows:

§ 1024.110 Severability. If any provision of this part, or any provision of this chapter referencing mutual funds, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1024.210 to read as follows:

§ 1024.210 Anti-money laundering/countering the financing of terrorism program requirements for mutual funds. (a) In general. A mutual fund has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the mutual fund:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A mutual fund establishes an AML/CFT program in accordance with this paragraph (b) if the mutual fund:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the mutual fund's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the mutual fund's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the mutual fund knows or has reason to know significantly changes the mutual fund's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the mutual fund's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the mutual fund, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230 of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by mutual fund personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A mutual fund implements an AML/CFT program in accordance with this paragraph (c) if the mutual fund implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A mutual fund's AML/CFT program must be written, and it must be approved by the mutual fund's board of directors, an equivalent governing body within the mutual fund, or appropriate senior management. The mutual fund must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

1. Amend § 1024.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1024.220 Customer identification programs for mutual funds. (a) * * *

(1) In general. A mutual fund must implement a written Customer Identification Program (CIP) appropriate for its size and type of business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of the mutual fund's AML/CFT program required under the regulations ( printed page 18757) in this part implementing 31 U.S.C. 5318(h).

• * * * * (6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the mutual fund that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the mutual fund's CIP.

---

PART 1025—RULES FOR INSURANCE COMPANIES

1. Revise the authority citation for part 1025 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1025.110 to read as follows:

§ 1025.110 Severability. If any provision of this part, or any provision of this chapter referencing insurance companies, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1025.210 to read as follows:

§ 1025.210 Anti-money laundering/countering the financing of terrorism program requirements for insurance companies. (a) In general. An insurance company has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the insurance company:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. An insurance company establishes an AML/CFT program in accordance with this paragraph (b) if the insurance company:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the insurance company's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the insurance company's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the insurance company knows or has reason to know significantly changes the insurance company's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the insurance company's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the insurance company's, rather than toward lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by insurance company personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. An insurance company implements an AML/CFT program in accordance with this paragraph (c) if the insurance company implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. An insurance company's AML/CFT program must be written, and it must be approved by the insurance company's board of directors, an equivalent governing body within the insurance company, or appropriate senior management. The insurance company must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

(e) AML/CFT program requirements for insurance companies required to register with the Securities and Exchange Commission as broker-dealers in securities. An insurance company that is registered or required to register with the Securities and Exchange Commission as a broker-dealer in securities shall be deemed to have satisfied the requirements of this section for its broker-dealer activities to the extent that the company is required to establish and has established an anti-money laundering program pursuant to § 1023.210 of this chapter and complies with such program.

PART 1026—RULES FOR FUTURES COMMISSION MERCHANTS AND INTRODUCING BROKERS IN COMMODITIES

1. Revise the authority citation for part 1026 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1026.110 to read as follows:

§ 1026.110 Severability. If any provision of this part, or any provision of this chapter referencing futures commission merchants or introducing brokers in commodities, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1026.210 to read as follows:

§ 1026.210 Anti-money laundering/countering the financing of terrorism program requirements for futures commission merchants and introducing brokers in commodities. (a) In general. A futures commission merchant or an introducing broker in commodities has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the futures commission merchant or introducing broker in commodities:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section. ( printed page 18758)

(b) Program establishment. A futures commission merchant or an introducing broker in commodities establishes an AML/CFT program in accordance with this paragraph (b) if the futures commission merchant or introducing broker in commodities:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the futures commission merchant's or introducing broker's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the futures commission merchant's or introducing broker's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the futures commission merchant or introducing broker in commodities knows or has reason to know significantly changes the futures commission merchant's or introducing broker's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the futures commission merchant's or introducing broker's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the futures commission merchant or introducing broker in commodities, rather than toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230 of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by futures commission merchant or introducing broker personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A futures commission merchant or introducing broker in commodities implements an AML/CFT program in accordance with this paragraph (c) if the futures commission merchant or introducing broker in commodities implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A futures commission merchant or introducing broker in commodities AML/CFT program must be written, and it must be approved by the futures commission merchant's or introducing broker's board of directors, an equivalent governing body within the futures commission merchant or introducing broker in commodities, or appropriate senior management. The futures commission merchant and the introducing broker in commodities must make copies of their respective AML/CFT programs available to FinCEN or its designee upon request.

(e) Compliance with self-regulatory organization. Complies with the rules, regulations, or requirements of its self-regulatory organization governing such programs, provided that the rules, regulations, or requirements of the self-regulatory organization governing such programs have been made effective under the Commodity Exchange Act by the appropriate Federal functional regulator in consultation with FinCEN.

1. Amend § 1026.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1026.220 Customer identification programs for futures commission merchants and introducing brokers. (a) * * *

(1) In general. Each futures commission merchant or introducing broker must implement a written Customer Identification Program (CIP) appropriate for its size and business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of each futures commission merchant's or introducing broker's AML/CFT program required under 31 U.S.C. 5318(h).

• * * * * (6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the futures commission merchant or introducing broker that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the futures commission merchant's or introducing broker's CIP.

---

PART 1027—RULES FOR DEALERS IN PRECIOUS METALS, PRECIOUS STONES, OR JEWELS

1. Revise the authority citation for part 1027 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Amend § 1027.100 by revising paragraph (b)(4) to read as follows:

§ 1027.100 Definitions. * * * * * (b) * * *

(4) For purposes of this paragraph (b) and § 1027.210, the terms “purchase” and “sale” do not include the purchase of jewels, precious metals, or precious stones that are incorporated into machinery or equipment to be used for industrial purposes, and the purchase and sale of such machinery or equipment.

• * * * * 40. Add § 1027.110 to read as follows:

§ 1027.110 Severability. If any provision of this part, or any provision of this chapter referencing dealers in precious metals, precious stones, or jewels, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1027.210 to read as follows:

§ 1027.210 Anti-money laundering/countering the financing of terrorism program requirements for dealers in precious metals, precious stones, or jewels. (a) In general. A dealer has an effective AML/CFT program and ( printed page 18759) complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the dealer:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(3) To the extent that a retailer's purchases from persons other than dealers and other retailers exceeds the $50,000 threshold contained in § 1027.100(b)(2)(i), the AML/CFT program required of the retailer under this paragraph (a) need only address such purchases.

(b) Program establishment. A dealer establishes an AML/CFT program in accordance with this paragraph (b) if the dealer:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the dealer's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the dealer's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the dealer knows or has reason to know significantly changes the dealer's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the dealer's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the dealer, rather than toward lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by dealer personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A dealer implements an AML/CFT program in accordance with this paragraph (c) if the insurance company implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A dealer's AML/CFT program must be written, and it must be approved by the dealer's board of directors, an equivalent governing body within the dealer, or appropriate senior management. The dealer must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

(e) Implementation date. A dealer must develop and implement an anti-money laundering program that complies with the requirements of this section on or before six months after the date a dealer becomes subject to the requirements of this section.

PART 1028—RULES FOR OPERATORS OF CREDIT CARD SYSTEMS

1. Revise the authority citation for part 1028 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1028.110 to read as follows:

§ 1028.110 Severability. If any provision of this part, or any provision of this chapter referencing operators of credit card systems, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1028.210 to read as follows:

§ 1028.210 Anti-money laundering/countering the financing of terrorism program requirements for operators of credit card systems. (a) In general. An operator of credit card systems has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the operator of credit card systems:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. An operator establishes an AML/CFT program in accordance with this paragraph (b) if the operator of credit card systems:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the operator's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the operator's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the operator knows or has reason to know significantly changes the operator's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the operator's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the operator's, rather than toward lower-risk customers and activities; and

(iii) That the operator does not authorize, or maintain authorization for, any person to serve as an issuing or acquiring institution without the operator taking appropriate steps, based upon the operator's money laundering or terrorist financing risk assessment, to guard against that person issuing the operator's credit card or acquiring merchants who accept the operator's credit card in circumstances that facilitate money laundering or the financing of terrorist activities; and

(iv) For purposes of making the risk assessment required by paragraph (b)(1)(i) of this section, the following persons are presumed to pose a heightened risk of money laundering or terrorist financing when evaluating whether and under what circumstances ( printed page 18760) to authorize, or to maintain authorization for, any such person to serve as an issuing or acquiring institution:

(A) A foreign shell bank that is not a regulated affiliate, as those terms are defined in § 1010.605(g) and (n) of this chapter;

(B) A person appearing on the Specially Designated Nationals List issued by Treasury's Office of Foreign Assets Control;

(C) A person located in, or operating under a license issued by, a jurisdiction whose government has been identified by the Department of State as a sponsor of international terrorism under 22 U.S.C. 2371;

(D) A foreign bank operating under an offshore banking license, other than a branch of a foreign bank if such foreign bank has been found by the Board of Governors of the Federal Reserve System under the Bank Holding Company Act (12 U.S.C. 1841, et seq.) or the International Banking Act (12 U.S.C. 3101, et seq.) to be subject to comprehensive supervision or regulation on a consolidated basis by the relevant supervisors in that jurisdiction;

(E) A person located in, or operating under a license issued by, a jurisdiction that has been designated as noncooperative with international anti-money laundering principles or procedures by an intergovernmental group or organization of which the United States is a member, with which designation the United States representative to the group or organization concurs; and

(F) A person located in, or operating under a license issued by, a jurisdiction that has been designated by the Secretary of the Treasury pursuant to 31 U.S.C. 5318A as warranting special measures due to money laundering concerns;

(2) Establishes independent AML/CFT program testing to be conducted by operator personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. An operator implements an AML/CFT program in accordance with this paragraph (c) if the operator implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. An operator's AML/CFT program must be written, and it must be approved by the operator's board of directors, or an equivalent governing body within the operator, or appropriate senior management. The operator must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

PART 1029—RULES FOR LOAN OR FINANCE COMPANIES

1. Revise the authority citation for part 1029 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1029.110 to read as follows:

§ 1029.110 Severability. If any provision of this part, or any provision of this chapter referencing loan or finance companies, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1029.210 to read as follows:

§ 1029.210 Anti-money laundering/countering the financing of terrorism program requirements for loan or finance companies. (a) In general. A loan or finance company has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the operator of credit card systems:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A loan or finance company establishes an AML/CFT program in accordance with this paragraph (b) if the loan or finance company:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the operator's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the loan or finance company's business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the loan or finance company knows or has reason to know significantly changes the loan or finance company's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the loan or finance company's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the loan or finance company's, rather than toward lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by loan or finance company personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A loan or finance company implements an AML/CFT program in accordance with this paragraph (c) if the operator implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A loan or finance company AML/CFT program must be written, and it must be approved by the loan or finance company's board of directors, an equivalent governing body within the loan or finance company, or appropriate senior management. The loan or finance company must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

( printed page 18761) § 1029.320 [Amended] 51. Amend § 1029.320 by removing paragraph (g).

PART 1030—RULES FOR HOUSING GOVERNMENT SPONSORED ENTERPRISES

1. Revise the authority citation for part 1030 to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1030.110 to read as follows:

§ 1030.110 Severability. If any provision of this part, or any provision of this chapter referencing housing government sponsored enterprises, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1030.210 to read as follows:

§ 1030.210 Anti-money laundering/countering the financing of terrorism program requirements for housing government sponsored enterprises. (a) In general. A housing government sponsored enterprise has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the housing government sponsored enterprise:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A housing government sponsored enterprise establishes an AML/CFT program in accordance with this paragraph (b) if the housing government sponsored enterprise:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the housing government sponsored enterprise's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the housing government sponsored enterprise business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the housing government sponsored enterprise knows or has reason to know significantly changes the housing government sponsored enterprise's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the housing government sponsored enterprise's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the housing government sponsored enterprise, rather than toward lower-risk customers and activities; and

(2) Establishes independent AML/CFT program testing to be conducted by housing government sponsored enterprise personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A housing government sponsored enterprise implements an AML/CFT program in accordance with this paragraph (c) if the housing government sponsored enterprise implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A housing government sponsored enterprise's AML/CFT program must be written, and it must be approved by the housing government sponsored enterprise's board of directors, an equivalent governing body within the housing government sponsored enterprise, or appropriate senior management. The housing government sponsored enterprise must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

§ 1030.320 [Amended] 56. Amend § 1030.320 by removing paragraph (g).

Andrea M. Gacki,

Director, Financial Crimes Enforcement Network.

Footnotes

1.

                         When referring to the existing program rules, the term “AML program rules” is used; when referring to the requirements that this NPRM is proposing, the term “AML/CFT program rules” is used.

Back to Citation 2.

                         Certain parts of the Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to the subject matter of that Act, have come to be referred to as the BSA. These statutes are codified at [12 U.S.C. 1829b](https://www.govinfo.gov/link/uscode/12/1829b), [12 U.S.C. 1951-1960](https://www.govinfo.gov/link/uscode/12/1951), and [31 U.S.C. 5311-5314](https://www.govinfo.gov/link/uscode/31/5311) and [5316-5336](https://www.govinfo.gov/link/uscode/31/5316) and notes thereto, with implementing regulations at [31 CFR chapter X](https://www.ecfr.gov/current/title-31/chapter-X). Certain criminal statutes—namely, [18 U.S.C. 1956](https://www.govinfo.gov/link/uscode/18/1956), [1957](https://www.govinfo.gov/link/uscode/18/1957), and [1960](https://www.govinfo.gov/link/uscode/18/1960) —are included in the BSA definition at [31 CFR 1010.100(e)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(e)). Section 6003 of the AML Act, however, does not include these provisions in its BSA definition, and thus FinCEN is not considering them part of the BSA for the purposes of this proposed rule. The AML program rules are located at [31 CFR 1020.210](https://www.ecfr.gov/current/title-31/section-1020.210) (banks), 1021.210 (casinos), 1022.210 (MSBs), 1023.210 (broker-dealers), 1024.210 (mutual funds), 1025.210 (insurance companies), 1026.210 (FCMs and IBCs), 1027.210 (DPMSJs), 1028.210 (operators of credit card systems), 1029.210 (loan or finance companies), and 1030.210 (housing GSEs). FinCEN notes this proposed rule does not propose any amendments to the final rule establishing AML/CFT and suspicious activity report (SAR) filing requirements for registered investment advisers and exempt reporting advisers, which has been delayed until January 1, 2028. 
                        See 
                         FinCEN, *Delaying the Effective Date of the Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers Final Rule,* [91 FR 36](https://www.federalregister.gov/citation/91-FR-36) (Jan. 2, 2026).

Back to Citation 3.

                         As defined in section 281(5) of the Countering America's Adversaries Through Sanctions Act, the term “illicit finance” means “the financing of terrorism, narcotics trafficking, or proliferation, money laundering, or other forms of illicit financing domestically or internationally, as defined by the President.” [Public Law 115-44](https://www.govinfo.gov/link/plaw/115/public/44) (Aug. 2, 2017).

Back to Citation 4. 31 U.S.C. 5311.

Back to Citation 5.

                         Treasury Order 180-01 (Jan. 14, 2020), para. 3, *[https://home.treasury.gov/​about/​general-information/​orders-and-directives/​treasury-order-180-01](https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01); see also* [31 U.S.C. 310(b)(2)(I)](https://www.govinfo.gov/link/uscode/31/310) (providing that the Director of FinCEN shall “[a]dminister the requirements of subchapter II of chapter 53 of this title, chapter 2 of title I of Public Law 91-508, and section 21 of the Federal Deposit Insurance Act, to the extent delegated such authority by the Secretary.”).

Back to Citation 6.

                         Most recently, Congress enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act on July 18, 2025. [Public Law 119-27](https://www.govinfo.gov/link/plaw/119/public/27), *codified at* [12 U.S.C. 5901](https://www.govinfo.gov/link/uscode/12/5901) *et seq.* The GENIUS Act requires that permitted payment stablecoin issuers be treated as financial institutions for purposes of the BSA including being required to maintain “an effective anti-money laundering program.” 
                        See [12 U.S.C. 5903(a)(5)(A)(i)](https://www.govinfo.gov/link/uscode/12/5903). The GENIUS Act also requires the Agencies to issue regulations relating to PPSIs, including regulations pertaining to BSA compliance standards. [12 U.S.C. 5903(a)(4)(iv)](https://www.govinfo.gov/link/uscode/12/5903). These AML/CFT requirements and standards for PPSIs are addressed separately from this rulemaking.

Back to Citation 7.

                         Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992).

Back to Citation 8. 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550 (Oct. 28, 1992). FinCEN notes the proposed rule sequences these AML/CFT program components—the four pillars—in the order of the existing AML program rule for banks, rather than the order used in 31 U.S.C. 5318(h)(1): namely, (i) a system of internal controls to assure ongoing compliance; (ii) independent testing for compliance to be conducted by bank personnel or by an outside party; (iii) designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and (iv) training for appropriate personnel.
See 31 CFR 1020.210(a)(2). FinCEN, however, does not intend the change in sequencing to modify or signify changes in any substantive requirements.

Back to Citation 9. 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001).

Back to Citation 10. 31 U.S.C. 5318(h), as added by section 352 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001).

Back to Citation 11. 31 U.S.C. 5318(a)(2), (h)(1), (h)(2); supra note 5

Back to Citation 12.

                         
                        See 
                         FinCEN, *Customer Due Diligence Requirements for Financial Institutions,* [81 FR 29398](https://www.federalregister.gov/citation/81-FR-29398) (May 11, 2016).

Back to Citation 13.

                         William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, [Public Law 116-283](https://www.govinfo.gov/link/plaw/116/public/283), 134 Stat. 3388 (Jan. 1, 2021).

Back to Citation 14.

                         Congress noted in its Joint Explanatory Statement of the Committee of Conference accompanying the FY21 NDAA that: “the current [AML/CFT] regulatory framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which the Congress enacted in 1970. This decades-old regime, which has not seen comprehensive reform and modernization since its inception, is generally built on individual reporting mechanisms (*i.e.,* currency transaction reports (CTRs) and SARs) and contemplates aging, decades-old technology, rather than the current, sophisticated AML compliance systems now managed by most financial institutions.” Congress further stated that the AML Act “comprehensively update[s] the BSA for the first time in decades and provide[s] for the establishment of a coherent set of risk-based priorities.” Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

Back to Citation 15.

                         H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

Back to Citation 16. 15 U.S.C. 6809(2).

Back to Citation 17.

                         
                        See 
                         FinCEN, AML/CFT Priorities (June 30, 2021). As required by [31 U.S.C. 5318(h)(4)(C)](https://www.govinfo.gov/link/uscode/31/5318), the AML/CFT Priorities are consistent with Treasury's National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024) and supported by Treasury's National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. 
                        See 
                         U.S. Department of the Treasury, 2026 National Money Laundering Risk Assessment (March 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NMLRA.pdf](https://home.treasury.gov/system/files/246/2026-NMLRA.pdf);* 2026 National Terrorist Financing Risk Assessment (March 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NTFRA.pdf](https://home.treasury.gov/system/files/246/2026-NTFRA.pdf);* 2026 National Proliferation Financing Risk Assessment (March 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NPFRA.pdf](https://home.treasury.gov/system/files/246/2026-NPFRA.pdf).* As also required by [31 U.S.C. 5318(h)(4)(B)](https://www.govinfo.gov/link/uscode/31/5318), the Secretary, in consultation with the Attorney General, Federal functional regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities not less frequently than once every four years.

Back to Citation 18.

                         FinCEN, *Anti-Money Laundering Program Effectiveness,* [85 FR 58023](https://www.federalregister.gov/citation/85-FR-58023) (Sept. 17, 2020).

Back to Citation 19. 85 FR 58026.

Back to Citation 20. Id.

Back to Citation 21.

                         FinCEN, *Anti-Money Laundering and Countering the Financing of Terrorism Programs,* [89 FR 55428](https://www.federalregister.gov/citation/89-FR-55428) (July 3, 2024).

Back to Citation 22.

                         As discussed below, these Federal agencies are also known as the Federal Financial Institutions Regulatory Agencies (FFIRAs) and proposed 1010.100(ooo) defines these agencies using this term. However, this preamble uses the term “Agencies” to refer to the FFIRAs.

Back to Citation 23.

                         FRB, FDIC, NCUA, and OCC, *Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements,* [89 FR 65242](https://www.federalregister.gov/citation/89-FR-65242) (Aug. 9, 2024).

Back to Citation 24. 89 FR 55430.

Back to Citation 25. 89 FR 55436.

Back to Citation 26.

                         “Reports filed under this subsection shall be guided by the compliance program of a covered financial institution with respect to the Bank Secrecy Act, including the risk assessment processes of the covered institution that should include a consideration of priorities established by the Secretary of the Treasury under section 5318.” [31 U.S.C. 5318(g)(5)(C)](https://www.govinfo.gov/link/uscode/31/5318), as added by section 6202 of the AML Act.

Back to Citation 27. 89 FR 55485.

Back to Citation 28. 31 U.S.C. 5318(h)(5).

Back to Citation 29. 89 FR 55444.

Back to Citation 30.

                         U.S. Department of the Treasury, Press Release, “Treasury Secretary Scott Bessent Remarks before the American Bankers Association” (Apr. 9, 2025), *[https://home.treasury.gov/​news/​press-releases/​sb0078](https://home.treasury.gov/news/press-releases/sb0078).*

Back to Citation 31.

                         U.S. Department of the Treasury, Press Release, “Remarks by Secretary of the Treasury Scott Bessent Before the Fed Community Bank Conference” (Oct. 9, 2025), *[https://home.treasury.gov/​news/​press-releases/​sb0276](https://home.treasury.gov/news/press-releases/sb0276).*

Back to Citation 32. Id.

Back to Citation 33.

                         U.S. Department of the Treasury, Press Release, “Deputy Secretary Faulkender Lays Out Guiding Principles for Bank Secrecy Act Modernization” (June 18, 2025), *[https://home.treasury.gov/​news/​press-releases/​sb0173](https://home.treasury.gov/news/press-releases/sb0173).*

Back to Citation 34.

                         FinCEN, *FinCEN Permits Banks to Use Alternative Collection Method for Obtaining TIN Information* (June 27, 2025), *[https://www.fincen.gov/​news/​news-releases/​fincen-permits-banks-use-alternative-collection-method-obtaining-tin-information](https://www.fincen.gov/news/news-releases/fincen-permits-banks-use-alternative-collection-method-obtaining-tin-information).*

Back to Citation 35.

                         FinCEN, *FinCEN Issues Frequently Asked Questions to Clarify Suspicious Activity Reporting Requirements* (Oct. 9, 2025), *[https://www.fincen.gov/​news/​news-releases/​fincen-issues-frequently-asked-questions-clarify-suspicious-activity-reporting](https://www.fincen.gov/news/news-releases/fincen-issues-frequently-asked-questions-clarify-suspicious-activity-reporting).*

Back to Citation 36.

                         FinCEN, *FinCEN Issues Exceptive Relief to Streamline Customer Due Diligence Requirements* (Feb. 13, 2026), *[https://www.fincen.gov/​system/​files/​2026-02/​FinCEN-Order-CCDExceptiveRelief.pdf](https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf).*

Back to Citation 37. E.O. 14192, Unleashing Prosperity Through Deregulation, 90 FR 9065 (issued Jan. 31, 2025; published Feb. 6, 2025).

Back to Citation 38. Id.

Back to Citation 39. 31 U.S.C. 5311.

Back to Citation 40. 31 U.S.C. 5318(h)(2)(B)(iv)(II).

Back to Citation 41. E.O. 14331, Guaranteeing Fair Banking for All Americans, 90 FR 38925 (issued Aug. 7, 2025; published Aug. 12, 2025).

Back to Citation 42.

                         
                        See 
                         FRB, FDIC, FinCEN, NCUA, and OCC, *Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence* (July 6, 2022), *[https://www.fincen.gov/​news/​news-releases/​joint-statement-risk-based-approach-assessing-customer-relationships-and](https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and).*

Back to Citation 43. 31 U.S.C. 5318(h)(2)(B)(iii).

Back to Citation 44.

                         FinCEN, *FinCEN Statement on Enforcement of the Bank Secrecy Act* (Aug. 18, 2020), *[https://www.fincen.gov/​news/​news-releases/​fincen-statement-enforcement-bank-secrecy-act](https://www.fincen.gov/news/news-releases/fincen-statement-enforcement-bank-secrecy-act).*

Back to Citation 45.

                         Because FinCEN has not delegated any enforcement authority to the Agencies, the Agencies have no authority to take an enforcement action under [31 CFR chapter X](https://www.ecfr.gov/current/title-31/chapter-X). As a result, there is no corresponding rule text related to enforcement actions by the Agencies acting under authority provided by FinCEN.

Back to Citation 46.

                         FinCEN anticipates the Agencies imposing a similar consultation requirement on themselves when the Agencies act under other laws, including [12 U.S.C. 1786](https://www.govinfo.gov/link/uscode/12/1786) or [1818](https://www.govinfo.gov/link/uscode/12/1818).

Back to Citation 47.

                         Countering the financing of terrorism (CFT) includes laws, rules, regulations, or other measures intended to detect and disrupt the solicitation, collection, or provision of funds to support terrorist acts or terrorist organizations, or other violent extremist groups.

Back to Citation 48.

                         
                        See [31 U.S.C. 5318(h)(2)(B)(iii)](https://www.govinfo.gov/link/uscode/31/5318).

Back to Citation 49.

                         Federal Financial Institutions Examination Council (FFIEC), *FFIEC BSA/AML Examination Manual, Assessing Compliance with BSA Regulatory Requirements* — *Suspicious Activity Reporting, [https://bsaaml.ffiec.gov/​manual/​AssessingComplianceWithBSARegulatoryRequirements/​04](https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04).*

Back to Citation 50. 85 FR 58026.

Back to Citation 51.

                          AML Act, section 6002(3) (Purposes).

Back to Citation 52. E.O. 14179, Removing Barriers to American Leadership in Artificial Intelligence, 90 FR 8741 (issued Jan. 23, 2025; published Jan. 31, 2025); White House, Winning the Race America's AI Action Plan (July 2025), https://www.whitehouse.gov/​wp-content/​uploads/​2025/​07/​Americas-AI-Action-Plan.pdf; E.O. 14179, Ensuring a National Policy Framework for Artificial Intelligence, 90 FR 58499 (issued Dec. 11, 2025; published Dec. 16, 2025).

Back to Citation 53.

                         U.S. Department of the Treasury, *2024 National Strategy for Combating Terrorist and Other Illicit Financing* (May 2024), *[https://home.treasury.gov/​system/​files/​136/​2024-Illicit-Finance-Strategy.pdf](https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf).*

Back to Citation 54.

                         U.S. Department of the Treasury, Press Release, “Remarks by Under Secretary for Terrorism and Financial Intelligence John K. Hurley at the Association of Certified Anti-Money Laundering Specialists Assembly Conference” (Sept. 17, 2025), *[https://home.treasury.gov/​news/​press-releases/​sb0251](https://home.treasury.gov/news/press-releases/sb0251).*

Back to Citation 55.

                         White House, *Strengthening American Leadership in Digital Financial Technology* (July 30, 2025), *[https://www.whitehouse.gov/​wp-content/​uploads/​2025/​07/​Digital-Assets-Report-EO14178.pdf](https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf);* U.S. Department of the Treasury, *Report to Congress from the Secretary of the Treasury on Innovative Technologies to Counter Illicit Finance Involving Digital Assets* (Mar. 2026), *[https://home.treasury.gov/​system/​files/​246/​GENIUS-Act-Illicit-Finance-Innovation-Congressional-Report-March-2026.pdf](https://home.treasury.gov/system/files/246/GENIUS-Act-Illicit-Finance-Innovation-Congressional-Report-March-2026.pdf).*

Back to Citation 56.

                         FRB, FDIC, FinCEN, NCUA, and OCC, *Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing* (Dec. 3, 2018), *[https://www.fincen.gov/​system/​files/​2018-12/​Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_​508.pdf](https://www.fincen.gov/system/files/2018-12/Joint%2520Statement%2520on%2520Innovation%2520Statement%2520%2528Final%252011-30-18%2529_508.pdf).*

Back to Citation 57.

                         OCC, FRB, FDIC, NCUA, and FinCEN, *Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements,* [86 FR 18978](https://www.federalregister.gov/citation/86-FR-18978) (Apr. 12, 2021).

Back to Citation 58.

                         FRB and OCC, *Supervisory Guidance on Model Risk Management,* (Apr. 4, 2011), *[https://www.federalreserve.gov/​supervisionreg/​srletters/​sr1107a1.pdf](https://www.federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf).*

Back to Citation 59.

                         For instance, the provision of the BSA which requires financial institutions to have AML/CFT program rules states that “each financial institution shall *establish* ”(emphasis added) such programs, including certain requirements as specified. 
                        See [31 U.S.C. 5318(h)(1)](https://www.govinfo.gov/link/uscode/31/5318). The corresponding Federal statute requiring banks regulated by the Federal banking agencies to have BSA compliance programs states that these banks must “establish and maintain procedures reasonably designed to assure and monitor the compliance” with the requirements of the BSA. [12 U.S.C. 1818(s)(1)](https://www.govinfo.gov/link/uscode/12/1818). In addition, the current program rules regulating financial institutions use inconsistent terms to describe establishing, implementing, and maintaining AML/CFT programs. For example, some programs rules use the terms “implements and maintains”— [31 CFR 1020.210](https://www.ecfr.gov/current/title-31/section-1020.210) (banks); 1021.210 (casinos); 1023.210 (broker-dealers); 1026.210 (FCMs and IBCs) while others use the terms “develop, implement, and maintain,” 1022.210 (MSBs) and others use “develop and implement” 1024.210 (mutual funds); 1025.210 (insurance companies); 1027.210 (DPMSJs); 1028.210 (operators of credit card systems); 1029.210 (loan or finance companies); and 1030.210 (housing GSEs)—with respect to the general AML program requirement.

Back to Citation 60.

                         The proposed rule would clarify that this limitation on AML/CFT enforcement actions and significant AML/CFT supervisory actions does not apply with respect to a failure to properly *establish* an AML/CFT program.

Back to Citation 61. 31 U.S.C. 5318(h)(1)(A).

Back to Citation 62.

                         
                        See [31 CFR 1029.210](https://www.ecfr.gov/current/title-31/section-1029.210) (loan or finance companies); 1030.210 (housing GSEs); *see also* [31 CFR 1025.210](https://www.ecfr.gov/current/title-31/section-1025.210) (insurance companies); 1028.210 (operators of credit card systems).

Back to Citation 63.

                         
                        See [31 CFR 1022.210](https://www.ecfr.gov/current/title-31/section-1022.210) (MSBs); 1025.210 (insurance companies); *see also* [31 CFR 1021.210](https://www.ecfr.gov/current/title-31/section-1021.210) (casinos) (“commensurate with the money laundering and terrorist financing risks posed by the products and services”).

Back to Citation 64.

                         The current program rules without explicit risk assessment requirements are located at [31 CFR 1020.210](https://www.ecfr.gov/current/title-31/section-1020.210) (banks); 1021.210 (casinos); 1022.210 (MSBs); 1023.210 (broker-dealers); 1024.210 (mutual funds); and 1026.210 (FCMs and IBCs).

Back to Citation 65.

                         
                        See 
                         FinCEN, *Section 314(b) Fact Sheet,* (Dec. 2020), *[https://www.fincen.gov/​system/​files/​shared/​314bfactsheet.pdf](https://www.fincen.gov/system/files/shared/314bfactsheet.pdf).*

Back to Citation 66.

                         
                        See 
                         U.S. Department of the Treasury, *2026 National Money Laundering Risk Assessment* (March 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NMLRA.pdf](https://home.treasury.gov/system/files/246/2026-NMLRA.pdf); 2026 National Terrorist Financing Risk Assessment* (March 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NTFRA.pdf](https://home.treasury.gov/system/files/246/2026-NTFRA.pdf); 2026 National Proliferation Financing Risk Assessment* (March 2026), *[https://home.treasury.gov/​system/​files/​246/​2026-NPFRA.pdf](https://home.treasury.gov/system/files/246/2026-NPFRA.pdf).*

Back to Citation 67. See, e.g., FinCEN, Financial Trend Analyses, https://www.fincen.gov/​resources/​financial-trend-analyses.

Back to Citation 68. 31 U.S.C. 5318(h)(4)(E).

Back to Citation 69. 31 U.S.C. 5318(h)(4)(B).

Back to Citation 70.

                         U.S. Department of the Treasury, Press Release, “Secretary Bessent Announces Initiatives to Combat Rampant Fraud in Minnesota” (Jan. 9, 2026), *[https://home.treasury.gov/​news/​press-releases/​sb0354](https://home.treasury.gov/news/press-releases/sb0354).*

Back to Citation 71.

                         FinCEN, *Alerts/Advisories/Notices/Bulletins/Fact Sheets, [https://www.fincen.gov/​resources/​advisoriesbulletinsfact-sheets](https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets).*

Back to Citation 72.

                         FinCEN, *Financial Trend Analyses, [https://www.fincen.gov/​resources/​financial-trend-analyses](https://www.fincen.gov/resources/financial-trend-analyses).*

Back to Citation 73.

                         FinCEN, *FinCEN Alert on Fraud Rings and their Exploitation of Federal Child Nutrition programs in Minnesota,* (Jan. 9, 2026), *[https://www.fincen.gov/​system/​files/​2026-01/​FinCEN-Alert-Federal-Child-Nutrition-Programs.pdf](https://www.fincen.gov/system/files/2026-01/FinCEN-Alert-Federal-Child-Nutrition-Programs.pdf).*

Back to Citation 74. 31 U.S.C. 5318(h)(2)(B)(iv)(II).

Back to Citation 75.

                         
                        See 
                         applicable program rules with CDD requirements for covered financial institutions located at [31 CFR 1020.210(a)(2)(v)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(v)) and [(b)(2)(v)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(v)) (banks); 1023.210(b)(5) (broker-dealers); 1024.210(b)(5) (mutual funds); and 1026.210(b)(5) (FCMs and IBCs).

Back to Citation 76. 31 U.S.C. 5318(h)(1)(D).

Back to Citation 77.

                         
                        See [31 CFR 1020.210(a)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(ii)), [(b)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(ii)) (banks); 1021.210(b)(2)(ii) (casinos); 1022.210(d)(4) (MSBs); 1023.210(b)(2) (broker-dealers); 1024.210(b)(2) (mutual funds); 1025.210(b)(4) (insurance companies); 1026.210(b)(2) (FCMs and IBCs); 1027.210(b)(4) (DPMSJs); 1028.210(b)(4) (operators of a credit card system); 1029.210(b)(4) (loan or finance companies); 1030.210(b)(4) (housing GSEs).

Back to Citation 78.

                         This is consistent with current [31 CFR 1022.210](https://www.ecfr.gov/current/title-31/section-1022.210), which provides that independent testing review may be conducted by an officer or employee of the MSB so long as the tester is not the AML/CFT officer. Similarly, current [31 CFR 1025.210](https://www.ecfr.gov/current/title-31/section-1025.210), [1029.210](https://www.ecfr.gov/current/title-31/section-1029.210), and [1030.210](https://www.ecfr.gov/current/title-31/section-1030.210) provide that independent testing at insurance companies, loan or finance companies, and housing GSEs, respectively, may be conducted by a third party or by any officer or employee of the financial institution, other than the AML/CFT officer. Likewise, [31 CFR 1027.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1027.210#p-1027.210(b)(4)) and [1028.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(4)) provide that independent testing of a DPMSJ or an operator of a credit card system, respectively, can be conducted by an officer or employee of the institution, so long as the tester is not the AML/CFT officer or a person involved in the operation of the AML/CFT program. Determining whether testing at U.S. operations of foreign financial institutions is adequately “independent” may include a review of the reporting arrangements between the party 

                        conducting the independent testing and the AML/CFT officer, or equivalent management function such as a head of business line or a general manager, to assess any conflicts of interests and the level of independence with the party conducting the independent testing.

Back to Citation 79.

                         
                        See 
                         FRB, FDIC, NCUA, OCC and FinCEN, *Interagency Statement on Sharing Bank Secrecy Act Resources* (Oct. 3, 2018), *[https://www.fincen.gov/​news/​news-releases/​interagency-statement-sharing-bank-secrecy-act-resources](https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources).*

Back to Citation 80.

                         
                        See 
                         applicable program rules located at [31 CFR 1023.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1023.210#p-1023.210(b)(2)) (broker-dealers); 1024.210(b)(2) (mutual funds); and 1026.210(b)(2) (FCMs and IBCs).

Back to Citation 81.

                         
                        See [31 CFR 1022.210(d)(2)](https://www.ecfr.gov/current/title-31/section-1022.210#p-1022.210(d)(2)) (MSBs); 1025.210(b)(2) (insurance companies); 1027.210(b)(2) (DPMSJs); 1028.210(b)(2) (operators of credit card systems); 1029.210(b)(2) (loan or finance companies); 1030.210(b)(2) (housing GSEs).

Back to Citation 82.

                         
                        See [31 CFR 1027.210(b)(2)(i)](https://www.ecfr.gov/current/title-31/section-1027.210#p-1027.210(b)(2)(i)) (DPMSJs); 1028.210(b)(2)(i) (operators of credit card systems); 1029.210(b)(2)(i) (loan or finance companies); 1030.210(b)(2)(i) (housing GSEs).

Back to Citation 83. 31 U.S.C. 5318(h)(5).

Back to Citation 84. See, e.g., FinCEN, Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3, 2010); see also FinCEN, FRB, FDIC, OCC, and Office of Thrift Supervision, Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (Jan. 20, 2006), https://www.fincen.gov/​system/​files/​guidance/​sarsharingguidance01122006.pdf.

Back to Citation 85. 31 U.S.C. 5318(h)(1)(C).

Back to Citation 86.

                         
                        See [31 CFR 1020.210(a)(2)(iv)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(iv)), [(b)(2)(iv)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(iv)) (banks); 1021.210(b)(2)(iii) (casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) (broker-dealers); 1024.210(b)(4) (mutual funds); 1025.210(b)(3) (insurance companies); 1026.210(b)(4) (FCMs and IBCs); 1027.210(b)(3) (DPMSJs); 1028.210(b)(3) (operators of credit card systems); 1029.210(b)(3) (loan or finance companies); 1030.210(b)(3) (housing GSEs).

Back to Citation 87.

                         Current [31 CFR 1020.210(b)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)) requires banks lacking a Federal functional regulator to establish, maintain, and make available a written anti-money laundering program. Banks with a Federal functional regulator are required to have written anti-money laundering programs under the regulators' existing rules. 
                        See [12 CFR 21.21(c)(1)](https://www.ecfr.gov/current/title-12/section-21.21#p-21.21(c)(1)), [208.63(b)(1)](https://www.ecfr.gov/current/title-12/section-208.63#p-208.63(b)(1)), [326.8(b)(1)](https://www.ecfr.gov/current/title-12/section-326.8#p-326.8(b)(1)), [748.2(b)(1)](https://www.ecfr.gov/current/title-12/section-748.2#p-748.2(b)(1)). The current program rules require other types of financial institutions to have written programs at [31 CFR 1021.210(b)(1)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(1)) (casinos); 1022.210(c) (MSBs); 1023.210 (broker-dealers); 1024.210(a) (mutual funds); 1025.210(a) (insurance companies); 1026.210 (FCMs and IBCs); 1027.210(a)(1) (DPMSJs); 1028.210(a) (operators of credit card systems); 1029.210(a) (loan or finance companies); 1030.210(a) (housing GSEs).

Back to Citation 88.

                         
                        See [31 CFR 1010.810(b)](https://www.ecfr.gov/current/title-31/section-1010.810#p-1010.810(b)) (FinCEN's delegation of “[a]uthority to examine institutions to determine compliance with the requirements of this chapter”).

Back to Citation 89.

                         For broker-dealers, FinCEN recognizes the SEC as the relevant Federal functional regulator. *See id.* 1010.810(b)(6) (delegating examination authority to SEC for broker-dealers). FinCEN recognizes registered national securities exchanges or a national securities association, such as the Financial Industry Regulatory Authority (FINRA), as the relevant SROs for member broker-dealers. Similarly, for FCMs and IBCs, FinCEN recognizes the CFTC as the relevant Federal functional regulator, [31 CFR 1010.810(b)(9)](https://www.ecfr.gov/current/title-31/section-1010.810#p-1010.810(b)(9)), and the National Futures Association (NFA) as the SRO.

Back to Citation 90.

                         The FRB, FDIC, and OCC each require the U.S. branches, agencies, and representative offices of the foreign banks they supervise operating in the United States to develop written BSA compliance programs that are approved by their respective bank's board and noted in the minutes, or that are approved by delegates acting under the express authority of their respective bank's board to approve the BSA compliance programs. 
                        See 
                         208.63(b)(1), [12 CFR 21.21(c)(1)](https://www.ecfr.gov/current/title-12/section-21.21#p-21.21(c)(1)), [326.8(b)(1)](https://www.ecfr.gov/current/title-12/section-326.8#p-326.8(b)(1)), and [748.2(b)(1)](https://www.ecfr.gov/current/title-12/section-748.2#p-748.2(b)(1)). “Express authority” means the head office must be aware of its U.S. AML program requirements and there must be some indication of purposeful delegation.

Back to Citation 91.

                         
                        See [31 CFR 1020.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(3)) (banks lacking a Federal functional regulator).

Back to Citation 92.

                         
                        See [12 CFR 21.21(c)(1)](https://www.ecfr.gov/current/title-12/section-21.21#p-21.21(c)(1)), [208.63(b)(1)](https://www.ecfr.gov/current/title-12/section-208.63#p-208.63(b)(1)), [326.8(b)(1)](https://www.ecfr.gov/current/title-12/section-326.8#p-326.8(b)(1)), [748.2(b)(1)](https://www.ecfr.gov/current/title-12/section-748.2#p-748.2(b)(1)).

Back to Citation 93.

                         
                        See [31 CFR 1023.210](https://www.ecfr.gov/current/title-31/section-1023.210) (broker-dealers); 1025.210(a) (insurance companies); 1026.210 (FCMs and IBCs); 1027.210(a)(1) (DPMSJs); 1028.210(a) (operators of credit card systems); 1029.210(a) (loan or finance companies); 1030.210(a) (housing GSEs).

Back to Citation 94.

                         
                        See 
                         applicable AML program rules located at [31 CFR 1021.210](https://www.ecfr.gov/current/title-31/section-1021.210) (casinos) and 1022.210 (MSBs).

Back to Citation 95.

                         
                        See [17 CFR 270.38a-1(a)(2)](https://www.ecfr.gov/current/title-17/section-270.38a-1#p-270.38a-1(a)(2)).

Back to Citation 96.

                         The proposal is not intended to and does not affect criminal enforcement liability under the BSA, or the related authority of the Department of Justice.

Back to Citation 97.

                         FinCEN, *FinCEN Statement on Enforcement of the Bank Secrecy Act* (Aug. 18, 2020), at pp. 2-3, *[https://www.fincen.gov/​system/​files/​shared/​FinCEN%20Enforcement%20Statement_​FINAL%20508.pdf](https://www.fincen.gov/system/files/shared/FinCEN%2520Enforcement%2520Statement_FINAL%2520508.pdf).*

Back to Citation 98.

                         This includes when the Agencies are consulting with FinCEN as required under the proposed rule, or under a consultation requirement they have imposed on themselves (which may include enforcement actions).

Back to Citation 99.

                         FinCEN, *FinCEN Exchange, [https://www.fincen.gov/​resources/​fincen-exchange](https://www.fincen.gov/resources/fincen-exchange).*

Back to Citation 100.

                         FinCEN, *FinCEN Statement on Enforcement of the Bank Secrecy Act* (Aug. 18, 2020), *[https://www.fincen.gov/​system/​files/​shared/​FinCEN%20Enforcement%20Statement_​FINAL%20508.pdf](https://www.fincen.gov/system/files/shared/FinCEN%2520Enforcement%2520Statement_FINAL%2520508.pdf).*

Back to Citation 101.

                         The CIP rules are located at [31 CFR 1020.220](https://www.ecfr.gov/current/title-31/section-1020.220) (banks), 1023.220 (broker-dealers), 1024.220 (mutual funds), and 1026.220 (FCMs and IBCs).

Back to Citation 102.

                         In particular, FinCEN first proposes to simplify this BSA definition to refer only to the U.S. Code provisions codifying the BSA, rather than to any act of Congress from which these provisions were originally derived. Second, FinCEN proposes removing [18 U.S.C. 1956](https://www.govinfo.gov/link/uscode/18/1956), [1957](https://www.govinfo.gov/link/uscode/18/1957), and 1960 from the regulatory BSA definition. These criminal provisions were included in FinCEN's BSA definition given their relationship to money laundering but are not otherwise linked to the other BSA provisions and are not included in the AML Act's BSA definition in section 6003(1) of the Act. Third, FinCEN proposes amending its BSA definition to include [31 U.S.C. 5336](https://www.govinfo.gov/link/uscode/31/5336) (*i.e.,* the operative provisions of the Corporate Transparency Act), which was added to the BSA by section 6403 of the AML Act.

Back to Citation 103.

                         Additionally, FinCEN proposes amending the authority citations in the relevant CFR sections to account for relevant statutory changes.

Back to Citation 104. 15 U.S.C. 78a et seq.

Back to Citation 105. 7 U.S.C. 1 et seq.

Back to Citation 106.

                         
                        See 
                         FinCEN, *Customer Identification Programs, Anti-Money Laundering Programs, and Beneficial Ownership Requirements for Banks Lacking a Federal Functional Regulator,* [85 FR 57129](https://www.federalregister.gov/citation/85-FR-57129) (Sept. 15, 2020).

Back to Citation 107.

                         
                        See 
                         applicable program rules located at [31 CFR 1020.210(a)(1)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(1)), [(b)(1)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(1)) (banks); 1023.210(a) (broker-dealers); and 1026.210(a) (FCMs and IBCs).

Back to Citation 108.

                         
                        See [31 CFR 1020.210(a)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(ii)), [(b)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(ii)) (banks); 1021.210(b)(2)(ii) (casinos); 1022.210(d)(4) (MSBs); 1023.210(b)(2) (broker-dealers); 1024.210(b)(2) (mutual funds); 1025.210(b)(4) (insurance companies); 1026.210(b)(2) (FCMs and IBCs); 1027.210(b)(4) (DPMSJs); 1028.210(b)(4) (operators of a credit card system); 1029.210(b)(4) (loan or finance companies); 1030.210(b)(4) (housing GSEs).

Back to Citation 109. 31 U.S.C. 5318(h)(1)(D).

Back to Citation 110. E.O. 14294, Fighting Overcriminalization in Federal Regulations, 90 FR 20367 (issued May 9, 2025; published May 14, 2025).

Back to Citation 111. E.O. 12866, Regulatory Planning and Review, 58 FR 51735 (issued Sept. 30, 1993; published Oct. 4, 1993).

Back to Citation 112. E.O. 13563, Improving Regulation and Regulatory Review, 76 FR 3821 (issued Jan. 18, 2011; published Jan. 21, 2011).

Back to Citation 113.

                         
                        See [E.O. 14192](https://www.federalregister.gov/executive-order/14192), *Unleashing Prosperity Through Deregulation,* [90 FR 9065](https://www.federalregister.gov/citation/90-FR-9065) (issued Jan. 31, 2025; published Feb. 6, 2025); Office of Management and Budget, *Guidance Implementing Section 3 of [Executive Order 14192](https://www.federalregister.gov/executive-order/14192), Titled “Unleashing Prosperity Through Deregulation,”* M-25-20 (Mar. 26, 2025), *[https://www.whitehouse.gov/​wp-content/​uploads/​2025/​02/​M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf](https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf).*

Back to Citation 114. 5 U.S.C. 601 et seq.

Back to Citation 115. 2 U.S.C. 1532.

Back to Citation 116. 44 U.S.C. 3501 et seq.

Back to Citation 117.

                         This economic expectation is sensitive to key assumptions about how potentially affected financial institutions would respond to the proposed requirements. FinCEN requests comment on whether it would instead be more reasonable to certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. *See infra* section X.F #16.

Back to Citation 118.

                         The UMRA requires an assessment of mandates with an annual expenditure of $100 million or more, adjusted for inflation. [2 U.S.C. 1532(a)](https://www.govinfo.gov/link/uscode/2/1532). FinCEN has not anticipated material changes in expenditures for State, local, and Tribal governments, insofar as they would not participate in the primary activities of monitoring or enforcing compliance of the newly proposed requirements in a way that differs from current involvement, thereby incurring novel incremental costs. But because the proposed rule would affect entities in the private sector that are covered financial institutions, FinCEN has considered expenditures these private entities may incur, pursuant to UMRA, as part of the regulatory impact in its assessment below.

Back to Citation 119. See infra section X.E.

Back to Citation 120. See supra section IV.B.

Back to Citation 121.

                         Banks include covered financial institutions defined under [31 CFR 1010.100(t)(1)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(t)(1)) and [(d)](https://www.ecfr.gov/current/title-31/section-1010.100#p-1010.100(d)).

Back to Citation 122. See infra section X.A.

Back to Citation 123. See infra section X.B.

Back to Citation 124. See infra section X.C.

Back to Citation 125. See infra section X.D.

Back to Citation 126. See infra section X.E.

Back to Citation 127. See infra section X.F.

Back to Citation 128. See infra section X.A.1.

Back to Citation 129. See infra section X.A.2.

Back to Citation 130. See infra section X.A.3.

Back to Citation 131. See infra section X.A.4.

Back to Citation 132. See infra section X.A.5.

Back to Citation 133.

                         
                        See [E.O. 12866](https://www.federalregister.gov/executive-order/12866), *supra* note 111, sec 1(b)(1), (“Each agency shall identify the problem that it intends to address (including, where applicable, the failures of private markets or public institutions that warrant new agency action) as well as assess the significance of that problem.”); *see also* OMB, *Circular A-4* (2003), sec. B, The Need for Federal Regulatory Action, *[https://www.whitehouse.gov/​wp-content/​uploads/​2025/​08/​CircularA-4.pdf](https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf).*

Back to Citation 134.

                         In particular, Congress instructed FinCEN to consider the potential economic inefficiencies engendered by the presence of market externalities when promulgating implementing regulations. 
                        See [31 U.S.C. 5318(h)(2)(B)(i)](https://www.govinfo.gov/link/uscode/31/5318) (noting that compliant financial institutions generate “a public . . . benefit,” *i.e.,* positive externalities); *see also id.* 5318(h)(2)(B)(iii) (further noting the “public benefits”—positive externalities—generated by compliant financial institutions).

Back to Citation 135.

                         The extent to which these broad economic considerations apply uniformly to the various components of the proposed rule may in some instances be limited. FinCEN's analysis is not intended to speak to (or in place of) the views of Congress regarding the fundamental economic problems that animate the proposed rule but are expected to be generally consistent with what AML Act section 6101(b), as promulgated, was intended to accomplish.

Back to Citation 136.

                         
                        See 
                         FinCEN, *Anti-Money Laundering and Countering the Financing of Terrorism Programs,* [89 FR 55428](https://www.federalregister.gov/citation/89-FR-55428), [55450](https://www.federalregister.gov/citation/89-FR-55450) (July 3, 2024) (Broad Economic Considerations).

Back to Citation 137. See infra section X.A.4.i.

Back to Citation 138.

                         In this context, FinCEN employs the term “market” in its broadest economic sense, referring to any set of exchanges, transactions, or actions that involve counterparties with unique objectives. The baseline here set forth also forms the counterfactual against which the quantifiable effects of the rule are measured; therefore, substantive errors in or omissions of relevant data, facts, or other information may affect the conclusions formed regarding the general and economically significant impacts of the rule. FinCEN invites comment on the 

                        accuracy of the baseline population estimates as well as any supporting studies, data, or anecdotes in *infra* section X.F #1.

Back to Citation 139.

                         
                        See [E.O. 12866](https://www.federalregister.gov/executive-order/12866), *supra* note 111, at section 1(a) (“In deciding whether and how to regulate, agencies should assess all costs and benefits of available regulatory alternatives, including the alternative of not regulating.”).

Back to Citation 140. See infra section X.A.4; see also infra sections X.C and X.E.

Back to Citation 141. See infra section X.F #2.

Back to Citation 142. See infra section X.A.2.i.d; see also infra sections X.A.4.i.d and X.A.4.ii.c.

Back to Citation 143. See infra section X.F #3.

Back to Citation 144. See supra note 2; see also supra section I.

Back to Citation 145. 31 CFR 1010.100(t).

Back to Citation 146. 13 CFR 121.201; see generally infra section X.C.

Back to Citation 147.

                         These figures represent an approximate number of Federal examiners provided by FFRs with AML/CFT supervisory responsibilities. These estimates do not include persons performing examinations on behalf of SROs, though FinCEN expects that such parties may also be affected.

Back to Citation 148.

                         
                        See [31 CFR 1010.810(b)](https://www.ecfr.gov/current/title-31/section-1010.810#p-1010.810(b)).

Back to Citation 149. See supra sections V.F.2 and 3.

Back to Citation 150.

                         
                        See 
                         FinCEN, *Financial Crimes Enforcement Network (FinCEN) Year in Review for Fiscal Year 2024,* p. 5, *[https://www.fincen.gov/​system/​files/​2025-08/​FinCEN-Infographic-Public-2025-508.pdf](https://www.fincen.gov/system/files/2025-08/FinCEN-Infographic-Public-2025-508.pdf).* Note that not all users are from external agencies. FinCEN employees are also among the users with access to the BSA Portal.

Back to Citation 151.

                         Estimates of the annual cost of crime, generally, are usually measured in trillions of dollars (*see, e.g.,* David A. Anderson, “The Aggregate Cost of Crime in the United States,” *The Journal of Law and Economics,* vol 64 no. 4 (2021)) and financial crimes specifically in billions of dollars (*see, e.g.,* the Federal Trade Commission, *Consumer Sentinel Network Data Book 2024* (Mar. 2025), *[https://www.ftc.gov/​system/​files/​ftc_​gov/​pdf/​csn-annual-data-book-2024.pdf](https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf)*).

Back to Citation 152.

                         Of participants in the FRB's 2024 Survey of Household Economics and Decisionmaking (SHED), 21 percent reported being the victim of financial fraud or a scam involving their money, of which, eight of those percent did not involve credit cards. 
                        See 
                         FRB, *Report on the Economic Well-Being of U.S. Households in 2024—May 2025* (*SHED Report 2024*), *[https://www.federalreserve.gov/​publications/​2025-economic-well-being-of-us-households-in-2024-banking-and-credit.htm](https://www.federalreserve.gov/publications/2025-economic-well-being-of-us-households-in-2024-banking-and-credit.htm).*

Back to Citation 153.

                         
                        See 
                         FDIC, *2023 FDIC National Survey of Unbanked and Underbanked Households* (Nov. 2024), *[https://www.fdic.gov/​household-survey/​2023-fdic-national-survey-unbanked-and-underbanked-households-report](https://www.fdic.gov/household-survey/2023-fdic-national-survey-unbanked-and-underbanked-households-report); see also SHED Report 2024,* *[https://www.federalreserve.gov/​publications/​2025-economic-well-being-of-us-households-in-2024-banking-and-credit.htm](https://www.federalreserve.gov/publications/2025-economic-well-being-of-us-households-in-2024-banking-and-credit.htm).*

Back to Citation 154.

                         
                        See 
                         U.S. Census Bureau, *Age and Sex Composition in the United States: 2023, [https://www.census.gov/​data/​tables/​2023/​demo/​age-and-sex/​2023-age-sex-composition.html](https://www.census.gov/data/tables/2023/demo/age-and-sex/2023-age-sex-composition.html).*

Back to Citation 155.

                         Although some financial institutions covered by this change have already incorporated awareness of and response to CFT issues into their programs (*see infra* table 4), for the purposes of this analysis, FinCEN is employing the term “AML/CFT program” for programs that would be adopted should this rulemaking become effective.

Back to Citation 156. See supra section V.D for a description of current program requirements and the proposed amendments.

Back to Citation 157. See supra section V.D.1 for a discussion of proposed amendments to internal policies, procedures, and controls requirements.

Back to Citation 158.

                         
                        See [31 CFR 1020.210(a)(2)(i)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(i)) for banks with an FFR, [31 CFR 1020.210(b)(2)(i)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(i)) for banks without an FFR, and [31 CFR 1021.210(b)(2)(i)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(2)(i)) for casinos.

Back to Citation 159.

                         
                        See [31 CFR 1022.210(d)(1)](https://www.ecfr.gov/current/title-31/section-1022.210#p-1022.210(d)(1)).

Back to Citation 160.

                         
                        See [31 CFR 1023.210(b)(1)](https://www.ecfr.gov/current/title-31/section-1023.210#p-1023.210(b)(1)).

Back to Citation 161. See supra section V.D.2 for a discussion of proposed amendments to the independent testing requirements.

Back to Citation 162.

                         
                        See [31 CFR 1020.210(a)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(ii)) for banks with an FFR, [31 CFR 1020.210(b)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(ii)) for banks without an FFR, [31 CFR 1023.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1023.210#p-1023.210(b)(2)) for broker-dealers, [31 CFR 1024.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1024.210#p-1024.210(b)(2)) for mutual funds, and [31 CFR 1026.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1026.210#p-1026.210(b)(2)) for FCMs and IBCs.

Back to Citation 163.

                         
                        See [31 CFR 1022.210(d)(4)](https://www.ecfr.gov/current/title-31/section-1022.210#p-1022.210(d)(4)) for MSBs, [31 CFR 1025.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1025.210#p-1025.210(b)(4)) for insurance companies, [31 CFR 1027.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1027.210#p-1027.210(b)(4)) for DPMSJs, [31 CFR 1028.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(4)) for operators of credit card systems, [31 CFR 1029.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1029.210#p-1029.210(b)(4)) for loan or finance companies, and [31 CFR 1030.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1030.210#p-1030.210(b)(4)) for housing GSEs.

Back to Citation 164.

                         
                        See [31 CFR 1025.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1025.210#p-1025.210(b)(4)) for insurance companies, [31 CFR 1027.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1027.210#p-1027.210(b)(4)) for DPMSJs, [31 CFR 1028.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(4)) for operators of credit card systems, [31 CFR 1029.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1029.210#p-1029.210(b)(4)) for loan or finance companies, and [31 CFR 1030.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1030.210#p-1030.210(b)(4)) for housing GSEs.

Back to Citation 165. See supra section V.D.3 for a discussion on the proposed AML/CFT officer amendments.

Back to Citation 166.

                         
                        See [31 CFR 1020.210(a)(2)(iii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(iii)) for banks with an FFR and [31 CFR 1020.210(b)(2)(iii)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(iii)) for banks without an FFR.

Back to Citation 167.

                         
                        See [31 CFR 1023(b)(3)](https://www.ecfr.gov/current/title-31/part-1023#p-1023(b)(3)) for broker-dealers, [31 CFR 1024.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1024.210#p-1024.210(b)(3)) for mutual funds, and [31 CFR 1026.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1026.210#p-1026.210(b)(3)) for FCMs and IBCs.

Back to Citation 168.

                         
                        See [31 CFR 1025.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1025.210#p-1025.210(b)(2)) for insurance companies, [31 CFR 1027.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1027.210#p-1027.210(b)(2)) for DPMSJs, [31 CFR 1028.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(2)) for operators of credit card systems, [31 CFR 1029.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1029.210#p-1029.210(b)(2)) for loan or finance companies, and [31 CFR 1030.210(b)(2)](https://www.ecfr.gov/current/title-31/section-1030.210#p-1030.210(b)(2)) for housing GSEs.

Back to Citation 169. See supra section V.D.4 for a discussion of the proposed amendments to the training requirements.

Back to Citation 170.

                         
                        See [31 CFR 1023.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1023.210#p-1023.210(b)(4)) for broker-dealers, [31 CFR 1024.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1024.210#p-1024.210(b)(4)) for mutual funds, [31 CFR 1025.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1025.210#p-1025.210(b)(3)) for insurance companies, [31 CFR 1026.210(b)(4)](https://www.ecfr.gov/current/title-31/section-1026.210#p-1026.210(b)(4)) for FCMs and IBCs, [31 CFR 1027.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1027.210#p-1027.210(b)(3)) for DPMSJs, [31 CFR 1029.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1029.210#p-1029.210(b)(3)) for loan or finance companies, and [31 CFR 1030.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1030.210#p-1030.210(b)(3)) for housing GSEs.

Back to Citation 171.

                         
                        See [31 CFR 1020.210(a)(2)(iv)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(iv)) for banks with an FFR, [31 CFR 1020.210(b)(2)(iv)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(iv)) for banks without an FFR, [31 CFR 1021.210(b)(2)(iii)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(2)(iii)) for casinos, [31 CFR 1022.210(d)(3)](https://www.ecfr.gov/current/title-31/section-1022.210#p-1022.210(d)(3)) for MSBs, and [31 CFR 1028.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(3)) for operators of credit card systems.

Back to Citation 172.

                         
                        See [31 CFR 1025.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1025.210#p-1025.210(b)(3)) for insurance companies, [31 CFR 1029.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1029.210#p-1029.210(b)(3)) for loan or finance companies, and [31 CFR 1030.210(b)(3)](https://www.ecfr.gov/current/title-31/section-1030.210#p-1030.210(b)(3)) for housing GSEs.

Back to Citation 173. See supra section V.D.1.iii for a discussion of proposed amendments to the CDD requirements.

Back to Citation 174.

                         
                        See [31 CFR 1020.210(a)(2)(v)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(a)(2)(v)) for banks with an FFR, [31 CFR 1020.210(b)(2)(v)](https://www.ecfr.gov/current/title-31/section-1020.210#p-1020.210(b)(2)(v)) for banks without an FFR, [31 CFR 1023.210(b)(5)](https://www.ecfr.gov/current/title-31/section-1023.210#p-1023.210(b)(5)) for broker-dealers, [31 CFR 1024.210(b)(5)](https://www.ecfr.gov/current/title-31/section-1024.210#p-1024.210(b)(5)) for mutual funds, [31 CFR 1026.210(b)(5)](https://www.ecfr.gov/current/title-31/section-1026.210#p-1026.210(b)(5)) for FCMs and IBCs.

Back to Citation 175.

                         
                        See [31 CFR 1021.210(b)(2)(v)(A)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(2)(v)(A)) for casinos and [31 CFR 1028.210(b)(1)(i)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(1)(i)) and [(ii)](https://www.ecfr.gov/current/title-31/section-1028.210#p-1028.210(b)(1)(ii)) for operators of credit card systems.

Back to Citation 176.

                         
                        See [31 CFR 1021.210(b)(2)(v)(A)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(2)(v)(A)).

Back to Citation 177. See infra section X.F #4.

Back to Citation 178.

                         
                        See 
                         Comments to the Advance Notice of Proposed Rulemaking, FinCEN, *Anti-Money Laundering Program Effectiveness,* [85 FR 58023](https://www.federalregister.gov/citation/85-FR-58023) (Sept. 17, 2020), *[https://www.regulations.gov/​docket/​FINCEN-2020-0011/​comments](https://www.regulations.gov/docket/FINCEN-2020-0011/comments). See also* Comments to the Request for Information, FinCEN, *Review of Bank Secrecy Act Regulations and Guidance,* [86 FR 71201](https://www.federalregister.gov/citation/86-FR-71201) (Dec. 15, 2021), *[https://www.regulations.gov/​document/​FINCEN-2021-0008-0001](https://www.regulations.gov/document/FINCEN-2021-0008-0001). See also* Comments to the NPRM, FinCEN, *Anti-Money Laundering and Countering the Financing of Terrorism Programs,* [89 FR 55428](https://www.federalregister.gov/citation/89-FR-55428) (July 3, 2024), *[https://www.regulations.gov/​document/​FINCEN-2024-0013-0001/​comment](https://www.regulations.gov/document/FINCEN-2024-0013-0001/comment).*

Back to Citation 179.

                         Nevertheless, such changes in expenditures may benefit some financial institutions (*See infra* section X.A.4.i.a).

Back to Citation 180.

                         
                        See 
                         60-day notice for OMB Control No. 1506-0020, 1506-0030, and 1506-0035: FinCEN, *Anti-Money Laundering Programs for Certain Financial Institutions* (for banks lacking an FFR, principal MSBs, agent MSBs, mutual funds, insurance companies, DPMSJs, operators of credit card systems, and loan or finance companies), [89 FR 29427](https://www.federalregister.gov/citation/89-FR-29427) (Apr. 22, 2024). *See also* 60-day notice for OMB Control No. 1506-0051: FinCEN, *Anti-Money Laundering Program Requirements for Casinos,* [89 FR 65977](https://www.federalregister.gov/citation/89-FR-65977) (Aug. 13, 2024).

Back to Citation 181.

                         
                        See 
                         FinCEN, *Agency Information Collection Activities: Proposed New Information Collection; Survey of the Costs of AML/CFT Compliance; Comment Request,* [90 FR 47132](https://www.federalregister.gov/citation/90-FR-47132) (Sept. 30, 2025).

Back to Citation 182. See infra section X.F #5.

Back to Citation 183.

                         
                        See 
                         FinCEN, *Anti-Money Laundering/Countering the Financing of Terrorism Programs,* 89 

                        FR 55428, 55458-55463 (July 3, 2024). In section VII.A.2.C., Current Market Practices, FinCEN estimated an annual burden between $5.1 and $7.5 billion in AML Program and SAR reporting costs.

Back to Citation 184.

                         
                        See 
                         GAO, *Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks' Costs to Comply with the Act Varied,* GAO-20-574 (Sept. 2020), *[https://www.gao.gov/​assets/​gao-20-574.pdf](https://www.gao.gov/assets/gao-20-574.pdf).*

Back to Citation 185.

                         
                        See 
                         Drew Dahl, Jim Fuchs, Andrew Meyer, and Michelle Neely, *Compliance Costs, Economies of Scale and Compliance Performance: Evidence from a Survey of Community Banks,* Federal Reserve Bank of St. Louis (Apr. 2018), *[https://www.communitybanking.org/​-/​media/​files/​communitybanking/​compliance-costs-economies-of-scale-and-compliance-performance.pdf?​sc_​lang=​en&​hash=​19C682B5EFB86B37D6A8604DE9087DA6](https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf?sc_lang=en&hash=19C682B5EFB86B37D6A8604DE9087DA6).*

Back to Citation 186.

                         
                        See 
                         Francesco Trebbi, Miao Ben Zhang, and Michael Simkovic, *The Cost of Regulatory Compliance in the United States,* U.S.C. Marshall School of Business Research Paper (Oct. 23, 2024), *[https://papers.ssrn.com/​sol3/​papers.cfm?​abstract_​id=​4331146](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4331146).*

Back to Citation 187. 31 CFR 1010.810(b).

Back to Citation 188.

                         FinCEN has not delegated to the Agencies its ability to enforce the BSA and undertakes its own enforcement investigations and actions, as appropriate (*see supra* note 45). However, FinCEN generally undertakes a materially lower volume of BSA-related enforcement actions than the Agencies, including because FinCEN's enforcement mandate encompasses all types of financial institutions subject to the BSA (*i.e.,* it is not limited to banks and depository institutions).

Back to Citation 189.

                         For more detail, *see, e.g.,* GAO 2020 report (*supra* note 184), *see also* OCC, *Examination Process: Bank Supervision Process Comptroller's Handbook* (Sept. 2019), *[https://www.occ.gov/​publications-and-resources/​publications/​comptrollers-handbook/​files/​bank-supervision-process/​pub-ch-bank-supervision-process.pdf](https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/bank-supervision-process/pub-ch-bank-supervision-process.pdf); see also,* David W. Perkins, *Bank Supervision by Federal Regulators: Overview and Policy Issues,* Congressional Research Service, CRS Report R46648 (Dec. 28, 2020), *[https://www.congress.gov/​crs-product/​R46648](https://www.congress.gov/crs-product/R46648).*

Back to Citation 190.

                         
                        See 
                         FDIC, *Proposed 2026 FDIC Operating Budget,* Exhibit 6, Proposed 2026 Corporate Operating Budget by Business Line (Jan. 9, 2026), *[https://www.fdic.gov/​financial-reports/​fdic-budget](https://www.fdic.gov/financial-reports/fdic-budget).*

Back to Citation 191.

                         
                        See 
                         FRB, *Annual Report—2024,* Federal Reserve System Budgets, Table D.3 and D.9, *[https://www.federalreserve.gov/​publications/​2024-ar-federal-reserve-system-budgets.htm](https://www.federalreserve.gov/publications/2024-ar-federal-reserve-system-budgets.htm).* FinCEN calculated the total budgets as the sum of the budgets for the Board of Governors and the Federal Reserve Banks.

Back to Citation 192.

                         
                        See 
                         OCC, *2025 Annual Report,* p. 25, *[https://www.occ.gov/​publications-and-resources/​publications/​annual-report/​files/​2025-annual-report.html](https://www.occ.gov/publications-and-resources/publications/annual-report/files/2025-annual-report.html).*

Back to Citation 193.

                         FinCEN was unable to obtain comparable data on the NCUA's expenditures on supervisory or examinations activities but anticipates that it would be significantly smaller given that the NCUA's entire operating budget for 2025 was less than $423 million in 2025. 
                        See 
                         NCUA, *2026-2027 Staff Draft Budget* (Sept. 2025), p. 11, *[https://ncua.gov/​files/​publications/​budget/​budget-justification-proposed-2026-2027.pdf](https://ncua.gov/files/publications/budget/budget-justification-proposed-2026-2027.pdf).*

Back to Citation 194.

                         This estimated percentage does not include an estimate of expenditures by the NCUA, but given their expected order of magnitude (*see supra* note 193), this exclusion is not expected to affect the general magnitude of change required to exceed a $100 million significance threshold.

Back to Citation 195.

                         FY21 NDAA, section 6201 (Annual reporting requirements), *[https://www.congress.gov/​116/​plaws/​publ283/​PLAW-116publ283.pdf](https://www.congress.gov/116/plaws/publ283/PLAW-116publ283.pdf).*

Back to Citation 196.

                         FinCEN, *Agency Information Collection Activities: Proposed Renewal; Comment Request; Renewal Without Change of the Generic Clearance for the Collection of Qualitative Feedback on Agency Service Delivery,* [88 FR 30383](https://www.federalregister.gov/citation/88-FR-30383) (May 11, 2023).

Back to Citation 197.

                         GAO conducted the survey from November 9, 2019, through March 16, 2020. *See supra* note 184.

Back to Citation 198.

                         Based on a response rate of approximately 57 percent.

Back to Citation 199. See infra section X.A.4.

Back to Citation 200. See supra section V.A.

Back to Citation 201. See, e.g., with respect to regulatory language used to describe program-related training requirements supra sections V.D.4 and X.A.2.ii. S ee also, with respect to regulatory language used to describe independent testing requirements supra sections V.D.2 and X.A.2.ii.
See
with respect to regulatory language used to describe a designated individual supra sections V.D.3.i and X.A.2.ii.

Back to Citation 202.

                         
                        See 
                         discussion of the documentation requirements for programs *supra* section V.E.1; *see also supra* table 4. *See also* discussion of the removal from regulatory text of automated data processing requirements for casino and MSBs *supra* section V.G.2, of no longer binding compliance deadlines *supra* section V.G.3, and of cross-references to other regulations that are binding independent of FinCEN regulations *supra* V.G.4.

Back to Citation 203. See supra section V.G for description of definitional changes at 31 CFR 1010.100(e), (r), (nnn), and (ooo).

Back to Citation 204.

                         
                        See 
                         AML/CFT Priorities (June 30, 2021), *[https://www.fincen.gov/​news/​news-releases/​fincen-issues-first-national-amlcft-priorities-and-accompanying-statements](https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements).* As required by [31 U.S.C. 5318(h)(4)(C)](https://www.govinfo.gov/link/uscode/31/5318), the AML/CFT priorities are consistent with Treasury's National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024), *[https://home.treasury.gov/​news/​press-releases/​jy2346](https://home.treasury.gov/news/press-releases/jy2346).* The AML/CFT Priorities are supported by Treasury's National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing (Feb. 7, 2024), *[https://home.treasury.gov/​news/​press-releases/​jy2080](https://home.treasury.gov/news/press-releases/jy2080).* As also required by [31 U.S.C. 5318(h)(4)(B)](https://www.govinfo.gov/link/uscode/31/5318), the Secretary, in consultation with the Attorney General, Federal functional regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities not less frequently than once every four years. [31 U.S.C. 5318(h)(2)(B)](https://www.govinfo.gov/link/uscode/31/5318).

Back to Citation 205. See supra section V.D.1.i.b.

Back to Citation 206. See supra sections V.B and C (describing the intent and mechanics of proposed 31 CFR 10XX.210(a)).

Back to Citation 207. See supra table 3 for covered financial institutions; i.e., those with CDD obligations.

Back to Citation 208.

                         FinCEN, *Customer Due Diligence Requirements for Financial Institutions,* [81 FR 29398](https://www.federalregister.gov/citation/81-FR-29398) (May 11, 2016), (stating, “FinCEN believes that there are four core elements of customer due diligence (CDD)[. . . ]: (1) Customer identification and verification, (2) beneficial ownership identification and verification, (3) understanding the nature and purpose of customer relationships to develop a customer risk profile, and (4) ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.”).

Back to Citation 209. Id. (Referring to the core elements: “The first is already an AML program requirement [. . . t]he third and fourth elements are already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements. The AML program rules for all covered financial institutions are being amended by the final rule in order to include the third and fourth elements as explicit requirements.”).

Back to Citation 210. See supra section V.G.1.

Back to Citation 211. See supra section V.G.4.

Back to Citation 212. See supra section V.F.1.

Back to Citation 213.

                         
                        See 
                         proposed [31 CFR 1020.221(c)(2)(i)](https://www.ecfr.gov/current/title-31/section-1020.221#p-1020.221(c)(2)(i)) (generally requiring FFIRAs to provide written notice to the Director of any intent to take a significant AML/CFT supervisory action pursuant to delegated authority at least 30 days in advance of the proposed action).

Back to Citation 214.

                         
                        See 
                         proposed [31 CFR 1020.221(c)(1)](https://www.ecfr.gov/current/title-31/section-1020.221#p-1020.221(c)(1)) (requiring FFIRA consultation with the Director before any significant AML/CFT supervisory action pursuant to delegated authority is initiated).

Back to Citation 215. Id.

Back to Citation 216.

                         
                        See 
                         proposed [31 CFR 1020.221(c)(2)(ii)](https://www.ecfr.gov/current/title-31/section-1020.221#p-1020.221(c)(2)(ii)) (requiring, to the extent reasonably practicable, that an FFIRA respond to requests from the Director for additional information regarding a proposed significant AML/CFT supervisory action).

Back to Citation 217.

                         
                        See 
                         OMB, Circular A-4, at 10. (2003), *[https://www.whitehouse.gov/​wp-content/​uploads/​2025/​08/​CircularA-4.pdf](https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf).*

Back to Citation 218. See supra section V.B.

Back to Citation 219. See infra section X.F #7.

Back to Citation 220. See infra section X.F #6.

Back to Citation 221.

                         In this context, the phrase “U.S. and State government agencies” is meant to include Treasury's Offices of Terrorist Financing and Financial Crimes, Foreign Assets Control, and Intelligence and Analysis, as well as the Attorney General, FFRs, relevant State financial regulators, and relevant law enforcement and national security agencies.

Back to Citation 222.

                         Further discussion of these changes to costs are covered in section X.A.4.ii.c. The discussion in this section considers more exclusively the expected benefits to the general public that would flow from successful implementation of the proposed rule.

Back to Citation 223. See infra section X.F #8 for a request for comment about the availability of such data.

Back to Citation 224.

                         For further discussion of the harms and risks associated with money laundering, *see* U.S. Department of the Treasury, *2024 National Strategy for Combating Terrorist and Other Illicit Financing* (May 2024), *[https://home.treasury.gov/​system/​files/​136/​2024-Illicit-Finance-Strategy.pdf](https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf); see also* U.S. Department of the Treasury, *National Money Laundering Risk Assessment* (2024), *[https://home.treasury.gov/​system/​files/​136/​2024-National-Money-Laundering-Risk-Assessment.pdf](https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf).*

Back to Citation 225.

                         As defined by [E.O. 12866](https://www.federalregister.gov/executive-order/12866) under section 3(f)(1) as an annual effect on the economy of $100 million or more. *See supra* note 111.

Back to Citation 226.

                         FinCEN requests comment on whether there are any categories of burden to covered financial institutions that should be articulated and quantified in this subsection and requests data that would support such burden estimation. *See infra* section X.F #9.

Back to Citation 227. See supra section X.A.2.ii.

Back to Citation 228.

                         FinCEN requests data on whether this expectation is reasonably accurate. *See infra* section X.F #10.

Back to Citation 229.

                         FinCEN requests comment on whether its assessment that the proposed changes would have a deregulatory impact is appropriate. *See infra* section X.F #13.

Back to Citation 230.

                         
                        See 
                         FinCEN, *Congressional Budget Justification FY 2026,* available at *[https://home.treasury.gov/​system/​files/​266/​11.-FinCEN-FY-2026-CJ.pdf](https://home.treasury.gov/system/files/266/11.-FinCEN-FY-2026-CJ.pdf).*

Back to Citation 231. See infra section X.F #15.

Back to Citation 232. See supra section II.C.2.

Back to Citation 233.

                         In response to the 2024 Program NPRM, certain parties asserted a transition period of two of more years would be necessary to operationalize a paradigmatic shift in program practices, pointing to various logistic issues such as updating processes and technology, systems testing, and developing and deploying new training materials, among other necessary activities.

Back to Citation 234.

                         
                        See [13 CFR 121.201](https://www.ecfr.gov/current/title-13/section-121.201) for the size standards applied to small financial institutions as defined by the U.S. Small Business Administration (SBA).

Back to Citation 235. Supra note 112, E.O. 13563 at section 1(c) (“Where appropriate and permitted by law, each agency may consider (and discuss qualitatively) values that are difficult or impossible to quantify, including [. . .] distributive impacts.”).

Back to Citation 236. 58 FR 51740-41; 76 FR 3821-22.

Back to Citation 237. 5 U.S.C. 601 et seq.

Back to Citation 238. See infra section X.F #16.

Back to Citation 239.

                         AML Act, section 6002(2)-(4) (Purposes).

Back to Citation 240. 31 U.S.C. 5318(h)(2)(B)(9)(iv)(II), as amended by section 6101 of the AML Act.

Back to Citation 241. 5 U.S.C. 601(6).

Back to Citation 242.

                         FinCEN requests comment on the accuracy of these baseline estimates. *See infra* section X.F #17.

Back to Citation 243. See infra section X.F #4, 5, 9, and 16.

Back to Citation 244. See supra section X.A.4.i.a.

Back to Citation 245. 5 U.S.C. 603(b)(5) (requiring initial regulatory flexibility analysis to identify, to the extent practicable, all relevant Federal rules which may duplicate, overlap, or conflict with the proposed rule).

Back to Citation 246. See infra section X.F #18.

Back to Citation 247. 2 U.S.C. 1532.

248.

                         The U.S. Bureau of Economic Analysis reports the annual value of the gross domestic product implicit price deflator for calendar year 1995 (the year UMRA was enacted) as 66.939, and as 128.974 for calendar year 2025 (the most recent available). Thus, the inflation-adjusted estimate for $100 million is 128.974 ÷ 66.939 × $100 million, or $192.7 million. U.S. Bureau of Economic Analysis, Table 1.1.9. Implicit Price Deflators for Gross Domestic Product, *<a href="https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&1921=survey&1903=13#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJDYXRlZ29yaWVzIiwiU3VydmV5Il0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyNSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==">https://apps.bea.gov/​iTable/​?reqid=​19&​step=​3&​isuri=​1&​1921=​survey&​1903=​13#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJDYXRlZ29yaWVzIiwiU3VydmV5Il0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyNSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ=​=</a>.*

Back to Citation 249. 2 U.S.C. 1532(c) (“Any agency may prepare any statement required under subsection (a) of this section in conjunction with or as a part of any other statement or analysis, provided that the statement or analysis satisfies the provisions of subsection (a) of this section.”).

Back to Citation 250. See infra section X.F #19.

Back to Citation 251.

                         
                        See [44 U.S.C. 3506(c)(2)(A)](https://www.govinfo.gov/link/uscode/44/3506).

Back to Citation 252.

                         
                        See [44 U.S.C. 3507(a)(3)](https://www.govinfo.gov/link/uscode/44/3507).

Back to Citation 253.

                         Banks with an FFR have OMB control numbers that are maintained by the Agencies, as follows: (1) FDIC (OMB Control No. 3064-0087); (2) FRB (OMB Control No. 7100-0310); (3) NCUA (OMB Control No. 3133-0108); and (4) OCC (OMB Control No. 1557-0180).

Back to Citation 254.

                         
                        See 
                         FinCEN, *Financial Crimes Enforcement Network; Anti-Money Laundering Programs for Financial Institutions,* [67 FR 21110](https://www.federalregister.gov/citation/67-FR-21110) (Apr. 29, 2002). In the 2002 interim final rule, FinCEN noted it was appropriate to implement section 5318(h)(1) of the BSA with respect to broker-dealers and FCMs through their respective SROs, because the SEC and the CFTC and their SROs significantly accelerated the implementation of AML programs for their regulated financial institutions. Accordingly, [31 CFR 1023.210](https://www.ecfr.gov/current/title-31/section-1023.210) and [1026.210pro](https://www.ecfr.gov/current/title-31/section-1026.210pro) vides that broker-dealers, and FCMs and IBCs, respectively, would be deemed to be in compliance with the requirements of section 5318(h)(1) of the BSA if they comply with any applicable regulation of their FFR governing the establishment and implementation of AML programs. FinCEN recognizes the SEC as the FFR, and registered national securities exchanges or a national securities association, such as FINRA, as the SROs for member broker-dealers. Each SRO may have its own AML program requirements. *See, e.g.,* FINRA Rule 3310. The CFTC's SRO is the National Futures Association. The AML program requirements for FCMs and IBCs are set out in NFA Rule 2-9(c). The SROs are not required to comply with the PRA. Therefore, there are no OMB control numbers for the AML/CFT program regulatory requirements of broker-dealers or FCMs and IBCs.

Back to Citation 255.

                         The PRA does not apply to the collection of information by one Federal agency (FinCEN) from another Federal entity (the housing GSEs).

Back to Citation 256.

                         
                        See 
                         FinCEN, Supporting Statement to OMB Control No. 1506-0035: *Anti-Money Laundering Programs for Insurance Companies, Loan or Finance Companies, and Banks Lacking a Federal Functional Regulator* (June 27, 2024), *<a href="https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202406-1506-005;">https://www.reginfo.gov/​public/​do/​PRAViewDocument?​ref_​nbr=​202406-1506-005;</a>* FinCEN, Supporting Statement to OMB Control No. 1506-0020: *Anti-Money Laundering Programs for Money Services Businesses, Mutual Funds, Operators of Credit Card Systems* (June 27, 2024), *<a href="https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202406-1506-003;">https://www.reginfo.gov/​public/​do/​PRAViewDocument?​ref_​nbr=​202406-1506-003;</a>* FinCEN, Supporting Statement to OMB Control No. 1506-0030: *Anti-Money Laundering Programs for Dealers in Precious Metals, Precious Stones, or Jewels* (June 27, 2024), *<a href="https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202406-1506-004;">https://www.reginfo.gov/​public/​do/​PRAViewDocument?​ref_​nbr=​202406-1506-004;</a>* FinCEN, Supporting Statement to OMB Control No. 1506-0051: *Anti-Money Laundering Program Requirements for Casinos* (Oct. 28, 2024), *[https://www.reginfo.gov/​public/​do/​PRAViewDocument?​ref_​nbr=​202410-1506-002](https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202410-1506-002).*

Back to Citation 257. See supra table 8.

Back to Citation 258.

                         FinCEN requests comment on whether it should articulate and assign PRA reporting and/or recordkeeping burden associated with any other activities required under the program rules. *See infra* section X.F #21.

Back to Citation 259.

                         Please note that FinCEN is estimating only the paperwork burden associated with the specific program components discussed above (*i.e.,* the [31 CFR 1021.210(b)(2)(vi)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(2)(vi)), CDD, and program approval requirements) in this PRA analysis, as other components of the full burden associated with existing program rules are accounted for in connection with OMB control numbers 1506-0020, 1506-0030, 1506-0035, and 1506-0051. *See supra* note 180 for the 60-day notice for OMB Control No. 1506-0020, 1506-0030, and 1506-0035 and the 60-day notice for OMB Control No. 1506-0051.

Back to Citation 260. See supra section V.G.2. This rule also proposed to remove the language requiring MSBs that have automated data processing systems to integrate their compliance procedures with such systems. Since no PRA burden is associated with this requirement, FinCEN is not proposing any changes to OMB control number 1506-0020 is association with the proposed change.

Back to Citation 261. See supra note 180 for FinCEN, Agency Information Collection Activities; Proposed Renewal; Comment Request; Renewal Without Change of Anti-Money Laundering Program Requirements for Casinos.

Back to Citation 262. See, e.g., FinCEN, Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempts Reporting Advisers, 89 FR 72156 (Sept. 4, 2024).

Back to Citation 263.

                         FinCEN is adding a pro forma recordkeeping burden associated with the CDD requirements for 1,720 covered financial institutions and a pro forma recordkeeping burden associated with the proposed program approval requirements for 46,960 financial institutions, which includes the 1,299 casinos that would be additionally affected by the proposed removal of [31 CFR 1021.210(b)(2)(vi)](https://www.ecfr.gov/current/title-31/section-1021.210#p-1021.210(b)(2)(vi)). This results in a total of 48,680 respondents.

Back to Citation 264.

                         The wage rate applied here is a general composite hourly wage ($87.61) scaled by a private sector benefits factor of 1.42 ($124.58 = $87.61 × 1.42). This incorporates Bureau of Labor Statistics mean wage data associated with six occupational codes (11-1010: Chief Executives; 11-3021: Computer and Information Systems Managers; 11-3031: Financial Managers; 13-1041: Compliance Officers; 23-1010: Lawyers and Judicial Law Clerks; 43-3099: Financial Clerks, All Other) for each of the nine groupings of NAICS industry codes that FinCEN determined are most directly comparable to its 11 categories of potentially affected financial institutions as delineated in [31 CFR parts 1020 to 1030](https://www.ecfr.gov/current/title-31/part-1020). 
                        See 
                         Bureau of Labor Statistics, *May 2024—National industry-specific and by ownership, [https://www.bls.gov/​oes/​tables.htm](https://www.bls.gov/oes/tables.htm).* Given that many occupations provide benefits beyond wages (*e.g.,* insurance and paid leave), FinCEN applies the private sector benefit factor to the unloaded wage rate to reflect the total cost to the employer. The benefit factor is the ratio of total compensation (which includes wages and benefits) to wages. Total compensation = 43.94 and Wages and salaries = 30.90 (1.42 = 43.94 ÷ 30.90) as of June 2024, based on the private industry workers series data downloaded from the Bureau of Labor Statistics. Bureau of Labor Statistics, *Employer Costs for Employee Compensation* data, *[https://www.bls.gov/​news.release/​archives/​ecec_​09102024.pdf](https://www.bls.gov/news.release/archives/ecec_09102024.pdf).*

Back to Citation 265.

                         132,960 hours multiplied by an average hourly wage rate of $124.58 equals $16,564,157.

Back to Citation [FR Doc. 2026-07033 Filed 4-9-26; 8:45 am]

BILLING CODE 4810-02-P

Published Document: 2026-07033 (91 FR 18704)