FinCEN Proposes Sweeping Changes to AML/CFT Compliance Structure
The Financial Crimes Enforcement Network’s April 2026 notice of proposed rulemaking marks a deliberate effort to recalibrate the architecture of AML/CFT compliance under the Bank Secrecy Act. The proposal does not expand core obligations in the traditional sense. Instead, it restructures how those obligations are defined, evaluated, and enforced. The stated objective is to align compliance with actual illicit finance risk while reducing low-value burden. The operative question becomes whether programs are reasonably designed and materially implemented, rather than whether institutions can demonstrate procedural completeness.
At a structural level, the proposal attempts to resolve a longstanding tension within the BSA framework. Financial institutions have been directed for years to adopt risk-based programs, yet supervision has often operated in a manner that rewards uniformity and volume. The result has been a system in which documentation and alert generation function as proxies for effectiveness. FinCEN’s proposal seeks to revise that model.
I. Establishment Versus Maintenance
The proposal’s most consequential feature is its separation of program “establishment” from “maintenance.” Establishment refers to the design of an AML/CFT program, including the institution’s risk assessment processes, internal controls, and governance framework. Maintenance refers to implementation in all material respects.
This distinction creates a framework where deficiencies in design are analytically separate from operational shortcomings. For banks, the proposal suggests that significant supervisory or enforcement action, once a program is properly established, should generally be tied to significant or systemic failures in maintenance, rather than isolated or technical implementation gaps.
That approach has two implications. First, it provides institutions with a clearer basis to defend reasonable program design choices, even where execution is imperfect. Second, it introduces a threshold concept into supervision, narrowing the circumstances under which implementation issues escalate into program-level violations.
II. Risk Assessment as the Organizing Principle
The proposal codifies risk assessment processes as the organizing core of AML/CFT programs. Institutions would be required to identify, assess, and document their exposure to money laundering, terrorist financing, and other illicit finance risks across customers, products, services, distribution channels, and geographies.
FinCEN does not mandate a single methodology or a discrete annual exercise. Instead, it allows institutions to rely on a combination of processes, evaluated collectively. This flexibility is intentional. It reflects an acknowledgment that risk profiles differ meaningfully across institutions and that prescriptive frameworks can undermine rather than enhance effectiveness.
At the same time, the proposal requires that these processes be dynamic. Institutions must update their risk assessments when they know or have reason to know that their risk profile has materially changed. The concept of a “reasonably designed” program is therefore linked not only to initial design but also to responsiveness.
III. Resource Allocation and the Rejection of Uniform Compliance
The proposal incorporates the Anti-Money Laundering Act’s directive that institutions allocate more attention and resources to higher-risk customers and activities. FinCEN is explicit that this entails a corresponding reduction of effort in lower-risk areas.
The significance of this point lies in its treatment of supervisory expectations. The proposal states that institutions should be able to reallocate resources toward higher-risk areas without incurring criticism solely because they are doing less in lower-risk areas, provided those decisions are grounded in their risk assessment processes.
This language addresses a central criticism of the current regime. Risk-based compliance has often been implemented in a manner that discourages meaningful prioritization. By contrast, the proposal attempts to normalize differentiated treatment across risk categories, subject to documentation and justification.
IV. Constraining Examiner and Auditor Subjectivity
The proposal includes several provisions designed to limit the substitution of supervisory judgment for institutional judgment. Examiners are directed not to replace an institution’s risk-based decisions with their own preferences, but to evaluate whether those decisions are supported by reasonably designed processes and whether the institution has addressed known or reasonably knowable deficiencies.
Independent testing is framed in similar terms. Auditors are expected to apply objective criteria and to assess whether the program has been effectively established, implemented, and resourced. The emphasis is on alignment with the institution’s risk framework, rather than adherence to an external template.
Whether these constraints alter supervisory practice will depend on implementation. The proposal establishes the principle, but its effect will be mediated through examination culture.
V. Centralizing FinCEN’s Role in Bank Supervision
For banks, the proposal introduces a formal notice and consultation framework between federal banking agencies and FinCEN with respect to significant AML/CFT supervisory actions. Regulators would be required to provide advance notice to FinCEN and share underlying materials supporting the proposed action, subject to certain limitations.
This mechanism reinforces FinCEN’s role as the central authority in AML/CFT policy and is intended to promote consistency across agencies. It may also function as a moderating influence on supervisory escalation, particularly in cases where program design is defensible but implementation issues are present.
VI. Program Governance and Structural Requirements
The proposal retains the traditional AML/CFT pillars while refining their content. Institutions must maintain internal policies, procedures, and controls that incorporate risk assessment processes and, where applicable, ongoing customer due diligence obligations. They must conduct independent testing, designate an AML/CFT officer located in the United States and accessible to regulators, and provide ongoing employee training.
Governance requirements are standardized through a requirement that the program be approved by the board of directors, an equivalent governing body, or appropriate senior management. These provisions elevate the role of internal governance in supporting and evidencing program design.
VII. Alignment with Broader Policy Direction
The proposal is consistent with FinCEN’s recent efforts to reduce low-value compliance burden. Guidance issued in 2025 regarding suspicious activity reporting emphasized the importance of focusing resources on activity that produces meaningful law enforcement value. Similarly, recent relief from certain customer due diligence requirements reflects an effort to eliminate repetitive processes that do not materially enhance risk detection.
Viewed in that context, the proposal represents a continuation of a broader policy direction. The objective is not deregulation, but reallocation.
VIII. Implications
If adopted as proposed, the rule would shift the locus of AML/CFT compliance from procedural execution to analytical justification. Institutions will need to articulate and document the rationale underlying their risk assessments, resource allocation decisions, and control design.
Programs that rely on inherited controls without a clear connection to current risk profiles may face increased scrutiny. Conversely, institutions that can demonstrate that their programs are calibrated to their specific risks, and that they adjust those programs as risks evolve, are likely to be better positioned.
The proposal also introduces a more structured basis for engaging with supervisors. The distinction between design and implementation, combined with the emphasis on objective evaluation, provides a framework for more substantive dialogue around program effectiveness.
Conclusion
FinCEN’s 2026 proposal reflects a policy judgment that the AML/CFT regime has become overly focused on process at the expense of outcomes. By emphasizing effectiveness, risk-based allocation, and supervisory discipline, the agency is attempting to realign compliance with its underlying purpose.
The success of that effort will depend on how these principles are applied in practice. The rule provides a decent framework. Whether it produces a corresponding shift in supervisory behavior remains an open question.
That’s all for now,
Braeden
***********************
About the author
K. Braeden Anderson is a Partner at Gesmer Updegrove, where he leads the firm’s Securities Enforcement & Investigations practice, and chairs Mackrell International’s Blockchain & Digital Assets Group and Securities Enforcement & Investigations Group. He is a nationally recognized securities regulatory and enforcement attorney whose practice sits at the intersection of traditional financial regulation and emerging technology. He has been recognized in Best Lawyers: Ones to Watch® in America (2025) for Financial Services Regulation Law and Securities Regulation, and was named the #1 most-read fintech thought leader in the United States in Mondaq’s Spring 2025 Thought Leadership Awards.
Before joining Gesmer Updegrove, he served as Assistant General Counsel at Robinhood Markets, Inc. (NASDAQ: HOOD), advising on high-stakes regulatory and enforcement matters, and earlier practiced at Kirkland & Ellis LLP and Sidley Austin LLP in New York and Washington, D.C.
Braeden publishes a weekly newsletter reaching more than 20,000 legal and financial professionals, runs a YouTube channel with over 160,000 subscribers, and regularly produces written and multimedia thought leadership through his blog, Anderson Insights. His work focuses on enforcement trends, fintech regulation, and the evolving role of digital assets in capital markets.