Everything you need to know about FinCEN's 2026 proposed rule

On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) to reform the US AML/CFT framework. This proposal aims to reinforce compliance programs by making them more efficient, faster, and agile.

For compliance teams in the US, this marks a turning point, changing how day-to-day resource allocation and interactions with regulators and auditors work. In this article, we combed through the FinCEN’s proposed rule and highlighted its core components to help financial institutions (FIs) prepare for the new era of compliance.

FinCEN’s 2026 proposed rule in a nutshell

What is the most significant change in this new rule?

The proposal suggests replacing a process-based standard with an effectiveness-based standard. Before, for an FI to have basic anti-money laundering (AML) required components was enough. Moving forward, the regulator will evaluate whether the FI’s program is actually effective at detecting financial crime activity and reporting useful information to law enforcement.

“The proposal would also reflect FinCEN’s key role, in accordance with its statutory authority as the administrator of the BSA, in ensuring a consistent and holistic approach to enforcement and supervision of banks’ AML/CFT programs that focuses on program effectiveness rather than mere technical compliance. The Agencies have a long history of coordination with FinCEN in exercising its delegated supervisory authority, and FinCEN views this proposed rule as a way to further strengthen that relationship to promote more consistent supervision.” 

Why is FinCEN making this change now?

This reform aligns with the implementation of the Anti-Money Laundering Act of 2020 (AML Act), a joint effort by FinCEN and the Treasury Department to modernize the Bank Secrecy Act (BSA) regime, which had not undergone a radical reform in decades. The idea is for regulators to move away from a zero-tolerance focus on process and documentation toward a stronger system that empowers FIs to focus on everything else in the business.

What does an effective AML/CFT program look like under this new rule?

Implementing an effective AML/CFT program under the FinCEN’s new rule should be:

• Properly established: An FI should design a compliance program tailored to its unique money laundering and terrorist financing (ML/TF) risk profile. It should test the program independently, designate a US-based compliance officer, and provide ongoing training.
• Maintained: An institution needs to integrate its intelligently designed program into all materials and daily operations.

By doing so, the institution benefits from a crucial buffer, during which it can evaluate whether an isolated mistake won’t trigger a major enforcement action, which shouldn’t happen with a solid program foundation. 

About risk assessment and resource allocation

How does this change our approach to risk assessments?

Under FinCEN’s new rule, institutions need to conduct the required risk assessments as part of their internal compliance programs. 

An FI should:

• Maintain mandatory documentation: Identify, assess, and document the specific ML/TF risks inherent to its business.
• Update documents in real time: FIs are required to update their risk assessment processes whenever they become aware of – or anticipate – a change that could significantly alter their risk profile, such as launching new products, entering new markets, or integrating new technology.
• Incorporate national priorities: FIs should regularly review FinCEN’s list of national priorities (e.g., fraud or sanctions evasion). Although it’s flexible to decide that a priority isn’t a risk or relevant to their business, FIs should always document the reason for making that decision. 

Is this rule cost-effective against low-risk areas?

Yes, the proposed rule requires a compliance program to focus “more attention and resources [on] higher-risk customers and activities… rather than toward lower-risk customers and activities.” This approach aims to de-prioritize low-risk areas so FIs can focus budget and resources on other essential areas.

Should an entire AML/CFT team be based in the US?

No. While only one designated individual responsible for the program (the AML/CFT Officer) should be based in the US and remain available to regulators, other AML/CFT team members can work outside the US. However, sharing suspicious activity reports (SARs) with staff located abroad remains strictly prohibited, except under certain limited circumstances.

What are the new requirements for board or senior management approval?

The proposal lightens the approval process, requiring every FI’s written AML/CFT program to be approved by one of the following:

• The board of directors.
• An equivalent governing body (e.g., a sole proprietor or board committee).
• Appropriate senior management.

This makes the AML/CFT approval process much more flexible. For money service businesses (MSBs) and casinos that had no specific approval process in place, this is now an obligation.

About enforcement and regulator audits

What’s the difference between an establishment and an implementation failure?

• An establishment failure is a flaw in the program’s design: When an institution launches a new high-risk product but fails to update its risk assessment or define any monitoring controls for that product, the program itself is deficient.
• An implementation failure is a flaw in the program’s execution: When an institution has a well-designed alert review process in place, but an analyst misses a single alert due to human error, that is an isolated implementation issue.

Under the new FinCEN rule proposal, the establishment failure is a much more serious offense. In other words, a bank with a properly established program would not face an enforcement action for an isolated implementation failure.

What qualifies as a significant failure that could trigger enforcement?

While the proposed rule does not provide a legally binding definition, it indicates that a significant failure would involve more than just minor issues. Some instances could be as follows, but not limited to:

• Consistently failing to perform required controls.
• Ignoring clear warnings or red flags that a core part of the program is seriously deficient.
• Using monitoring systems that fail to detect entire categories of high-risk transactions.
• Failing to address known resource gaps that materially impact the program.

What does the new rule change in interactions with regulators?

There are two significant changes designed to make the supervisory experience more consistent, predictable, and focused on what truly matters:

• Documented decisions will carry more weight: This way, examiners and auditors cannot second-guess an institution’s risk-based decisions simply because they “would have approached it differently”. In practice, this means that if an FI’s risk assessment and resource allocation are well documented and reasonable, its decisions carry more weight while its teams operate with greater confidence.
• Regulators will be more consistent: To reduce the common “it depends on the examiner’s problem” issue, federal regulators will consult with FinCEN for 30 days before taking any significant supervisory action, promoting a more uniform approach to regulation across the industry.

About using AI-powered compliance programs

Is using AI-driven systems encouraged by FinCEN?

Yes. Designed as an incentive for FIs to innovate responsibly, the proposed rule emphasizes that those trialing new technologies will receive the same level of attention as those that aren’t. The use of AI isn’t mandatory, but FinCEN strongly encourages innovative systems, especially if they make an FI’s compliance program more effective. 

Without AI, will FI’s programs be considered deficient?

No. The rule does not require the use of AI nor any specific technology. As long as it’s properly adapted, a low-risk institution can still deliver a highly effective program without AI embedded in its systems. However, for larger or more complex institutions, leveraging more advanced technology such as AI may be the most practical way to manage compliance efficiently.

What’s next?

Although the rule isn’t set in stone yet, right now, your compliance teams should start going through these steps:

• Pressure-test your risk assessment: 
  • Does it truly drive your day-to-day compliance decisions? 
  • If an auditor asked you to show how your risk assessment determined your transaction monitoring rule set, could you?

• Start measuring what matters: 
  • What is your productive SAR rate? 
  • What is your alert-to-SAR conversion ratio for high-risk categories? 
  • How long does it take to close an investigation? 

• Re-evaluate your compliance roadmap: Review the tools that can improve detection, automate manual tasks, and deliver the analytics you need.

Key timeline and deadlines

• April 10, 2026: The proposed rule was published in the Federal Register, which officially started the public comment period.
• June 9, 2026: This is the final deadline for the public to submit comments on the proposed rule.
• 12 months post-final rule: FinCEN has proposed that the new rule will become effective 12 months after the final version is published, giving institutions a 1-year implementation period.

Leveraging the use of AI as incentivized by FinCEN with ComplyAdvantage Mesh

Meeting the new effectiveness-based standard requires a new generation of compliance technology. ComplyAdvantage Mesh can help you address the core requirements in three ways:

• Unifying a view of risk: Integrating solutions for Customer Screening, Ongoing Monitoring, Payment Screening, and Transaction Monitoring into a single, cohesive environment to break down data and operational silos. 
• Connecting data to find the risk that matters: Our architecture connects disparate data points to model real-world financial crime – such as layered ownership or undeclared relationships – so you can focus on the genuine threats regulators now prioritize.
• Augmenting your team with agentic AI: To deliver the demonstrable outputs the rule incentivizes, our agentic AI automates high-volume, low-risk alert reviews, freeing your expert analysts for the most complex cases and providing the clear, outcome-based metrics needed to prove your program’s effectiveness.