FinCEN Proposes AML/CFT Program Reforms for Financial Institutions

Content

ACTION:

Proposed rule.

SUMMARY:

Pursuant to the Department of the Treasury (Treasury) and FinCEN's efforts to modernize the Bank Secrecy Act (BSA) and to
implement provisions of the Anti-Money Laundering Act of 2020 (AML Act), FinCEN is proposing a rule to fundamentally reform
the requirements for financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs.
Among other changes, this proposed rule aims to ensure that financial institutions establish and maintain effective AML/CFT
programs that better achieve the purposes of the BSA and lead to more effective outcomes for financial institutions as well
as law enforcement and national security agencies. Through this rulemaking, consistent with its statutory authority as the
administrator of the BSA, FinCEN is also proposing measures to modernize and reform Federal supervision of AML/CFT programs
by enhancing FinCEN's role in AML/CFT supervision and enforcement in coordination with Federal banking regulators. In addition,
FinCEN is proposing regulatory amendments to promote clarity and consistency across FinCEN's program rules for different types
of financial institutions.

DATES:

Comments must be received by June 9, 2026.

ADDRESSES:

Comments must be submitted in one of the following two ways (please choose only one of the ways listed):

• Electronically at https://www.regulations.gov. Follow the “Submit a comment” instructions. If you are reading this document on federalregister.gov, you may use the green “SUBMIT A PUBLIC COMMENT” button beneath this rulemaking's title to submit a comment to the regulations.gov docket. Refer to Docket Number FINCEN-2026-0034 and RIN 1506-AB72.

• You may mail written comments to the following address: Regulatory and Strategic Affairs Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket
Number FINCEN-2026-0034 and RIN 1506-AB72. Mailed comments must be received by the close of the comment period.

Do not include any personally identifiable information (such as name, address, or other contact information) or confidential
business information that you do not want publicly disclosed. All comments are public records; they are publicly displayed
exactly as received, and will not be deleted, modified, or redacted. Comments may be submitted anonymously.

Follow the search instructions on https://www.regulations.gov to view public comments. In accordance with 5 U.S.C. 553(b)(4), a summary of this rule may be found at www.regulations.gov under Docket FINCEN-2026-0034.

FOR FURTHER INFORMATION CONTACT:

The FinCEN Regulatory Support Section at www.fincen.gov/contact.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend FinCEN's regulations that prescribe anti-money laundering program requirements for financial
institutions (AML program rules) (1) under the BSA. (2) For purposes of the AML program rules and this proposed rule, “financial institutions” are: (1) banks; (2) casinos and card
clubs (casinos); (3) money services businesses (MSBs); (4) brokers or dealers in securities (broker-dealers); (5) mutual funds;
(6) insurance companies; (7) futures commission merchants (FCMs) and introducing brokers in commodities (IBCs); (8) dealers
in precious metals, precious stones, or jewels (DPMSJs); (9) operators of credit card systems; (10) loan or finance companies;
and (11) housing government sponsored enterprises (housing GSEs).

II. Background

A. Anti-Money Laundering Programs Under the Bank Secrecy Act

Enacted in 1970 and amended several times since, the BSA is designed to combat money laundering, the financing of terrorism,
and other illicit finance activity risks (3) (collectively, ML/TF risks). (4) Congress has authorized the Secretary of the Treasury (Secretary) to administer the BSA. The Secretary has in turn delegated
the authority to implement, administer, and enforce compliance with the BSA and its associated regulations to the Director
of FinCEN (Director). (5)

Since its original enactment, Congress has continued to address various aspects of AML/CFT compliance, including through expansion
of the BSA. (6) In 1992, the Annunzio-Wylie Anti-Money Laundering Act (7) gave the Secretary authority to prescribe minimum standards for AML programs, including: “(A) the development of

  internal policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training
  program, and (D) an independent audit function to test programs”—what are often called the “four pillars” of AML programs. [(8)]() Later, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
  of 2001 (USA PATRIOT Act) further amended the BSA to include, among other things, customer identification program (CIP) requirements
  and the expansion of AML program rules to cover certain other financial industry participants (*e.g.,* credit unions and FCMs). [(9)]() The USA PATRIOT Act also made it mandatory for financial institutions to maintain AML programs that meet minimum prescribed
  standards. [(10)]() Through the exercise of its delegated authority, FinCEN is authorized to require each financial institution to establish an
  AML program to ensure compliance with the BSA and guard against ML/TF risks. [(11)]() Over time, FinCEN incorporated these standards into the AML program rules and implemented additional requirements for certain
  covered financial institutions, such as customer due diligence (CDD) requirements (sometimes referred to as the “fifth pillar”
  of AML programs). [(12)]()

On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021
(FY21 NDAA), of which the AML Act was a component. (13) With the passage of the AML Act, Congress stated that it was seeking to modernize and strengthen the AML/CFT regulatory framework,
which “had not seen comprehensive reform or modernization” since the BSA was enacted in the 1970s. (14) Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication,
and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better
focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” (15)

Section 6101(b) of the AML Act made several changes to the BSA's AML/CFT program requirements.

First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B) to state that, “[i]n prescribing the minimum standards [for
AML/CFT programs], and in supervising and examining compliance with those standards, the Secretary of the Treasury, and the
appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act) (16) shall take into account” certain factors, which are further described in section IV.A.

Second, section 6101(b) requires the Secretary, in consultation with the Attorney General, appropriate Federal functional
regulators, relevant State financial regulators, and relevant national security agencies, to establish and make public government-wide
AML/CFT priorities (AML/CFT Priorities). After consultation with the Federal functional regulators and relevant State financial
regulators, the Secretary must promulgate regulations, as appropriate, to incorporate those priorities into revised program
rules, and incorporation of the priorities must be included as a measure on which financial institutions are supervised and
examined. FinCEN issued the first AML/CFT Priorities on June 30, 2021. (17)

Third, section 6101(b) expands the BSA's program rule requirement to formally include an express reference to CFT in addition
to AML.

Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility
of, and be performed by, persons in the United States who are accessible to, and subject to, oversight and supervision by,
the Secretary and the appropriate Federal functional regulator.

B. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)

Prior to the enactment of the AML Act, and as informed by the recommendations of the AML Effectiveness Bank Secrecy Act Advisory
Group working group, FinCEN published an ANPRM seeking public comment on potential regulatory amendments to increase the effectiveness
of the current program rules (Effectiveness ANPRM). (18) The Effectiveness ANPRM sought public comment on a number of issues, including whether FinCEN should define an effective and
reasonably designed AML program as one that: (1) identifies, assesses, and reasonably mitigates the risks resulting from illicit
financial activity, including terrorist financing, money laundering, and other related financial crimes, consistent with both
the institution's risk profile and the risks communicated by relevant government authorities as national AML

  priorities; (2) assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and (3) provides
  information with a high degree of usefulness to government authorities consistent with both the financial institution's risk
  assessment and the risks communicated by relevant government authorities as national AML priorities. [(19)]()

Additionally, the Effectiveness ANPRM sought comment on whether FinCEN should amend its regulations to explicitly require
financial institutions to implement risk assessment processes and whether FinCEN should publish AML priorities that financial
institutions would incorporate into their risk assessments. (20) Congress enacted the AML Act shortly after FinCEN received comments on the Effectiveness ANPRM. As a result, many of the Effectiveness
ANPRM's proposals have been superseded by statutory amendments.

FinCEN received 111 comments in response to the Effectiveness ANPRM, many of which generally supported the goals underlying
the ANPRM. Some comments covered specific topics that would later be addressed in section 6101 of the AML Act and that are
related to the proposed rule. For example, many commenters supported the Effectiveness ANPRM's concepts of effective and reasonably
designed AML programs. Commenters further noted that prioritizing and allocating resources can be challenging if there is
regulatory ambiguity or if examiner expectations are unclear or inconsistent, and that requirements for effective and reasonably
designed programs should be tailored based on a financial institution's size, activities, or other characteristics. Finally,
commenters expressed widespread concern about added burden on financial institutions, especially burden related to updating
AML programs to incorporate national AML priorities.

C. The 2024 Notice of Proposed Rulemaking Revising AML Programs

1. Summary of 2024 Program Notice of Proposed Rulemaking (NPRM)

On July 3, 2024, FinCEN published an NPRM proposing revisions to AML/CFT program requirements (2024 Program NPRM). (21) In issuing that proposed rule, FinCEN consulted with the Federal functional regulators, the Internal Revenue Service (IRS),
and relevant State financial regulators, as required under section 6101(b) of the AML Act. Additionally, on August 9, 2024,
the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal
Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the “Agencies”) (22) issued an NPRM proposing amendments to their respective AML program rules applicable to the financial institutions they regulate. (23)

The 2024 Program NPRM proposed that financial institutions establish AML/CFT programs that would include, at minimum, the
following components: (1) a risk assessment process; (2) reasonable management and mitigation of illicit finance risks through
internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) an ongoing employee training program; (5)
independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party;
and (6) other requirements (such as customer due diligence) depending on the type of financial institution.

The 2024 Program NPRM further proposed that financial institutions would be expected to base their AML/CFT program on the
results of a risk assessment process. The risk assessment process would identify, evaluate, and document a financial institution's
ML/TF risks, taking into account the following considerations: (1) the AML/CFT Priorities issued by FinCEN, as appropriate;
(2) the ML/TF risks of the financial institution based on the institution's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed by the financial institution
pursuant to FinCEN's regulations at 31 CFR chapter X. Additionally, the 2024 Program NPRM provided that financial institutions
would have to review and update their risk assessments on a periodic basis, including, at a minimum, when there are material
changes to a financial institution's illicit finance risks.

The 2024 Program NPRM would have also required a financial institution's AML/CFT program to be approved and overseen by the
financial institution's board of directors (board) or equivalent governing body and would have made AML/CFT program approval
and oversight requirements consistent across financial institution types. Furthermore, the 2024 Program NPRM reflected the
requirement in the BSA, as amended by the AML Act, that the duty to establish, maintain, and enforce a financial institution's
AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to,
and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator.

FinCEN does not intend to finalize the 2024 Program NPRM, and it should be considered withdrawn and superseded by this proposed
rule.

2. Comments FinCEN Received on the 2024 Program NPRM

In response to the 2024 Program NPRM, FinCEN received 86 comments from the public. Submissions came from a broad array of
individuals and organizations, including members of Congress, the financial industry and related trade associations, groups
representing small business interests, corporate transparency advocacy groups, regulatory associations, legal associations,
and other interested groups and individuals.

A small number of commenters expressed support for the 2024 Program NPRM's effort to modernize and strengthen AML/CFT programs
in line with the reform goals of the AML Act. Some supporters of the 2024 Program NPRM agreed with its emphasis on “effective,
risk-based, and reasonably designed” AML/CFT programs that would promote “effectiveness, efficiency, innovation, and flexibility.” (24) Others commended FinCEN's efforts to emphasize the risk-based nature of AML/CFT programs and provide financial institutions
with the flexibility to provide financial services based on their risk profile and capacity to manage customer relationships.

Commenters also expressed concerns with the 2024 Program NPRM, such as the proposed program requirements being excessively
prescriptive and even redundant in light of the view that existing AML/CFT compliance programs were already intended to be
risk-based. A number of commenters found the proposal to be an additive regulatory imposition that would increase costs and
burdens, particularly to smaller financial institutions, without

  any increase in program effectiveness, efficiency, or innovation.

On behalf of FinCEN, Treasury's Office of Tribal and Native Affairs (OTNA) also solicited comments and conducted Tribal consultations
and coordination with Tribal Nations. OTNA received six comments from Tribal representatives during this process.

Taken together, the comments submitted to the Effectiveness ANPRM and 2024 Program NPRM provide helpful context that FinCEN
has considered in developing the current NPRM.

i. Risk-Based Resource Allocation

The 2024 Program NPRM proposed a formulation of risk-based resource allocation as follows: “an effective, risk-based, and
reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the bank's risk profile that
takes into account higher risk and lower-risk customers and activities.” (25) Commenters criticized this formulation of risk-based resource allocation in the NPRM and generally stated that this framing
would not sufficiently enable financial institutions to reallocate resources in the manner intended by the AML Act by allowing
financial institutions to direct more resources toward higher-risk customers and activity rather than lower-risk customers
and activity, leaving open the concern that examiners may penalize financial institutions for doing so. Commenters strongly
recommended that FinCEN adopt the statutory language from the AML Act concerning risk-based resource allocation. No commenters
expressed support for the 2024 Program NPRM formulation.

ii. The Risk Assessment Process

Commenters to the 2024 Program NPRM were critical of the proposed risk assessment process. Commenters generally supported
the idea of a risk assessment process requirement in the NPRM, as many financial institutions already conduct risk assessments.
Commenters argued, however, that the proposal was insufficiently deferential to existing risk assessment practices and would
impose new compliance costs by creating an additive “check-the-box” exercise for financial institutions that already conduct
risk assessments. Commenters also stated that financial institutions should not be required to consider BSA reports, including
SARs and CTRs, as part of their risk assessment process, noting language in the AML Act stating that BSA filings should be
guided by risk-based compliance programs, rather than the opposite. (26) Commenters also argued that even the idea of making the risk assessment process serve as the basis of the AML/CFT program
would be too prescriptive and not correspond to the various ways financial institutions incorporate these assessments into
their programs. Finally, commenters objected to the description of a risk assessment process as a singular process that implied
a one-time, annual exercise whereas financial institutions conduct numerous and often continuous risk assessments throughout
the year.

iii. “Effective, Risk-Based, and Reasonably Designed” AML/CFT Programs

Commenters generally appreciated FinCEN's inclusion of the concept of “effective, risk-based, and reasonably designed” AML/CFT
programs, but sought additional guidance on the meaning of these terms. Some commenters requested that FinCEN adopt specific
regulatory definitions of these terms, while others requested principles or examples to clarify how FinCEN understands them.
Several commenters urged that the final rule clarify that an “effective, risk-based, and reasonably designed” program does
not mean one that is “perfect” and completely prevents financial crime.

iv. Other Provisions of the 2024 NPRM

Proposed § 1020.210(c) of the 2024 Program NPRM provided that “[t]he duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject
to oversight and supervision by, FinCEN and the appropriate Federal functional regulator,” (27) pursuant to the statutory requirement set forth in section 6101 of the AML Act. (28) Many commenters discussed this provision. They generally stated that an appropriate interpretation of this provision is critical
for many financial institutions since many have AML/CFT staff and operations overseas, and it would be extremely costly and
disruptive to require relocation to the United States. Many commenters requested that FinCEN interpret this provision to allow
financial institutions to maintain staff and operations in non-U.S. jurisdictions so long as the person with the “duty to
establish, maintain, and enforce the AML/CFT program” is located in the United States. Some commenters also requested clarification
on how this provision would apply to financial institutions with third-party service providers located outside the United
States.

The 2024 Program NPRM also proposed requiring that a financial institution's board or an equivalent governing body approve
and provide oversight of AML/CFT programs. (29) Commenters generally expressed reservations about the board approval and oversight provision of the NPRM. Some credit union
commenters expressed concern that the requirement would impose significant new burdens on boards and noted that many credit
union boards are volunteers. Commenters representing Native Tribes were most critical of the board oversight and approval
requirement because of the potential impact on Tribal casinos and Tribal Councils. Several of these commenters stated that
many Tribal gaming entities are not operated under the authority of a business board. Commenters expressed concern that the
proposed rule may require Tribal Councils to approve and provide oversight of the AML/CFT program adopted by the casino, detracting
from other responsibilities of the Tribal Council.

v. Effective Date

The 2024 Program NPRM proposed that financial institutions would have six months from the date of issuance of the final rule
to comply with its requirements. A large number of commenters reacted negatively to the six-month implementation period in
the 2024 Program NPRM, and they were nearly unanimous in requesting additional time. Some commenters asked for at least one
year after issuance of the final rule to implement the rule, and other commenters requested two or more years. Some commenters
representing larger financial institutions cited the need for additional time to review the final rule, make technological
changes or other changes to existing processes, incorporate the AML/CFT Priorities into their risk assessment processes, reallocate
resources from lower- to higher-risk areas, and provide training.

III. BSA Modernization

The Secretary has identified BSA reform and modernization as one of Treasury's top priorities. In an April 2025 speech, the
Secretary noted that Treasury “will advocate for changes to the AML/CFT framework to truly focus on national security priorities
and higher-risk areas and explicitly permit financial institutions to de-prioritize lower risks.” (30) Additionally, the Secretary has noted that supervision of AML/CFT programs has too often involved a “zero-tolerance focus
on process and documentation and wide latitude for supervisory expectations and judgments that are not always consistent with
the law or our national security priorities.” (31) The Secretary noted that this proposed rule would ensure that financial institutions' AML/CFT programs are focused “on higher
value activities [that] will also better serve our law enforcement and national security objectives.” (32)

In June 2025, Treasury identified its guiding principles for BSA reform, recognizing the urgent need to modernize the implementation
of the AML/CFT regime in the United States so that it is effective, risk-based, and focused on the greatest threats to financial
institutions and national security. (33) Treasury's vision of a modernized BSA regulatory and supervisory regime is one where financial institutions:

• comply with AML/CFT laws and regulations;
• are examined for the risk-based and reasonably designed nature of their AML/CFT programs and set of internal policies, procedures, and controls;
• direct more resources to higher-risk areas rather than to lower-risk areas; and
• generate highly useful information for law enforcement and national security agencies in priority areas defined by Treasury. Treasury and FinCEN, in coordination with the Agencies, have taken a number of steps to implement this vision of a modernized BSA regulatory and supervisory regime. In June and July 2025, the Agencies, with FinCEN's concurrence, issued an order permitting banks, as part of their CIP obligations, to collect Taxpayer Identification Number information from a third party rather than from the bank's customer. (34) In October 2025, FinCEN and the Agencies issued Frequently Asked Questions to clarify certain SAR obligations to help ensure financial institutions are not needlessly expending resources on efforts that do not provide law enforcement and national security agencies with the critical information they need to detect, combat, and deter criminal activity. (35) In February 2026, FinCEN issued an order granting exceptive relief to covered financial institutions from certain requirements under FinCEN's CDD Rule, supporting a more efficient, risk-based approach to customer due diligence and reducing unnecessary regulatory burden without weakening the foundational requirements that protect the U.S. financial system. (36)

In addition to advancing the goals of a modernized BSA regulatory and supervisory regime, Treasury and FinCEN have played
a leading role in supporting Executive Order (E.O.) 14192, Unleashing Prosperity Through Deregulation. (37) The E.O. announced an Administration policy to “significantly reduce the private expenditures required to comply with Federal
regulations to secure America's economic prosperity and national security and the highest possible quality of life for each
citizen” and “alleviate unnecessary regulatory burdens placed on the American people.” (38) Consistent with E.O. 14192, FinCEN is issuing this proposed rule to ensure that financial institutions' AML/CFT programs are
appropriately risk-based, such that compliance with their program obligations is focused on the goals of the BSA, including
combatting and preventing ML/TF, rather than mere technical compliance. Furthermore, the proposed rule for banks would help
ensure that supervisory and enforcement actions related to AML/CFT programs are focused on significant or systemic failures
to implement an effective AML/CFT program (i.e., deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program).
The proposal would also reflect FinCEN's key role, in accordance with its statutory authority as the administrator of the
BSA, in ensuring a consistent and holistic approach to enforcement and supervision of banks' AML/CFT programs that focuses
on program effectiveness rather than mere technical compliance. The Agencies have a long history of coordination with FinCEN
in exercising its delegated supervisory authority, and FinCEN views this proposed rule as a way to further strengthen that
relationship to promote more consistent supervision. FinCEN believes this enhanced coordination in AML/CFT supervision and
enforcement will support the goals of E.O. 14192.

Fulfilling the AML Act's goals of BSA modernization and reform is a priority for Treasury and FinCEN, and this proposed rule
is a major part of that effort.

IV. Overview of the Proposed Rule

A central objective of Treasury and FinCEN's BSA modernization efforts is to create an AML/CFT supervisory and regulatory
regime that is more effective in achieving the purposes of the BSA and promoting better outcomes for law enforcement and national
security agencies. (39) This proposed rule would further that objective by explicitly defining the requirements for a financial institution to establish
and maintain an effective AML/CFT program. It would also adopt into regulations the AML Act's expectation that AML/CFT programs
should be risk-based, including ensuring that financial institutions direct more attention and resources toward higher-risk
customers and activities, consistent with the risk profile of the financial institution, rather than toward lower-risk customers
and activities. (40)

As noted in the previous section, the proposed rule would also revise the AML/CFT supervisory and examination process for
banks by enhancing FinCEN's role in the supervision and enforcement process. In support of this objective, the proposed rule
would establish a mechanism in which

  FinCEN—as the statutory administrator of the BSA—has an opportunity to review and provide feedback to the Agencies prior to
  a significant supervisory action. This change will promote consistent approaches to AML/CFT supervision and better outcomes
  for both banks and the law enforcement and national security agencies that depend upon those financial institutions' critical
  BSA reporting.

A. Factors Rhat FinCEN Considered Pursuant to Section 6101(b)(2)(B) of the AML Act (31 U.S.C. 5318(h)(2)(B))

Section 6101(b)(2)(B)(ii) of the AML Act (codified at 31 U.S.C. 5318(h)(2)(B)) requires FinCEN to take into account certain
factors when prescribing minimum AML/CFT program standards:

(i) Financial institutions are spending private compliance funds for a public and private benefit, including protecting the
United States financial system from illicit finance risks.

(ii) The extension of financial services to the underbanked and the facilitation of financial transactions, including remittances,
coming from the United States and abroad in ways that simultaneously prevent criminal persons from abusing formal or informal
financial services networks are key policy goals of the United States.

(iii) Effective anti-money laundering and countering the financing of terrorism programs safeguard national security and generate
significant public benefits by preventing the flow of illicit funds in the financial system and by assisting law enforcement
and national security agencies with the identification and prosecution of persons attempting to launder money and undertake
other illicit activity through the financial system.

(iv) Anti-money laundering and countering the financing of terrorism programs . . . should be—

(I) reasonably designed to assure and monitor compliance with the requirements of this subchapter and regulations promulgated
under this subchapter; and

(II) risk-based, including ensuring that more attention and resources of financial institutions should be directed toward
higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk
customers and activities.

FinCEN has considered all of these factors in developing this proposed rule.

First, as required by 31 U.S.C. 5318(h)(2)(B)(i), FinCEN has considered that, through their AML/CFT programs, financial institutions
are spending private compliance funds for a public and private benefit. The proposed rule reflects this in several ways—especially
in how it endeavors to avoid imposing unnecessary regulatory burdens and ensuring that financial institutions are able to
tailor their AML/CFT programs to their risk profiles. In this way, FinCEN seeks to ensure that financial institutions are
not required to expend private compliance funds without meaningful benefit to both the public and their own operations.

Second, section 5318(h)(2)(B)(ii) requires FinCEN to consider the extension of financial services to the underbanked and the
facilitation of financial transactions, including remittances, while preventing criminal persons from abusing formal or informal
financial services networks. Through its emphasis on risk-based AML/CFT programs, the proposed rule seeks to provide financial
institutions with the flexibility to serve a broad range of customers and avoid one-size-fits-all approaches to customer risk
that can lead to financial institutions declining to provide financial services to entire categories of customers. The proposed
rule would help ensure that decisions taken by financial institutions with respect to closing customer accounts are based
on legitimate ML/TF risks and informed by relevant facts and circumstances. The proposed rule is intended to mitigate the
risks of financial institutions potentially being inappropriately pressured into closing customer accounts by emphasizing
the risk-based nature of AML/CFT programs. In doing so, the proposed rule also furthers the objectives of E.O. 14331, Guaranteeing Fair Banking for All Americans, which seeks to combat “politicized or unlawful debanking.” (41)

Moreover, by establishing a risk-based AML/CFT program that takes into account a financial institution's specific business
activities, the proposed rule will enable financial institutions to avoid debanking customers and extend financial services
based on a financial institution's evaluation of the ML/TF risks and the financial institution's ability to manage those risks
and customer relationships, among other considerations. This flexibility would allow such financial institutions to respond
to changing circumstances and evolving risk profiles, including through the use of emerging technologies that support transparency
and preserve privacy, which may deter debanking and enable financial institutions to reach underbanked individuals and facilitate
financial transactions that simultaneously prevent criminal persons from abusing formal or informal financial services networks.

The proposed rule would also provide financial institutions with the ability to modernize their AML/CFT programs and to responsibly
innovate while still managing ML/TF risks, as the financial services industry continues to innovate over time. Consistent
with previous guidance, (42) FinCEN encourages financial institutions to manage customer relationships on a case-by-case basis, and the proposed rule would
provide financial institutions with the framework to make such evaluations and provide financial services accordingly, without
broad de-risking that can result in debanking that may increase the use of financial services that exist outside of the regulated
financial system and complicate efforts to detect and deter illicit finance. FinCEN believes that effective AML/CFT programs
are an important component in mitigating the effects of de-banking to national security and law enforcement interests.

Third, as stated in 31 U.S.C. 5318(h)(2)(B)(iii), effective AML/CFT programs safeguard national security and generate significant
public benefits by preventing the flow of illicit funds in the financial system and by assisting law enforcement and national
security agencies with the identification and prosecution of persons attempting to launder money or undertake other illicit
activity through the financial system. (43) The proposed rule would advance the BSA modernization and reform goals of the AML Act by providing financial institutions
and their regulators with clarity about the requirements to have effective AML/CFT programs.

Likewise, 31 U.S.C. 5318(h)(2)(B)(iv)(I) provides that AML/CFT programs should be “reasonably designed to assure and monitor
compliance” with the BSA and its implementing regulations and be risk-based. As described in more detail in section IV, the
proposed rule advances these objectives by explicitly requiring financial institutions to have effective AML/CFT programs
and by describing the minimum components for an AML/CFT program to be effective. Specifically, as part of an effective AML/CFT
program, the proposed rule

  requires that a financial institution establish and maintain a risk-based set of internal policies, procedures, and controls
  that is reasonably designed to ensure compliance with the BSA and FinCEN's regulations.

The internal policies, procedures, and controls requirement in the proposed rule also demonstrates FinCEN's consideration
of 31 U.S.C. 5318(h)(2)(B)(iv)(II), which states that AML/CFT programs should be risk-based, including ensuring that more
attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent
with a financial institution's risk profile, rather than toward lower-risk customers and activities. While FinCEN has previously
expected financial institutions to adopt risk-based AML/CFT programs, the proposed rule incorporates this directive by explicitly
requiring, as part of an institution's risk-based set of internal policies, procedures, and controls, that an institution
identify, assess, and document its ML/TF risks through risk assessment processes. These risk assessment processes require
a financial institution to evaluate ML/TF risks and review and, as appropriate, incorporate the AML/CFT Priorities, with updates
to risk assessment processes promptly upon any change that the financial institution knows or has reason to know significantly
changes the financial institution's ML/TF risks. These risk assessment processes are designed to help financial institutions
mitigate ML/TF risks and ensure that they are allocating resources commensurate with their documented ML/TF risks, directing
more attention and resources toward higher-risk customers rather than toward lower-risk customers and activities.

B. Proposed Rule

As noted above, the proposed rule would require financial institutions to establish and maintain effective AML/CFT programs
and define the requirements for doing so. In order for an AML/CFT program to be effective, the proposed rule would require
a financial institution to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program.

As described in more detail in section V.D., a financial institution would be required to establish a risk-based set of internal
policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR chapter X. The
risk-based set of internal policies, procedures, and controls must also be reasonably designed to: (1) identify, assess, and
document the financial institution's ML/TF risks through risk assessment processes that evaluate the risks of the institution's
business activities, review and, as appropriate, incorporate the AML/CFT Priorities, and are updated promptly upon any change
that the financial institution knows or has reason to know significantly changes the institution's ML/TF risks; (2) mitigate
the financial institution's ML/TF risks, consistent with the financial institution's risk assessment processes; and, for certain
financial institutions, (3) conduct ongoing customer due diligence.

The proposed rule would also require a financial institution to establish an ongoing employee training program and independent
AML/CFT program testing as part of its AML/CFT program. Finally, the proposed rule would require a financial institution to
designate an individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring
day-to-day compliance; that individual would be required to be located in the United States and accessible to, and subject
to oversight and supervision by, FinCEN and its designee, including the appropriate Federal functional regulator.

Under the proposed rule, in addition to establishing an AML/CFT program, the financial institution would be required to maintain
that program by implementing, in all material respects, its established AML/CFT program. By structuring the requirement to have an effective AML/CFT program
as distinct obligations to establish and maintain (via implementation) an AML/CFT program, the proposed rule is intended to
clarify and reinforce the distinction between failures to establish an AML/CFT program and failures to implement a properly
established program.

The distinction between establishing a program and implementing a program is particularly important under the proposed rule
for potential supervisory and enforcement actions. The proposed rule would not limit enforcement or supervisory actions for
failures to establish an AML/CFT program. However, with respect to banks, once a bank has properly established an AML/CFT program, the proposed
rule would raise the threshold for significant actions based solely on implementation deficiencies so only significant or systemic failures by a bank to implement an effective AML/CFT program (i.e., deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program)
would warrant an “AML/CFT enforcement action” or a “significant AML/CFT supervisory action,” as these terms are defined in
the proposed rule. In this way, the proposed rule is intended to clarify and reinforce a supervisory and enforcement focus
on addressing significant or systemic failures to implement an effective AML/CFT program, rather than on isolated, technical,
or immaterial implementation issues. (44)

Importantly, under the proposed regulations, having an effective AML/CFT program would be more than a one-time adoption of
a risk-based set of internal policies, procedures, and controls. Rather, a financial institution would be required to keep
its risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—current
as the financial institution's risk profile changes. For example, while a financial institution's risk-based set of internal
policies, procedures, and controls may, at one time, have been reasonably designed, they may no longer be reasonably designed
given changes to the financial institution's risk profile. Similarly, an effective AML/CFT program would involve more than
a one-time creation of an employee training program or initiation of an independent testing mechanism: the financial institution
would also be required to keep such aspects of the AML/CFT program current as the financial institution's risk profile changes.
Thus, even where a financial institution has previously established an AML/CFT program in accordance with the proposed rule,
a failure to update the program to reflect significant changes to the institution's risk profile may result in the program
no longer meeting the program establishment requirements, and the financial institution may accordingly be subject to supervisory
or enforcement action for a failure to establish an effective AML/CFT program.

The proposed rule would provide FinCEN with a greater role in the supervisory process with respect to banks and the relevant
Agency. To better ensure that bank examiners are performing “risk focused” supervision, the proposed rule would require that
the Agencies, when acting under supervisory authority delegated by FinCEN, consult with FinCEN prior to taking a significant
AML/CFT

  supervisory action. [(45)]() FinCEN would require the Agencies, when acting pursuant to FinCEN's delegated authority, to provide FinCEN written notice
  at least 30 days prior to taking such an action. FinCEN would have an opportunity to review the action and the underlying
  information giving rise to it, and the Agencies would be required to consider any input offered by FinCEN concerning the effectiveness
  of the bank's AML/CFT program. [(46)]()

By explicitly defining the requirements for an institution to establish and maintain an effective AML/CFT program, and by
standardizing the AML/CFT supervision and enforcement process for banks and the Agencies, the proposed rule is expected to
better achieve the purposes of the BSA and lead to better outcomes for financial institutions, law enforcement, and national
security agencies. Treasury and FinCEN do not intend, however, for the proposed rule to provide permission for financial institutions
to establish “paper programs” that might be interpreted as meeting the proposed rule's technical requirements on their face
but do not achieve the desired outcomes of more effectively and efficiently detecting and preventing ML/TF activity. To establish
a compliant AML/CFT program under the proposed rule, a financial institution must, among other things, establish a risk-based
set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR
chapter X, including through the adoption of risk assessment processes. A critical element of this requirement is that the
financial institution's internal policies, procedures, and controls be “reasonably designed.” For example, if a financial
institution's program testing reveals that a new customer type or new activity is high risk, but the financial institution
does not take any action to revise the design of its internal policies, procedures, and controls and therefore treats the
customer or activity as presenting low risk, then its program should not be considered reasonably designed. Treasury and FinCEN
believe that financial institutions know their customer base, businesses, and risks better than their regulators and the government;
thus, financial institutions are best positioned to identify and evaluate their ML/TF risks. Financial institutions should
therefore, and would under this proposed rule, have significant flexibility and discretion in their decisions and determinations
related to risk identification and resource allocation. However, examiners would be expected to assess whether: (1) a financial
institution's resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes;
and (2) with respect to implementation, specifically, whether the financial institution knows or should know of resource-related
issues involving its internal policies, procedures, and controls that may result in the financial institution failing to implement
its AML/CFT program in all material respects and failing to address such issues.

Similarly, Treasury and FinCEN expect a financial institution to be examined for its implementation of the established AML/CFT
program in all material respects. Merely designating an individual responsible for establishing and implementing the AML/CFT
program, and having that individual establish internal policies, procedures, and controls, an employee training program, and
an independent testing program, are not sufficient to satisfy the proposed rule's obligations for a financial institution
to have an effective AML/CFT program. Rather, a financial institution would be examined for whether it has implemented, in
all material respects, its established AML/CFT program, including whether the financial institution is, in fact, allocating
resources as contemplated in its established AML/CFT program, which the proposed rule would require to be consistent with
its reasonably designed risk assessment processes. Banks with significant or systemic failures to implement an effective AML/CFT
program may be subject to a significant supervisory action or enforcement action, whereas isolated, technical, or immaterial
implementation deficiencies would not be cause for such actions.

V. Section-by-Section Analysis

This section-by-section analysis describes the specific proposed changes to the program rules. Section V.A addresses the proposed
incorporation of CFT into the program rules. Section V.B discusses the requirements for an “effective” AML/CFT program to
comply with the requirements of 31 U.S.C. 5318(h)(1) and the proposed rule. Section V.C explains what it means to “establish,”
“maintain,” and “implement” an effective AML/CFT program. Section V.D describes the components of program establishment, including:
(1) internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3)
an individual, located in the United States and accessible to FinCEN and the appropriate Federal functional regulator, responsible
for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee
training. Section V.E discusses the requirements that the AML/CFT program be written, accessible, and approved by financial
institution leadership. Section V.F addresses the supervision and enforcement section of the proposed rule for banks, and
Section V.G describes several technical changes that the proposal makes to existing AML program rules.

A. Inserting the Term “CFT” Into the AML Program Rules

Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference “countering the financing of terrorism” (47) in addition to “anti-money laundering” when describing the requirement to establish an AML/CFT program. FinCEN proposes to
update its regulations in 31 CFR chapter X to reflect this new statutory language. For example, the proposed rule would change
the title of 31 CFR 1020.210 from “Anti-money laundering program requirements for banks” to “Anti-money laundering/countering
the financing of terrorism program requirements for banks.” Similar changes would apply to the titles of the other program
rules in chapter X.

The inclusion of “CFT” in the program rules would not create new obligations for financial institutions, insofar as the USA
PATRIOT Act already requires them to account for risks related to terrorist financing. Accordingly, FinCEN expects any changes
to existing AML/CFT programs from the amendments described in this subsection to be technical and therefore not have any substantive
impact on financial institutions' BSA compliance obligations.

B. An “Effective” AML/CFT Program

As discussed above in section IV.A, in prescribing the minimum standards for

  an AML/CFT program and in supervising and examining compliance with those standards, the AML Act requires the Secretary and
  the appropriate Federal functional regulator to take into account that effective AML/CFT programs safeguard national security
  and help law enforcement prevent the flow of illicit funds in the financial system. [(48)]() Further, the AML Act instructs FinCEN to focus on achieving effective outcomes rather than dictating the processes used to
  reach those outcomes, an orientation reflected in the proposed rule. Consistent with FinCEN and the Agencies' longstanding
  expectations regarding what effective outcomes entail, FinCEN believes that, as a practical matter, it is not possible for
  a financial institution to detect and report all potentially illicit transactions that flow through the institution. [(49)]() Similarly, a financial institution's AML/CFT program can be effective without preventing every minor instance of a financial
  institution falling prey to illicit finance misuse. Accordingly, the proposed rule would set out that an AML/CFT program is
  “effective” and complies with the requirements of 31 U.S.C. 5318(h)(1) so long as it is established and maintained in accordance
  with applicable requirements.

As noted in section II.B and section II.C, FinCEN has introduced the concept of an “effective” AML/CFT program in prior rulemakings,
and the public has provided valuable feedback on this concept. For example, the Effectiveness ANPRM considered proposing a
definition of an effective and reasonably designed program as one that: (1) identifies, assesses, and reasonably mitigates
the risks resulting from illicit financial activity—including terrorist financing, money laundering, and other related financial
crimes—consistent with both the institution's risk profile and the risks communicated by relevant government authorities as
national AML priorities; (2) assures and monitors compliance with the recordkeeping and reporting requirements of the BSA;
and (3) provides information with a high degree of usefulness to government authorities consistent with both the institution's
risk assessment and the risks communicated by relevant government authorities as national AML priorities. (50)

The proposed rule would provide that a financial institution has an “effective” program if it (1) is established in accordance
with the proposed rule's establishment requirements; and (2) is maintained, meaning that a properly established program is
implemented in all material respects.

One of the AML Act's key purposes is to “encourage technological innovation and the adoption of new technology by financial
institutions to more effectively counter money laundering and financing of terrorism.” (51) Consistent with this purpose and pursuant to the Executive order on Removing Barriers to American Leadership in Artificial Intelligence, the Winning the Race America's AI Action Plan, and the Executive order on Ensuring a National Policy Framework for Artificial Intelligence, Treasury has undertaken various efforts to research, promote, and take actions that reflect its commitment to the role of
innovation as part of a modernized AML/CFT framework. (52)

Treasury has highlighted the potential for innovative technologies to strengthen AML/CFT programs in various strategies and
public engagements. The 2024 National Illicit Finance Strategy highlighted how innovative technologies like machine learning
and large language models have potential to strengthen financial institutions' AML/CFT programs, enabling financial institutions
to more rapidly and effectively analyze data to identify patterns, risks, trends, and typologies. (53) In addition to discussion of specific types of and applications for technology, Treasury has expressed broad support for exploring
areas where AI, blockchain analysis, digital identity, and other tools can produce a more efficient and more effective AML/CFT
framework. (54)

FinCEN encourages financial institutions to evaluate whether new technology or innovative approaches might help to more effectively
combat financial crime. Innovative approaches could involve machine learning, generative artificial intelligence (GenAI),
digital identity, blockchain monitoring and analytics, or application programming interfaces (APIs). These technologies may
be especially useful in countering illicit finance activity involving digital assets, an effort for which FinCEN supports
financial institutions' responsible use of novel models, techniques, or strategies. To that end, FinCEN encourages financial
institutions to review the White House report on Strengthening American Leadership in Digital Financial Technology as well as Treasury's report on Innovative Technologies to Counter Illicit Finance Involving Digital Assets. (55) This report explores how financial institutions can employ innovative and novel methods to detect and stop financial crime
involving digital assets, and encourages the responsible use of novel tools and techniques that can improve the effectiveness
of the U.S. AML/CFT regime.

FinCEN recognizes that adopting new technologies for BSA compliance may not be suitable for every financial institution, particularly
smaller ones, and the proposed rule therefore does not reference or require the use of any particular technology. A financial
institution may find it beneficial to consider whether its AML/CFT program appropriately uses the financial institution's
existing resources, including technology and data. However, building on longstanding guidance, FinCEN encourages institutions
to engage in responsible AML/CFT innovation. (56) Institutions that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional
risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely

  based on the use of innovative technologies. To the contrary, FinCEN recognizes that fostering the use of innovative technologies
  is vital to improving financial crime compliance and fighting illicit finance and strongly encourages their responsible use.

In addition to new technology, FinCEN is aware of concerns surrounding model risk management at financial institutions. FinCEN
has considered comments submitted in response to the 2021 Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy
Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements (RFI). (57) FinCEN received comments including concerns that supervisors may expect financial institutions to apply the Supervisory Guidance
on Model Risk Management (MRMG) to AML/CFT and OFAC-related policies, procedures, and controls. (58)

While FinCEN has not issued or been party to any prior MRMG guidance, FinCEN shares certain concerns articulated in the comments
to the RFI that these models, which are designed to assess different types of risks with different information input, processing,
and reporting components may be overly burdensome and ill-fitted to address illicit finance risks. FinCEN welcomes comment
on this position and intends to work with the Agencies to address these concerns.

C. Establishing and Maintaining an AML/CFT Program

The requirement that financial institutions establish and maintain an AML/CFT program is not new, although over time various
formulations of this requirement have developed in statutes and regulations. (59) The proposed rule would set out uniform terms for an AML/CFT program across FinCEN's regulations for all types of financial
institutions regulated under the BSA and delineate the requirements that must be met for financial institutions to have an
effective AML/CFT program. That is, the proposed rule would create a two-pronged framework under which a financial institution's
AML/CFT program would be deemed to be effective if the financial institution establishes and maintains their program. Under the proposed rule, a financial institution maintains its properly established AML/CFT program by implementing it in all material respects.

1. Proposed 31 CFR 10XX.210(b)—Establishing Versus Maintaining an AML/CFT Program

For a financial institution to have an effective AML/CFT program, the proposed 31 CFR 10XX.210(b) (“31 CFR 10XX” refers to
proposed changes to the AML program rules of all eleven financial institution types) would require a financial institution
to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program. The proposed rule describes
the requirements for a financial institution to establish and maintain an effective AML/CFT program that complies with the
requirements of 31 U.S.C. 5318(h)(1). The AML/CFT program minimum components constituting program establishment, and described
in further detail in section V.D below, are: (1) internal policies, procedures, and controls (including risk assessment processes);
(2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the Agencies,
responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing
employee training. “Establishing” an AML/CFT program involves designing an AML/CFT program that incorporates all of the required
components. “Implementation,” by contrast, addresses whether the financial institution is executing that program in practice.
This distinction matters, particularly for banks, because proposed 31 CFR 1020.221(b) ties the availability of AML/CFT enforcement
and significant supervisory actions based on the program rule for an established bank program to a significant or systemic
failure to implement an effective AML/CFT program. The distinction between establishing and implementing an AML/CFT program
is intended to make transparent how the individual elements of 31 CFR 1020.210 work together to satisfy 31 U.S.C. 5318(h)(1).

The concepts of program establishment and program maintenance are closely related to the supervision and enforcement provisions
of the proposed program rule for banks. In particular, as explained in more detail in section V.F, a bank that has properly
established an AML/CFT program (i.e., satisfied the proposed rule's requirements regarding establishment) will not be subject to an AML/CFT enforcement action or
a significant supervisory action based on the program rule except with respect to a significant or systemic failure to implement
an effective AML/CFT program (i.e., a failure to implement, in all material respects, a properly established AML/CFT program). (60)

Separating program establishment from program maintenance therefore provides needed clarity regarding whether a supervisory
concern relates to deficiencies stemming from the program's design, on the one hand, or failures in the program's operation,
on the other. This two-prong framework would help promote consistent articulation of supervisory expectations and prevent
conflating criticisms of program design—the remediation of which would likely be different in kind—with criticisms of day-to-day
implementation. The proposed distinction does not change the substantive obligations of 31 U.S.C. 5318(h)(1); rather, it clarifies
how those obligations map onto the two statutory requirements at the core of section 5318(h)(1): having a risk-based and reasonably
designed program and adhering to it in operation.

As noted previously, FinCEN intends for the requirements of this proposed rule to not be limited to a one-time adoption of
the elements required for program establishment, such as internal policies, procedures, and controls. Rather, FinCEN intends
a financial

  institution's establishment of its AML/CFT program to require the financial institution's risk-based set of internal policies,
  procedures, and controls—and the risk assessment processes that inform them—to remain current as the financial institution's
  risk profile changes. For example, if a financial institution begins providing a new product or service—or changes how it
  provides an existing product or services, such as operating in a new geographic location—under this proposed rule, a financial
  institution would need to incorporate its new product or service as part of its risk assessment processes. The proposed rule
  would require a financial institution to make a risk determination and, as appropriate, redesign its internal policies, procedures,
  and controls to account for the risks that it did not previously encounter prior to offering the new product or service, or
  operating in the new geographic location. Thus, under the proposed rule, even where a financial institution has previously
  established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant
  changes in the institution's risk profile may result in the program no longer satisfying the proposed rule's requirements
  regarding establishment.

2. Proposed 31 CFR 10XX.210(c)—Implementation of an AML/CFT Program

Once a financial institution has properly “established” an AML/CFT program, the institution must “maintain” the program by
implementing it, in all material respects. Minor deficiencies of an AML/CFT program would not necessarily mean that a financial
institution has failed to implement the program.

Although there are a variety of ways that a financial institution may not be implementing its program “in all material respects,”
in FinCEN's experience, commonly observed examples may include, but would not be limited to: (1) internal policies, procedures,
and controls are not being performed or not being performed on a consistent, regular, and timely basis (e.g., consistently ignored warnings or red flags that a program was seriously deficient) due to the nature or extent of required
resources becoming inadequate; (2) gaps in the risk assessment processes that result in the financial institution's program
missing or inadequately covering higher ML/TF risks (e.g., systems used to monitor for potentially suspicious activity failing to capture material volumes or types of transactions);
or (3) deficiencies or weaknesses in the risk assessment processes that have a material impact on the financial institution's
mitigation of ML/TF risks through its internal policies, procedures, and controls, including due to data-related issues involving
relevant processes and systems.

Similarly, FinCEN expects that a financial institution could become aware of such implementation-related concerns through
a variety of mechanisms, including, but not limited to: (1) independent testing of the AML/CFT program; (2) examiner observations,
suggestions, or other informal comments about the AML/CFT program from FinCEN (or its designee, such as a Federal functional
regulator); (3) management information systems and related reports or other outputs (e.g., key performance indicators or key risk indicators, such as monitoring for potentially material backlogs in relevant AML/CFT
processes); and (4) issues identified by personnel involved in the operation of the financial institution's AML/CFT program.
A bank that fails to reasonably address such warnings that its program is not being implemented would be at risk of being
subject to a significant AML/CFT supervisory action, an AML/CFT enforcement action, or both.

D. Program Establishment

As noted earlier, pursuant to 31 U.S.C. 5318(h), the AML/CFT program requirements for financial institutions must have certain
minimum elements comprised of: (1) internal policies, procedures, and controls; (2) an independent audit function to test
programs; (3) a designated compliance officer; (4) an ongoing employee training program; and (5) other components, depending
on the type of financial institution. The majority of the proposed rule's AML/CFT program components are substantially similar
to the existing statutory and regulatory requirements for financial institutions. However, FinCEN is proposing certain additions
and modifications to modernize and strengthen financial institutions' AML/CFT programs to enable financial institutions to
better mitigate illicit finance risks.

1. Proposed 31 CFR 10XX.210(b)(1)—Internal Policies, Procedures, and Controls

The BSA requires financial institutions to develop “internal policies, procedures, and controls” as part of their AML/CFT
programs. (61) Existing AML program rules already impose internal policies, procedures, and controls requirements to ensure compliance, but
with differing formulations. The proposed rule would standardize these requirements for financial institutions required to
comply with FinCEN's program rules to establish a risk-based set of internal policies, procedures, and controls in their AML/CFT
programs.

Proposed 31 CFR 10XX.210(b)(1) provides that a financial institution's risk-based set of internal policies, procedures, and
controls must be reasonably designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes;
(2) mitigate ML/TF risks consistent with the risk assessment processes, including by allocating more attention and resources
toward higher-risk customers and activities rather than toward lower-risk customers and activities; and, for certain financial
institutions (3) conduct ongoing CDD. The preamble addresses each of these features below.

Under this proposal, a financial institution's risk-based set of internal policies, procedures, and controls should be based
upon, informed by, and consistent with the financial institution's risk assessment processes. The level of sophistication
of the internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity
of the financial institution.

The requirement that a financial institution's risk-based set of internal policies, procedures, and controls be “reasonably
designed” gives financial institutions flexibility in how they achieve compliance with the BSA and the proposed rule's other
requirements. As part of having risk-based set of internal policies, procedures, and controls reasonably designed to ensure
compliance with the BSA and FinCEN's regulations, financial institutions may choose to responsibly adopt new technologies
or innovative approaches to comply with BSA requirements. Consistent with this purpose, FinCEN encourages financial institutions
to evaluate whether new technology or innovative approaches in other resources might help to more effectively combat financial
crime. Innovative approaches could involve machine learning, GenAI, digital identity, blockchain monitoring and analytics,
or APIs. These technologies may be especially useful in countering illicit finance activity involving digital assets, an effort
for which FinCEN supports the responsible use of novel models, techniques, or strategies.

i. Proposed 31 CFR 10XX.210(b)(1)(i)—Risk Assessment Processes

FinCEN is proposing in 31 CFR 10XX.210(b)(1)(i) that, as part of a financial institution's risk-based set of internal policies,
procedures, and controls, the financial institution establish and maintain risk assessment processes to: (1) evaluate the
ML/TF risks of the financial institution's business activities, including products, services, distribution channels, customers,
and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT Priorities; and (3) be updated promptly
upon any change that the financial institution knows or has reason to know significantly changes the institution's ML/TF risks.

While it is common practice among many financial institutions to maintain a risk assessment process or processes, the requirement
that financial institutions have risk assessment processes when developing their AML/CFT programs is not stated in a uniform
manner for all financial institutions under the current AML program rules. Under some program rules, certain financial institutions—such
as insurance companies and loan and finance companies—are explicitly required to “[i]ncorporate policies, procedures, and
internal controls based upon . . . [an] assessment of the . . . risks associated with its products and services.” (62) Under other program rules, some financial institutions—such as casinos and MSBs—must develop internal policies, procedures,
and controls, and independent testing “commensurate with the risks” posed by their products. (63) This latter requirement implicitly requires risk assessment processes, as an institution cannot develop a risk-based set of
internal policies, procedures, and controls without first identifying the institution's risks by way of some process. Thus,
the proposed rule would standardize the requirement for risk assessment processes across different types of financial institutions
subject to program rules, thereby clarifying existing expectations and practices.

Importantly, the proposed rule requires, as part of a financial institution's risk-based set of internal policies, procedures
and controls, that it identify, assess, and document its ML/TF risks using risk assessment processes. FinCEN understands that
many financial institutions currently maintain a single, or standalone, risk assessment process either voluntarily or as required
or expected by Federal regulators. This risk assessment process, generally conducted on an annual basis, results in a documented
ML/TF risk assessment. While such a risk assessment process may be appropriate under the proposal, the use of the term “risk
assessment processes” is intended to reflect that a financial institution may rely on multiple processes—applied as appropriate
within its AML/CFT program—to identify, assess, and document its ML/TF risks and will be examined based on the totality of
these processes rather than the sufficiency of a single, standalone risk assessment process.

FinCEN believes financial institutions are best positioned to identify and evaluate their ML/TF risks and is therefore not
prescribing any particular risk assessment processes or methodologies other than the critical elements described in this proposed
rule. Under the proposed rule, financial institutions will be examined for whether they have established and implemented,
in all material respects, reasonably designed risk assessment processes—which need not be in the form of a singular risk assessment
process. Furthermore, as discussed further below, FinCEN is not prescribing any particular timeframe for institutions to update
their risk assessment processes.

The explicit requirement to have risk assessment processes will be new for banks, casinos, MSBs, broker-dealers, mutual funds,
and FCMs and IBCs. (64)

a. Proposed 31 CFR 10XX.210(b)(1)(i)(A)—ML/TF Risks

Proposed 31 CFR 10XX.210(b)(1)(i)(A) would require a financial institution's risk assessment processes to evaluate the ML/TF
risks of its business activities, including products, services, distribution channels, customers, and geographic locations.
These factors are generally well known and often incorporated into current risk assessment processes of some financial institutions.
FinCEN considers “distribution channels” to refer to the methods and tools through which a financial institution opens accounts
and provides products or services, including, for example, through remote or other non-face-to-face means.

Financial institutions may use a variety of sources to inform their risk assessment processes. Such sources may include information
obtained from other financial institutions, such as emerging risks and typologies identified through section 314(b) information
sharing or payment transactions that other financial institutions returned or flagged due to ML/TF risks. (65) Information a financial institution generates or maintains could be another source. Such internal information may include,
for example, customer internet protocol (IP) addresses or device logins and related geolocation information.

Feedback from FinCEN, law enforcement, and financial regulators may also inform risk assessment processes. For example, if
a financial institution receives feedback from law enforcement about a report it has filed or potential risks at the financial
institution, the financial institution may incorporate that information into its risk assessment processes. Similarly, a financial
institution may consider information identified from responding to section 314(a) requests.

In addition to feedback, reports, and analyses published by Treasury and FinCEN, the Federal functional regulators, or self-regulatory
organizations (SROs) may be particularly relevant to a financial institution's business activities, thereby warranting consideration
when evaluating ML/TF risks. Treasury describes changes in the illicit finance risk environment in its biennial National Money Laundering Risk Assessment, National Terrorist Financing Risk Assessment, and National Proliferation Financing Risk Assessment, which highlight significant illicit finance threats, vulnerabilities, and risks. (66) FinCEN also publishes advisories and analyses on emerging risks and typologies, including Financial Trend Analyses issued
pursuant to section 6206 of the AML Act. These reports contain threat pattern and trend information derived from BSA filings
and may help inform financial institutions' understanding of

  risks associated with different threats and vulnerabilities as they evolve. [(67)]() Regardless of the source, financial institutions should take measures in their risk assessment processes to ensure this information
  is reasonably current, complete, and accurate.

b. Proposed 31 CFR 10XX.210(b)(1)(i)(B)—AML/CFT Priorities

Proposed 31 CFR 10XX.210(b)(1)(i)(B) would require financial institutions to review and incorporate the AML/CFT Priorities.
The AML/CFT Priorities set out the priorities for the U.S. government's AML/CFT policy as required by the AML Act and are
designed to ensure that financial institutions' AML/CFT programs are aligned with those priorities. Recognizing the diverse
nature of ML/TF threats facing the U.S. financial system and national security, and that financial institution AML/CFT programs
benefit U.S. national security by safeguarding the financial system from ML/TF risks, the AML/CFT Priorities are intended
to ensure that financial institutions are focusing on the greatest threats to U.S. national security, as defined by Treasury.

Section 6101 of the AML Act requires that a financial institution's review and appropriate incorporation of the AML/CFT Priorities
into its AML/CFT program be subject to supervision and examination for compliance with the BSA and other AML/CFT laws and
regulations. (68) FinCEN is implementing this statutory requirement by proposing that, as part of their risk assessment processes, financial
institutions must review and, as appropriate, incorporate the AML/CFT Priorities. The inclusion of the AML/CFT Priorities
in risk assessment processes is meant to help ensure that financial institutions understand their exposure to risks in areas
that are of particular importance nationally, which may help financial institutions develop risk-based and reasonably designed
AML/CFT programs.

FinCEN understands that the AML/CFT Priorities may not always be applicable to a financial institution's risk profile and
activities. Therefore, FinCEN requires the incorporation of the AML/CFT Priorities in financial institution's risk assessment
processes as appropriate. This means that, having reviewed the AML/CFT Priorities, a financial institution may determine the extent to which a particular
priority is applicable and whether and how a particular AML/CFT Priority should be incorporated into its risk assessment processes.

Further, a financial institution may use its judgment and apply a reasonable, risk-based determination on whether to focus
on a specific aspect of an AML/CFT Priority (e.g., cyber-enabled fraud), rather than addressing all aspects of a AML/CFT Priority that may either not be applicable (e.g., digital assets cybercrime for a financial institution that does not offer any digital asset products or services, or have
any digital asset customers) or pose lower risks to the financial institution (e.g., proliferation financing risks for a financial institution with no cross-border operations, customers, transactions, or activities).
However, FinCEN cautions that a surface-level, perfunctory review of an AML/CFT Priority by a financial institution and the
foreseeable ways in which it may manifest itself within the financial institution's customers, products and services, geographies,
and distribution channels would not satisfy this requirement. For example, patterns of transactions that may be consistent
with potential structuring should not automatically be dismissed as lower value to law enforcement and untethered to an AML/CFT
Priority without determining whether there is a potential connection to various types of other illicit finance activity (e.g., structuring or similar patterns involving transactions in narcotics trafficking proceeds).

Under the AML Act, FinCEN is required to update the AML/CFT Priorities not less than once every four years. (69) Whenever the AML/CFT Priorities are updated, financial institutions would no longer be required to incorporate prior versions
of the AML/CFT Priorities. Financial institutions would only be required to incorporate the most recent AML/CFT Priorities
into their risk assessment processes.

FinCEN anticipates that some financial institutions may ultimately determine that their business models and risk profiles
have limited exposure to some of the threats addressed in the AML/CFT Priorities but instead have greater exposure to other
ML/TF risks not addressed in the AML/CFT Priorities. Additionally, some financial institutions' risk assessment processes
may determine that their AML/CFT programs already sufficiently take into account some, or all, of the AML/CFT Priorities.
In either case, any changes to financial institutions' AML/CFT programs, such as internal policies, procedures, or controls,
would be based on the results of risk assessment processes and their impact on the AML/CFT program, including how to review
and, as appropriate, incorporate the AML/CFT Priorities before making these determinations.

FinCEN recognizes that some AML/CFT Priorities describe threats at a high level, or at a point in time, and that financial
institutions may lack the context or information necessary on which specific threats, or what time frames, to consider or
focus on when conducting their risk assessments. For instance, the AML/CFT Priorities that FinCEN issued in June 2021 describes
“fraud” as one of the eight priorities and discusses specific examples of fraud that were especially salient in 2021. However,
the government's priorities may have changed since the publication of the AML/CFT Priorities due to emergent ML/TF typologies
(e.g., sanctions evasions by Russian oligarchs) or ML/TF threats (e.g., pig butchering) not addressed specifically in the AML/CFT Priorities. For example, FinCEN's support to Treasury's efforts
to combat rampant government benefits fraud is just one example of how the government's focus on specific types of fraud evolves
over time. (70) This type of fraud may not have been a concern for a financial institution in prior risk assessment processes, but a financial
institution may decide to conduct and apply risk assessment processes to identify whether such a risk is significant for a
financial institution, and that determination may necessitate changes to a financial institution's AML/CFT program.

To assist financial institutions with their risk assessment processes, and to better identify activity related to the AML/CFT
Priorities, FinCEN issues products under its Financial Institution Advisory Program (Advisory Program). (71) FinCEN's Advisory Program communicates priority ML/TF threats and vulnerabilities to the U.S. financial system. Financial
institutions may use this information to support effective, risk-based, and reasonably designed AML/CFT programs and suspicious
activity monitoring systems to help generate highly useful information for

  law enforcement and national security agencies.

Relatedly, since 2021, FinCEN has published Financial Trends Analyses (FTA) highlighting threat pattern and trend information
derived from BSA data on additional fraud-related topics, including an FTA on fraud schemes targeting digital identities,
mail theft-related check fraud, and elder financial exploitation. (72) More recently, FinCEN issued an Alert on Fraud Rings and their Exploitation of Federal Child Nutrition programs in Minnesota
given the rampant financial fraud and improper payments in Minnesota. (73) As noted in the alert, ongoing investigations into fraudsters in Minnesota by the U.S. Department of Justice have identified
potentially billions of dollars stolen from the Federal child nutrition programs and other Federal and State government benefits
programs, including Medicaid.

FinCEN requests comment from the public on whether additional guidance related to the consideration of the AML/CFT Priorities
as part of an institution's risk assessment processes would be warranted.

c. Proposed 31 CFR 10XX.210(b)(1)(i)(C)—Updates to Risk Assessment Processes

Proposed 31 CFR 10XX.210(b)(1)(i)(C) would require financial institutions to update their risk assessment processes promptly
upon any change that the financial institution knows or has reason to know significantly changes their ML/TF risk profiles.
For example, a financial institution may need to update its risk assessment when new products, services, and customer types
are introduced; if existing products, services, and customer types undergo significant changes; when the financial institution
adopts new risk mitigation technology; or if the financial institution as a whole expands or contracts through mergers, acquisitions,
divestitures, dissolutions, and liquidations. Financial institutions may also need to update their risk assessment processes
based on factors external to their operations that they know or have reason to know significantly change their ML/TF risk
profiles. FinCEN welcomes comments on whether it should further clarify when financial institutions must review or update
their risk assessment processes.

ii. Proposed 31 CFR 10XX.210(b)(1)(ii)—Mitigate ML/TF Risks Through Risk-Based Allocation of Attention and Resources

Section 6101(b) of the AML Act states that the AML/CFT programs of financial institutions should be “risk-based, including
ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities,
consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” (74) Proposed 31 CFR 10XX.210(b)(1)(ii) would adopt this formulation as part of a financial institution's obligation to establish
a risk-based set of internal policies, procedures, and controls. Under the proposed rule, a financial institution's efforts
to mitigate its ML/TF risks would involve “directing more attention and resources toward higher-risk customers and activities,
consistent with the risk profile of the [financial institution], rather than toward lower-risk customers and activities.”

FinCEN views risk-based allocation of resources as a critical step in realizing the AML Act's BSA modernization and reform
ambitions, and an important departure from the status quo of AML/CFT compliance and supervision. The proposed rule envisions
financial institutions exercising more flexibility in deploying attention and resources in accordance with the proposed rule
without fear of supervisory criticism or action from examiners for directing more attention and resources on higher risk customers
and activities rather than toward lower risk customers and activities.

The goal of risk-based resource allocation is for financial institutions to spend less time, energy, and resources on lower
priority activities that may result in fewer resources devoted to, and potentially distract from, more serious threats. The
proposed rule would thus enable financial institutions to focus more on higher risk customers and activities, which FinCEN
has determined should result in financial institutions being more effective at detecting, reporting, and preventing the flow
of illicit funds and providing law enforcement with more valuable BSA reporting.

As noted above, Treasury and FinCEN believe that financial institutions are best positioned to identify and evaluate their
ML/TF risks and to make decisions related to risk identification and resource allocation in accordance with risk identification.
The proposed rule, therefore, does not contemplate regulatory second-guessing of a financial institution's reasonable determinations
regarding appropriate resource allocation or conclusions regarding specific risks. However, while Treasury and FinCEN do not
believe that an examiner should substitute his or her own subjective judgment in place of the financial institution, examiners
will be expected to assess whether: (1) a financial institution's resource allocation decisions are informed by, and consistent
with, reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the financial
institution knows or should know of resource-related issues involving its internal policies, procedures, and controls and
other mandatory elements that may result in the financial institution failing to implement its AML/CFT program in all material
respects and failing to address such issues.

iii. Proposed 31 CFR 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii)—Conduct

Ongoing Customer Due Diligence

The existing program rules for certain financial institutions, referred to here as covered financial institutions, contain
CDD requirements that have commonly been referred to as the “fifth pillar” of AML program rules for those types of financial
institutions. (75) Under these requirements, covered financial institutions must establish and maintain a written AML program that includes:
“appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: understanding
the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and conducting ongoing
monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”

Proposed 31 CFR 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii)
would retain these ongoing CDD obligations without alteration but would make them part of the requirement that covered financial
institutions establish a risk-based set of internal policies, procedures, and controls that is reasonably designed.

  FinCEN proposes this organizational change because the activities required by the CDD pillar are, in practice, subsumed by
  the obligation for a covered financial institution to have a risk-based set of internal policies, procedures, and controls
  that is reasonably designed. The organizational change more accurately reflects how covered financial institutions operationalize
  such ongoing customer due diligence as part of their overall AML programs. This organizational change, however, is not intended
  to have any substantive effect on existing obligations under 31 CFR 1010.230.

iv. Application to Community Banks

FinCEN recognizes that financial institutions vary significantly in size, structure, complexity, and risk profile. Under the
proposed rule, the level of sophistication of a financial institution's internal policies, procedures, and controls—including
its risk assessment processes—should be commensurate with the financial institution's size, structure, risk profile, and complexity.
Accordingly, financial institutions with broader product offerings, more complex corporate structures, or greater exposure
to higher-risk customers, products, services, or geographic locations would be expected to establish correspondingly more
formalized or analytically complex internal policies, procedures, and controls—including risk assessment processes. By contrast,
many community banks operate with more limited business activities, traditional lending and deposit services, a narrower geographic
footprint, and customer bases concentrated within defined local communities. For such banks, risk assessment processes may
appropriately be more streamlined or qualitative in nature, and a risk-based set of internal policies, procedures, and controls
that is reasonably designed for a large, complex financial organization would not necessarily be required or appropriate for
a community bank with a more limited risk profile.

The proposed rule does not prescribe any specific methodology for identifying, assessing, and documenting ML/TF risks. Community
banks may use risk assessment processes that are tailored to their business model and operational scale, including processes
that rely on direct knowledge of products, services, customers, and geographic locations rather than highly parameterized
or model-driven approaches. Many community banks maintain longstanding customer relationships and operate within defined local
markets, which may provide bank personnel with meaningful information relevant to identifying, assessing, and mitigating ML/TF
risks. Familiarity with local businesses, direct interaction between bank staff and customers, and an understanding of ordinary
patterns of activity within the bank's community may appropriately inform the bank's risk assessment processes and the design
of reasonably designed internal policies, procedures, and controls. While such characteristics do not reduce a community bank's
obligation to establish and maintain an effective AML/CFT program in accordance with the proposed rule, they may influence
how a community bank documents its ML/TF risks and allocates attention and resources consistent with those risks.

Further, under the proposed rule's requirement that a financial institution review and, as appropriate, incorporate the AML/CFT
Priorities, a community bank may determine, based on its risk assessment processes, that certain AML/CFT Priorities may not
be applicable to its business activities. In such cases, the community bank would not be required to allocate attention or
resources to risks for which it has no identified exposure. Rather, the bank would be expected to direct its attention and
resources in a manner consistent with its documented ML/TF risks.

2. Proposed 31 CFR 10XX.210(b)(2)—Independent Testing

The AML Act did not change the BSA requirement that each financial institution include “an independent audit function to test
programs,” (76) which is already reflected in AML/CFT program rule requirements, (77) and proposed 31 CFR 10XX.210(b)(2). The purpose of independent testing is to assess the financial institution's compliance
with AML/CFT statutory and regulatory requirements, relative to its risk profile. The independent AML/CFT program testing
should be focused on whether the AML/CFT program is effective, and it should identify issues and areas for remediation accordingly.
Similar to the expectations outlined above for examiners, Treasury and FinCEN do not believe that an auditor should substitute
his or her own subjective judgment in place of the financial institution. To support the effective implementation of an AML/CFT
program, independent testing should be based on objective criteria designed to assess whether a financial institution has
established and maintained an effective AML/CFT program and allocated resources consistent with its risk assessment processes.
These criteria should also assess whether related program governance is sufficient to manage risks and apply compensating
controls where necessary, particularly in areas where remediation is underway. This evaluation helps to inform the financial
institution's senior management of weaknesses or areas in need of enhancement or stronger controls. Typically, this evaluation
includes a conclusion about the financial institution's overall compliance with AML/CFT statutory and regulatory requirements
and sufficient information for the reviewer (e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about whether
the risk-based set of internal policies, procedures, and controls is reasonably designed and resources are well-allocated
consistent with the institution's risk assessment processes.

Additionally, while financial institutions retain some flexibility regarding who conducts the audit or testing, the proposed
rule would continue to require that testing be independent. Financial institutions that do not employ outside auditors or
consultants or that do not have internal audit departments may comply with this requirement by using internal staff who are
not involved in the function being tested. For these financial institutions and financial institutions with other types of
arrangements for independent testing, the AML/CFT officer or any party who directly, and in some cases, indirectly reports
to the AML/CFT officer, or an equivalent role, would generally not be considered sufficiently independent. (78) Any

  individual conducting the testing, whether internal or external, would be required to be independent of other parts of the
  financial institution's AML/CFT program, including its oversight. For financial institutions that engage outside auditors
  or consultants, the financial institution would be required to ensure that the outside parties conducting the independent
  testing are not involved in functions related to the AML/CFT program at the financial institution that may present a conflict
  of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures,
  and controls. Additionally, for the purposes of the independent testing component, outside parties would not include government
  agencies, entities, or instrumentalities, such as a financial institution's Federal or State functional regulators. Financial
  institutions with less complex operations, and lower risk profiles may consider utilizing a shared resource as part of a collaborative
  arrangement to conduct testing, as long as the testing is independent. [(79)]()

While all financial institutions are required under existing regulations to establish independent testing, FinCEN is standardizing
this requirement across all financial institution types. For example, the current rules for broker-dealers, mutual funds,
and FCMs and IBCs require outside parties conducting the independent testing to be qualified; (80) however, FinCEN does not find it necessary to add this “qualified” description as it does not establish a new substantive
requirement. FinCEN would generally expect, as with the AML/CFT officer component, independent testers to have the expertise
and experience necessary to perform such testing effectively, including having sufficient knowledge of the financial institution's
risk profile and AML/CFT laws and regulations.

3. Proposed 31 CFR 10XX.210(b)(3)—Designate an AML/CFT Officer Located in the United States

i. Duties of the AML/CFT Officer

The BSA requires that financial institutions with AML/CFT program obligations must have a designated compliance officer. While
FinCEN has adopted this obligation—commonly referred to as the BSA/AML officer—in existing guidance and regulations, the program
rules use slight variations in the specific language to describe this requirement for different types of financial institutions.
The proposed rule provides technical changes to promote clarity and consistency.

As in the current program rules, proposed 31 CFR 10XX.210(b)(3) would provide that an AML/CFT program must designate an individual
(referred to as an AML/CFT officer) responsible for establishing and implementing the AML/CFT program and coordinating and
monitoring day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations.
FinCEN's view is that the individual serving as the AML/CFT officer must be qualified for that role and not overburdened with
other responsibilities at the institution.

The proposed rule is not intended to be primarily concerned with the formal title of the individual responsible for establishing
and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; instead, the proposed rule focuses
on the AML/CFT officer's position in the financial institution's organizational structure that enables the AML/CFT officer
to effectively establish and implement the financial institution's AML/CFT program. The AML/CFT officer's authority, independence,
and access to resources within the financial institution are critical. An AML/CFT officer should have decision-making capability
regarding the AML/CFT program and sufficient functional stature within the organization to ensure that the program meets BSA
requirements.

The AML/CFT officer's access to resources may include the following: adequate compliance funds and staffing with the skills
and expertise appropriate to the financial institution's risk profile, size, and complexity; an organizational structure that
supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement,
monitoring, reporting, and management of the financial institution's ML/TF risks. An AML/CFT officer with conflicting responsibilities
that adversely impact the officer's ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally
would not fulfill this requirement. The addition of the explicit requirement that the AML/CFT officer be responsible for “establishing
and implementing the AML/CFT program” in the proposed rule would make explicit a long-standing supervisory expectation, rather
than changing current supervisory or regulatory requirements or expectations.

To promote consistency and reduce redundancy, the proposed rule would remove some examples of what it means to coordinate
and monitor day-to-day compliance with AML/CFT requirements that are currently listed in the AML program rules for MSBs; insurance
companies; DPMSJs; operators of credit card systems; loan or finance companies; and housing GSEs. (81) For example, those AML program rules currently provide that an AML/CFT officer is responsible for updating the financial institution's
AML program and ensuring that employees are educated or trained in accordance with the financial institution's AML program
training obligation. Removing this type of language in the proposed rule does not indicate that an AML/CFT officer is not
responsible for these activities, but rather reflects that such examples in the regulatory text are not necessary, and that
each financial institution should decide for itself the specific activities that an AML/CFT officer should undertake to establish,
maintain, and implement an AML/CFT program.

Likewise, the proposed rule would remove unnecessary provisions in certain current program rules—those applicable to DPMSJs;
operators of credit card systems; loan or finance companies; and housing GSEs—requiring AML/CFT officers to ensure that a
financial institution's AML/CFT program is implemented effectively. (82) That expectation is embedded in the proposed rule's requirement that AML/CFT officers coordinate and monitor day-to-day compliance.

Similarly, the proposed rule would delete an unnecessary reference from current 31 CFR 1022.210(d)(2)(i). That provision provides
that an MSB's AML/CFT officer must ensure that the MSB properly files reports, and creates and retains records, in accordance
with the

  BSA. These activities are and remain part of the AML/CFT officer's duty to monitor and coordinate day-to-day compliance, and
  thus it is not necessary to separately list them in the rule. This deletion and the removal of the other redundant references
  will ensure consistent language across program rules.

ii. Proposed 31 CFR 10XX.210(b)(3)—The AML/CFT Officer Must Be Located in the United States and Accessible to Regulators

The AML Act provides that the duty to establish, maintain, and enforce a financial institution's AML/CFT program shall remain
the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and
supervision by, the Secretary and the appropriate Federal functional regulator. (83) Proposed 31 CFR 10XX.210(b)(3) therefore requires the very same, noting that the designated individual must be accessible
to, and subject to oversight and supervision by, FinCEN and its designee. FinCEN's designee, in this instance, includes any
agency to which FinCEN has delegated examination authority or the appropriate SRO.

FinCEN recognizes financial institutions may currently have AML/CFT staff and operations outside of the United States, or
they may contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United
States. These arrangements may serve to improve cost efficiencies, to enhance coordination, particularly with respect to cross-border
operations, or serve other purposes not in conflict with goals underlying the BSA. Consequently, under the proposed rule,
while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still
be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally
prohibit the sharing of SARs with personnel located outside of the United States other than in limited circumstances such
as a bank's foreign head office or controlling company. (84) FinCEN requests comment on whether any further clarifications on this point would be useful.

4. Proposed 31 CFR 10XX.210(b)(4)—Ongoing Employee Training Program

The BSA requires AML/CFT programs to include an “ongoing employee training program.” (85) This statutory requirement is reflected in all current AML program rules, but in different formulations. (86) Proposed 31 CFR 10XX.210(b)(4) would eliminate inconsistency in the AML program rules' training requirement by adopting the
BSA's “ongoing employee training program” language uniformly. This change is clarifying, not substantive.

FinCEN would generally expect training to cover the financial institution's internal policies, procedures, and controls, which
should in turn reflect the results of the financial institution's risk assessment processes, the latest AML/CFT regulatory
requirements, and other relevant information. The frequency with which the training would occur, and the content of the training,
would depend on the financial institution's ML/TF risk profile and the roles and responsibilities of the persons receiving
the training. FinCEN welcomes comment on whether any further clarifications of the proposed training requirement are needed.
FinCEN recognizes that financial institutions may have employees and non-employees who may have a variety of roles and responsibilities
in relation to the AML/CFT program. The risk-based nature of an AML/CFT program provides flexibility for financial institutions
to identify both employees and non-employees who must be trained on an ongoing basis.

E. Access to and Approval of a Written AML/CFT Program

1. Proposed 31 CFR 10XX.210(d)—Written AML/CFT Programs Must Be Made Available Upon Request

Current program rules generally require financial institutions to have written AML/CFT programs, but there is variation in
how the requirement is formulated in FinCEN's regulations for certain types of financial institutions. (87) Proposed 31 CFR 10XX.210(d) would provide a consistent standard by requiring that an AML/CFT program be written, and that
a financial institution, upon request, make available a copy of its written AML/CFT program to FinCEN or its designee. FinCEN's
designee, in this instance, includes any agency to which FinCEN has delegated examination authority or the appropriate SRO.
It is thus assured that agencies with original or delegated examination authority over a financial institution, including
for example an agency with examination authorities delegated by FinCEN (88) or the appropriate SRO (89) will be among the agencies able to access a financial institution's written AML/CFT program. In addition to promoting consistency
across the program rules, these clarifications are intended to help financial institutions develop a structured AML/CFT program
understood across the enterprise.

2. Proposed 31 CFR 10XX.210(d)—Financial Institution Approval of a Written AML/CFT Program

Proposed 31 CFR 10XX.210(d) would also require that a financial institution's written AML/CFT program be approved by the financial
institution's board of directors or an equivalent governing body within the financial institution, or appropriate senior management.

Current program rules generally require a financial institution's board or an equivalent governing body within the institution,
or appropriate senior management, to approve the financial institution's written AML program. However, the proposed rule

  standardizes this language across all financial institution types and provides financial institutions with significant flexibility
  in its chosen approval method. While some financial institutions may choose to have their boards approve the written AML/CFT
  program, for others, an equivalent governing body might be a sole proprietor, general partner, or trustee, or a grouping of
  owners, senior officers (including board committees or other groups with oversight responsibilities), senior management, or
  other persons having functions and authority similar to that of a board. For the U.S. branch of a foreign bank, the equivalent
  governing body may be the foreign banking organization's board of directors or delegates acting under the board's express
  authority. [(90)]()

Alternatively, some financial institutions might have other individuals or groups with similar status or functions as directors
approve the AML/CFT program. Such individuals may include Chief Executive Officer, Chief Financial Officer, Chief Operations
Officer, Chief Legal Officer, Chief Compliance Officer, Director, and individuals with similar status or functions. Also,
groups with oversight responsibilities may include board committees such as compliance or audit committees as well as a group
of some, or all of these individuals with aforementioned titles, as senior management that can provide effective oversight
of the AML/CFT program to comply with the proposed rule.

Although some financial institutions must already obtain board approval for their AML/CFT programs or be subject to oversight
by a board of directors, or an equivalent governing body, this board or senior management approval requirement will represent
a change in requirements for other financial institutions. In some cases, the proposed rule would provide greater flexibility
than current program rules provide. For example, a bank lacking a Federal functional regulator must have an AML/CFT program
that is approved by the board or equivalent governing body within the bank. (91) Banks with a Federal functional regulator must also have board approval for their AML/CFT programs under their regulators'
existing rules, although not FinCEN's. (92) On the other hand, broker-dealers; insurance companies; FCMs and IBCs; DPMSJs; operators of credit card systems; loan or finance
companies; and housing GSEs, must currently obtain senior management level approval for their AML/CFT programs. (93) Board approval is not required for these entities currently, so the proposed rule would not be a change. The existing program
rules for casinos and MSBs do not contain specific board or senior management approval requirements, so the proposed rule
would constitute a change for these entities. (94)

In the case of some financial institutions, there may be existing statutes or regulations (other than the BSA and its implementing
regulations) that will determine whether a financial institution must have its board approve its AML/CFT program. The proposed
rule would not interfere with any such requirements. For instance, mutual funds must comply with Rule 38a-1 under the Investment
Company Act of 1940 requiring board approval of a mutual fund's written policies and procedures, which would include its AML/CFT
Program. (95) Because of this requirement, FinCEN understands that Rule 38a-1 would be controlling in practice and require a mutual fund's
board to approve its AML/CFT program; needless to say, such approval would also satisfy FinCEN's proposed rule.

The proposed rule's provision requiring the approval of the AML/CFT program by a financial institution's board of directors,
equivalent body, or appropriate senior management reflects the importance of a financial institution maintaining a strong
culture of compliance. A culture of compliance involves demonstrable support and visible commitment from leadership, the dedication
of adequate resources to AML/CFT compliance, effective information sharing throughout the financial institution, qualified
and independent testing, and understanding across leadership and staff levels of the importance of BSA reports. Adherence
to these principles is critical to ensuring that AML/CFT programs are effective.

At the same time, an alternative approach is to refrain from prescribing corporate-governance detail in the proposed rule,
instead allowing financial institutions to determine the appropriate approving authority consistent with their legal structure
and other regulatory and legal requirements. Leaving firm-level choices to financial institutions would preserve flexibility
across differing corporate structures, avoid imposing a single model for allocating responsibilities, and reduce the risk
of unintended conflict with other regulatory or legal requirements.

F. Proposed 31 CFR 1020.221—Supervision and Enforcement

The proposed rule would add new 31 CFR 1020.221 to set forth a supervision and enforcement framework for banks' AML/CFT programs
that is aligned with the AML Act's emphasis on effectiveness and risk-based supervision. The proposed section defines key
terms, describes FinCEN's enforcement and supervision policy with respect to the requirements of the BSA or 31 CFR chapter
X, establishes consultation requirements between FinCEN and the Agencies, when acting under supervisory authority delegated
by FinCEN, and specifies factors that the Director would consider in determining whether to take, or in reviewing, an AML/CFT
enforcement action or significant AML/CFT supervisory action. The supervision and enforcement requirements apply only to banks
and the Agencies in the proposed rule, but FinCEN welcomes comment on whether these provisions should apply to other financial
institutions. Likewise, the enforcement requirements do not apply to and in no way affect criminal enforcement liability under
the Bank Secrecy Act.

1. Proposed 31 CFR 1020.221(a)—Definitions

Proposed 31 CFR 1020.221(a) would define several terms used throughout the section. The term “AML/CFT requirement” would mean
a requirement of the BSA or 31 CFR chapter X.

The term “AML/CFT enforcement action” as proposed in 31 CFR 1020.211(a)(1) would mean any formal or informal action taken
by FinCEN that seeks to penalize, remedy, prevent, or respond to noncompliance with, past or ongoing violations of, or past
or ongoing deficiencies relating to, an AML/CFT requirement.

The term “significant AML/CFT supervisory action” as proposed in 31

  CFR 1020.221(a)(3) would mean any written communication or other formal supervisory determination issued by FinCEN or an Agency,
  when acting under supervisory authority delegated by FinCEN, that identifies one or more alleged deficiencies, weaknesses,
  violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement; communicates supervisory
  expectations regarding actions or remedial measures required to correct the issue; and contemplates significant or programmatic
  actions or remedial measures to be taken by the bank. Examiner observations, suggestions, or other informal comments would
  be expressly excluded from this definition.

2. Proposed 31 CFR 1020.221(b)—FinCEN Enforcement and Supervision Policy

Proposed 31 CFR 1020.221(b) would articulate FinCEN's enforcement and supervision policy as it relates to AML/CFT requirements
applicable to banks. (96) Except with respect to a significant or systemic failure to implement an effective AML/CFT program (i.e., deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program),
a bank that has properly established an AML/CFT program would not be subject to an AML/CFT enforcement action based on the
program rule by FinCEN or to a significant AML/CFT supervisory action based on the program rule by FinCEN or by the Agencies,
when acting under supervisory authority delegated by FinCEN.

At the same time, the proposed rule would clarify that nothing in this policy would restrict an AML/CFT enforcement action
or a significant AML/CFT supervisory action with respect to a failure to properly establish an AML/CFT program. Moreover, the proposed rule would not affect the factors that FinCEN applies in the disposition of a violation (97) once FinCEN has determined that such violation involves either: (1) a failure to properly establish an AML/CFT program, or
(2) a significant or systemic failure to implement an effective AML/CFT program.

3. 31 CFR 1020.221(c)—FinCEN Consultation

Proposed 31 CFR 1020.221(c) would establish a notice and consultation framework applicable when the Agencies, acting under
supervisory authority delegated by FinCEN, intend to initiate a significant AML/CFT supervisory action. Before initiating
such an action, the Agencies would be required to provide the Director with an opportunity to review the action and consider
any input offered by the Director, which may include any view as to the effectiveness of the bank's AML/CFT program. To facilitate
that review, the Agencies would be required to provide written notice to the Director of their intent to take the action at
least 30 days in advance of the proposed action, unless a shorter period is necessary, in the sole discretion of the Agencies,
to remedy, prevent, or respond to an unsafe or unsound practice or condition.

The notice would be accompanied by the relevant AML/CFT information underlying the proposed action. Relevant AML/CFT information
may include, but is not limited to: the relevant portions of the draft report enforcement action; the relevant examination
workpapers supporting the proposed action and the relevant AML/CFT information submitted by the bank to the Agency. FinCEN
notes the Agencies would not be obligated to provide information over which the bank may claim privilege under Federal or
State law. The Agencies would also be required to respond to requests for additional AML/CFT information from the Director
regarding the proposed action.

4. 31 CFR 1020.221(d)—FinCEN Considerations

Proposed 31 CFR 1020.221(d) specifies the factors that the Director would consider in determining whether to take an enforcement
action or significant supervisory action with respect to banks, or when reviewing a proposed action by the Agencies. (98) These factors would include the factors set forth in 31 U.S.C. 5318(h)(2)(B), as applicable; the extent, if any, to which
the bank—where appropriate in light of its size, complexity, and risk profile—has advanced the AML/CFT Priorities by providing
highly useful information to law enforcement or national security officials, conducting proactive analytics or performing
other innovative activities producing demonstrable outputs evincing the effectiveness of the bank's AML/CFT program (including
effective use of artificial intelligence, federated learning, or other advanced monitoring tools); and any other factor the
Director deems appropriate, including the bank's size, complexity, and risk profile, and, as relevant, circumstances in which
the bank's low-risk customers or limited business activities naturally limit the extent to which the bank can meaningfully
contribute to AML/CFT Priorities.

The Director's consideration of the extent to which a bank has provided highly useful information to law enforcement or national
security agencies reflects that FinCEN considers information sharing to be an important element of an effective AML/CFT program.
Financial institutions may share useful information by responding to 314(a) requests or may use 314(b) authorities to share
information with other financial institutions to identify and report to the Federal Government activities that may involve
ML/TF. Financial institutions may also elect to participate in the FinCEN Exchange Program, a voluntary public-private information
sharing partnership among FinCEN, law enforcement agencies, national security agencies, and financial institutions and other
private sector entities that aims to support priority national security and counter-illicit finance objectives. (99) FinCEN strongly encourages information sharing for the purpose of advancing the AML/CFT Priorities.

The Director may consider the above alongside other factors, including those outlined in the FinCEN Statement on Enforcement
of the Bank Secrecy Act, such as the nature and seriousness of violations, including the extent of possible harm to the public
and amounts involved; impact or harm of the violations on FinCEN's mission to safeguard the financial system from illicit
use, combat money laundering, and promote national security; or financial gain or other benefit resulting from, or attributable
to, the violations, amongst others. (100)

G. Other Changes for Modernization, Clarification, and Consistency

In addition to the previously described changes, the proposed rule would make other revisions to increase

  clarity and consistency in the program rules. Most of these changes are technical, such as renumbering provisions, amending
  cross-references, and updating statutory references based on changes to the BSA by the AML Act. For example, along with the
  Agencies, references to “BSA/AML programs” are being updated to “AML/CFT programs” for financial institutions subject to CIP
  requirements. [(101)]() These technical changes are not anticipated to establish new obligations.

The proposed rule also would make minor changes to the definitions in FinCEN regulations, including the definition of “Bank
Secrecy Act” at 31 CFR 1010.100(e). (102) The proposed rule would also amend the definition of “Federal functional regulator” at § 1010.100(r) to remove reference to
the defunct Office of Thrift Supervision and insert “The Federal Deposit Insurance Corporation” in place of “The Board of
Directors of the Federal Deposit Insurance Corporation.” The proposed rule would also add a definition of “AML/CFT priorities”
at § 1010.100(nnn) to mean the most recent statement of Anti-Money Laundering and Countering the Financing of Terrorism National
Priorities issued pursuant to 31 U.S.C. 5318(h)(4). Finally, as noted above, the proposed rule adds a definition of “Federal
Financial Institutions Regulatory Agency” at § 1010.100(ooo). (103)

Additionally, as required under section 6101(b) of the AML Act, FinCEN consulted with Federal functional regulators, particularly
the Agencies, to inform this rulemaking and coordinate updates to the bank program rule. The proposed rule is removing the
provision in FinCEN's program rule for banks requiring them to comply with the parallel program rule for banks adopted by
the Federal functional regulators since these program rules are consistent. As the delegated administrator of the BSA, FinCEN
expects banks to adhere to FinCEN's rule as promulgated via the Secretary's explicit authority to prescribe minimum standards
for AML/CFT programs.

The proposed rules for broker-dealers and FCMs and IBCs would retain requirements to comply with the rules, regulations, or
requirements of their SROs, provided those rules, regulations, or requirements have been made effective under the Securities
Exchange Act of 1934 for broker-dealers, (104) or the Commodity Exchange Act for FCMs and IBCs, (105) or by the appropriate Federal functional regulator in consultation with FinCEN.

The following subsections describe more significant changes.

1. Combining the Bank Rules

Since 2020, banks lacking a Federal functional regulator have been subject to substantially similar AML/CFT program requirements
(31 CFR 1020.210(b)) as banks with a Federal functional regulator (31 CFR 1020.210(a)). (106) The proposed rule would combine the program rules for both bank types.

The most significant difference between the existing AML program rules is that 31 CFR 1020.210(b)(3) requires banks lacking
a Federal functional regulator to: (1) have their AML programs approved by the board of directors or, if the bank does not
have a board of directors, an equivalent governing body within the bank; and (2) make a copy of its AML program available
to FinCEN or its designee upon request. FinCEN's designee, in this instance, includes any agency to which FinCEN has delegated
examination authority or the appropriate SRO. As previously discussed, the proposed rule would require banks to obtain the
approval of their AML/CFT programs from the board of directors, an equivalent governing body within the bank, or appropriate
senior management, and it would require that the AML/CFT program be made available to FinCEN or its designee upon request.
With these changes, FinCEN believes it would no longer be necessary to have two sets of program rules for banks. Therefore,
the proposed rule would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules applicable to all banks.

2. Conforming and Modernizing Program Rules

For purposes of consistency and clarity, the proposed rule would harmonize certain elements, as described below, of the program
rules for casinos and MSBs to the program rules for banks; broker-dealers; mutual funds; insurance companies; FCMs and IBCs;
DPMSJs; operators of credit card systems; loan or finance companies; and housing GSEs.

Additionally, for casinos, the proposed rule would remove the following language in 31 CFR 1021.210(b)(2)(vi): “For casinos
that have automated data processing systems, the use of automated programs to aid in assuring compliance.” Similarly, for
MSBs, the proposed rule would remove the following language in 31 CFR 1022.210(d)(1)(ii): “Money services businesses that
have automated data processing systems should integrate their compliance procedures with such systems.” The removal of automated
data processing language is not intended to eliminate any substantive BSA compliance obligations for casinos or MSBs. Rather,
it reflects that the application of the same risk-based approach used in the other program rules, which allows—but does not
mandate—the use of automated data processing systems.

A few unique elements of the existing program rule for MSBs would be carried over into the new rule language. In particular,
the customer identification provisions of current 31 CFR 1022.210(d)(1)(i)(A) and (d)(1)(iv), and the agent responsibility
provision of current 31 CFR 1022.210(d)(1)(iii), would all be retained in the new MSB program rule language. This language
reflects FinCEN's longstanding appreciation of the special circumstances applicable to many members of the extraordinarily
diverse category of MSB, an appreciation that remains as accurate now as it was when these unique elements were included in
FinCEN's regulations.

3. Compliance and Implementation Dates

Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and 1030.210(d) contain compliance and implementation dates for MSBs;
DPMSJs; loan or finance companies; and housing GSEs, respectively. The proposed rule would retain implementation dates for
MSBs and DPMSJs, respectively, since they set the time frames in which those specific financial institution types are required
to comply once they conduct certain

  activities or pass thresholds that subject them to AML/CFT program requirements. The proposed rule would also update the citations
  for these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect other changes made to §§ 1022.210(d) and 1027.210(e).

The proposed rule, however, would amend these provisions, as well as those of other types of financial institutions, such
as loan or finance companies and housing GSEs, to remove compliance dates that have passed and are therefore irrelevant.

4. Compliance With Other Rules

For consistency and clarity, the proposed rule would delete certain unnecessary cross-references to other regulations. Specifically,
the proposed rule would no longer state that banks, broker-dealers, and FCMs and IBCs must comply with the 31 CFR 1010.610
and 1010.620 due diligence requirements for foreign correspondent and private banking accounts. (107) Additionally, the proposed rule would no longer state that banks must comply with the regulations of their Federal functional
regulators. Those regulations and requirements apply irrespective of cross-references in the program rules, so FinCEN is proposing
to remove the cross-references to streamline the program rules and promote consistency. FinCEN does not intend for these changes
to have any substantive effect.

VI. Final Rule Effective Date

FinCEN is proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for
financial institutions to review and implement the requirements of the proposed rule. FinCEN solicits comment on the proposed
effective date.

VII. Request for Comment

FinCEN welcomes comment on all aspects of the proposed amendments and specifically seeks comment on the questions below. FinCEN
encourages commenters to reference specific question numbers when responding.

An “Effective” AML/CFT Program (V.B.)

1. The proposed rule sets forth the conditions for an effective AML/CFT program. Is the description of an effective program
   sufficiently clear or is there anything further that FinCEN should consider adding in the final rule to clarify the concept
   of program effectiveness?

2. The proposed rule reflects a determination by FinCEN that financial institutions are best placed to identify risks and
   allocate resources, and that providing them with greater discretion in these areas will improve the quality of AML/CFT compliance
   and reporting to law enforcement. Is this correct or should FinCEN consider adding more requirements regarding allocation
   of resources? How might financial institutions assess changes in the total allocation of resources devoted to an AML/CFT program
   in a changing risk and cost environment?

Establishing and Maintaining an AML/CFT Program (V.C.)

1. Do financial institutions distinguish between “establishing a program” and “maintaining a program by implementing the program”?
   If so, how? Should FinCEN add anything to further define these terms in the final rule?

2. Should the proposed rule's distinction between “establishing” and “maintaining” a program be modified? Is the distinction
   between “establishing” and “maintaining” a compliance program useful for financial institutions?

3. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement an effective
   AML/CFT program (i.e., a failure to implement, in all material respects, a properly established AML/CFT program)?

4. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?

5. How should the proposed rule ensure that the regulations issued by FinCEN and the appropriate Agencies function harmoniously?
   How should the proposed rule differentiate between the Secretary's responsibility for issuing regulations on establishing
   and maintaining AML/CFT programs and the Agencies' responsibilities for issuing regulations on establishing and maintaining
   AML/CFT programs under their respective authorities?

Internal Policies, Procedures, and Controls (V.D.1.)

1. Do financial institutions expect any changes to their existing internal policies, procedures, and controls under the proposed rule, which requires that internal policies, procedures, and controls be “risk-based” and “reasonably designed” to ensure compliance with the BSA?

Risk Assessment Processes (Generally) (V.D.1.i.)

1. The proposed rule refers to risk assessment processes rather than a risk assessment process. This leaves financial institutions free to use findings from one or more processes to holistically assess their ML/TF risks.
   Does this description of how financial institutions would assess their ML/TF risk under the proposed rule provide sufficient
   flexibility? How should FinCEN describe “risk assessment processes” to better reflect how financial institutions assess ML/TF
   risks?

2. Should risk assessment processes be required to take into account additional or different criteria or risks than those
   listed in the proposed rule? If so, what additional factors should FinCEN consider requiring?

3. How long does it generally take a financial institution to incorporate the results of a risk assessment into the other
   aspects of its AML/CFT program? What factors determine this timeframe?

Risk Assessment Processes (AML/CFT Priorities) (V.D.1.i.b.)

1. What, if any, difficulties do financial institutions anticipate when incorporating the AML/CFT Priorities as part of their
   risk assessment processes?

2. What additional guidance on how to incorporate the AML/CFT Priorities into a financial institution's risk assessment processes
   would it be useful for FinCEN to provide?

Risk Assessment Processes (Updates) (V.D.1.i.c.)

1. The proposed rule requires that risk assessment processes are updated promptly upon any change that the bank knows or
   has reason to know significantly changes the bank's ML/FT risks. Would the proposed update requirement change the way financial
   institutions currently update their risk assessment processes, and if so, how? Is additional explanation needed concerning
   when a financial institution would be required to update its risk assessment? In particular, how might FinCEN clarify how
   risk assessment processes would be updated “promptly”? Would an alternative approach, such as periodic updates or a set schedule
   for updates, be preferable? Would an alternative standard, such as “materially changes,” be clearer than “significantly changes”?

2. How does a financial institution's monitoring for ML/TF risks and its risk assessment processes affect one another? Put
   differently, if there is a feedback loop between the two, please describe it, including the typical amount of time between
   discovering new risks and incorporating those findings into risk assessment processes.

Independent AML/CFT Program Testing To Be Conducted by Bank Personnel or by an Outside Party (V.D.2.)

1. Under the proposed rule, a financial institution is required to conduct independent AML/CFT program testing. This requirement is already reflected in existing AML program rule requirements (108) as the requirement to include “an independent audit function to test programs.” (109) FinCEN solicits comment on how financial institutions may interpret and carry out this requirement, based on the proposed rule's description of an effective AML/CFT program. Are further clarifications on the independent AML/CFT program testing requirement necessary to ensure that audits carried out by bank personnel or outside third parties are well-tailored, risk-based, and focused on effectiveness?

AML/CFT Officer Located in the United States (V.D.3.)

1. Under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States other than limited circumstances, such as a bank's foreign head office or controlling company. Are any further clarifications on what duties personnel outside the United States may perform needed?

Written AML/CFT Program and Approval (V.E.1)

1. The proposed rule standardizes the long-standing requirement that an AML/CFT program be written. Should FinCEN further
   clarify which specific elements of an institution's AML/CFT program must be written, or is this requirement generally understood
   in its current form? In particular: (a) which program components—such as risk assessment processes; internal policies, procedures,
   and controls; transaction monitoring rules and parameters; escalation and reporting protocols; independent testing results;
   training materials; and documentation of designated personnel—should be required in writing; (b) what form (e.g., narrative descriptions, checklists, system configurations, or electronic records) should such documentation take; and (c)
   what level of detail is appropriate for each component? Should FinCEN instead eliminate the requirement that an AML/CFT program
   be expressly required to be “written” because, among other reasons, financial institutions may be subject to other applicable
   recordkeeping and documentation requirements? What would be the benefits or drawbacks of not prescribing a mandatory written
   requirement in the regulation?

2. The proposed rule would require that a financial institution's written AML/CFT program be approved by its board of directors,
   an equivalent governing body, or appropriate senior management. Should FinCEN further clarify which aspects of the AML/CFT
   program must be subject to such approval? In particular: (a) should approval be required for each of the core program components
   (e.g., the risk assessment processes framework; internal policies, procedures, and controls; transaction-monitoring and escalation
   frameworks; independent testing structure; training program; and designation of responsible personnel), or would approval
   of the overall program framework be sufficient; (b) should material revisions to particular components (such as significant
   changes to the institution's risk assessment methodology, monitoring architecture, or governance structure) require re-approval
   at the same level; and (c) what level of specificity should the approving body be required to review and approve (e.g., high-level program architecture versus detailed procedures or parameter-level settings)? Should FinCEN instead eliminate the
   specified approval requirement, allowing financial institutions flexibility in determining how leadership oversight of the
   AML/CFT program is structured? What would be the benefits or drawbacks of not prescribing a mandatory approval requirement
   in the regulation? If FinCEN does not eliminate the specified approval requirement, should FinCEN consider amending the requirement?
   Are there alternatives to board of directors, an equivalent governing body, or appropriate senior management that would be
   more appropriate?

Supervision and Enforcement (V.F.)

1. The proposed rule would add a new § 1020.221 to set forth a supervision and enforcement framework for banks. The new supervision
   and enforcement requirements would apply only to banks and the Federal banking agencies in the proposed rule. FinCEN welcomes
   comment on whether these provisions should apply to other financial institutions.

2. Is further clarification needed for financial institutions to determine what constitutes a “significant or systemic failure
   to implement an AML/CFT program in accordance with § 1020.210(c)”?

3. Is further clarification needed for financial institutions to determine what constitutes a “failure to establish an AML/CFT
   program in accordance with § 1020.210(b)”?

4. The proposed rule refers to FinCEN's “enforcement and supervision policy.” Does it introduce confusion to label regulatory
   provisions having the force of law as “policy”? If so, how should the proposed regulatory language be amended to eliminate
   that confusion?

5. The proposed rule would add a requirement for an Agency to notify and consider information provided by FinCEN before initiating
   a significant AML/CFT supervisory action when acting pursuant to authority delegated under this chapter. Should the proposed
   consultation process include an asset threshold— e.g., consultation is required for any significant AML/CFT supervisory actions involving banks with $10 billion or more in assets?
   In addition, or as an alternative, should the proposed rule not require but instead provide the option for banks to request
   their Agency consult with FinCEN prior to initiating a significant AML/CFT supervisory action?

6. The definition of significant AML/CFT supervisory action includes the term “any written communication.” Is the term “any
   written communication” too broad? Are there negative consequences to including the term “any written communication” in the
   proposed regulatory text? If so, please describe. Should the term “any written communication” be more clearly defined or removed
   altogether?

7. As described above, the purpose of the FinCEN consultation requirement is to ensure consistency in BSA/AML enforcement
   and supervision across banks, and for FinCEN to provide relevant information on the effectiveness and impact of an institution's
   AML/CFT program. While Treasury, FinCEN, and the Agencies believe the benefits of a required consultation process outweigh
   the costs, the parties recognize this adds additional layers of review for financial institutions and the Agencies during
   an examination. Are there any avenues, communication channels, or methods in

   which FinCEN and the Agencies can streamline the consultation process and prevent logistical burdens for financial institutions
   or delays in exam report issuance?

8. Is the definition of the term “significant AML/CFT supervisory action” sufficiently clear? Does the inclusion of “unsafe
   or unsound practices or conditions” introduce confusion about what types of supervisory actions would be subject to the FinCEN
   consultation requirement, since those terms are not found in the BSA?

9. FinCEN welcomes comment on provisions related to the use of innovative tools to achieve effective outcomes, specifically
   on how the Director may consider the performance of innovative activities that produce demonstrable outputs under the proposed
   supervision and enforcement framework.

Final Rule Effective Date (VI.)

1. FinCEN is proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for financial institutions to review and implement its requirements. FinCEN solicits comment on the proposed effective date.

VIII. Severability

As a part of this proposal, FinCEN proposes that if one portion of the proposed rule, if finalized, is found to be invalid,
the invalidated portion of the regulation should be severed with the other portions of the proposed rule, as well as the existing
FinCEN regulations for each type of financial institution in chapter X, remaining in full force and effect. FinCEN's position
is that invalidation of any one provision, or application thereof to any one person or circumstance, does not, and should
not, affect any other provision in this proposed regulation or existing regulations under chapter X. Each provision serves
an important, related, but distinct purpose and application, designed to benefit the public by protecting the U.S. financial
system from illicit financial activity. FinCEN accordingly has proposed to incorporate this position into the respective rules
for each type of financial institution, such that invalidity to one provision would not undermine the operability or usefulness
of the other provisions.

IX. E.O. 14294

Section 5 of E.O. 14294 directs that all future notices of proposed rulemaking and final rules published in the
Federal Register
, the violation of which may constitute criminal regulatory offenses, should include a statement identifying that the rule
or proposed rule is a criminal regulatory offense and the authorizing statute. (110) E.O. 14294 directs agencies to draft this statement in consultation with the Department of Justice.

E.O. 14294 further directs that the regulatory text of all NPRMs and final rules with criminal consequences published in the

  Federal Register
  after May 9, 2025, should explicitly state a *mens rea* requirement for each element of a criminal regulatory offense, accompanied by citations to the relevant provisions of the
  authorizing statute.

Willful violations of the regulations set forth in this proposed rule may be subject to criminal penalties pursuant to 31
U.S.C. 5322 and regulations promulgated 31 CFR chapter X. The statutory authority for criminal liability requires a mens rea of willfulness as an element under 31 U.S.C. 5322(a) and 31 U.S.C. 5322(b). FinCEN's existing regulation, 31 CFR 1010.840,
that sets out criminal penalties for violations of regulations promulgated in 31 CFR chapter X also includes a mens rea of willfulness. In drafting this statement, FinCEN has consulted with the Department of Justice.

X. Regulatory Impact Analysis

FinCEN has analyzed the proposed rule as required under E.O. 12866, (111) E.O. 13563, (112) E.O. 14192, (113) the Regulatory Flexibility Act (RFA), (114) the Unfunded Mandates Reform Act of 1995 (UMRA), (115) and the Paperwork Reduction Act (PRA). (116)

This proposed rule has been determined to be a “significant regulatory action” under section 3(f)(1) of E.O. 12866, as it
may have an annual effect on the economy of $100 million or more. FinCEN has included an Initial Regulatory Flexibility Analysis
(IRFA) pursuant to the RFA as the proposed rule may have a significant economic impact on a substantial number of certain
types of affected small entities. (117) Pursuant to analysis required by UMRA, FinCEN concludes it unlikely that the proposed rule, if implemented, would result in
a novel annual expenditure of more than $193 million by State, local, and Tribal governments or by the private sector. (118) While the PRA analysis included in this NPRM introduces certain new pro forma accounting estimates to the existing Office
of Management and Budget (OMB) control numbers covered by the rulemaking, these burdens and costs largely reflect administrative
updates that are being introduced to more accurately represent the activity currently undertaken by covered financial institutions
to comply with existing program requirements unchanged by the proposed rule. The aggregate PRA estimates do not represent,
and should not be interpreted to reflect, novel incremental costs attributable to the proposed rule. (119)

In its totality, FinCEN's regulatory impact analysis (RIA) anticipates that the primary aggregate economic effects of the
proposed rule would be reallocative insofar as the requirement for programs to support law enforcement and national security
and advance AML/CFT Priorities remains unchanged. Thus, while total expenditures on program compliance may not be reduced,
the distribution of which financial institutions incur costs and what they expended those resources on would be expected to
change responsively to the incentives introduced by the proposed rule that better align institutions' attention and activities
with its unique ML/TF risks. While aggregate costs would not be expected to decrease, FinCEN's analysis

  concludes that they would also not be expected to increase, and because the proposed rule would enable financial institutions
  to more efficiently focus their resources on higher-risk items, the same level of expenditures may generate more effective
  outcomes—for the financial institution, the integrity of the financial system, law enforcement, national security, and the
  American public, generally.

As described above, (120) the proposed rule would require covered financial institutions to establish and maintain effective AML/CFT programs with certain
minimum components, such as: (1) a risk-based set of internal policies, procedures, and controls; (2) independent AML/CFT
program testing; (3) the designation of an individual, who is located in the United States, accessible to FinCEN and/or the
appropriate Federal functional regulator (FFR), and responsible for establishing and implementing the AML/CFT program and
coordinating compliance; and (4) an ongoing training program. The proposed rule would also, in certain instances, alter the
scope of conditions under which FinCEN—and regulators to whom FinCEN has delegated supervisory authority such as the Agencies—could
issue supervisory or enforcement actions based solely on implementation deficiencies in cases where a covered financial institution
has properly established a program. Further, the proposed rule would provide FinCEN with a consultative role in certain aspects
of the supervisory process for banks. (121)

In so doing, FinCEN contemplates a number of benefits for covered financial institutions, regulators and other compliance
examiners, law enforcement and national security agencies, and the general public that would flow from (1) ensuring that AML/CFT
programs are risk based, (2) modernizing and reforming Federal supervision of AML/CFT programs, and (3) promoting clarity
and consistency across FinCEN's program rules for the different covered financial institution types.

This RIA begins by describing the broad economic analysis FinCEN undertook to inform its expectations of the proposed rule's
economic impact and burden. (122) This is followed by pieces of additional and, in some cases, more specifically tailored analysis as required by E.O.s 12866,
13563, and 14192; (123) the RFA; (124) the UMRA; (125) and the PRA. (126) Requests for comments related to the RIA—regarding specific findings, assumptions, or expectations, or with respect to the
analysis in its entirety—can be found in the final subsection. (127) These requests for comments have been previewed and cross-referenced throughout the RIA.

A. Assessment of Impact

Consistent with best practices in regulatory economic analysis, FinCEN's assessment of impact begins with an overview of broad
economic considerations, identifying, among other things, the need for the policy intervention. (128) Next, FinCEN (1) establishes baseline estimates of the number of covered financial institutions and other entities that could
be affected by the proposed rule and (2) describes the current regulatory requirements and background practices against which
the proposed rule would introduce changes. (129) The analysis then briefly reviews elements of the proposed rule that most directly inform how foreseeable economic impacts
would flow from how covered financial institutions and their respective regulators would engage in otherwise-not-undertaken
activities to comply. (130) Next, the RIA presents the anticipated benefits and estimated costs to the respective affected parties that would be associated
with compliance. (131) Finally, the assessment concludes with a brief discussion of alternative policies FinCEN considered and could have proposed,
including an evaluation of the relative economic merits of each against the expected value of the rule as proposed. (132)

1. Broad Economic Considerations

Because this NPRM is being issued pursuant to statutory obligations, the necessity for FinCEN to independently identify and
articulate fundamental economic problems that the proposed rule is intended to address, as the basis for regulatory action, (133) is attenuated because at best this activity would complement the problem identification already performed by Congress. (134) Nevertheless, FinCEN has remained mindful of these animating considerations as well as the general social and economic costs
that may ensue from an ineffective AML/CFT regime. (135)

FinCEN expects that the proposed rulemaking would meaningfully alleviate certain underlying economic problems that can impede
the effectiveness of AML/CFT programs. These include potential problems that flow from the presence of reporting-related externalities
and certain information asymmetries. (136)

The expected benefits of the proposed rule, as discussed below, (137) are therefore linked by the extent to which the proposed new and amended program requirements would address these fundamental
economic problems, as doing so would enhance AML/CFT program effectiveness and thereby strengthen, modernize, and improve
the U.S. AML/CFT regime.

2. Affected Parties and Institutional Baseline

In proposing this rule, FinCEN considered the incremental impacts of the proposed requirements relative to the current state
of the affected markets and their participants. (138) This baseline

  analysis of the parties that would be affected by the proposed rule, their current obligations, current program-related activities,
  and currently accrued costs and/or benefits satisfies analytical best practices by describing the alternative of not pursuing
  the proposed, or any other, novel regulatory action. [(139)]() In each case, for amended and new requirements, within the RIA, we have attempted to identify the incremental expected economic
  effects of each component of the proposal as precisely as practicable against this baseline. Nevertheless, in certain cases,
  FinCEN can make only qualitative assessments.

As a first step in the process of isolating these anticipated marginal effects, FinCEN assessed the current landscape of the
covered financial institutions that would be affected by the proposed rule, including the population sizes by financial institution
type, their existing regulatory requirements, and the burden they currently face associated with their compliance activities.
FinCEN also briefly discusses other categories of persons and entities (i.e., regulators, compliance examiners, law enforcement and national security agencies, and certain members of the general public)
that are expected to be directly affected by the proposed rule.

FinCEN acknowledges that the discussion below does not include an assessment of the baseline level of general compliance with
existing program requirements and must therefore caveat that the incremental effects estimated in subsequent sections are
based on the presumption of full compliance with the current rules. (140) FinCEN does not attempt to estimate a baseline population of currently non-compliant entities that could be differently affected
by the rule because it is unclear that the proposed rule would alter the compliance choices already made by those covered
financial institutions. FinCEN invites comment on whether this assumption, or the baseline it implies, is appropriate for
the purposes of this analysis. (141)

i. Baseline of Affected Parties

FinCEN expects the following populations would be directly affected by proposed rule: (1) covered financial institutions,
(2) regulators and other compliance examiners, and (3) law enforcement and national security agencies. FinCEN also took into
consideration that certain other members and groups of the general public, counterparties, clients/customers of affected parties,
and other persons may be indirectly affected by the proposed rule. However, because such effects are not readily quantifiable,
nor is attribution within groups likely to be uniform, the corresponding economic impacts are not itemized in further detail
for all members of the general public in the discussion below. Rather, further consideration of the anticipated economic impact
on the general public is limited to select clearly identifiable subpopulations expected to be the most directly affected. (142) To the extent that the economic impact on additional key, directly affected subpopulations of the general public should be
considered, FinCEN invites comment, data, studies, or reports that would enhance its ability to identify and quantify such
effects. (143)

a. Covered Financial Institutions

The parties expected to comply with the proposed new requirements and amendments to existing requirements include all covered
financial institutions as defined in 31 CFR 1010.100(t) and with existing program obligations prescribed in 31 CFR chapter
X, parts 1020 through 1030. This would include banks (both those with and without an FFR), casinos, MSBs, broker-dealers,
mutual funds, insurance companies, FCMs and IBCs, DPMSJs, operators of credit card systems, loan or finance companies, and
housing GSEs. (144)

Table 1 presents FinCEN's estimates of the total number of entities that meet the respective regulatory definitions of covered
financial institutions. (145) Based on these estimates, FinCEN expects that the proposed rule would affect approximately 369 thousand covered financial
institutions, of which approximately 361 thousand, or approximately 98 percent, would qualify as small financial institutions
for IRFA purposes. (146)

| Financial institution type a | Number of financial
institutions |
| --- | --- |
| Banks with an FFR b | c 8,623 |
| Banks without an FFR d | e 365 |
| Casinos f | g 1,299 |
| Principal MSBs h | i 24,856 |
| Agent MSBs | 307,212 |
| Broker-Dealers j | k 3,278 |
| Mutual Funds l | m 1,355 |
| Insurance Companies n | o 717 |
| FCMs and IBCs p | q 954 |
| DPMSJs r | s 6,742 |
| Operators of Credit Card Systems t | u 4 |
| Loan or Finance Companies v | w 13,342 |
| Housing GSEs x | y 13 |
| Total | 368,760 |
| a See 31 U.S.C. 5312(a)(2); see also 31 CFR 1010.100(t) (definition of financial institution). | |
| b See 31 CFR 1010.100(t)(1); see also 31 CFR 1010.100(d) and 1020.210(a). | |
| c This includes 4,336 FDIC-insured depository institutions (i.e., federally regulated banks) according to the FDIC's Quarterly Bank Profile for Q4 2025, p. 2 (https://www.fdic.gov/quarterly-banking-profile/past-quarterly-banking-profiles). It also includes 4,287 NCUA-chartered credit unions (i.e., federally regulated credit unions) as of December 31, 2025, according to NCUA's Quarterly Credit Union Data Summary: 2025 Q4, p. i (https://ncua.gov/analysis/credit-union-corporate-call-report-data/quarterly-data-summary-reports). | |
| d See 31 CFR 1020.210(b). | |
| e The Board of Governors of the Federal Reserve System Master Account and Services Database (https://www.federalreserve.gov/paymentsystems/master-account-and-services-database-existing-access.htm) contains data as of November 30, 2025, on financial institutions that use Federal Reserve Bank financial services, including
those with no additional Federal regulator. FinCEN used this data to identify 365 banks and credit unions with no additional
Federal regulator using Federal Reserve Bank financial services. | |
| f See 31 U.S.C. 5312(a)(2)(X); see also 31 CFR 1010.100(t)(5) and (6). | |
| g American Gaming Association, State of the States 2025: The AGA Analysis of the Commercial Casino Industry, May 2025, p. 14 (https://www.americangaming.org/wp-content/uploads/2025/05/AGA-State-of-the-States-2025.pdf). | |
| h See 31 U.S.C. 5312(a)(2)(J,K,R); see also 31 CFR 1010.100(t)(3) and (ff) (definition of MSB). | |
| i The definition of MSB (31 CFR 1010.100(ff)) covers both principal and agent MSBs. FinCEN estimated there were 24,856 uniquely
identifiable registered principal MSBs with indicia of active business operations as of the three year-ends 2023-2025. FinCEN
has estimated that the number of agent MSBs is approximately 307,212 based on internal data. | |
| j See 31 U.S.C. 5312(a)(2)(G); see also 31 CFR 1010.100(t)(2). | |
| k This estimate is based on U.S. Securities and Exchange Commission (SEC) data on active broker-dealers available at “Company
Information About Active Broker-Dealers” (https://www.sec.gov/foia-services/frequently-requested-documents/company-information-about-active-broker-dealers), which listed 3,278 active broker-dealers registered with the SEC as of December 31, 2025. | |
| l See 31 U.S.C. 5312(a)(2)(I); see also 31 CFR 1010.100(t)(10) and (gg). | |
| m This estimate is based on the number of registered investment companies filing Form N-1A in SEC's Annual Registered Investment Company Update: Form N-CEN Data, Period Ending December 2024, April 2025, table 1.3, p. 4 (https://www.sec.gov/files/annual-registered-investment-company-update-20250404.pdf). | |
| n See 31 U.S.C. 5312(a)(2)(M); see also 31 CFR 1025.100(g) (definition of “insurance company or insurer” for purposes of applicability of FinCEN regulations). | |
| o This estimate includes 717 life and health insurers in the United States during 2024. From U.S. Department of the Treasury, Annual Report on the Insurance Industry (Sept. 2025), p. 10 (https://home.treasury.gov/system/files/311/Final%20FIO%202025%20Annual%20Report.pdf). Neither the estimate presented here nor the estimate of broker-dealers controls for entities that may be both a broker-dealer
and an insurance company; thus, a certain number of affected entities may be double-counted. However, based on consultation
with staff of other Federal regulators, FinCEN believes this population of dually affected entities may be relatively small
and unlikely to significantly distort the overall assessment. | |
| p See 31 U.S.C. 5312(a)(2)(H); see also 31 CFR 1010.100(t)(8) and (9). | |
| q According to Commodity Futures Trading Commission (CFTC) data on FCMs available at “Financial Data for FCMs” (https://www.cftc.gov/MarketReports/financialfcmdata/index.htm), there were 66 registered FCMs as of December 31, 2025. The number of IBCs as of December 31, 2025 (888) was obtained from
the National Futures Association (NFA) “NFA Membership and Registration” website (https://www.nfa.futures.org/registration-membership/membership-and-directories.html). Because deduplication of entities registered as both FCMs and IBCs was not feasible, this estimate may double-count some
entities registered in both categories. FinCEN, however, believes this subpopulation may be small. | |
| r See 31 U.S.C. 5312(a)(2)(N) (definition of a “dealer” in precious metals, stones, or jewels for purposes of applicability of FinCEN
regulations); see also 31 CFR 1027.100(b). | |
| s This estimate is based on data on firms with North American Industry Classification System (NAICS) code 423940 (Jewelry,
Watch, Precious Stone, and Precious Metal Merchant Wholesalers) in the U.S. Census Bureau 2022 Statistics of U.S. Businesses
(“2022 SUSB Data”) accessed March 1, 2025 (https://www.census.gov/data/tables/2022/econ/susb/2022-susb-annual.html). It does not include Jewelry and Silverware Manufacturing (NAICS code 33991) or Jewelry Retailers (NAICS code 44831). | |
| t See 31 U.S.C. 5312(a)(2)(L) (definition of “operator of a credit card system” for purposes of applicability of FinCEN regulations); see also 31 CFR 1028.100(e). | |
| u This value is based on FinCEN review of active, U.S.-based market participants at year-end 2025. | |
| v See 31 U.S.C. 5312(a)(2)(P) (definition of “loan or finance company”); see also 31 CFR 1010.100(lll). | |
| w This estimate is based on 2022 SUSB Data on firms with NAICS codes 522292 (Real Estate Credit) and 522310 (Mortgage and Non-Mortgage
Loan Brokers). | |
| x See 31 CFR 1010.100(mmm) (definition of “housing government sponsored enterprise”). | |
| y Data on the 11 regional Federal home loan banks were obtained from the Federal Housing Finance Agency (https://www.fhfa.gov/supervision/federal-home-loan-bank-system/about). Housing GSEs are U.S. Government-sponsored enterprises and additionally include Fannie Mae and Freddie Mac. | |

b. Regulators and Other Compliance Examiners

Because covered financial institutions would be examined for compliance with the proposed requirements in this rule, the proposed
rule is expected to directly affect FinCEN, the FFRs, and other compliance examiners, including approximately 8,000 to 10,000
Federal examiners, who conduct such reviews. (147)

FinCEN has delegated authority to examine covered financial institutions to determine compliance as presented in table 2. (148)

Financial institution type	Delegated examining agency
Banks with an FFR	FDIC
	FRB
	NCUA
	OCC
Banks without an FFR	IRS
Casinos
MSBs (Principals and Agents)
Insurance Companies
DPMSJs
Operators of Credit Card Systems
Loan or Finance Companies
Broker-Dealers	SEC a
Mutual Funds
FCMs and IBCs	CFTC a
Housing GSEs	FHFA
a See FinCEN, Anti-Money Laundering Programs for Financial Institutions, 67 FR 21110 (Apr. 29, 2002). In the 2002 interim final rule, FinCEN noted it was appropriate to implement section 5318(h)(1)

           of the BSA with respect to broker-dealers and FCMs through their respective SROs, because the SEC and the CFTC and their SROs
           significantly accelerated the implementation of AML programs for their regulated financial institutions. Accordingly, 31 CFR
           1023.210 and 1026.210 provided that broker-dealers, and FCMs and IBCs, respectively, would be deemed to be in compliance with
           the requirements of section 5318(h)(1) of the BSA if they comply with any applicable regulation of their FFR governing the
           establishment and implementation of AML programs. FinCEN recognizes the SEC as the FFR, and registered national securities
           exchanges or a national securities association, such as FINRA, as the SROs for member broker-dealers. Each SRO may have its
           own AML program requirements (*see, e.g.,* FINRA Rule 3310). The CFTC's SRO is the NFA. The AML program requirements for FCMs and IBCs are set out in NFA Rule 2-9(c).  | |

FinCEN additionally anticipates being uniquely affected as the agency (1) to which covered financial institutions would submit
AML/CFT program-related reports; (2) which would coordinate how information submitted in AML/CFT program-related reports may
in turn support law enforcement and national security efforts; and (3) which would take, or consult with the Agencies on,
formal or informal enforcement or supervisory actions in regard to banks. (149)

c. Law Enforcement and National Security Agencies

The proposed rule is intended to support the efforts of law enforcement and national security agencies by promoting AML/CFT
program design and implementation that is responsive and better tailored to these entities' evolving needs. Law enforcement
and national security agencies can directly access and use reports and data provided to FinCEN in compliance with the AML/CFT
program requirements and other applicable BSA requirements after entering a memorandum of understanding with FinCEN. As of
fiscal year 2024, 432 Federal, State, and local law enforcement; regulatory; and national security agencies had access to
BSA reports and BSA Search, and the BSA Portal had over 12,000 users. (150)

d. General Public

FinCEN expects the general public to be affected by the proposed rule, with certain subpopulations affected more directly
than others. In particular, FinCEN considered two groups that it anticipates could benefit most notably from the proposed
rule: (1) those harmed, or who could be harmed, by ML/TF or related illicit activities and (2) those whose access to the financial
system is unduly constrained as a result of inappropriately tailored AML/CFT programs.

AML/CFT programs that are effective facilitate law enforcement and national security efforts to prevent the flow of illicit
funds, identify and prosecute criminals, and detect and deter illicit activity. To the extent that the proposed rule would
enhance the current effectiveness of AML/CFT programs, this could benefit the public by reducing the instances of harm (via
effective deterrence) or reducing the severity of harm (when illicit activity can be identified and prosecuted). While the
annual cost of crime in general, and financial crimes, specifically, are generally inestimable, certain published statistics
indicate that the scale is staggering. (151) This effect is not only significant in its economic magnitude but affects a substantial fraction of the U.S. population. Considering
only one type of illicit activity combatted by effective AML/CFT programs, a recent study suggests that approximately one
in five adults may be the victim of a financial fraud or scam. (152) Generalized to the corresponding U.S. adult population in the survey year, that would imply that over 56 million people were
affected by fraud or scams alone, and thus, that the subpopulation of those harmed, or who could be harmed, by ML/TF or related
illicit activities is vast.

FinCEN anticipates that though smaller in size, the population whose access to the financial system is unduly constrained
as a result of inappropriately tailored AML/CFT programs is also non-trivial. Recent studies report that in 2023, 4.2 percent
of U.S. households and six percent of surveyed adults were unbanked. (153) This equates to approximately 5.6 million households and 15.5 million adults. (154) Because the extent to which unbanked or underbanked status is exclusively attributable to AML/CFT program concerns is unclear,
these values should be considered upper bounds on the potentially affected subpopulation.

ii. Regulatory Baseline

As part of its baseline analysis, FinCEN considered the variation in requirements under the current regulatory framework for
the covered financial institutions that would be affected by the proposed rule. This includes concurrent statutory requirements,
regulatory requirements at the State level, or other regulatory regimes with which a covered financial institution must concurrently
comply.

  In particular, FinCEN considered: (1) the current program rule requirements that the proposed rulemaking would amend and to
  which it would add new requirements and (2) the broader framework of AML compliance requirements [(155)]() that each type of covered financial institutions' program is meant to guide and ensure are met. [(156)]() Table 3 presents an overview of features of the current program requirements that the proposed rule would further harmonize
  as well as their current organization and sequencing in the respective sections of the regulatory text.

As summarized in table 3, all covered financial institution types face broadly comparable program requirements with respect
to developing and operationalizing internal policies, procedures, and controls; independent testing; designation of key individuals;
training; and CDD (to the extent CDD is currently required for respective covered financial institution types). Nevertheless,
a level of variation in not just the organization/ordering of the core requirements but also the specific language in each
provision may lead different categories of covered financial institutions to interpret the harmonization and standardization
of requirements in the proposed rule to represent a departure from current standards that is not uniform across types. To
illustrate, FinCEN notes the following examples of variation as a non-exhaustive list of instances where the standardization
of regulatory text in the proposed rule departs differentially from preceding regulatory language.

Internal Policies, Procedures, and Controls (157) —Current rules require that the internal controls of banks and casinos “assure ongoing compliance,” (158) while for MSBs, the requirement is simply to ensure that the MSB complies. (159) Meanwhile for broker-dealers, internal policies, procedures and controls must be “reasonably designed to achieve compliance.” (160)

Independent AML Program Testing (161) —The requirements for some financial institutions (i.e., banks, broker-dealers, mutual funds, and FCMs and IBCs) simply specify that independent testing for compliance must be conducted
by personnel or an outside party, (162) while the requirements for other financial institution types (i.e., MSBs, insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs) specify
that the entities must provide for independent review or testing to monitor and maintain an adequate program. (163) Some requirements (e.g., those for insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs) include
further language about the scope and frequency of the testing, which must be commensurate with risk. (164)

Designated Individual(s) (165) —Banks must designate “an individual or individuals responsible for coordinating and monitoring day-to-day compliance,” (166) whereas broker-dealers, mutual funds, and FCMs and IBCs must designate person(s) “responsible for implementing and monitoring
the operations and internal controls” of a program. (167) Others (i.e., insurance companies, DPMSJs, operators of credit card systems, loan or finance companies, and housing GSEs) must designate
a compliance officer who is responsible for ensuring that (1) the AML program is implemented effectively and updated as necessary
and (2) appropriate persons are educated and trained. (168)

Training (169) —Several covered financial institution types' existing requirements specify that training must be ongoing (i.e., for broker-dealers, mutual funds, insurance companies, FCMs and IBCs, DPMSJs, loan or finance companies, and housing GSEs), (170) while for the others, the requirements simply specify that training must be conducted. (171) Further, the language regarding the training requirement for some covered financial institution types (i.e., insurance companies, loan or finance companies, and housing GSEs) specifies an entity may choose to train appropriate persons
directly or they can choose to verify “that such persons have received training by a competent third party.” (172)

CDD (173) —While it is understood that all categories of financial institutions have obligations to be diligent in developing an understanding
of their clients or customers, generally, and often in the ordinary course of business, only certain financial institution
types have programmatic CDD requirements. These include banks, irrespective of FFR; broker-dealers; mutual funds; and FCMs
and IBCs. The language describing the CDD requirements for these covered financial institution types is nearly identical across
financial institution type. (174) Other covered financial institutions do not have an explicit CDD requirement but have certain CDD-like requirements, including
casinos and operators of credit card systems. (175) For example, casinos must have procedures for determining “the name, address, social security number, and other

  information” of a person and verifying that information when required. [(176)]()

Table 4 further illustrates additional features associated with the current program requirements that the proposed rule would
standardize, including whether the program must be written, whether it must newly incorporate language to articulate program
coverage of terrorist financing risks or the financing of terrorist activities, as well as who must approve the program and
to whom a copy of the written program must be made available upon request.

Finally, while all covered financial institution types are required to have an effective AML/CFT program, the scope of requirements,
obligations, and activities those programs cover, and hence, the number of components to be integrated and addressed by a
program's design, risk assessment processes, and training, among other things, differs across covered financial institution
types. This variation in scope of programmatic components is illustrated with a non-exhaustive list of examples in table 5.
Table 5 highlights, for instance, that the programs of banks, broker-dealers, mutual funds, and FCMs and IBCs would be required
to account for CIP requirements, SAR and CTR filing requirements, and other activities like additional due diligence (e.g., due diligence programs for correspondent accounts for foreign financial institutions and for private banking accounts as set
forth in 31 CFR 1010.610 and 1010.620, respectively). Other covered financial institution types have fewer of these obligations,
and hence the scope of what would need to be accounted for in their AML/CFT programs may be narrower.

| Covered financial institution type | 31 CFR
chapter Xsection | Internal
policies,procedures,and controls | Independent
AML programtesting | Designating
individuals | Training | CDD |
| --- | --- | --- | --- | --- | --- | --- |
| Banks: | | | | | | |
| with an FFR | 1020.210 | (a)(2)(i) | (a)(2)(ii) | (a)(2)(iii) | (a)(2)(iv) | (a)(2)(v) |
| without an FFR | | (b)(2)(i) | (b)(2)(ii) | (b)(2)(iii) | (b)(2)(iv) | (b)(2)(v) |
| Casinos | 1021.210 | (b)(2)(i) | (b)(2)(ii) | (b)(2)(iv) | (b)(2)(iii) | (a) |
| MSBs | 1022.210 | (d)(1) | (d)(4) | (d)(2) | (d)(3) | |
| Broker-Dealers | 1023.210 | (b)(1) | (b)(2) | (b)(3) | (b)(4) | (b)(5) |
| Mutual Funds | 1024.210 | (b)(1) | (b)(2) | (b)(3) | (b)(4) | (b)(5) |
| Insurance Companies | 1025.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| FCMs and IBCs | 1026.210 | (b)(1) | (b)(2) | (b)(3) | (b)(4) | (b)(5) |
| DPMSJs | 1027.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| Operators of Credit Card Systems | 1028.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | (b) |
| Loan or Finance Companies | 1029.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| Housing GSEs | 1030.210 | (b)(1) | (b)(4) | (b)(2) | (b)(3) | |
| a While the current casino AML program requirements do not include an itemized CDD subsection, they include some customer-specific
requirements. See, e.g., 31 CFR 1021.210(b)(2)(v)(A). | | | | | | |
| b Despite the absence of a CDD AML program requirement for operators of credit card systems, compliance with the AML program
requirements necessitates some CDD-like activities. See 31 CFR 1028.210(b)(1)(i) and (ii). | | | | | | |

| Covered financial institution type | 31 CFR
chapter Xsection | Written | Addresses
terroristfinancing | Approved by | To whom a written copy of a
program should be made available to upon request |
| --- | --- | --- | --- | --- | --- |
| Banks: | | | | | |
| with an FFR | 1020.210 | ✓ a | | Board of directors or equivalent governing body a | Not applicable. |
| without an FFR | | ✓ | | Board of directors or equivalent governing body | FinCEN or its designee. |
| Casinos | 1021.210 | ✓ | ✓ | | Not specified. |
| MSBs (Principals and Agents) | 1022.210 | ✓ | ✓ | | Department of the Treasury. |
| Broker-Dealers | 1023.210 | ✓ | | Senior management | Not specified. b |
| Mutual Funds | 1024.210 | ✓ | ✓ | Board of directors or trustees | SEC. |
| Insurance Companies | 1025.210 | ✓ | ✓ | Senior management | Department of the Treasury, FinCEN, or its designee. |
| FCMs and IBCs | 1026.210 | ✓ | ✓ | Senior management | Not specified. |
| DPMSJs | 1027.210 | ✓ | ✓ | Senior management | Department of the Treasury through FinCEN or its designee. |
| Operators of Credit Card Systems | 1028.210 | ✓ | ✓ | Senior management | Department of the Treasury or appropriate Federal regulator. |
| Loan or Finance Companies | 1029.210 | ✓ | ✓ | Senior management | FinCEN or its designee. |
| Housing GSEs | 1030.210 | ✓ | ✓ | Senior management | FinCEN or its designee. |
| a The applicable regulations of the several Federal banking regulators specify these elements of a bank's AML program. See 12 CFR 208.63(b) (FRB), 21.21(c)(1) (OCC), 326.8(b) (FDIC), 748.2(b) (NCUA). FinCEN regulations indirectly impose these requirements
by deeming a bank with an FFR to be in compliance with FinCEN's AML program requirement if it complies with comparable regulations
of its FFR. 31 CFR 1020.210(a)(3). | | | | | |
| b FinCEN has delegated authority to examine broker-dealers' compliance with FinCEN regulations to the SEC (see 31 CFR 1010.810(b)(6)). Thus, while the FinCEN regulation regarding broker-dealer AML programs, 31 CFR 1023.210, does not
itself grant SEC authority to examine a broker-dealer's AML program, the SEC has authority pursuant to 31 CFR 1010.810(b)(6),
in combination with 31 CFR 1023.210, to request a written copy of a broker-dealer's AML program. | | | | | |

| Covered financial institution type | 31 CFR
chapter
X part | CIP | Required reports | | Additional
due

           diligence 
           b  |

| --- | --- | --- | --- | --- | |
| CTR or

           Form 8300 a | SAR |  |  |  |  |

| Banks (with and without an FFR) | 1020 | ✓ | ✓ | ✓ | ✓ |
| Casinos | 1021 | (c) | ✓ | ✓ | |
| Principal MSBs: | | | | | |
| Providers or sellers of prepaid access programs d | 1022 | (e) | ✓ | ✓ | |
| Others | | | ✓ | ✓ | |
| Agent MSBs | | | ✓ | ✓ | |
| Broker-Dealers | 1023 | ✓ | ✓ | ✓ | ✓ |
| Mutual Funds | 1024 | ✓ | ✓ | ✓ | ✓ |
| Insurance Companies | 1025 | | ✓ | ✓ | |
| FCMs and IBCs | 1026 | ✓ | ✓ | ✓ | ✓ |
| DPMSJs | 1027 | | ✓ | | |
| Operators of Credit Card Systems | 1028 | (f) | ✓ | | |
| Loan or Finance Companies | 1029 | | ✓ | ✓ | |
| Housing GSEs | 1030 | | ✓ | ✓ | |
| a Certain financial institutions (i.e., banks, casinos, MSBs, broker-dealers, mutual funds, and FCMs and IBCs) are required to report currency transactions over $10,000
conducted by, or on behalf of, one person and multiple currency transactions that aggregate to be over $10,000 per day in
a CTR. The remaining covered financial institutions are required to report cash payments over $10,000 that are received in
a trade or a business using Form 8300. | | | | | |
| b Additional due diligence requirements as set forth in 31 CFR 1010.610, and due diligence requirements for private banking
accounts, as described in 31 CFR 1010.620, are included in program requirements. | | | | | |
| c While there is no directly comparable CIP section to the casino AML program requirements, there are CIP-like requirements
in 31 CFR 1021.210(b)(2)(v)(A), as a casino's program must include procedures for determining and verifying relevant information
related to persons. | | | | | |
| d A provider or seller of prepaid access includes principal MSBs as defined in 31 CFR 1010.100(ff)(4)(i) and (ii) for providers,
31 CFR 1010.100(ff)(7) for sellers. | | | | | |
| e While there is no directly comparable CIP section to the MSB program requirements, there are CIP-like requirements for providers
and sellers of prepaid access in 31 CFR 1022.210(d)(1)(i) through (iv). | | | | | |
| f The program rules applicable to operators of credit card systems do not contain a formal CIP requirement; however, program
compliance in certain cases necessitates some CIP-like activities. See 31 CFR 1028.210(b). | | | | | |

iii. Current Practices

FinCEN made efforts to account for current practices when estimating the expected incremental impact of the proposed rule.
In the subsections below, FinCEN describes select key features of current practices of covered financial institutions, regulators,
and law enforcement agencies considered salient to its analysis. FinCEN requests comment on the existence of other aspects
of current practice that should have been considered or further information about the aspects considered that should be included. (177)

a. Current Market Practices

FinCEN took certain data and features of financial institutions' current practices into consideration when estimating the
expected incremental impact of the proposed rule. Among these features were the presence of third-party services, industry-specific
associations, or other organizations that currently facilitate compliance with BSA/AML requirements as well as information
about the costs of currently operating AML/CFT programs.

Public commentary has at times suggested that general compliance with the BSA and maintaining an AML program under current
practice is costly and burdensome to covered financial institutions and, in some cases, of perceived limited value. (178) However, publicly available data with which to form a robust estimate of the aggregate burden of program compliance—to the
U.S. economy, generally, or to the unique industry groups to which the proposed rule would apply, specifically—as it has been
understood and operationalized to date, is scarce. Absent more reliable comprehensive baseline data, FinCEN is constrained
in its ability to estimate total current economic costs with any meaningful degree of certainty, or assess the substitutability
of current and expected compliance activities under the proposed regulation, or quantify the potential for aggregate cost
savings that covered institutions might privately benefit from in complying with the proposed rule. (179) Nevertheless, this analysis includes FinCEN's best efforts at quantification with certain qualifications. FinCEN continues
to request more comprehensive, precise, and/or generalizable information on financial institutions' compliance burden and
costs in its routine OMB control number renewals, (180) in its forthcoming survey, (181) and as part of this rulemaking. (182)

As in the 2024 Program NPRM, FinCEN continues to believe that the aggregate costs of BSA compliance, including AML program
requirements, may be several billion dollars per year. (183) This estimate (1) is generally

  consistent with FinCEN's estimate that the aggregate annual costs of the portion of BSA compliance burden that are attributable
  to reporting and recordkeeping activities alone (PRA activities) is over $6 billion and (2) tracks data interpolated from
  both a 2020 U.S. Government Accountability Office (GAO) study of bank AML programs [(184)]() and a 2018 St. Louis Federal Reserve report on the regulatory burden on community banks. [(185)]() Extrapolating from the survey results in these studies, FinCEN estimates that the comparable aggregate annual program costs
  for FDIC-insured banks and NCUA-regulated credit unions, as a unique subpopulation of all financial institutions subject to
  program requirements, would have been over $4 billion at the time of the surveys, with the average bank spending approximately
  $500 thousand or just under two percent of operating expenses, on program compliance. These results broadly comport with recent
  research findings that in non-financial industries, approximately 1.3 percent of the average firm's wage bill is expended
  on regulatory compliance activities. [(186)]() Using a methodological approach similar to the 2020 and 2018 studies, but applied to data as available at end of calendar
  year 2024, FinCEN estimates that the size-weighted mean (median) bank or credit union currently spends approximately $598,700
  ($414,300) on program compliance annually, which is equivalent to an aggregate annual expenditure level between $3.7 and $5.4
  billion for banks with an FFR.

b. Current Supervisory and Enforcement Practices

The proposed rule is expected to introduce certain changes that could affect current supervisory and enforcement practices
to varying degree by category of affected financial institution. Thus, FinCEN took into consideration its own and other FFRs'—particularly,
the Agencies'—current supervisory and enforcement processes.

In its capacity as the administrator of the BSA, FinCEN has delegated its authority to the FFRs, including the Agencies, to
examine financial institutions for compliance with the BSA and its implementing regulations. (187) In connection with this delegation, FinCEN has entered into certain memoranda of understanding with the FFRs that enable FinCEN
and the FFRs to share information with one another on a routine basis about relevant financial institutions' compliance with
the BSA and its implementing regulations. FinCEN and the FFRs also regularly engage one another in supervisory dialogue, regarding
both specific issues related to a particular financial institution's compliance and broader patterns or trends in financial
institutions' general compliance with the BSA. Although such information sharing and supervisory dialogue may include matters
that the proposed rule would define as significant supervisory actions or enforcement actions, (188) these current practices do not entail consultation by the Federal banking regulators with FinCEN to the same extent as the
proposed rule would require.

With respect to the Agencies, FinCEN understands that these agencies examine banks' BSA/AML compliance programs every 12 to
18 months using risk-focused procedures outlined in the FFIEC BSA/AML Examination Manual. If violations are found or they
have serious supervisory concerns that are not timely addressed, the Agencies may take actions ranging from informal corrective
measures to formal enforcement actions such as cease-and-desist orders. (189) The baseline costs associated with these activities are understood to be a fraction of the Agencies' reported aggregate expenses
on conducting supervision and enforcement. In its survey of the most recent publicly available information, FinCEN noted that
in total spending on supervision: (1) the FDIC allocated $1.35 billion to supervision in its 2026 proposed operating budget; (190) (2) the FRB spent nearly $2.2 billion on supervision and regulation in 2024 and proposed allocating nearly $2.4 billion in
its 2025 budget; (191) and (3) the OCC reported spending $1.2 billion in costs associated with its supervision program in fiscal year 2025. (192) Using this data (193) to form a crude approximation, FinCEN estimates that a change in total expenditures or reallocation of current expenditures
of less than two percent, would, independent of all other expected economic effects of the rule, constitute a significant
economic impact in any given year. (194)

Based on consultation with the Agencies, FinCEN anticipates changes of this magnitude to be unlikely because the proposed
rulemaking is not expected to require substantial alterations to the Agencies' supervisory expenditures or to require significant
additional resources to develop, implement, and maintain the enforcement and supervisory action consultation process with
FinCEN. As such, any reallocative effects that flow from the proposed rule through changes in supervisory and enforcement
practices are likely to be more pronounced for FinCEN than for those

  to whom it has delegated examination authority.

c. Current Use of BSA Information by Law Enforcement and National Security Agencies

While results may not be published, FinCEN both routinely receives reports (195) and conduct surveys (196) that speak to the use and usefulness of BSA information to law enforcement and national security agencies. An older, but broadly
analogous, publicly available report from the GAO found that in 2018, a majority of Federal and State law enforcement agencies
had direct access to FinCEN's BSA database (i.e., 85 percent of federal agencies and 54 percent of State agencies), though fewer than one percent of local law enforcement agencies
did. (197) FinCEN believes these survey results may underrepresent the extent to which local law enforcement may benefit from BSA information
insofar as the GAO study could not directly account for the incidence of referrals to local law enforcement of matters not
otherwise pursued by Federal or State agencies directly. The study also surveyed 5,257 investigators, analysts, and prosecutors
at six Federal law enforcement agencies and found that these agencies used BSA data extensively, estimating that approximately
72 percent of personnel conducting investigations from 2015 to 2018 used BSA reports to support their work. (198)

3. Description of Proposed Regulatory Changes

For purposes of the RIA, FinCEN considered the various components of the proposed rule—including its proposed amendments to
existing rules and proposed new requirements—with a view towards the specific features or elements that are expected to generate,
either directly or indirectly, an economic benefit or cost or lead to changes in market participant incentives in a way that
may generate economic benefits or costs. (199) For components of the proposed rule that FinCEN analysis has not assigned an expected economic effect, the reason for doing
so is briefly described below.

The description of proposed requirements below is organized by the scope and anticipated potential magnitude of economic effects,
starting with the proposed changes, applicable to the broadest scope of financial institutions, that are expected to be the
least substantive and concluding with the proposed changes, concentrated on the narrowest scope of affected parties, that
have the greatest potential to result in substantive changes. To balance the completeness of the RIA with the desire for expositional
clarity and ease of tractability between the proposed regulatory text and sections V (section-by-section analysis) and X (regulatory
impact analysis), FinCEN has included table 6, to provide a mapping of the various components of the proposed rulemaking as
presented in the section-by-section analysis to their analogous categorization in the RIA.

| Scope of
affected entities | The proposed rule would . . . | Section V analysis | Considered in
RIA subsection(s) | Proposed regulatory text location |
| --- | --- | --- | --- | --- |
| Generally Applicable to all Financial Institutions | Insert “CFT” to standardize references to “AML/CFT” as in “AML/CFT Program,” replacing “AML program” or “BSA/AML program” | V.A, V.G | X.A.3.i | various (regulatory titles, CIP regulations, etc.) |
| | Remove program-related compliance dates that are no longer relevant | V.G.3 | X.A.3.i | n/a, text removed |
| | Conceptually define program “effectiveness” | V.B, V.C | X.A.3, X.A.4 | 10XX.210(a) |
| | Introduce a two-prong program framework of compliance with program requirements | V.C. | X.A.3, X.A.4 | 10XX.210(a)(1) and (2) and (c) |
| | Encourage adoption of new technology or other innovative approaches, while removing prescriptive requirements | V.B, V.D.1, V.F.4, V.G.2 | X.A.3.i, X.A.4.i.a, X.A.4.ii.a | n/a |
| | Standardize requirements that a program's internal policies, procedures, and controls be reasonably designed to: (1) identify,
assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent with its risk assessment
processes; and, if applicable (3) conduct ongoing CDD | V.D.1 | X.A.3.i | 10XX.210(b)(1) |
| | Require that internal policies, procedures, and controls identify, assess, and document ML/TF risks through risk assessment
processes | V.D.1.i | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(1)(i) |
| | Require that internal policies, procedures, and controls mitigate ML/TF risks consistent with a financial institution's risk
assessment processes (including appropriate allocation toward higher-risk customers) | V.D.1.ii | X.A.3.i, X.A.4.i.a, X.A.4.ii.a | 10XX.210(b)(1)(ii) |
| | Require that risk assessment processes (1) evaluate ML/TF risks from business activities; (2) consider AML/CFT Priorities;
and (3) update promptly responsive to significant changes to ML/TF risks | V.D.1.i.a, b, c | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(1)(i)(A), (B), and (C) |
| | Standardize language describing program requirements for independent testing | V.D.2 | X.A.3.i | 10XX.210(b)(2) |
| | Require independent testing | V.D.2 | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(2) |
| | Standardize program requirements regarding the designated individual responsible for establishing, implementing, and coordinating
day-to-day program compliance | V.D.3.i | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(3) |
| | Require that the designated individual is located in the United States | V.D.3.ii | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(3) |
| | Require that the designated individual is accessible to, and subject to oversight and supervision by, FinCEN and the appropriate
FFR | V.D.3.ii | X.A.3.i | 10XX.210(b)(3) |
| | Require that the designated individual is responsible for establishing and implementing the AML/CFT program and coordinating
and monitoring day-to-day compliance | V.D.3 | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(3) |
| | Standardize language describing program requirements for ongoing employee training | V.D.4 | X.A.3.i | 10XX.210(b)(4) |
| | Require ongoing employee training | V.D.4 | X.A.3.i, X.A.4.ii.a | 10XX.210(b)(4) |
| | Require the AML/CFT program to be written | V.E.1 | X.A.3.i, X.A.4.ii.a | 10XX.210(d) |
| | Require the AML/CFT program to be made available upon request to FinCEN or its designee | V.E.1 | X.A.3.i, X.A.4.ii.a | 10XX.210(d) |
| | Require the AML/CFT program to be approved by the financial institution's board of directors or an equivalent governing body
within the financial institution, or appropriate senior management | V.E.2 | X.A.3.i, X.A.4.ii.a, X.E | 10XX.210(d) |
| Applicable to Covered FIs Only | Integrate CDD-related program requirements into the “establishment prong” of the proposed new program framework | V.D.1.iii | X.A.3.ii, X.E | 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii) |
| Applicable to Banks Only | Consolidate 31 CFR 1020.210(a) and (b) into a single set of rules applicable to all banks | V.G.1 | X.A.3.iii | n/a, text consolidated |
| | Remove redundant regulatory text affirming the requirement that banks must comply with the rules of their FFRs | V.G.4 | X.A.3.iii | n/a, text removed |
| | Define the terms/phrases “AML/CFT enforcement action,” “AML/CFT requirement,” and “significant AML/CFT supervisory action” | V.F.1 | X.A.3.iii, X.A.4.ii.a | 1020.221(a) |
| | Provide that a bank with an AML/CFT program established in accordance with proposed 31 CFR 1020.210(b) would not be subject
to an AML/CFT enforcement action or significant AML/CFT supervisory action absent a significant or systemic failure to implement
said program within the meaning of proposed 31 CFR 1020.210(c) | V.F.2 | X.A.3.iii, X.A.4.i.a | 1020.221(b)(1) |
| | Provide that the proposed 31 CFR 1020.221(b)(1) provisions do not apply when there is a failure to establish a bank program
within the meaning of proposed 31 CFR 1020.210(b) | V.F.2 | X.A.3.iii, X.A.4.i.a, X.A.4.ii.a | 1020.221(b)(2) |
| | Provide that in determining to take, or in review of, an AML/CFT enforcement action or significant AML/CFT supervisory action,
the Director would take into account factors under 31 U.S.C. 5318(h)(2)(B) and the bank's unique ability and efforts to advance
AML/CFT Priorities | V.F.4 | X.A.3.iii, X.A.4.i.a, X.A.4.i.b, X.A.4.ii.b | 1020.221(d) |
| Applicable to Bank FFIRAs | Require FFIRA consultation with the Director before any significant AML/CFT supervisory action pursuant to delegated authority
is initiated | V.F.3 | X.A.3.iv, X.A.4.i.a, X.A.4.i.b, X.A.4.ii.a, X.A.4.ii.b | 1020.221(c)(1) |
| | Require, generally, an FFIRA to provide written notice to the Director of any intent to take a significant AML/CFT supervisory
action pursuant to delegated authority at least 30 days in advance of the proposed action | V.F.3 | | 1020.221(c)(2)(i) |
| | Require, to the extent reasonably practicable, that an FFIRA respond to requests from the Director for additional information
regarding a proposed significant AML/CFT supervisory action | V.F.3 | | 1020.221(c)(2)(ii) |

i. Generally Applicable to All Financial Institutions

In this NPRM, FinCEN proposes to introduce a number of technical changes that include new definitions and new or amended language
that seek to improve the clarity and congruence of the current regulatory text across all categories of financial institutions.
Many of these are expected to be non-substantive changes, but some might reasonably be expected to result in novel or alternative
activities being undertaken by at least some affected parties. For completeness, the full scope of changes is reviewed in
the section below; however, only those changes that could foreseeably result in non-negligible changes in the activities of
a non-trivial subpopulation of affected parties are further discussed in section X.A.4.

Changes that are not foreseen to be substantive include updating 31 CFR chapter X to insert the term “CFT” into the program
rules; (200) the standardization of the ordering and language used to describe the necessary “four pillars” required of all financial institution
types' AML/CFT programs, (201) and other technical amendments to program attributes. (202) FinCEN is also proposing to amend certain existing definitions to incorporate non-substantive, modernizing updates. (203)

Other changes might reasonably be expected to result, to varying degrees, in novel or alternative activities being undertaken
by affected parties and are identified as such for further consideration in section X.A.4 below. These include the introduction
of certain definitions, concepts, textual reorganizations, and express requirements.

FinCEN proposes to define “AML/CFT priorities” such that when the term is used throughout 31 CFR chapter X, it is clear that
only the most recently published version (204) of the AML/CFT Priorities is being referenced. (205) The extent to which defining the priorities this way may affect expected burdens would depend on how path-dependent programmatic
best practices would otherwise be and the magnitude of changes in AML/CFT Priorities between one publication and the next.

Additionally, the proposed rule includes certain linguistic changes that are to a greater extent intended to demarcate intended
changes in conceptual framing and accountability mechanisms than introduce new requirements for financial institutions. (206) The novel imposition of these specific semantic distinctions between “establish” and “maintain” are meant to create an evaluative
framework that would enable an evaluator or evaluated entity to meaningfully distinguish between facially similar observed
errors, omissions, or other failures that impede a program's effectiveness by causal attribution (to either a flaw in program
design or in program execution). This causal distinction, in turn, would afford certain protections from excessive supervisory
and/or enforcement action by regulators or other compliance examiners and relieve a given financial institution from the need,
real or perceived, to prophylactically undertake excessive program activities for the exclusive purpose of mitigating such
excessive supervisory or enforcement action risks.

ii. Applicable to Covered Financial Institutions

As discussed in section X.A.2.ii, while all financial institutions must exercise diligence when developing an understanding
of their clients or customers, only a select subset of financial institutions subject to the BSA have express “fifth pillar,”
or CDD obligations. (207) FinCEN has long held that this “fifth pillar” is itself composed of four core elements, (208) including three (in addition to beneficial ownership identification and verification) that are integral to the design and
execution of a compliant AML program. (209) This NPRM includes a proposed, non-substantive change in the structural organization of program requirements that would move
CDD core elements three and four from their current standalone textual positions to become nested in the “establishment prong”
of AML/CFT program requirements.

As explained in section V.D.1.iii, this change is intended to simply better reflect how covered financial institutions operationalize
such ongoing CDD as part of their overall AML programs and would not be expected to engender novel incremental burden. It
is therefore not further discussed in section X.A.4 below. However, FinCEN has, in the course of analysis undertaken in connection
with several recent rulemakings and its review of its PRA obligations, taken note of certain clerical errors and omissions
that caused the existing recordkeeping burden associated with CDD core elements three and four to be omitted from certain
pre-existing OMB control numbers. As a result, the PRA analysis in section X.E below includes a line item associated with
CDD program obligations that would address the previous omission. This administrative correction does not reflect, in either
level or proportion, an anticipated need for catholic changes to covered financial institutions' baseline due diligence practices.

iii. Applicable to Banks

When assessing the potential economic impact of the incremental portions of the proposed rule unique to banks, FinCEN considered
both the

  portions of the proposed regulatory text that pertain to requirements placed on banks directly as well as portions of the
  proposed regulatory text that may prescribe activities for parties other than banks but are reasonably expected to have an
  impact on banks. The distinction in causal channels, while recognized in this section, is not maintained in section X.A.4
  below in cases where the economic effects of the proposed regulatory text on banks are not reliably separable or such incremental
  analysis would not enrich the analysis.

Additionally, certain proposed changes are not discussed further in section X.A.4 below because it is unclear that they would
have either independent incremental effects or any economic effect at all. These changes include the proposals: (1) to combine
the two bank program rules—for banks with an FFR and those without an FFR—into one framework; (210) (2) to remove regulatory text affirming the requirement for banks to comply with the rules of their FFRs; (211) and (3) to define the terms/phrases “AML/CFT enforcement action,” “AML/CFT requirement,” and “significant AML/CFT supervisory
action” for purposes of proposed 31 CFR 1020.221. (212)

In the proposed rule, the supervision and enforcement requirements would apply only to banks and the Agencies. Of the proposed
requirements, FinCEN anticipates that proposed 31 CFR 1020.221(b)(1) is likely to have the most substantive impact on banks,
while, by contrast section 221(b)(2), in practice, represents the least difference from status quo. Notwithstanding that the
framework of proposed § 10XX.210(a) and the proposed requirements/provision of § 10XX.210(b)(1)(ii) (to allocate program resources
and attention by risk level) apply to all categories of regulated financial institutions, the economic effects of the proposed
evaluative framework are expected to be greatest where supervisory and enforcement commitment to abide by the framework is
perceived by affected financial institutions to be the most credible. For this reason, banks regulated by the Agencies may
be uniquely affected among the categories of financial institutions that would be subject to the proposed rule because they
are the only financial institutions with companionate regulation binding the parties supervising and enforcing their compliance.

FinCEN also expects proposed 31 CFR 1020.221(d) to affect banks' incentives because it provides that in determining to take,
or in review of, an AML/CFT enforcement action or significant AML/CFT supervisory action, the Director would take certain
factors into consideration, including facts and circumstances unique to the bank in question. In particular, section 221(d)(2)
would require the Director to consider the bank's demonstrable efforts to advance AML/CFT Priorities such as its production
of highly useful information, analytics, or other innovations. If these efforts would newly be, or to a markedly greater extent
than they currently are, allowed to weigh in the bank's favor when under consideration for an AML/CFT enforcement action or
significant AML/CFT supervisory action, FinCEN expects that the proposed regulation could reasonably be expected to generate
economic effects because it would likely change the scope or nature of activities undertaken and/or investments made.

iv. Applicable to Federal Financial Institutions Regulatory Agencies

As described above in section V.F.3, the proposed rule would introduce new notice, (213) consultation, (214) consideration, (215) and response (216) requirements for the Agencies before initiating significant AML/CFT supervisory actions. FinCEN anticipates that the proposed
consultation process is likely to have direct economic effects on both FinCEN and the Agencies, further discussed below in
sections X.A.4.i.b (expected benefits) and ii.b (expected costs). The proposed process could also reasonably be expected to
have indirect effects on the banks subject to supervision and examination by Federal banking regulators to the extent that
the consultative process is successful in better aligning supervisory and enforcement activities with the efficient establishment
and maintenance of AML/CFT programs. Finally, while further downstream economic effects may also flow to the general public
from this improved alignment, these effects would be third order at best, and difficult to distinguish from the effects of
other incremental components of the proposed rule. Thus, despite acknowledging that economic effects of the proposed regulatory
changes applicable to the Agencies may reach to banks and the general public, they are not itemized or further considered
for these affected parties in their respective sections below.

4. Anticipated Economic Effects

Ideally, conducting an RIA would enable FinCEN to identify and monetize all of a proposed regulation's most salient economic
effects with a high degree of certainty so that policymakers and the commenting public would be able to comparatively evaluate
different regulatory options' benefits and costs and advocate for the option with the greatest net benefits. In practice,
however, financial regulations include benefits and costs that cannot be quantified with any degree of certainty, making simple
benefit-cost comparisons potentially misleading, “because the calculation of net benefits in such cases does not provide a
full evaluation of all relevant benefits and costs.” (217) In its analysis, FinCEN has therefore sought to include an evaluation of certain foreseeable non-quantified economic effects
in addition to certain quantified costs to more comprehensively assess the potential net benefit of the proposed rule and
select alternatives.

Additionally, because program rules are a minimum standard, (218) FinCEN preemptively qualifies its analysis as likely to overstate both the benefits and costs of the proposed rule for covered
financial institutions that already strive for best practices or whose programs already meet or surpass the proposed requirements.
However, because the lack of an incremental effect for these institutions would affect both benefits and costs, it should
not, in theory, affect an assessment of the overall net effects, as the differences on both sides should offset each other.
FinCEN requests comment on the reasonableness of this expectation and solicits data or information, if available, that would
improve the accuracy of its assessment of impact if this reliance on theory is not appropriate. (219)

i. Expected Benefits

The proposed rule is anticipated to result in certain nonquantifiable benefits to covered financial

  institutions, regulators and other compliance examiners, law enforcement and national security agencies, and the general public.
  As discussed in section X.A.1, these benefits are expected to flow from the extent to which the new and amended program requirements
  are better able to address the fundamental economic problems that might otherwise limit current AML program and regime effectiveness.

a. Regulated Financial Institutions

As discussed above in section X.A.1, this proposed rule, among other things, aims to reduce distortions due to information
asymmetries by providing regulated financial institutions and their regulators with clarity about the requirements that would
need to be met in order to have an effective AML/CFT program. By emphasizing that an effective program is one that mitigates
a regulated financial institution's ML/TF risks by directing more attention and resources toward higher-risk customers and
activities rather than toward lower-risk ones, regulated financial institutions may choose to reallocate their resources in
a way that better aligns the program requirements and the elements of a regulated financial institution's compliance burden
that are unobservable. This reallocation of resources could decrease the cost per unit of effectiveness. That is, it could
reduce the expense of time and money on activities that do not create value, while improving the effectiveness of their AML/CFT
programs by better preventing money laundering and financing of terrorism with risk-based improvements to detecting, preventing,
and identifying illicit financial activity.

Further, by having FinCEN and the Federal regulators focus on addressing significant or systemic failures to implement an
effective program rather than addressing isolated, technical, or immaterial implementation issues, FinCEN expects that in
aggregate, financial institutions would have to respond to fewer such enforcement or supervisory actions and may save personnel
time that would otherwise be allocated to unproductive supervisory inquiries.

Specifically for banks, giving FinCEN a greater role in the supervisory process could reduce the possibility for differences
between how FinCEN and the compliance examiners might assess the quality of a bank's program. This would help ensure that
bank regulators are focused on assessing banks' AML/CFT programs for effectiveness rather than mere technical compliance.
Doing so would allow banks to focus their attention and resources on activities that are truer to the nature of their business
and clientele rather than non-meaningful metrics that aim to assess, by proxy, the program-related efforts that cannot be
directly observed.

Additionally, by explicitly allowing (but not requiring) financial institutions to use technological innovation, financial
institutions may be better positioned to incur benefits from being encouraged to use newer methods to identify and thwart
illicit finance activity risks with a broader view to value of doing so.

The proposed rule may result in benefits to certain regulated financial institutions individually. In other instances, groups
of regulated financial institutions may benefit collectively. The proposed program establishment requirement would require
every regulated financial institution to develop risk-based internal policies, procedures, and controls that are reasonably
designed to identify, assess, and document ML/TF risk through risk assessment processes and mitigate those risks consistent
with the risk assessment processes, including by allocating more attention and resources toward higher risks. While some financial
institutions already engage in such practices, the proposed rule would require every financial institution covered under the BSA to undertake such a process. This could enable each affected covered financial
institution to better understand its own ML/TF risks and help it detect threat patterns or trends that could then be incorporated
into its risk assessment processes.

The proposed changes in AML/CFT program requirements may also reduce the distortion in incentives of certain covered financial
institutions that currently benefit disproportionately from the positive externalities of other institutions by more explicitly
limiting their ability to underinvest in their own efforts by requiring them to direct more attention and resources toward
higher-risk customers. While this would result in an incremental change in expenditures to the affected covered financial
institutions, both peer institutions and the affected financial institution may benefit from the change.

FinCEN anticipates that financial institutions would also incur benefits from being better positioned to identify, deter,
and detect illicit financial activity because financial crime not only impacts the public at large, but can also disrupt financial
institutions directly impacted by financial crime or that are used as conduits to facilitate such crimes. Moreover, financial
institutions with ineffective AML/CFT programs are exposed to the risks of criminal, regulatory, and civil investigations;
penalties; and actions, where restrictions to engage in mergers and acquisitions may be applied to certain covered financial
institutions with ineffective AML records. Thus, financial institutions with effective programs could incur tangible benefits
in avoiding litigation costs, investigation costs, and monetary penalties associated with ineffective AML/CFT programs.

Further, as a result of the collective enhancements to a covered financial institution's AMF/CFT program, the institution
itself, or the group of financial institutions to which it belongs, may also experience reputational benefit if they come
to be viewed as better insulated from such disruptions and/or potentially become generally perceived as more reliable or transparent
in their financial services or activities.

b. Regulators and Other Compliance Examiners.

By encouraging regulators and other compliance examiners to focus their efforts on addressing significant or systemic failures
to implement an effective AML/CFT program, rather than addressing isolated, technical, or immaterial implementation issues,
these regulators and examiners may have fewer non-substantive issues to adjudicate with regulated entities, which could potentially
relieve the demand for, and the less productive use of, time and other limited resources. This, in turn, may enable examinations
and other supervisory activities to be more productive by better aligning outcomes with AML/CFT Priorities and objectives. (220)

c. Law Enforcement and National Security Agencies

The proposed rule may also benefit U.S. law enforcement and national security efforts against ML/TF risks by rendering AML/CFT
programs more risk based through proposed requirements such as incorporating risk assessment processes into internal policies,
procedures, and controls and ensuring that AML/CFT programs focus attention and resources on high-risk customers and activities.
These proposed changes would increase the likelihood that the information provided to law enforcement and national security
agencies from AML/CFT programs would be highly useful.

Moreover, under the proposed rule, covered financial institutions would be required to promptly re-establish their AML/CFT
program any time they face a

  significant change in their ML/TF risk. This, along with ensuring they focus attention and resources toward higher-risk customers
  and activities, would allow AML/CFT programs to respond to evolving risks that the financial institutions may face. FinCEN
  anticipates that this risk-focused posture of AML/CFT programs would lead to better information that would enhance U.S. agencies'
  ability to investigate, prosecute, and disrupt financing of terrorism, other transnational security threats, and domestic
  and transnational illicit financial activity.

The proposed rule would also require covered financial institutions to review and, as appropriate, incorporate the AML/CFT
Priorities into their AML/CFT programs. Incorporating the priorities, which have been issued in consultation with various
U.S. and State government agencies, (221) would further equip AML/CFT programs to produce information that is highly useful to law enforcement, particularly with respect
to identified threats to U.S. financial system and national security deemed government-wide priorities. Thus, law enforcement
efforts with respect to these AML/CFT Priorities, such as investigations and prosecutions, data analytics, and policy analysis
and decision making, would benefit.

There is also a corollary benefit from the proposed rule in reducing BSA records and reporting that are not highly useful, since such “not highly useful” records and reports degrade the ability
of law enforcement and national security to efficiently and effectively identify illicit finance activity relevant to their
investigations, prosecutions, and risk assessments.

Additionally, the proposed rule would provide financial institutions with the flexibility to innovate responsibly. In doing
so, law enforcement and national security efforts may reap the benefits of financial institutions' use of technological innovation
to detect and disrupt illicit financial activity.

d. General Public

The proposed rule is additionally expected to benefit the public. FinCEN anticipates that the public benefit would result
from both the potential for a more effective AML/CFT regime to better deter illicit activity and the potential for a better-calibrated
regime to reduce certain low-value activities and unintended social costs. (222) The proposed rule is expected to enhance the deterrent effect of AML/CFT programs and the utility of information such programs
provide to law enforcement and national security agencies, and through these mechanisms, contribute to reduced rates of crime
and enhanced national security, respectively.

While FinCEN expects the proposed rule to enhance the deterrent effect of current AML/CFT programs at covered financial institutions
and facilitate law enforcement and national security agencies in identifying and disrupting or otherwise bringing actions
against illicit activities, it is difficult to estimate how much additional economic loss the proposed requirements would
prevent. FinCEN lacks data that would be necessary to quantify how much money laundering and the financing of terrorism could
be reduced as a result of the proposed rule or how much other illegal activity would be curbed by this reduction in money
laundering and terrorist financing. (223) Money laundering and other illicit financing is related to a wide array of activities including human trafficking, drug trafficking,
terrorism, public corruption, the proliferation of weapons of mass destruction, fraud, and other crimes and illicit activities
that cause substantial monetary and nonmonetary damages, but costs to the public attributable to each typology are not always
measurable, able to be separately estimated, or quantified over the same period of time due to the variation in lags between
when illicit activity occurs and when it is detected or related financial activity occurs. (224)

Nevertheless, certain subcategories of illicit financial activity that frequently have a nexus with ML/TF that are better
identified and studied can help contextualize the significance of its economic effects. For example, the eight percent of
2024 SHED participants described in section X.A.2.i.d above who reported being the victim of financial fraud or a scam involving
their money, but not a credit card, only recovered $21 billion from $84 billion in identified losses, meaning $63 billion
was lost to fraud and scams. If this were the exclusive category of losses that the proposed rule's effectiveness addressed,
then enhanced AML/CFT programs would only need to reduce—whether by greater deterrence and/or an increase in recovery—losses
by a mere two-tenths (0.2) of a percent to generate an economic impact large enough for the proposed rule to be deemed a significant
regulatory action. (225)

Thus despite an inability to precisely quantify the magnitude of anticipated aggregate economic benefit of the proposed rule
to the general public, FinCEN anticipates that by reducing ML/TF risks, and by extension associated illicit activities, the
related economic effects could reasonably be expected to be meaningfully large even if the subset of harms that are quantifiable
are only reduced by very small proportions.

ii. Expected Costs

a. Regulated Financial Institutions

Given the magnitude of expenses incurred annually by financial institutions in efforts to satisfy existing program obligations,
FinCEN estimates that a change in expenditures of as little as one percent would already be economically significant.

FinCEN currently lacks the data necessary to estimate the proportion of covered financial institutions that would establish
and maintain their AML/CFT programs differently as a result of the proposed rule, the manner in which they would do so, and
whether such changes were technically necessary for reasons uniquely attributable to the regulatory changes proposed. (226) Additionally, given (1) the differences in baselines between covered financial institution types; (2) the differences in scope
that must be covered by each of the covered financial institution type's AML/CFT programs; (227) and (3) the extent to which compliance costs can vary within a covered financial institution type based on, for example, a
financial institution's

  size and the level of program sophistication, it is not clear that the aggregate net costs incurred by all affected financial
  institutions as a result of this proposed rule would be distinguishable from zero. [(228)]()

On the one hand, FinCEN cannot definitively conclude that the aggregate annual expenditure level across all categories of
affected financial institutions would be expected to decrease, particularly in the short run. At the same time, FinCEN does
not have a reasonable basis to expect that the proposed rule would necessitate an increase in aggregate costs because of the
flexibility in risk-based resource allocation that it is intended to promote.

Furthermore, there are a number of scenarios in which the proposed rule could achieve its intended deregulatory effects while
facially appearing to increase the burden of program compliance. For example, at the institutional level, a certain financial
institution may be able to reduce per-unit compliance costs, while simultaneously increasing compliance-related expenditures
due to technology-enabled expansion into new products, markets, or lines of business activities.

While projecting or demonstrating the successful deregulatory outcomes of the proposed rule may prove challenging, if even
possible, using traditional accounting metrics, FinCEN expects that, to the extent that financial institutions make use of
the opportunities afforded by the new effectiveness framework embedded in the rule, they should unequivocally incur the same
or lower costs per unit of effective compliance. Expending greater financial outlays per unit of effective compliance would
be fundamentally at odds with the proposed requirement for risk assessment processes to inform the development of internal
policies, procedures and controls that mitigate risk by directing attention and resources toward higher-risk customers and
activities. (229)

b. Government Costs

To implement the proposed rule, FinCEN expects to incur certain operating costs that would include approximately $2.8 million
prior to the final rule's effective date, $6.2 million in the first effective year of the final rule, and approximately $7.5
million in the average subsequent year. These estimates include anticipated expenses related to stakeholder outreach and informational
support, compliance monitoring, and potential enforcement activities as well as certain incremental increases to pre-existing
administrative and logistic expenses.

FinCEN acknowledges that this treatment of cost estimates implicitly assumes that increased resources commensurate with any
novel operating costs would exist. If this assumption does not hold, then operating costs associated with a rule may impose
certain economic costs on the public in the form of opportunity costs from the agency's forgone alternative activities and
those activities' attendant benefits. Putting that into the context of this proposed rule, and benchmarking against FinCEN's
actual appropriated budget for fiscal year 2025 ($190,193,000), (230) the corresponding opportunity cost could resemble forgoing up to 3.2 percent (4.0 percent) of current activities annually
in the first year (each subsequent year) in which a final rule was effective. However, to the extent that activities FinCEN
would undertake as a function of the proposed rule would functionally substitute for or otherwise replace forgone activities,
such an estimate likely overstates the potential economic costs to FinCEN and, consequently, the public.

FinCEN notes that these estimates do not include the potential costs borne by other regulators or entities engaged in informational
outreach, examinations (such as those by SROs), or related enforcement activities as a consequence of the proposed rule. These
estimates also do not include considered costs to the Agencies that may accrue in connection with the proposed new consultation
requirements. FinCEN acknowledges that, as such, the cost estimates here would understate the burden of activities required
to promote compliance with the rules, as proposed, and the full scope of government costs.

c. Clients or Customers of Covered Financial Institutions

FinCEN is mindful of concerns certain parties have long expressed regarding the potential for unintended effects, or other
indirect costs, that can accompany an AML/CFT program inappropriately tailored to a financial institution's true risk profile
and that are borne by its current and potential clients or customers. These include concerns about both (1) the risk of increased
inequities in access to financial services (or other consequences of overbroad de-risking strategies), which, if not prohibitive,
can make it more expensive and less efficient for affected persons to conduct financial transactions, and (2) the potential
for inequalities in report filing on the basis of characteristics unrelated (or insufficiently related) to the underlying
nature of risk reported, which may impose other types of indirect costs.

FinCEN's general expectation is that the advancements in this proposed rule toward more effective programs would generally
reduce, not increase, such burdens and costs to otherwise affected persons and reduce the likelihood that they may continue
to face unduly limited—or a complete absence of—access to the services of various financial institutions. This is because
FinCEN expects that, in complying with changes in the proposed rule, if adopted, financial institutions would be more empowered
to provide services in a manner that is more appropriately tailored to their respective risk profiles (as identified by their
risk assessment processes) and would be required to direct more attention and resources toward higher-risk customers and activities
rather than lower-risk ones, including via the adoption of technological innovations that could improve the calibration of
reporting processes. Thus, by reducing those institutions' prior disincentives to provide underserved communities with more
efficient levels of services and access to the U.S. financial system, FinCEN expects that the proposed rule may reduce the
costs of previously forgone economic activity as well as additional indirect costs persons might have incurred from previously
calibrated reporting mechanisms.

5. Consideration of Policy Alternatives

FinCEN has considered several alternatives, in part or whole, to the currently proposed version of the rule, but is limiting
the presentation here to considerations where public response may be most useful. The alternatives described below are scenarios
that may have resulted in reduced burdens for certain affected financial institutions but would do so at the expense of forgone
benefits or efficiency gains. For the reasons described below, FinCEN decided not to propose any of these alternatives. FinCEN
invites comment on these alternatives, and on any other

  alternatives that were not considered here. [(231)]()

i. Alternatives Proposing Regulatory Definitions

The proposed rule reflects FinCEN's view that because financial institutions know their customers, businesses, and risks better
than their regulators and the government, they are best positioned to identify and evaluate their ML/TF risks. However, in
response to previous rulemaking efforts, comments from the public have indicated that allocating resources can be challenging
if there is regulatory ambiguity or if examiner expectations are unclear or inconsistent. One way to alleviate such uncertainties
and/or ambiguities could have been to promulgate more specific and prescriptive definitions for certain key terms/phrases
fundamental to the design and operation of highly productive, value-creating AML/CFT programs. FinCEN considered alternatives
that would have taken that approach with respect to the various phrases discussed in greater detail below, but ultimately
determined such approaches were less desirable than those in the proposed rule. FinCEN includes the reasoning that informed
its determinations here for review so that commenters may respond with information, data, studies, or other evidence that
may have altered FinCEN's rank ordering of policies by perceived optimality.

Instead of proposing a two-prong, conceptual framework approach to define an “effective” AML/CFT program, FinCEN could have
proposed a more prescriptive, attribute- or component-based definition. This approach, by leaving less to the facts and circumstances
of a particular financial institution, would have reduced the uncertainty about regulatory and/or examiner expectations, potentially
giving the institution greater ability to allocate resources in a cost-effective manner given the certainty about what criteria
the program would need to meet to be considered operationally effective.

While FinCEN considered this potential for enhanced efficiency as a result of the greater clarity a more prescriptive, attribute-
or component-based definition of effective would provide, the agency also weighed the potential benefits of this approach
against certain concerns. One concern was that by being more prescriptive, an alternative definition of effective may leave
less flexibility for an AML/CFT program to be tailored based on a financial institution's size, activities, or other characteristics.
Another concern was that, while engendering some planning and design efficiencies, a more prescriptive definition may exacerbate
other, and potentially more consequential, inefficiencies, costs, and potential harms related to one-size-fits-all or “paper”
programs. For these reasons, among others, FinCEN concluded that the proposed two-prong framework approach would strike a
more appropriate balance between anticipated benefits and costs.

ii. Adopting the 2024 Program NPRM

Instead of the proposed rule, FinCEN alternatively could have chosen to promulgate a final rule that in part, or as a whole,
would have adopted the requirements proposed in the 2024 Program NPRM, described above in section II.C.1. For a number of
reasons, including certain concerns also expressed by commenters, (232) FinCEN considered that the formulation of program amendments proposed in this NPRM is likely to strike a more appropriate
balance of benefits to costs.

In particular, the relationship envisioned between a financial institution's risk assessment process(es) and the allocation
of attention and resources in this proposed rule is expected to more efficiently connect business intelligence and program
execution. The proposed program requirements with respect to internal policies, procedures, and controls, expressly enable
the mechanisms that transform business-operations-specific data into information about a financial institution's ML/TF risks
to guide the architecture and resource allocation of that institution's AML/CFT program. This informed tailoring, in turn,
is rewarded (and hence better incentivized) by the protections a properly established program would afford.

The proposed rule also improves upon the likelihood of the prior proposal to incentivize dynamic program developments that
are aligned with evolving AML/CFT Priorities. This is expected to be the case because, unlike the 2024 Program NPRM, the proposed
rule proffers an evaluative framework of effectiveness that would better insulate a financial institution from supervisory
or enforcements actions that may otherwise unduly penalize innovation and/or customization that FinCEN would welcome but whose
value a supervisory evaluator may not be as well-positioned to appreciate.

iii. Alternatives Delaying the Effective Date

As set forth in section VI, FinCEN is proposing that the rule's effective date be 12 months following the publication of the
final rule. Because of comments received in response to the 2024 Program NPRM, FinCEN considered whether providing any additional
periods of time to some or all expected affected financial institutions would facilitate a more efficient transition to practices
in conformance with the new requirements. (233) While the scope and nature of the anticipated changes to current practices differs substantially between NPRMs, the economic
and practical realities of any financial institution that perceived a need to make non-trivial adjustments to its current
program structure or activities likely do not.

a. An Additional Delay in Effective Date of Six Months for All Financial Institutions

One option FinCEN considered was an additional delay in the effective date of the final rule by six months for all covered
financial institutions. This might allow financial institutions making substantive changes to their AML/CFT programs to better
optimize while doing so, if, for instance, financing for new investments would need to be procured or budgets would need to
be redrawn and reapproved. It would also ensure a more effective transition, if, for instance, additional systems testing
before deployment significantly improved the security or quality of a newly established (or re-established) AML/CFT program
as a whole or one of its internal or risk assessment process(es). The relative merits of this contemplated delay are expected
to correlate with the proportion of the population anticipated to undertake program establishment or re-establishment-like
actions. That is, this alternative would be considered more valuable if a greater proportion of regulated financial institutions
were expected to make substantive changes than the proportion that may simply reallocate existing personnel and allotted budgets.

Because FinCEN expects that more financial institutions are likely to reallocate existing budgets and resources than newly
undertake

  substantive, costly activities in response to the proposed rule, FinCEN considers the cost of further delays to regulatory
  implementation insufficiently offset by the incremental value of an additional six months to the relatively smaller portion
  of the population that might benefit from the delay.

b. An Additional Delay in Effective Date of 12 Months for Small Entities as Defined by the RFA

Another option FinCEN considered was an additional delay in effective date of the final rule by 12 months for only small entities
as defined by the RFA. FinCEN considered that this option might be beneficial to small entities that may require more time
to effectuate programmatic updates. Small entities may rely more than non-small entities on personnel in-house to conduct
certain activities manually and may outsource technology functions and/or training to third parties more frequently or pervasively
than non-small entities. Thus, they may need to take more steps to modify their AML/CFT programs, including, for example,
renegotiating certain third-party services in light of the need for programs to be demonstrably tailored to the unique ML/TF
risks of a given financial institution. At the same time, the proposed rule would allow for AML/CFT programs to be better
tailored to the characteristics of the financial institution, including size. In practice, this may imply that many smaller
entities would not need to undertake significant or costly changes and may even be able to reduce certain expenditures of
resources in connection with ML/TF risks that are less relevant or germane to the small business's operations. On balance,
it was not clear to FinCEN which effect would dominate—the potentially greater costs to a small entity of regulatory transition,
which would weigh in favor of a delayed effective date, versus the potential for the transition to relieve burden and reduce
costs, which would weigh against any delay—therefore FinCEN did not opt to pursue a small entity-specific timing accommodation.

c. A Hybrid Delay of 12 Months for Small Entities and Six Months for All Other Covered Financial Institutions

As a third option, FinCEN considered proposing an alternative effective date of 24 months following the adoption of the final
rule for small covered financial institutions (234) and 18 months for the remaining covered financial institutions. This alternative would allow for an additional 12 months for
the small covered financial institutions and an additional six months for the remaining covered financial institutions to
transition to compliance with the final rule as adopted than what is being proposed.

FinCEN is not proposing to adopt this combined, graduated approach at this time for the same reasons that it declined to adopt
either the general or small entity-specific timing accommodations separately.

B. E.O.s 12866, 13563, and 14192

E.O. 12866 and E.O. 13563 direct agencies to assess the benefits and costs of available regulatory alternatives and, if regulation
is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and
public health and safety effects; distributive impacts; and equity). E.O. 13563 emphasizes the importance of quantifying both
benefits and costs, reducing costs, harmonizing rules, and promoting flexibility. E.O. 13563 also recognizes that some benefits
are difficult to quantify and provides that, where appropriate and permitted by law, agencies may consider and discuss qualitatively
values that are difficult or impossible to quantify. (235)

This proposed rule was deemed “Economically Significant” by the Office of Information and Regulatory Affairs under E.O. 12866,
section 3(f)(1). Per E.O. 12866, section 6(a)(3)(C), if a regulatory action is expected to result in a rule that would have
an annual effect on the economy equal to or greater than $100 million, (236) an RIA is required. Accordingly, the foregoing analysis was conducted because it is expected to result in effects beyond this
threshold.

When final, however, this action is not expected to be an E.O. 14192 regulatory action because the net change in aggregate
costs attributable to the proposed rule is not expected to be easily distinguishable from zero.

C. Initial Regulatory Flexibility Analysis

When an agency issues a rulemaking proposal, the RFA requires the agency to either provide an IRFA or certify that the proposed
rule would not have a significant economic impact on a substantial number of small entities. (237) Because the proposed rule may have a significant economic impact on a substantial number of small entities in certain affected
industries, FinCEN undertook the following analysis. In the event that FinCEN has potentially overestimated the anticipated
significance of the economic impact of the proposed rule, and certification would instead be more appropriate, comments to
this effect—including studies, data, or other evidence—are invited. (238)

1. The Proposed Rule: Objectives, Description, and Legal Basis

The proposed rule would require covered financial institutions to establish and maintain effective AML/CFT programs, while
amending FinCEN's regulations that prescribe the minimum requirements for AML/CFT programs. The proposed rule would also provide
FinCEN with a greater role in the bank supervisory process by requiring that the Agencies, when acting under supervisory authority
delegated by FinCEN, consult with FinCEN prior to taking a significant AML/CFT supervisory action.

By explicitly defining the requirements for an institution to establish and maintain an effective AML/CFT program and by standardizing
the AML/CFT supervision and enforcement process for banks and their Federal banking regulators, the proposed rule is expected
to better achieve the purposes of the BSA and improve outcomes for financial institutions and law enforcement and national
security agencies.

The legal basis for the proposed rule is the AML Act. The purposes of the AML Act, among others, include to “modernize anti-money
laundering and counter the financing of terrorism laws to adapt the government and private sector response to new and emerging
threats;” “to encourage technological innovation and the adoption of new technology by financial institutions to more effectively
counter money laundering and the financing of terrorism;” and “to reinforce that the anti-money laundering and countering
the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based” (239) as part of the broader initiative to “strengthen, modernize, and improve” the U.S. AML/CFT regime.

Specifically, section 6101(b)(2)(B)(ii) of the AML Act amended the BSA to require Treasury, when prescribing minimum standards
for AML/CFT

  programs, to take into account that AML/CFT programs should be “reasonably designed to assure and monitor compliance with
  the BSA and its implementing regulations and be risk based.” [(240)]() FinCEN intends for this proposed rule to meet these objectives by clarifying that covered financial institutions would need
  to establish and maintain effective AML/CFT programs such that they yield useful outcomes that support the purposes of the
  BSA.

In addition, with this proposed rule, FinCEN is addressing its first AML/CFT Priorities. FinCEN published the first AML/CFT
Priorities on June 30, 2021, as required under 31 U.S.C. 5318(h)(4)(A). In the proposed rule, FinCEN is proposing to add a
new definition of “AML/CFT priorities” at 31 CFR 1010.100(nnn) to support the promulgation of regulations pursuant to 31 U.S.C.
5318(h)(4)(D). According to the proposed definition, “AML/CFT priorities” would refer to the most recent statement of Anti-Money
Laundering and Counting the Financing of Terrorism National Priorities issued pursuant to 31 U.S.C. 5318(h)(4).

2. The Expected Impact on Small Entities

FinCEN estimates that 98 percent of the financial institutions that would be subject to the proposed rule meet the RFA's definitional
criteria for a “small entity” in their respective industry. (241) Table 7 presents the relative size distribution by category of financial institution. (242)

| Financial institution type | Number of
financial
institutions a | Estimated
percentage of small entities (%) |
| --- | --- | --- |
| Banks with an FFR: | | |
| FDIC | 2,738 | b 75.4 |
| FRB | 703 | c 62.6 |
| NCUA | 4,287 | d 58.6 |
| OCC | 895 | e 68.0 |
| Banks without an FFR | 365 | f 99.7 |
| Casinos | 1,299 | g 68.5 |
| Principal MSBs | 24,856 | h 95.0 |
| Agent MSBs | 307,212 | i 100.0 |
| Broker-Dealers | 3,278 | j 38.9 |
| Mutual Funds | 1,355 | k 94.0 |
| Insurance Companies | 717 | l 81.2 |
| FCMs and IBCs | 954 | m 93.7 |
| DPMSJs | 6,742 | n 99.8 |
| Operators of Credit Card Systems | 4 | ° 0 |
| Loan or Finance Companies | 13,342 | p 93.5 |
| Housing GSEs | 13 | q 0 |
| Total | 368,760 | 97.9 |
| a See supra table 1. | | |
| b Based on consultation with FDIC staff, using FFIEC Reports on Condition and Income (Call Reports) data as of September 30,
2025. FinCEN estimated the percentage of small entities by dividing FDIC's estimated number of small entities (2,064) by the
estimated number of FDIC-regulated banks (2,738). | | |
| c Based on consultation with FRB staff. FinCEN estimated the percentage of small entities by dividing FRB's estimated number
of small entities (440) by the estimated number of FRB-regulated banks (703). | | |
| d Based on consultation with NCUA staff. The NCUA estimated that 2,514 of 4,287 federally insured credit unions met their operational
definition of small, which requires that a credit union have less than $100 million in assets. | | |
| e Based on consultation with OCC staff. The OCC estimates the number of small entities based on the SBA's size thresholds for
commercial banks and savings institutions, and trust companies, which are $850 million and $47 million, respectively. Consistent
with the General Principles of Affiliation at 13 CFR 121.103(a), the OCC counted the assets of affiliated financial institutions
when determining if it should classify an OCC-supervised institution as a small entity. The OCC used data as of December 31,
2024, to determine size because a “financial institution's assets are determined by averaging the assets reported on its four
quarterly financial statements for the preceding year.” See footnote 8 of the SBA, Table of Small Business Size Standards (Mar. 17, 2023), https://www.sba.gov/document/support-table-size-standards. FinCEN estimated the percentage of small entities by dividing the OCC's estimated number of small entities (609) by the estimated
number of OCC-regulated banks (895). | | |
| f To FinCEN's knowledge, only one bank without an FFR exceeds the $850 million threshold criteria for small. | | |
| g The SBA thresholds for a small business in this category (NAICS codes 713210 and 713290) are $34 million and $40 million,
respectively. The 2022 SUSB data on the number of firms by receipts size indicate that 97 out of the 198 firms that received
over $1 million in annual receipts in NAICS code 713210 received between $1 million and $35 million in annual receipts, and
674 out of the 766 firms that received over $1 million in annual receipts in NAICS code 713290 received between $1 million
and $40 million in annual receipts. This results in an average of 68.5 percent. | | |
| h The SBA thresholds for a small business in this category (NAICS codes 522320 and 522390) are $47 million and $28.5 million,
respectively. The 2022 SUSB data indicate that 3,357 out of 3,532 firms in NAICS code 522320 received under $50 million in
annual receipts and 2,844 out of 2,977 firms in NAICS code 522390 received under $30 million in annual receipts. This results
in an average of 95.0 percent. This estimate differs from alternatively using the current SEC small entity standards in rulemakings
involving mutual funds. See 17 CFR 270.0-10. The SEC has proposed to amend this standard. See SEC, “Small Business” and “Small Organization” Definitions for Investment Companies and Investment Advisers for Purposes of the
Regulatory Flexibility Act, 91 FR 1107 (Jan. 12, 2026). | | |
| i This estimate is based on the assumption that all agent MSBs are small entities. | | |
| j The SEC defines a small entity as a broker-dealer that had total capital of less than $500,000 on the date in the prior fiscal
year as of which its audited financial statements were prepared or, if not required to file such statements, a broker-dealer
that has total capital of less than $500,000 on the last business day of the preceding fiscal year. 12 CFR 240.0-10(c). FinCEN
estimated the percentage of small entities by dividing the SEC's estimated number of small entities (1,275), which was submitted
to the Office of Information and Regulatory Affairs on January 23, 2026 as part of SEC's PRA information collection for the
renewal of 17 CFR 240.15b1-1 (Rule 15b1-1) by the estimated number of broker-dealers (3,278). See SEC, Application for Registration of Brokers or Dealers, https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=202509-3235-012&icID=193354. | | |
| k The SBA threshold for a small business in this category (NAICS code 525910) is $40 million in annual receipts. According to
the 2022 SUSB data, 313 out of 333 firms received under $50 million in annual receipts. This estimate differs from alternatively
using the current SEC small entity standards in rulemakings involving mutual funds. See 17 CFR 270.0-10. The SEC has proposed to amend this standard. See SEC, “Small Business” and “Small Organization” Definitions for Investment Companies and Investment Advisers for Purposes of the
Regulatory Flexibility Act, 91 FR 1107 (Jan. 12, 2026). | | |
| l The SBA threshold for a small business in this category (NAICS code 524113) is $47 million in annual receipts. According to
the 2022 SUSB data, 739 out of 910 firms received under $50 million in annual receipts. | | |
| m The SBA threshold for small businesses in this category (NAICS codes 523130 and 523140) is $47 million. According to the 2022
SUSB data, 565 out of 614 firms in NAICS 523130 and 699 out of 733 firms in NAICS 523140 received under $50 million in annual
receipts. This results in an average of 93.7 percent. | | |
| n The SBA threshold for a small business in this category (NAICS code 423940) is 125 employees. According to the 2022 SUSB data,
6,726 out of 6,742 firms had fewer than 500 employees. | | |
| o This estimate is based on FinCEN's assessment that no entities in this category would qualify as a small entity. | | |
| p The SBA thresholds for a small business in this category (NAICS codes 522292 and 522310) are $47 million and $15 million,
respectively. According to the 2022 SUSB data, 3,307 out of 3,711 firms in NAICS code 522292 received under $50 million in
annual receipts and 9,428 out of 9,631 in NAICS code 522310 received under $15 million in annual receipts. This results in
an average of 93.5 percent. | | |
| q This estimate is based on FinCEN's assessment that no entities in this category would qualify as a small entity. | | |
FinCEN anticipates that the proposed rule may have a significant economic impact on a substantial number of certain types
of affected small entities. The proposed changes to the program rules would require small entities to more effectively tailor
their program to their risk profiles. However, as a threshold matter, the proposed rule is not expected to have the effect
of imposing substantial, new requirements on small entities that currently maintain effective AML/CFT programs. Some small
entities may initially expend time or other resources to familiarize themselves with the rule's requirements, make a determination
about whether any programmatic changes are necessary for their respective institutions, and make any needed changes. FinCEN
acknowledges some uncertainty regarding costs to small entities and requests comment on the share of small entities that would
incur costs as a result of the proposed changes and information on the magnitude of expected costs. (243)

In the agency's experience, a number of industry trade groups often prepare and disseminate informational materials to their
members to promote and facilitate best practices in regulatory compliance, and FinCEN itself both (1) has routinely publishes
substantial amounts of supporting informational materials in connection with its rulemakings and (2) responds to public inquiries
and informational requests submitted online. To the extent that a small entity would voluntarily retain the services of an
external consultant or newly decide to implement costly changes to its current AML/CFT program, FinCEN anticipates that these
activities would be undertaken because the entity believed the benefits of doing so would outweigh the upfront costs.

Additionally, FinCEN expects that small entities would benefit over the long term. (244) Small entities would be able to avoid expenditures on low-impact activities and redirect those resources toward activities
that yield greater returns in terms of program effectiveness. Small entities would further benefit from having a more effective
program, for example, by reducing the likelihood of costly negative consequences that could stem from having an ineffective
program (e.g., AML/CFT supervisory and enforcement actions and litigation and investigation costs), while strengthening their overall reputation.
In addition, individual small entities would benefit from the positive externalities created when other covered financial
institutions concurrently establish and maintain more effective AML/CFT programs, for example, by being able to better understand
their own ML/TF risks and detect threat patterns or trends.

3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative Requirements

FinCEN is unaware of any existing Federal regulations that would overlap or conflict with the proposed rule. (245)

As discussed in greater detail in section X.A.5, FinCEN considered proposing a delayed effective date for smaller entities
that would provide an additional 12 months to come into compliance with the final rule. FinCEN is not proposing to this additional
time accommodation because it is unclear that the delay is necessary given the nature of the changes proposed. Small entities
are invited to provide comment, including quantitative or qualitative evidence about the cost impact of the rule and the benefit
they anticipate from a size-based delay to the effective date of a final rule. (246)

D. Unfunded Mandates Reform Act

Section 202 of the UMRA requires that an agency prepare a budgetary impact statement before promulgating a rule that may result
in expenditures by State, local, and Tribal governments, in the aggregate, or by the private sector, of $193 million or more
in any one year ($100 million in 1995, adjusted for inflation). (247 248) If a budgetary impact statement is required, section 202 of the UMRA also requires an agency to identify and consider a reasonable
number of regulatory alternatives before promulgating a rule.

As discussed in section X.A.4, FinCEN does not anticipate that the proposed rule would result in novel incremental aggregate
expenditures by State, local, and Tribal governments, or by the private sector of $193 million or

  more in any one year. Accordingly, FinCEN does not believe a budgetary impact statement or a consideration of regulatory alternatives
  would be required for UMRA purposes. Nevertheless, were these items to be required, FinCEN believes the section X analysis
  in its totality, including the consideration of alternatives presented in section X.A.5, would satisfy the analytical requirements
  by incorporation as permitted by UMRA. [(249)]()

Members of the public who have reason to believe FinCEN has erred in its UMRA analysis, such as the possession of facts, data,
studies, or anecdotal or other qualitative information that would cause FinCEN to reconsider its analytical conclusions, are
invited to provide comment. (250)

E. Paperwork Reduction Act

The recordkeeping requirements in the proposed rule, which qualify as “collections of information” under the PRA, will be
submitted to OMB for review in accordance with the PRA. (251) Under the PRA, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information
unless it displays a valid control number assigned by OMB. (252) Written comments and recommendations for the proposed information collection can be submitted by visiting https://www.reginfo.gov/public/do/PRAMain. Find this particular document by selecting “Currently Under Review—Open for Public Comments” or by using the search function.
Comments are welcome and must be received by June 9, 2026.

In accordance with requirements of the PRA, 44 U.S.C. 3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the
following information concerns the collection of information as it relates to the amendments to covered financial institutions'
AML/CFT program regulations.

1. Description of Affected Financial Institutions and OMB Control Numbers

OMB Control Number(s): 1506-0020, 1506-0030, 1506-0035, and 1506-0051.

FinCEN has historically accounted for the existing reporting and recordkeeping burdens associated with the program rules using
the following OMB control numbers: 1506-0020 (MSBs, mutual funds, and operators of credit card systems); 1506-0030 (DPMSJs);
1506-0035 (insurance companies, loan or finance companies, and banks lacking an FFR); and 1506-0051 (casinos). FinCEN does
not maintain existing OMB control numbers for the program rule requirements for banks, (253) broker-dealers, FCMs or IBCs, (254) or housing GSEs. (255)

This scoping of the population for purposes of PRA estimates avoids double counting the recordkeeping burdens of the proposed
rule for entities regulated by the Agencies. The accounting of burden estimates for OMB purposes, when aggregated across the
relevant control numbers, should be generally comparable for the common program-related components considered in both this
and the Agencies' respective exercises to the extent that the same assumptions about incremental burden apply.

Table 8 presents the same population estimates from the baseline analysis but appends the respective agency's OMB control
numbers to illustrate the differences in aggregate estimates that are attributable to the inclusion or exclusion of covered
financial institutions accounted for under another agency's control numbers or unassigned to a control number. This is followed
by table 9, which includes only the covered financial institutions whose burdens are included in this PRA analysis, grouped
by their respective control numbers.

| Covered financial institution type | a Number of financial
institutions | Agency OMB
control No. |
| --- | --- | --- |
| Banks with an FFR: | | |
| FDIC | 2,738 | FDIC 3064-0087 |
| FRB | 703 | FRB 7100-0310 |
| NCUA | 4,287 | NCUA 3133-0108 |
| OCC | 895 | OCC 1557-0180 |
| Banks without an FFR | 365 | FinCEN 1506-0035 |
| Casinos | 1,299 | FinCEN 1506-0051 |
| Principal MSBs | 24,856 | FinCEN 1506-0020 |
| Agent MSBs | 307,212 | FinCEN 1506-0020 |
| Broker-Dealers | 3,278 | N/A |
| Mutual Funds | 1,355 | FinCEN 1506-0020 |
| Insurance Companies | 717 | FinCEN 1506-0035 |
| FCMs and IBCs | 954 | N/A |
| DPMSJs | 6,742 | FinCEN 1506-0030 |
| Operators of Credit Card Systems | 4 | FinCEN 1506-0020 |
| Loan or Finance Companies | 13,342 | FinCEN 1506-0035 |
| Housing GSEs | 13 | N/A |
| Total | 368,760 | |
| a See supra table 1. | | |

| Covered financial institution type | Number of
financial

           institutions  
           a  | Affected financial institution types by activity  | | | FinCEN OMB Control No.  |

| --- | --- | --- | --- | | |
| 31 CFR 1021.210(2)(b)(vi) | CDD b | Program

           approval c |  |  |  |

| Principal MSBs | 24,856 | | | ✓ | 1506-0020 |
| Agent MSBs d | 307,212 | | | | |
| Mutual Funds | 1,355 | | ✓ | | |
| Operators of Credit Card Systems | 4 | | | ✓ | |
| DPMSJs | 6,742 | | | ✓ | 1506-0030 |
| Banks without an FFR | 365 | | ✓ | | 1506-0035 |
| Insurance Companies | 717 | | | ✓ | |
| Loan or Finance Companies | 13,342 | | | ✓ | |
| Casinos | 1,299 | ✓ | | ✓ | 1506-0051 |
| Total | 355,892 | 1,299 | 1,720 | 46,960 | |
| a See supra table 1. | | | | | |
| b See supra table 3. | | | | | |
| c See supra table 4. | | | | | |
| d FinCEN assumes that the activities associated with program approval would be operationalized at the principal-MSB level.
Therefore, FinCEN does not estimate PRA burden for the agent MSB population associated with program approval. FinCEN requests
comment on whether this is a reasonable assumption. See infra section X.F #20. | | | | | |

2. Estimated Annual Burden

Table 10 presents the burden hours and labor costs associated with features of current market practices pertaining to BSA
compliance as previously published for public comment by FinCEN, (256) which is responsible for reporting the PRA burdens for eight of the 11 covered financial institution types. (257) FinCEN estimated that these covered financial institutions incur the same per-entity hourly burden for certain program requirements
(e.g., maintaining and updating the written AML program, storing the program, or producing the program upon request). However, only
certain covered financial institution types incur or have previously been assigned pro forma PRA costs associated with program
requirements such as obtaining board of director or trustee approval of the AML program; obtaining, verifying, and storing
cardholder identifying information; and ongoing compliance with the requirements in 31 CFR 1021.210(b)(2)(v) and (vi). Thus,
the total burden associated with BSA compliance can vary significantly across covered financial institution types. (258)

| OMB Control No. | Covered financial institution type | Number of
financial
institutions | Total burden hours per program requirement | | | | | | Total |
| --- | --- | --- | --- | --- | | | | | |
| A. Maintaining and updating written AML program | B. Storing the written AML program | C. Producing the AML program upon request | D. Board of Directors/
Trustees approval of the AML program | E. Obtaining, verifying, and
storing cardholder identifying information | F. Ongoing
compliance with the requirements in 31 CFR 1021.210(b) (2)(v) and (vi) | | | | |
| 1506-0020 | Principal MSBs—Providers and Sellers of Prepaid Access | 2,605 | 2,605 | 217 | 217 | | 86,667 | | 89,706 |
| | Principal MSBs—Others | 24,895 | 24,895 | 2,075 | 2,075 | | | | 29,044 |
| | Agent MSBs | 229,161 | | 19,097 | 19,097 | | | | 38,194 |
| | Mutual Funds | 1,400 | 1,400 | 117 | 117 | 1,400 | | | 3,033 |
| | Operators of Credit Card Systems | 4 | 4 | 0.3 | 0.3 | | | | 5 |
| 1506-0030 | DPMSJs | 6,700 | 6,700 | 558 | 558 | | | | 7,817 |
| 1506-0035 | Banks without an FFR | 600 | 600 | 50 | 50 | 600 | | | 1,300 |
| | Insurance Companies | 4,678 | 4,678 | 390 | 390 | | | | 5,458 |
| | Loan or Finance Companies | 13,000 | 13,000 | 1,083 | 1,083 | | | | 15,167 |
| 1506-0051 | Casinos | 1,277 | 1,277 | 106 | 106 | | | 126,423 | 127,913 |
| Total Burden Hours | | 284,320 | 55,159 | 23,693 | 23,693 | 2,000 | 86,667 | 126,423 | 317,635 |
| Total Labor Cost | | | $5,863,402 | $2,518,601 | $2,518,601 | $212,600 | $9,212,667 | $13,438,765 | $33,764,636 |
As discussed in section X.A.4.ii, FinCEN does not expect this proposed rule to impose any new incremental burden on the covered
financial institutions. Consequently, FinCEN does not expect that this proposed rule would result in any new incremental PRA
recordkeeping burden. Still, in this analysis, in response to the proposed removal of the language associated with 31 CFR
1021.210(b)(2)(vi), which is unique to the casino AML program regulations, FinCEN proposes to remove a de minimis burden that is currently associated with that activity. In addition, FinCEN introduces new pro forma accounting estimates
that reflect administrative updates to more accurately represent the activity currently undertaken by covered financial institutions
to comply with CDD and program approval requirements. FinCEN discusses these administrative changes to the PRA recordkeeping
burdens in more detail below. (259)

Administrative Changes in PRA Recordkeeping Burden Due to the Proposed Removal of 31 CFR 1021.210(b)(2)(vi)

The rule proposes to remove the language in 31 CFR 1021.210(b)(2) (vi), which requires casinos that have automated data processing
systems to provide for the use of automated programs to aid in assuring compliance in their compliance program. (260) In the most recent renewal, FinCEN has estimated that the annual burden per casino associated with this provision was de minimis; (261) thus, given the proposed changes, FinCEN is revising the associated annual burden for this component of program requirements
per casino to 0 hours.

Administrative Changes in PRA Recordkeeping Burden Due to Reorganizing CDD Requirements Under Internal Policies, Procedures,

and Controls

The rule also proposes to make ongoing CDD obligations part of the requirement that covered financial institutions establish
risk-based internal policies, procedures, and controls that are reasonably designed. The organizational change more accurately
reflects how covered financial institutions integrate the design and operationalization of ongoing CDD as part of their overall
AML programs.

As discussed in section V.D.1.iii, certain financial institution types are required to conduct ongoing CDD, such as monitoring
customer relationships and maintaining and updating customer information on a risk basis, though this burden has never been
articulated in FinCEN's previous OMB renewals. Upon review, FinCEN has determined that this omission was likely due to a clerical
oversight at the time that the original CDD rule was finalized in 2016 and in subsequent rulemakings that would apply AML/CFT
program obligations on new categories of financial institution, has typically proposed to include the program elements of
ongoing CDD requirements as an itemized cost. (262) Therefore, to harmonize PRA accounting practices and to more accurately reflect the burden associated with including ongoing
CDD program obligations as part of a covered financial institution's necessary activities to establish risk-based internal
policies, procedures, and controls that are reasonably designed, FinCEN is incorporating a new pro forma average annual burden
of 50 hours to the existing burden of certain OMB control numbers covered by the rulemaking, where applicable. These burdens
and costs reflect administrative updates that are being introduced to more accurately represent the activity currently undertaken
by covered financial institutions to comply with program requirements. These PRA estimates do not represent, and should not
be interpreted to reflect, novel incremental costs attributable to the proposed rule.

Administrative Changes in PRA Recordkeeping Burden Associated With Proposed Standardization of the Program Approval Requirement

The proposed rule would also require a financial institution's board of directors, equivalent governing body within the financial
institution, or appropriate senior management to approve each covered financial institution's written AML/CFT program. As
discussed in section V.E.2 and presented in table 4, casinos and MSBs do not have explicit requirements to have their programs
approved. Still FinCEN expects that the programs of these financial institutions must also be approved as a matter of best
practice. Other financial institution types, including insurance companies, DPMSJs, operators of credit card systems, loan
or finance companies, and housing GSEs, must currently obtain senior management-level approval for their programs. For consistency
across all the covered financial institution types, FinCEN will include a one-hour pro forma average annual burden for all
financial institutions covered under FinCEN's OMB control numbers to obtain approval of their program that do not currently
have a PRA burden associated with program approval. Again, these PRA estimates do not represent, and should not be interpreted
to reflect, novel incremental costs attributable to the proposed rule.

Estimated Number of Respondents: 48,680 financial institutions. (263)

As discussed above, FinCEN would make the following administrative changes to the PRA recordkeeping burdens in response to
the proposed changes: (1) removing the de minimis burden incurred by casinos associated with the 31 CFR 1021.210(b)(2)(vi) requirement, (2) newly articulating the pro forma
average annual 50-hour burden that banks without an FFR and mutual funds already incur associated with CDD obligations, and
(3) newly articulating a pro forma average annual one-hour burden associated with program approval for financial institution
types that do not already have PRA burden associated with that activity.

As presented in table 11, FinCEN estimates on average, these activities

  result in an average annual burden of approximately 132,960 hours.

| Activity | Number of

           respondents a | Hours per 
           respondent | Total burden hours |

| --- | --- | --- | --- |
| Removal of 31 CFR 1021.210(b)(2)(vi) | 1,299 | 0 | 0 |
| CDD—General Program | 1,720 | 50 | 86,000 |
| Program Approval | 46,960 | 1 | 46,960 |
| Total | 48,680 | | 132,960 |
| a See supra table 9. | | | |

3. Estimated Annual Cost

FinCEN estimates that the 132,960 burden hours associated with these activities would result in an average annual pro forma
cost adjustment of approximately $16.6 million. (264)

4. Summary of Burden and Cost Estimates

Estimated Number of Respondents: 48,680 financial institutions.

Estimated Aggregate Pro Forma Annual Burden: Approximately 132,960 hours.

Estimated Aggregate Pro Forma Annual Cost: Approximately $16,564,157. (265)

5. General Request for Comments under the Paperwork Reduction Act

FinCEN invites comments on: (1) whether the collection of information is necessary for the proper performance of the mission
of FinCEN, including whether the information would have practical utility; (2) the accuracy of FinCEN's estimate of the burden
of the proposed collection of information; (3) ways to enhance the quality, utility, and clarity of the information required
to be maintained; (4) ways to minimize the burden of the collection of information, including through the use of automated
collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of
operation, maintenance, and purchase of services required to report the information.

F. Additional Requests for Comment

Baseline Estimates

1. Are FinCEN's baseline estimates of the number of covered financial institutions in each industry accurate? Are there specific
   sources of data that would suggest any of these population estimates should be revised? Please provide data, studies, or anecdotal
   evidence that would support any suggested alternatives.

2. Is it appropriate for FinCEN to presume covered financial institutions are generally in full compliance with current rules?
   If not, please provide defensible methods, data, studies, or anecdotal evidence that FinCEN could use to estimate the share
   of non-compliant financial institutions and identify the areas in which they are not currently compliant in order to revise
   the baseline assessment of current market practices.

3. To what extent should the economic impact on additional key, directly affected subpopulations of the general public be
   considered in the RIA? Please provide data, studies, or reports that would enhance FinCEN's ability to identify and quantify
   such effects.

4. Are FinCEN's baseline expectations about how covered financial institutions currently comply with existing program rules
   and the incremental change in burden due to the proposed changes reasonably accurate? In particular, are the baseline expectations
   accurate for small covered financial institutions? Are there any other aspects of current practice that FinCEN should have
   considered or further information about the aspects considered that should be included?

5. Do the cost estimates presented in the RIA baseline reflect a reasonable range of the costs that covered financial institutions
   incur to maintain their AML/CFT programs? Is the assumption that per-entity costs would be lower for covered non-bank financial
   institutions than covered banks of similar sizes a reasonable one? How much does a typical financial institution spend to
   implement their current AML program? How much does a typical small financial institution spend to implement their current
   AML program?

6. Are FinCEN's expectations about the incremental change in burden on regulators and compliance examiners described in sections
   X.A.3.iv, X.A.4.i.b, and X.A.4.ii.b due to the proposed changes reasonable? If not, please provide data, studies, or anecdotal
   evidence that would support an alternate conclusion.

Potential Efficiencies and Burden

1. Because program rules are a minimum standard, FinCEN preemptively qualified its analysis as likely to overstate both the
   benefits and costs of the proposed rule for covered financial institutions that already strive for best practices or whose
   programs already meet or surpass the proposed requirements, and assumes it should not, in theory, affect an assessment of
   the overall net effects, as the differences in benefits and costs should offset each other. Is this expectation reasonable?
   Please provide data or information, if available, that would improve the accuracy of FinCEN's assessment of impact if this
   reliance on theory is not appropriate.

2. Is there any empirical evidence or data that would support the quantification of how much money laundering and the financial
   of terrorism could be reduced as a result of the proposed rule or the quantification of how much other illegal activity could

   be curbed by this reduction in money laundering and terrorist financing?

3. As described in section X.A.4.ii.a of the RIA, FinCEN has not identified any unambiguous sources of significant burden
   on covered financial institutions that would result from the changes described in the proposed rule. Are there categories
   of burden that FinCEN should articulate and quantify as part of its calculated burden estimates? For example, costs associated
   with becoming familiar with the rule, external consultation costs, costs to establish and maintain an AML/CFT program, training
   costs, or other costs associated with ongoing compliance. If so, what are they, and what are the estimated one-time and ongoing
   burdens per financial institution? In particular, what are the estimated one-time and ongoing burdens per small financial
   institution?

4. Is FinCEN's expectation that, in aggregate, the net change in cost incurred by covered financial institutions would not
   be easily distinguished from zero as a result of the proposed changes reasonably accurate?

5. Would implementing any changes necessary to comply with the proposed rule be expected to increase or decrease current
   compliance costs and by how much? For example, are there any current compliance costs that would be reduced by the proposed
   requirement that attention and resources be directed toward high-risk activities and customers rather than low-risk activities
   and customers? What type and share of covered financial institutions would likely experience this change in compliance costs?

6. What is the likelihood that a covered financial institution or group of covered financial institutions, by type, would
   invest in updating or new technology as a result of the rule as proposed? Are there modifications to the proposed rule that
   would significantly increase (or decrease) this likelihood? If so, please describe. Where possible, please explain why the
   described modification is expected to change the likelihood.

7. Is FinCEN's assessment that the proposed changes would have a deregulatory impact appropriate? Are there specific sources
   of empirical evidence or data that would suggest this determination should be revised? Please provide data, studies, or anecdotal
   evidence that would support any suggested alternative determination.

8. With respect to the economic analysis in its entirety, are there comments as to the specific findings, assumptions, or
   expectations?

ALTERNATIVES

1. FinCEN requests comment on the alternative policy options presented in section X.A.5 as well as any other alternatives that were not considered and their economic effects. Please provide information, data, studies, or other evidence that would support any suggested alternatives that FinCEN should consider.

IRFA

1. Is FinCEN's expectation that the proposed rule would have a significant economic impact on a significant number of small
   entities reasonable? Are there specific sources of empirical evidence or data that would suggest this determination should
   be revised? Please provide data, studies, or anecdotal evidence that would support the suggested alternative determination.

2. Are FinCEN's baseline estimates of the proportion of each industry type's regulated financial institutions that are small
   reasonably accurate? Are there specific sources of data that would suggest any of these percentages should be revised?

3. Has FinCEN reasonably assessed the relative value to affected small businesses that the alternative 12 additional months
   to transition compliance to the proposed new and amended program requirements would afford?

UMRA

1. FinCEN does not anticipate that the proposed rule would result in novel incremental aggregate expenditures by State, local, or Tribal governments, or by the private sector of $193 million or more in any one year. Is this assumption reasonable? If not, what studies, data, or anecdotal evidence should be taken into consideration that would update this expectation?

PRA

1. Is it reasonable to assume that the PRA recordkeeping burden associated with program approval requirements would generally
   be incurred at the principal-MSB level rather than the agent-MSB level? If not, what share of the agent MSB population would
   likely incur the recordkeeping burden?

2. Does current market practice associated with conducting an audit as part of independent AML program testing involve documenting
   the results of the audit? If so, should FinCEN articulate and assign a PRA recordkeeping burden for doing so? And if so, how
   much burden should be attributed to the activity?

List of Subjects

Administrative practice and procedure, Aliens, Authority delegations (Government agencies), Banks, banking, Brokers, Business
and industry, Citizenship and naturalization, Commodity futures, Crime, Currency, Electronic filing, Federal savings associations,
Federal-State relations, Fiduciaries, Foreign banking, Foreign currencies, Foreign persons, Gambling, Holding companies, Indians,
Indians-law, Indians-tribal government, Insurance companies, Investigations, Investment companies, Law enforcement, Penalties,
Reporting and recordkeeping requirements, Savings associations, Securities, Small business, Terrorism, Time.

Administrative practice and procedure, Banks, banking, Brokers, Citizenship and naturalization, Commodity futures, Currency,
Electronic filing, Federal savings associations, Federal-State relations, Foreign banking, Foreign currencies, Foreign persons,
Holding companies, Investigations, Penalties, Reporting and recordkeeping requirements, Securities, Terrorism.

Administrative practice and procedure, Banks, banking, Brokers, Currency, Foreign banking, Foreign currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping requirements, Securities.

Administrative practice and procedure, Banks, banking, Currency, Foreign banking, Foreign currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping requirements, Securities.

Administrative practice and procedure, Banks, banking, Brokers, Currency, Foreign banking, Gambling, Investigations, Penalties,
Reporting and recordkeeping requirements, Securities.

Administrative practice and procedure, Banks, banking, Brokers, Currency, Foreign banking, Gambling, Investigations, Penalties,
Reporting and recordkeeping requirement, Securities.

Administrative practice and procedure, Banks, banking, Brokers,

     Currency, Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and recordkeeping requirements,
     Securities, Terrorism.

For the reasons set forth in the
SUPPLEMENTARY INFORMATION
, FinCEN proposes to amend 31 CFR parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, and 1030 as follows:

PART 1010—GENERAL PROVISIONS

1. The authority citation for part 1010 is revised to read as follows:

Authority:

12 U.S.C. 1829b and 1951-60; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 2006,
Pub. L. 114-41, 129 Stat. 458-459; sec. 701, Pub. L. 114-74, 129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat. 3388.

1. Amend § 1010.100 by:

a. Revising paragraphs (e) and (r); and

b. Adding paragraphs (nnn) and (ooo).

The revisions and additions read as follows:

§ 1010.100 General definitions. * * * * *

(e) Bank Secrecy Act. The Bank Secrecy Act means 12 U.S.C. 1829b, 12 U.S.C. 1951-1960, and 31 U.S.C. 5311-5314 and 5316-5336, including notes thereto.

---

(r) Federal functional regulator. (1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Federal Deposit Insurance Corporation;

(4) The National Credit Union Administration;

(5) The Securities and Exchange Commission; or

(6) The Commodity Futures Trading Commission.

---

(nnn) AML/CFT priorities. AML/CFT priorities means the most recent statement of Anti-Money Laundering and Countering the Financing of Terrorism National
Priorities issued pursuant to 31 U.S.C. 5318(h)(4).

(ooo) Federal Financial Institutions Regulatory Agency. (1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Federal Deposit Insurance Corporation; or

(4) The National Credit Union Administration.

PART 1020—RULES FOR BANKS

1. The authority citation for part 1020 is revised to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1020.110 to read as follows:

§ 1020.110 Severability. If any provision of this part, or any provision of this chapter referencing banks, is held to be invalid, or the application
thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application
of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1020.210 to read as follows:

§ 1020.210 Anti-money laundering/countering the financing of terrorism program requirements for banks. (a) In general. A bank has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the
bank:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A bank establishes an AML/CFT program in accordance with this paragraph (b) if the bank:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the bank's money laundering, terrorist financing, and other illicit finance activity risks
through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the bank's business activities,
including its products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's money
laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the bank's money laundering, terrorist financing, and other illicit finance activity risks consistent with the
risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and resources
toward higher-risk customers and activities, consistent with the risk profile of the bank, rather than toward lower-risk customers
and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230
of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by bank personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A bank implements an AML/CFT program in accordance with this paragraph (c) if the bank implements, in all material respects,
the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A bank's AML/CFT program must be written, and it must be approved by the bank's board of directors, an equivalent governing
body within the bank, or appropriate senior management. The bank must make a copy of its AML/CFT program available to FinCEN
or its designee upon request.

1. Amend § 1020.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1020.220 Customer identification program requirements for banks. (a) * * *

(1) In general. A bank required to have an AML/CFT program under 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 12 U.S.C. 1786(q)(1) must implement
a written Customer Identification Program (CIP) appropriate for the bank's size and type of business that, at a minimum,

  includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of the AML/CFT
  program.

---

(6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented
its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the bank's CIP.

---

1. Add § 1020.221 to read as follows:

§ 1020.221 Supervision and enforcement. (a) Definitions. For purposes of this section:

(1) AML/CFT enforcement action means any formal or informal action taken by FinCEN that seeks to penalize, remedy, prevent, or respond to noncompliance with
past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes—

(i) A cease-and-desist order, consent order, or memorandum of understanding; or

(ii) The assessment of a civil money penalty.

(2) AML/CFT requirement means a requirement of the Bank Secrecy Act or this chapter.

(3) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination issued by FinCEN or a Federal Financial Institutions
Regulatory Agency when acting pursuant to authority delegated under this chapter that, in either case—

(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions
relating to an AML/CFT requirement;

(ii) Communicates supervisory expectations to a bank regarding actions or remedial measures required to correct the deficiency,
weakness, violation, or practice or condition; and

(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the bank.

(iv) The term does not include examiner observations, suggestions, or other informal comments.

(b) FinCEN enforcement and supervision policy —(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with § 1020.210(c),
a bank that has established an AML/CFT program in accordance with § 1020.210(b) will not be subject to:

(i) An AML/CFT enforcement action related to the requirements of 31 U.S.C. 5318(h)(1) § 1020.210 by FinCEN; or

(ii) A significant AML/CFT supervisory action related to the requirements of 31 U.S.C. 5318(h)(1) or § 1020.210 by FinCEN
or by a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter.

(2) Program establishment violations. Nothing in this paragraph (b) may be construed to restrict an AML/CFT enforcement action by FinCEN, or a significant AML/CFT
supervisory action by FinCEN or a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated
under this chapter with respect to any failure to establish an AML/CFT program in accordance with § 1020.210(b).

(3) Criminal enforcement. Nothing in this paragraph (b) may be construed to affect criminal enforcement liability under the Bank Secrecy Act.

(c) FinCEN consultation —(1) Consultation and consideration requirement. Before initiating a significant AML/CFT supervisory action, a Federal Financial Institutions Regulatory Agency when acting
pursuant to authority delegated under this chapter will provide the Director, FinCEN an opportunity to review the action and
consider any input offered by the Director, FinCEN on the action, which may include any view as to the effectiveness of the
bank's AML/CFT program.

(2) Notice requirement. To provide the Director, FinCEN an opportunity to provide a view under paragraph (c)(1) of this section, a Federal Financial
Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter will:

(i) Send written notice to the Director, FinCEN of its intent to take that action at least 30 days before taking the action
(unless a shorter period of time is necessary, in the sole discretion of the Federal Financial Institutions Regulatory Agency,
to remedy, prevent, or respond to an unsafe or unsound practice or condition), accompanied by the relevant AML/CFT information
underlying the proposed action, including the relevant portions of the draft report or enforcement action, the relevant examination
workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the bank to the Federal Financial
Institutions Regulatory Agency, other than information over which the bank may claim privilege under Federal or State law;
and

(ii) Respond to the extent reasonably practicable to requests for additional information from the Director, FinCEN regarding
the proposed action.

(d) FinCEN considerations. In determining whether to take an AML/CFT enforcement action or significant AML/CFT supervisory action, or when reviewing
a proposed action by a Federal Financial Institutions Regulatory Agency under paragraph (c) of this section or 12 CFR 21.21,
208.63, 211.5(m), 211.24(j), 326.8, or 748.2, the Director, FinCEN shall consider:

(1) The factors under 31 U.S.C. 5318(h)(2)(B), as applicable to actions concerning the AML/CFT program requirements under
§ 1020.210;

(2) The extent (if any) to which the bank, where appropriate in light of its size, complexity, and risk profile, has advanced
the AML/CFT priorities by providing highly useful information to law enforcement authorities or national security officials,
conducting proactive analytics, or performing other innovative activities producing demonstrable outputs evincing the effectiveness
of the bank's AML/CFT program (including effective use of artificial intelligence, federated learning, and other advanced
monitoring tools); and

(3) Any other factor the Director, FinCEN deems appropriate, including the bank's size, complexity, and risk profile, and,
as relevant, where the bank's low-risk customers or limited business activities naturally limits the extent to which the bank
can meaningfully contribute to AML/CFT priorities.

PART 1021—RULES FOR CASINOS AND CARD CLUBS

1. Revise the authority citation for part 1021 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1021.110 to read as follows:

§ 1021.110 Severability. If any provision of this part, or any provision of this chapter referencing casinos and card clubs, is held to be invalid,
or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions,
or application of such provisions to other persons or circumstances, that can be given effect

  without the invalid provision or application.

1. Revise § 1021.210 to read as follows:

§ 1021.210 Anti-money laundering/countering the financing of terrorism program requirements for casinos. (a) In general. A casino has an effective AML/CFT program and complies with the requirements for 31 U.S.C. 5318(h)(1) if the casino:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A casino establishes an AML/CFT program in accordance with this paragraph (b) if the casino:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the casino's money laundering, terrorist financing, and other illicit finance activity
risks though risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the casino's business
activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the casino knows or has reason to know significantly changes the casino's money
laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the casino's money laundering, terrorist financing, and other illicit finance activity risks consistent with
the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and
resources toward higher-risk customers and activities, consistent with the risk profile of the casino, rather than toward
lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by casino personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(5) Procedures for using all available information to determine:

(i) When required by this chapter, the name, address, social security number, and other information, and verification of the
same, of a person;

(ii) The occurrence of any transactions or patterns of transactions required to be reported pursuant to § 1021.320; and

(iii) Whether any record as described in subpart D of part 1010 of this chapter or subpart D of this part must be made and
retained.

(c) Program implementation. A casino implements an AML/CFT program in accordance with this paragraph (c) if the casino implements, in all material aspects,
the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A casino's AML/CFT program must be written, and it must be approved by the casino's board of directors, an equivalent governing
body within the casino, or appropriate senior management. The casino must make a copy of its AML/CFT program available to
FinCEN or its designee upon request.

1. Amend § 1021.410 by revising paragraph (b)(10) to read as follows:

§ 1021.410 Additional records to be made and retained by casinos. * * * * *

(b) * * *

(10) A copy of the AML/CFT program described in § 1021.210.

---

PART 1022—RULES FOR MONEY SERVICES BUSINESSES

1. Revise the authority citation for part 1022 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1022.110 to read as follows:

§ 1022.110 Severability. If any provision of this part, or any provision of this chapter referencing money services businesses, is held to be invalid,
or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions,
or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision
or application.

1. Revise § 1022.210 to read as follows:

§ 1022.210 Anti-money laundering/countering the financing of terrorism program requirements for money services businesses. (a) In general. A money services business has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h) and this
section if the money services business:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A money services business establishes an AML/CFT program in accordance with this paragraph (b) if the money services business:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the money services business's money laundering, terrorist financing, and other illicit
finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the money services business's
activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any changes that the money services business knows or has reason to know significantly changes
the money services business's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the money services business's money laundering, terrorist financing, and other illicit finance activity risks
consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more
attention and resources toward higher-risk customers and activities, consistent with the risk profile of the money services
business, rather than toward lower-risk customers and activities; and

(iii) To the extent applicable to the money services business:

(A) Verify customer identification, including as set forth in paragraph (b)(1)(v) of this section;

(B) File reports;

(C) Create and retain records; and

(D) Respond to law enforcement requests.

(iv) For a person that is a money services business solely because it is an agent for another money services business, as
set forth in § 1022.380(a)(3) and for the money services business for which it serves as agent, choose by agreement to allocate
between them responsibility for development of internal policies, procedures, and controls required by this paragraph (b)(1).
Each money services business will remain solely responsible for implementation of the requirements set forth in this section,
and nothing in this paragraph (b)(1) relieves any money services business from its obligation to establish and maintain an
effective AML/CFT program.

(v) For a money services business that is a provider or seller of prepaid access, establish procedures to verify the identity
of a person who obtains prepaid access under a prepaid program and obtain identifying information concerning such a person,
including name, date of birth, address, and identification number. Sellers of prepaid access must also establish procedures
to verify the identity of a person who obtains prepaid access to funds that exceed $10,000 during any one day and obtain identifying
information concerning such a person, including name, date of birth, address, and identification number. Providers of prepaid
access must retain access to such identifying information for five years after the last use of the prepaid access device or
vehicle; such information obtained by sellers of prepaid access must be retained for five years from the date of the sale
of the prepaid access device or vehicle.

(2) Establishes independent AML/CFT program testing to be conducted by money services business personnel or by an outside
party.

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance.

(4) Establishes an ongoing employee training program.

(c) Program implementation. A money services business implements an AML/CFT program in accordance with this paragraph (c) if the money services business
implements, in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A money services business's AML/CFT program must be written, and it must be approved by the money services business's board
of directors, an equivalent governing body within the bank, or appropriate senior management. The money services business
must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

(e) Compliance date. A money services business must develop and implement an anti-money laundering program that complies with the requirements
of this section on or before the end of the 90-day period beginning on the day following the date the business is established.

PART 1023—RULES FOR BROKERS OR DEALERS IN SECURITIES

1. Revise the authority citation for part 1023 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1023.110 to read as follows:

§ 1023.110 Severability. If any provision of this part, or any provision of this chapter referencing brokers-dealers, is held to be invalid, or the
application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions,
or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision
or application.

1. Revise § 1023.210 to read as follows:

§ 1023.210 Anti-money laundering/countering the financing of terrorism program requirements for broker-dealers. (a) In general. A broker-dealer has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section
if the broker-dealer:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section;

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A broker-dealer establishes an AML/CFT program in accordance with this paragraph (b) if the broker-dealer:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the broker-dealer's money laundering, terrorist financing, and other illicit finance activity
risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the broker-dealer's business
activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the broker-dealer knows or has reason to know significantly changes the broker-dealer's
money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the broker-dealer's money laundering, terrorist financing, and other illicit finance activity risks consistent
with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention
and resources toward higher-risk customers and activities, consistent with the risk profile of the broker-dealer, rather than
toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230
of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by broker-dealer personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A broker-dealer implements an AML/CFT program in accordance with this paragraph (c) if the broker-dealer implements, in all
material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A broker-dealer AML/CFT program must be written, and it must be approved by the broker-dealer's board of directors, an equivalent
governing body within the broker-dealer, or appropriate senior management. The broker-dealer must make a copy of its AML/CFT
program available to FinCEN or its designee upon request.

(e) Compliance with self-regulatory organization. A broker-dealer AML/CFT program must comply with the rules, regulations, or requirements of its self-regulatory organization
governing such programs; provided that the rules, regulations, or requirements of the self-regulatory organization governing
such programs have been made effective under the Securities Exchange Act of 1934 by the appropriate Federal functional regulator
in consultation with FinCEN.

1. Amend § 1023.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1023.220 Customer identification programs for broker-dealers. (a) * * *

(1) In general. A broker-dealer must establish, document, and maintain a written Customer Identification Program (CIP) appropriate for its
size and business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section.
The CIP must be a part of the broker-dealer's AML/CFT program required under 31 U.S.C. 5318(h).

---

(6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the broker-dealer that it
has implemented its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the
broker-dealer's CIP.

---

PART 1024—RULES FOR MUTUAL FUNDS

1. Revise the authority citation for part 1024 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1024.110 to read as follows:

§ 1024.110 Severability. If any provision of this part, or any provision of this chapter referencing mutual funds, is held to be invalid, or the application
thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application
of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.

1. Revise § 1024.210 to read as follows:

§ 1024.210 Anti-money laundering/countering the financing of terrorism program requirements for mutual funds. (a) In general. A mutual fund has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this section
if the mutual fund:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A mutual fund establishes an AML/CFT program in accordance with this paragraph (b) if the mutual fund:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the mutual fund's money laundering, terrorist financing, and other illicit finance activity
risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the mutual fund's business
activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the mutual fund knows or has reason to know significantly changes the mutual
fund's money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the mutual fund's money laundering, terrorist financing, and other illicit finance activity risks consistent
with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention
and resources toward higher-risk customers and activities, consistent with the risk profile of the mutual fund, rather than
toward lower-risk customers and activities; and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230
of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by mutual fund personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A mutual fund implements an AML/CFT program in accordance with this paragraph (c) if the mutual fund implements, in all material
respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A mutual fund's AML/CFT program must be written, and it must be approved by the mutual fund's board of directors, an equivalent
governing body within the mutual fund, or appropriate senior management. The mutual fund must make a copy of its AML/CFT program
available to FinCEN or its designee upon request.

1. Amend § 1024.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1024.220 Customer identification programs for mutual funds. (a) * * *

(1) In general. A mutual fund must implement a written Customer Identification Program (CIP) appropriate for its size and type of business
that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a
part of the mutual fund's AML/CFT program required under the regulations

  in this part implementing 31 U.S.C. 5318(h).

---

(6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the mutual fund that it has
implemented its AML/CFT program, and that it will perform (or its agent will perform) the specified requirements of the mutual
fund's CIP.

---

PART 1025—RULES FOR INSURANCE COMPANIES

1. Revise the authority citation for part 1025 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1025.110 to read as follows:

§ 1025.110 Severability. If any provision of this part, or any provision of this chapter referencing insurance companies, is held to be invalid, or
the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions,
or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision
or application.

1. Revise § 1025.210 to read as follows:

§ 1025.210 Anti-money laundering/countering the financing of terrorism program requirements for insurance companies. (a) In general. An insurance company has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and this
section if the insurance company:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. An insurance company establishes an AML/CFT program in accordance with this paragraph (b) if the insurance company:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the insurance company's money laundering, terrorist financing, and other illicit finance
activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the insurance company's
business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the insurance company knows or has reason to know significantly changes the
insurance company's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the insurance company's money laundering, terrorist financing, and other illicit finance activity risks consistent
with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention
and resources toward higher-risk customers and activities, consistent with the risk profile of the insurance company's, rather
than toward lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by insurance company personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. An insurance company implements an AML/CFT program in accordance with this paragraph (c) if the insurance company implements,
in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. An insurance company's AML/CFT program must be written, and it must be approved by the insurance company's board of directors,
an equivalent governing body within the insurance company, or appropriate senior management. The insurance company must make
a copy of its AML/CFT program available to FinCEN or its designee upon request.

(e) AML/CFT program requirements for insurance companies required to register with the Securities and Exchange Commission as broker-dealers
in securities. An insurance company that is registered or required to register with the Securities and Exchange Commission as a broker-dealer
in securities shall be deemed to have satisfied the requirements of this section for its broker-dealer activities to the extent
that the company is required to establish and has established an anti-money laundering program pursuant to § 1023.210 of this
chapter and complies with such program.

PART 1026—RULES FOR FUTURES COMMISSION MERCHANTS AND INTRODUCING BROKERS IN COMMODITIES

1. Revise the authority citation for part 1026 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1026.110 to read as follows:

§ 1026.110 Severability. If any provision of this part, or any provision of this chapter referencing futures commission merchants or introducing brokers
in commodities, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such
invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can
be given effect without the invalid provision or application.

1. Revise § 1026.210 to read as follows:

§ 1026.210 Anti-money laundering/countering the financing of terrorism program requirements for futures commission merchants and introducing
brokers in commodities. (a) In general. A futures commission merchant or an introducing broker in commodities has an effective AML/CFT program and complies with the
requirements of 31 U.S.C. 5318(h)(1) and this section if the futures commission merchant or introducing broker in commodities:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A futures commission merchant or an introducing broker in commodities establishes an AML/CFT program in accordance with this
paragraph (b) if the futures commission merchant or introducing broker in commodities:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the futures commission merchant's or introducing broker's money laundering, terrorist financing,
and other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the futures commission
merchant's or introducing broker's business activities, including products, services, distribution channels, customers, and
geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the futures commission merchant or introducing broker in commodities knows or
has reason to know significantly changes the futures commission merchant's or introducing broker's money laundering, terrorist
financing, and other illicit finance activity risks;

(ii) Mitigate the futures commission merchant's or introducing broker's money laundering, terrorist financing, and other illicit
finance activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including
by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of
the futures commission merchant or introducing broker in commodities, rather than toward lower-risk customers and activities;
and

(iii) Conduct ongoing customer due diligence, including to:

(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update
customer information (including information regarding the beneficial owners of legal entity customers, as defined in § 1010.230
of this chapter);

(2) Establishes independent AML/CFT program testing to be conducted by futures commission merchant or introducing broker personnel
or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A futures commission merchant or introducing broker in commodities implements an AML/CFT program in accordance with this paragraph
(c) if the futures commission merchant or introducing broker in commodities implements, in all material respects, the AML/CFT
program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A futures commission merchant or introducing broker in commodities AML/CFT program must be written, and it must be approved
by the futures commission merchant's or introducing broker's board of directors, an equivalent governing body within the futures
commission merchant or introducing broker in commodities, or appropriate senior management. The futures commission merchant
and the introducing broker in commodities must make copies of their respective AML/CFT programs available to FinCEN or its
designee upon request.

(e) Compliance with self-regulatory organization. Complies with the rules, regulations, or requirements of its self-regulatory organization governing such programs, provided
that the rules, regulations, or requirements of the self-regulatory organization governing such programs have been made effective
under the Commodity Exchange Act by the appropriate Federal functional regulator in consultation with FinCEN.

1. Amend § 1026.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§ 1026.220 Customer identification programs for futures commission merchants and introducing brokers. (a) * * *

(1) In general. Each futures commission merchant or introducing broker must implement a written Customer Identification Program (CIP) appropriate
for its size and business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section.
The CIP must be a part of each futures commission merchant's or introducing broker's AML/CFT program required under 31 U.S.C.
5318(h).

---

(6) * * *

(iii) The other financial institution enters into a contract requiring it to certify annually to the futures commission merchant
or introducing broker that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) the
specified requirements of the futures commission merchant's or introducing broker's CIP.

---

PART 1027—RULES FOR DEALERS IN PRECIOUS METALS, PRECIOUS STONES, OR JEWELS

1. Revise the authority citation for part 1027 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Amend § 1027.100 by revising paragraph (b)(4) to read as follows:

§ 1027.100 Definitions. * * * * *

(b) * * *

(4) For purposes of this paragraph (b) and § 1027.210, the terms “purchase” and “sale” do not include the purchase of jewels,
precious metals, or precious stones that are incorporated into machinery or equipment to be used for industrial purposes,
and the purchase and sale of such machinery or equipment.

---

1. Add § 1027.110 to read as follows:

§ 1027.110 Severability. If any provision of this part, or any provision of this chapter referencing dealers in precious metals, precious stones, or
jewels, is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity
shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given
effect without the invalid provision or application.

1. Revise § 1027.210 to read as follows:

§ 1027.210 Anti-money laundering/countering the financing of terrorism program requirements for dealers in precious metals, precious
stones, or jewels. (a) In general. A dealer has an effective AML/CFT program and

  complies with the requirements of 31 U.S.C. 5318(h)(1) and this section if the dealer:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(3) To the extent that a retailer's purchases from persons other than dealers and other retailers exceeds the $50,000 threshold
contained in § 1027.100(b)(2)(i), the AML/CFT program required of the retailer under this paragraph (a) need only address
such purchases.

(b) Program establishment. A dealer establishes an AML/CFT program in accordance with this paragraph (b) if the dealer:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the dealer's money laundering, terrorist financing, and other illicit finance activity
risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the dealer's business
activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the dealer knows or has reason to know significantly changes the dealer's money
laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the dealer's money laundering, terrorist financing, and other illicit finance activity risks consistent with
the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and
resources toward higher-risk customers and activities, consistent with the risk profile of the dealer, rather than toward
lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by dealer personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A dealer implements an AML/CFT program in accordance with this paragraph (c) if the insurance company implements, in all material
respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A dealer's AML/CFT program must be written, and it must be approved by the dealer's board of directors, an equivalent governing
body within the dealer, or appropriate senior management. The dealer must make a copy of its AML/CFT program available to
FinCEN or its designee upon request.

(e) Implementation date. A dealer must develop and implement an anti-money laundering program that complies with the requirements of this section on
or before six months after the date a dealer becomes subject to the requirements of this section.

PART 1028—RULES FOR OPERATORS OF CREDIT CARD SYSTEMS

1. Revise the authority citation for part 1028 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1028.110 to read as follows:

§ 1028.110 Severability. If any provision of this part, or any provision of this chapter referencing operators of credit card systems, is held to be
invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect
other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the
invalid provision or application.

1. Revise § 1028.210 to read as follows:

§ 1028.210 Anti-money laundering/countering the financing of terrorism program requirements for operators of credit card systems. (a) In general. An operator of credit card systems has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1)
and this section if the operator of credit card systems:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. An operator establishes an AML/CFT program in accordance with this paragraph (b) if the operator of credit card systems:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the operator's money laundering, terrorist financing, and other illicit finance activity
risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the operator's business
activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the operator knows or has reason to know significantly changes the operator's
money laundering, terrorist financing, and other illicit finance activity risks;

(ii) Mitigate the operator's money laundering, terrorist financing, and other illicit finance activity risks consistent with
the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more attention and
resources toward higher-risk customers and activities, consistent with the risk profile of the operator's, rather than toward
lower-risk customers and activities; and

(iii) That the operator does not authorize, or maintain authorization for, any person to serve as an issuing or acquiring
institution without the operator taking appropriate steps, based upon the operator's money laundering or terrorist financing
risk assessment, to guard against that person issuing the operator's credit card or acquiring merchants who accept the operator's
credit card in circumstances that facilitate money laundering or the financing of terrorist activities; and

(iv) For purposes of making the risk assessment required by paragraph (b)(1)(i) of this section, the following persons are
presumed to pose a heightened risk of money laundering or terrorist financing when evaluating whether and under what circumstances

  to authorize, or to maintain authorization for, any such person to serve as an issuing or acquiring institution:

(A) A foreign shell bank that is not a regulated affiliate, as those terms are defined in § 1010.605(g) and (n) of this chapter;

(B) A person appearing on the Specially Designated Nationals List issued by Treasury's Office of Foreign Assets Control;

(C) A person located in, or operating under a license issued by, a jurisdiction whose government has been identified by the
Department of State as a sponsor of international terrorism under 22 U.S.C. 2371;

(D) A foreign bank operating under an offshore banking license, other than a branch of a foreign bank if such foreign bank
has been found by the Board of Governors of the Federal Reserve System under the Bank Holding Company Act (12 U.S.C. 1841, et seq.) or the International Banking Act (12 U.S.C. 3101, et seq.) to be subject to comprehensive supervision or regulation on a consolidated basis by the relevant supervisors in that jurisdiction;

(E) A person located in, or operating under a license issued by, a jurisdiction that has been designated as noncooperative
with international anti-money laundering principles or procedures by an intergovernmental group or organization of which the
United States is a member, with which designation the United States representative to the group or organization concurs; and

(F) A person located in, or operating under a license issued by, a jurisdiction that has been designated by the Secretary
of the Treasury pursuant to 31 U.S.C. 5318A as warranting special measures due to money laundering concerns;

(2) Establishes independent AML/CFT program testing to be conducted by operator personnel or by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. An operator implements an AML/CFT program in accordance with this paragraph (c) if the operator implements, in all material
respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. An operator's AML/CFT program must be written, and it must be approved by the operator's board of directors, or an equivalent
governing body within the operator, or appropriate senior management. The operator must make a copy of its AML/CFT program
available to FinCEN or its designee upon request.

PART 1029—RULES FOR LOAN OR FINANCE COMPANIES

1. Revise the authority citation for part 1029 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1029.110 to read as follows:

§ 1029.110 Severability. If any provision of this part, or any provision of this chapter referencing loan or finance companies, is held to be invalid,
or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions,
or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision
or application.

1. Revise § 1029.210 to read as follows:

§ 1029.210 Anti-money laundering/countering the financing of terrorism program requirements for loan or finance companies. (a) In general. A loan or finance company has an effective AML/CFT program and complies with the requirements of 31 U.S.C. 5318(h)(1) and
this section if the operator of credit card systems:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A loan or finance company establishes an AML/CFT program in accordance with this paragraph (b) if the loan or finance company:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the operator's money laundering, terrorist financing, and other illicit finance activity
risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the loan or finance company's
business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the loan or finance company knows or has reason to know significantly changes
the loan or finance company's money laundering, terrorist financing, and other illicit finance activity risks; and

(ii) Mitigate the loan or finance company's money laundering, terrorist financing, and other illicit finance activity risks
consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including by directing more
attention and resources toward higher-risk customers and activities, consistent with the risk profile of the loan or finance
company's, rather than toward lower-risk customers and activities;

(2) Establishes independent AML/CFT program testing to be conducted by loan or finance company personnel or by an outside
party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A loan or finance company implements an AML/CFT program in accordance with this paragraph (c) if the operator implements,
in all material respects, the AML/CFT program required under paragraph (b) of this section.

(d) Written AML/CFT program and approval. A loan or finance company AML/CFT program must be written, and it must be approved by the loan or finance company's board
of directors, an equivalent governing body within the loan or finance company, or appropriate senior management. The loan
or finance company must make a copy of its AML/CFT program available to FinCEN or its designee upon request.

§ 1029.320 [Amended] 51. Amend § 1029.320 by removing paragraph (g).

PART 1030—RULES FOR HOUSING GOVERNMENT SPONSORED ENTERPRISES

1. Revise the authority citation for part 1030 to read as follows:

Authority:

12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec.
701, Pub. L. 114-74, 129 Stat. 599.

1. Revise the subpart A heading to read as follows:

Subpart A—General Provisions

1. Add § 1030.110 to read as follows:

§ 1030.110 Severability. If any provision of this part, or any provision of this chapter referencing housing government sponsored enterprises, is held
to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect
other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the
invalid provision or application.

1. Revise § 1030.210 to read as follows:

§ 1030.210 Anti-money laundering/countering the financing of terrorism program requirements for housing government sponsored enterprises. (a) In general. A housing government sponsored enterprise has an effective AML/CFT program and complies with the requirements of 31 U.S.C.
5318(h)(1) and this section if the housing government sponsored enterprise:

(1) Establishes an AML/CFT program in accordance with paragraph (b) of this section; and

(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (c) of this section.

(b) Program establishment. A housing government sponsored enterprise establishes an AML/CFT program in accordance with this paragraph (b) if the housing
government sponsored enterprise:

(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance
with the Bank Secrecy Act and this chapter and to:

(i) Identify, assess, and document the housing government sponsored enterprise's money laundering, terrorist financing, and
other illicit finance activity risks through risk assessment processes that:

(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the housing government
sponsored enterprise business activities, including products, services, distribution channels, customers, and geographic locations;

(B) Review and, as appropriate, incorporate the AML/CFT priorities; and

(C) Are updated promptly upon any change that the housing government sponsored enterprise knows or has reason to know significantly
changes the housing government sponsored enterprise's money laundering, terrorist financing, and other illicit finance activity
risks; and

(ii) Mitigate the housing government sponsored enterprise's money laundering, terrorist financing, and other illicit finance
activity risks consistent with the risk assessment processes required under paragraph (b)(1)(i) of this section, including
by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of
the housing government sponsored enterprise, rather than toward lower-risk customers and activities; and

(2) Establishes independent AML/CFT program testing to be conducted by housing government sponsored enterprise personnel or
by an outside party;

(3) Designates an individual, who is:

(i) Located in the United States;

(ii) Accessible to, and subject to oversight and supervision by, FinCEN and its designee; and

(iii) Responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance;
and

(4) Establishes an ongoing employee training program.

(c) Program implementation. A housing government sponsored enterprise implements an AML/CFT program in accordance with this paragraph (c) if the housing
government sponsored enterprise implements, in all material respects, the AML/CFT program required under paragraph (b) of
this section.

(d) Written AML/CFT program and approval. A housing government sponsored enterprise's AML/CFT program must be written, and it must be approved by the housing government
sponsored enterprise's board of directors, an equivalent governing body within the housing government sponsored enterprise,
or appropriate senior management. The housing government sponsored enterprise must make a copy of its AML/CFT program available
to FinCEN or its designee upon request.

§ 1030.320 [Amended] 56. Amend § 1030.320 by removing paragraph (g).

Andrea M. Gacki, Director, Financial Crimes Enforcement Network. [FR Doc. 2026-07033 Filed 4-9-26; 8:45 am] BILLING CODE 4810-02-P

Footnotes

(1) When referring to the existing program rules, the term “AML program rules” is used; when referring to the requirements that
this NPRM is proposing, the term “AML/CFT program rules” is used.

(2) Certain parts of the Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to
the subject matter of that Act, have come to be referred to as the BSA. These statutes are codified at 12 U.S.C. 1829b, 12
U.S.C. 1951-1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto, with implementing regulations at 31 CFR chapter
X. Certain criminal statutes—namely, 18 U.S.C. 1956, 1957, and 1960—are included in the BSA definition at 31 CFR 1010.100(e).
Section 6003 of the AML Act, however, does not include these provisions in its BSA definition, and thus FinCEN is not considering
them part of the BSA for the purposes of this proposed rule. The AML program rules are located at 31 CFR 1020.210 (banks),
1021.210 (casinos), 1022.210 (MSBs), 1023.210 (broker-dealers), 1024.210 (mutual funds), 1025.210 (insurance companies), 1026.210
(FCMs and IBCs), 1027.210 (DPMSJs), 1028.210 (operators of credit card systems), 1029.210 (loan or finance companies), and
1030.210 (housing GSEs). FinCEN notes this proposed rule does not propose any amendments to the final rule establishing AML/CFT
and suspicious activity report (SAR) filing requirements for registered investment advisers and exempt reporting advisers,
which has been delayed until January 1, 2028. See FinCEN, Delaying the Effective Date of the Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity
Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers Final Rule, 91 FR 36 (Jan. 2, 2026).

(3) As defined in section 281(5) of the Countering America's Adversaries Through Sanctions Act, the term “illicit finance” means
“the financing of terrorism, narcotics trafficking, or proliferation, money laundering, or other forms of illicit financing
domestically or internationally, as defined by the President.” Public Law 115-44 (Aug. 2, 2017).

(4) 31 U.S.C. 5311.

(5) Treasury Order 180-01 (Jan. 14, 2020), para. 3, https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01; see also 31 U.S.C. 310(b)(2)(I) (providing that the Director of FinCEN shall “[a]dminister the requirements of subchapter II of chapter
53 of this title, chapter 2 of title I of Public Law 91-508, and section 21 of the Federal Deposit Insurance Act, to the extent
delegated such authority by the Secretary.”).

(6) Most recently, Congress enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act on July
18, 2025. Public Law 119-27, codified at 12 U.S.C. 5901 et seq. The GENIUS Act requires that permitted payment stablecoin issuers be treated as financial institutions for purposes of the
BSA including being required to maintain “an effective anti-money laundering program.” See 12 U.S.C. 5903(a)(5)(A)(i). The GENIUS Act also requires the Agencies to issue regulations relating to PPSIs, including regulations
pertaining to BSA compliance standards. 12 U.S.C. 5903(a)(4)(iv). These AML/CFT requirements and standards for PPSIs are addressed
separately from this rulemaking.

(7) Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992).

(8) 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550 (Oct.
28, 1992). FinCEN notes the proposed rule sequences these AML/CFT program components—the four pillars—in the order of the
existing AML program rule for banks, rather than the order used in 31 U.S.C. 5318(h)(1): namely, (i) a system of internal
controls to assure ongoing compliance; (ii) independent testing for compliance to be conducted by bank personnel or by an
outside party; (iii) designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;
and (iv) training for appropriate personnel. See 31 CFR 1020.210(a)(2). FinCEN, however, does not intend the change in sequencing to modify or signify changes in any substantive
requirements.

(9) 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat.
272 (Oct. 26, 2001).

(10) 31 U.S.C. 5318(h), as added by section 352 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001).

(11) 31 U.S.C. 5318(a)(2), (h)(1), (h)(2); supra note 5

(12) See FinCEN, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 11, 2016).

(13) William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan.
1, 2021).

(14) Congress noted in its Joint Explanatory Statement of the Committee of Conference accompanying the FY21 NDAA that: “the current
[AML/CFT] regulatory framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which the Congress
enacted in 1970. This decades-old regime, which has not seen comprehensive reform and modernization since its inception, is
generally built on individual reporting mechanisms (i.e., currency transaction reports (CTRs) and SARs) and contemplates aging, decades-old technology, rather than the current, sophisticated
AML compliance systems now managed by most financial institutions.” Congress further stated that the AML Act “comprehensively
update[s] the BSA for the first time in decades and provide[s] for the establishment of a coherent set of risk-based priorities.”
Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication,
and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better
focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” H.R. Rep.
No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

(15) H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference).

(16) 15 U.S.C. 6809(2).

(17) See FinCEN, AML/CFT Priorities (June 30, 2021). As required by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent
with Treasury's National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024) and supported by Treasury's
National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. See U.S. Department of the Treasury, 2026 National Money Laundering Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NMLRA.pdf; 2026 National Terrorist Financing Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NTFRA.pdf; 2026 National Proliferation Financing Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NPFRA.pdf. As also required by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the Attorney General, Federal functional
regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities
not less frequently than once every four years.

(18) FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR 58023 (Sept. 17, 2020).

(19) 85 FR 58026.

(20) Id.

(21) FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 89 FR 55428 (July 3, 2024).

(22) As discussed below, these Federal agencies are also known as the Federal Financial Institutions Regulatory Agencies (FFIRAs)
and proposed 1010.100(ooo) defines these agencies using this term. However, this preamble uses the term “Agencies” to refer
to the FFIRAs.

(23) FRB, FDIC, NCUA, and OCC, Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements, 89 FR 65242 (Aug. 9, 2024).

(24) 89 FR 55430.

(25) 89 FR 55436.

(26) “Reports filed under this subsection shall be guided by the compliance program of a covered financial institution with respect
to the Bank Secrecy Act, including the risk assessment processes of the covered institution that should include a consideration
of priorities established by the Secretary of the Treasury under section 5318.” 31 U.S.C. 5318(g)(5)(C), as added by section
6202 of the AML Act.

(27) 89 FR 55485.

(28) 31 U.S.C. 5318(h)(5).

(29) 89 FR 55444.

(30) U.S. Department of the Treasury, Press Release, “Treasury Secretary Scott Bessent Remarks before the American Bankers Association”
(Apr. 9, 2025), https://home.treasury.gov/news/press-releases/sb0078.

(31) U.S. Department of the Treasury, Press Release, “Remarks by Secretary of the Treasury Scott Bessent Before the Fed Community
Bank Conference” (Oct. 9, 2025), https://home.treasury.gov/news/press-releases/sb0276.

(32) Id.

(33) U.S. Department of the Treasury, Press Release, “Deputy Secretary Faulkender Lays Out Guiding Principles for Bank Secrecy
Act Modernization” (June 18, 2025), https://home.treasury.gov/news/press-releases/sb0173.

(34) FinCEN, FinCEN Permits Banks to Use Alternative Collection Method for Obtaining TIN Information (June 27, 2025), https://www.fincen.gov/news/news-releases/fincen-permits-banks-use-alternative-collection-method-obtaining-tin-information.

(35) FinCEN, FinCEN Issues Frequently Asked Questions to Clarify Suspicious Activity Reporting Requirements (Oct. 9, 2025), https://www.fincen.gov/news/news-releases/fincen-issues-frequently-asked-questions-clarify-suspicious-activity-reporting.

(36) FinCEN, FinCEN Issues Exceptive Relief to Streamline Customer Due Diligence Requirements (Feb. 13, 2026), https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf.

(37) E.O. 14192, Unleashing Prosperity Through Deregulation, 90 FR 9065 (issued Jan. 31, 2025; published Feb. 6, 2025).

(38) Id.

(39) 31 U.S.C. 5311.

(40) 31 U.S.C. 5318(h)(2)(B)(iv)(II).

(41) E.O. 14331, Guaranteeing Fair Banking for All Americans, 90 FR 38925 (issued Aug. 7, 2025; published Aug. 12, 2025).

(42) See FRB, FDIC, FinCEN, NCUA, and OCC, Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (July 6, 2022), https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and.

(43) 31 U.S.C. 5318(h)(2)(B)(iii).

(44) FinCEN, FinCEN Statement on Enforcement of the Bank Secrecy Act (Aug. 18, 2020), https://www.fincen.gov/news/news-releases/fincen-statement-enforcement-bank-secrecy-act.

(45) Because FinCEN has not delegated any enforcement authority to the Agencies, the Agencies have no authority to take an enforcement
action under 31 CFR chapter X. As a result, there is no corresponding rule text related to enforcement actions by the Agencies
acting under authority provided by FinCEN.

(46) FinCEN anticipates the Agencies imposing a similar consultation requirement on themselves when the Agencies act under other
laws, including 12 U.S.C. 1786 or 1818.

(47) Countering the financing of terrorism (CFT) includes laws, rules, regulations, or other measures intended to detect and disrupt
the solicitation, collection, or provision of funds to support terrorist acts or terrorist organizations, or other violent
extremist groups.

(48) See 31 U.S.C. 5318(h)(2)(B)(iii).

(49) Federal Financial Institutions Examination Council (FFIEC), FFIEC BSA/AML Examination Manual, Assessing Compliance with BSA Regulatory Requirements — Suspicious Activity Reporting, https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04.

(50) 85 FR 58026.

(51) AML Act, section 6002(3) (Purposes).

(52) E.O. 14179, Removing Barriers to American Leadership in Artificial Intelligence, 90 FR 8741 (issued Jan. 23, 2025; published Jan. 31, 2025); White House, Winning the Race America's AI Action Plan (July 2025), https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf; E.O. 14179, Ensuring a National Policy Framework for Artificial Intelligence, 90 FR 58499 (issued Dec. 11, 2025; published Dec. 16, 2025).

(53) U.S. Department of the Treasury, 2024 National Strategy for Combating Terrorist and Other Illicit Financing (May 2024), https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf.

(54) U.S. Department of the Treasury, Press Release, “Remarks by Under Secretary for Terrorism and Financial Intelligence John
K. Hurley at the Association of Certified Anti-Money Laundering Specialists Assembly Conference” (Sept. 17, 2025), https://home.treasury.gov/news/press-releases/sb0251.

(55) White House, Strengthening American Leadership in Digital Financial Technology (July 30, 2025), https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf; U.S. Department of the Treasury, Report to Congress from the Secretary of the Treasury on Innovative Technologies to Counter Illicit Finance Involving Digital
Assets (Mar. 2026), https://home.treasury.gov/system/files/246/GENIUS-Act-Illicit-Finance-Innovation-Congressional-Report-March-2026.pdf.

(56) FRB, FDIC, FinCEN, NCUA, and OCC, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing (Dec. 3, 2018), https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf.

(57) OCC, FRB, FDIC, NCUA, and FinCEN, Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy
Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements, 86 FR 18978 (Apr. 12, 2021).

(58) FRB and OCC, Supervisory Guidance on Model Risk Management, (Apr. 4, 2011), https://www.federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf.

(59) For instance, the provision of the BSA which requires financial institutions to have AML/CFT program rules states that “each
financial institution shall establish ”(emphasis added) such programs, including certain requirements as specified. See 31 U.S.C. 5318(h)(1). The corresponding Federal statute requiring banks regulated by the Federal banking agencies to have
BSA compliance programs states that these banks must “establish and maintain procedures reasonably designed to assure and
monitor the compliance” with the requirements of the BSA. 12 U.S.C. 1818(s)(1). In addition, the current program rules regulating
financial institutions use inconsistent terms to describe establishing, implementing, and maintaining AML/CFT programs. For
example, some programs rules use the terms “implements and maintains”—31 CFR 1020.210 (banks); 1021.210 (casinos); 1023.210
(broker-dealers); 1026.210 (FCMs and IBCs) while others use the terms “develop, implement, and maintain,” 1022.210 (MSBs)
and others use “develop and implement” 1024.210 (mutual funds); 1025.210 (insurance companies); 1027.210 (DPMSJs); 1028.210
(operators of credit card systems); 1029.210 (loan or finance companies); and 1030.210 (housing GSEs)—with respect to the
general AML program requirement.

(60) The proposed rule would clarify that this limitation on AML/CFT enforcement actions and significant AML/CFT supervisory actions
does not apply with respect to a failure to properly establish an AML/CFT program.

(61) 31 U.S.C. 5318(h)(1)(A).

(62) See 31 CFR 1029.210 (loan or finance companies); 1030.210 (housing GSEs); see also 31 CFR 1025.210 (insurance companies); 1028.210 (operators of credit card systems).

(63) See 31 CFR 1022.210 (MSBs); 1025.210 (insurance companies); see also 31 CFR 1021.210 (casinos) (“commensurate with the money laundering and terrorist financing risks posed by the products and
services”).

(64) The current program rules without explicit risk assessment requirements are located at 31 CFR 1020.210 (banks); 1021.210
(casinos); 1022.210 (MSBs); 1023.210 (broker-dealers); 1024.210 (mutual funds); and 1026.210 (FCMs and IBCs).

(65) See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020), https://www.fincen.gov/system/files/shared/314bfactsheet.pdf.

(66) See U.S. Department of the Treasury, 2026 National Money Laundering Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NMLRA.pdf; 2026 National Terrorist Financing Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NTFRA.pdf; 2026 National Proliferation Financing Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NPFRA.pdf.

(67) See, e.g., FinCEN, Financial Trend Analyses, https://www.fincen.gov/resources/financial-trend-analyses.

(68) 31 U.S.C. 5318(h)(4)(E).

(69) 31 U.S.C. 5318(h)(4)(B).

(70) U.S. Department of the Treasury, Press Release, “Secretary Bessent Announces Initiatives to Combat Rampant Fraud in Minnesota”
(Jan. 9, 2026), https://home.treasury.gov/news/press-releases/sb0354.

(71) FinCEN, Alerts/Advisories/Notices/Bulletins/Fact Sheets, https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets.

(72) FinCEN, Financial Trend Analyses, https://www.fincen.gov/resources/financial-trend-analyses.

(73) FinCEN, FinCEN Alert on Fraud Rings and their Exploitation of Federal Child Nutrition programs in Minnesota, (Jan. 9, 2026), https://www.fincen.gov/system/files/2026-01/FinCEN-Alert-Federal-Child-Nutrition-Programs.pdf.

(74) 31 U.S.C. 5318(h)(2)(B)(iv)(II).

(75) See applicable program rules with CDD requirements for covered financial institutions located at 31 CFR 1020.210(a)(2)(v) and
(b)(2)(v) (banks); 1023.210(b)(5) (broker-dealers); 1024.210(b)(5) (mutual funds); and 1026.210(b)(5) (FCMs and IBCs).

(76) 31 U.S.C. 5318(h)(1)(D).

(77) See 31 CFR 1020.210(a)(2)(ii), (b)(2)(ii) (banks); 1021.210(b)(2)(ii) (casinos); 1022.210(d)(4) (MSBs); 1023.210(b)(2) (broker-dealers);
1024.210(b)(2) (mutual funds); 1025.210(b)(4) (insurance companies); 1026.210(b)(2) (FCMs and IBCs); 1027.210(b)(4) (DPMSJs);
1028.210(b)(4) (operators of a credit card system); 1029.210(b)(4) (loan or finance companies); 1030.210(b)(4) (housing GSEs).

(78) This is consistent with current 31 CFR 1022.210, which provides that independent testing review may be conducted by an officer
or employee of the MSB so long as the tester is not the AML/CFT officer. Similarly, current 31 CFR 1025.210, 1029.210, and
1030.210 provide that independent testing at insurance companies, loan or finance companies, and housing GSEs, respectively,
may be conducted by a third party or by any officer or employee of the financial institution, other than the AML/CFT officer.
Likewise, 31 CFR 1027.210(b)(4) and 1028.210(b)(4) provide that independent testing of a DPMSJ or an operator of a credit
card system, respectively, can be conducted by an officer or employee of the institution, so long as the tester is not the
AML/CFT officer or a person involved in the operation of the AML/CFT program. Determining whether testing at U.S. operations
of foreign financial institutions is adequately “independent” may include a review of the reporting arrangements between the
party

  conducting the independent testing and the AML/CFT officer, or equivalent management function such as a head of business line
  or a general manager, to assess any conflicts of interests and the level of independence with the party conducting the independent
  testing.

(79) See FRB, FDIC, NCUA, OCC and FinCEN, Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.

(80) See applicable program rules located at 31 CFR 1023.210(b)(2) (broker-dealers); 1024.210(b)(2) (mutual funds); and 1026.210(b)(2)
(FCMs and IBCs).

(81) See 31 CFR 1022.210(d)(2) (MSBs); 1025.210(b)(2) (insurance companies); 1027.210(b)(2) (DPMSJs); 1028.210(b)(2) (operators of
credit card systems); 1029.210(b)(2) (loan or finance companies); 1030.210(b)(2) (housing GSEs).

(82) See 31 CFR 1027.210(b)(2)(i) (DPMSJs); 1028.210(b)(2)(i) (operators of credit card systems); 1029.210(b)(2)(i) (loan or finance
companies); 1030.210(b)(2)(i) (housing GSEs).

(83) 31 U.S.C. 5318(h)(5).

(84) See, e.g., FinCEN, Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3, 2010); see also FinCEN, FRB, FDIC, OCC, and Office of Thrift Supervision, Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (Jan. 20, 2006), https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf.

(85) 31 U.S.C. 5318(h)(1)(C).

(86) See 31 CFR 1020.210(a)(2)(iv), (b)(2)(iv) (banks); 1021.210(b)(2)(iii) (casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) (broker-dealers);
1024.210(b)(4) (mutual funds); 1025.210(b)(3) (insurance companies); 1026.210(b)(4) (FCMs and IBCs); 1027.210(b)(3) (DPMSJs);
1028.210(b)(3) (operators of credit card systems); 1029.210(b)(3) (loan or finance companies); 1030.210(b)(3) (housing GSEs).

(87) Current 31 CFR 1020.210(b) requires banks lacking a Federal functional regulator to establish, maintain, and make available
a written anti-money laundering program. Banks with a Federal functional regulator are required to have written anti-money
laundering programs under the regulators' existing rules. See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), 748.2(b)(1). The current program rules require other types of financial institutions
to have written programs at 31 CFR 1021.210(b)(1) (casinos); 1022.210(c) (MSBs); 1023.210 (broker-dealers); 1024.210(a) (mutual
funds); 1025.210(a) (insurance companies); 1026.210 (FCMs and IBCs); 1027.210(a)(1) (DPMSJs); 1028.210(a) (operators of credit
card systems); 1029.210(a) (loan or finance companies); 1030.210(a) (housing GSEs).

(88) See 31 CFR 1010.810(b) (FinCEN's delegation of “[a]uthority to examine institutions to determine compliance with the requirements
of this chapter”).

(89) For broker-dealers, FinCEN recognizes the SEC as the relevant Federal functional regulator. See id. 1010.810(b)(6) (delegating examination authority to SEC for broker-dealers). FinCEN recognizes registered national securities
exchanges or a national securities association, such as the Financial Industry Regulatory Authority (FINRA), as the relevant
SROs for member broker-dealers. Similarly, for FCMs and IBCs, FinCEN recognizes the CFTC as the relevant Federal functional
regulator, 31 CFR 1010.810(b)(9), and the National Futures Association (NFA) as the SRO.

(90) The FRB, FDIC, and OCC each require the U.S. branches, agencies, and representative offices of the foreign banks they supervise
operating in the United States to develop written BSA compliance programs that are approved by their respective bank's board
and noted in the minutes, or that are approved by delegates acting under the express authority of their respective bank's
board to approve the BSA compliance programs. See 208.63(b)(1), 12 CFR 21.21(c)(1), 326.8(b)(1), and 748.2(b)(1). “Express authority” means the head office must be aware of
its U.S. AML program requirements and there must be some indication of purposeful delegation.

(91) See 31 CFR 1020.210(b)(3) (banks lacking a Federal functional regulator).

(92) See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), 748.2(b)(1).

(93) See 31 CFR 1023.210 (broker-dealers); 1025.210(a) (insurance companies); 1026.210 (FCMs and IBCs); 1027.210(a)(1) (DPMSJs); 1028.210(a)
(operators of credit card systems); 1029.210(a) (loan or finance companies); 1030.210(a) (housing GSEs).

(94) See applicable AML program rules located at 31 CFR 1021.210 (casinos) and 1022.210 (MSBs).

(95) See 17 CFR 270.38a-1(a)(2).

(96) The proposal is not intended to and does not affect criminal enforcement liability under the BSA, or the related authority
of the Department of Justice.

(97) FinCEN, FinCEN Statement on Enforcement of the Bank Secrecy Act (Aug. 18, 2020), at pp. 2-3, https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.

(98) This includes when the Agencies are consulting with FinCEN as required under the proposed rule, or under a consultation requirement
they have imposed on themselves (which may include enforcement actions).

(99) FinCEN, FinCEN Exchange, https://www.fincen.gov/resources/fincen-exchange.

(100) FinCEN, FinCEN Statement on Enforcement of the Bank Secrecy Act (Aug. 18, 2020), https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.

(101) The CIP rules are located at 31 CFR 1020.220 (banks), 1023.220 (broker-dealers), 1024.220 (mutual funds), and 1026.220 (FCMs
and IBCs).

(102) In particular, FinCEN first proposes to simplify this BSA definition to refer only to the U.S. Code provisions codifying
the BSA, rather than to any act of Congress from which these provisions were originally derived. Second, FinCEN proposes removing
18 U.S.C. 1956, 1957, and 1960 from the regulatory BSA definition. These criminal provisions were included in FinCEN's BSA
definition given their relationship to money laundering but are not otherwise linked to the other BSA provisions and are not
included in the AML Act's BSA definition in section 6003(1) of the Act. Third, FinCEN proposes amending its BSA definition
to include 31 U.S.C. 5336 (i.e., the operative provisions of the Corporate Transparency Act), which was added to the BSA by section 6403 of the AML Act.

(103) Additionally, FinCEN proposes amending the authority citations in the relevant CFR sections to account for relevant statutory
changes.

(104) 15 U.S.C. 78a et seq.

(105) 7 U.S.C. 1 et seq.

(106) See FinCEN, Customer Identification Programs, Anti-Money Laundering Programs, and Beneficial Ownership Requirements for Banks Lacking
a Federal Functional Regulator, 85 FR 57129 (Sept. 15, 2020).

(107) See applicable program rules located at 31 CFR 1020.210(a)(1), (b)(1) (banks); 1023.210(a) (broker-dealers); and 1026.210(a) (FCMs
and IBCs).

(108) See 31 CFR 1020.210(a)(2)(ii), (b)(2)(ii) (banks); 1021.210(b)(2)(ii) (casinos); 1022.210(d)(4) (MSBs); 1023.210(b)(2) (broker-dealers);
1024.210(b)(2) (mutual funds); 1025.210(b)(4) (insurance companies); 1026.210(b)(2) (FCMs and IBCs); 1027.210(b)(4) (DPMSJs);
1028.210(b)(4) (operators of a credit card system); 1029.210(b)(4) (loan or finance companies); 1030.210(b)(4) (housing GSEs).

(109) 31 U.S.C. 5318(h)(1)(D).

(110) E.O. 14294, Fighting Overcriminalization in Federal Regulations, 90 FR 20367 (issued May 9, 2025; published May 14, 2025).

(111) E.O. 12866, Regulatory Planning and Review, 58 FR 51735 (issued Sept. 30, 1993; published Oct. 4, 1993).

(112) E.O. 13563, Improving Regulation and Regulatory Review, 76 FR 3821 (issued Jan. 18, 2011; published Jan. 21, 2011).

(113) See E.O. 14192, Unleashing Prosperity Through Deregulation, 90 FR 9065 (issued Jan. 31, 2025; published Feb. 6, 2025); Office of Management and Budget, Guidance Implementing Section 3 of Executive Order 14192, Titled “Unleashing Prosperity Through Deregulation,” M-25-20 (Mar. 26, 2025), https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf.

(114) 5 U.S.C. 601 et seq.

(115) 2 U.S.C. 1532.

(116) 44 U.S.C. 3501 et seq.

(117) This economic expectation is sensitive to key assumptions about how potentially affected financial institutions would respond
to the proposed requirements. FinCEN requests comment on whether it would instead be more reasonable to certify that the proposed
rule would not have a significant economic impact on a substantial number of small entities. See infra section X.F #16.

(118) The UMRA requires an assessment of mandates with an annual expenditure of $100 million or more, adjusted for inflation. 2
U.S.C. 1532(a). FinCEN has not anticipated material changes in expenditures for State, local, and Tribal governments, insofar
as they would not participate in the primary activities of monitoring or enforcing compliance of the newly proposed requirements
in a way that differs from current involvement, thereby incurring novel incremental costs. But because the proposed rule would
affect entities in the private sector that are covered financial institutions, FinCEN has considered expenditures these private
entities may incur, pursuant to UMRA, as part of the regulatory impact in its assessment below.

(119) See infra section X.E.

(120) See supra section IV.B.

(121) Banks include covered financial institutions defined under 31 CFR 1010.100(t)(1) and (d).

(122) See infra section X.A.

(123) See infra section X.B.

(124) See infra section X.C.

(125) See infra section X.D.

(126) See infra section X.E.

(127) See infra section X.F.

(128) See infra section X.A.1.

(129) See infra section X.A.2.

(130) See infra section X.A.3.

(131) See infra section X.A.4.

(132) See infra section X.A.5.

(133) See E.O. 12866, supra note 111, sec 1(b)(1), (“Each agency shall identify the problem that it intends to address (including, where applicable, the
failures of private markets or public institutions that warrant new agency action) as well as assess the significance of that
problem.”); see also OMB, Circular A-4 (2003), sec. B, The Need for Federal Regulatory Action, https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf.

(134) In particular, Congress instructed FinCEN to consider the potential economic inefficiencies engendered by the presence of
market externalities when promulgating implementing regulations. See 31 U.S.C. 5318(h)(2)(B)(i) (noting that compliant financial institutions generate “a public . . . benefit,” i.e., positive externalities); see also id. 5318(h)(2)(B)(iii) (further noting the “public benefits”—positive externalities—generated by compliant financial institutions).

(135) The extent to which these broad economic considerations apply uniformly to the various components of the proposed rule may
in some instances be limited. FinCEN's analysis is not intended to speak to (or in place of) the views of Congress regarding
the fundamental economic problems that animate the proposed rule but are expected to be generally consistent with what AML
Act section 6101(b), as promulgated, was intended to accomplish.

(136) See FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 89 FR 55428, 55450 (July 3, 2024) (Broad Economic Considerations).

(137) See infra section X.A.4.i.

(138) In this context, FinCEN employs the term “market” in its broadest economic sense, referring to any set of exchanges, transactions,
or actions that involve counterparties with unique objectives. The baseline here set forth also forms the counterfactual against
which the quantifiable effects of the rule are measured; therefore, substantive errors in or omissions of relevant data, facts,
or other information may affect the conclusions formed regarding the general and economically significant impacts of the rule.
FinCEN invites comment on the

  accuracy of the baseline population estimates as well as any supporting studies, data, or anecdotes in *infra* section X.F #1.

(139) See E.O. 12866, supra note 111, at section 1(a) (“In deciding whether and how to regulate, agencies should assess all costs and benefits of available
regulatory alternatives, including the alternative of not regulating.”).

(140) See infra section X.A.4; see also infra sections X.C and X.E.

(141) See infra section X.F #2.

(142) See infra section X.A.2.i.d; see also infra sections X.A.4.i.d and X.A.4.ii.c.

(143) See infra section X.F #3.

(144) See supra note 2; see also supra section I.

(145) 31 CFR 1010.100(t).

(146) 13 CFR 121.201; see generally infra section X.C.

(147) These figures represent an approximate number of Federal examiners provided by FFRs with AML/CFT supervisory responsibilities.
These estimates do not include persons performing examinations on behalf of SROs, though FinCEN expects that such parties
may also be affected.

(148) See 31 CFR 1010.810(b).

(149) See supra sections V.F.2 and 3.

(150) See FinCEN, Financial Crimes Enforcement Network (FinCEN) Year in Review for Fiscal Year 2024, p. 5, https://www.fincen.gov/system/files/2025-08/FinCEN-Infographic-Public-2025-508.pdf. Note that not all users are from external agencies. FinCEN employees are also among the users with access to the BSA Portal.

(151) Estimates of the annual cost of crime, generally, are usually measured in trillions of dollars (see, e.g., David A. Anderson, “The Aggregate Cost of Crime in the United States,” The Journal of Law and Economics, vol 64 no. 4 (2021)) and financial crimes specifically in billions of dollars (see, e.g., the Federal Trade Commission, Consumer Sentinel Network Data Book 2024 (Mar. 2025), https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf).

(152) Of participants in the FRB's 2024 Survey of Household Economics and Decisionmaking (SHED), 21 percent reported being the
victim of financial fraud or a scam involving their money, of which, eight of those percent did not involve credit cards. See FRB, Report on the Economic Well-Being of U.S. Households in 2024—May 2025 (SHED Report 2024), https://www.federalreserve.gov/publications/2025-economic-well-being-of-us-households-in-2024-banking-and-credit.htm.

(153) See FDIC, 2023 FDIC National Survey of Unbanked and Underbanked Households (Nov. 2024), https://www.fdic.gov/household-survey/2023-fdic-national-survey-unbanked-and-underbanked-households-report; see also SHED
Report 2024, https://www.federalreserve.gov/publications/2025-economic-well-being-of-us-households-in-2024-banking-and-credit.htm.

(154) See U.S. Census Bureau, Age and Sex Composition in the United States: 2023, https://www.census.gov/data/tables/2023/demo/age-and-sex/2023-age-sex-composition.html.

(155) Although some financial institutions covered by this change have already incorporated awareness of and response to CFT issues
into their programs (see infra table 4), for the purposes of this analysis, FinCEN is employing the term “AML/CFT program” for programs that would be adopted
should this rulemaking become effective.

(156) See supra section V.D for a description of current program requirements and the proposed amendments.

(157) See supra section V.D.1 for a discussion of proposed amendments to internal policies, procedures, and controls requirements.

(158) See 31 CFR 1020.210(a)(2)(i) for banks with an FFR, 31 CFR 1020.210(b)(2)(i) for banks without an FFR, and 31 CFR 1021.210(b)(2)(i)
for casinos.

(159) See 31 CFR 1022.210(d)(1).

(160) See 31 CFR 1023.210(b)(1).

(161) See supra section V.D.2 for a discussion of proposed amendments to the independent testing requirements.

(162) See 31 CFR 1020.210(a)(2)(ii) for banks with an FFR, 31 CFR 1020.210(b)(2)(ii) for banks without an FFR, 31 CFR 1023.210(b)(2)
for broker-dealers, 31 CFR 1024.210(b)(2) for mutual funds, and 31 CFR 1026.210(b)(2) for FCMs and IBCs.

(163) See 31 CFR 1022.210(d)(4) for MSBs, 31 CFR 1025.210(b)(4) for insurance companies, 31 CFR 1027.210(b)(4) for DPMSJs, 31 CFR 1028.210(b)(4)
for operators of credit card systems, 31 CFR 1029.210(b)(4) for loan or finance companies, and 31 CFR 1030.210(b)(4) for housing
GSEs.

(164) See 31 CFR 1025.210(b)(4) for insurance companies, 31 CFR 1027.210(b)(4) for DPMSJs, 31 CFR 1028.210(b)(4) for operators of credit
card systems, 31 CFR 1029.210(b)(4) for loan or finance companies, and 31 CFR 1030.210(b)(4) for housing GSEs.

(165) See supra section V.D.3 for a discussion on the proposed AML/CFT officer amendments.

(166) See 31 CFR 1020.210(a)(2)(iii) for banks with an FFR and 31 CFR 1020.210(b)(2)(iii) for banks without an FFR.

(167) See 31 CFR 1023(b)(3) for broker-dealers, 31 CFR 1024.210(b)(3) for mutual funds, and 31 CFR 1026.210(b)(3) for FCMs and IBCs.

(168) See 31 CFR 1025.210(b)(2) for insurance companies, 31 CFR 1027.210(b)(2) for DPMSJs, 31 CFR 1028.210(b)(2) for operators of credit
card systems, 31 CFR 1029.210(b)(2) for loan or finance companies, and 31 CFR 1030.210(b)(2) for housing GSEs.

(169) See supra section V.D.4 for a discussion of the proposed amendments to the training requirements.

(170) See 31 CFR 1023.210(b)(4) for broker-dealers, 31 CFR 1024.210(b)(4) for mutual funds, 31 CFR 1025.210(b)(3) for insurance companies,
31 CFR 1026.210(b)(4) for FCMs and IBCs, 31 CFR 1027.210(b)(3) for DPMSJs, 31 CFR 1029.210(b)(3) for loan or finance companies,
and 31 CFR 1030.210(b)(3) for housing GSEs.

(171) See 31 CFR 1020.210(a)(2)(iv) for banks with an FFR, 31 CFR 1020.210(b)(2)(iv) for banks without an FFR, 31 CFR 1021.210(b)(2)(iii)
for casinos, 31 CFR 1022.210(d)(3) for MSBs, and 31 CFR 1028.210(b)(3) for operators of credit card systems.

(172) See 31 CFR 1025.210(b)(3) for insurance companies, 31 CFR 1029.210(b)(3) for loan or finance companies, and 31 CFR 1030.210(b)(3)
for housing GSEs.

(173) See supra section V.D.1.iii for a discussion of proposed amendments to the CDD requirements.

(174) See 31 CFR 1020.210(a)(2)(v) for banks with an FFR, 31 CFR 1020.210(b)(2)(v) for banks without an FFR, 31 CFR 1023.210(b)(5) for
broker-dealers, 31 CFR 1024.210(b)(5) for mutual funds, 31 CFR 1026.210(b)(5) for FCMs and IBCs.

(175) See 31 CFR 1021.210(b)(2)(v)(A) for casinos and 31 CFR 1028.210(b)(1)(i) and (ii) for operators of credit card systems.

(176) See 31 CFR 1021.210(b)(2)(v)(A).

(177) See infra section X.F #4.

(178) See Comments to the Advance Notice of Proposed Rulemaking, FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR 58023 (Sept. 17, 2020), https://www.regulations.gov/docket/FINCEN-2020-0011/comments. See also Comments to the Request for Information, FinCEN, Review of Bank Secrecy Act Regulations and Guidance, 86 FR 71201 (Dec. 15, 2021), https://www.regulations.gov/document/FINCEN-2021-0008-0001. See also Comments to the NPRM, FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 89 FR 55428 (July 3, 2024), https://www.regulations.gov/document/FINCEN-2024-0013-0001/comment.

(179) Nevertheless, such changes in expenditures may benefit some financial institutions (See infra section X.A.4.i.a).

(180) See 60-day notice for OMB Control No. 1506-0020, 1506-0030, and 1506-0035: FinCEN, Anti-Money Laundering Programs for Certain Financial Institutions (for banks lacking an FFR, principal MSBs, agent MSBs, mutual funds, insurance companies, DPMSJs, operators of credit card
systems, and loan or finance companies), 89 FR 29427 (Apr. 22, 2024). See also 60-day notice for OMB Control No. 1506-0051: FinCEN, Anti-Money Laundering Program Requirements for Casinos, 89 FR 65977 (Aug. 13, 2024).

(181) See FinCEN, Agency Information Collection Activities: Proposed New Information Collection; Survey of the Costs of AML/CFT Compliance;
Comment Request, 90 FR 47132 (Sept. 30, 2025).

(182) See infra section X.F #5.

(183) See FinCEN, Anti-Money Laundering/Countering the Financing of Terrorism Programs, 89

  FR 55428, 55458-55463 (July 3, 2024). In section VII.A.2.C., Current Market Practices, FinCEN estimated an annual burden between
  $5.1 and $7.5 billion in AML Program and SAR reporting costs.

(184) See GAO, Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks' Costs to
Comply with the Act Varied, GAO-20-574 (Sept. 2020), https://www.gao.gov/assets/gao-20-574.pdf.

(185) See Drew Dahl, Jim Fuchs, Andrew Meyer, and Michelle Neely, Compliance Costs, Economies of Scale and Compliance Performance: Evidence from a Survey of Community Banks, Federal Reserve Bank of St. Louis (Apr. 2018), https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf?sc_lang=en&hash=19C682B5EFB86B37D6A8604DE9087DA6.

(186) See Francesco Trebbi, Miao Ben Zhang, and Michael Simkovic, The Cost of Regulatory Compliance in the United States, U.S.C. Marshall School of Business Research Paper (Oct. 23, 2024), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4331146.

(187) 31 CFR 1010.810(b).

(188) FinCEN has not delegated to the Agencies its ability to enforce the BSA and undertakes its own enforcement investigations
and actions, as appropriate (see supra note 45). However, FinCEN generally undertakes a materially lower volume of BSA-related enforcement actions than the Agencies,
including because FinCEN's enforcement mandate encompasses all types of financial institutions subject to the BSA (i.e., it is not limited to banks and depository institutions).

(189) For more detail, see, e.g., GAO 2020 report (supra note 184), see also OCC, Examination Process: Bank Supervision Process Comptroller's Handbook (Sept. 2019), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/bank-supervision-process/pub-ch-bank-supervision-process.pdf;
see also, David W. Perkins, Bank Supervision by Federal Regulators: Overview and Policy Issues, Congressional Research Service, CRS Report R46648 (Dec. 28, 2020), https://www.congress.gov/crs-product/R46648.

(190) See FDIC, Proposed 2026 FDIC Operating Budget, Exhibit 6, Proposed 2026 Corporate Operating Budget by Business Line (Jan. 9, 2026), https://www.fdic.gov/financial-reports/fdic-budget.

(191) See FRB, Annual Report—2024, Federal Reserve System Budgets, Table D.3 and D.9, https://www.federalreserve.gov/publications/2024-ar-federal-reserve-system-budgets.htm. FinCEN calculated the total budgets as the sum of the budgets for the Board of Governors and the Federal Reserve Banks.

(192) See OCC, 2025 Annual Report, p. 25, https://www.occ.gov/publications-and-resources/publications/annual-report/files/2025-annual-report.html.

(193) FinCEN was unable to obtain comparable data on the NCUA's expenditures on supervisory or examinations activities but anticipates
that it would be significantly smaller given that the NCUA's entire operating budget for 2025 was less than $423 million in
2025. See NCUA, 2026-2027 Staff Draft Budget (Sept. 2025), p. 11, https://ncua.gov/files/publications/budget/budget-justification-proposed-2026-2027.pdf.

(194) This estimated percentage does not include an estimate of expenditures by the NCUA, but given their expected order of magnitude
(see supra note 193), this exclusion is not expected to affect the general magnitude of change required to exceed a $100 million significance
threshold.

(195) FY21 NDAA, section 6201 (Annual reporting requirements), https://www.congress.gov/116/plaws/publ283/PLAW-116publ283.pdf.

(196) FinCEN, Agency Information Collection Activities: Proposed Renewal; Comment Request; Renewal Without Change of the Generic Clearance
for the Collection of Qualitative Feedback on Agency Service Delivery, 88 FR 30383 (May 11, 2023).

(197) GAO conducted the survey from November 9, 2019, through March 16, 2020. See supra note 184.

(198) Based on a response rate of approximately 57 percent.

(199) See infra section X.A.4.

(200) See supra section V.A.

(201) See, e.g., with respect to regulatory language used to describe program-related training requirements supra sections V.D.4 and X.A.2.ii. S ee also, with respect to regulatory language used to describe independent testing requirements supra sections V.D.2 and X.A.2.ii. See with respect to regulatory language used to describe a designated individual supra sections V.D.3.i and X.A.2.ii.

(202) See discussion of the documentation requirements for programs supra section V.E.1; see also supra table 4. See also discussion of the removal from regulatory text of automated data processing requirements for casino and MSBs supra section V.G.2, of no longer binding compliance deadlines supra section V.G.3, and of cross-references to other regulations that are binding independent of FinCEN regulations supra V.G.4.

(203) See supra section V.G for description of definitional changes at 31 CFR 1010.100(e), (r), (nnn), and (ooo).

(204) See AML/CFT Priorities (June 30, 2021), https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements. As required by 31 U.S.C. 5318(h)(4)(C), the AML/CFT priorities are consistent with Treasury's National Strategy for Combating
Terrorist and Other Illicit Financing (May 16, 2024), https://home.treasury.gov/news/press-releases/jy2346. The AML/CFT Priorities are supported by Treasury's National Risk Assessments on Money Laundering, Terrorist Financing, and
Proliferation Financing (Feb. 7, 2024), https://home.treasury.gov/news/press-releases/jy2080. As also required by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the Attorney General, Federal functional
regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities
not less frequently than once every four years. 31 U.S.C. 5318(h)(2)(B).

(205) See supra section V.D.1.i.b.

(206) See supra sections V.B and C (describing the intent and mechanics of proposed 31 CFR 10XX.210(a)).

(207) See supra table 3 for covered financial institutions; i.e., those with CDD obligations.

(208) FinCEN, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 11, 2016), (stating, “FinCEN believes that there are four core elements of customer due diligence (CDD)[.
. . ]: (1) Customer identification and verification, (2) beneficial ownership identification and verification, (3) understanding
the nature and purpose of customer relationships to develop a customer risk profile, and (4) ongoing monitoring for reporting
suspicious transactions and, on a risk-basis, maintaining and updating customer information.”).

(209) Id. (Referring to the core elements: “The first is already an AML program requirement [. . . t]he third and fourth elements are
already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements.
The AML program rules for all covered financial institutions are being amended by the final rule in order to include the third
and fourth elements as explicit requirements.”).

(210) See supra section V.G.1.

(211) See supra section V.G.4.

(212) See supra section V.F.1.

(213) See proposed 31 CFR 1020.221(c)(2)(i) (generally requiring FFIRAs to provide written notice to the Director of any intent to take
a significant AML/CFT supervisory action pursuant to delegated authority at least 30 days in advance of the proposed action).

(214) See proposed 31 CFR 1020.221(c)(1) (requiring FFIRA consultation with the Director before any significant AML/CFT supervisory
action pursuant to delegated authority is initiated).

(215) Id.

(216) See proposed 31 CFR 1020.221(c)(2)(ii) (requiring, to the extent reasonably practicable, that an FFIRA respond to requests from
the Director for additional information regarding a proposed significant AML/CFT supervisory action).

(217) See OMB, Circular A-4, at 10. (2003), https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf.

(218) See supra section V.B.

(219) See infra section X.F #7.

(220) See infra section X.F #6.

(221) In this context, the phrase “U.S. and State government agencies” is meant to include Treasury's Offices of Terrorist Financing
and Financial Crimes, Foreign Assets Control, and Intelligence and Analysis, as well as the Attorney General, FFRs, relevant
State financial regulators, and relevant law enforcement and national security agencies.

(222) Further discussion of these changes to costs are covered in section X.A.4.ii.c. The discussion in this section considers
more exclusively the expected benefits to the general public that would flow from successful implementation of the proposed
rule.

(223) See infra section X.F #8 for a request for comment about the availability of such data.

(224) For further discussion of the harms and risks associated with money laundering, see U.S. Department of the Treasury, 2024 National Strategy for Combating Terrorist and Other Illicit Financing (May 2024), https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf; see also U.S. Department of the Treasury, National Money Laundering Risk Assessment (2024), https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf.

(225) As defined by E.O. 12866 under section 3(f)(1) as an annual effect on the economy of $100 million or more. See supra note 111.

(226) FinCEN requests comment on whether there are any categories of burden to covered financial institutions that should be articulated
and quantified in this subsection and requests data that would support such burden estimation. See infra section X.F #9.

(227) See supra section X.A.2.ii.

(228) FinCEN requests data on whether this expectation is reasonably accurate. See infra section X.F #10.

(229) FinCEN requests comment on whether its assessment that the proposed changes would have a deregulatory impact is appropriate. See infra section X.F #13.

(230) See FinCEN, Congressional Budget Justification FY 2026, available at https://home.treasury.gov/system/files/266/11.-FinCEN-FY-2026-CJ.pdf.

(231) See infra section X.F #15.

(232) See supra section II.C.2.

(233) In response to the 2024 Program NPRM, certain parties asserted a transition period of two of more years would be necessary
to operationalize a paradigmatic shift in program practices, pointing to various logistic issues such as updating processes
and technology, systems testing, and developing and deploying new training materials, among other necessary activities.

(234) See 13 CFR 121.201 for the size standards applied to small financial institutions as defined by the U.S. Small Business Administration
(SBA).

(235) Supra note 112, E.O. 13563 at section 1(c) (“Where appropriate and permitted by law, each agency may consider (and discuss qualitatively)
values that are difficult or impossible to quantify, including [. . .] distributive impacts.”).

(236) 58 FR 51740-41; 76 FR 3821-22.

(237) 5 U.S.C. 601 et seq.

(238) See infra section X.F #16.

(239) AML Act, section 6002(2)-(4) (Purposes).

(240) 31 U.S.C. 5318(h)(2)(B)(9)(iv)(II), as amended by section 6101 of the AML Act.

(241) 5 U.S.C. 601(6).

(242) FinCEN requests comment on the accuracy of these baseline estimates. See infra section X.F #17.

(243) See infra section X.F #4, 5, 9, and 16.

(244) See supra section X.A.4.i.a.

(245) 5 U.S.C. 603(b)(5) (requiring initial regulatory flexibility analysis to identify, to the extent practicable, all relevant
Federal rules which may duplicate, overlap, or conflict with the proposed rule).

(246) See infra section X.F #18.

(247) 2 U.S.C. 1532.

(248) The U.S. Bureau of Economic Analysis reports the annual value of the gross domestic product implicit price deflator for calendar
year 1995 (the year UMRA was enacted) as 66.939, and as 128.974 for calendar year 2025 (the most recent available). Thus,
the inflation-adjusted estimate for $100 million is 128.974 ÷ 66.939 × $100 million, or $192.7 million. U.S. Bureau of Economic
Analysis, Table 1.1.9. Implicit Price Deflators for Gross Domestic Product, https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&1921=survey&1903=13#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJDYXRlZ29yaWVzIiwiU3VydmV5Il0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyNSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==.

(249) 2 U.S.C. 1532(c) (“Any agency may prepare any statement required under subsection (a) of this section in conjunction with
or as a part of any other statement or analysis, provided that the statement or analysis satisfies the provisions of subsection
(a) of this section.”).

(250) See infra section X.F #19.

(251) See 44 U.S.C. 3506(c)(2)(A).

(252) See 44 U.S.C. 3507(a)(3).

(253) Banks with an FFR have OMB control numbers that are maintained by the Agencies, as follows: (1) FDIC (OMB Control No. 3064-0087);
(2) FRB (OMB Control No. 7100-0310); (3) NCUA (OMB Control No. 3133-0108); and (4) OCC (OMB Control No. 1557-0180).

(254) See FinCEN, Financial Crimes Enforcement Network; Anti-Money Laundering Programs for Financial Institutions, 67 FR 21110 (Apr. 29, 2002). In the 2002 interim final rule, FinCEN noted it was appropriate to implement section 5318(h)(1)
of the BSA with respect to broker-dealers and FCMs through their respective SROs, because the SEC and the CFTC and their SROs
significantly accelerated the implementation of AML programs for their regulated financial institutions. Accordingly, 31 CFR
1023.210 and 1026.210provides that broker-dealers, and FCMs and IBCs, respectively, would be deemed to be in compliance with
the requirements of section 5318(h)(1) of the BSA if they comply with any applicable regulation of their FFR governing the
establishment and implementation of AML programs. FinCEN recognizes the SEC as the FFR, and registered national securities
exchanges or a national securities association, such as FINRA, as the SROs for member broker-dealers. Each SRO may have its
own AML program requirements. See, e.g., FINRA Rule 3310. The CFTC's SRO is the National Futures Association. The AML program requirements for FCMs and IBCs are set
out in NFA Rule 2-9(c). The SROs are not required to comply with the PRA. Therefore, there are no OMB control numbers for
the AML/CFT program regulatory requirements of broker-dealers or FCMs and IBCs.

(255) The PRA does not apply to the collection of information by one Federal agency (FinCEN) from another Federal entity (the housing
GSEs).

(256) See FinCEN, Supporting Statement to OMB Control No. 1506-0035: Anti-Money Laundering Programs for Insurance Companies, Loan or Finance Companies, and Banks Lacking a Federal Functional
Regulator (June 27, 2024), https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202406-1506-005; FinCEN, Supporting Statement to OMB Control No. 1506-0020: Anti-Money Laundering Programs for Money Services Businesses, Mutual Funds, Operators of Credit Card Systems (June 27, 2024), https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202406-1506-003; FinCEN, Supporting Statement to OMB Control No. 1506-0030: Anti-Money Laundering Programs for Dealers in Precious Metals, Precious Stones, or Jewels (June 27, 2024), https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202406-1506-004; FinCEN, Supporting Statement to OMB Control No. 1506-0051: Anti-Money Laundering Program Requirements for Casinos (Oct. 28, 2024), https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202410-1506-002.

(257) See supra table 8.

(258) FinCEN requests comment on whether it should articulate and assign PRA reporting and/or recordkeeping burden associated with
any other activities required under the program rules. See infra section X.F #21.

(259) Please note that FinCEN is estimating only the paperwork burden associated with the specific program components discussed
above (i.e., the 31 CFR 1021.210(b)(2)(vi), CDD, and program approval requirements) in this PRA analysis, as other components of the full
burden associated with existing program rules are accounted for in connection with OMB control numbers 1506-0020, 1506-0030,
1506-0035, and 1506-0051. See supra note 180 for the 60-day notice for OMB Control No. 1506-0020, 1506-0030, and 1506-0035 and the 60-day notice for OMB Control
No. 1506-0051.

(260) See supra section V.G.2. This rule also proposed to remove the language requiring MSBs that have automated data processing systems to
integrate their compliance procedures with such systems. Since no PRA burden is associated with this requirement, FinCEN is
not proposing any changes to OMB control number 1506-0020 is association with the proposed change.

(261) See supra note 180 for FinCEN, Agency Information Collection Activities; Proposed Renewal; Comment Request; Renewal Without Change of Anti-Money Laundering
Program Requirements for Casinos.

(262) See, e.g., FinCEN, Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity
Report Filing Requirements for Registered Investment Advisers and Exempts Reporting Advisers, 89 FR 72156 (Sept. 4, 2024).

(263) FinCEN is adding a pro forma recordkeeping burden associated with the CDD requirements for 1,720 covered financial institutions
and a pro forma recordkeeping burden associated with the proposed program approval requirements for 46,960 financial institutions,
which includes the 1,299 casinos that would be additionally affected by the proposed removal of 31 CFR 1021.210(b)(2)(vi).
This results in a total of 48,680 respondents.

(264) The wage rate applied here is a general composite hourly wage ($87.61) scaled by a private sector benefits factor of 1.42
($124.58 = $87.61 × 1.42). This incorporates Bureau of Labor Statistics mean wage data associated with six occupational codes
(11-1010: Chief Executives; 11-3021: Computer and Information Systems Managers; 11-3031: Financial Managers; 13-1041: Compliance
Officers; 23-1010: Lawyers and Judicial Law Clerks; 43-3099: Financial Clerks, All Other) for each of the nine groupings of
NAICS industry codes that FinCEN determined are most directly comparable to its 11 categories of potentially affected financial
institutions as delineated in 31 CFR parts 1020 to 1030. See Bureau of Labor Statistics, May 2024—National industry-specific and by ownership, https://www.bls.gov/oes/tables.htm. Given that many occupations provide benefits beyond wages (e.g., insurance and paid leave), FinCEN applies the private sector benefit factor to the unloaded wage rate to reflect the total
cost to the employer. The benefit factor is the ratio of total compensation (which includes wages and benefits) to wages.
Total compensation = 43.94 and Wages and salaries = 30.90 (1.42 = 43.94 ÷ 30.90) as of June 2024, based on the private industry
workers series data downloaded from the Bureau of Labor Statistics. Bureau of Labor Statistics, Employer Costs for Employee Compensation data, https://www.bls.gov/news.release/archives/ecec_09102024.pdf.

(265) 132,960 hours multiplied by an average hourly wage rate of $124.58 equals $16,564,157.

Download File

Download