FinCEN Proposes Reform of AML/CFT Program Requirements

On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued a Notice of Proposed Rulemaking (the “FinCEN NPRM”) to reform anti-money laundering and countering the financing of terrorism (“AML/CFT”) program requirements under the Bank Secrecy Act (“BSA”) for all regulated financial institutions. In a parallel Notice of Proposed Rulemaking (the “Banking Agency NPRM”), two of the three federal banking regulators — the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corporation (“FDIC”) — proposed conforming amendments to the AML/CFT program rules for the banking entities they supervise, as did the National Credit Union Administration (“NCUA”). The Board of Governors of the Federal Reserve System (“FRB”) did not join the Banking Agency NPRM.

These NPRMs follow previous proposals by FinCEN in September 2020 and July 2024 to revise the AML/CFT program rules and implement the 2020 Anti-Money Laundering Act (“AMLA”), respectively. The FinCEN NPRM substantially amends the July 2024 proposal and is framed as a cornerstone of the Treasury Department’s BSA modernization efforts.

The new NPRMs include some of the former proposals’ elements, including that programs be “effective” and based on robust risk assessments, and they largely retain the existing core elements of an AML/CFT program. At the same time, they seek to empower financial institutions to maintain more dynamic and innovative AML/CFT programs. And they would significantly change current AML/CFT enforcement and supervisory practices for banks by limiting enforcement for certain implementation deficiencies and coordinating supervisory oversight and enforcement through FinCEN. The long-term practical impact of the NPRMs on the financial services industry will thus depend, in part, on how FinCEN balances two distinct policy priorities:  modernizing BSA regulation; while also prioritizing AML/CFT intelligence-gathering and enforcement efforts that are necessary to support whole-of government criminal and national security priorities.

FinCEN, the federal banking regulators, and the NCUA are requesting comments on all aspects of the NPRMs by June 9, 2026.

The NPRMs define a new framework for “effective” AML/CFT programs and implement certain other reforms to core programmatic requirements.

Prioritizing Program “Effectiveness”. Current FinCEN regulations implementing the BSA generally require that AML/CFT programs and controls be “reasonably designed” to either achieve compliance with the BSA, prevent money laundering, or both. Consistent with AMLA, the NPRMs focus instead on whether AML/CFT programs are “effective.” However, also tracking the statutory text, there remains a requirement that such programs incorporate “a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance” with the BSA (emphasis added).

Defining “Effectiveness”. “Effectiveness” has two components: a financial institution must

1. establish an AML/CFT program by putting in place the required programmatic elements; and
2. maintain it, that is, implement the program “in all material respects.”

The formal distinction between establishing a program and maintaining is important because, as discussed below, the NPRMs propose limitations on the imposition of AML/CFT enforcement and supervisory actions against banks arising from program maintenance and implementation. 

Minimum Program Elements. The minimum elements required to “establish” an AML/CFT program are substantially unchanged from the existing program rule. The NPRMs maintain the traditional four pillars: (1) internal policies, procedures and controls, (2) independent testing, (3) a designated compliance officer, and (4) training. Existing customer due diligence requirements are maintained, without alteration, as part of required internal controls. Risk assessments will become part of the program rule itself, also within the internal controls pillar. While an explicit risk assessment requirement will be new for most financial institutions, this requirement essentially codifies what has already been a longstanding supervisory expectation.  

“Maintaining” an Effective AML/CFT Program. “Maintaining” the program refers to program execution and requires implementation in “all material respects.” Minor deficiencies would “not necessarily mean” an institution has failed to implement its program. But the NPRMs’ preambles cite several circumstances that would comprise, in the agencies’ view, a failure to implement in “all material respects.” These include a consistent failure to implement internal policies, procedures, and controls due to inadequate resources, gaps in transaction monitoring or other controls that result in missing or inadequately covering higher money laundering or terrorist financing (“ML/TF”) risks, or “data-related issues” or other weaknesses that have a “material impact” on the institution’s ability to mitigate its ML/TF risks.

Notable Aspects of Required Program Components.

• Risk Assessment. Institutions will have to evaluate the ML/TF risks associated with their products and services, distribution channels, customers, and geographic locations, as well as the national AML/CFT Priorities,[1] “as appropriate,” and update their risk assessments “promptly upon any change that the financial institution knows or has reason to know significantly changes the institution’s ML/TF risks.” FinCEN, the federal banking regulators, and the NCUA intend to afford institutions substantial discretion in identifying and evaluating ML/TF risks, and institutions may do so through a unified, comprehensive AML/CFT risk assessment process, or multiple sets of processes. The NPRMs do not prescribe specific methodologies or analytical approaches for conducting risk assessments.
• U.S.-Based AML/CFT Officer; Reliance on Overseas Staff and Contractors. The NPRMs clarify that while a designated AML/CFT officer must be located in the United States to facilitate engagement with U.S. regulators and law enforcement, institutions may continue to rely on AML/CFT personnel or third-party service providers located outside the United States, provided the designated officer retains responsibility and oversight for the AML/CFT program.
• Approval of a Written AML/CFT Program. The NPRMs would require that each financial institution’s written AML/CFT program be approved by its board of directors, an equivalent governing body, or appropriate senior management. For some financial institutions, including banks, the proposals would provide greater flexibility than current program rules, which specifically require board approval.
• Independent Testing and Auditing. The preamble to the FinCEN NPRM compares the role of auditors in independent testing to that of supervisory examiners. Audits should be focused on program effectiveness and an auditor should not “substitute his or her own subjective judgment in place of the financial institution.”

The NPRMs promote Treasury’s BSA modernization efforts, mandate resource allocation that aligns with higher-risk activities, and seek to provide financial institutions with greater flexibility in program administration.

Prioritization of Higher-Risk Areas. Consistent with AMLA, the Treasury Department intends for the program rules to enable regulated entities to direct more resources to high-risk areas, de-prioritize lower-risk activities, and focus on generating highly useful information for law enforcement and national security agencies.  

While the focus on higher-risk areas reflects long-standing industry feedback about avoiding check-the-box approaches to BSA compliance, the long-term impact of this change remains uncertain. On the one hand, the NPRMs each emphasize that financial institutions will have “significant flexibility and discretion in  . . . risk identification and resource allocation.” Further, FinCEN states in its preamble that its “proposed rule . . . does not contemplate regulatory second-guessing of a financial institution’s reasonable determinations” regarding risk-identification and resource allocation. At the same time, the proposed rules expressly indicate that an institution’s AML/CFT program will now be considered “established” only where, among other things, it is “directing more attention and resources toward higher-risk customers and activities . . . rather than toward lower-risk customers and activities.” This language could in the future be used to justify the type of second-guessing that FinCEN claims it will not engage in.

Continued Emphasis on Planning and Resourcing. The NPRMs continue to emphasize the importance of financial institutions conducting ongoing assessments of their financial crime risks, providing adequate program resources, and not dismissing even seemingly lower-risk activities where they may evidence higher-risk illicit conduct. For example, the FinCEN preamble observes that “potential structuring should not automatically be dismissed as lower value . . . without determining whether there is a potential connection to various types of other illicit finance.” Financial institutions thus should anticipate that regulatory expectations regarding risk allocation may take time to fully develop as the new program rule is implemented, and that regulatory expectations in these areas may evolve over time.  

The NPRMs would establish policy limits on enforcement against banks and centralize supervisory oversight of banks’ AML/CFT programs within FinCEN.

The NPRMs set forth a new “enforcement and supervision policy” of FinCEN, the OCC, FDIC, and NCUA for banks and credit unions.

Limitation on Enforcement and Significant Supervisory Action. Under the NPRMs, a bank that has established an AML/CFT program will not be subject to civil enforcement or a “significant AML/CFT supervisory action” for AML/CFT program implementation deficiencies, absent a “significant or systemic failure.” This policy would not restrict AML/CFT actions related to failures to establish an AML/CFT program, to other BSA/AML violations (e.g., failure to file SARs), or to criminal violations of the BSA.  

Notice and Consultation Framework. The federal banking regulators will be expected to notify and consult with FinCEN at least 30 days before initiating significant supervisory actions related to the Bank Secrecy Act or its implementing regulations. “Significant supervisory actions” are broadly defined to include any identified deficiency, violation of law, or unsafe or unsound practice relating to the BSA that “communicates supervisory expectations regarding actions or remedial measures” and “contemplates significant or programmatic actions or remedial measures to be taken by the bank.”  

The Banking Agency NPRM also obligates the OCC, FDIC, and NCUA to consult with FinCEN before issuing any formal or informal BSA enforcement action — which is notable, given that the federal banking regulators have previously emphasized their independent statutory authority and obligation to enforce AML/CFT program violations under 12 U.S.C. § 1818(s).

In determining whether to pursue an AML/CFT enforcement or supervisory action, or reviewing a proposed action by a banking agency, FinCEN “shall consider” (1) the factors Congress directed FinCEN to consider in AMLA, including that financial institutions are expending private resources for a public and private benefit; and (2) the extent to which the bank has advanced the national AML/CFT Priorities through providing information to law enforcement, “proactive analytics,” or “performing other innovative activities” that evidence program effectiveness. FinCEN also retains discretion to consider any other factors the Director deems appropriate. 

Analysis of Enforcement and Supervisory Policy Framework. The new policy and consultation requirements reflect a deliberate effort to recalibrate AML/CFT enforcement and supervision away from perceived regulatory over-attention to technical or procedural deficiencies. The proposals also centralize BSA enforcement and supervision with FinCEN, potentially providing greater consistency in how supervisory judgments are applied. 

The requirements are likely to meaningfully alter existing enforcement and supervisory practices. In the near term, banks can expect substantially less AML/CFT-related enforcement arising from bank examinations. The impact may be even more pronounced on the supervisory side — both because of formal policy changes concerning assessment of AML/CFT program implementation, and also because many MRAs, MRBAs, and MRIAs will fall within the scope of “significant AML/CFT supervisory actions” that are now subject to a FinCEN notification and consultation requirement. That requirement could both limit adverse findings and slow the finalization of supervisory and examination reports — although its practical impact may be cabined in part by the fact that FinCEN does not have to affirmatively approve bank regulator enforcement or supervisory actions, and there is no consultation requirement for “examiner observations, suggestions, or other informal comments.”

Effect of FRB Non-Participation. The FRB’s non-participation in the Banking Agency NPRM aligns with the FRB’s decision not to participate in an October 2025 proposal addressing reform of the “unsafe or unsound practices” standard. This could conceivably mean that state member banks and the non-depository operations of bank holding companies may face more extensive supervisory and enforcement risk than other banks.  In practice, however, we expect that the FRB will seek where possible to align its supervisory approach to that of other regulators and to coordinate informally with FinCEN on material supervisory and enforcement matters.

Long-Term Impact. While the NPRMs roll back certain previous enforcement and supervisory practices, FinCEN, the federal banking regulators, and the NCUA retain broad authority to enforce violations and deficiencies or require remedial actions. The terms “significant AML/CFT supervisory actions” and “significant or systemic failure” can be applied differently by different regulators and administrations. Even in the present administration, FinCEN has been assertive in exercising its authorities to advance whole-of-government priorities, such as those relating to drug cartels, trade controls, and immigration. The NPRMs do not constrain FinCEN or the federal banking regulators from continuing to pursue proactive supervision and enforcement in these priority areas.

For information about the NPRM, please contact the members of Covington’s Financial Services and Investigations practices.