FinCEN and the federal banking agencies released proposed AML/CFT program rules that largely reorganize the compliance requirements that were initially proposed in 2024 and introduce a new FinCEN consultation framework that ostensibly raises the bar for AML/CFT supervisory and enforcement actions for banks.

This client update is the first part of our coverage on the Department of the Treasury’s proposed rules that would update requirements for anti-money laundering and countering the financing of terrorism (AML/CFT) compliance programs. A full summary of the proposed rules, including the key changes relevant to financial institutions, is provided in our visual memo available here

The administration has made clear that Bank Secrecy Act (BSA) reform is a cornerstone of its financial regulatory agenda, citing from day one the need to modernize the U.S. AML/CFT regulatory framework. Shortly after taking office, Treasury leadership previewed sweeping changes to reduce compliance burdens under the BSA by, among other things, reworking Biden-era rules and refocusing supervision on the effectiveness of AML/CFT compliance programs, rather than rote check-the-box compliance processes.[1]

After much anticipation, on April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking that would standardize the requirements governing AML/CFT compliance programs for all financial institutions regulated under the BSA, introduce new requirements related to risk assessments, and expand Treasury’s and FinCEN’s oversight of AML/CFT supervisory and, presumably, enforcement taken actions taken by the federal banking agencies.[2] In parallel, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (collectively, the Agencies),[3] announced a joint notice of proposed rulemaking to align their respective AML/CFT program requirements with FinCEN’s proposed changes (together, with FinCEN’s proposed AML/CFT program rule, the Proposed Rule).[4] The Proposed Rule withdraws and replaces proposed AML/CFT program rules that FinCEN and the federal banking agencies issued in 2024 (the 2024 NPRM). 

Although Treasury states that the Proposed Rule would “fundamentally reform” requirements for AML/CFT programs and curb overly-aggressive enforcement,[5] it is unclear if the Proposed Rule, at least in its current form, would materially reduce banks’ and other financial institutions’ compliance burdens in practice. Further, the expanded role of Treasury in the supervisory process may have unintended consequences in a future administration because, as a practical matter, FinCEN would have a window into all of the Agencies’ AML/CFT supervisory and enforcement actions. The impact of the Proposed Rule should be measured and evaluated when the requirements are finalized and we encourage financial institutions to provide feedback to FinCEN and the Agencies during the comment period, which concludes on June 9, 2026.

Below, we provide three key takeaways that industry stakeholders should consider.

1. While the Proposed Rule reorganizes certain AML/CFT program requirements, the Rule’s compliance obligations are essentially the same as those proposed in the 2024 NPRM.

Both the 2024 NPRM and Proposed Rule were issued pursuant to the Anti-Money Laundering Act of 2020 (AMLA), which was enacted over five years ago but remains largely unimplemented. Among other things, AMLA requires FinCEN to review and update the AML/CFT program compliance requirements for financial institutions, [6] taking into account a range of new requirements and considerations, such as a codification of the requirement that AML/CFT programs are risk-based (i.e., tailored to the risk profile of the institution) and incorporate national AML/CFT Priorities issued and periodically updated by FinCEN.[7] Many industry stakeholders argued at the time that the 2024 NPRM would have expanded, rather than modernized, the BSA’s compliance obligations (as discussed in our client update). Treasury officials indicated last year that they planned to rework the 2024 NPRM and, more broadly, reform supervisory standards to focus on the output of AML/CFT compliance programs (i.e., how well the program “captures and proactively reports what law enforcement needs”) [8] rather than mechanical adherence to “process and documentation.”[9] The Proposed Rule appears designed to reorient supervisory focus along those lines, but it would not appear to meaningfully reduce compliance obligations for financial institutions relative to the 2024 NPRM.

One of the most notable (and controversial) requirements under the 2024 NPRM was the introduction of risk assessments as a new AML/CFT program “pillar”—as noted above, many financial institutions pushed back on the creation of new formal requirements, particularly in areas that were viewed as standard industry practice. Perhaps in response to industry feedback, the Proposed Rule would not make risk assessments a stand-alone regulatory requirement (i.e., a separate “pillar” of AML/CFT programs) but would instead fold the risk assessment requirements into the internal controls “pillar.” While this structural change may affect how regulators treat deficiencies in a financial institution’s risk assessment processes (which may not necessarily constitute a “pillar violation”), it seems unlikely to materially change supervisory expectations and, objectively, represents a new compliance requirement. While the Proposed Rule is responsive to public comments in other areas – for example, by clarifying that AML/CFT compliance functions may be performed by staff and vendors outside the United States – it does not appear that the Rule would reduce the scope of existing compliance obligations, at least meaningfully.

2. The Proposed Rule separates (and qualifies) requirements to “establish” and “maintain” an AML/CFT program, but the practical consequences are unclear.

The Proposed Rule’s primary mechanism for providing compliance relief appears to be: (i) establishing a formal distinction between the concepts of “establishing” and “maintaining” an AML/CFT program, and (ii) raising the bar for supervisory (and presumably enforcement) actions related to a failure to “maintain” an AML/CFT program. Conceptually, the Proposed Rule would define an “effective” AML/CFT program as one that is “established” and “maintained,” in all material respects,[10] and the Agencies would only bring enforcement actions for failures to “maintain” an AML/CFT program if there are significant or systemic issues (generally, the approach and standard the Agencies employ today).

Specifically, the Proposed Rule provides that a financial institution will be deemed to have an “effective” AML/CFT program if the institution:

  1. Establishes an AML/CFT program in accordance with specific standards set out in the Proposed Rule. Establishing an AML/CFT program would include implementing risk-based policies, procedures, and internal controls; appointing an AML/CFT officer based in the United States;[11] establishing an employee training program; and independent AML/CFT program testing.[12] Importantly, establishing an AML/CFT program “would also require keeping the program current as a financial institution’s risk profile evolves.”
  2. Maintains the AML/CFT program by “implementing” the program “in all material respects.” FinCEN notes in the Proposed Rule that, “Minor deficiencies of an AML/CFT program would not necessarily mean that a financial institution has failed to implement the program.” Although FinCEN does not define what it means to implement an AML/CFT program “in all material respects,” it provides common examples of “implementation” failures, which include: (a) internal policies, procedures, and controls not being performed due to inadequate resources; (b) gaps in the risk assessment processes that result in a lack of coverage for higher risks; or (c) deficiencies or weaknesses in risk assessments that result in a material impact on a financial institution’s mitigation of money laundering and terrorist financing risks through internal policies, procedures, and controls.

The requirements with respect to “establishing” an AML/CFT program are consistent with longstanding supervisory expectations and do not break new ground. For example, while the Proposed Rule explicitly states that AML/CFT programs should allocate resources to higher risk customers and activities rather than lower risk customers and activities (incorporating language from AMLA), the underlying principle of risk-based resource allocation is not new, and it is unclear if this would meaningfully change supervisory expectations. The Proposed Rule also makes clear that it would not “limit enforcement or supervisory actions for failures to establish an AML/CFT program,” which would include the failure to update the program based on changes to an institution’s risk profile (currently one of the common bases for enforcement actions). 

By adopting a materiality standard for “implementation” deficiencies, the Proposed Rule aims to refocus supervisory attention on issues that are material to the effectiveness of AML/CFT programs. It is unclear, however, if that goal can be achieved simply by inserting a materiality qualifier into the regulatory language. As noted, the Proposed Rule does not provide clear guidelines on the meaning of “in all material respects,” and examiners across the Agencies may (and likely will) adopt varying interpretations of the term. In fact, many of the examples of “material” failures cited in the Proposal (e.g., “internal policies, procedures, and controls are not being performed on a consistent, regular, and timely basis”) overlap with longstanding regulatory expectations and common reasons for supervisory criticism. It is also unclear if the “significant or systemic” standard is meaningfully different from existing standards and expectations. For example, regulatory guidance, including the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, provides that agencies should consider enforcement actions for “systemic” or repeat violations of BSA regulatory requirements (and most enforcement actions are predicated on systemic issues in a bank’s AML/CFT program).[13] Likewise, regulatory guidance already distinguishes between “systemic” issues relative to “isolated or technical violations.”[14]

In sum, the Proposed Rule would still provide ample room for the Agencies’ examiners to recommend supervisory and/or enforcement actions for implementation deficiencies that they consider material, and the Proposed Rule would not prevent the Agencies from taking such actions where examiners believe an AML/CFT program is incommensurate with a bank’s risk profile (i.e., because the institution failed to “establish” an AML/CFT program that complies with regulatory requirements).

3. The Proposed Rule would expand FinCEN’s oversight of the Agencies’ supervisory and enforcement actions, but the arrangement may have unintended consequences.

The Proposed Rule would introduce a notice and consultation framework wherein FinCEN would act as a gatekeeper for “significant AML/CFT supervisory actions” and “AML/CFT enforcement actions,” which are defined as follows:

  1. “Significant AML/CFT supervisory action” means any written communication or other formal supervisory determination issued by FinCEN or a federal banking agency that: (i) identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement; (ii) communicates supervisory expectations regarding actions or remedial measures required to correct the issue; and (iii) contemplates significant or programmatic actions or remedial measures to be taken.
  2. “AML/CFT enforcement action” means any formal or informal action taken by FinCEN or the Agencies that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement.[15]

Before initiating a “significant AML/CFT supervisory action,” the Agencies would be required to provide at least 30 days’ advance notice to FinCEN (absent urgent circumstances) and give the agency the opportunity to review and provide input on the potential action. Interestingly, while the preamble of the Proposed Rule evinces that the FinCEN consultation process would include a review of AML/CFT enforcement actions, the plain language of the rule only applies the consultation requirement to significant AML/CFT supervisory actions.[16] It is unclear whether this omission is intentional;[17] however, in practice, the FinCEN consultation process would very likely include a review of AML/CFT enforcement actions because such actions are generally extensions of and accompany relevant supervisory actions (e.g., in an OCC AML/CFT enforcement action, a bank would likely receive a Supervisory Letter that details the deficiencies that led to the enforcement action, the latter of which would be subject to FinCEN’s review under the proposed framework.)

In addition to 30 days’ notice, the Agencies must also provide FinCEN all “relevant AML/CFT information underlying the proposed action,” including confidential supervisory information (CSI), such as the relevant examination workpapers supporting the proposed action. FinCEN would consider a range of factors when providing input on the proposed action, including (among other things) the extent to which the institution has advanced the AML/CFT Priorities by providing highly useful information to law enforcement or “is performing other innovative activities producing demonstrable outputs evincing the effectiveness of the bank’s AML/CFT program (including effective use of artificial intelligence, federated learning, and other advanced monitoring tools).” It is important to note that the Proposed Rule does not provide FinCEN the authority to approve / disapprove supervisory actions, but instead the Agencies would be required to “consider any input offered by [FinCEN], which may include the effectiveness of the bank’s AML/CFT program.”

While the consultation arrangement is intended to create more consistency in BSA/AML enforcement and supervision, there are practical challenges that may limit the utility of the process for banks. For example, according to Office of Personnel Management (OPM) data, as of January 2026, FinCEN maintains a staff of approximately 225 employees[18] and does not employ bank examiners, which raises the question of whether FinCEN has the personnel necessary to efficiently review every significant AML/CFT supervisory action without introducing delays into the supervisory process. Moreover, it is possible that the FinCEN consultation framework may actually increase enforcement risk for financial institutions in the long term. The consultation arrangement ostensibly provides FinCEN enforcement staff an extensive record (including CSI) on the AML/CFT compliance deficiencies identified by examiners, which necessarily must be material and significant to rise to the level of a formal supervisory action. It is possible that, over time, different administrations take a more aggressive enforcement posture and leverage the consultation process to increase FinCEN’s scrutiny of bank’s AML/CFT programs during the supervisory process.

Finally, it should be noted that under 12 USC 1, “[t]he Secretary of the Treasury … may not intervene in any matter or proceeding before the Comptroller of the Currency (including agency enforcement actions), unless otherwise specifically provided by law.” It is not clear whether the FinCEN consultative process set forth in the Proposed Rule constitutes “intervening” and, if so, whether the Proposed Rule or the BSA itself specifically provides by law the necessary authority for such intervention.

Looking forward

While the Proposed Rule has been framed as a sweeping overhaul of the AML/CFT regulatory framework, in its current form, it is unclear whether the Proposed Rule represents a fundamental reformation of the U.S. AML/CFT framework or a meaningful reduction in financial institutions’ AML/CFT compliance burdens. Although the Proposed Rule would, on its face, raise the bar for AML/CFT supervisory actions (and, presumably AML/CFT enforcement actions), it does not remove or reduce compliance obligations for financial institutions under the BSA, and the standards articulated do not appear to depart from longstanding expectations and guidance. As in other areas, therefore, the net impact of the Proposed Rule will depend on how the standards are applied by examiners once the Proposed Rule is finalized. 

[1] See, e.g., U.S. Department of the Treasury, Remarks by Secretary of the Treasury Scott Bessent Before the Fed Community Bank Conference (Oct. 9, 2025), https://home.treasury.gov/news/press-releases/sb0276.

[2] FinCEN, Proposed Rule, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18704 (Apr. 10, 2026).

[3] Notably, the Federal Reserve did not join in the rulemaking by the Agencies.

[4] Office of the Comptroller of the Currency, Treasury; Federal Deposit Insurance Corporation; and the National Credit Union Administration, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 91 Fed. Reg. 18304 (Apr. 10, 2026).

[5] FinCEN, Fact Sheet: Proposed Rule to Fundamentally Reform Financial Institution AML/CFT Programs (Apr. 7, 2026), https://www.fincen.gov/system/files/2026-04/Program-NPRM-FactSheet.pdf.  

[6] The BSA requires regulated financial institutions to, among other things, implement an AML/CFT compliance program that includes four pillars: (i) internal policies, procedures, and controls; (ii) a designated compliance officer; (iii) ongoing employee training; and (iv) an independent audit function to test the program. FinCEN’s Customer Due Diligence Rule (CDD Rule) further requires a subset of “covered financial institutions” (including banks, broker-dealers, and others) to establish a “fifth pillar” providing for ongoing customer due diligence.

[8] U. S. Department of the Treasury, Remarks by Under Secretary for Terrorism and Financial Intelligence John K. Hurley at the Association of Certified Anti-Money Laundering Specialists Assembly Conference (Sept. 17, 2025), https://home.treasury.gov/news/press-releases/sb0251 .

[9] U.S. Department of the Treasury, Remarks by Secretary of the Treasury Scott Bessent Before the Fed Community Bank Conference.

[10] Note, FinCEN does not provide clear guidance as to what “in all material respects” means in this context and so the standard will very likely be a subjective determination by bank examiners, which is largely consistent with current practices.

[11] The Proposed Rule clarifies that the AML/CFT Officer must be based in the United States, but it is permissible for other functions to be performed by persons outside the United States (e.g., vendors or non-U.S. employees). 

[12] The Proposed Rule incorporates a number of requirements specific to financial institution’s internal controls pillar, including that it (i) is informed by periodic risk assessments (incorporating the AML/CFT Priorities), (ii) mitigate AML/CFT risks “including by directing more attention and resources toward higher-risk customers and activities” rather than “lower risk customers and activities,” and (iii) for covered financial institutions subject to FinCEN’s CDD Rule, conduct ongoing CDD.

[13] See, e.g., FFIEC, BSA/AML Examination Manual, Developing Conclusions and Finalizing the Exam,  https://bsaaml.ffiec.gov/manual/DevelopingConclusionsAndFinalizingTheExam/01.

[14] Id.

[15] Note, the Agencies’ companion proposals extend the definition of “significant AML/CFT supervisory action” to any formal or informal action taken by those agencies under the authority of 12 U.S.C. 1818, 1786, or other applicable law. The distinction here is important from a legal perspective because, while FinCEN maintains the authority to administer and enforce the BSA, the Agencies maintain separate statutory authority to impose AML compliance obligations on the banks that each Agency regulates. In practice, the Agencies issue AML/CFT-related supervisory actions pursuant to their own regulations and statutory authority, not the BSA.

[16] Indeed, as currently written, 31 CFR 1020.221(c)(1) states: “Before initiating a significant AML/CFT supervisory action, a Federal Financial Institutions Regulatory Agency when acting pursuant to authority delegated under this chapter will provide the Director, FinCEN an opportunity to review the action and consider any input offered by the Director, FinCEN on the action, which may include any view as to the effectiveness of the bank’s AML/CFT program.”

[17] For example, the preamble of the Proposed Rule states that the Agencies would, as part of the consultation process, provide FinCEN “the relevant portions of the draft report enforcement action” and Question 26 in the “Request for Comment” section states that “the purpose of the FinCEN consultation requirement is to ensure consistency in BSA/AML enforcement and supervision across banks.”

If you have any questions regarding the matters covered in this publication, please reach out to any of the lawyers listed below or your usual Davis Polk contact.

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.
Copy link to share post