Key Takeaways:

• On April 10, 2026, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued a proposed rule to amend the anti-money laundering and countering the financing of terrorism (“AML/CFT”) program requirements for financial institutions and create a new supervisory and enforcement framework requiring the federal supervisors of banks and credit unions (the “Agencies”) to consult with FinCEN before initiating significant AML/CFT supervisory actions.
• The proposed rule would require financial institutions to establish and maintain “effective” AML/CFT programs under a new two-pronged framework that distinguishes between program design and implementation and, for banks, would limit FinCEN enforcement and FinCEN or Agency significant supervisory actions based on implementation deficiencies to cases involving significant or systemic failures.
• On Monday, April 27, at 11 AM Eastern, we are hosting a webinar to discuss this new proposal and FinCEN’s new whistleblower proposal. If you would like to attend, please register here. If you would like to receive the on-demand recording, please register here.

---

On April 10, 2026, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) published a proposed rule (the “Proposed Rule”) in the Federal Register to amend the anti-money laundering and countering the financing of terrorism (“AML/CFT”) program requirements for financial institutions under the Bank Secrecy Act (“BSA”) and to introduce a new supervision and enforcement framework for banks that would require the federal bank and credit union supervisory agencies (together, the “Agencies”) to consult with FinCEN before initiating any “significant AML/CFT supervisory action.” The comment period on the Proposed Rule ends June 9, 2026. The final rule would take effect 12 months from its issuance.

The Proposed Rule would require financial institutions to establish and maintain “effective” AML/CFT programs, defined through a new two-pronged framework distinguishing between program “establishment” (design) and program “maintenance” (implementation). FinCEN intends this two-pronged framework to promote “consistent articulation of supervisory expectations and prevent conflating criticisms of program design … with criticisms of day-to-day implementation.”

• Establishment. Under the Proposed Rule, financial institutions would be required to establish a risk-based framework integrating four core required pillars: (1) internal policies, procedures and controls; (2) independent program testing; (3) a U.S.-based AML/CFT officer; and (4) ongoing employee training. FinCEN places particular emphasis on financial institutions’ risk-assessment processes, explaining that, by doing so, financial institutions would be free to devote more attention and resources toward higher risks. At the same time, FinCEN notes that a financial institution’s failure to update its program to reflect significant changes to its risk profile may result in the program no longer meeting the “establishment” requirements.

• Maintenance. Under the Proposed Rule, financial institutions would be required to maintain their AML/CFT programs by implementing them “in all material respects.” For a bank failing to satisfy the maintenance prong, the Proposed Rule would limit FinCEN enforcement and FinCEN or Agency significant supervisory actions to cases involving significant or systemic deficiencies in program implementation. In addition, the Agencies would be required to provide FinCEN with advance notice of certain potential significant AML/CFT supervisory actions, with the goal of enhancing FinCEN’s role in the AML/CFT supervisory and examination process and fostering consistency in how banks are evaluated

In this Debevoise In Depth, we highlight key provisions of the Proposed Rule and the potential implications for financial institutions. In addition, on Monday, April 27, we are hosting a webinar to discuss the Proposed Rule and FinCEN’s proposed new whistleblower rules (please register here to attend; register here to receive the on-demand recording).

Background

The AML Act, enacted on January 1, 2021, represented the first comprehensive reform of the BSA in decades. Section 6101(b) of the AML Act made several changes to the BSA’s AML/CFT requirements, including directing FinCEN to establish government-wide AML/CFT priorities (the “AML/CFT Priorities”), adding an express reference to CFT in the BSA’s program rule requirements and mandating that the duty to establish, maintain and enforce an AML/CFT program be the responsibility of persons in the United States.

Treasury Secretary Scott Bessent has identified BSA reform as a top priority, noting that the current supervisory regime has involved a “zero-tolerance focus on process and documentation” and latitude for supervisory judgments that are not always consistent with law or national security priorities. In contrast, the Proposed Rule is intended to empower financial institutions to focus resources and attention on higher-risk customers and activities and ensure that examiners do not substitute their own judgments in place of financial institutions’ risk-based, reasonably designed programs.

The Proposed Rule supersedes and withdraws a 2024 proposal to implement Section 6101(b) of the AML Act and address AML/CFT program effectiveness.

Overview of the Proposed Rule

Proposed Rule’s AML/CFT Program Requirements

A New Two-Pronged Framework: Establishing and Maintaining an AML/CFT Program
The Proposed Rule would create a two-pronged framework under which a financial institution’s AML/CFT program would be deemed “effective” if the financial institution both establishes and maintains its program in accordance with FinCEN’s regulations. Under this structure, financial institutions must:

• establish an AML/CFT program that incorporates all required components, as discussed below; and

• after establishing such a program, maintain it by implementing it in all material respects.

This two-pronged framework does not in and of itself change the substantive obligations under the current regulations; rather, the distinction between establishing and maintaining a program is intended to help promote consistent articulation of supervisory expectations, with particular significance for banks, as discussed below.

Establishment of the AML/CFT Program: The Four Pillars
The Proposed Rule generally retains the framework of the four AML/CFT program pillars under the BSA. The proposal adds the express obligation to establish risk assessment processes, including consideration of the AML/CFT Priorities, within the internal policies, procedures and controls pillar, and specifies that the AML/CFT officer must be located in the United States.

The Proposed Rule otherwise makes generally non-substantive changes to existing program requirements, including moving ongoing customer due diligence (“CDD”) or other diligence-related obligations for certain financial institutions (including the so-called “fifth pillar” adopted by FinCEN in 2016) within the internal controls pillar and standardizing language across the program rules applicable to different financial institution types.

The four minimum components of program establishment in the Proposed Rule are:

• Risk-based set of internal policies, procedures and controls: The set of internal policies, procedures and controls must be reasonably designed to ensure compliance with the BSA and FinCEN’s regulations as well as to (i) identify, assess and document money laundering and terrorist financing (“ML/TF”) risks through risk assessment processes (discussed below), (ii) mitigate those ML/TF risks, including by allocating more attention and resources toward higher-risk customers and activities, and (iii) for certain financial institutions, conduct ongoing CDD or other diligence-related activities.

• Independent testing: Independent testing should be based on objective criteria designed to assess whether a financial institution has established and maintained an effective AML/CFT program and allocated resources consistent with its risk assessment processes, and to identify issues for remediation accordingly. FinCEN notes that it does not believe that an auditor should substitute his or her own subjective judgment for that of the financial institution.

• U.S.-located AML/CFT officer: Financial institutions must designate an individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance with AML/CFT requirements (the “AML/CFT Officer”). The Proposed Rule adds to the existing regulations a requirement that the AML/CFT Officer be located in the United States and accessible to, and subject to oversight and supervision by, FinCEN and its designee. FinCEN clarified that overseas personnel may continue to assist with certain AML/CFT functions, an important point that was the subject of numerous comments on the (now withdrawn) 2024 proposal.

• Ongoing employee training program: The Proposed Rule retains the existing training requirement. FinCEN reiterated that the frequency, content and scope of ongoing training (including which employees and non-employees would require such training) should depend on the financial institution’s ML/TF risk profile and the roles and responsibilities of the persons receiving the training.

Importantly, FinCEN intends for program establishment to be an ongoing obligation rather than a one-time exercise. For example, a financial institution’s risk-based set of internal policies, procedures and controls must remain current as the financial institution’s risk profile changes. Even when a financial institution has previously established a compliant program, a failure to update the program in response to significant changes could constitute a failure to properly establish an effective program. This ongoing obligation extends equally to an institution’s employee training program and independent testing, which must likewise be kept current as the institution’s risk profile changes.

Program Maintenance: Implementing the Established Program
“Implementation,” as the Proposed Rule uses the term, focuses on whether a financial institution is executing its established program in practice—including whether it is allocating resources as contemplated by that program—rather than on whether the program has been properly designed.

FinCEN does not provide a detailed definition of what constitutes implementation in all material respects. Instead, it offers the following illustrative examples of potential failures to maintain a program: (i) internal policies, procedures and controls that are not being performed, or are not being performed on a consistent, regular and timely basis, due to inadequate resources; (ii) gaps in risk assessment processes that result in a program missing or inadequately covering higher ML/TF risks; or (iii) deficiencies or weaknesses in risk assessment processes that have a material impact on the institution’s mitigation of ML/TF risks through its internal policies, procedures and controls.

FinCEN identifies several mechanisms through which a financial institution could become aware of implementation-related concerns, including independent testing of the AML/CFT program, examiner observations or informal comments, management information systems outputs such as key performance indicators or key risk indicators, and issues identified by personnel involved in the operation of the program. A financial institution that fails reasonably to address warnings that its program is not being implemented would be at risk of a significant AML/CFT supervisory action, an AML/CFT enforcement action or both.

Mandatory Risk Assessment Processes
As part of a financial institution’s risk-based set of internal policies, procedures and controls, the Proposed Rule requires that financial institutions establish risk assessment processes that:

• evaluate the ML/TF risks of the institution’s business activities, including products, services, distribution channels, customers and geographic locations;

• review and, as appropriate, incorporate the most recent AML/CFT Priorities (to help ensure that financial institutions understand their exposure to risks in areas that are of particular importance nationally); and

• are updated promptly upon any change that the institution knows or has reason to know significantly changes its ML/TF risk profile (which may include introduction of new products, services or customer types; adoption of new risk mitigation technologies; expansion or contraction through mergers or divestitures; or factors external to the financial institution).

Notably, the use of the term “risk assessment processes” in the plural is intentional; FinCEN recognizes that many financial institutions currently maintain a single, standalone risk assessment, but the Proposed Rule contemplates that an institution may rely on multiple processes within its overall AML/CFT program. Financial institutions will be examined based on the totality of those processes, rather than the sufficiency of any single one.

FinCEN notes that it currently expects financial institutions to adopt risk-based AML/CFT programs and, thus, that many institutions already conduct risk assessments. The Proposed Rule would standardize existing expectations across all financial institutions by making risk assessment processes a formal regulatory requirement for all financial institutions. That said, although the requirement would be standardized, the methodology would not, and each institution would be able to determine for itself how best to assess and document its risks based on its size, complexity and business model. FinCEN also would not prescribe any timeframe for institutions to update their risk assessment processes.

Resource Allocation on Higher-Risk Areas and Examination Expectations
Consistent with the AML Act, the Proposed Rule requires financial institutions to allocate resources based on risk, directing greater attention to higher-risk customers and activities. FinCEN notes that a financial institution knows its customer base, business and risks better than regulators and the government and, being best positioned to identify and evaluate ML/TF risks, should have “significant flexibility and discretion” in its decisions and determinations related to risk identification and resource allocation.

In the preamble, FinCEN notes that the Proposed Rule does not contemplate regulatory second-guessing of a financial institution’s reasonable determinations regarding appropriate resource allocation or conclusions about specific risks. Instead, examiners would be expected to assess:

• whether a financial institution’s resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes (program establishment); and

• whether the institution knows or should know of resource-related issues that may result in a failure to implement its program in all material respects (program maintenance).

Approval of Written AML/CFT Program
The Proposed Rule requires that a financial institution’s written AML/CFT program be approved by the board of directors or an equivalent governing body or appropriate senior management.

The senior management approval option would be new for certain institution types (e.g., banks) and thus may provide greater flexibility than the current rules. Conversely, for casinos and MSBs, the approval requirement would be new, as their existing program rules do not contain any board or senior management approval requirement.

Supervisory and Enforcement Reform for Banks: Heightened Threshold for Government Action and FinCEN Consultation

The Proposed Rule would establish a supervision and enforcement framework applicable only to banks and the Agencies, although FinCEN has solicited comment on whether this framework should be extended to other financial institutions.

Under the Proposed Rule, a bank that has properly established an AML/CFT program would not be subject to a FinCEN AML/CFT enforcement action or significant supervisory action brought by FinCEN or an Agency (acting under supervisory authority delegated by FinCEN) based solely on implementation deficiencies, unless those deficiencies are significant or systemic. However, any failure to properly establish a program (which FinCEN interprets to include keeping the program up to date) would remain fully subject to enforcement. The Proposed Rule does not affect the factors that FinCEN applies in the disposition of a violation.

In addition, to help ensure that bank examiners are performing “risk-focused” supervision, the Proposed Rule would require the Agencies, when acting under supervisory authority delegated by FinCEN, to provide notice to and consult with FinCEN prior to taking a significant AML/CFT supervisory action, including to allow FinCEN the opportunity to offer input on the effectiveness of the bank’s AML/CFT program. The Agencies must provide written notice to FinCEN at least 30 days before the proposed action (unless a shorter period is necessary to address an unsafe or unsound condition), accompanied by relevant AML/CFT information underlying the proposed action (including relevant examination workpapers, draft enforcement action and AML/CFT information submitted by the bank). The Agencies must also respond, to the extent reasonably practicable, to requests for additional information from FinCEN.

Finally, in determining whether to take an enforcement or a significant supervisory action with respect to a bank, or when reviewing a proposed action by the Agencies, FinCEN will consider various factors, including (i) certain statutory factors (including recognition that financial institutions are spending private compliance funds and that extension of financial services to the underbanked is a key policy goal), and (ii) the extent to which the bank, where appropriate in light of its size, complexity and risk profile, has advanced the AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, conducting proactive analytics or performing other innovative activities that produce “demonstrable outputs evincing the effectiveness of the bank’s AML/CFT program (including effective use of artificial intelligence, federated learning, and other advanced monitoring tools).” This proposal signals FinCEN’s intent that demonstrable AML/CFT outputs and innovative approaches, not merely technical program compliance, play a more central role in supervisory assessments going forward.

Harmonization and Technical Changes

The Proposed Rule would make several additional changes in the interest of consistency, modernization and clarity across FinCEN’s program rules for different types of financial institutions, including the following:

• Countering the financing of terrorism would be formally incorporated into all program rule references, replacing “AML program” with “AML/CFT program.”

• The two existing bank program rules—for banks with and without a federal functional regulator—would be consolidated into a single set of rules.

• Casino and MSB program rules would be harmonized with the framework applicable to other institution types.

• Outdated compliance dates, unnecessary cross-references and redundant regulatory text would be removed.

• New definitions would be added, including “AML/CFT priorities” and “Federal Financial Institutions Regulatory Agency.”

Potential Implications for Financial Institutions and Next Steps

The Proposed Rule and the accompanying preamble address several longstanding criticisms of the existing AML/CFT framework, and certain aspects have been positively received by banks and other financial institutions. Financial institutions should review the Proposed Rule to understand its potential implications for their AML/CFT programs, consider how their programs would be evaluated under the proposed two-pronged “establish and maintain” framework for determining program effectiveness and identify areas where additional regulatory clarity or guidance may be warranted.

We believe key areas of focus for financial institutions — both to inform potential comments and to prepare for the possibility that the Proposed Rule is finalized in whole or in part — include the following:

• Risk assessment processes and risk-based resource allocation: Financial institutions may consider how the proposed risk assessment processes requirement, including the requirement to review and incorporate AML/CFT Priorities, could affect their existing practices and how their internal policies, procedures and controls may be designed to mitigate their identified ML/TF risks through risk-based resource allocation.

• Enforcement and supervisory threshold for banks: Banks in particular may wish to consider the implications of the proposed supervision and enforcement framework, under which a properly established program would insulate the institution from enforcement or significant supervisory action absent a “significant or systemic failure” to implement the program. Because this protection would not apply if a bank fails to keep its program updated to reflect significant changes in the bank’s risk profile, banks may evaluate their existing processes for updating their AML/CFT programs and consider whether those processes would be sufficient under the proposed framework or whether additional guidance is needed on FinCEN’s expectations.

• U.S.-located AML/CFT Officer requirement: Institutions with global operations that currently have their AML/CFT Officers located overseas may wish to evaluate the potential operational and structural changes that may be necessary to comply with the proposed U.S.-location requirement.

Private sector feedback will be critical as FinCEN continues to consider how best to modernize and strengthen the U.S. AML/CFT regime. FinCEN has included 29 questions for public comment on the Proposed Rule, and financial institutions should consider engaging, whether through their trade associations or directly, to provide feedback, including on key issues such as whether the “significant or systemic failure” standard requires further clarification, whether the supervision and enforcement provisions should be extended beyond banks to other financial institution types and whether the proposed 12-month implementation period would be sufficient.

 

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.