Professionals Services Insights Community
About Offices Careers
Home / Insights / Federal Regulators Propose ...
PDF

April 15, 2026

Ellen Traupman Berge Andrew E. Bigart Christopher L. Boone Michael J. Bresnick Jonathan L. Pompan James Williams

Federal Regulators Propose Major Reforms to AML Requirements

8 min

The Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration (collectively, the "Banking Agencies") have issued coordinated proposed rulemakings to revise the anti-money laundering and countering the financing of terrorism (AML/CFT) requirements for financial institutions, including banks, money transmitters, and broker-dealers, among others.

The proposed rulemakings implement provisions of the Anti-Money Laundering Act of 2020 (AML Act) and reflect a broader regulatory focus on modernizing the AML framework through risk-based approaches and more efficient allocation of compliance resources. While the proposed rules do not fundamentally alter the core structure of AML/CFT programs, they would mandate risk-assessments, place greater regulatory emphasis on institution-specific risks identified in those assessments, and focus on whether institutions have sufficient AML/CFT programs rather than isolated or immaterial issues, among other things. Comments for the rulemakings are due on June 9, 2026.

The AML Act and Recent Developments in AML/CFT Modernization

With the enactment of the AML Act, Congress directed FinCEN and the Banking Agencies to modernize and strengthen the AML/CFT framework, which has remained largely unchanged since the Bank Secrecy Act was adopted in the 1970s. This push toward modernization has developed in parallel with industry challenges related to the cost and operational burden of AML/CFT compliance and the difficulty of adopting new technologies in a risk-sensitive regulatory environment.

These forces have driven a broader shift toward more effective, risk-based AML/CFT programs. In an April 2025 speech, the Secretary noted that Treasury "will advocate for changes to the AML/CFT framework to truly focus on national security priorities and higher-risk areas and explicitly permit financial institutions to de-prioritize lower risks." Reflecting this trend, in June and July 2025, the Agencies, with FinCEN's support, permitted banks to collect Taxpayer Identification Number information from a third party rather than from the bank's customer as part of their CIP obligations. Later in 2025, FinCEN and the Agencies issued FAQs clarifying SAR obligations, and then in February 2026, FinCEN granted targeted relief from certain CDD Rule requirements.

Together, these developments have set the stage for a broader recalibration of AML/CFT program requirements, culminating in the current proposed rulemakings.

Overview of the Proposed Rulemakings

On April 7, 2026, FinCEN and the Banking Agencies announced complementary proposed rulemakings to revise and update the requirements for financial institutions to establish and maintain effective AML/CFT programs. FinCEN's proposal establishes the overarching AML/CFT program requirements under the Bank Secrecy Act, while the Banking Agencies' proposal aligns their supervisory and examination frameworks to implement and enforce those requirements for banks. The FinCEN rulemaking supersedes a prior rule proposed by FinCEN in 2024. For ease of reference, this alert refers to the two proposals collectively as the "Proposed Rule."

While the Proposed Rule does not fundamentally alter the core structure of AML/CFT programs, it reframes program obligations around an express standard that programs be reasonably designed, risk-based, and effective. The Proposed Rule would require financial institutions to implement AML/CFT programs based on the following familiar core pillars: (1) internal policies, procedures, and controls, including risk assessment processes and, where applicable, customer due diligence; (2) independent testing; (3) designation of a U.S.-based compliance officer; and (4) ongoing employee training. The proposal would integrate customer due diligence requirements within the broader internal controls framework, rather than maintaining them as a separate "pillar."

The Proposed Rule would apply broadly to financial institutions subject to the BSA, including banks, broker-dealers, mutual funds, insurance companies, money services businesses, and other covered entities. Although the proposal does not expand the scope of entities subject to AML/CFT program requirements, it would harmonize and clarify those requirements across institution types. As a result, some non-bank financial institutions may experience a relative increase in expectations, particularly where existing requirements have been less prescriptive or have varied across sectors.

The following outlines key provisions of the Proposed Rule:

  • Risk Assessment Processes. Although many financial institutions already incorporate risk assessments into their AML/CFT programs, the Proposed Rule would mandate formal risk assessment processes as part of a financial institution's internal policies, procedures, and controls. These processes must evaluate the institution's AML/CFT risks across its activities and serve as the foundation for the design and calibration of its AML/CFT program.
  • Independent Testing. The Proposed Rule retains the requirement for independent testing of AML/CFT programs but clarifies that such testing should be objective and risk based. Relatedly, the proposal states that auditors should not substitute their own subjective judgment for that of the financial institution but instead should assess whether the program is reasonably designed and effectively implemented in light of the institution's risk profile.
  • Ongoing Employee Training Program. The Proposed Rule clarifies that AML/CFT programs must include an ongoing employee training program, with training expected to be risk based and tailored to the institution's activities and personnel roles.
  • Supervision and Enforcement of Banks' AML/CFT Programs. The Proposed Rule would revise the AML/CFT supervisory and examination framework for banks by formalizing and enhancing FinCEN's role in supervision and enforcement. It would establish a coordination mechanism requiring the Banking Agencies to provide FinCEN advance notice (generally 30 days) and an opportunity to review and provide input on certain significant supervisory and enforcement actions.
  • Focus on Implementation Failures. For supervisory and enforcement purposes, the Proposed Rule draws a distinction between failures to establish an AML/CFT program and failures to implement the program. Where a bank has established an AML/CFT program, regulators would generally take significant supervisory or enforcement action only in cases of material or systemic failures to implement the program in a manner consistent with the bank's risk profile. The Proposed Rule emphasizes that regulators should focus on such material deficiencies rather than isolated or immaterial issues, while also noting that institutions remain responsible for updating their programs to reflect changes in risk.
  • Incorporation of U.S. AML/CFT Priorities. The Proposed Rule would require financial institutions to review and incorporate, as appropriate, the U.S. government's AML/CFT priorities into their risk assessment processes to help ensure alignment with national security and law enforcement objectives. FinCEN publishes these priorities periodically, in consultation with other federal agencies, to identify key illicit finance threats facing the U.S. financial system.
  • U.S.-Based Compliance Officer. The Proposed Rule would require an institution's AML/CFT compliance officer to be located in the United States, while permitting certain supporting functions to be performed by personnel outside the United States.
  • Board Approval of AML/CFT Program. The Proposed Rule would require a financial institution's AML/CFT program to be approved by its board of directors (or equivalent governing body) or appropriate senior management, and to be made available to FinCEN and relevant regulators upon request.

Key Considerations and Next Steps

The Proposed Rule is part of a broader legislative and regulatory effort to modernize the AML/CFT framework for financial institutions and is just one of several related developments that institutions should be monitoring.

The focus on modernizing the AML/CFT framework is reflected in the Proposed Rule's support for responsible innovation in AML/CFT programs. As FinCEN explains, financial institutions are encouraged to evaluate whether new technologies or innovative approaches, including machine learning, generative artificial intelligence, digital identity solutions, or advanced data analytics, may enhance the effectiveness of their programs. FinCEN further states that institutions that responsibly experiment with innovative technologies will not incur additional risk of significant supervisory or enforcement action solely because of their use of such technologies. At the same time, institutions remain responsible for ensuring that any such technologies are appropriately implemented and support an effective, risk-based AML/CFT program.

Another recurring theme is the Proposed Rule's discouragement of "de-risking" of customers or industries. The rule emphasizes flexibility and risk-based decision making, aiming to move institutions away from one-size-fits-all risk categorizations that can result in the wholesale exclusion of customer segments. Instead, it reinforces that customer onboarding and account closure decisions should be grounded in specific, demonstrable risks and informed by relevant facts and circumstances. More broadly, the proposal aligns with ongoing regulatory and policy efforts to address concerns regarding categorical de-risking, including recent executive action by the Trump administration directing federal agencies to review and address de-risking practices, as well as a proposed rulemaking by federal banking agencies aimed at promoting more transparent and risk-based account access decisions.

In the short term, financial institutions should review the Proposed Rule in detail and consider whether to submit comments (either directly or through an industry organization), including by providing responses to the specific questions raised by FinCEN and the Banking Agencies. The proposal presents an opportunity for institutions to seek additional clarity on key requirements and to influence how the new AML/CFT framework is implemented in practice.

More broadly, financial institutions should begin reviewing their existing AML/CFT programs with a view to potential revisions needed to align with the proposed requirements.

  • Assess whether existing risk assessment methodologies, documentation, and update processes satisfy the proposed requirement for a formal, risk-driven framework, and whether controls are appropriately calibrated to the institution's risk profile
  • Review board and senior management reporting to ensure clear oversight of AML/CFT effectiveness, risk appetite, and resource allocation decisions
  • Evaluate whether current staffing, technology, and budget allocations are aligned with higher-risk areas and can be justified under a risk-based framework
  • Reevaluate customer segmentation, account closure, and risk-rating practices in light of the proposal's emphasis on avoiding categorical de-risking
  • Explore opportunities to leverage new technologies and innovative approaches, such as advanced analytics or AI, to enhance program effectiveness and support more targeted, risk-based monitoring

Although the final contours of the Proposed Rule will depend on the outcome of the comment and rulemaking process, the proposal reflects a shift in regulatory expectations that will impact how financial institutions implement their AML/CFT programs. Regulators are increasingly emphasizing AML/CFT programs that are risk based, tailored to an institution's specific risk profile, and demonstrably effective in addressing higher-risk activity. At the same time, the Proposed Rule would encourage innovation and provide regulatory relief from supervisory scrutiny of technical or isolated violations. Accordingly, financial institutions should begin aligning their programs with these principles now, including by enhancing risk assessment processes, strengthening the linkage between risk and controls, and ensuring that resources are allocated in a manner consistent with evolving regulatory expectations.

Related Services

Industries

Related Insights

NYC’s SHIELD Rule Reshapes Debt Collection Compliance—Original Creditors Now Squarely in Scope
NYC’s SHIELD Rule Reshapes Debt Collection Compliance—Original Creditors Now Squarely in Scope

April 02, 2026

1min
Financial Services and Fintech Digest
Financial Services and Fintech Digest

March 2026

3min
NYC’s SHIELD Rule Reshapes Debt Collection Compliance—Original Creditors Now Squarely in Scope
NYC’s SHIELD Rule Reshapes Debt Collection Compliance—Original Creditors Now Squarely in Scope

March 13, 2026

7min
View More

Events

A Cautionary Tale in Private Credit: Lessons Learned from First Brands
A Cautionary Tale in Private Credit: Lessons Learned from First Brands

April 20, 2026

Register for the Event
Nacha Faster Smarter Payments Conference 2026
Nacha Faster Smarter Payments Conference 2026

April 26 - 29, 2026 San Diego, CA

Recent News

Venable Ranks Among American Lawyer's Top 100 Firms
Venable Ranks Among American Lawyer's Top 100 Firms

April 15, 2026

1min
Venable’s Transactional Tax Group Adds 20-Year Veteran in Baltimore
Venable’s Transactional Tax Group Adds 20-Year Veteran in Baltimore

April 13, 2026

2min
Variety Spotlights Eight Venable Attorneys in Its 2026 Legal Impact Report
Variety Spotlights Eight Venable Attorneys in Its 2026 Legal Impact Report

April 08, 2026

2min
View More