New AML/CFT Program Requirements: How US Financial Institutions Should Prepare

On April 7, 2026, FinCEN and three federal banking agencies proposed a sweeping overhaul of AML/CFT program requirements for US financial institutions. The joint proposal from FinCEN, the FDIC, the OCC and the NCUA represents one of the most significant reforms to Bank Secrecy Act compliance in decades. It further formalizes and reinforces a risk-based approach to AML/CFT compliance, and would require institutions to direct more resources toward higher-risk customers and activities rather than spreading efforts uniformly. It also codifies ongoing customer due diligence as a formal program requirement and demands that compliance officers be US-based and accessible to regulators. Whether your institution is a traditional bank, a credit union or a fintech operating under a bank partnership, these changes will reshape how you build and run your compliance program. Here is what you need to know.

Why FinCEN is reforming AML/CFT program requirements

For years, compliance professionals have argued that the existing BSA framework focuses too heavily on box-ticking. Regulators heard those concerns. On April 7, 2026, FinCEN and three federal banking agencies responded with a proposal that would fundamentally reshape how financial institutions approach AML/CFT program requirements under the Bank Secrecy Act.

The proposal responds directly to mandates in the Anti-Money Laundering Act of 2020. That legislation called for a shift toward effectiveness and risk-based compliance. However, rulemaking takes time and the April 2026 notice of proposed rulemaking finally translates those mandates into concrete regulatory expectations.

The current framework treats most institutions similarly, regardless of size or risk profile. A community bank with no international exposure faces the same structural requirements as a multinational institution handling correspondent banking across high-risk jurisdictions. As a result, compliance teams often spread their resources too thin, dedicating equal attention to low-risk and high-risk activities. The proposal aims to correct this imbalance by explicitly requiring a risk-based approach.

Who issued the proposal and what does it cover?

FinCEN issued the proposal jointly with the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the National Credit Union Administration (NCUA). Together, these agencies supervise the vast majority of US banks and credit unions. Therefore, the proposal will affect nearly every depository institution in the country.

The proposal applies to banks, savings associations, credit unions and their branches. Fintechs that operate through bank partnerships should also pay close attention. Changes to a partner bank’s AML/CFT program requirements may indirectly impact fintech operations, particularly where the fintech relies on the partner bank for its compliance infrastructure.

The FATF has long advocated for risk-based AML programs globally. Countries like the UK, Australia and the UAE already require regulated entities to demonstrate that their controls are proportionate to their risk exposure. This proposal brings the US closer to that international standard.

Key changes in the proposed AML/CFT program requirements

The proposal introduces several significant changes. Each one builds on the other, creating a more integrated and risk-focused compliance framework.

A formal risk-based mandate

For the first time at the program rule level, the proposal explicitly requires AML/CFT programs to be “effective, risk-based and reasonably designed.” This language goes beyond the current obligation to simply maintain a program. Institutions must now demonstrate that their controls reflect their actual risk profile. Consequently, higher-risk customers, products and geographies must receive proportionally more scrutiny, while lower-risk areas may warrant simplified controls.

Integration of national AML/CFT priorities

FinCEN publishes national AML/CFT priorities that highlight the most pressing illicit finance threats facing the United States. Under the proposal, institutions must incorporate these priorities into their risk assessment processes. In practice, this means your risk assessment can no longer exist as a static document. It must function as a living tool that reflects both your institution’s specific risks and the broader national threat landscape.

Ongoing customer due diligence becomes a core requirement

FinCEN’s existing CDD Rule requires ongoing monitoring of customer relationships as part of broader CDD obligations. However, the proposal would more explicitly integrate these obligations into core AML/CFT program requirements enforced by banking regulators. The practical effect is significant. Ongoing CDD will receive greater supervisory focus during examinations and examiners will expect documented procedures that demonstrate how your institution monitors customer relationships over time.

US-based compliance officer

The proposal codifies the AML Act’s requirement that the designated AML/CFT compliance officer be based in, or readily accessible from, the United States and remain accessible to regulators for regulatory engagement. For institutions that currently rely on offshore compliance leadership or shared services arrangements, this change may require structural adjustments. The compliance officer must also hold sufficient seniority to act independently and have direct access to the board or senior management.

What the risk-based approach means in practice

Adopting a risk-based approach sounds simple in theory. In practice, it requires a fundamental rethinking of how compliance teams allocate their time and budget.

Start with your risk assessment. Regulators expect this document to identify and evaluate the specific money laundering and terrorist financing risks your institution faces. It should account for your customer base, the products and services you offer, the geographies you operate in and the delivery channels you use. A thorough risk assessment forms the foundation of everything that follows.

From there, your policies, procedures and controls must map directly to those identified risks. For example, if your institution serves a large population of customers in jurisdictions with weak AML controls, your enhanced due diligence procedures for those relationships should be robust and well documented. On the other hand, if a particular product line presents minimal risk, you should be able to demonstrate why simplified controls are appropriate.

Transaction monitoring deserves particular attention. Regulators will evaluate whether your monitoring scenarios detect the typologies most relevant to your risk profile. Generic, off-the-shelf monitoring rules that generate excessive false positives while missing genuine risks may draw regulatory scrutiny. Calibrating your scenarios to your actual risk exposure is increasingly expected by regulators.

The connection to FinCEN’s CDD exceptive relief

In February 2026, FinCEN issued an Exceptive Relief Order that streamlined beneficial ownership verification requirements. Previously, covered financial institutions had to identify and verify the beneficial owners of legal entity customers every time a new account was opened. The Exceptive Relief Order removed the obligation to re-verify beneficial ownership every time a legal entity opens a new account. Re-verification is now required only when the institution learns facts that call into question the reliability of previously collected information, or when the institution’s own risk-based procedures demand it.

Together with the April proposal, this change signals a clear regulatory direction. FinCEN wants less paperwork and more meaningful compliance. Institutions that can demonstrate strong, risk-based processes will find regulatory engagement more collaborative. Those still relying on checklist-driven approaches may face increased scrutiny.

Five steps your compliance team can consider now

The 60-day comment period gives institutions time to review the proposal and submit feedback. However, forward-thinking compliance teams should also use this window to begin preparing for implementation.

Review your risk assessment methodology. Does it already incorporate FinCEN’s national AML/CFT priorities? If not, begin mapping those priorities to your institution’s specific risk factors. Regulators will expect to see this integration once the final rule takes effect.

Evaluate your CDD and ongoing monitoring procedures. The formal integration of ongoing CDD into program requirements means examiners will scrutinize these processes more carefully. Make sure your procedures are documented, consistently applied and supported by adequate technology.

Assess your compliance officer structure. If your designated BSA/AML officer is not currently based in the United States, begin planning for the transition. Regulators will expect accessibility, so consider whether your current reporting lines support direct engagement with supervisory authorities.

Calibrate your transaction monitoring. Review your monitoring scenarios against your risk assessment. Are you detecting the typologies that matter most for your risk profile? Are your alert investigation processes efficient and well documented?

Engage with the rulemaking process. The comment period is your opportunity to shape the final rule. If aspects of the proposal would create unintended burdens for your institution, submit a detailed comment explaining the practical challenges and proposing alternatives.

Global context: Why this matters beyond the US

The FinCEN proposal does not exist in isolation. Regulatory authorities worldwide are converging on the same principles. The EU’s new Anti-Money Laundering Authority (AMLA) is developing harmonized technical standards for CDD, risk classification and transaction monitoring across all EU member states. Meanwhile, the UAE is preparing for an upcoming FATF mutual evaluation, with regulators focusing on whether compliance controls work effectively in practice rather than simply existing on paper.

For multinational institutions and fintechs operating across borders, these parallel developments create both challenges and opportunities. A strong, risk-based AML program that meets FinCEN’s proposed standards will likely satisfy many of the same expectations in other jurisdictions. Compliance teams that invest in genuine risk-based frameworks now will find themselves better positioned to navigate regulatory requirements globally.

Preparing for what comes next

FinCEN’s proposal marks a turning point for AML/CFT compliance in the United States. By formally mandating a risk-based approach, integrating national priorities into program requirements and codifying ongoing CDD obligations, regulators are signaling an increased emphasis on effectiveness over formality. For compliance teams, this means less time on low-value activities and more focus on the risks that genuinely matter.

The comment period is open now, with comments due by June 6, 2026. Use it to review the proposal, assess your current program against the new expectations and submit feedback where appropriate. If you need help evaluating your AML/CFT program or preparing for these changes, Compliance7 offers free consultations to help you build a compliance framework that meets regulatory expectations while supporting your business objectives.

This article is for informational purposes only and does not constitute legal or regulatory advice. For guidance specific to your business, consult a qualified compliance professional.

Ajith Abraham is a Financial Crimes Compliance Professional with over 12 years of experience in AML, KYC, CDD, EDD, Transaction Monitoring, and Sanctions Screening. As a Certified Anti-Money Laundering Specialist (ACAMS), he has worked with global consulting firms, including the Big 4, and led large teams delivering complex AML/KYC compliance projects for banking and financial institutions. Ajith specializes in suspicious activity reporting (SAR), regulatory compliance, and audit readiness and has a proven track record of enhancing operational efficiency in high-stakes environments. His expertise spans financial services, risk management, and compliance training, making him a trusted advisor in strengthening defenses against financial crime.
