FinCEN Proposed Rule on AML/CFT Program Requirements: Key Implications

The proposed rule sets out uniform terms for an AML/CFT program across FinCEN's regulations for all types of financial institutions regulated under the BSA, and not just banks. Thus, it is broad, applies across multiple sectors and delineates the requirements that must be met for financial institutions to have an effective AML/CFT program. It also signals latitude for financial institutions to implement next-generation technologies for AML programs. 

FinCEN will receive comments on the proposed rule through June 9, 2026.

Key Changes of Proposed Rule

The most notable changes under the proposed rule include:

• Risk-focused program design and ongoing assessments
  The proposed rule emphasizes that AML/CFT programs must be grounded in risk-based assessments tailored to an institution’s specific business, taking into account lines of business, customers and geography. While many banks and financial institutions have already implemented risk-based programs, FinCEN places new emphasis on the obligation to continuously maintain and update programs pursuant to risk assessment processes. Risk assessment processes are not intended to be periodic or static; rather, they must be updated as risk profiles change, including when institutions introduce new products or services, enter new markets or serve new customer types.
• Uniform guidelines for effective AML/CFT programs and testing
  Under the proposed rule, establishing a program would require a financial institution to design a risk-based AML/CFT framework incorporating four core required pillars: (1) internal policies, procedures, and controls including risk assessment processes and, when applicable, ongoing customer due diligence; (2) independent program testing; (3) designation of a U.S.-based compliance officer; and (4) ongoing employee training.  Again, many financial institutions already have established AML/CFT programs with these components, but FinCEN has recognized that it can “reasonably be expected to result in novel or alternative activities being undertaken by at least some affected parties.” Further, although financial institutions would retain flexibility in how they test the effectiveness of their programs, testing must focus on program effectiveness, be conducted by individuals or parties who are truly independent of the AML/CFT function and avoid conflicts of interest.
• U.S.-based AML/CFT compliance officer
  The proposed rule requires that the designated AML/CFT compliance officer be located in the United States and subject to FinCEN oversight and the appropriate Federal regulators. FinCEN clarifies that while the AML/CFT officer must be located in the United States, personnel located outside of the United States still would be permitted to perform certain AML/CFT functions. The proposed rule would not change existing regulations and guidance that generally prohibit the sharing of suspicious activity reports (SARs) with personnel located outside of the United States other than in limited circumstances, such as sharing with a bank’s foreign head office or controlling company.
• Updates to enforcement approaches—establishing vs. implementing an AML/CFT program
  The proposed rule also refocuses supervisory expectations on effectiveness by distinguishing between deficiencies stemming from the program’s design (“establishment”) on the one hand, or failures in the program’s operation (“implementation”) on the other. FinCEN intends this two-prong framework to help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design with criticisms of day-to-day implementation. Under the proposed rule, a financial institution maintains its properly established AML/CFT program by implementing it in all material respects. FinCEN’s commentary regarding this proposed change is that, generally, FinCEN or other supervisory authorities would not take significant supervisory action if there is an established AML/CFT program unless there are significant or systemic implementation issues.
• Increased FinCEN oversight in supervisory process
  The proposed rule would expand FinCEN’s role in AML/CFT supervision, particularly for banks. Other federal banking regulators generally would be required to provide advance notice (30 days) to FinCEN before taking significant AML/CFT supervisory actions and to consider FinCEN’s input. This change is intended to give FinCEN a more direct role in enforcement and promote greater consistency across regulators and enforcement action. It affirms FinCEN’s central role in AML/CFT supervision, including through the introduction of a notice and consultation framework between Federal banking supervisors and FinCEN with respect to significant AML/CFT supervisory actions.
• Support for innovative technologies in AML programs
  FinCEN takes further steps in the proposed rule, consistent with the AML Act, to support implementation of artificial intelligence and other advanced tools in AML programs, while seeking to manage perceived enforcement risks—a longstanding concern of banks and other financial institutions. FinCEN states that “{i}nstitutions that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely based on the use of innovative technologies. To the contrary, FinCEN recognizes that fostering the use of innovative technologies is vital to improving financial crime compliance and fighting illicit finance and strongly encourages their responsible use.”

Expectations Regarding FinCEN’s Enforcement Priorities
FinCEN’s proposed rule outlines FinCEN’s enforcement and supervisory policy for AML/CFT programs. As stated above, FinCEN’s commentary is that it generally would not take significant supervisory action unless there are significant or systemic failures to maintain an AML/CFT program. In determining whether to pursue an enforcement action or a significant supervisory action, or when reviewing a proposed supervisory action by a Federal banking supervisor, FinCEN’s Director would consider (i) the four core program pillars noted above that are required by the AML Act, (ii) the extent to which the financial institution advances AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, (iii) and whether the bank is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank’s AML/CFT program, among other considerations that FinCEN’s Director may deem appropriate.

Further, FinCEN’s commentary on the proposed rule reflects FinCEN’s approach to feedback received regarding a previous rule proposed in 2024. Comments to the 2024 rule included concerns about compliance costs and operational burden. Many commenters—particularly smaller institutions—warned that the proposal could increase compliance costs, especially due to requirements around formalized risk assessment processes, that might not be warranted based on institution size and business model. In response, FinCEN has recognized that financial institutions are spending private funds for both public and private benefit, and the new proposed rule is designed to avoid requiring expenditures that do not provide meaningful value. FinCEN has underscored that institutions themselves are best positioned to assess their risks and should have “significant flexibility and discretion” in risk identification and resource allocation. Based on previous comments, FinCEN has also emphasized its objective to encourage prioritization and resource allocation to high-risk compliance areas. 

In particular, the proposed rule takes a proportional approach for community banks, making clear that AML/CFT program requirements should be commensurate with a bank’s size, complexity and risk profile. FinCEN specifically recognizes that community banks often rely on direct knowledge of their customers, local markets and transaction patterns, and that this knowledge can appropriately inform their AML/CFT programs. As a result, these institutions are not automatically expected to implement highly complex or model-driven systems, but may instead use simpler, qualitative risk assessments. At the same time, core AML/CFT obligations still apply, including the requirement to establish and maintain an effective, risk-based program and to update it as risks evolve.

FinCEN has recognized and stated in the proposed rule that “it is not possible for a financial institution to detect and report all potentially illicit transactions” and “a financial institution’s AML/CFT program can be effective without preventing every minor instance.” However, although it appears to be FinCEN’s approach that institutions are not expected to prevent every compliance lapse, it is critically important to recognize the proposed rule does not provide a safe harbor from compliance with criminal law. 

FinCEN makes clear that these principles do not limit or alter existing legal obligations under the BSA or related criminal statutes. Even where a financial institution has established an effective, risk-based program, it may still face civil or criminal liability for violations, particularly in cases involving willful misconduct or systemic failures. In this respect, the rule reinforces that a risk-based, effectiveness-oriented framework governs supervisory expectations—but does not shield institutions from enforcement under applicable law.