Skip to main content
aktuelle Themen
Featured Insights
alle Beratungsfelder anzeigen
alle Industrien anzeigen
About Us Overview
  • Home
  • Insights
  • Out with the Old, In with the Risk-Based: FinCEN Proposes Fundamental Reform of AML/CFT Program Requirements
April 27. 2026

Out with the Old, In with the Risk-Based: FinCEN Proposes Fundamental Reform of AML/CFT Program Requirements

Authors:
Generate PDF
Share

On April 7, 2026, the US Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued a proposed rule (the “Proposed Rule”) intended to fundamentally reform financial institutions’ anti-money laundering and countering the financing of terrorism (“AML/CFT”) programs under the Bank Secrecy Act (“BSA”). The Proposed Rule is a central component of Treasury’s broader effort to modernize the US AML/CFT regulatory and supervisory framework by moving away from process-driven, technical compliance toward a regime focused on demonstrable outcomes and effectiveness in combating money laundering, terrorist finance (“ML/TF”), and other illicit financial activities. The Proposed Rule supersedes and withdraws FinCEN’s prior AML/CFT program modernization proposal, published on July 3, 2024 (discussed in our Legal Update on the proposal).

Public comments on the Proposed Rule must be received by June 9, 2026, and FinCEN proposes a 12-month implementation period following issuance of a final rule.

In this Legal Update, we provide background on the Proposed Rule, summarize its key changes, and discuss practical considerations for financial institutions.

Background

The Proposed Rule would implement key provisions of the Anti-Money Laundering Act of 2020 (the “AML Act”), which directed FinCEN and the federal banking agencies to modernize and strengthen the AML/CFT regulatory framework to encourage more effective outcomes. The AML Act, among other things, directed FinCEN to issue government-wide AML/CFT priorities and to incorporate them into program requirements, and required that AML/CFT programs be risk-based, including ensuring that more attention and resources of financial institutions are directed toward higher-risk customers and activities, consistent with the risk-profile of a financial institution.

The Proposed Rule was prepared in consultation with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the National Credit Union Administration (“NCUA”). Concurrently, the FDIC, OCC and NCUA, but not the Federal Reserve Board, issued a joint proposed rule to align their respective AML/CFT program requirements for supervised institutions with the changes proposed by FinCEN.

Scope of the Proposed Rule

The Proposed Rule would amend AML/CFT program requirements in 31 CFR Chapter X for a broad range of financial institutions, including banks, casinos and card clubs, money services businesses, broker-dealers, mutual funds, certain insurance companies, futures commission merchants  and introducing brokers in commodities, dealers in precious metals, stones, or jewels, operators of credit card systems, loan or finance companies, and housing government-sponsored enterprises. AML/CFT rules for certain registered investment advisers are being separately considered following FinCEN’s delay of its previous final rule to January 1, 2028 and are not affected by this Proposed Rule.

Key Changes

Below is a summary of some of the key changes addressed in the Proposed Rule:

New Definition of an “Effective” AML/CFT Program

The Proposed Rule would introduce a formal definition of an “effective” AML/CFT program. Under the Proposed Rule, a financial institution would have an “effective” program if it satisfies the following two-prong framework:

  • Establishment: The financial institution establishes a risk-based AML/CFT program incorporating the four core required pillars: (i) internal policies, procedures, and controls (including risk assessment processes); (ii) independent program testing; (iii) designation of a US-based compliance officer; and (iv) ongoing employee training. Establishing an AML/CFT program would also require keeping the program current as a financial institution’s risk-profile evolves.
  • Maintenance: The program is maintained, meaning that the program is implemented “in all material respects.”

FinCEN expressly acknowledges that no program can eliminate all illicit activity or capture every suspicious transaction; rather, the standard focuses on whether the program is reasonably designed to ensure BSA compliance, identify and mitigate the institution’s actual illicit finance risks, and generate information that is highly useful to law enforcement and national security agencies.

1. Risk-Based Internal Controls and Mandatory Risk Assessment Processes

Under the Proposed Rule, every covered financial institution would be required to establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent with the risk assessment processes, including by allocating more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities; and, for certain financial institutions; and (3) conduct ongoing Customer Due Diligence (“CDD”).

Accordingly, the Proposed Rule would place existing requirements for certain financial institutions to conduct ongoing CDD, commonly referred to as the “fifth pillar” of AML program rules, under the internal policies, procedures, and controls pillar.

In addition, although the prior July 2024 NPRM proposed adding risk assessment as a standalone “sixth pillar” of AML compliance, the Proposed Rule would instead incorporate risk assessment as part of the internal controls requirement. While the current AML/CFT program rules do not require risk assessments in a uniform manner across institution types, the Proposed Rule would use consistent language to require risk assessment processes as part of a financial institution’s internal policies, procedures, and controls. The risk assessment processes would be required to (1) evaluate risks arising from the institution’s products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate FinCEN’s AML/CFT priorities;1 and (3) be updated promptly when the institution knows or has reason to know that its risk-profile has significantly changed, for example, due to new products, markets, or customer types.

Further, as part of a financial institution’s obligation to establish a risk-based set of internal policies, procedures, and controls, the Proposed Rule would provide that a financial institution’s efforts to mitigate its ML/TF risks would involve directing more attention and resources toward higher-risk customers and activities, consistent with the institution’s risk-profile, rather than toward lower-risk customers and activities. FinCEN intends this formulation to give institutions greater comfort in reallocating resources away from lower-risk areas without fear that such reallocation, by itself, would be cited adversely, so long as it is grounded in reasonably designed risk assessments and controls.

2. Independent Testing

The Proposed Rule aims to harmonize and clarify the existing independent testing pillar by requiring independent AML/CFT program testing, conducted either by internal personnel who are independent of the AML/CFT function and relevant business lines or by a qualified external party. Testing would be risk-based and focused on program effectiveness, not merely technical completeness. Importantly, the Proposed Rule would articulate, in both the internal controls and independent testing contexts, that neither examiners nor auditors or testers should substitute their own subjective judgment for a financial institution’s risk-based and reasonably designed AML/CFT program determinations.

3. US-Based AML/CFT Officer

Consistent with the AML Act, each covered institution would be required to designate an AML/CFT officer who is located in the United States, accessible to, and subject to oversight and supervision by, FinCEN and its designee (which would include any agency to which FinCEN has delegated examination authority or the appropriate self-regulatory organization). That individual would be responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance. The existing AML/CFT program rules contain variations in the description of this requirement, and the Proposed Rule would provide clarifying and standardized language.

4. Ongoing Training Requirement

The Proposed Rule would standardize the requirement for an ongoing employee training program across all covered institution types. FinCEN would generally expect training to reflect the institution’s internal controls, risk assessment results, and current regulatory requirements, with frequency and content tailored to the institution’s risk-profile and personnel roles.

Access to and Approval of a Written AML/CFT Program

The Proposed Rule would also standardize governance expectations by requiring that the written AML/CFT program be approved by the board of directors, an equivalent governing body, or appropriate senior management, and be made available to FinCEN or its designee upon request. The Proposed Rule would standardize this language across all financial institution types and would provide financial institutions with significant flexibility in their chosen approval method.

New Bank-Specific Supervision and Enforcement Framework

Under the Proposed Rule, a bank that has properly established its AML/CFT program would not be subject to an AML/CFT enforcement action or a significant AML/CFT supervisory action based on the program rule, except with respect to a “significant or systemic failure” to implement an effective AML/CFT program (i.e., a failure to implement, in all material respects, a properly established program). This limitation would not restrict enforcement or supervisory actions with respect to a failure to properly establish an AML/CFT program in the first instance.

Thus, the proposed bank-specific supervision and enforcement framework would raise the threshold for significant AML/CFT supervisory and enforcement actions based on implementation deficiencies, limiting such actions to cases involving significant or systemic failures to implement a properly established program. While the precise contours of what constitutes a “significant or systemic failure” remain to be defined (and are likely to be a focus of public comments), this framework, if adopted, could meaningfully change the dynamics of AML/CFT examinations and enforcement. For institutions, the key challenge will be configuring compliance programs against a standard that is inherently fact-specific and likely subject to differing interpretations by examiners and enforcement staff.

In determining whether to take, or when reviewing, an enforcement action or significant supervisory action, FinCEN’s Director would consider: (i) the four statutory factors required by the AML Act, as applicable; (ii) the extent to which the bank—where appropriate in light of its size, complexity, and risk-profile—has advanced AML/CFT priorities by providing highly useful information to law enforcement or national security officials, conducting proactive analytics, or performing other innovative activities producing demonstrable outputs evincing the effectiveness of the bank’s AML/CFT program (including effective use of artificial intelligence, federated learning, or other advanced monitoring tools); and (iii) any other factor the Director deems appropriate, including the bank’s size, complexity, and risk-profile. The Proposed Rule’s embrace of innovative technologies is notable and signals FinCEN’s receptiveness to financial institutions leveraging new tools to enhance their AML/CFT programs.

In addition, the Proposed Rule would establish a notice-and-consultation framework applicable when the federal banking agencies, acting under supervisory authority delegated by FinCEN, intend to initiate a significant AML/CFT supervisory action. Before initiating such an action, the federal banking agencies would be required to provide the Director with an opportunity to review the action and consider any input offered by the Director. Importantly, the Proposed Rule's supervision and enforcement framework applies to AML/CFT program-related supervisory and civil enforcement actions. It does not limit criminal referrals to or prosecutions by the Department of Justice for willful BSA violations, which remain governed by separate standards. If the Proposed Rule is adopted in its current form, it remains to be seen how FinCEN intends to adapt to its expanded role in overseeing AML/CFT supervisory and civil enforcement actions, including whether FinCEN will require additional staffing and resources to fulfill its obligations under this notice and consultation framework.

Key Takeaways and Practical Considerations

The Proposed Rule represents the most significant overhaul of AML/CFT program requirements in decades. That said, the Proposed Rule primarily restructures and streamlines the AML/CFT program requirements rather than imposing new substantive requirements upon financial institutions. These reforms build on FinCEN’s recent efforts to reduce AML compliance burdens, including its October 2025 FAQs reducing certain burdens associated with suspicious activity report (“SAR”) filings (discussed in our Legal Update addressing the FAQs), and its February 2026 order granting exceptive relief from repeat beneficial ownership verification requirements (discussed in our Legal Update addressing FinCEN’s order), among others.

The Proposed Rule’s emphasis on risk-based resource allocation and its explicit statement that institutions may direct resources away from lower-risk areas represent a meaningful departure from the prevailing compliance culture, which has often incentivized institutions to apply uniform attention across all customer and product categories regardless of risk to satisfy technical compliance requirements. Financial institutions should consider conducting gap assessments of their existing risk assessment processes and evaluating whether their current programs would satisfy the Proposed Rule’s “establishment” prong.

In addition, the new consultation framework between FinCEN and the federal banking agencies represents a significant elevation of FinCEN’s role in AML/CFT supervision. Financial institutions should consider how this may affect the examination process and interaction with their primary regulators, particularly where FinCEN’s assessment of program effectiveness may differ from that of the institution’s primary federal banking agency.

Given the breadth and significance of the proposed changes, financial institutions should consider submitting comments to help shape the contours of the final rule, particularly on the definition of “significant or systemic failure” and the threshold for what constitutes a “material” failure to implement a properly established program. Although FinCEN expects that the revised supervisory and enforcement standard would reduce the volume of enforcement and supervisory actions in the aggregate and save personnel time that may otherwise be allocated to unproductive supervisory inquiries, it remains unclear how the proposed standard would differ meaningfully from the current supervisory and enforcement framework, absent further clarification from FinCEN. In the interim, institutions may wish to begin evaluating their existing AML/CFT programs against the Proposed Rule’s two-prong framework (including the adequacy of existing risk assessment processes) and identifying areas where enhanced documentation or resource reallocation may be warranted in advance of a final rule. We will continue to monitor developments related to the Proposed Rule and related AML/CFT reform efforts.

 

 

1 The AML Act directed FinCEN to issue government-wide AML/CFT priorities, and FinCEN first published these priorities on June 30, 2021. The eight priorities are: (1) corruption; (2) cybercrime; (3) domestic and international terrorist financing; (4) fraud; (5) transnational criminal organization activity; (6) drug trafficking organization activity; (7) human trafficking and human smuggling; and (8) proliferation financing. Given that it has been almost five years since FinCEN last published its AML/CFT priorities, and FinCEN is required under the AML Act to update its AML/CFT priorities at least once every four years, FinCEN is overdue for a formal update. That said, FinCEN has since issued substantial guidance that financial institutions should treat as reflective of the agency’s current priorities.  

Autoren

verwandte Beratungsfelder und Industrien

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe

Follow us

© 2026 Mayer Brown. All Rights Reserved

 

 

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

“Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.