FinCEN Proposes Landmark Overhaul of AML/CFT Programme Requirements Under BSA

On April 7, 2026, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a wide-ranging Notice of Proposed Rulemaking (NPRM) that would fundamentally reshape anti-money laundering and countering the financing of terrorism (AML/CFT) compliance for every category of financial institution regulated under the Bank Secrecy Act (BSA).

The proposal marks the most significant overhaul of AML/CFT programme standards in roughly 25 years. Its core shift: from a largely process-driven, ‘tick-the-box’ compliance model to one explicitly focused on demonstrated effectiveness and risk-based outcomes. Institutions would no longer satisfy regulators simply by having documented procedures in place — they must show that programmes actively detect and deter illicit activity, calibrated to their specific risk profile.

Key provisions include: (1) a mandatory risk assessment process that incorporates the government-wide AML/CFT priorities published under the AML Act of 2020; (2) explicit incorporation of FinCEN’s Customer Due Diligence (CDD) rule into formal programme requirements; (3) a requirement that the designated AML/CFT compliance officer be located in the U.S. and accessible to regulators; (4) a new 30-day advance consultation mechanism before banking regulators can initiate significant AML-related supervisory or enforcement actions — giving FinCEN a central coordination role it has historically lacked.

The rule would also expressly distinguish between ‘establishment’ failures (programme design deficiencies) and ‘implementation’ failures (operational gaps), with major enforcement actions reserved for material or systemic shortcomings rather than isolated technical lapses. This distinction has significant implications for how examiners approach findings and how institutions frame remediation.

Critically for technology adoption, the NPRM signals regulatory preference for AI-enabled compliance: FinCEN’s director would explicitly consider AI deployment as a marker of programme effectiveness when deciding whether to pursue enforcement. The public comment window runs to June 9, 2026, with a proposed 12-month implementation period after the final rule. For compliance officers, the immediate action item is a gap assessment on risk-methodology, officer structure, and how to evidence programme effectiveness.