

FinCEN Proposes Fundamental Reforms to AML/CFT Program Requirements: Key Takeaways for Financial Institutions

April 29, 2026

By Leo Tsao, Jonice M. Gray, Kari Hall, Matthew Previn, Braddock J. Stevenson and Olivia Tyndall

On April 7, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPRM) that the agency said would “fundamentally reform” the requirements for anti-money laundering and countering the financing of terrorism (AML/CFT) programs. According to FinCEN, the NPRM signals a substantial move away from a regulatory regime that evaluates financial institutions based on their technical compliance with the Bank Secrecy Act (BSA) and instead proposes to adopt a results-based framework that focuses on whether financial institutions are effectively mitigating their highest risks.

This development also seeks to bring BSA/AML regulation into closer alignment with the Trump administration’s recalibration of safety and soundness expectations, a tension that has been the source of much discussion. If adopted, the changes proposed by the NPRM will substantially impact how financial institutions design, implement and use their AML/CFT programs.

There are already several important takeaways that financial institutions should consider in assessing how to respond to the NPRM:

  • Risk-Based Approach: FinCEN proposed changes to the AML/CFT program regulatory framework that explicitly require financial institutions to design a program based on an assessment of the specific risks that the institution faces.
  • Deference to Financial Institutions: Where financial institutions have established a risk-based AML/CFT program, FinCEN will not second-guess the institution’s assessment as to what its biggest risks are or how best to address those risks.
  • FinCEN Will Serve as a Gatekeeper Over a Lower Risk of Enforcement: FinCEN, and other federal supervisory agencies in consultation with FinCEN, will bring enforcement or significant supervisory actions only in cases involving “significant or systemic implementation issues,” and other financial regulators must provide FinCEN with a 30-day notice before bringing an action.
  • New Technologies Are Encouraged: Where financial institutions responsibly experiment with new technologies for AML/CFT compliance, including the use of artificial intelligence, they will not incur any additional risk of being subject to an action solely because of their use of those technologies.

Many key questions remain, however, on how the NPRM may impact other components of AML/CFT compliance and enforcement, including:

  • How will FinCEN apply its new enforcement regime in practice? The NPRM proposes to focus enforcement and significant supervisory actions on cases involving “significant or systemic implementation issues,” but how FinCEN will interpret that limitation in practice remains an open issue. Moreover, because the vast majority of actions against banks are informal ones based on examiner findings, whether these informal actions qualify as “significant supervisory” actions will be critical.
  • How will the NPRM impact sanctions enforcement authorities? AML/CFT findings and exams have in recent years gone hand in hand with economic sanctions findings by the Office of Foreign Assets Control (OFAC), and it remains unclear how the NPRM may impact OFAC enforcement.
  • Will the proposals impact criminal actions for AML/CFT program violations? While the NPRM states that it has no impact on criminal BSA enforcement, it remains to be seen whether criminal enforcement of AML/CFT program violations will also be pulled back to maintain a clear separation in scope between criminal and regulatory violations.
  • Is the Federal Reserve going to follow suit? Because the Federal Reserve did not join a notice of proposed rulemaking issued by the other federal banking agencies, it remains unclear whether the Federal Reserve will also adopt the new AML/CFT program framework for the institutions it supervises.
  • What about the SEC? The Securities and Exchange Commission (SEC) has separate authorities to pursue BSA-related violations that do not require deference to FinCEN. Without a similar proposal from the SEC, the impact of the NPRM on broker-dealers and other entities supervised by the SEC remains unclear.
  • How will the NPRM impact bank/fintech relationships? Banks that offer services through fintechs may have additional risk exposure stemming from those relationships and will need to assess how relationships with third-party fintechs impact their risk profile. At the same time, while the NPRM expressly encourages the use of new technologies, it is unclear how much leeway banks will be given for innovative tools offered by fintechs.
  • How is the NPRM relevant to current debanking policies? By proposing to relax enforcement standards and focus on a risk-based approach, the NPRM appears to support the administration’s emphasis on preventing improper de-banking efforts. But how much the NPRM will impact de-banking policies remains unclear.

While it remains to be seen how these questions will be answered, we offer some thoughts on these questions at the end of this alert.

  I. Background

The NPRM originated from the Anti-Money Laundering Act of 2020 (AMLA), wherein Congress required FinCEN and other financial regulators to modernize AML/CFT regulations by promoting a risk-based AML/CFT regime for financial institutions and encouraging technological innovation in BSA compliance. In the summer of 2024, FinCEN and other financial regulators proposed new rules aimed at implementing the AMLA, but those rules were subject to substantial criticism that they did not provide clearer regulatory guidance or alleviate compliance burdens, and that they continued to allow financial institutions to be penalized for technical compliance failures.

Under the Trump administration, it became clear that deregulation would be a priority, including with respect to AML regulations. The NPRM flows from that priority and supersedes and withdraws the 2024 proposed rulemaking. As U.S. Treasury Secretary Scott Bessent stated in the press release announcing the NPRM: “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats. Our proposal restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.” On the same day as the press release, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the National Credit Union Administration issued their own joint notice of proposed rulemaking (Banking NPRM) to make conforming changes to the AML/CFT program requirements for the institutions that they supervise. Comments on the NPRM are due on June 9, 2026.

  II. Overview of the Substantial Changes

The NPRM does not propose to alter the basic regulatory framework governing AML/CFT programs and instead reinforces the traditional “four pillars” of compliance that have been in place for decades. What the NPRM does propose to change, however, is what financial institutions must do to meet their AML/CFT obligations, as well as the standards by which regulators will evaluate financial institutions’ compliance with those obligations. Below is a summary of the key changes proposed under the new framework.

  A. Requiring a Risk-Based Approach

Under the NPRM, financial institutions would be required to establish a risk-based set of internal policies, procedures and controls that are reasonably designed to ensure compliance with the BSA. The NPRM proposes to implement this requirement through several new provisions: (1) requiring periodic risk assessments; (2) establishing risk-based AML/CFT programs; and (3) affording deference to financial institutions on how best to mitigate material risks.

Risk Assessments. The NPRM proposes to require financial institutions to conduct risk assessments as part of the “internal policies, procedures, and controls” pillar of the BSA. While many financial institutions are already using risk assessments as part of their AML/CFT programs, the NPRM would make them mandatory, requiring financial institutions to assess their risk against their business activities, including products, services, customers, intermediaries, geographic locations, and distribution channels (i.e., the methods and tools through which a financial institution opens accounts and provides products or services). The NPRM expressly does not prescribe any particular methodology for conducting risk assessments, and makes clear that there is no one-size-fits-all approach. According to FinCEN, a financial institution’s internal policies, procedures and controls — including its risk assessment processes — should be commensurate with the financial institution’s size, structure, risk profile and complexity.

For example, a multinational bank with a complex corporate structure and exposure to higher-risk customers, services or geographic locations would not be expected to conduct the same type of risk assessment as a small bank with a narrow geographic footprint and customers from a defined local community. In conducting the risk assessment, the NPRM expects that financial institutions will draw upon a variety of information sources, including: (1) law enforcement or financial regulators; (2) other financial institutions (including through the section 314(b) process); (3) other internal data sources accessible to the financial institution; and (4) public reporting or guidance.

Focus on High-Risk Customers and Activities. Following the mandate of the AMLA, the NPRM provides that a risk-based AML/CFT program “should direct more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the financial institution, rather than toward lower-risk customers and activities.” Naturally, the results of the risk assessment process described above would help to inform which risks the financial institution should focus its attention and resources on mitigating.

In addition to the specific risks faced by a particular financial institution, the NPRM proposes that each financial institution must also consider the national AML/CFT priorities issued by FinCEN, but only as appropriate to the particular financial institution’s business model. These priorities, which were last issued in June 2021, are undoubtedly broad: “(1) corruption; (2) cybercrime, including relevant cybersecurity and virtual currency considerations; (3) foreign and domestic terrorist financing; (4) fraud; (5) transnational criminal organization activity; (6) drug trafficking organization activity; (7) human trafficking and human smuggling; and (8) proliferation financing.”

Deference to the Judgment of Financial Institutions. According to the NPRM, FinCEN believes that “financial institutions are best positioned to identify and evaluate their [AML/CFT] risks and to make decisions related to risk identification and resource allocation in accordance with risk identification.” The NPRM thus proposes to provide financial institutions with unprecedented flexibility in deciding for themselves which risks are material and what steps they will take to mitigate those risks. Under the NPRM, examiners will not be permitted to engage in “regulatory second-guessing of a financial institution’s reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks.” According to FinCEN, this will reduce examiner focus on technical noncompliance with the BSA in favor of a results-oriented approach.

B. Lower Enforcement Risks Resulting From a New Focus Only on ‘Implementation’ Failures

The existing AML/CFT framework has long required financial institutions to both establish and implement an AML/CFT program, but under the NPRM, FinCEN has now proposed to draw a hard line between those two requirements. According to FinCEN, “establishing” an AML/CFT program involves designing a program that incorporates all the required elements, whereas the “implementation” of the program addresses whether the financial institution is executing that program in practice. Recognizing this difference is critical because, under the new enforcement framework proposed by the NPRM, future enforcement actions would be focused on significant or systemic implementation failures of the AML/CFT program rather than the establishment or design of the program.

Establishing an Effective AML/CFT Program. Financial institutions are still required to build their AML/CFT programs around the four pillars: (1) risk-based policies, procedures and internal controls (including risk assessment and, if applicable, ongoing customer due diligence processes); (2) independent testing; (3) a U.S.-based BSA compliance officer; and (4) an ongoing risk-based employee training program. But, as noted above, FinCEN has proposed to provide financial institutions with substantial discretion in identifying material risks and designing their AML/CFT programs accordingly. As the NPRM states, financial institutions should have “more flexibility in deploying attention and resources . . . without fear of supervisory criticism or action from examiners for directing more attention and resources on higher risk customers and activities rather than toward lower risk customers and activities.”

That is not to say that there will be no enforcement for failures stemming from the establishment of AML/CFT programs under the NPRM. For example, the NPRM states that having an effective AML/CFT program “would be more than a onetime adoption of a risk-based set of internal policies, procedures, and controls.” Instead, as the financial institution’s risk profile changes, a financial institution would be required to keep current both its risk-based program and the risk assessment processes that inform that program. Moreover, examiners will still be required to assess whether “a financial institution’s resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes.”

Implementing an Effective AML/CFT Program. With respect to implementation failures, the NPRM would make it much harder for FinCEN to bring such actions. Once a bank has properly established an AML/CFT program, the NPRM proposes that FinCEN may pursue an enforcement or significant supervisory action only if the financial institution engaged in significant or systemic failures to implement an effective AML/CFT program, which FinCEN proposes to define as “deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program.” Going forward, this would exclude any actions based on “isolated, technical, or immaterial implementation issues.”

Again, however, examiners will still play a role in evaluating the effectiveness of a financial institution’s implementation of its AML/CFT program. For example, examiners will be required to assess “whether the financial institution knows or should know of resource-related issues involving its internal policies, procedures and controls and other mandatory elements that may result in the financial institution failing to implement its AML/CFT program in all material respects and failing to address such issues.”

FinCEN Will Serve as a Gatekeeper for Enforcement Actions. The NPRM makes clear that the narrowed scope for enforcement actions will also be imposed on other banking regulators. Under the proposed rule, banking regulators would for the first time be required to provide written and detailed notice to FinCEN at least 30 days before initiating certain enforcement or supervisory actions unless a shorter notice period is required. FinCEN would be required to review the proposed action and the banking regulator would be required to respond to additional questions from FinCEN and consider any input offered by FinCEN. Notably, it does not appear that FinCEN can overrule a banking agency’s decision to initiate an enforcement action.

While the NPRM makes clear that it has no impact on criminal enforcement of the BSA, as a practical matter, it would appear that the scope of criminal prosecution of AML/CFT program violations will necessarily be narrowed as well. There is close coordination with respect to enforcement between the banking agencies and the DOJ and it would be anomalous if civil liability standards were the same or narrower than criminal enforcement standards.

C. New Technology and Innovation Is Encouraged

Following the mandate of the AMLA, the NPRM encourages the responsible development of technological and other innovations as a way of making AML/CFT programs more effective with lower costs and burdens. Recognizing that many financial institutions have already adopted such advances in their programs, FinCEN listed certain technologies, including machine learning, generative artificial intelligence (GenAI), digital identity, blockchain monitoring and analytics, and application programming interfaces (APIs), as potentially valuable tools for AML/CFT programs, particularly with respect to digital assets.

While not mandating that financial institutions must adopt any particular technologies, FinCEN nonetheless encouraged financial institutions to responsibly adopt such innovations by proposing that financial institutions “that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely based on the use of innovative technologies.” While not a safe harbor, the language in the NPRM underscores that financial institutions that adopt new technologies in good faith should not expect to be subject to enforcement actions for responsible testing and experimentation.

With that said, as we have noted previously, financial institutions should continue to exercise heightened diligence before adopting new technologies. Regulators will expect financial institutions to test new technologies and systems and exercise adequate oversight to ensure that they are working as intended. Institutions that fail to take appropriate steps to monitor the effectiveness of new technologies and address any issues may still be subject to scrutiny by regulators and potentially enforcement actions in a different administration.

  III. What Happens Now?

Given the current political climate, it appears that the NPRM’s proposals covering risk assessments and risk-based AML/CFT programs will likely be adopted without material changes. Yet, it is unclear whether parties will seek to litigate aspects of the NPRM. We note that several parties opposed similar provisions contained in the prior, now withdrawn, 2024 NPRM, and it is possible that legal challenges may delay the implementation of these rules. Still, once the final rule is issued, FinCEN has proposed a one-year implementation period. Financial institutions should consider what steps are needed to bring their AML/CFT programs in line with these proposed rules, including re-emphasizing their focus on fulsome and detailed risk assessments and documenting their reasoning on risk decisions.

Moreover, several key questions remain as to the overall impact that the NPRM will have on AML/CFT program compliance and enforcement. While it remains to be seen how these questions will be answered, we offer some guidance below.

  1. How will FinCEN apply its new enforcement regime in practice? The NPRM defines a significant supervisory action to include any written communication or other “formal” supervisory determination that communicates a deficiency and contemplates a remedial measure by the financial institution. With 6,000 to 8,000 banks/credit unions subject to examination every year, only a small percentage face formal actions. For most banks, remedial AML measures are imposed by informal actions, including Matters Requiring Attention and Matters Requiring Immediate Attention (MRAs and MRIAs). A bank may be subject to — and spend resources addressing — an MRA for many years until it becomes a formal enforcement action. That is a lot of time and money to possibly find out that FinCEN disagrees with the examiner’s finding. For the NPRM to have the impact sought by FinCEN, the agency would have to apply the new standards to these informal actions as well. The NPRM appears to do so by, for example, instructing examiners not to “second-guess” bank decisions on their assessment of risks. It remains to be seen whether FinCEN will take a more active role with respect to MRAs.

    Similarly, the NPRM proposes to focus enforcement and significant supervisory actions on cases involving “significant or systemic implementation issues.” What this term means remains to be seen but clues in the NPRM suggest that actions will be initiated only in egregious cases, such as when an institution fails to implement its AML/CFT program in all material respects and also fails to address those issues. In other words, this would include cases of major and intentional failures to establish an AML/CFT program and/or deliberate ignorance of material risks to the institution.

  2. Will the proposals impact criminal actions? The NPRM proposes to narrow AML/CFT program actions to significant or systemic implementation issues. Because such cases typically involve knowledge by the institution of the program failures, the NPRM’s standard for enforcement looks very close to criminal conduct. To avoid a situation in which regulatory and criminal violations of the AML/CFT program requirements have the same scope, it is reasonable to expect a similar pullback in scope on criminal cases charging AML/CFT program violations.

  3. Is the Federal Reserve going to follow suit? Unlike the other banking agencies, the Federal Reserve did not issue a proposed rule that corresponds to FinCEN’s NPRM. Notably, FinCEN’s Fact Sheet that accompanied the NPRM stated that it was “prepared in consultation with the [Federal Reserve],” making the Federal Reserve’s failure to join appear intentional. While this may mean that Federal Reserve-supervised banks may face different supervisory and enforcement AML/CFT standards, we do not expect that the Federal Reserve’s practices will be substantially different from those of the other banking regulators.

  4. What about the SEC? The U.S. Supreme Court determined that the SEC has the authority to assess penalties against a broker-dealer for insufficient SAR filings without FinCEN authority under its independent recordkeeping requirements. The SEC’s ability to take action under these non-delegated authorities would allow formal enforcement actions involving AML/CFT compliance to occur without consultation with or notification to FinCEN. The banking regulators have issued proposed rules that would limit their ability to use independent authorities to take AML/CFT-related actions, but the SEC has not done the same. As with the Federal Reserve, as a practical matter, we would expect the SEC to conduct its supervision with an approach consistent with the NPRM.

  5. How will the NPRM impact expectations for bank/fintech relationships? The expectations in the proposed rule require a financial institution to update its risk assessment upon any change the financial institution knows or has reason to know that significantly changes its risk. For financial institutions that offer services through fintech and other relationships, it is unclear if the “reason to know” standard will flow through those relationships to include increased risk from a customer type or a large-volume customer. The extent to which there is an expectation to look through to a customer’s customer under the proposal will depend heavily on facts and circumstances. Therefore, banks and other financial institutions that leverage fintechs for providing services should be mindful of their access to information to comply with the proposed rule when finalized.

    On the other hand, the NPRM’s proposal to encourage financial institutions to employ new technologies for AML/CFT compliance can result in increased partnerships between banks and fintechs, which historically have led the way in innovating solutions for banks. Because banks remain responsible for technology provided by third parties, they will still need to ensure that they properly supervise third-party providers; likewise, fintechs must proactively maintain appropriate compliance (which includes understanding, monitoring and calibrating innovation). Thus, even with more partnerships, all players in the bank/fintech ecosystem will still need to remain vigilant.

  6. How does the NPRM support debanking policies? By moving away from strict enforcement policies for technical violations of the BSA and imposing a risk-based system for AML/CFT compliance, the NPRM seeks to alleviate some of the pressures that led to, according to the administration, the inappropriate de-risking of categories of bank customers. Under the NPRM, banks should decide which customers they will bank by focusing on the specific risks posed by each customer on a case-by-case basis. While the shift from bright-line policies to a risk-based approach provides banks, in theory, with more discretion regarding which customers they can bank, it also allows supervisory and enforcement priorities to shift with little warning, likely with a backward look. Therefore, prohibited customer and other similar de-risking policies should be grounded in current risk factors that are applied on a customer-by-customer basis and frequently reviewed to ensure alignment with current administration priorities and expectations.
