FinCEN’s proposed rule would offer significant financial incentives to individuals who report corporate violations of anti-money laundering, sanctions and national security laws across industries.

The Financial Crimes Enforcement Network (FinCEN) published a Notice of Proposed Rulemaking (the NPRM)[1] on April 1, 2026, that would establish a comprehensive whistleblower incentive and protection program covering violations of anti-money laundering (AML) rules, economic sanctions, and a range of other national security regimes (the Whistleblower Program). The Whistleblower Program is not limited to FinCEN-regulated entities but applies to any violation of the covered statutes. The NPRM would fully implement a statutory framework enacted by Congress under the Anti-Money Laundering Act of 2020 (AMLA) and the Anti-Money Laundering Whistleblower Improvement Act of 2022. If finalized, the Whistleblower Program would establish enforceable procedures and financial incentives for individuals who voluntarily report violations of the Bank Secrecy Act (BSA), the International Emergency Economic Powers Act (IEEPA), the Trading with the Enemy Act (TWEA), and the Foreign Narcotics Kingpin Designation Act, as well as implementing regulations promulgated under those laws (collectively, the covered statutes). 

Notably, the scope of the covered statutes is broad—the Whistleblower Program would cover not only violations of AML requirements under the BSA and its implementing regulations, but also violations of sanctions programs administered by the Office of Foreign Assets Control (OFAC) and other national security regimes implemented under IEEPA, including the Outbound Investment Security Program (OISP) and the Justice Department’s Data Security Program (DSP).[2] Individuals (including employees serving in compliance functions) who report violations through the Whistleblower Program may receive 10 to 30 percent of any monetary sanctions collected through subsequent enforcement actions (subject to certain conditions, including a minimum penalty amount). 

In conjunction with the NPRM, FinCEN released an advisory on fraud schemes targeting federal and state health care benefit programs (the Health Care Fraud Advisory). The Health Care Fraud Advisory urges financial institutions to be vigilant in identifying health care fraud by criminal actors and transnational criminal organizations (TCOs)[3] and encourages individuals to report suspected violations through the Whistleblower Program. Both the NPRM and the Health Care Fraud Advisory underscore the administration’s “whole-of-government effort to combat fraud, waste, and abuse involving [f]ederal payments.” As discussed in our client update, the administration’s specific focus on government benefits fraud was brought into sharp relief by FinCEN’s recent Geographic Targeting Order (GTO) in Minnesota.

We encourage all clients with exposure to the relevant AML, sanctions, and national security laws to closely review the NPRM, as the broad scope of the Whistleblower Program will likely increase compliance risk exposure for industry stakeholders and amplify pressure to voluntarily self-disclose violations (consistent with broader regulatory efforts in recent years). Public comments on the NPRM are due by June 1, 2026. Below, we provide a summary of the key takeaways from both the NPRM and the Health Care Fraud Advisory.

What would the NPRM do?

The NPRM would amend and replace FinCEN’s existing regulations governing rewards for individuals (31 CFR 1010.930) and fully implement the whistleblower framework established under AMLA and the AML Whistleblower Improvement Act of December 2022.[4] While the core elements and general framework for FinCEN’s Whistleblower Program was already codified under those statutes – and FinCEN released a portal for whistleblower tips in February 2026 – FinCEN had not, until the issuance of the NPRM, implemented regulations governing the terms and procedures for the program. 

Who is eligible for an award?

The NPRM would make awards available to “whistleblowers,” which are defined as individuals (both U.S. and non-U.S.) who provide, or any two or more individuals acting jointly who provide, “information relating to a possible violation of a covered statute or a possible conspiracy to violate a covered statute to Treasury or to DOJ, or to the employer of the individual or individuals, including as part of the job duties of the individual or individuals.” Legal entities and legal arrangements would not be eligible for whistleblower awards,[5] and certain individuals are also excluded from eligibility, including government employees or persons who abuse the program.[6] Although FinCEN primarily deals with financial institutions, whistleblower awards are available regardless of the industry of the violator.

Awards would be available for tips that lead to “covered actions,” which are judicial or administrative actions by Treasury or DOJ under a covered statute that have been successfully enforced and result in monetary sanctions exceeding $1,000,000.[7] FinCEN would be responsible for determining award eligibility after the action has been “successfully enforced” (i.e., after there has been a final judgment and all appeals have been exhausted or the time for appeals has expired). Tips must be submitted to FinCEN through the agency’s “Tip, Complaint, or Referral” form on FinCEN’s online portal. To be eligible, a whistleblower’s tip must be based on “original information,” meaning, among other things, that it is based on the whistleblower’s “independent knowledge” or “independent analysis”[8] of which the whistleblower is the “original source” (i.e., the information was not already known to Treasury or DOJ from a source other than the whistleblower). Eligible whistleblowers would receive 10 – 30 percent of monetary sanctions collected in a covered action, with a presumptive award at the 30 percent maximum when total sanctions do not exceed $15 million. 

Implications for employers

Both U.S. and non-U.S. employees would be eligible to receive awards, including employees who serve in compliance and audit functions. Whistleblowers would remain eligible for an award if they previously provided information to their employer (or to a part of Treasury, other than FinCEN, or to DOJ), but they must also submit that same information to FinCEN within a “reasonable time” (to be defined by FinCEN). However, whistleblowers are subject to a 120-calendar-day waiting period to be eligible for an award if: (A) the whistleblower obtained the reported information because the whistleblower was an officer, director, trustee, or partner of an entity, or the whistleblower learned the information in connection with the entity’s processes for identifying, reporting, and addressing possible violations of law; or (B) the whistleblower obtained reported information because the whistleblower was an employee whose principal duties involve audit or compliance responsibilities, or an employee or individual associated with a firm retained to perform audit or compliance functions for an entity. The waiting period requires whistleblowers to wait at least 120 calendar days from the date they obtained information before providing it to FinCEN to be eligible for an award.

In effect, this 120-day waiting period allows employers to assess the information and decide if the violation should be disclosed to a regulator. Notably, the 120-day waiting period would not apply to employees in business-level functions – e.g., a U.S. or non-U.S. employee on a deal team would not be required to wait before submitting a tip regarding a violation of the OISP. Finally, the NPRM provides that a whistleblower is ineligible to receive an award if they obtained original information through a communication that was subject to attorney-client privilege or work product doctrine (or a similar legal concept provided for under foreign law), unless the disclosure is otherwise permitted by the applicable federal or state law and/or attorney conduct rules.

The NPRM also establishes anti-retaliation protections, which prohibit employers from directly or indirectly discharging, demoting, suspending, threatening, blacklisting, harassing, or otherwise discriminating against a whistleblower in the terms and conditions of employment or post-employment because of the whistleblower’s lawful actions in reporting the violation.

For employers, the NPRM and Whistleblower Program will increase the importance of implementing policies and procedures governing internal investigations, reporting, and issues management, as well as processes for regulatory engagement and voluntary self-disclosures. While the NPRM’s 120-day waiting period may allow companies to evaluate potential violations, at least in certain instances, the Whistleblower Program as a whole may increase pressure on companies to timely remediate and self-disclose violations to the government. This is consistent with broader efforts among federal regulators in recent years to encourage companies to submit voluntary self-disclosures of potential or confirmed violations of law. As described in our client update, for example, DOJ recently announced a new corporate-wide enforcement policy for all criminal cases that creates significant incentives for companies to self-report misconduct. DOJ’s National Security Division (NSD) also recently encouraged companies to “voluntarily self-disclose to NSD any potential criminal violations of U.S. law relating to matters conducted, handled, or supervised by the NSD,” including violations relating to U.S. export control laws and regulations or the Committee on Foreign Investment in the United States (CFIUS) regulations.[9]

The Health Care Fraud Advisory

On the same day it announced the NPRM, FinCEN also released the Health Care Fraud Advisory, which urges financial institutions “to be vigilant in identifying and reporting suspicious transactions potentially related to health care fraud schemes targeting Medicare, Medicaid, and other federal and state health care benefit programs.” Treasury framed both the Health Care Fraud Advisory and the NPRM as part and parcel of the administration’s efforts to reduce fraud, waste, and abuse.[10] Both issuances follow FinCEN’s January 2026 GTO, which imposed expansive reporting requirements on banks and money services businesses in the Hennepin and Ramsey Counties of Minnesota. When announced, Treasury stated that the GTO was intended to address government benefits fraud in Minnesota, including the exploitation of child nutrition programs by TCOs.[11]

The Health Care Fraud Advisory, among other things, describes money laundering typologies and red flags associated with the exploitation of federal and state health care benefits programs, such as false and fraudulent claims for reimbursement. Notably, Treasury reported a 20% increase in suspicious activity reports related to heath care fraud in 2025 (relative to 2024) but stated that the reporting “likely represents only a small fraction of the illicit activity connected to health care fraud in the United States.”[12] Health care fraud was similarly a key area of focus in Treasury’s recently released 2026 National Money Laundering Risk Assessment (consistent with prior years).[13] The administration has made clear that targeting fraud in government benefits is both a policy and enforcement priority and has been willing to leverage its entire toolkit under the BSA to that end. This, in turn, will likely continue to raise the bar for financial institutions to detect and report suspected fraud.

Looking forward

The NPRM and Whistleblower Program may significantly increase exposure for companies under a wide range of national security laws. While whistleblower incentives have long been in place for violations of the BSA, the new whistleblower framework presents risks for a broader universe of companies beyond financial institutions that operate internationally (e.g., funds that engage in investments covered by the OISP). Moreover, although violations of export control laws and CFIUS rules would not be within the scope of the NPRM, it is plausible that similar whistleblower frameworks may one day follow for those regimes, given the continuing focus on corporate whistleblowing and self-disclosure.

The administration’s focus on health care and government benefits fraud is also likely to continue (and potentially accelerate) for the foreseeable future. While health care fraud is not directly in the scope of the covered statutes, we expect the administration would prioritize any tips with a nexus to fraud in government programs. FinCEN and other regulators are also likely to scrutinize compliance failures that result in undetected or unreported fraud against the government. Despite having endorsed a deregulatory approach in certain areas, the administration has signaled that it will enforce violations that overlap with its policy priorities. 

[1]  FinCEN, Whistleblower Incentives and Protections, 91 Fed. Reg. 16328 (Apr. 1, 2026).

[2]  As noted below, violations of export control regulations would not be covered by the NPRM because they are implemented under statutory authorities that are not covered by the Whistleblower Program.

[3]  FinCEN, FIN-2026-A001, FinCEN Advisory on Health Care Fraud Schemes Targeting Medicare, Medicaid, and Other Federal and State Health Care Benefit Programs (March 2026), available at: https://www.fincen.gov/system/files/2026-03/FinCEN-Advisory-Health-Care-Fraud.pdf.

[4]  AMLA amended the BSA to establish a whistleblower framework for BSA violations comparable to other federal regulatory regimes (e.g., the Securities and Exchange Commission’s Whistleblower Program).  The AML Whistleblower Improvement Act of 2022 expanded this framework to cover violations of IEEPA, TWEA, and the Kingpin Act and established the Financial Integrity Fund—a $300 million revolving fund financed by collected penalties – to pay out awards to eligible whistleblowers.

[5] FinCEN specifically refers to corporations, limited liability companies, and trusts as being ineligible for whistleblower awards.

[6] Specifically, any person meeting the following requirements would not be eligible for the Whistleblower Program: any (1) member, officer, employee, or contractor of an appropriate regulatory or banking agency, Treasury, DOJ, a law enforcement agency, Congress (including a committee of Congress), or a self-regulatory organization, that is (2) acting in the normal course of their job duties.

[7]  Monetary sanctions “would include all qualifying monies agreed to or ordered to be paid by all defendants or respondents, and arising from all claims that are brought within that action without regard to which specific defendants or respondents, or which specific claims, were included in the action as a result of the information that the whistleblower provided.” The definition excludes, among other things, blocked and forfeited property. Any “related actions” based on the original information provided by a whistleblower would count towards the $1,000,0000 threshold (including actions taken by other federal or state authorities).

[8]  “Independent Knowledge” would be defined as factual information “known to the whistleblower that is not exclusively obtained from publicly available sources.” “Independent Analysis” would mean the “evaluation of information, including information that may be generally known or available to the public, by the whistleblower, acting alone or in combination with others, in a manner that results in material insights into or interpretations of the significance of such information that are not generally known or available to the public.”

[9]  DOJ, Press Release, Reporting Voluntary Self-Disclosures of Violations of National Security Laws Under the Department-wide Corporate Enforcement Policy (March 30, 2026), https://www.justice.gov/opa/pr/reporting-voluntary-self-disclosures-violations-national-security-laws-under-department-wide.

[10]  See FinCEN, Press Release, FinCEN Proposes Rule to Pay Whistleblowers (March 30, 2026), https://www.fincen.gov/news/news-releases/fincen-proposes-rule-pay-whistleblowers.

[11]  U.S. Department of the Treasury, Press Release, Secretary Bessent Announces Initiatives to Combat Rampant Fraud in Minnesota (January 9, 2026), https://home.treasury.gov/news/press-releases/sb0354.

[12]  U.S. Department of the Treasury, Press Release, Treasury Targets Fraud Schemes Exploiting Government Health Care Benefits (March 30, 2026), https://home.treasury.gov/news/press-releases/sb0426.

[13]  U.S. Department of the Treasury, 2026 National Money Laundering Risk Assessment (March 2026), https://home.treasury.gov/system/files/246/2026-NMLRA.pdf.

If you have any questions regarding the matters covered in this publication, please reach out to any of the lawyers listed below or your usual Davis Polk contact.

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.
Copy link to share post