
Federal Banking Agencies and FinCEN Hit Reset on AML/CFT: Implications for Financial Institutions


Key Takeaways

On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) issued a proposed rule intended to “fundamentally reform” the requirements for financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs under the Bank Secrecy Act (BSA). Concurrently, the FDIC, OCC, and NCUA (collectively, the Agencies) issued a joint proposed rule to amend their respective AML/CFT program requirements for supervised institutions, drafted to align with FinCEN’s proposal. Together, these rulemakings represent the most sweeping proposed overhaul of AML/CFT program requirements since the BSA was enacted in the 1970s.

The impetus for these proposals is the Anti-Money Laundering Act of 2020 (AML Act). The AML Act directed FinCEN and the Agencies to modernize and strengthen the AML/CFT regulatory framework, ensure that bank BSA programs focus on high-risk areas important to law enforcement and national security agencies, and encourage technological innovation. As FDIC Chairman Travis Hill stated, the proposal represents “perhaps the most important of the reforms Congress envisioned in the AML Act.” 

The proposals also reflect the current U.S. Treasury Department’s deregulatory priorities. Secretary of the Treasury Scott Bessent framed the reform bluntly: “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats. Our proposal restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.” 

Importantly, both proposed rules fully supersede and withdraw the prior proposed rules published in 2024 by these agencies—FinCEN’s NPRM of July 3, 2024, and the banking agencies’ NPRM of August 9, 2024. As discussed in our prior blog post analyzing those 2024 proposed rules and noted in FinCEN’s observations in the new proposed rule, the earlier proposed rules drew significant criticism from commenters who found them to be excessively prescriptive, additive rather than burden-reducing, and insufficiently clear on key concepts like what it means for a program to be “effective.” The new proposed rules shift approach, responding to those concerns by emphasizing flexibility, discretion, and a higher threshold for enforcement action.

Overview of Major Changes

The proposed rules introduce several interrelated reforms to the AML/CFT program framework. While the traditional four-pillar structure of AML programs remains intact (internal controls, independent testing, a designated compliance officer, and ongoing training), the proposed rules alter the operation of those components and regulators’ evaluation of them.

Explicit Risk-Based Resource Allocation

The proposed rules codify the AML Act’s mandate that AML/CFT programs be risk-based, requiring institutions to direct more attention and resources toward higher-risk customers and activities rather than lower-risk ones. This is a meaningful departure from prior regulatory practice, where the absence of an explicit risk-based standard often led to uniform, resource-intensive compliance efforts applied across all risk levels. The proposed rules would provide financial institutions with “flexibility and discretion” in mitigating illicit finance risks, moving AML/CFT programs away from unnecessarily burdensome “check-the-box” exercises. 

A Two-Pronged Framework: “Establish” and “Maintain”

The proposed rule also addresses program effectiveness, building on the 2024 NPRMs’ requirement that AML/CFT programs be “effective, risk-based, and reasonably designed” by explicitly defining what constitutes an “effective” program. The concept of effectiveness has an interesting regulatory history that went through various iterations over the years and was addressed in another prior blog post. A central structural innovation in the proposals is the distinction between “establishing” and “maintaining” an AML/CFT program, both of which are required to meet the definition of an “effective” AML/CFT program under the new proposed rules. 

  • Establishing a program means designing an AML/CFT program that incorporates all required components: (1) a risk-based set of internal policies, procedures, and controls; (2) independent testing; (3) a designated compliance officer; and (4) ongoing employee training.
  • Maintaining a program means implementing it “in all material respects.” 

This distinction matters because the proposed rules tie enforcement consequences to which prong is deficient. Failures to establish a program face no limitations on enforcement or supervisory actions, but once a bank has properly established its program, only “significant or systemic” implementation failures would warrant an enforcement action or significant supervisory action. The proposed approach aims to focus regulatory attention on substantive shortcomings rather than “isolated, technical, or immaterial implementation issues.” 

Codified Risk Assessment Requirements

Although many financial institutions already conduct risk assessments as a matter of practice, existing regulations do not currently require them explicitly. The proposed rules would codify risk assessment processes as a required component of the internal controls pillar. Risk assessment processes would need to evaluate the money laundering and terrorist financing risks of the bank’s business activities—including products, services, distribution channels, customers, and geographic locations—and, as appropriate, incorporate AML/CFT priorities issued by regulators and be updated promptly when the bank knows or has reason to know its risk profile has significantly changed. 

Customer Due Diligence Integrated Into Program Requirements

The proposed rules would formally incorporate ongoing customer due diligence (CDD) into AML/CFT program requirements for banks and applicable financial institutions. While this should not alter current compliance practices for most banks (since they already comply with FinCEN’s CDD rule), the consolidation is intended to eliminate confusion about the current differences between FinCEN’s and the Agencies’ respective requirements.

Expanded Program Approval Options

The proposed rules would expand the options for approving an institution’s written AML/CFT program beyond the board of directors alone. Specifically, approval could come from the board of directors, an equivalent governing body (such as a board compliance committee or, for a U.S. branch of a foreign bank, the foreign parent’s board) or appropriate senior management. This change reflects the practical division of labor at many institutions and is intended to allow more effective day-to-day oversight without diminishing the board’s governance responsibilities. However, the proposed rules do not alter certain other statutory requirements requiring board approval of an AML/CFT program for certain financial institutions—such as Rule 38a-1 under the Investment Company Act of 1940 requiring board approval of a mutual fund’s written policies and procedures—which will remain in effect.

AML/CFT Officer Must Be US-Based

The proposed rules implement the AML Act’s requirement that the individual responsible for establishing and implementing the AML/CFT program must be located in the United States and accessible to regulators. Importantly, the proposals clarify that while the designated AML/CFT officer must be U.S.-based, other AML/CFT staff and operations may remain outside the United States, and third-party providers located abroad may continue to perform certain functions. 

FinCEN Consultation Framework

The proposed rules would establish a new notice and consultation process under which the Agencies must provide FinCEN at least 30 days’ advance written notice before initiating an AML/CFT enforcement action or significant supervisory action. FinCEN would then have an opportunity to review the action and provide input, including its assessment of the effectiveness of the bank’s AML/CFT program. In making its assessment, FinCEN’s director would consider the statutory factors required by the AML Act, the extent to which the bank advances regulators’ AML/CFT priorities by providing useful information to law enforcement, and whether the bank employs innovative tools such as AI that demonstrate program effectiveness. 

Technology and Innovation

The proposals explicitly encourage responsible use of technology and innovation in AML/CFT programs. Banks that responsibly incorporate innovative technologies—including machine learning, generative artificial intelligence, digital identity solutions, blockchain monitoring, and APIs—will not incur additional risk of supervisory or enforcement action solely based on the use of such technologies. This is a notable signal in line with earlier statements by the Agencies and FinCEN, particularly given that the use of innovative tools is an explicit factor FinCEN’s director may consider when evaluating the effectiveness of a financial institution’s program. However, unlike the previous rulemaking from 2024, there is no specific reference encouraging the use of innovation and technology in the proposed regulatory text, except in the case of factors used to determine whether to take an enforcement action, which is unfortunate.

Impact on Attorney-Client Privileged Information

Under the FinCEN gatekeeper framework, the Agencies must provide written notice to the FinCEN director at least 30 days before initiating an AML/CFT enforcement or significant supervisory action, accompanied by “relevant AML/CFT information underlying the proposed action,” such as draft reports of examination, enforcement actions, workpapers, and bank-submitted information. Privileged information is explicitly excluded from this notice obligation, but a parallel provision authorizes banks to disclose to the FinCEN director “any information relating to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action,” including nonpublic supervisory information. The Agencies have acknowledged that this expanded information-sharing channel could jeopardize attorney-client privilege, the work-product doctrine, and the bank-examination privilege. To mitigate these risks, the rule expressly provides that disclosure to the FinCEN director “does not waive, invalidate, destroy, or otherwise affect any privilege or protection available under Federal or State law,” and treats such disclosure as made on behalf of the Agency pursuant to 12 U.S.C. 1821(t). The Agencies have proposed two alternatives: Option 1 would authorize disclosure without a contemporaneous-filing requirement, while Option 2 would require banks to contemporaneously file the same information with their Agency—an approach the Agencies view as a “greater safeguard against the unintended destruction of privilege.” 

Key Impacts and Takeaways for Financial Institutions

These proposed rules, if finalized, would represent a meaningful shift in how regulators approach AML/CFT obligations, and institutions should be thinking carefully about several critical dimensions.

A higher enforcement threshold provides real protection, but it is not a safe harbor. The “significant or systemic” standard for enforcement based on implementation deficiencies is a welcome development. Institutions that have properly established their programs gain significant protection from penalties for isolated or technical failures. However, regulators have been clear that this framework is not a license to establish “paper programs” that appear compliant on their face but fail to effectively detect and prevent illicit activity. 

Risk assessments become a linchpin of compliance. By codifying risk assessment processes as the foundation upon which internal controls must be built, the proposals make the quality and currency of an institution’s risk assessment a crucial component of its program. Financial institutions must be prepared to promptly update their risk assessments when their business activities, products, customer segments, or geographic footprints change in ways that materially alter their risk profiles. A static or stale risk assessment may lead regulators to conclude that the program no longer satisfies establishment requirements, a category with no enforcement limitations. 

FinCEN’s expanded supervisory role centralizes oversight. The new consultation framework effectively gives FinCEN a gatekeeping function over significant supervisory and enforcement actions, promoting consistency but also introducing an additional procedural layer. Banks should expect more coordinated—and potentially more deliberate—regulatory interactions on AML/CFT matters, and they should ensure their compliance teams understand how to engage with both their primary regulator and FinCEN.

The Agencies have independent statutory BSA requirements that do not apply to FinCEN. One notable requirement is that the Agencies must issue orders against banks for “failing to correct any problem with the procedures maintained by such [bank] which was previously reported to the [bank] by such agency.” (12 U.S.C. 1818(s)). The commentary to the rule does not get into specifics as to how this requirement will be applied by the Agencies. However, the new enforcement framework captures it and provides that “[e]xcept with respect to a significant or systemic failure to implement the AML/CFT program… a [bank] that has established an AML/CFT program in accordance with [the requirements] of this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to the requirements of 12 U.S.C. 1818(s)…” (emphasis added). Consistent with current practice, it is expected that the Agencies will deem a repeat uncorrected problem (i.e. matter requiring attention, violation of law, or unsafe or unsound practice) as a significant implementation failure that would fall within the independent statutory requirement applicable to the Agencies. Of course, this Agency practice and any required enforcement order under 12 U.S.C. 1818(s) will now be subject to FinCEN review as gatekeeper.

Debanking concerns are addressed head-on. Chairman Hill’s observation that “the risk of large fines due to BSA violations incentivizes banks to ‘debank’ customers by denying or closing accounts” is directly reflected in the proposed rules’ emphasis on risk-based, case-by-case customer relationship management. By providing a clearer framework under which institutions are evaluated for the reasonableness and effectiveness of their risk-based decisions, the proposals aim to reduce the inappropriate de-risking of entire customer categories, which has been a repeated focus of the current administration.

Protection of attorney-client privileged materials may be challenging. The proposed rule raises significant privilege concerns for banks as several of the privileges at issue are rooted in common law and were developed and shaped by the courts, not by regulatory fiat. The proposed rule’s attempt to preserve these privileges through regulatory text and statutory cross-references to 12 U.S.C. 1821(t) may face judicial skepticism, particularly in the wake of the U.S. Supreme Court decision in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024), which eliminated Chevron deference to agency interpretations of ambiguous statutes. A reviewing court may independently conclude that the disclosure mechanisms established by the rule are inconsistent with the privilege protections that courts have historically applied. Given this heightened uncertainty, banks will likely need to take several affirmative steps concerning their information provided, including: (1) carefully segregating and identifying all privileged materials from information provided in connection with any AML/CFT examination; (2) invoking the rule’s carve-out for privileged information; (3) maintaining detailed privilege logs; (4) when disclosing information to the FinCEN director, contemporaneously filing the same information with their Agency consistent with Option 2 to maximize privilege protections; and (5) including express written reservations of all applicable privileges each time banks share AML/CFT information with the Agencies and FinCEN. 

The check-the-box examination approach comes under fire. The commentary to the proposed rule directly addresses long-standing industry concerns about a check-the-box examination dynamic. The establish/maintain framework limits enforcement for properly established programs to “significant or systemic” implementation failures rather than isolated or technical deficiencies. Separately, Section 6307 of the AML Act requires the secretary of the Treasury, in consultation with the Federal Financial Institutions Examination Council (FFIEC), FinCEN, and law enforcement agencies, to establish examiner training on risk-based topics and financial crimes patterns and trends. FinCEN’s 2024 NPRM discussed specific plans for annual training to shift examiners away from check-the-box exercises; that 2024 NPRM has been expressly withdrawn and superseded by FinCEN’s current 2026 proposed rule, which does not replicate those specific training commitments. Nonetheless, because the practical application of the “significant or systemic failure” standard has yet to be tested through examination cycles, and examiner training under the AML Act’s statutory mandate remains under development, questions persist about whether these measures will fully resolve the check-the-box concerns that have frustrated the industry for decades.

Proposed Effective Date and Comment Deadline

Both FinCEN and the Agencies are proposing an effective date of 12 months from the date of issuance of the final rule, reflecting feedback on the 2024 proposals where commenters strongly objected to the originally proposed six-month timeline. Financial institutions should use the comment period and subsequent finalization period to begin assessing gaps between their current programs and the updated requirements, particularly regarding formalized risk assessment documentation, program governance structures, and compliance officer location requirements.

Comments on both proposed rules must be received by June 9, 2026. Given the significance of these proposals, financial institutions and other interested persons should actively consider submitting comments. 


Authors

Partner
JSchafer@perkinscoie.com


202.661.5863
Partner
JVivenzio@perkinscoie.com


202.654.6200
Associate
SHoganMitchell@perkinscoie.com
