The comment window closes on June 9, 2026 — and with it, the industry’s best chance to shape the most consequential rewrite of U.S. anti-money laundering program rules in a generation. On April 7, FinCEN issued a proposed rule that would fundamentally reform the AML/CFT program requirements sitting at the heart of every Bank Secrecy Act obligation. For FinTechs, money services businesses, crypto platforms, and gaming operators, this is not a technical footnote. It changes the question examiners will ask from “Did you check the boxes?” to “Did your program actually work?”
Here is what is changing, why it matters, and how to position your program before the standard takes hold.
From Boxes to Outcomes: The Two-Prong Standard
For decades, the BSA’s “four pillars” (and later five, with customer due diligence) defined a compliant program largely by its components. The proposed rule shifts the test. AML/CFT programs would now be required to be effective, risk-based, and reasonably designed. In practice, this is a two-prong framework: a program must be reasonably designed to ensure compliance with the BSA through a risk-based set of internal policies, procedures, and controls — and it must be effective, meaning it actually identifies, manages, and mitigates illicit-finance risk and produces information useful to law enforcement and national security.
The distinction is more than semantics. A program can be fully “designed” — polished policies, a named BSA officer, a training calendar — and still fail the effectiveness test if alerts go uninvestigated, risk ratings are stale, or suspicious activity slips through. Examiners will increasingly look past documentation to outcomes.
The Mandatory, Documented Risk Assessment
The centerpiece of the proposal is an explicit requirement to establish, document, and maintain a risk assessment process. This codifies what strong programs already do — but it raises the floor for everyone. Under the rule, your risk assessment would need to:
- Evaluate the risks arising from your products, services, distribution channels, customers, and geographic footprint;
- Review and incorporate FinCEN’s AML/CFT National Priorities into your risk profile, rather than treating them as a separate compliance exercise;
- Update the assessment promptly when you know, or have reason to know, that your risk profile has materially changed — a new product line, a new corridor, a new customer segment.
For high-growth businesses, that third point is the sleeper issue. Risk profiles in FinTech, crypto, and sweepstakes/social gaming shift quarterly, not annually. A once-a-year PDF risk assessment will no longer be defensible if the business it describes no longer exists.
National Priorities Become Operational, Not Optional
FinCEN published its first AML/CFT National Priorities in 2021, but firms would not be formally required to act on them until corresponding program rules were finalized. The proposed rule closes that loop. The Priorities — spanning corruption, cybercrime and ransomware, fraud, terrorist financing, drug and human trafficking, proliferation financing, and transnational criminal organizations — would now flow directly into your risk assessment and, from there, into your controls and monitoring scenarios. Saying “we reviewed the Priorities” will not be enough; you will need to show how they shaped what you actually monitor and report.
What This Means for FinTech, MSB, Crypto, and Gaming
The reform is principles-based by design, which cuts both ways. It gives smaller and mid-sized firms welcome room to right-size controls to genuine risk rather than over-engineering for a checklist. But “risk-based” is only a gift if you can evidence the reasoning behind every calibration decision.
- MSBs and money transmitters: a documented, current risk assessment is now table stakes for bank-partner and sponsor-bank due diligence. Expect partners to ask for it directly.
- Crypto and VASPs: the effectiveness standard meets fast-moving typologies — mixers, cross-chain laundering, and sanctions evasion — head-on. Static rules will not satisfy it.
- Sweepstakes and social gaming operators: geolocation and onboarding controls must connect back to a written risk rationale, not just vendor certifications.
- Scaling FinTechs: the new standard formalizes the expectation that scaling a product without scaling compliance is itself a finding waiting to happen.
FinCheck’s Perspective & The Way Forward
We see this reform as a long-overdue move toward what effective compliance professionals have always argued for: programs measured by results, not paperwork. But the transition will expose firms that have leaned on template policies and annual rituals. The work to get ready is not exotic — it is disciplined.
- Refresh your enterprise risk assessment now and tie every control back to a specific, documented risk. If a control has no risk behind it, ask why you have it.
- Map FinCEN’s National Priorities to your monitoring scenarios explicitly, line by line, so the linkage is auditable.
- Build a trigger-based update process so material changes — not the calendar — drive reassessment.
- Stress-test for effectiveness: sample your alerts, your SAR decisions, and your case backlog the way an examiner will.
- Consider submitting a comment before June 9 — the principles-based approach is still being shaped, and the industry’s voice matters most right now.
Whether this rule is finalized as written or refined, the direction of travel is clear. Regulators want programs that work. The firms that start evidencing effectiveness today will treat the final rule as a formality rather than a fire drill.
Is your AML program built to pass an effectiveness test? FinCheck LLC helps FinTechs, MSBs, crypto platforms, and gaming operators build risk assessments, policies, and monitoring frameworks that stand up to the new standard — from independent AML audits and BSA/AML risk assessments to fractional Chief Compliance Officer support. With 25+ years of compliance experience and 100+ clients served globally, we turn regulatory change into operational readiness.