FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance
Client Alert | April 15, 2026
Gibson Dunn is monitoring regulatory developments closely. Our lawyers are available to assist companies as they navigate the challenges and opportunities posed by the current, evolving legal landscape.
On April 7, 2026 the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (the Proposed Rule) revising regulation of financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs under the Bank Secrecy Act (BSA).[1] In support of the Proposed Rule, FinCEN issued a press release (the Press Release),[2] a fact sheet (the Fact Sheet),[3] and a list of “key changes” (the Key Changes Document).[4] FinCEN states that the Proposed Rule will fundamentally reform financial institution programs designed to fight illicit finance. FinCEN also intends for the Proposed Rule to modernize the U.S. AML/CFT regulatory framework by promoting risk-based programs and greater consistency across banks and financial institutions. FinCEN asserts that the Rule intends to ensure that AML/CFT programs better achieve the purposes of the BSA and lead to more effective outcomes for financial institutions and law enforcement.[5] The Proposed Rule has a sixty-day notice-and-comment period, ending on June 9.[6]
FinCEN advised that the Proposed Rule was “prepared in consultation with” the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Board of Governors of the Federal Reserve System (FRB) “in order to collectively issue proposed amendments to their respective BSA compliance program rules for the institutions they supervise.”[7] Concurrently with the Proposed Rule, on April 7, 2026, the OCC, FDIC, and NCUA issued a joint NPRM (Concurrent NPRM) meant to ensure “that their program requirements for banks remain consistent with those imposed by FinCEN” and prevent “any additional burden or confusion from needing to comply with differing standards between FinCEN and the Agencies.”[8] The Concurrent NPRM was also published in the Federal Register on April 10, 2026 and has a comment deadline of June 9, 2026.[9]
The below update summarizes some of the key changes and priorities described in the Proposed Rule, as analyzed by Gibson Dunn’s market-leading Anti-Money Laundering and Administrative Law and Regulatory Practice Groups.
1. The Proposed Rule reframes FinCEN enforcement and introduces a new supervisory role for banks’ AML/CFT programs. The Proposed Rule reforms AML/CFT supervision and enforcement related to banks. Banking regulators—including the OCC, FRB, FDIC, and NCUA—have independent authority under their own statutes to prescribe regulations requiring banks to establish and maintain procedures reasonably designed to assure and monitor compliance with the BSA. Under the Proposed Rule, the banking regulators must provide FinCEN at least 30 days’ advance written notice to review and provide input on any potential “significant supervisory action.”[10] The Proposed Rule defines a significant supervisory action as “any written communication or other formal supervisory determination issued by FinCEN or an Agency, when acting under supervisory authority delegated by FinCEN, that identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement.”[11] This excludes examiner observations, suggestions, or other informal comments,[12] and notably does not impose an affirmative notice obligation to FinCEN when banking regulators decline to bring a supervisory action. The notice to FinCEN should provide the relevant AML/CFT information underlying the proposed significant supervisory action.[13]
Additionally, as described below, the Proposed Rule outlines that FinCEN will generally not bring an enforcement action against a bank that has established an AML/CFT program under the Proposed Rule, unless there is a significant or systemic failure to implement that program.[14]
The Proposed Rule also establishes three factors that the FinCEN Director must weigh when either determining whether to bring an enforcement action or evaluating a proposed significant supervisory action from the federal banking agencies.[15] Those factors are (1) evaluation of the “four pillars” of an AML/CFT program, described further below, (2) whether the institution has advanced any of FinCEN’s AML/CFT Priorities such as providing useful information to law enforcement or effectively utilizing artificial intelligence, and (3) any other factor the Director deems appropriate, including the bank’s size, complexity, and risk profile.[16]
2. The Proposed Rule creates a “two-pronged framework” that deems a financial institution’s AML/CFT program effective if “the financial institution establishes and maintains their program.”[17] According to FinCEN, existing regulations do not provide standards for an AML/CFT program’s effectiveness.[18] While the 2024 NPRM would have required “effective, risk-based, and reasonably designed” AML/CFT programs, commenters complained to FinCEN that the meaning of each of these terms was unclear.[19]
FinCEN is replacing the language in the 2024 NPRM with a two-pronged framework. The Proposed Rule distinguishes between: (1) whether a financial institution has established an AML/CFT program at all; and (2) how the financial institution is maintaining that program, if established. FinCEN seeks through the Proposed Rule to establish standards for each of the two prongs. In the Fact Sheet, FinCEN argues that by so doing, the Proposed Rule will set clearer expectations for program effectiveness and “prevent conflating criticisms of program design with criticisms of day-to-day implementation.”[20]
To establish an AML/CFT program under the Proposed Rule, financial institutions must design a risk-based framework integrating “four core required pillars”[21] and providing for updates to the program as necessary to reflect significant risk changes.[22] The four core pillars, which are discussed in greater detail below, include (1) internal policies, procedures, and controls, (2) independent program testing, (3) a U.S.-based program head, and (4) ongoing employee training.[23]
Once a program is initially established, FinCEN states that a financial institution must continue to take appropriate steps to update the program to reflect current risk profiles.[24] A financial institution’s failure to update the program to reflect significant changes to the institution’s risk profile may result in the program no longer meeting the program establishment requirements.[25] Significant changes in a risk profile might include providing a new product or service or operating existing products or services in a new geographic location.[26]
In addition, the Proposed Rule would require financial institutions to maintain the AML/CFT program, once established, by “implementing it, in all material respects.”[27] FinCEN provides examples of an improperly maintained program, including where the program’s internal processes and policies are irregularly or inconsistently followed, or where deficiencies in risk assessment processes materially impact the mitigation of risk related to money laundering or terrorist financing.[28]
The proposed distinction between establishment and maintenance matters with respect to enforcement or “significant supervisory actions”[29] against banks (as opposed to other financial institutions). “[T]he Proposed Rule would not limit enforcement or supervisory actions [against banks] for failure to establish an AML/CFT program.” However, under the Proposed Rule, enforcement and significant supervisory actions against banks for failure to satisfy the maintenance prong should be limited “to a significant or systemic failure to implement an effective AML/CFT program.”[30] Compared to current regulations, that means the Proposed Rule’s two-pronged framework should result in a higher threshold for enforcement or significant supervisory actions against banks based on program implementation.[31]
3. The Proposed Rule reframes requirements for customer due diligence. Customer due diligence (CDD) has widely been known as the “fifth pillar” of an AML compliance program for those financial institutions required to implement CDD procedures.[32] While the Proposed Rule does not make substantive changes to financial institutions’ CDD requirements, FinCEN proposes to include them as part of the broader requirement that financial institutions “establish a risk-based set of internal policies, procedures, and controls that is reasonably designed.”[33] This, in effect, leaves “four pillars” of an AML compliance program, described above as (1) internal policies, procedures, and controls, (2) independent program testing, (3) a U.S.-based program head, and (4) ongoing employee training.[34]
4. The Proposed Rule requires financial institutions to establish and maintain risk assessment processes as a part of their risk-based internal policies, procedures, and controls.[35] The 2024 NPRM would have required financial institutions to implement risk assessments.[36] Many financial institutions already had engaged in regular risk assessments voluntarily or as required by federal regulators. The Proposed Rule supersedes the 2024 NPRM, and imposes an explicit requirement that banks, casinos, money-service businesses (MSBs), broker-dealers, mutual funds, future commission merchants (FCMs), and introducing brokers in commodities (IBs) must perform risk assessments as part of their AML program obligations.[37] The Proposed Rule does not prescribe “any particular processes or methodologies other than the critical elements described in [the] proposed rule,” but it does standardize the requirement for risk assessment processes across different types of financial institutions.[38]
Among other things, the critical elements include requirements that risk assessment processes (1) evaluate the money laundering and terrorist financing risks of the financial institution’s business activities, (2) review and incorporate FinCEN’s AML/CFT priorities as appropriate, and (3) are updated when the financial institution knows, or should know, there was a significant change to those risks.[39] The relevant business activities a risk assessment process should consider include products, services, distribution channels, customers, and geographic locations.[40]
5. The Proposed Rule instructs financial institutions to allocate more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities. Mirroring the requirement of the Anti-Money Laundering Act of 2020 (AML Act)[41] that AML/CFT programs be risk-based, the Proposed Rule calls for financial institutions to direct more attention and resources toward higher-risk customers and activities.[42] The Proposed Rule expresses FinCEN’s goal as to ensure that financial institutions “spend less time, energy, and resources on lower priority activities that may result in fewer resources devoted to, and potentially distract from, more serious threats.”[43] In line with this goal, FinCEN notes that it believes financial institutions are best positioned to determine their own money laundering and terrorist financing risks, and therefore, FinCEN does not contemplate second-guessing a financial institution’s reasonable determinations.[44] Although FinCEN’s position means examiners of financial institutions should not use “subjective judgment in place of the financial institution,” examiners should still assess whether: (1) a financial institution’s resource allocation decisions are based on reasonably designed risk assessment processes; and (2) the financial institution knows or should know of resource-related issues involving its internal policies, procedures, and controls.[45]
6. The Proposed Rule requires the financial institution’s AML/CFT Officer to be located in the United States.[46] Since the AML Act was enacted, there has been some lack of clarity about FinCEN’s expectations for the onshoring of compliance staff.[47] The Proposed Rule would require a financial institution’s AML/CFT Officer to be located in the United States in order to be accessible to, and subject to oversight and supervision by, FinCEN and any agency to which FinCEN has delegated examination authority.[48] This new requirement reflects similar language in the AML Act providing that “The duty to establish, maintain and enforce an anti-money laundering and countering the financing of terrorism program as required by this subsection shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator.”[49]
The Proposed Rule acknowledges that personnel located outside of the United States may still perform certain AML/CFT functions for cost efficiencies, cross-border operations, and other purposes.[50] Lastly, the Proposed Rule explicitly notes that there is no change to “existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States.”[51]
7. The Proposed Rule requires AML/CFT programs to be approved by the financial institution’s Board of Directors, an equivalent governing body, or appropriate senior management.[52] Some financial institutions are already required by the BSA or their functional regulator to have their AML/CTF programs approved by their Boards. The Proposed Rule would extend that requirement to all financial institutions.[53] The Proposed Rule is meant to simultaneously “reflec[t] the importance of a financial institution maintaining a strong culture of compliance,” while also providing flexibility by “allowing financial institutions to determine the appropriate approving authority consistent with their legal structure and other regulatory and legal requirements.”[54] For example, an equivalent governing body could be a sole proprietor, general partner, trustee, or senior officers. For the U.S. branch of a foreign bank, the equivalent governing body could be the foreign banking organization’s Board.[55]
8. The Proposed Rule allows use of technological innovation such as artificial intelligence to serve as evidence of an effective AML/CFT program. Under the Proposed Rule, the FinCEN Director will consider “whether the bank is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank’s AML/CFT program” as a factor in determining whether to pursue an enforcement action or a significant supervisory action.[56] FinCEN notes that this proposal aligns with one of the AML Act’s key purposes, namely to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and financing of terrorism.”[57] This does not mean that the Proposed Rule requires the use of any particular technology, but that “proactive analytics” or “other innovative activities producing demonstrable outputs” may serve as evidence of the effectiveness of an AML/CFT program.[58] FinCEN advises that responsible experimentation will not incur additional risk of AML/CFT enforcement or significant supervisory action.[59]
9. The Proposed Rule consolidates bank program requirements into a single standard. Under current regulations, banks with a federal functional regulator and banks without a federal functional regulator are subject to different AML/CFT program rules.[60] Since 2020, these rules have been almost identical, with the most significant difference being that banks lacking a federal functional regulator must (1) have their AML/CFT program approved by the board of directors or its equivalent governing body, and (2) make a copy of their AML program available to FinCEN or its designee upon request.[61]
The Proposed Rule would create one standard for banks regardless of whether they have a federal functional regulator.[62] As discussed above, the Proposed Rule would require that all banks have AML/CFT programs approved by their board, its equivalent governing body, or appropriate senior management.[63] Additionally, all banks must make AML/CFT programs available to FinCEN or its designee upon request.[64]
10. The Proposed Rule extends the implementation timeline. In the Proposed Rule, FinCEN also extends the implementation timeline to twelve months from issuance of the final rule, rather than the six-month compliance period contemplated by the 2024 NPRM.[65] In explaining that change, FinCEN notes that commenters to the 2024 NPRM reacted negatively to the six-month timeline and were “nearly unanimous” in requesting more time; some asked for at least one year, while others requested two years or more.[66] Commenters cited the need for additional time to review the final rule, make technological and process changes, incorporate the AML/CFT Priorities, reallocate resources, and provide training.[67]
If adopted, the Proposed Rule would significantly reform the BSA obligations of regulated entities. The Proposed Rule also provides an important indicator of the Trump Administration’s priorities in the AML/CFT space. Interested parties should provide comments proposing any changes or alternatives to the Proposed Rule by the comment deadline (June 9). We will continue to monitor the Proposed Rule and other developments, and report accordingly on steps individuals and entities should take to navigate the ever-evolving BSA/AML regulatory regime.
[1] https://www.federalregister.gov/documents/2026/04/10/2026-07033/anti-money-laundering-and-countering-the-financing-of-terrorism-programs, 91 Fed. Reg. 18704. The Proposed Rule supersedes and responds to comments made on FinCEN’s July 3, 2024 notice of proposed rulemaking (the 2024 NPRM), which is now withdrawn. The Proposed Rule was published in the Federal Register on April 10, 2026, triggering the 60-day comment period.
[2] FinCEN, FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance (Apr. 7, 2026), https://www.fincen.gov/news/news-releases/fincen-proposes-rule-fundamentally-reform-financial-institution-programs.
[3] FinCEN, Fact Sheet: Proposed Rule to Fundamentally Reform Financial Institution AML/CFT Programs (Apr. 7, 2026), https://www.fincen.gov/system/files/2026-04/Program-NPRM-FactSheet.pdf.
[4] FinCEN, Key Changes in FinCEN’s Proposed Rule to Refocus AML/CFT Programs on Higher-Risk Activity While Reducing Unnecessary Burden (Apr. 7, 2026), https://www.fincen.gov/system/files/2026-04/Key-Changes-Program-NPRM.pdf.
[5] The Press Release.
[6] Id.
[7] The Key Changes Document.
[8] 91 Fed. Reg. 18305 (April 10, 2026), https://www.govinfo.gov/content/pkg/FR-2026-04-10/pdf/2026-06948.pdf; The Office of the Comptroller of the Currency, Agencies Request Comment on Anti-Money Laundering/Countering the Financing of Terrorism Proposed Rule (April 7, 2026), https://www.occ.gov/news-issuances/news-releases/2026/nr-ia-2026-25.html. The Federal Reserve Board did not join the Concurrent NPRM and, as of the publication date, has not yet issued an NPRM related to the Proposed Rule.
[9] 91 Fed. Reg. 18304.
[10] Id. at 18722.
[11] Id. at 18721–22.
[12] Id. at 18722.
[13] Id.
[14] Fact Sheet at 5.
[15] Proposed Rule at 18722
[16] Id.
[17] Proposed Rule at 18713.
[18] The Key Changes Document.
[19] Proposed Rule at 18706.
[20] Fact Sheet at 3.
[21] Id.
[22] Id.
[23] Id.
[24] Proposed Rule at 18714.
[25] Id.
[26] Id.
[27] Id.
[28] Id.
[29] This term is defined further below.
[30] Proposed Rule at 18713.
[31] Id. at 18710.
[32] Id. at 18717. Such financial institutions are banks, broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities, and operators of credit card machines.
[33] Id.
[34] Fact Sheet at 3.
[35] Proposed Rule at 18715.
[36] Id. at 18706.
[37]Id. at 18715.
[38] Id.
[39] Id.
[40] Id.
[41] William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan. 1, 2021).
[42] Proposed Rule at 18717.
[43] Id.
[44] Id.
[45] Id.
[46] Id. at 18720.
[47] The AML Act amended the BSA to state: “[t]he duty to establish, maintain and enforce an anti-money laundering and countering the financing of terrorism program as required by this subsection shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator . . . “ 31 U.S.C. § 5318(h)(5). Through the 2024 NPRM, FinCEN sought to issue a regulation to explicate this duty.
[48] Proposed Rule at 18720.
[49] 31 U.S.C. 5318(h)(5).
[50] Proposed Rule at 18720.
[51] Id.
[52] Id. at 18720–21.
[53] Id. This is consistent with language in the 2024 NPRM.
[54] Id. at 18721.
[55] Id.
[56] Fact Sheet at 5.
[57] Proposed Rule at 18712.
[58] Id. at 18722.
[59] Id. at 18712.
[60] Id. at 18723.
[61] Id.
[62] Id.
[63] Id.
[64] Id.
[65] Id. at 18707, 18724.
[66] Id. at 18707.
[67] Id.
Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, other AML and sanctions laws and regulations, and the defense of financial institutions more broadly. For assistance, please contact any of the authors, the Gibson Dunn lawyer with whom you usually work, or any of the leaders and members of the firm’s Anti-Money Laundering / Financial Institutions, Administrative Law & Regulatory, Financial Regulatory, and White Collar Defense & Investigations practice groups:
Anti-Money Laundering / Financial Institutions:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Jason J. Cabral – New York (+1 212.351.6267, jcabral@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202.955.8220, kday@gibsondunn.com)
Ro Spaziani – New York (+1 212.351.6255, rspaziani@gibsondunn.com)
Ella Alves Capone – Washington, D.C. (+1 202.887.3511, ecapone@gibsondunn.com)
Sam Raymond – New York (+1 212.351.2499, sraymond@gibsondunn.com)
Administrative Law & Regulatory:
Stuart F. Delery – Washington, D.C. (+1 202.955.8515, sdelery@gibsondunn.com)
Matt Gregory – Washington, D.C. (+1 202.887.3635, mgregory@gibsondunn.com)
Eugene Scalia – Washington, D.C. (+1 202.955.8543, escalia@gibsondunn.com)
Helgi C. Walker – Washington, D.C. (+1 202.887.3599, hwalker@gibsondunn.com)
Financial Regulatory:
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Michelle M. Kirschner – London (:+44 20 7071 4212, mkirschner@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, jsteiner@gibsondunn.com)
White Collar Defense & Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Winston Y. Chan – San Francisco (+1 415.393.8362, wchan@gibsondunn.com)
Amy Feagles – Washington, D.C. (+1 202.887.3699, afeagles@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, fwarin@gibsondunn.com)
© 2026 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.