Publications

#news-content { display: block; } .meta-tag-list { display: block !important; visibility: visible !important; }

^Memos ^{Go Back}

Treasury and Banking Regulators Propose Rules to Overhaul AML/CFT Supervision and Enforcement

04.16.26

On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) (collectively, the Banking Agencies),^[1] released two notices of proposed rulemakings (Proposed Rules) intended to “fundamentally reform” anti-money laundering and countering the financing of terrorism (AML/CFT) obligations of U.S. financial institutions^[2] under the Bank Secrecy Act (BSA). These Proposed Rules, if implemented, will be a step towards harmonizing AML/CFT obligations across covered financial institutions, implement certain provisions of the Anti-Money Laundering (AML) Act of 2020 (AML Act), and introduce significant changes around compliance expectations and enforcement, particularly in the banking context.

The Proposed Rules largely harmonize or codify current AML/CFT requirements and expectations. However, for financial institutions that were not already implementing certain measures covered by the Proposed Rules, such as the establishment of a risk assessment process, the rules would require compliance program changes and updates.

Added Flexibility on Program Approval: Similar to current requirements, financial institutions would be expected to establish a written AML/CFT program incorporating “four pillars”: (1) written internal policies, procedures, and controls, including, where applicable, customer due diligence; (2) independent program testing; (3) the designation of a S.-based compliance officer;^{^[3]} and (4) ongoing employee training. Currently, a bank’s AML/CFT program must be approved by the board and made available to FinCEN or the relevant Federal regulator upon request. The Proposed Rule would also permit the program to be approved by “an equivalent governing body” or appropriate senior management of the bank to provide additional flexibility for alternative corporate structures and “reflect the division of roles and responsibilities between a bank’s board of directors and senior management with respect to establishing and implementing an AML/CFT program.” The Banking Agencies note that this does not change their expectation that bank boards of directors provide appropriate oversight of the program and senior management, and establish appropriate risk-based governance frameworks.
New Risk Assessment Process: For the first time, all covered financial institutions will be required to implement a risk assessment process, which would have to: (1) evaluate the money laundering/terrorist financing (ML/TF) risks of the financial institution’s business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate national AML/CFT priorities published annually by FinCEN; and (3) be updated upon any change that would significantly change the institution’s ML/TF risks. The financial institution’s policies, procedures, and controls would need to be reasonably designed to mitigate identified ML/TF risks—and be updated as risks evolve—and be designed to devote more attention and resources toward higher-risk than lower-risk activities and customers. In response to public comments received on a previous rulemaking attempt, the risk assessment process would not need to result in a single, consolidated document or rely on a specified methodology. Rather, the risk assessment process could be multiple processes that would be examined in their totality, taking into consideration the bank’s size, structure, risk profile, and complexity.

Importantly, the Proposed Rules would mark a significant shift in the AML/CFT enforcement process and priorities related to regulated U.S. banks. Enforcement actions (both formal and informal) and other supervisory findings related to AML/CFT compliance have been a constant for banks of all sizes for many years. As of the second quarter of 2025, the Federal Reserve Board reported that AML/CFT enforcement actions made up approximately 15% of all outstanding supervisory findings for regional banking organizations with assets between $10 billion and $100 billion in total assets.^{^[4]} The approach taken by the Proposed Rules reflects other recent actions by the Banking Agencies to generally reduce enforcement actions, refocus supervisory efforts on core financial risk, and move away from rigid governance and controls expectations that some view as disproportionately weighing against a bank’s overall supervisory ratings.

Emphasis on Program Design: FinCEN and the Banking Agencies propose to refocus enforcement on deficiencies stemming from a AML/CFT program’s design (“establishment”), rather than from the program’s ongoing operations (“maintenance”). This two prong approach would not change the substantive statutory or regulatory compliance requirements, rather, FinCEN proposes it will “help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design with criticisms of day-to-day implementation.” Establishing an AML/CFT program would require establishing a program that incorporates the four pillars described above and keeping the program current as a financial institution’s risk profile evolves. Maintaining the program would require an institution to implement its program in all material respects (e., executing the program in practice).
Material Shift in Tone on Enforcement Actions: FinCEN has delegated supervision and enforcement of the AML/CFT laws and regulations to the Banking Agencies, and the proposed rules would limit the Banking Agencies’ ability to bring enforcement or supervisory actions for compliance issues. Specifically, if a bank has properly established an AML/CFT program under the Proposed Rules, the Banking Agencies and FinCEN generally would not take an enforcement action related to issues stemming from day-to-day implementation. Rather, an “AML/CFT enforcement action”^{^[5]} or “significant AML/CFT supervisory action,” both defined broadly, against a bank would generally be reserved for instances in which the bank has a “significant or systemic failure” to maintain that program. As proposed, a “significant AML/CFT supervisory action” would include any written communication or other formal supervisory determination that identifies or alleges deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement, or communicates supervisory expectations to a bank regarding actions or remedial measures required to correct any such deficiency, and requires “significant or programmatic actions or remedial measures.”
Notice and Consultation With FinCEN for Supervisory Actions: In what might be the most material change in the Proposed Rules, absent urgent circumstances, the relevant Banking Agencies would need to notify FinCEN thirty days prior to initiating an AML/CFT enforcement action or a significant AML/CFT supervisory action against a bank and give FinCEN the opportunity to review and comment. This is a significant policy shift from a jurisdictional perspective, because the Banking Agencies historically have held firm to their independent statutory authority with respect to AML/CFT examination and enforcement. If finalized as drafted, this would dramatically impact the ability of the Banking Agencies to issue a wide variety of supervisory actions, including potentially Matters Requiring Attention, Matters Requiring Immediate Attention or similar actions, related to AML/CFT compliance.
Added Factors for Pursuing Enforcement Actions: In determining whether to pursue an enforcement action or significant supervisory action, FinCEN would need to consider specific factors, including (i) specific statutory factors laid out in the AML Act, (ii) whether the bank advances FinCEN’s AML/CFT priorities by providing highly useful information to law enforcement or national security officials, and (iii) whether the bank is employing innovative tools that demonstrate the effectiveness of the bank’s AML/CFT program. The Banking Agencies used the Proposed Rules as an opportunity to encourage banks to evaluate whether new technologies, such as generative AI or blockchain technology, may increase efficiencies and effectiveness. The Banking Agencies noted that banks that responsibly incorporate such technologies will not incur additional risk of enforcement actions based solely on the use of those technologies.

While these efforts to rationalize supervisory and enforcement expectations related to AML/CFT will be welcomed by many banks, the proposed changes to the Banking Agencies’ traditional enforcement methods and examination techniques may remain dependent on shifting political priorities related to oversight and enforcement. Additionally, the proposed changes to both program requirements and expectations will necessarily be subjective given the broad terminology in the Proposed Rules, the need to defer to “risk-based” decision making by banks, and natural variability in supervisory and examination staff expectations.

[1] The Proposed Rules would not apply to financial institutions whose primary regulator is the Board of Governors of the Federal Reserve System (Federal Reserve Board), including state member banks and bank holding companies. The Federal Reserve Board has not issued a complementary proposed rulemaking at the time of this alert, and it is not clear whether the Federal Reserve Board will do so given the impact of the Proposed Rules on enforcement authority. The Proposed Rules also do not implicate Security and Exchange Commission-supervised registered investment advisers and exempt reporting advisers, which are subject to a separate FinCEN rulemaking process.

[2] The “financial institutions” covered under the Proposed Rules are (1) banks, savings associations, credit unions and foreign banks whose primary regulator is either the OCC, the FDIC, or the NCUA; (2) casinos and card clubs (casinos); (3) money services businesses (MSBs); (4) brokers or dealers in securities (broker-dealers); (5) mutual funds; (6) insurance companies; (7) futures commission merchants and introducing brokers in commodities; (8) dealers in precious metals, precious stones, or jewels; (9) operators of credit card systems; (10) loan or finance companies; and (11) housing government sponsored enterprises. Permitted payment stablecoin issuers would be considered to be financial institution under a FinCEN/OFAC proposed rule issued on April 8, 2026. Read our client alert on the proposed rule here.

[3] The Proposed Rule clarifies that certain AML/CFT operations (excluding SARs) may be delegated to third-party providers or personnel located outside of the United States.

[4] https://www.federalreserve.gov/publications/files/202512-supervision-and-regulation-report.pdf.

[5] The term “AML/CFT enforcement action” would mean any formal or informal action taken by one of the Agencies under authority of 12 U.S.C. §§ 1818, 1786, or other applicable law that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes a cease-and-desist order, written agreement, consent order, or memorandum of understanding, or the assessment of a civil money penalty.