
21 April 2026
Treasury proposes fundamental reform of financial institutions’ AML/CFT program requirements
The Financial Crimes Enforcement Network (FinCEN) within the United States Department of the Treasury (Treasury) has issued a notice of proposed rulemaking (Program Rule NPRM) to “fundamentally reform” the anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements applicable to financial institutions under the Bank Secrecy Act (BSA).
Released on April 7, 2026, the Program Rule NPRM is a component of Treasury’s broader BSA modernization effort, implementing key provisions of the Anti-Money Laundering Act of 2020 (AML Act), including Congress’s directive that AML/CFT programs be “reasonably designed to assure and monitor compliance” with the BSA and be “risk-based.”
In an announcement about the Program Rule NPRM, Treasury Secretary Scott Bessent stated that the reform “restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.” The Program Rule NPRM supersedes a prior notice of proposed rulemaking that FinCEN published on July 3, 2024, which, according to FinCEN, should be considered withdrawn.
Concurrently, the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration issued a joint notice of proposed rulemaking (Joint Banking Agency Proposed Rule) to align their respective BSA compliance program rules with FinCEN’s proposal. The Joint Banking Agency Proposed Rule was also prepared in consultation with the Board of Governors of the Federal Reserve System.
This alert discusses the scope of FinCEN’s Program Rule NPRM, its proposed key changes to the existing framework, and considerations for financial institutions.
Scope of FinCEN’s Program Rule NPRM
FinCEN’s Program Rule NPRM would amend AML/CFT program requirements across most categories of financial institutions regulated under the BSA, including banks, money services businesses (MSBs), broker-dealers, mutual funds, certain insurance companies, futures commission merchants and introducing brokers in commodities, operators of credit card systems, and loan or finance companies. The NPRM does not affect FinCEN’s separate rulemaking establishing AML/CFT and suspicious activity report filing requirements for registered investment advisers and exempt reporting advisers, which has been delayed until January 1, 2028.
Additionally, on April 10, 2026, FinCEN published a proposed rule outlining AML/CFT and sanctions program requirements for permitted payment stablecoin issuers under the Guiding and Establishing National Innovation for US Stablecoins Act (GENIUS Act), which FinCEN has stated is designed to be consistent with the Program Rule NPRM.
Key changes
Establishing and maintaining an effective AML/CFT program
The Program Rule NPRM introduces a formal standard for AML/CFT program “effectiveness.” Under the current framework, regulators primarily evaluate whether a financial institution has established a program, including whether it has written policies, a compliance officer, a training program, and an independent audit function. Under the requirements outlined in the Program Rule NPRM, regulators would, in addition, be expected to evaluate whether those components are maintained.
Moreover, a financial institution must establish an AML/CFT program by designing a risk-based framework that incorporates the following four core “pillars”:
- Internal policies, procedures, and controls, including risk assessment processes and, where applicable, ongoing customer due diligence
- Independent program testing
- Designation of a US-based compliance officer
- An ongoing employee training program
The obligation to establish a program is not a one-time exercise; a financial institution must keep its program current as its risk profile evolves, such as when introducing new products or services or operating in new geographic locations. Revised rule language in the Program Rule NPRM states that a financial institution is to maintain its AML/CFT program by implementing the established program “in all material respects.”
According to the NPRM’s analysis, the intent of these changes is to promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design with criticisms of day-to-day implementation.
Mandatory risk assessment processes
Although risk assessments have long been a supervisory expectation, existing AML/CFT program rules do not uniformly require them across institution types. The Program Rule NPRM would codify risk assessment processes as a formal component of every institution’s internal policies, procedures, and controls. Specifically, risk assessment processes would be required to:
- Evaluate the money laundering, terrorist financing, and other illicit finance (ML/TF) risks of the institution’s business activities, including products, services, distribution channels, customers, and geographic locations
- Review and, as appropriate, incorporate the AML/CFT Priorities published by FinCEN
- Be updated promptly to reflect any changes that the institution knows or has reason to know significantly affect its ML/TF risks
Explicit risk-based resource allocation
The Program Rule NPRM embeds the AML Act’s expectation that AML/CFT programs be risk-based. For the first time, the NPRM would expressly require financial institutions to direct more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities. According to the NPRM, FinCEN intends for this revised formulation to empower financial institutions to allocate resources away from lower-risk areas without fear that such reallocation will by itself draw supervisory criticism, so long as it is grounded in reasonably designed risk assessments and controls. The NPRM also states that the contemplated changes were informed by feedback urging FinCEN to move AML/CFT programs away from what public commenters have previously described as a “check-the-box” exercise that is unnecessarily burdensome.
Incorporation of AML/CFT Priorities
The Program Rule NPRM would require financial institutions to review FinCEN’s government-wide AML/CFT Priorities and, as appropriate, incorporate them into their risk assessment processes. In the NPRM, FinCEN cautioned that superficial treatment of the priorities will not satisfy supervisory expectations. Rather, institutions are expected to evaluate the relevance of each priority to their business and risk profile and to explain why certain priorities are or are not material. Financial institutions will not be required to incorporate the AML/CFT Priorities into their risk-based programs until the final rule becomes effective.
Clarified independent testing requirements
The Program Rule NPRM retains the BSA requirement for an independent audit function but clarifies the standard for independent testing. Per the NPRM, testing should be based on objective criteria designed to assess whether a financial institution has effectively established, implemented, and resourced an AML/CFT program consistent with its risk assessment processes. The NPRM states that auditors and examiners should not substitute their own subjective judgment in place of a financial institution’s risk-based and reasonably designed program. Independent testing must be conducted by individuals or parties who are independent of the AML/CFT function, and no conflicts of interest may be present. Institutions retain flexibility in how they structure this function and whether to engage outside audit firms.
US-based AML/CFT compliance officer requirement
Consistent with the AML Act and subsequent interpretations, the Program Rule NPRM would require each covered institution to designate an AML/CFT officer who is 1) located in the US, 2) accessible to FinCEN and appropriate federal regulators, and 3) responsible for establishing, implementing, and overseeing the financial institution’s day-to-day compliance with the BSA. Although the AML/CFT officer must be US-based, personnel located outside the US would still be permitted to perform certain AML/CFT functions, subject to existing restrictions on the sharing of suspicious activity reports with foreign personnel.
Elevated enforcement threshold and expanded role for FinCEN
Also new under the Program Rule NPRM is a trigger for an AML/CFT program-related enforcement action. Where a bank has properly established its AML/CFT program, FinCEN generally would not take an enforcement action and FinCEN – or other agencies acting on its behalf – generally would not take a significant supervisory action unless the bank has a “significant or systemic failure” to maintain that program. This threshold, according to FinCEN, is intended to focus supervision and enforcement on material failures rather than isolated, technical, or immaterial implementation deficiencies. Before initiating a significant AML/CFT supervisory action under delegated authority, federal banking supervisors would be required to provide FinCEN’s Director with at least 30 days’ advance written notice (absent urgent circumstances) to review the proposed action and provide input.
The Program Rule NPRM explains that in determining whether to pursue or support an enforcement or significant supervisory action, FinCEN’s Director would consider:
- The four statutory factors required by the AML Act, which are as follows:
  - Ensuring that financial institutions deploy private compliance resources to protect the US from illicit finance risks
  - Expanding access to financial services for underbanked populations, including remittances from the US and abroad, while preventing the misuse of financial services networks by criminals
  - Maintaining the ability to prevent the flow of illicit funds through the financial system by assisting law enforcement and national security agencies
  - Maintaining AML programs that are risk‑based and reasonably designed to ensure and monitor compliance with the BSA
- The extent to which the bank advances AML/CFT Priorities by providing highly useful information to law enforcement or national security officials
- Whether the bank is employing innovative tools such as artificial intelligence (AI) that demonstrate the effectiveness of the bank’s AML/CFT program
This bank-specific supervision and enforcement framework would apply only to banks and the federal banking agencies. FinCEN has requested public comment on whether these provisions should be extended to other financial institution types.
Technical and harmonizing changes
The Program Rule NPRM would also make a number of technical and clarifying revisions to FinCEN’s AML/CFT regulations, which FinCEN explains are intended to improve consistency across financial institution types. These changes include:
- Consolidating the two separate bank program rules – one for banks with a federal functional regulator and one for banks without – into a single standard applicable to all banks
- Harmonizing and modernizing requirements for casinos and MSBs while retaining certain MSB-specific provisions (such as provisions relating to agents and foreign-located MSBs)
- Deleting outdated compliance dates and unnecessary cross-references to other regulations
- Revising definitions (including the definitions of “Bank Secrecy Act” and “Federal functional regulator”)
- Adding a regulatory definition of “AML/CFT Priorities”
FinCEN proposes an effective date of 12 months from the date of issuance of the final rule, an extension from the six-month implementation period proposed in the 2024 NPRM. The longer implementation period responds to industry feedback requesting additional time to review the final rule, make technological changes, incorporate the AML/CFT Priorities into risk assessment processes, reallocate resources, and provide training. FinCEN has solicited public comment on whether this proposed effective date is appropriate.
Practical implications
Given the scope of the Program Rule NPRM and the significance of the changes it contemplates, financial institutions may wish to begin assessing their existing AML/CFT programs against the proposed framework now. Key considerations include:
- Program architecture. Financial institutions may evaluate whether their AML/CFT programs can be mapped to the new, two-pronged establishment and maintenance framework, and whether their existing program components satisfy the proposed standards for each of the four pillars.
- Risk assessment processes. Financial institutions may assess whether their current risk assessments meet the proposed standards, including evaluation of ML/TF risks across business activities, meaningful incorporation of AML/CFT Priorities, and prompt updating in response to material changes in the institution’s risk profile.
- Resource allocation. Financial institutions may review how AML/CFT resources are currently distributed across higher- and lower-risk areas and ensure that any allocation decisions are documented and defensible under a risk-based framework.
- Governance and compliance officer requirement. Financial institutions may confirm that their compliance officer is US-based and that their governance structures, including board or senior management approval of the written AML/CFT program, align with the Program Rule NPRM.
- Independent testing. Financial institutions may evaluate the independence and effectiveness of their current audit and testing functions to ensure they are consistent with the proposed standards and focused on objective, risk-based criteria rather than subjective judgment.
- Innovation and technology. Given that FinCEN’s Director would consider the use of innovative tools such as AI in assessing program effectiveness, institutions may evaluate where technology and advanced analytics can demonstrably enhance AML/CFT outcomes.
Conclusion
The Program Rule NPRM would revise the federal regulatory framework for AML/CFT programs, emphasizing a risk-based approach and explicit standards for program effectiveness. By codifying risk assessment processes, requiring risk-based resource allocation, and establishing a formal distinction between program establishment and maintenance, the Program Rule NPRM may signal a shift in how supervisory expectations align with the realities of modern financial crime risk management.
For more information regarding FinCEN’s Program Rule NPRM, please contact the authors.


