On 7 April 2026, United States financial regulators took a step that compliance professionals have been anticipating — and debating — for years. FinCEN, together with the FDIC, OCC, and NCUA, issued a joint Notice of Proposed Rulemaking (NPRM) that seeks to fundamentally reform how financial institutions design, implement, and maintain their anti-money laundering and countering the financing of terrorism (AML/CFT) programmes under the Bank Secrecy Act. If the language from FinCEN itself is any indication — the agency described this as a proposal to “fundamentally reform” AML programmes — the industry should take notice.
From Checkbox Compliance to Risk-Based Effectiveness
For decades, the AML compliance framework in the United States has been criticised for incentivising a checkbox approach. Institutions have invested billions in compliance infrastructure, yet the regime has too often rewarded the volume of controls rather than the quality of outcomes. Suspicious Activity Reports (SARs) have proliferated, transaction monitoring systems have generated overwhelming false positives, and examiners have at times substituted their own judgement for that of the institution’s compliance team.
The proposed rule directly addresses this paradigm. At its core, it requires that AML/CFT programmes be “effective, risk-based, and reasonably designed” — language that signals a meaningful shift from procedural compliance to outcome-oriented risk management. Financial institutions would be expected to direct more attention and resources toward higher-risk customers, products, and activities, while proportionally reducing effort on lower-risk areas. The proposal reinforces that banks are “best positioned to identify and evaluate their illicit finance risks,” a statement that carries significant weight coming from the regulators themselves.
This is not merely aspirational language. The proposed rule would embed this risk-based standard into the regulatory text, making it the benchmark against which compliance programmes are assessed during examinations.Government-Wide AML/CFT Priorities Take Centre Stage
One of the most consequential elements of the NPRM is the requirement for financial institutions to review and incorporate FinCEN’s government-wide AML/CFT priorities into their risk-based programmes. These priorities — first published by FinCEN in June 2021 and updated periodically — identify the most significant illicit finance threats facing the United States, including corruption, cybercrime, terrorist financing, fraud, transnational criminal organisation activity, drug trafficking, human trafficking, and proliferation financing.
Under the proposed rule, institutions would need to demonstrate that their programmes are calibrated to address these priorities as they relate to the institution’s specific risk profile. This creates a direct connection between national security objectives and institutional compliance activity — a linkage that has existed conceptually but has never been codified into regulatory requirements with this degree of specificity.
For compliance teams, this means that risk assessments must evolve. Static, annual risk assessments that merely catalogue products and geographies will no longer suffice. Institutions will need dynamic frameworks that can absorb and operationalise evolving government priorities in near real time.
FinCEN’s New Supervisory Role: A Structural Shift
Perhaps the most structurally significant change in the proposal is the creation of a formal notice and consultation framework between the federal banking agencies and FinCEN. For the first time, federal banking regulators would be required to consult with FinCEN before initiating certain AML/CFT enforcement or significant supervisory actions against banks.
This is a notable elevation of FinCEN’s role in the supervisory architecture. Historically, FinCEN has administered the BSA framework while the prudential regulators — the OCC, FDIC, and NCUA — have conducted the actual examinations and brought enforcement actions. The proposed rule creates a mechanism for FinCEN’s Director to review and provide input on significant actions before they are initiated, ensuring greater consistency and coordination across the regulatory landscape.
The practical implication is significant: institutions may benefit from a more unified and predictable enforcement posture. At the same time, FinCEN’s enhanced oversight role means that the agency’s interpretive guidance, advisories, and priorities will carry even more weight in determining how compliance programmes are evaluated.A Higher Threshold for Enforcement — But Not a Free Pass
The proposed rule clarifies that only “significant or systemic failures” in implementing a properly established AML/CFT programme would warrant an enforcement action or significant supervisory action. This is a meaningful calibration. It suggests that isolated deficiencies or technical shortcomings, without evidence of broader programme failure, should not trigger the most severe regulatory consequences.
However, institutions should not interpret this as a relaxation of standards. The threshold applies to programme failures — meaning that institutions must first establish a properly designed, risk-based programme. Failure to do so, or a pattern of neglect that rises to the level of systemic deficiency, would remain firmly within scope for enforcement. The message is nuanced: regulators want quality, not quantity, but they expect the quality to be genuine.
Impact on FinTech, Crypto, Gaming, and MSBs
While the proposed rule directly targets federally supervised banks and credit unions, its ripple effects will be felt across the broader financial services ecosystem. FinTech companies, crypto exchanges, gaming platforms, and Money Service Businesses (MSBs) that partner with or rely on banking relationships should pay close attention.
The explicit endorsement of a risk-based approach could have positive implications for institutions that have struggled with de-risking — the practice of banks terminating relationships with entire categories of customers deemed too risky, regardless of the specific risk profile of the individual client. If regulators genuinely embrace risk-based differentiation, banks may have more confidence in maintaining relationships with well-managed FinTech firms, licensed MSBs, and compliant crypto businesses.
Additionally, FinCEN’s encouragement for institutions to “modernise” and “responsibly innovate” their AML/CFT programmes signals regulatory openness to technology-driven compliance solutions. This is welcome news for the RegTech sector and for compliance teams looking to deploy artificial intelligence, machine learning, and advanced analytics to improve the effectiveness of transaction monitoring and customer due diligence.
For the crypto and digital assets sector specifically, the passage of the GENIUS Act in July 2025 — which brought payment stablecoins under the BSA — has already expanded the compliance perimeter. This proposed rule, with its emphasis on risk-based programme design, provides a framework that could help stablecoin issuers and crypto-native businesses build programmes that are both effective and proportionate.What Should Your Organisation Do Now?
The comment period for this proposed rule is 60 days from publication in the Federal Register. Regardless of whether your organisation intends to submit formal comments, the following steps are prudent.
First, conduct a gap analysis of your existing AML/CFT programme against the proposed rule’s requirements. Assess whether your programme is genuinely risk-based or whether it has drifted toward a compliance-by-volume approach. Second, review how your risk assessment methodology incorporates FinCEN’s government-wide AML/CFT priorities. If the answer is “it does not,” that is a gap that will need to be addressed. Third, evaluate your compliance officer structure. The proposed rule reaffirms that a bank’s designated AML/CFT compliance officer must be located in the United States and accessible to regulators — a requirement that may have implications for institutions with offshore compliance functions.
Finally, consider whether your compliance technology stack is positioned to support a more dynamic, risk-based approach. Legacy systems that rely on rigid, rules-based transaction monitoring may struggle to deliver the kind of risk-prioritised outcomes that regulators are now explicitly demanding.
At FinCheck, we view this proposed rule as a long-overdue recalibration of the AML/CFT regulatory framework. Our team works with FinTech, crypto, gaming, and MSB clients to build compliance programmes that are not just compliant on paper but effective in practice — precisely the standard that regulators are now codifying. For guidance on assessing your programme against these proposed requirements, reach out to FinCheck LLC.
