Financial Services Advisory | FinCEN and Federal Banking Agencies Propose Changes to AML/CFT Program Rules

On April 10, 2026, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) issued a notice of proposed rulemaking to revise anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements applicable to banks and credit unions subject to the agencies’ supervision.

The Proposed Rule would amend the agencies' AML/CFT program regulations to align with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) concurrent proposed rulemaking under Bank Secrecy Act (BSA) authority. The FinCEN proposal has guided the substance of the Proposed Rule and would also amend AML/CFT program requirements applicable to money services businesses (MSBs), casinos, broker-dealers, and other financial institutions subject to the BSA.

Notably, the Board of Governors of the Federal Reserve System did not join in the Proposed Rule, but it was consulted in developing these proposals, including as part of 2024 proposed rulemaking that would be superseded.

Key Takeaways

• Enhanced supervisory coordination with FinCEN. The agencies would be required to consult with FinCEN before taking certain enforcement or significant supervisory actions against banks or credit unions. FinCEN intends this requirement to promote a more consistent and holistic approach to enforcement and supervision activity, focusing on program effectiveness rather than “mere technical compliance.”
• Two-pronged “effective program” and enforcement standard. The proposals formally distinguish between AML/CFT compliance program design (i.e., establishment) and execution (i.e., implementation), and would generally restrict implementation-based enforcement to significant or systemic, rather than isolated or technical, failures.
• Risk assessment as the core organizing principle. Institutions would be expressly required to maintain and update documented risk assessment processes that drive program design, monitoring, and governance.
• Mandatory integration of AML/CFT national priorities. FinCEN’s national priorities would be incorporated through risk assessment processes, with substantive, as opposed to perfunctory, implementation.
• Resource allocation tied to risk. The proposals codify the expectation that institutions direct greater attention and resources to higher-risk customers and activities, increasing focus on alignment between risk assessments and operations.

Comments are due by June 9, 2026. FinCEN and the agencies have proposed an effective date of 12 months following the issuance of final rules.

Overview

FinCEN and the agencies describe the Proposed Rule and FinCEN proposal as efforts to advance the modernization objectives of the Anti-Money Laundering Act of 2020 (the AML Act) by embedding government-wide AML/CFT priorities into institutional frameworks and reinforcing a risk-based, outcomes-oriented approach.

While the proposals largely reiterate existing regulatory expectations, they update outdated and inconsistent technical requirements and emphasize generating “highly useful” law enforcement information, a stated purpose of the BSA.

Although FinCEN administers the BSA and technically delegates its supervision to the agencies for the institutions they supervise, in issuing the Proposed Rule, the agencies emphasize that they are acting pursuant to their independent statutory authority to require supervised institutions to establish and maintain procedures reasonably designed to assure and monitor BSA compliance. A coordinated approach is intended to maintain consistency between FinCEN’s requirements and prudential supervisory expectations.

Importantly, the FinCEN consultation requirement under the Proposed Rule would not restrict the agencies from initiating supervisory or enforcement action under independent, nondelegated authority, such as broad safety and soundness oversight authority.

Key Changes Under the Proposed Rule

A clearer “effective program” standard

At the center of the proposals is a formal distinction between program design and program execution.

An “effective” AML/CFT program would be one that is both “established” with specified minimum components and “maintained” through implementation “in all material respects.” This distinction is intended to differentiate failures to establish required program elements from failures to execute an otherwise compliant program.

Under the proposals, when a bank or credit union has established a compliant AML/CFT program, it generally “will not be subject to” an AML/CFT enforcement action or “significant AML/CFT supervisory action” based solely on implementation issues unless those issues are “significant or systemic” failures. At the same time, FinCEN and the agencies make clear that this approach does not limit actions addressing failures to establish a compliant program or criminal enforcement under the BSA.

According to FinCEN and the agencies, the revised framework is designed to highlight whether identified issues reflect isolated execution gaps or broader breakdowns in program design or implementation.

An explicit risk-based program architecture

The proposals retain the traditional “four pillars” of AML compliance but significantly enhance the internal controls component by anchoring it in a formal risk assessment process:

1. Risk-based internal controls.
2. Independent program testing.
3. A designated U.S.-based individual responsible for program establishment and implementation.
4. Training.

Institutions would be required to maintain policies, procedures, and controls “reasonably designed” to identify, assess, document, and mitigate money laundering and terrorist financing risks, including directing more attention and resources to higher-risk customers and activities and conducting ongoing customer due diligence.

The “reasonably designed” standard is intended to preserve flexibility and support innovation. However, controls that are sufficient at one point in time may no longer satisfy expectations as an institution’s risk profile evolves.

Codified risk assessments and integration of national priorities

Institutions would be required to establish and maintain ongoing, documented risk assessments that are updated in response to material changes in products, customers, geographies, or delivery channels. The assessments would also serve as the mechanism for incorporating FinCEN’s AML/CFT national priorities (as required under Section 6101 of the AML Act), including corruption, cybercrime, terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking and smuggling, and proliferation financing.

The agencies caution against “surface-level, perfunctory” approaches and instead expect institutions to assess how these risks manifest across their business lines and to integrate them meaningfully into monitoring, investigation, and escalation frameworks.

Resource allocation, CDD, and governance expectations

The proposals codify Section 6101’s requirement that institutions direct more attention and resources toward higher-risk customers and activities, rather than applying uniform controls across risk categories.

This formulation is likely to influence supervisory expectations for the alignment between risk assessments and operational decisions, including alert thresholds, investigative workflows, staffing levels, resource deployment and governance oversight. While examiners will likely take a closer look at institutions’ mitigation practices, the agencies expressly state that examiners should not substitute their judgment for that of an institution.

Under the Proposed Rule, the agencies would incorporate ongoing customer due diligence (CDD)—sometimes referred to as a “fifth pillar” of AML programs—directly into the required program rule structure, aligning with FinCEN’s existing CDD framework. This includes developing customer risk profiles, conducting ongoing monitoring to identify and report suspicious activity, and updating customer information on a risk basis.

The agencies note that embedding CDD within the internal controls program pillar better reflects how institutions operationalize these requirements in practice. The FinCEN proposal takes a similar approach to other financial institutions (such as broker-dealers) subject to CDD rules.

The proposals also clarify governance expectations by requiring a written AML/CFT program approved by the board of directors, an equivalent governing body, or appropriate senior management, and requiring designation of a U.S.-based AML/CFT officer who is accessible to regulators and responsible for program implementation.

While FinCEN and the agencies acknowledge that certain AML functions may be performed outside the United States, they highlight potential constraints under existing rules and interpretive guidance for suspicious activity report (SAR) confidentiality and cross-border information sharing.

Consistent with the AML Act’s emphasis on innovation, FinCEN and the agencies decline to prescribe specific technologies but explicitly encourage institutions to consider whether emerging tools such as machine learning, generative artificial intelligence (AI), digital identity solutions, and blockchain analytics could enhance program effectiveness.

New Supervisory and Enforcement Framework

FinCEN consultation and coordination

The Proposed Rule would introduce a more structured supervisory framework centered on enhanced coordination with FinCEN. Before initiating an AML/CFT enforcement action or a “significant AML/CFT supervisory action” against a bank or credit union, the relevant agency would be required to provide FinCEN with an opportunity to review and offer input.

“AML/CFT enforcement action” would be defined broadly to include both formal and informal actions such as cease-and-desist orders, written agreements, consent orders, memoranda of understanding, and civil money penalties. Notably, “significant AML/CFT supervisory actions” would include formal determinations requiring remedial measures but not routine examiner observations or any actions initiated by the agencies beyond the BSA supervisory and enforcement authority delegated to them by FinCEN.

Notice process and information sharing

This consultation requirement would generally be implemented through a 30-day advance notice process, under which the relevant agency would provide FinCEN with supporting materials, including draft examination findings, draft enforcement actions, and examination workpapers. Exceptions may apply, at the agencies’ discretion, in exigent safety- and soundness-related circumstances. FinCEN would also be entitled to request that agencies respond to additional information requests.

The FinCEN proposal outlines factors that FinCEN must consider in determining whether to take an AML/CFT enforcement action or “significant AML/CFT supervisory action” against a bank or credit union, or in reviewing a “significant AML/CFT supervisory action” proposed by one of the agencies, including:

• Factors specified under the AML Act guiding FinCEN’s development of minimum AML/CFT program standards, including that these programs should be risk-based and the fact that, under these programs, financial institutions “are spending private compliance funds for a public and private benefit” (namely, protecting the U.S. financial system from illicit finance risks and safeguarding U.S. national security generally), as well as extending financial services to the “underbanked” and facilitating transactions (including cross-border remittance) in ways that prevent criminal abuse of payment systems.
• The extent to which the institution in question, in light of its size, complexity, and risk profile, has advanced published AML/CFT priorities “by providing highly useful information to law enforcement authorities or national security officials, conducting proactive analytics, or performing other innovative activities producing demonstrable outputs evincing the effectiveness of the [institution’s] AML/CFT program (including effective use of artificial intelligence, federated learning, and other advanced monitoring tools).”
• Any other factor that FinCEN deems appropriate, including the institution’s size, complexity, and risk profile, and, as relevant, where the institution’s low-risk customers or limited business activities naturally limits the extent to which the institution can meaningfully contribute to AML/CFT priorities.

The Proposed Rule also includes two alternative approaches to facilitating the agencies’ sharing of supervisory information with FinCEN, notwithstanding existing confidentiality restrictions.

Both approaches include explicit provisions that disclosure to FinCEN does not waive legal privileges, including attorney-client privilege, work product protection, and the bank examination privilege. Collectively, these provisions are intended to enhance FinCEN’s role within AML/CFT supervision and alleviate concerns that privilege or confidentiality constraints could inhibit effective information sharing.

Practical Implications

Even for institutions with well-established AML/CFT programs, the proposals could have meaningful implications.

Institutions may face increased scrutiny of risk assessment processes, with an expectation of a more dynamic, ongoing approach. There is also an emphasis on whether and how institutions update controls in response to changes in risk.

Institutions may also face heightened expectations on the substantive integration of AML/CFT national priorities into program design and execution, particularly when an institution determines that certain priorities are not applicable or present lower risk. Similarly, the emphasis on allocating greater attention and resources to higher-risk activity may require clearer documentation of how risk assessments drive operational decisions, including transaction monitoring frequency, staffing plans, and governance oversight.

From a governance perspective, institutions may need to reassess approval structures and the level of detail presented to governing bodies and senior management. Institutions with global operations should evaluate compliance with the U.S.-based AML/CFT officer requirement and consider how to balance operational efficiency and enterprise-wide standards with regulatory expectations on accessibility and SAR confidentiality. For banks and credit unions, the introduction of formal FinCEN consultation may affect the dynamics of supervisory and enforcement actions.

Conclusion

The FinCEN proposal and Proposed Rule reflect a more risk-based, outcomes-oriented federal AML/CFT framework, coupled with a more structured and coordinated supervisory approach.

By proposing to clarify the distinction between program design and execution, elevate risk assessment processes, and enhance coordination between FinCEN and the agencies, these regulators are signaling a more precise, nuanced approach to both supervision and enforcement.

While these proposals are still in their initial stages, institutions should begin assessing alignment with these expectations and consider engaging in the rulemaking process.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.