FinCEN Issues Proposed Rule Revising the AML Program Requirements for Financial Institutions

 

I. Summary

On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a long-awaited new Notice of Proposed Rulemaking (NPRM or Proposed Rule) substantially revising the anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements applicable to financial institutions under the Bank Secrecy Act (BSA).¹ The Proposed Rule kicks off the most significant overhaul of financial institutions’ AML/CFT program obligations in years and implements key provisions of the Anti‑Money Laundering Act of 2020 (AML Act), including Congress’s directive that AML programs must be both “reasonably designed to assure and monitor compliance” and “risk-based.”² Later the same day, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) issued their own joint Notice of Proposed Rulemaking to align their BSA compliance programs with the FinCEN’s proposal.³ The Federal Reserve Board has not issued a similar proposal as of this writing, although FinCEN’s summary of key changes [PNCI-21.1][JM1.2]notes that the Proposed Rule “was prepared in consultation with” the Board of Governors of the Federal Reserve System as well as the FDIC, NCUA, and OCC.⁴

The stated aim of the Proposed Rule is to reduce unnecessary regulatory burdens, elevate FinCEN’s role in AML/CFT supervision, and refocus financial institutions’ AML/CFT programs on addressing the purposes of the BSA in identifying, preventing, and reporting illicit finance activity, rather than mere technical compliance. In announcing FinCEN’s Proposed Rule, Treasury Secretary Scott Bessent stated that the reform “restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.”⁵

Although the Proposed Rule may be revised before a final rule is issued, it appears to offer some relief to financial institutions that have been carrying the ever-increasing weight of AML compliance, particularly in its explicit grant of discretion to financial institutions to focus their AML resources on areas of higher risk. Other reforms, such as making FinCEN the gatekeeper for bank enforcement actions, might help temper enforcers’ zeal—or might simply increase the number of AML cases in which FinCEN adds its own penalty on top of other regulators’ penalties.

II. Key Takeaways

The Proposed Rule begins with a significant organizational change, by which a financial institution’s AML program will be evaluated differently based on how well it establishes an AML/CFT program and how well it maintains such a program. According to FinCEN’s “Fact Sheet,” the purpose of distinguishing between deficiencies in program design (“establishment”) and program implementation (“maintenance”) is to refocus financial institutions’ compliance obligations and expectations on “effectiveness.”⁶ The Fact Sheet describes the Proposed Rule as requiring a financial institution to design and implement “a risk-based AML/CFT framework incorporating four core required pillars”:

1. internal policies, procedures, and controls including risk assessment processes and, when applicable, ongoing customer due diligence;
2. independent program testing;
3. designation of a U.S.-based compliance officer; and
4. ongoing employee training.

The first pillar, in addition to requiring financial institutions to conduct risk assessments, would also require them to “mitigate” these risks by directing more attention to higher-risk customers and activities, and to conduct “ongoing customer due diligence” that would include both developing customer risk profiles and conducting “ongoing monitoring to identify and report suspicious transactions.”⁷

In a significant change, the Proposed Rules would establish FinCEN as a clearer gatekeeper for AML enforcement—at least regarding banks. The Proposed Rule establishes a mechanism to provide FinCEN with an opportunity to review and provide feedback to federal banking agencies prior to a “significant AML/CFT supervisory action.”⁸ Federal banking supervisors must provide FinCEN’s director with at least 30 days’ advance written notice, absent urgent circumstances, before initiating a significant AML/CFT supervisory or enforcement action under delegated authority, allowing FinCEN to review and provide input before action is taken. This includes any written communication or supervisory determination identifying alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices relating to an AML/CFT requirement. In assessing whether to pursue or support a significant supervisory or enforcement action, FinCEN’s director will consider the statutory factors set forth in the AML Act, as well as the extent to which an institution advances the AML/CFT Priorities by providing highly useful information to law enforcement or national security authorities. The director will also evaluate whether the institution is deploying innovative and effective compliance tools, including the use of artificial intelligence and other advanced technologies, signaling a shift toward greater recognition of outcomes, effectiveness and innovation in AML/CFT program oversight. Notably, however, there is no similar FinCEN consultation requirement in the proposed rules for broker-dealers, casinos and card clubs, money services business, mutual funds, or insurance companies.

In the past, FinCEN has brought few independent enforcement actions against regulated financial institutions and often appeared to piggyback on other agencies’ investigations, adding to the penalties and settlements that financial institutions faced for the same underlying conduct. For example, FinCEN concluded just two AML enforcement actions in 2025,⁹ while other prudential regulators, state officials, and the U.S. Department of Justice concluded an estimated 35 actions. One impact of requiring prudential banking regulators to share all proposed enforcement actions with FinCEN may be that FinCEN joins in and adds its own penalties to far more of them.

Other notable reforms in the Proposed Rule include, among others:

1. empowering financial institutions to direct more attention and resources toward high-risk customers and activities;
2. raising the threshold for enforcement so only “significant” or “systemic” failures to implement an effective AML/CFT program would justify an enforcement action against a bank; and
3. requiring the designated AML/CFT officer to be located in the U.S.¹⁰

The Proposed Rule reflects the current administration’s effort to reform the AML regime to an outcome-oriented model that would enable institutions to prioritize substantive AML/CFT priorities. While the rule requires a program to be “effective,” it is framed as refocusing the compliance obligations and expectations on effectiveness by distinguishing deficiencies that stem from program design as opposed to program implementation. This is intended to focus supervision and enforcement on “significant or systemic failures” rather than “isolated, technical, or immaterial implementation deficiencies.”¹¹

As a practical matter, however, financial institutions may remain at the mercy of unpredictable regulatory enforcement and supervisory interpretations of what issues or AML/CFT supervisory actions are “significant,” what implementation failures are “systemic,” what degree of deference will be paid to “risk-based” judgments, or even what constitutes a material AML “risk” for a particular institution or business line. These terms are only sparsely defined or not defined at all in the Notice of Proposed Rulemaking. Recent enforcement actions, including a record for a non-criminal broker-dealer,¹² demonstrate that substantial enforcement risk remains for financial institutions with programs that do not meet regulators’ expectations.¹³

III. Next Steps 

FinCEN will publish its proposal in the Federal Register in the coming days. The public will be invited to submit comments to be received within 60 days after publication in the Federal Register.

As financial institutions begin to assess the Proposed Rule, significant questions remain regarding how regulators will interpret and apply key concepts such as “significant” or “systemic” implementation failures, the degree of deference afforded to risk based judgments, and what constitutes a material AML/CFT risk in practice. These interpretive uncertainties will be critical to program design, examiner expectations, and enforcement risk. WilmerHale regularly advises banks and other financial institutions on implementing complex AML/CFT reforms, engaging with supervisory agencies, and developing effective, outcome oriented compliance frameworks. We also assist clients in preparing and submitting comment letters aimed at shaping final rules in ways that are practical and risk sensitive.

Please reach out to us if you would like to discuss the implications of the Proposed Rule for your institution or to assist with implementation planning or the development of comments during this rulemaking process.