The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking on April 7, 2026, to modernize and reform anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements under the Bank Secrecy Act (BSA). FinCEN described the proposal, issued pursuant to the Anti-Money Laundering Act of 2020 (AMLA), as a shift from a process-driven approach to one prioritizing measurable effectiveness, risk-based resource allocation, and provision of useful information to law enforcement. While the proposed rule evidences an intended change toward measurable effectiveness, it would not alter the essential structure of AML/CFT program obligations. Therefore, it is unclear whether the proposed rule, if adopted, would significantly change how financial institutions design and maintain their AML/CFT programs and allocate resources.
FinCEN noted that the proposed rule aims to promote consistency among AML/CFT program requirements for BSA-covered financial institutions, including banks, money service businesses (MSBs), broker-dealers and loan/finance companies, such as residential mortgage lenders. The agency also said it is intended to reduce regulatory burden on the private sector and ensure fair banking availability for all Americans. The proposed rule supersedes FinCEN’s earlier proposal issued on July 3, 2024.
The Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the National Credit Union Administration jointly issued a proposed companion rule on the same date to align their respective AML/CFT program requirements with FinCEN's proposed framework. The Federal Reserve Board of Governors did not join the rulemaking.
Key Takeaways
- Requirements focused on effectiveness: The proposed rule would reframe AML/CFT program requirements to focus on measurable effectiveness, requiring covered financial institutions to “establish” an AML/CFT compliance program and “maintain” the program by “implementing” it in all material respects. A financial institution would need to update the program as its risk profile changes.
- More explicit risk-based resource allocation: Financial institutions would be required to tailor controls to their size, complexity, and specific risk profile, and reallocate resources away from low-risk customers and toward higher-risk areas. This could, in theory, translate to reduced regulatory burden for financial institutions, although regulatory guidance already encompasses expectations that AML/CFT programs be risk-based.
- A focus on material “implementation” failures in enforcement and supervisory actions: The proposed rule would reserve “significant” enforcement or supervisory actions for systemic or significantly deficient program implementation failures and would require enhanced cooperation between federal banking agencies and FinCEN. However, the proposed rule would not raise the threshold for enforcement or supervisory actions for deficiencies in establishment of a compliance program.
- Standardizing “four pillars” and U.S.-based compliance officer requirement: The proposed rule would standardize AML/CFT program components across covered financial institution types, requiring risk-based internal controls, independent testing, ongoing training and a designated compliance officer located in the United States accessible to regulators.
Elements of the Proposed Rule
Establishment and Maintenance of an Effective AML/CFT Program
- According to the proposed rule, the term “effective” would be defined for the first time in the context of AML/CFT programs, explicitly requiring financial institutions to establish and maintain programs that not only meet the minimum regulatory requirements but are also responsive to changes in the institution’s risk profile.
- Under a new two-pronged framework, effectiveness would be measured by both program design (“establishment”) and ongoing implementation “in all material respects” (“maintenance”). The proposed rule does not define “in all material respects.”
- FinCEN explained that even if a financial institution established its AML/CFT program in accordance with the proposed rule, its program may not be compliant with the rule’s establishment requirements if the institution fails to update the program to reflect changes to the institution’s risk profile.
AML/CFT Supervision and Enforcement Changes
- The proposed rule would not limit supervisory or enforcement actions by federal banking agencies for failure to establish an AML/CFT program.
- However, the proposed rule would limit federal banking agencies’ authority to take enforcement action or a “significant AML/CFT supervisory action” against banks in cases involving minor or technical issues where a compliant program exists, reserving such action for significant or systemic deficiencies in a bank’s implementation of a properly established program.
- Banking regulators would have discretion to interpret these subjective terms. It is not clear how regulators would draw the lines in practice between the establishment and maintenance requirements.
- Notably, federal banking agencies also have statutory authority outside the BSA to prescribe and enforce requirements related to banks’ AML/CFT compliance with the BSA.
- The proposed rule would also significantly strengthen FinCEN’s oversight, introducing formal consultation and information-sharing requirements under which federal banking agencies would be required to provide 30 days’ notice to FinCEN of their intent to initiate a “significant AML/CFT supervisory action.” FinCEN would then have an opportunity to review the proposed action and provide input.
- The proposed rule also outlines specific factors that FinCEN would be required to consider when making enforcement determinations, such as advancing AML/CFT priorities, providing useful information to law enforcement and effectively utilizing AI.
Risk-Based Program Requirements: Reducing Regulatory Burden and Serving Underbanked Populations
- The proposed rule includes provisions intended to allow financial institutions to extend services to underbanked populations and facilitate international remittances, while employing controls designed to prevent criminals from abusing formal or informal financial services networks.
- FinCEN noted that, as required by AMLA, it considered that financial institutions spend private compliance funds for private benefit and that the proposed rule seeks to allow financial institutions to reduce expenditure on low-risk customers instead of simply requiring additional expenditure on high-risk customers.
- As noted, however, the proposed rule would require that internal controls remain current as risk profiles change, which implies a more dynamic form of risk assessment.
- Additionally, FinCEN clarified that account closures should be based on a risk assessment, not on external pressure on financial institutions.
Modified AML/CFT Program Components
The proposed rule would require financial institutions to design and implement a risk-based AML/CFT framework incorporating four core pillars:
1. Internal policies, procedures and controls
- Must be risk-based and informed by current risk assessments.
- Specifically, risk assessments incorporating FinCEN’s AML/CFT priorities, as appropriate, would be a required component of internal controls and not a separate pillar.
- Ongoing customer diligence requirements would be incorporated into the internal controls pillar, although they would remain unchanged in substance.
2. Independent program testing
- Conducted by an independent audit function.
- Needs to be well-tailored, risk-based and focused on effectiveness.
3. A designated U.S.-based compliance officer
- Responsible for establishing and implementing the AML/CFT program.
- Would need to be located in the United States and accessible to regulators.
- While personnel outside the United States would be able to perform AML/CFT functions, financial institutions would continue to be prohibited from sharing Suspicious Activity Reports (SARs) with them except in limited circumstances.
- FinCEN emphasized that the AML/CFT officer’s authority, independence and access to resources are critical, and that the officer would need to have sufficient decision-making power and organizational stature to ensure compliance with BSA requirements.
4. Training
- Required on an ongoing basis to reflect the institution’s internal controls, risk assessment results and current regulatory requirements.
- Tailored to the institution’s risk profile and employee roles.
Technology
- While the proposed rule would not mandate technology adoption, FinCEN noted that it strongly encourages the use of innovative technologies, such as machine learning and generative AI.
- FinCEN clarified that institutions that responsibly adopt innovative technologies in their AML/CFT programs would not face increased supervisory or enforcement risk solely due to such adoption.
- However, FinCEN also acknowledged that new technologies may not be appropriate for every institution—particularly smaller ones—and the proposed rule would not require or reference the use of any specific technology.
What Actions Should Financial Institutions Consider Taking?
Financial institutions that would be covered by the proposed rule should consider:
- Strengthening risk assessment frameworks and ensuring they are updated to reflect material changes.
- Reviewing FinCEN’s AML/CFT priorities to evaluate the extent to which each is applicable, and identify whether relevant priorities are incorporated into the institution’s AML program.
- Planning how to reallocate compliance resources. As discussed above, the proposed rule would encourage shifting resources toward higher-risk customers and activities and away from lower-risk ones. Companies should consider aligning AML/CFT resource allocation with their risk assessments.
- If they do not have a U.S.-based compliance officer, planning for staffing changes, including potentially onboarding a new compliance officer.
- Investing in AI, advanced analytics or other innovative technologies to improve efficiencies and effectiveness of the institution’s AML program, as encouraged by FinCEN.
- Commenting on the proposed rule, particularly on aspects specifically relevant to the institution’s operations. For example, non-bank financial institutions may benefit from FinCEN extending certain proposed changes to enforcement and supervision beyond banks.
- Comments on the FinCEN proposed rule and the companion rule are due on June 9, 2026.
- Changes would become effective 12 months from the date of issuance of the final rule.
Shruthi Maganti (Law Clerk) contributed to this article.