FinCEN’s Proposed Whistleblower Program: A Sea Change in AML and Sanctions Enforcement
- Brad A. Resnikoff,
- Ravi Shah,
- Tamer A. Soliman,
- Samuel Tope-Ojo
On March 30, 2026, the Financial Crimes Enforcement Network (FinCEN) published a Notice of Proposed Rulemaking (NPRM) to operationalize its whistleblower program by creating substantial financial incentives for individuals to report violations of the Bank Secrecy Act (BSA), US sanctions laws, and related national security laws “critical to safeguarding the US financial system and national security.” The NPRM’s remarkably broad scope would reach companies with sanctions exposure, not just BSA-covered financial institutions. Comments are due June 1, 2026.
The NPRM proposes:
- Procedures for timely and secure reporting, including for submitting an award application;
- Eligibility criteria for making awards and a process to adjudicate award applications;
- Awards of “10-30 percent of collected monetary penalties for individuals whose tip leads to a successful enforcement action;” and
- Protections for whistleblowers who provide information through this program.
This Legal Update analyzes the proposed rule’s key provisions, compares the program to other federal whistleblower initiatives, and offers practical guidance for affected companies.
Statutory and Regulatory Framework
The whistleblower program is administered pursuant to 31 U.S.C. § 5323, which authorizes the Secretary of the Treasury to pay awards to compensate individuals who come forward with valuable information about financial crimes. The information must then be used in a “covered judicial or administrative action” brought by Treasury or the Attorney General under the BSA, the International Emergency Economic Powers Act (IEEPA), or the Foreign Narcotics Kingpin Designation Act (Kingpin Act), and must ultimately lead to a successful enforcement action resulting in monetary sanctions exceeding $1 million.
Although FinCEN has accepted whistleblower tips for many years (including at least 270 unique tips from 2021 through May 2024), the NPRM would establish detailed procedures intended to operationalize the program and process whistleblower claims and awards.
The proposed rule defines “whistleblower” broadly as any individual, or two or more individuals acting jointly, who provides information relating to a violation of the covered laws or a conspiracy to violate those laws. Notably, the proposed rule does not state that a whistleblower must be a US Person.
To qualify for an award, the whistleblower must provide “original information” derived from independent analysis that is not already known to the Treasury Secretary or Attorney General through other sources. This is particularly noteworthy because, even where underlying facts are publicly available, an individual may contribute original information through “independent analysis” that yields material insights not generally known to the public. This may incentivize outside actors to identify violations in public data such as blockchain records or sanctions compliance filings.
Certain individuals are ineligible for awards (e.g., a member, officer, or employee acting in the normal course of their job duties of (i) an appropriate regulatory or banking agency; (ii) Treasury or DOJ; (iii) a law enforcement agency; (iv) Congress; or (v) a self-regulatory organization).
Scope of Conduct Covered
The scope of the proposed rule is notably broad and extends far beyond traditional AML compliance failures. It covers violations of the BSA, the International Emergency Economic Powers Act (IEEPA), the Trading with the Enemy Act (TWEA), and the Foreign Narcotics Kingpin Designation Act (Kingpin Act). The inclusion of IEEPA in particular significantly broadens the universe of conduct, entities, and regulatory programs within the program’s reach.
- Bank Secrecy Act: The Bank Secrecy Act (BSA) is the foundational US AML statute, subjecting banks, broker-dealers, money services businesses, casinos, insurance companies, and other financial institutions to recordkeeping, reporting, and AML compliance program requirements. The whistleblower program now provides a formal, incentivized channel for reporting BSA violations.
- International Emergency Economic Powers Act: IEEPA is arguably the most consequential of the covered statutes because it underpins a sweeping array of national security regulatory regimes. Treasury’s Office of Foreign Assets Control (OFAC) enforces US economic sanctions programs pursuant to IEEPA. IEEPA also serves as the legal basis for Treasury’s Outbound Investment Security Program (OISP), which restricts certain US investments in national security technologies in countries of concern, and the Data Security Program (DSP), which prohibits data transactions that could grant foreign adversaries access to bulk sensitive personal data of Americans. Violations of any of these IEEPA-based regimes would fall within the whistleblower program’s scope.
- Trading with the Enemy Act: TWEA authorizes the regulation of transactions involving foreign-owned property during times of war, including seizure and holding of such property in trust. OFAC enforces certain economic sanctions programs based on TWEA, and violations of those programs are now reportable under the whistleblower framework.
- Foreign Narcotics Kingpin Designation Act: The Kingpin Act authorizes sanctions against significant narcotics traffickers and their networks, and OFAC-enforced violations of its sanctions program are covered by the proposed rule.
The proposed rule would also authorize FinCEN to share whistleblower tips not only with Treasury and DOJ but also with other “appropriate agencies and authorities,” including the US Department of Commerce’s Bureau of Industry and Security (BIS), which enforces export controls, and foreign law enforcement authorities. In practical terms, this means any company that maintains a sanctions compliance program under IEEPA, operates in sanctions-sensitive sectors, or has touchpoints with the regulated outbound investment and data security regimes could find itself the subject of a whistleblower tip.
Award Structure and Eligibility
Eligible whistleblowers may receive awards ranging from 10% to 30% of the monetary sanctions collected in successful “covered actions” or “related actions.” A covered action is defined as a judicial or administrative proceeding, whether criminal or civil, brought by Treasury or DOJ under a covered statute that results in monetary sanctions exceeding $1 million. FinCEN has invited comment on this definition.
The proposed rule presumes a 30% award when total collected sanctions yield an award of $15 million or less. FinCEN retains broad discretion to determine award amounts based on several factors, including the significance of the information provided, the degree of assistance the whistleblower rendered, the whistleblower’s culpability (if any), any unreasonable delay in reporting, and the programmatic interest of Treasury or DOJ in deterring violations.
The 120-Day Waiting Period: A Critical Provision for Compliance Personnel
One of the most consequential features of the proposed rule is the 120-day waiting period for certain “insider” whistleblowers. Individuals who learn of potential violations through the performance of internal audit, compliance, or internal-control functions, as well as officers, directors, trustees, and partners, must wait at least 120 days after obtaining the information before reporting to FinCEN to be eligible for an award.
The 120-day waiting period is intended to give companies the opportunity to assess potential violations and, where appropriate, address them or voluntarily disclose them to the government. The NPRM is clear: this provision is intended to benefit companies “that invest in strong internal audit and compliance programs.” The waiting period allows entities to review information and consider submitting a voluntary self-disclosure (VSD). Thus, companies should ensure adequate and efficient reporting channels for potential violations to review and determine prompt disclosure to the government in order to obtain the benefits of VSD.
FinCEN has invited public comment on several aspects of this waiting period, including whether 120 days is an appropriate length, whether the covered personnel categories are appropriately defined, and whether alternative approaches would better balance encouraging internal reporting with enforcement objectives. The NPRM also states that if it is finalized, FinCEN will provide separate public guidance as to what constitutes “reasonable time” for reporting.
Comparison with Other Federal Whistleblower Programs
The FinCEN whistleblower program is one of several federal whistleblower initiatives, and there is substantial overlap and important distinctions between them. Understanding how these programs interact is critical for companies that may be subject to multiple regulatory regimes and for individuals evaluating where to report potential misconduct.
| Feature | FinCEN Program (Proposed) | SEC Whistleblower Program | DOJ Criminal Division Pilot Program |
|---|---|---|---|
| Covered Violations | BSA, IEEPA, TWEA, Kingpin Act violations (including sanctions, AML, OISP, DSP) | Federal securities laws, including fraud, accounting violations, insider trading, and foreign bribery (FCPA) | Financial institution crimes, foreign corruption (non-issuer FCPA), domestic corruption, health care fraud involving private insurers |
| Award Range | 10%-30% of collected sanctions | 10%-30% of collected sanctions | Up to 30% of first $100M forfeited; up to 5% of $100M-$500M |
| Monetary Threshold | $1 million | $1 million | $1 million |
| Minimum Award Presumption | 30% presumption for awards ≤$15 million | Historically applied similar presumptions | 30% presumption for first $10 million forfeited |
| Award Fund | $300M revolving fund from collected penalties | Investor Protection Fund | DOJ’s Asset Forfeiture Fund |
| Award Discretion | Mandatory payment within statutory range | Mandatory payment within statutory range | Awards are entirely discretionary |
| Culpability Bar | Conviction-based disqualification | Conviction-based disqualification | No award for “meaningful participation” (though minimal participants may qualify) |
| Compliance Personnel Treatment | 120-day waiting period | Limited eligibility for compliance/audit personnel | 120-day window to report internally and to DOJ |
| Anti-Retaliation | Statutory protections; Labor complaint or federal court action | Statutory protections with private right of action | No explicit protections, but retaliation considered in company cooperation assessment |
Significant Overlap in Covered Conduct
The overlap between FinCEN’s program and other whistleblower regimes is significant. DOJ’s Criminal Division launched its Corporate Whistleblower Awards Pilot Program in August 2024, and expanded it in May 2025 to cover sanctions offenses, trade and customs fraud, and material support of terrorism (We discussed this in our Legal Update, DOJ Announces White-Collar Enforcement Priorities and Revised Policies).
However, there are crucial differences. Whistleblowers under the DOJ Pilot Program cannot receive an award if they would be eligible for an award through another federal whistleblower program. The programs also differ in how awards are calculated: while the DOJ Pilot Program bases awards solely on forfeited amounts (net proceeds from criminal or civil forfeiture), FinCEN’s proposed program explicitly excludes forfeiture and blocked property from the award calculation, focusing instead on “monetary sanctions” collected, such as penalties, fines, and disgorgement. Thus, a potential whistleblower with information about both securities violations and AML violations would need to evaluate which program offers the most favorable pathway. The DOJ guidance explicitly encourages whistleblowers who are unsure which program applies to submit information to both programs so that the agencies can assess eligibility.
For sanctions violations, the significance of FinCEN’s program is particularly pronounced. Although the whistleblower program is administered by FinCEN (which is not authorized to enforce US sanctions), the program covers enforcement actions brought by both Treasury (including OFAC) and the DOJ. The establishment of a new reporting channel and monetary incentives could help drive additional civil actions. In 2025, FinCEN brought two civil enforcement actions for a total of approximately $40 million, while OFAC brought 14 civil enforcement actions for a total of $265 million.
Implications for Employers
The proposed rule represents a significant shift in the enforcement landscape and has immediate practical implications for employers.
Heightened Compliance Expectations
The program creates powerful financial incentives for employees, contractors, and third parties to report suspected BSA, AML, and sanctions violations directly to the government. Employees with knowledge of potential compliance failures, such as inadequate customer due diligence, failures to file Suspicious Activity Reports (SARs), deficient transaction monitoring, or sanctions screening breakdowns, now have a direct path to report deficiencies and receive substantial monetary rewards.
Internal Reporting and Investigation Timelines
Although the 120-day waiting period provides some breathing room for companies to investigate and remediate internally identified issues, it also creates significant pressure to move quickly. Companies should evaluate whether their processes can support a rapid response to internal whistleblower complaints. Delays or incomplete remediation during the 120-day period may increase the risk of reporting to FinCEN and other authorities.
Anti-Retaliation Obligations
The proposed rule reinforces statutory protections against retaliation for whistleblowers who provide information to Treasury, regardless of whether they receive an award. Employers are prohibited from retaliating, and aggrieved individuals may file complaints with the Department of Labor or bring actions in federal court.
Companies should review and strengthen anti-retaliation policies and training to ensure that managers understand the serious legal consequences of retaliating against employees who report potential violations.
Recommendations for Companies
In light of this proposed rule, companies should consider taking the following steps:
- Review and enhance internal compliance programs: Conduct a thorough review and, where necessary, an independent assessment, of existing AML and sanctions compliance programs to identify and remediate gaps before an insider does so on the company’s behalf.
- Strengthen internal reporting channels: Ensure internal channels are robust, accessible, and well publicized so employees feel confident raising concerns internally before turning to FinCEN. This is particularly important given the proposed 120-day waiting period for whistleblowers who obtain information through internal compliance or audit functions.
- Accelerate investigation and remediation timelines: Review internal protocols and consider process changes to ensure potentially reportable matters are timely triaged and investigated within the 120-day window.
- Conduct tabletop exercises: Consider a tabletop exercise to confirm roles, timelines, and documentation expectations in light of the proposed 120-day framework.
- Evaluate voluntary disclosure frameworks: Develop or refine a framework for determining when to report matters to regulators and who will be involved in those decisions. The whistleblower program heightens the importance of prompt escalation to personnel with disclosure authority.
- Prepare for the OISP and DSP: Adopt compliance programs to address transactions covered by the Outbound Investment Security Program and Data Security Program, now within the scope of FinCEN’s whistleblower authorities.
- Consider submitting comments: FinCEN invites comments on all aspects of the proposed rule. Companies, trade associations, and other stakeholders may wish to comment on issues such as the definition of “original information,” the mechanics and timing of award applications, confidentiality safeguards, treatment of internal reporting, and the interaction between the new program and existing compliance obligations.
Conclusion
This proposed rule signals that FinCEN intends to build a whistleblower program with the reach and financial firepower to materially change the enforcement landscape for AML, sanctions, and national security violations. Companies should not wait for the final rule to act. The practical steps are clear: stress-test compliance programs for gaps a whistleblower might exploit, ensure internal reporting channels are credible and responsive, and build the institutional capacity to investigate and make disclosure decisions within the 120-day window. We will provide additional guidance when FinCEN issues a final rule.
