FinCEN’s Revisions to AML/CFT Program: Considerations for Financial Institutions

On 7 April 2026, The Financial Crimes Enforcement Network (FinCEN) issued its notice of proposed rulemaking[1] (NPRM or proposed rule) that would revise the requirements for anti-money laundering and countering the financing of terrorism (AML/CFT) compliance programs for financial institutions.[2] If adopted as is, the final program rules would become effective 12 months from their date of issuance. The comment period for the proposed rule ends on 9 June 2026.

In parallel, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and National Credit Union Administration (NCUA) have issued a joint proposed rule that would revise the AML/CFT program requirements for their regulated institutions in order to align with the FinCEN proposed rule.[3] The Federal Reserve Board of Governors is also expected to publish a similar proposed rule.

This alert identifies some key features of the NPRM and considerations for financial institutions.

Overview and Context

The proposed rule represents FinCEN’s effort to achieve Treasury Secretary Bessent’s goal to “make changes to the AML/CFT framework to truly focus on national security priorities and higher-risk areas and explicitly permit financial institutions to de-prioritize lower risks.”[4] It does so by refining program requirements, recalibrating supervisory thresholds, and expanding FinCEN’s role in oversight.

In its proposed rule, FinCEN faces the onerous task of meeting heightened expectations for a substantial revamp of the U.S. AML/CFT framework. The proposed rule is a small but meaningful step toward modernizing the AML/CFT framework. Its success will depend on factors beyond the rule itself—for example, supervisory consistency, clearer articulation of effectiveness standards, and alignment between regulators, law enforcement, and financial institutions.

The Anti-Money Laundering Act of 2020 (AML Act)[5] identifies additional areas of reform to enhance the ability of the overall AML/CFT framework to prevent financial crime effectively and efficiently and to maintain the integrity and security of the U.S. financial system. These areas include, among others, effective examiner training and supervision; modifications to the FFIEC Manual; revisions to Bank Secrecy Act (BSA) reporting requirements, such as SARs (suspicious activity reports) and CTRs (currency transaction reports); enhanced transparency by law enforcement and FinCEN regarding their use of BSA reporting; effective deployment of artificial intelligence/machine learning tools; better coordination between FinCEN, law enforcement, and supervisors; and improved legal authorities and use of public-private information sharing mechanisms such as 314(a), 314(b), and the FinCEN Exchange program, among others. These areas of reform are not covered by the proposed rule but require considered attention by FinCEN, supervisory agencies, law enforcement, financial institutions, and civil society to ensure effective implementation of the AML/CFT framework. All proposed requirements and additional areas of reform will need increased staffing and resources to implement and sustain these changes successfully.

Ultimately, the test of the proposed rule will not be whether it reduces technical deficiencies and day-to-day friction between examiners and financial institutions, but whether it results in more targeted, higher-quality reporting and a demonstrable improvement in the ability of law enforcement to identify and disrupt illicit finance. This goal will depend as much on the text itself as well as on how supervisors interpret and apply it in practice.

“The test of the proposed rule will not be whether it reduces technical deficiencies and day-to-day friction between examiners and financial institutions, but whether it results in more targeted, higher-quality reporting and a demonstrable improvement in the ability of law enforcement to identify and disrupt illicit finance. This goal will depend as much on the text itself as well as on how supervisors interpret and apply it in practice.”

Key Features

This 2026 proposed rule builds on prior FinCEN proposals and considerable industry feedback, including responses to FinCEN’s 2020 advanced notice of proposed rulemaking on effectiveness[6] and its 2024 proposed rule on AML/CFT programs.[7] While the 2024 rule was criticized for its failure to achieve the goals of the AML Act, the new NPRM in many respects retains core features of the 2024 proposal while adding a revised supervisory and enforcement framework.

The NPRM would generally:

• Amend AML compliance program requirements at FinCEN-regulated financial institutions;
• Modify presumptions for BSA supervisory and enforcement findings;
• Provide FinCEN with an increased role in supervisory actions;
• Delineate factors evaluating AML/CFT program effectiveness, including adoption of innovative technologies and participation in information sharing mechanisms.

Reliance on preamble over regulatory text. A notable feature of the proposed rulemaking is that many of the most consequential expectations—particularly around priorities, effectiveness, information sharing, and innovation—are articulated in the preamble rather than the regulatory text. This creates some structural ambiguity: while the preamble provides important interpretive guidance, its weight in supervisory and enforcement contexts is less certain. The success of the rule will therefore depend on the treatment of and adherence to the expectations set by the preamble by FinCEN and the federal banking agencies.

Revised AML/CFT compliance program requirements. The proposed rule would require financial institutions to (1) “establish” an AML/CFT program and (2) “maintain” that program by implementing the program “in all material respects.”[8] As the proposed rule explains, this bifurcation is relevant for potential supervisory and enforcement action. Under the proposed rule, a financial institution’s AML/CFT program would include four pillars:

1. Establish and maintain a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure BSA compliance.
2. Establish independent AML/CFT program testing to be conducted by bank personnel or by an outside party.
3. Designate an individual who is located in the United States and is accessible to, and subject to, FinCEN oversight. That individual would be responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance.
4. Establish an ongoing employee training program.

With respect to the first pillar, the policies, procedures, and controls for the AML/CFT program must be reasonably designed to achieve three elements:

• Identify, assess, and document the financial institution’s ML/TF risks through risk assessment processes that evaluate the risks of the institution’s business activities, that incorporate the AML/CFT Priorities as appropriate, and that are updated promptly upon any change that the financial institution knows or has reason to know significantly changes the institution’s ML/TF risks;
• Mitigate the financial institution’s ML/TF risks, consistent with the financial institution’s risk assessment processes, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the bank, rather than toward lower-risk customers and activities; and,
• For certain financial institutions, conduct ongoing customer due diligence.

While the regulatory text prescribes only four pillars for an effective AML/CFT program, additional considerations may be relevant for a program’s effectiveness, as reflected in the preamble to the proposed rule. For example, the proposed rule states that FinCEN considers “information sharing to be an important element of an effective AML/CFT program”[9] through 314(a) requests, 314(b) information sharing, and participation in the FinCEN Exchange Program, despite the omission of information sharing from the regulatory text for an effective AML/CFT program.

Modified presumptions for supervisory and enforcement actions. The proposed rule articulates a new FinCEN enforcement and supervision policy, but only for banks’ AML/CFT programs. The proposed rule invites comments on whether these provisions should apply to other financial institutions, such as money services businesses (MSBs) or casinos and card clubs, at a time when non-bank financial institutions, particularly MSBs, require this regulatory clarity more than ever.

As stated in the proposed rule, separating program establishment from program maintenance is intended to clarify whether a supervisory concern relates to deficiencies stemming from the program’s design on the one hand, or failures in the program’s operation on the other. A poorly designed program should carry greater enforcement risk than execution gaps in a well-designed program.

The new policy would provide that a bank that has properly established an AML/CFT program will be subject to a FinCEN or supervisory action by the federal banking agencies only for a “significant or systemic failure” to implement its AML/CFT program. In other words, a bank that has properly established an AML/CFT program would not be subject to an “AML/CFT enforcement action” (i.e., an action by FinCEN) or a “significant AML/CFT supervisory action” (i.e., an action by one of the federal banking agencies acting under BSA authority) unless there were deficiencies or issues that arose from its failure to implement, in all material respects, that program.

In contrast, the proposed rule clarifies that nothing restricts the ability of FinCEN or the federal banking agencies to initiate an enforcement action or significant supervisory action with respect to a financial institution’s failure to establish an AML/CFT program. Similarly, the new policy would not apply to criminal enforcement liability under the BSA.

The preamble describes some “commonly observed examples” of a financial institution’s failure to implement its AML/CFT program “in all material respects”:

• Internal policies, procedures, and controls are not being performed or not being performed on a consistent, regular, and timely basis (e.g., consistently ignored warnings or red flags that a program was seriously deficient) due to the nature or extent of required resources becoming inadequate;
• Gaps in the risk assessment processes that result in the financial institution’s program missing or inadequately covering higher ML/TF risks (e.g., systems used to monitor for potentially suspicious activity failing to capture material volumes or types of transactions); or
• Deficiencies or weaknesses in the risk assessment processes that have a material impact on the financial institution’s mitigation of ML/TF risks through its internal policies, procedures, and controls, including due to data-related issues involving relevant processes and systems.

At the same time, FinCEN cautions that the proposed rule does not provide permission for financial institutions to establish “paper programs” that might be interpreted as meeting the proposed rule’s technical requirements on their face but do not achieve the desired outcomes of more effectively and efficiently detecting and preventing ML/TF activity. The proposed rule provides an example of a poorly established program:

[I]f a financial institution’s program testing reveals that a new customer type or new activity is high risk, but the financial institution does not take any action to revise the design of its internal policies, procedures, and controls and therefore treats the customer or activity as presenting low risk, then its program should not be considered reasonably designed.[10]

Enhanced FinCEN role in supervisory actions. For banks, the proposed rule would also require the federal banking agencies to provide FinCEN with the opportunity to review any “significant AML/CFT supervisory action” at least 30 days in advance of the proposed action. The federal banking agencies would need to consider any FinCEN input on the proposed action, which could include views on the “effectiveness of the bank’s AML/CFT program.” This review process does not apply to other FinCEN regulated financial institutions.

Factors for evaluating AML/CFT program effectiveness. The proposed rule further specifies a non-exclusive list of factors that FinCEN can consider in reviewing a proposed action by the federal banking agencies or deciding whether to take an enforcement action or significant supervisory action with respect to banks:

• The FinCEN Statement on Enforcement of the Bank Secrecy Act;
• The factors set forth in the AML Act of 2020 describing high-level objectives for the overall U.S. AML/CFT framework;
• The extent, if any, to which the bank—where appropriate in light of its size, complexity, and risk profile—has advanced the AML/CFT Priorities by providing highly useful information to law enforcement or national security officials, such as by responding to 314(a) requests, using 314(b) authorities to share information with other financial institutions to identify and report suspicious activity, or participation in the FinCEN Exchange Program.
• Whether the financial institution conducts proactive analytics or performs other innovative activities producing demonstrable outputs evincing “the effectiveness of the bank’s AML/CFT program.” The proposed rule singles out innovative technologies such as the effective use of artificial intelligence, federated learning, or other advanced monitoring tools.
• Whether there are circumstances in which the bank’s low-risk customers or limited business activities naturally restrict the extent to which the bank can meaningfully contribute to AML/CFT Priorities.

Key Strengths of the Proposed Rule Focuses financial institutions on ML/TF risks stemming from customers and activities. Provides flexibility to financial institutions to allocate attention and resources to high-risk activities—and, notably, away from lower risk activities. Establishes effectiveness as a central objective for AML/CFT programs. Establishes framework to standard examination outcomes and focus on risk-based approach. Highlights importance of financial institutions participating in information-sharing mechanisms and adopting innovative technologies.

Considerations for Financial Institutions

In reviewing potential implementation challenges for the proposed rule and areas for comments, financial institutions should (1) focus on specific risks that a financial institution faces as a driver for designing an effective AML/CFT program; (2) identify challenges that could undermine the effectiveness of a financial institution’s AML/CFT program; and (3) consider actions to deliver useful reporting to law enforcement, including through information-sharing mechanisms and the deployment of innovative technologies, rather than documentation and defensive SAR filings.

Financial institutions should review their risk assessment framework against expectations set by the proposed rule. The scope of the risk assessment processes, triggers for updates to the assessments and controls, and documentation required for identification of ML/TF risks are particularly relevant.

For example, under the proposed rule, a financial institution would need to evaluate risks stemming from a new product or service—or changes to how it provides existing products or services, such as operating in a new geographic location—as part of its risk assessment process. Additional circumstances in which a financial institution may need to update its risk assessment include, for example, when new products, services, and customer types are introduced; when existing products, services, and customer types undergo significant changes; when the financial institution adopts new risk mitigation technology; or if the financial institution as a whole expands or contracts through mergers, acquisitions, divestitures, dissolutions, or liquidations. These examples all reflect a common theme where the scope and scale of a financial institution’s product offerings exceeding its AML/CFT control framework frequently leads to enforcement.

The risk assessment process should reflect the simple proposition that a financial institution should understand its customers and transactions and tailor policies and controls to those risks on an ongoing basis. Financial institutions could seek additional clarity on supervisory expectations for the process; circumstances in which a financial institution “knows or has reason to know” of a change that requires its risk assessment to be updated; and how “promptly” updates need to occur; and any required documentation.

Financial institutions would have an ongoing responsibility to mitigate ML/TF risks through updated policies, procedures, and controls. The requirement to establish an effective AML/CFT program is not limited to a one-time adoption of policies, procedures, and controls. Instead, the establishment of an AML/CFT program will need to “remain current as the financial institution’s risk profile changes.”[11] Financial institutions would need to make a risk determination and redesign their policies, procedures, and controls to account for risks arising from a new product or service or operating in a new geographic location. FinCEN makes this subject to the highest enforcement risk: even where a financial institution has previously established an AML/CFT program, a failure to update the program to reflect significant changes in the institution’s risk profile may result in the program no longer satisfying the proposed rule’s requirements regarding establishment.

Both the 2024 NPRM and the current proposed rule also share the new requirement that AML/CFT programs must be reasonably designed to “mitigate” their ML/TF risks. In contrast, the existing program rules for financial institutions only require that a program include a “system of internal controls to assure ongoing compliance.”[12] The requirement to “mitigate” is informed largely through the prism of resource allocation, e.g., “directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the [financial institution], rather than toward lower-risk customers and activities.”[13] Mitigation could be viewed, however, as a discrete requirement for compliance programs under the proposed rule, and its inclusion in the regulatory text creates the potential for measures or standards applicable to risk mitigation.

Financial institutions should evaluate customer and transaction risk to identify circumstances where attention and resources dedicated to lower-risk activities can be re-allocated to higher-risk activities. Under the proposed rule, financial institutions retain significant flexibility and discretion in their decisions and determinations related to risk identification and resource allocation. FinCEN rightly notes that this is because financial institutions are best positioned to identify and evaluate their ML/TF risks and to make decisions related to risk identification and resource allocation.

At the same time, financial institutions should exercise a degree of care in resource allocation decisions. The proposed rule provides direction to examiners to assess whether (1) a financial institution’s resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the financial institution knows or should know of resource-related issues involving its internal policies, procedures, and controls that may result in the financial institution failing to implement its AML/CFT program in all material respects and failing to address such issues.

The AML/CFT Priorities continue to play an unclear, evolving role. The proposed rule formalizes the requirement that financial institutions incorporate AML/CFT Priorities into their risk assessments, consistent with Section 6101 of the AML Act.[14]

The AML/CFT Priorities “describe threats at a high level, or at a point in time.”[15] The preamble to the proposed rule notes that a financial institution may use its judgment and apply a reasonable, risk-based approach to determining whether to focus on an identified priority, but at the same time, cautions that “a surface-level, perfunctory review” would not satisfy this requirement. Helpfully, the preamble notes that “a community bank may determine, based on its risk assessment processes, that certain AML/CFT Priorities may not be applicable to its business activities. In such cases, the community bank would not be required to allocate attention or resources to risks for which it has no identified exposure.”[16] The same should be true for other financial institutions as well, depending on their size, customer base, and activities.

In addition, the proposed rule points to FinCEN advisories, alerts, and notices, as well as FinCEN’s Financial Trends Analyses, that the agency uses to highlight threat patterns, trends, red flags, and typologies to help financial institutions refine their risk assessment processes and better identify activity related to the AML/CFT Priorities.

The proposed rule, however, stops short of resolving a central question: whether the AML/CFT Priorities are intended to meaningfully redirect institutional resources or function primarily as a signaling mechanism. In practice, financial institutions will need to balance their own risk profiles against government-wide priorities drawn from a broader set of resources. A potential criticism of the proposed rule is that this lack of clarification may lead to defensive compliance or supervisory second-guessing in the absence of clearer direction regarding priorities to guide an institution’s risk-based decision making.

Auditors will need to evolve in their approach to independent testing. While it continues the BSA’s existing independent audit requirement, the proposed rule would change the tenor of the independent audit for financial institutions in at least two ways. First, the preamble indicates that the independent AML/CFT program testing should be focused on “whether the AML/CFT program is effective” and “should identify issues and areas for remediation accordingly.”[17] Auditors will accordingly need to establish “objective criteria” that assess whether the financial institution “established and maintained an effective AML/CFT program” and “allocated resources consistent with its risk assessment processes.” Second, as with expectations for examiners, the preamble states “that an auditor should [not] substitute his or her own subjective judgment in place of the financial institution.”[18]

Financial institutions will need to consider how to better delineate and document decisions to establish their AML/CFT programs, in contrast to actions to implement their programs. Such a distinction will be relevant for supervisory and enforcement purposes as FinCEN and the federal banking agencies strive to structurally rebalance the examination process in order to reduce examination friction and the technical irrelevance of check-the-box exercises. As the proposed rule notes, minor deficiencies of an AML/CFT program would not necessarily mean that a financial institution has failed to implement the program.

“Establishing” an AML/CFT program involves designing an AML/CFT program that incorporates all the required components, as discussed above.[19] “Implementation,” by contrast, addresses whether the financial institution is executing that program in practice.[20]

Financial institutions will need to be sensitive to feedback loops through which they could become aware of such implementation-related concerns, for example: (1) independent testing of the AML/CFT program; (2) examiner observations, suggestions, or other informal comments about the AML/CFT program from FinCEN or other regulators; (3) management information systems and related reports or other outputs (e.g., key performance indicators or key risk indicators, such as monitoring for potentially material backlogs in relevant AML/CFT processes); and (4) issues identified by personnel involved in the operation of the financial institution’s AML/CFT program. As the proposed rule notes, a bank that fails to reasonably address warnings that its program is not being implemented would risk a significant supervisory action or enforcement action.[21]

The line between program “establishment” and program “implementation” will not be precise and FinCEN is unlikely to clarify these distinctions in the final rule. As such, financial institutions should begin considering how to delineate program elements that may have overlapping considerations.

Banks will need to navigate new supervisory and enforcement incentives based on revised standards for supervisory reviews. The proposed rule seeks to pivot supervisory and enforcement focus away from “isolated, technical, or immaterial implementation issues” and towards addressing “significant or systemic failures” to implement an effective AML/CFT program.

Banks will need to work with FinCEN and supervisors to ensure that the application of the new standards achieves the overall objective of increasing efficiency and effectiveness. First, one stated objective is to avoid “regulatory second-guessing of a financial institution’s reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks.”[22] That flexibility is currently premised on whether the program is “risk-based” and “reasonably designed,” rather than on the supervisory standard of review applicable to whether a financial institution “established” an AML/CFT program. Second, the proposed rule would benefit from examples of types of shortcomings that constitute “significant or systemic failures” by a bank to implement an effective AML/CFT program. Those types of failures are not described in the preamble or rule text, and the proposed rule specifically requests views on this point. Third, the line between “establishment” and “implementation” may be difficult to operationalize and thus create examination friction. Additional examples of the difference may be helpful to guidance compliance teams. Lastly, financial institutions will be examined for their implementation of the established AML/CFT program “in all material respects.” It is likely that this “materiality” standard is tied to program effectiveness, but it is unclear how it will be operationalized.

With respect to banks, the proposed rule would provide FinCEN with a new and greater role in the supervisory process. In making this change, the proposed rule recognizes the importance of supervisory calibration and the standardization of the AML/CFT supervision across the federal banking agencies. Financial institutions are unlikely to meaningfully reallocate resources to higher-risk activities and focus on effective reporting unless FinCEN and examiners consistently support those decisions in practice.

The new supervisory process has three parts: (1) notice to FinCEN regarding any significant AML/CFT supervisory action; (2) sharing of “relevant AML/CFT information” underlying the proposed action, which may include the relevant portions of the draft report enforcement action, the relevant examination workpapers supporting the proposed action, and the relevant AML/CFT information submitted by the bank; and (3) consideration of input from FinCEN. Banks do not appear to have the opportunity to engage directly with FinCEN on proposed actions.

The impact of FinCEN’s envisioned role largely depends on the framework implemented by FinCEN and the supervisory agencies; the degree of standardization that FinCEN is able to achieve across institutions depending on size, customer base, and business activities; the inputs into FinCEN’s evaluation, including outreach to law enforcement, analysis of SAR reporting, and additional factors; and importantly, FinCEN’s allocation of resources and expertise to the engagement.

Program effectiveness may become a new, additional consideration for supervisory and enforcement purposes. Financial institutions should consider how best to document demonstrable outputs evincing the effectiveness of the bank’s AML/CFT program. Under the proposed rule, participation in public-private partnerships and information-sharing mechanisms (such as 314(a), 314(b), and the FinCEN Exchange Program), and the adoption of innovative approaches could provide “extra credit” for institutions subject to potential supervisory or enforcement action.

The introduction of “effectiveness” as a supervisory consideration is directionally important but remains underdeveloped. The proposed rule points to outputs such as useful reporting, information-sharing mechanisms, and the adoption of innovative approaches and technologies, yet it does not establish a clear framework for measuring or benchmarking effectiveness across institutions. Without greater specificity, effectiveness risks becoming an ex post justification for supervisory conclusions rather than an objective standard.

Financial institutions should seek to use innovative technologies and data, with appropriate guardrails.[23] The proposed rule confirms that innovative technologies can strengthen AML/CFT programs and “strongly encourages” their “responsible use.” In particular, institutions should consider whether new technology or innovative approaches—such as machine learning, GenAI, digital identity, blockchain monitoring and analytics, or APIs—might help the institution to more effectively combat financial crime.

For banks, FinCEN may credit for supervisory or enforcement purposes the use of innovative technologies that produce demonstrable outputs evincing the effectiveness of the bank’s AML/CFT program. No parallel provision is in place for other financial institutions such as money services businesses or in the FDIC/OCC/NCUA proposed rule as a proactive element of bank supervision. As an incentive for the adoption of innovative technologies, however, the preamble to both the FinCEN proposed rule, as well as the FDIC/OCC/NCUA proposed rule, notes that institutions that responsibly experiment with innovative technologies in their AML/CFT programs will not incur any additional risk of being subject to a significant supervisory AML/CFT action or AML/CFT enforcement action solely based on the use of innovative technologies.

While encouraging institutions to engage in responsible AML/CFT innovation, the proposed rule would not obligate them to adopt new technologies and recognizes that adopting new technologies for BSA compliance may not be suitable for every financial institution, particularly smaller ones.

Potential Challenges of the Proposed Rule Additional resources needed to support FinCEN’s stated objectives for standardized approach to effectiveness and risk-based supervision. Increasing adoption of “responsible innovation” requires specificity and sandboxes to define principles and standards. New, undefined terms and supervisory standards have potential to perpetuate subjective outcomes, continuing examination friction. Regulatory text may benefit from revisions incorporating helpful clarifications in preambular paragraphs.

FinCEN’s positive approach can spur the adoption of innovative technologies, particularly given the potential to enhance efficiencies and reduce compliance costs, but the proposed rule fails to describe what “responsible innovation” means in practice. Absent clearer guardrails for “responsible innovation”—particularly around model risk management, explainability, and accountability—institutions may continue to remain cautious in adopting advanced technologies at scale.

The proposed rule reorients expectations, shifting compliance attention and resources toward higher‑risk activities and placing greater weight on risk‑based judgment, prioritization, and demonstrable effectiveness. As financial institutions review their existing AML programs against the proposed requirements, K2 Integrity can support institutions by:

• Conducting AML/CFT risk and gap assessments to evaluate alignment with the proposed rule
• Designing and enhancing risk-based policies, procedures, and controls
• Advising on resource allocation and program effectiveness
• Advising on the adoption of innovative technologies and information-sharing mechanisms
• Providing targeted training for boards, senior management, and compliance teams

Financial institutions should also take advantage of the comment period to provide targeted input to FinCEN. Substantive, well-defined recommendations, particularly on unclear or undefined elements of the rule, will help improve regulatory clarity, increase program efficiency, and enhance the overall effectiveness of the AML/CFT framework. Thoughtful engagement will also increase the likelihood that FinCEN meaningfully incorporates stakeholder feedback.

 

---

[1] FinCEN, “Notice of Proposed Rulemaking on AML/CFT Programs,” 89 FR 55428 (7 April 2026).

[2] The proposed rules apply to banks, casinos and card clubs, money services businesses, brokers and dealers in securities, mutual funds, insurance companies, futures commission merchants and introducing brokers in commodities, dealers in precious metals, precious stones, or jewels, and other financial institutions subject to AML/CFT program requirements.

[3] OCC, FDIC, NCUA Notice of Proposed Rulemaking: AML/CFT Program Requirements, 2026-06948.pdf (7 April 2026).

[4] U.S. Department of the Treasury, Press Release, “Treasury Secretary Scott Bessent Remarks before the American Bankers Association” (9 April 2025), https://home.treasury.gov/news/press-releases/sb0078.

[5] Public Law 116-283 (1 January 2021), https://www.congress.gov/bill/116th-congress/house-bill/6395/text.

[6] FinCEN, “Anti-Money Laundering Program Effectiveness,” 85 FR 58023 (17 September 2020).

[7] FinCEN, “Anti-Money Laundering and Countering the Financing of Terrorism Programs,” 89 FR 55428 (3 July 2024).

[8] FinCEN, “Notice of Proposed Rulemaking on AML/CFT Programs.”

[9] https://www.federalregister.gov/d/2026-07033/p-257.

[10] https://www.federalregister.gov/d/2026-07033/p-118.

[11] https://www.federalregister.gov/d/2026-07033/p-150.

[12] 31 CFR 1010.210(a)(2)(i).

[13] https://www.federalregister.gov/d/2026-07033/p-192.

[14] 31 U.S.C. § 5318(h)(4).

[15] https://www.federalregister.gov/d/2026-07033/p-183.

[16] https://www.federalregister.gov/d/2026-07033/p-202.

[17] https://www.federalregister.gov/d/2026-07033/p-203.

[18] https://www.federalregister.gov/d/2026-07033/p-196.

[19] https://www.federalregister.gov/d/2026-07033/p-146.

[20] Id.

[21] https://www.federalregister.gov/d/2026-07033/p-153.

[22] https://www.federalregister.gov/d/2026-07033/p-196.

[23] https://www.federalregister.gov/d/2026-07033/p-138.