On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) unveiled a sweeping proposed rule aimed at modernizing anti-money laundering and countering the financing of terrorism (AML/CFT) compliance obligations under the Bank Secrecy Act (BSA). The proposal, developed in coordination with federal banking regulators, reflects a significant evolution in how regulators evaluate compliance programs, enforce obligations, and encourage innovation.

At its core, the proposal attempts to recalibrate the regulatory framework toward outcomes, risk management, and clarity—while reducing ambiguity that has long complicated AML compliance.

A More Structured Approach to Supervision and Enforcement

One of the most consequential changes is the introduction of a more coordinated supervisory framework between FinCEN and federal banking agencies. Under the proposal, regulators such as the OCC, FDIC, Federal Reserve, and NCUA would be required to provide FinCEN with advance notice before taking significant supervisory actions related to AML/CFT deficiencies.

This move signals FinCEN’s intent to play a more active oversight role in enforcement decisions while promoting consistency across agencies. At the same time, FinCEN indicates that enforcement actions will generally be reserved for cases involving substantial or systemic breakdowns, rather than isolated implementation issues.

A Two-Pronged Test for Program Effectiveness

Perhaps the most notable conceptual shift is the adoption of a “two-pronged” framework for evaluating AML/CFT programs. Rather than relying on vague standards such as whether a program is “effective,” the proposal distinguishes between:

• Whether a financial institution has properly established its AML/CFT program; and
• Whether it is adequately maintaining and implementing that program over time.

This distinction is critical. Failures in program design may still trigger enforcement, but shortcomings in execution would need to rise to a significant or systemic level before prompting regulatory action. This approach raises the enforcement threshold and provides institutions with greater predictability.

Reinforcing the Core Pillars—While Reframing CDD

The proposal retains the traditional four foundational elements of an AML program: internal controls, independent testing, designated leadership, and training. However, it formally incorporates customer due diligence (CDD) into the broader internal controls framework, rather than treating it as a standalone “fifth pillar.”

This restructuring does not materially alter CDD obligations but reflects a more integrated, risk-based philosophy.

Mandatory Risk Assessments and Resource Allocation

A key operational requirement is the explicit mandate that financial institutions conduct and maintain risk assessment processes. While many institutions already perform such assessments, the proposed rule standardizes this expectation across sectors, including banks, broker-dealers, and money services businesses.

Importantly, these risk assessments must be dynamic. Institutions are expected to update them when business activities, customer bases, or geographic exposure change.

The proposal also emphasizes that institutions should allocate resources proportionately—focusing more heavily on higher-risk customers and activities. Regulators signal that they will defer to reasonable, well-supported risk determinations, rather than substituting their own judgment.

Governance and Accountability Enhancements

The proposal introduces several governance-related requirements designed to strengthen accountability:

• AML/CFT programs must be approved by a board of directors or equivalent governing authority;
• A designated AML/CFT officer must be located in the United States; and
• Programs must be available for regulatory review upon request.

These changes reinforce the expectation that AML compliance is a core organizational responsibility, not merely a compliance function operating in isolation.

Encouraging Innovation—Including AI

In a notable departure from traditional regulatory caution, FinCEN explicitly acknowledges the role of technological innovation in strengthening AML compliance. The proposal suggests that the use of advanced analytics, including artificial intelligence, may be considered evidence of an effective program.

At the same time, FinCEN reassures institutions that responsible experimentation with new technologies will not, by itself, increase enforcement risk. This reflects a broader policy goal of encouraging modernization and improving the usefulness of reporting to law enforcement.

Harmonization and Extended Implementation Timeline

The proposal also aims to eliminate discrepancies between regulatory regimes by creating a unified AML/CFT standard for banks, regardless of their supervisory structure.

Recognizing the operational complexity of these changes, FinCEN proposes a 12-month implementation period following issuance of a final rule—doubling the timeline initially contemplated in earlier proposals.

Looking Ahead

If finalized, this proposal would represent one of the most significant updates to the U.S. AML/CFT framework in decades. It reflects a broader regulatory shift toward risk-based compliance, clearer standards, and a more measured enforcement posture.

For financial institutions, the message is clear: success will depend not only on having the right policies in place, but on demonstrating thoughtful risk management, governance, and adaptability in an evolving threat landscape.

With the comment period open until June 9, stakeholders have an important opportunity to shape the final contours of this regulatory transformation.