backOn April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) proposed a rule to “fundamentally reform the requirements for financial institutions’ anti-money laundering and countering the financing of terrorism (“AML/CFT”) programs under the Bank Secrecy Act (“BSA”).” The proposed rule aims to “promote risk-based, reasonably designed programs and greater consistency in how banks are evaluated for effectiveness.” It reflects the latest move by FinCEN to modernize AML compliance, including by encouraging financial institutions to evaluate the use of innovative technologies like digital identity and generative artificial intelligence, and reduce regulatory burdens placed on covered financial institutions—banks, money services businesses, broker-dealers, mutual funds, and certain insurance companies—including by encouraging examiners to focus on outcomes rather than “foot fault” program deficiencies.1See also FinCEN Limits Beneficial Ownership Review for Subsequent Account Openings (Feb. 17, 2026); FinCEN Relaxes Suspicious Activity Reporting Requirements Via Four New FAQs (Oct. 15, 2025); Fed Follows Earlier OCC, FDIC, and NCUA Orders Allowing Banks to Collect TIN Information from Third Parties (Aug. 8, 2025).
The proposal was prepared in consultation with the Board of Governors of the Federal Reserve System (the “Fed”), Federal Deposit Insurance Corporation (“FDIC”), National Credit Union Administration (“NCUA”), and Office of the Comptroller of the Currency (“OCC”). The FDIC, OCC, and NCUA issued their own proposed rule on the same day to align with FinCEN’s proposed rulemaking.2The Fed has not yet issued its own proposal to align with this effort. Public comments on the proposed rules are due by June 9, 2026.
FinCEN’s proposed rule focuses on making the following changes to AML/CFT programs:
- Positioning financial institutions to identify and evaluate their own illicit finance risks;
- Devoting more attention and resources toward higher risks to shift AML/CFT programs away from a “check-the-box” exercise;
- Requiring risk assessment processes to evaluate business activities, incorporate AML/CFT priorities, and be updated promptly upon changes to a financial institution’s AML/CFT risk profile;
- Emphasizing effectiveness by distinguishing between deficiencies stemming from program design and implementation;
- Shifting existing Customer Due Diligence (“CDD”) obligations to formally be part of a financial institution’s requirements regarding its internal policies, procedures, and controls, as opposed to a standalone requirement;
- Expanding upon who can approve a financial institution’s written AML/CFT program to include the board of directors, an equivalent governing body, or appropriate senior management;
- Clarifying AML/CFT program requirements regarding independent testing and audit functions to ensure objectivity in exams and audits; and
- Introducing a notice and consultation framework between FinCEN and federal banking regulators that would, for the first time, require federal banking regulators to consult with FinCEN prior to taking certain types of supervisory or enforcement actions.
The proposed rule, which implements the AML Act of 2020, supersedes FinCEN’s prior proposed rule that was published on July 3, 2024, which FinCEN has withdrawn. Among other changes to the BSA’s AML/CFT program requirements, the AML Act required that relevant regulators establish and publicly issue government-wide AML/CFT priorities. FinCEN first published its AML/CFT priorities in 2021, which must be updated no less frequently than once every four years to reflect new or evolving risks.3FinCEN has not published updated AML/CFT Priorities since June 2021.
The new proposed rule addresses issues FinCEN identified in feedback to the 2024 proposed rule, including directing more resources toward higher risk customers (as opposed to lower risk customers), making risk assessments less of a “check-the-box” exercise, providing more meaning to the concept of an “effective, risk-based, and reasonably designed” AML/CFT program, and allowing options beyond a financial institution’s board or an equivalent governing body, like senior management, to approve and provide oversight of the AML/CFT program.
These changes would result in federal banking regulators bringing supervisory or enforcement actions only for the most serious deficiencies in a financial institution’s implementation of its program, with a requirement that federal banking regulators consult with FinCEN at least 30 days before bringing an enforcement action or “significant” supervisory action. In its consideration of whether to pursue an enforcement action, FinCEN would assess the effectiveness of the financial institution’s AML/CFT program, including, for banks, whether the bank has provided highly useful information to law enforcement and/or leveraged technological innovations to enhance the effectiveness of its AML/CFT program. To align with these changes, the proposed rulemaking by the FDIC, OCC, and NCUA focuses on:
- Including a risk assessment process in AML/CFT program rules that considers the priorities set out by FinCEN;
- Incorporating CDD requirements to reflect prior updates to FinCEN’s requirements;
- Creating a two-pronged framework for evaluating when a financial institution has “established” and “maintained” its program; and
- Establishing the above-referenced consultation process with FinCEN, including developing a standard for the issuance of certain supervisory or enforcement actions to ensure consistency across the same.
Covered financial institutions will still be required to establish and maintain an AML/CFT program that is reasonably designed to ensure compliance with the BSA and includes: (1) internal policies, procedures, and controls, including risk assessment processes and ongoing CDD; (2) independent program testing; (3) designation of a U.S.-based compliance officer; and (4) ongoing employee training. By distinguishing between an AML/CFT program’s design (“establishment”) and its implementation (“maintenance”) in the proposed rules, it is contemplated that this risk-based approach to BSA compliance would result in fewer enforcement actions unless such issues were “significant or systemic.”
Analysis
The proposed rules advocate for a flexible standard that could lead to inconsistent application across covered financial institutions, particularly given the: (1) lack of a prescribed timeframe for updating risk assessments (since the proposed rules require “prompt” updates but do not define a specific period); (2) lack of clarity regarding what constitutes “significant or systemic” implementation failures warranting enforcement action; and (3) broad discretion afforded to financial institutions to determine their own risk assessment methodologies. These are areas that are ripe for public comment.
Importantly, the proposed rules’ aim to remove subjective judgment from exams and audits is a significant and far-reaching shift as it limits the ability of examiners to second guess an institution’s risk assessments and program design choices when those choices are reasonable and risk informed. Such limitation is explicitly tied to the proposed rules’ discussions of risk-based resource allocation, which state that the rules do not “contemplate second-guessing of a bank’s reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks.”
This shift is consistent with the administration’s recent focus on “debanking,” which the administration has stated allowed financial institutions to close accounts and deny services for political and ideological reasons based on the subjective use of “reputation risk” in banking supervision. In keeping with this view, the FDIC and OCC finalized a separate joint rule on April 7, 2026 that removes reputation risk from the FDIC and OCC’s supervisory frameworks.
Conclusion
Overhauling the AML/CFT program rule is an important step and long overdue. With well over twenty years of experience implementing AML/CFT programs compliant with the rule, financial institutions are equipped with the knowledge and experience to tailor their programs to their risk levels. That said, for years regulators have been second-guessing the industry’s decision-making regarding the design and implementation of their AML/CFT programs and bringing hundreds of enforcement actions in situations that too often, in effect and after the fact, result in “Monday morning quarterbacking” their judgment. Enforcement actions based on foot faults or immaterial compliance issues that do not raise the overall risk level at a financial institution and did not result in money laundering activity occurring by, at, or through the institution send signals to the industry that they need to focus their resources and attention on areas of lower risk or potentially face a public enforcement action, which causes significant risk of financial and reputational harm. This not only increases the compliance and regulatory burdens; it also leads to potentially higher risk areas not being prioritized or missed altogether because the regulators’ expectations are skewing the industry’s focus.
One important outcome of FinCEN’s consideration of comments submitted in response to its proposal will be to ensure that adopting a less prescriptive framework does not have the unintended effect of increasing compliance burdens. Issuing meaningful guidance and ensuring that examination and enforcement staff and supervisors have appropriate levels of training, expertise, and judgment so that the industry can implement programs consistent with the government’s expectations and have comfort that they will not be second guessed will go a long way to achieving the goals of this initiative.
As Treasury and FinCEN continue to modernize AML compliance to maintain the BSA’s risk-based framework with greater efficiency and reduced regulatory burden, King & Spalding is well equipped to advise clients subject to these requirements on compliance with their AML obligations.