On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) announced a proposed rule (Proposed Rule) that would "fundamentally reform" financial institutions' anti-money laundering (AML) and countering the financing of terrorism (CFT) programs under the Bank Secrecy Act (BSA). According to FinCEN, "[t]he proposed rule supports Treasury's efforts to modernize the U.S. AML/CFT regulatory and supervisory framework, and to ultimately reduce compliance burden." The Proposed Rule also seeks to promote compliance program effectiveness over "mere technical compliance." Comments are due by June 9, 2026. While currently there is no target date for finalizing the Proposed Rule, FinCEN proposes a 12-month effective date to allow financial institutions sufficient time to review and implement the requirements.

The Proposed Rule is designed to implement provisions of the Anti-Money Laundering Act of 2020 (AMLA), key aspects of which remain unimplemented. This Proposed Rule supersedes a prior proposed rule published by FinCEN in 2024 (2024 NPRM). Notably, however, various aspects of the 2024 NPRM appear in the Proposed Rule. 

Concurrently with the release of FinCEN's Proposed Rule, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA) jointly released a related proposed rule to align their regulations with FinCEN's proposed requirements. 

Our key takeaways are as follows: 

1. "Establishing" and "Maintaining" Framework to Determine Program Effectiveness

The Proposed Rule puts forth a two-pronged framework for all covered financial institutions that focuses on whether the financial institution both established and maintained an AML/CFT program. According to the Proposed Rule, the two-prong framework seeks to promote "consistent articulation of supervisory expectations and prevent conflating criticisms of program design — the remediation of which would likely be different in kind — with criticisms of day-to-day implementation."

To "establish" a sufficient program, financial institutions would need to design a program that incorporates four reformulated but familiar pillars (described below), and also update their programs promptly based on changes to their risk profile. 

To "maintain" an AML/CFT program, financial institutions would be expected to subsequently implement the established program "in all material respects." Minor deficiencies in the program would not necessarily indicate the financial institution failed at implementation. For example, FinCEN explained that an institution's failure to consistently perform controls on a timely basis or identify higher-risk activities through the risk assessment process could indicate the financial institution is not adequately maintaining its AML/CFT compliance program. 

FinCEN notes, "[t]he distinction between establishing a program and implementing a program is particularly important under the proposed rule for potential supervisory and enforcement actions. The proposed rule would not limit enforcement or supervisory actions for failures to establish an AML/CFT program. However, with respect to banks, once a bank has properly established an AML/CFT program, the proposed rule would raise the threshold for significant actions based solely on implementation deficiencies so only significant or systemic failures by a bank to implement an effective AML/CFT program… would warrant an 'AML/CFT enforcement action' or a 'significant AML/CFT supervisory action'" (italics emphasized in original; bold emphasis added). While BSA enforcement actions have generally targeted significant or systemic AML/CFT program failures, this update may shape examiner approaches by driving closer alignment of findings and remediation with the "significant or systemic failures" threshold. As currently proposed, this threshold applies only to banks, but FinCEN specifically requested comments on whether the same supervision and enforcement framework should apply to other financial institutions. 

2. Updated/Reorganized AML/CFT Program Pillars, Including Standardizing Requirement for Risk Assessment Process

The Proposed Rule retains the traditional four-pillar structure of AML/CFT program establishment, with certain modifications: 

• Pillar 1: Internal Policies, Procedures, and Controls (Including Risk Assessment Processes): 
  • Similar to the current regulations, financial institutions would be required to establish reasonably designed, risk-based AML/CTF policies, procedures, and controls. FinCEN notes that financial institutions may "responsibly adopt new technologies or innovative approaches" to achieve these requirements. 
  • The Proposed Rule would expressly require financial institutions to establish risk assessment processes to identify, assess, and document risks related to money laundering, terrorist financing, and other illicit finance. These processes must incorporate AML/CFT Priorities set periodically by the Secretary of the Treasury and serve as the foundation for the institution's policies, procedures, and controls. The Proposed Rule also requires institutions to update their risk assessments whenever their risk profile changes significantly. Though many financial institutions are currently required, either explicitly or implicitly, to conduct risk assessments, the Proposed Rule would formalize this requirement across all covered financial institution types. FinCEN also makes clear that it expects AML/CFT programs to evolve over time — as informed by the risk assessment process — to fit the financial institution's risk profile. If an AML/CFT program is not updated in response to changes in risk profile, the financial institution's program may no longer satisfy the "establishment" prong. Notably, the Proposed Rule would require institutions to update their risk assessments "promptly" upon any change that the institution knows, or has reason to know, materially alters its money laundering or terrorist financing risk, such as the introduction or significant modification of products, services, or customer types. FinCEN has specifically requested comment on whether further clarification is needed regarding the timing and triggers for such risk assessment process updates, perhaps in acknowledgement of the potential operational burden of such a requirement. 
  • This pillar also incorporates the pre-existing requirement that financial institutions establish ongoing customer due diligence (CDD) processes. FinCEN noted that it does not intend to alter the substance of the CDD requirement applicable to certain financial institutions (often known as the "fifth pillar"), but it formally includes that requirement as part of this first pillar.
• Pillar 2: Independent Program Testing: Consistent with pre-existing requirements, financial institutions must establish an independent AML/CFT testing process. The proposed rule does not make significant changes to the requirement to conduct independent testing of the AML/CFT program. 
• Pillar 3: U.S.-Based Compliance Officer: As before, financial institutions would be required to designate an individual who is responsible for establishing and maintaining the AML/CFT program. The Proposed Rule would now explicitly require the designated individual to be based in the U.S. and both accessible to FinCEN and subject to FinCEN's oversight, which is more closely aligned to statutory requirements included in the AMLA. In releasing the Proposed Rule, FinCEN noted that the individual serving in this role "must be qualified for that role and not overburdened with other responsibilities." Additionally, the individual's "authority, independence, and access to resources within the financial institution are critical." Notably, financial institutions are still allowed to have overseas AML/CFT compliance teams, but the designated officer must sit in the U.S.
• Pillar 4: Ongoing Employee Training: Finally, as similarly reflected in existing regulations, financial institutions would continue to be required to establish an ongoing employee training program. 

3. FinCEN Notice and Consultation Requirement 

Significantly, the Proposed Rule contemplates that FinCEN would also assume an enhanced and more centralized role in connection with certain types of supervisory or enforcement actions related to the AML/CFT programs of banks. Under the Proposed Rule, if a banking regulator is contemplating a "significant AML/CFT supervisory action", the regulator would be required to engage in a new notice and consultation process with FinCEN. Under this process, the regulator would generally need to provide FinCEN with written notice at least 30 days prior to taking the action. FinCEN would be able to review the proposed action and offer any relevant input regarding the effectiveness of the bank's AML/CFT program. The regulator would then be expected to consider FinCEN's input and respond to any additional requests for information regarding the action from the FinCEN Director. "Significant" supervisory actions would include determinations by FinCEN or a banking regulator that "(i) [i]dentifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement (ii) [c]ommunicates supervisory expectations to a bank regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and (iii) [c]ontemplates significant or programmatic actions or remedial measures to be taken by the bank." 

When FinCEN is deciding whether to bring an enforcement action or is evaluating a regulator's proposed supervisory action, the FinCEN Director would be required to weigh certain factors, including those listed by the AMLA. In addition, FinCEN will consider whether the institution has advanced the AML/CFT priorities by providing information to law enforcement, including by responding to section 314(a) requests or participating in the FinCEN Exchange Program. FinCEN will also consider the extent to which the bank conducts proactive analytics or utilizes other innovative activities demonstrating the effectiveness of the AML/CFT program, "including effective use of artificial intelligence, federated learning, and other advanced monitoring tools." 

As noted above, on paper, the Proposed Rule elevates the threshold for actions against banks, requiring "significant or systemic failures," potentially giving banks more leverage in interactions with examiners and other enforcement authorities. 

4. Board of Director AML/CFT Program Approval 

All financial institutions would now be required to have their AML/CFT programs approved by the board of directors, an equivalent governing body, or appropriate senior management. The approval requirement currently exists in different forms for certain types of financial institutions, but this revision would formalize and standardize the requirement for all institution types. For foreign-headquartered banks, FinCEN noted that the approval body "may be the foreign banking organization's board of directors or delegates."

For certain financial institutions, this may require more formal reporting to the board or its committees on AML/CFT issues, board training, and documentation of approvals. 

5. Use of AI and Innovative Technologies

The Proposed Rule encourages but does not mandate the use of artificial intelligence (AI) and other innovative technologies. FinCEN underscored that the U.S. Department of the Treasury "has expressed broad support for exploring areas where AI, blockchain analysis, digital identity, and other tools can produce a more efficient and more effective AML/CFT framework," including in its 2024 National Strategy for Combating Terrorist and Other Illicit Financing. The Proposed Rule encourages financial institutions to consider whether innovative technology, such as machine learning, generative AI, digital identity, blockchain monitoring and analytics, or application programming interfaces, could enhance the effectiveness of their AML/CFT programs. For those hesitant to incorporate these technologies, FinCEN affirmed that it does not require the use of any particular technology. Indeed, FinCEN recognized that new technologies "may not be suitable for every financial institution, particularly smaller ones." For those that do adopt such technologies, FinCEN also explicitly noted that financial institutions will not be subject to additional enforcement or supervisory action risk solely because they incorporated innovative technologies into their AML/CFT programs. 

For more information, please contact:

Ian A. Herbert, iherbert@milchev.com, 202-626-1496

Leah Moushey, lmoushey@milchev.com, 202-626-5896

James G. Tillen, jtillen@milchev.com, 202-626-6068

Alexandra Beaulieu, abeaulieu@milchev.com, 202-626-5922

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.