On April 7, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) that could represent the most significant structural overhaul of American AML/CFT program requirements in a generation. For compliance officers, MLROs, MSBs, fintechs, and payment institutions operating under the Bank Secrecy Act, the proposed rule demands immediate attention — not because enforcement is imminent, but because the underlying philosophy of what constitutes a compliant AML/CFT program is being fundamentally rewritten.
What Is the FinCEN AML/CFT Program NPRM?
The proposed rule — formally titled the AML/CFT Program Rule NPRM and assigned Docket Number FINCEN-2026-0034, RIN 1506-AB72 — was published by FinCEN on April 7, 2026. It fully supersedes and withdraws a prior proposed rule that FinCEN had published on July 3, 2024, signalling a materially different direction from that earlier draft.
The NPRM was prepared in consultation with four Federal banking agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC). Each of those supervisors will issue their own proposed AML/CFT program rules, applicable to the institutions they supervise, in substantive alignment with FinCEN’s NPRM.
At its core, the proposed rule implements statutory changes introduced by the Anti-Money Laundering Act of 2020 (AML Act) and represents Treasury’s broader ambition to modernise the US AML/CFT regulatory and supervisory framework. Treasury Secretary Scott Bessent publicly criticised the existing approach as one that rewards paperwork volume over genuine impact on illicit finance — and the proposed rule is the legislative and regulatory vehicle for changing that.
For any financial institution trying to build or maintain a sound AML compliance programme, this is not an academic exercise. It will reshape how programmes are designed, how auditors conduct independent testing, and critically, how regulators evaluate whether a programme is effective versus merely technically compliant.
Why This Rule Matters: The Shift from Compliance Volume to Programme Effectiveness
The dominant critique embedded throughout FinCEN’s NPRM is that the existing AML/CFT framework has, over decades, produced a culture of compliance-as-paperwork. Institutions have poured resources into generating high volumes of suspicious activity reports, conducting blanket due diligence regardless of risk differentiation, and documenting controls to satisfy examiner checklists — all without necessarily generating the high-quality, actionable intelligence that law enforcement and national security agencies actually need.
The AML Act of 2020 gave FinCEN the statutory mandate to change this. Among the factors Congress required FinCEN to consider when prescribing minimum programme standards are:
- That financial institutions are spending private compliance funds for both public and private benefit — meaning resources should be deployed efficiently, not exhaustively
- That the AML Act has a policy goal of extending financial services to the underbanked while preventing criminal abuse of the financial system — recognising that over-compliance can produce financial exclusion
- That effective AML/CFT programmes safeguard national security and generate significant public benefits, and must be reasonably designed to ensure BSA compliance
- That programmes must be risk-based, directing more attention and resources toward higher-risk customers and activities rather than lower-risk ones
These statutory factors have directly shaped the structure and tone of the proposed rule. The shift is away from “check-the-box” compliance and toward outcomes that actually serve the purposes of the BSA: identifying, preventing, and reporting financial crime in ways that matter. Compliance officers who have spent years justifying programme expenditure on the basis of transaction monitoring volume will need to reframe that calculus entirely.
For practitioners who want to understand how this fits within the broader evolution of global AML regulations and frameworks, the US NPRM reflects trends already visible in FATF’s effectiveness methodology, the UK’s risk-based approach under the Money Laundering Regulations, and MiCA’s proportionality principles in the EU — a convergence toward quality over quantity.
PRO TIP
Start documenting your AML/CFT programme’s outcomes now — not just its controls. When the final rule takes effect, FinCEN and examiners will be evaluating whether your programme is producing useful intelligence, not just whether it has a policy binder. MLROs who can demonstrate impact through SAR quality, risk-tiered resource allocation, and training effectiveness will be far better positioned than those who rely on volume metrics alone.
The Establishment vs. Maintenance Framework Explained
Perhaps the single most consequential structural innovation in the NPRM is the distinction FinCEN draws between establishing an AML/CFT programme and maintaining one. This two-prong framework is intended to bring clarity to supervisory expectations and — critically — to prevent examiners from conflating criticisms of programme design with criticisms of day-to-day operational failures.
| Dimension | Establishment | Maintenance |
|---|---|---|
| What it means | Designing a risk-based AML/CFT framework | Implementing the programme in all material respects in practice |
| Focus | Programme architecture and structure | Day-to-day execution and operation |
| Key question | Is the programme well-designed for the institution’s risk profile? | Is the programme being run as designed? |
| Enforcement implication | FinCEN generally will not take enforcement action if properly established | FinCEN will act only for significant or systemic failure to maintain |
| Supervisory implication | Design deficiencies and operational failures treated separately | Criticism of execution will not be conflated with design criticism |
Establishing a programme requires a financial institution to design a risk-based AML/CFT framework incorporating the four core required pillars (detailed below), and to keep the programme current as the institution’s risk profile evolves. Critically, establishment is not a one-time event — if the institution’s business model, products, customer base, or geographic footprint changes materially, the programme design must be updated to reflect those changes.
Maintaining a programme requires the institution to actually implement its programme in practice — to execute what is written, not simply to have a well-drafted policy document sitting in a shared drive. This distinction directly addresses one of the most persistent pathologies in BSA compliance: institutions that have sophisticated written programmes but whose operational reality bears little resemblance to the documented framework.
The enforcement implications of this two-prong framework are significant. Under the proposed rule, FinCEN’s general posture would be that if a bank has properly established its AML/CFT programme, FinCEN would not take an enforcement action — and other agencies acting under delegated authority could only bring a significant supervisory action for the most serious deficiencies in programme maintenance. This represents a meaningful recalibration away from penalties for technical or design imperfections, and toward accountability for genuine operational failures.
The Four Core Pillars Under the Proposed Rule
The proposed rule retains the four foundational programme pillars that have long anchored BSA compliance. However, it introduces important clarifications, modernisations, and — in some cases — new requirements within each pillar.
Pillar 1: Internal Policies, Procedures, and Controls
This pillar has always been the structural backbone of an AML/CFT programme, but the proposed rule significantly expands its scope and specificity in three ways.
First, a financial institution’s internal policies, procedures, and controls must now be reasonably designed to identify, assess, and document ML/TF risks through formal risk assessment processes. This is a material elevation — risk assessment moves from a common practice to a required programme component.
Second, the institution must mitigate ML/TF risks consistent with its risk assessment processes, specifically by allocating more attention and resources toward higher-risk customers and activities rather than lower-risk ones. This is the operational expression of the risk-based approach the AML Act mandates.
Third, the proposed rule places the ongoing CDD obligation under this pillar. Organisationally, this is a clarifying change — FinCEN’s view is that ongoing CDD is properly understood as part of a firm’s internal controls, not as a separate programme element. The substantive content of ongoing CDD obligations is unchanged; this is a structural reclassification, not a new requirement.
Pillar 2: Independent Testing
Independent testing — the AML audit function — undergoes significant clarification under the proposed rule. The core requirement is retained: financial institutions must have an independent audit function to test their AML/CFT programmes. But the NPRM introduces critical language about what that testing must and must not do.
Independent testing must:
- Be based on objective criteria designed to assess whether the institution has effectively established, implemented, and resourced its AML/CFT programme consistent with its risk assessment processes
- Assess compliance with BSA requirements
- Focus on programme effectiveness — not merely process adherence
- Be conducted by individuals or parties who are truly independent of the AML/CFT function
- Avoid conflicts of interest
Most significantly, the proposed rule explicitly states that auditors must not substitute their own subjective judgment for the financial institution’s risk-based and reasonably designed AML/CFT programme. This is a pointed message to both internal and external auditors who have historically second-guessed institution-specific risk decisions that were, by all objective measures, reasonable and well-documented.
For MSBs navigating BSA/AML independent testing requirements, this clarification provides meaningful protection against examiner overreach — but it also places the burden squarely on institutions to document, clearly and persuasively, why their risk-based decisions are reasonable. The distinction between an AML audit and an AML review will become increasingly important as institutions determine what type of independent testing best suits their risk profile and regulatory obligations.
Pillar 3: US-Based AML/CFT Compliance Officer
The existing programme rules contain variations in how the compliance officer requirement is described across different institution types. The proposed rule harmonises this by introducing consistent language: financial institutions must designate a person responsible for establishing, implementing, and overseeing day-to-day compliance with BSA requirements — designated the “AML/CFT Officer.”
Consistent with the AML Act, the proposed rule requires that the AML/CFT Officer must be located in the United States and accessible to FinCEN and the appropriate Federal regulators. This is a non-negotiable jurisdictional requirement — not a preference, but a hard rule.
Importantly, the proposed rule does not prohibit personnel located outside the United States from performing certain AML/CFT functions. The requirement is that the designated officer — the person with programme ownership and accountability — must be US-based. Firms with globally distributed compliance teams can continue to leverage international expertise, provided the programme leadership and FinCEN-facing accountability sits with a US-based individual.
This requirement will have significant practical implications for fintech firms and VASPs that operate with lean, globally distributed teams and have historically relied on overseas compliance leadership. It also reinforces the value of fractional MLRO and AML Officer services that can provide US-based programme leadership without requiring a full-time senior hire — a consideration worth exploring for smaller institutions where a dedicated US-based officer may not be economically viable from day one.
Pillar 4: Ongoing Employee Training Programme
The proposed rule standardises the training requirement across all programme rules by uniformly adopting the BSA’s statutory language — “ongoing employee training programme” — replacing the varied formulations that currently exist across different institution types. This is a clarifying change rather than a substantive expansion.
FinCEN’s expectation is that training should reflect the institution’s internal controls, risk assessment results, and current regulatory requirements, with frequency and content tailored to the institution’s risk profile and the specific roles of the personnel being trained. The risk-based approach gives institutions meaningful flexibility in determining which employees — and in some cases, non-employees — require ongoing training, and at what frequency.
For MSBs and fintechs building or overhauling their AML training programmes, the message is clear: generic, one-size-fits-all annual training modules are unlikely to satisfy an examiner who is evaluating programme effectiveness. Training must be demonstrably tied to the institution’s actual risk environment.
Risk Assessment Processes: Now a Formal Programme Requirement
One of the most practically significant changes in the NPRM is the formalisation of risk assessment processes as a required component of the internal policies, procedures, and controls pillar. While most sophisticated financial institutions have maintained some form of AML/CFT risk assessment for years, current programme rules do not require them in a uniform manner across institution types.
Under the proposed rule, risk assessment processes must:
- Evaluate ML/TF risks across the institution’s full business footprint — products, services, distribution channels, customers, and geographic locations
- Review and, where appropriate, incorporate the AML/CFT Priorities established by FinCEN (more on this below)
- Be updated promptly upon any change that the institution knows or has reason to know significantly alters its ML/TF risk profile
The third requirement is particularly important for fintech firms operating in fast-moving product and market environments. A new product launch, entry into a new geographic market, onboarding of a new distribution channel, or a material shift in customer demographics can all trigger an obligation to update the risk assessment. Firms that treat risk assessment as an annual compliance exercise — rather than a dynamic, responsive process — will be exposed under this framework.
To help institutions benchmark their current risk exposure, ComplyFactor’s AML risk assessment calculator provides a structured starting point for identifying gaps before a formal programme review. For institutions that need to build a complete risk-based framework from scratch, the complete AML programme blueprint covers the design, build, and implementation stages in detail.
COMMON MISTAKE
Treating the AML/CFT risk assessment as a static annual document rather than a living instrument is one of the most common programme failures FinCEN examiners encounter. Under the proposed rule, an institution that launches a new product line, enters a high-risk jurisdiction, or onboards a materially different customer segment must update its risk assessment promptly — not at the next scheduled review cycle. Build this trigger into your change management process now.
The US-Based AML/CFT Officer Requirement
The requirement that the designated AML/CFT Officer be located in the United States warrants further attention given its operational implications. The proposed rule is explicit: the officer must be both US-based and accessible to FinCEN and the appropriate Federal regulators. This is not merely a preference for domestic leadership — it is a programme design requirement.
That said, the proposed rule preserves an important carve-out: personnel located outside the United States may still perform certain AML/CFT functions. The constraint applies specifically to the designated officer, not to the broader compliance function. Firms with global compliance operations can continue to leverage overseas expertise for transaction monitoring, customer due diligence, investigations, and training — provided the programme’s leadership and regulatory interface is anchored in the US.
The proposed rule also preserves existing restrictions on sharing SARs with personnel located outside the United States, other than in limited circumstances such as sharing with a foreign head office or controlling company. This is an area where firms with internationally distributed compliance teams need to exercise particular care in structuring their information flow and access controls.
For smaller MSBs and fintechs that operate lean compliance functions, the fractional or outsourced compliance model becomes increasingly relevant. Rather than either over-hiring or assigning programme responsibility to an overseas officer in breach of the requirement, outsourcing the MLRO or AML Officer function to a qualified US-based professional provides both programme quality and regulatory legitimacy. ComplyFactor’s global MLRO services are structured precisely to meet this kind of need.
Independent Testing and Audit: Clarified Expectations
The NPRM’s treatment of independent testing is one of the most practically consequential elements of the proposed rule, and deserves careful reading by both compliance officers and the external auditors and consultants who conduct BSA/AML independent testing engagements.
The proposed rule clarifies that independent testing serves a specific and bounded purpose: assessing whether the financial institution has effectively established, implemented, and resourced its AML/CFT programme consistent with the institution’s own risk assessment processes. Auditors are not being asked to re-adjudicate the institution’s risk judgements. They are being asked to evaluate whether those judgements are being executed.
This has direct implications for the scope and methodology of AML audit services engagements. Specifically:
- Auditors who find that an institution’s transaction monitoring thresholds are lower than what the auditor would personally prefer cannot simply cite this as a programme deficiency — if the thresholds are supported by the institution’s documented risk assessment, they reflect a reasonable risk-based decision
- Auditors who disagree with an institution’s customer risk tier classifications cannot override those classifications on the basis of subjective preference — the question is whether the classification methodology is documented, reasonable, and consistently applied
- The focus of independent testing must be on programme effectiveness, not process completeness — meaning auditors should be asking whether the programme is working, not whether every policy box has been ticked
For MSBs specifically, understanding MSB AML audit requirements in the context of this new framework is essential before the final rule takes effect. Institutions that have historically experienced overly prescriptive audits — where examiners or third-party auditors substituted their own risk judgements for the institution’s — will find meaningful protection in the proposed rule’s explicit language.
The requirement that independent testing be conducted by individuals who are truly independent of the AML/CFT function and avoid conflicts of interest is consistent with best practice, but the proposed rule’s emphasis on this point signals that FinCEN has observed instances where the independence requirement was not meaningfully honoured. Internal audit functions that are too closely integrated with the first line, or external auditors with operational roles in the programme, will not satisfy this standard.
FinCEN’s Supervisory and Enforcement Policy Under the Proposed Rule
The NPRM introduces a notable shift in FinCEN’s stated enforcement posture for banks. Under the proposed framework:
- If a bank has properly established its AML/CFT programme (i.e., has a well-designed risk-based framework incorporating the four pillars), FinCEN generally would not take an enforcement action
- Significant supervisory actions would be reserved for cases where a bank has a significant or systemic failure to maintain its programme — not for isolated or technical deficiencies
This represents a meaningful recalibration of supervisory risk for institutions that invest genuinely in programme design and documentation. It does not, however, represent a relaxation of substantive obligations — the bar for “proper establishment” requires genuine risk assessment, genuine risk-based resource allocation, and genuine programme governance.
Perhaps more structurally significant is the notice and consultation framework the proposed rule introduces between Federal banking supervisors and FinCEN. Before initiating a significant AML/CFT supervisory action under delegated authority, Federal banking supervisors must give FinCEN’s Director at least 30 days’ advance written notice, absent urgent circumstances, to review and provide input on the proposed action.
This is unprecedented in its formal elevation of FinCEN’s role in bank supervision. It effectively creates a check on Federal banking supervisors’ unilateral authority to take AML/CFT programme actions, and reflects FinCEN’s view that consistent, holistic programme assessment — rather than institution-specific examiner judgements — should drive supervisory outcomes.
In determining whether to pursue or endorse enforcement or significant supervisory actions, FinCEN’s Director would consider:
- The four AML Act statutory factors described above
- The extent to which the institution advances AML/CFT Priorities by providing highly useful information to law enforcement or national security agencies
- Whether the institution employs innovative tools such as artificial intelligence that demonstrate programme effectiveness
- Other considerations the Director deems appropriate
The explicit mention of AI as a factor in enforcement analysis is significant and is discussed further below.
The AML/CFT Priorities and Their Role in Risk Assessment
The AML Act requires FinCEN to establish government-wide AML/CFT Priorities and to incorporate them into programme requirements. The proposed rule implements this by requiring financial institutions to review the AML/CFT Priorities and, as appropriate, incorporate them into their risk assessment processes.
A critical timing note: financial institutions will not be required to incorporate the AML/CFT Priorities into their risk-based AML/CFT programmes until the final rule comes into effect. The proposed rule, as an NPRM, does not impose new legal obligations — the comment period must close, the final rule must be issued, and any designated effective date must pass before compliance becomes mandatory.
This provides a runway for institutions to familiarise themselves with the Priorities, assess their relevance to their specific business model and risk profile, and build the necessary updates into their risk assessment methodology before they become a hard requirement. Institutions that wait until the final rule’s effective date to begin this work will find themselves compressed — particularly if their risk assessment processes require material restructuring to accommodate the new inputs.
What Changes for MSBs, Casinos, and Non-Bank Financial Institutions
The proposed rule does not leave non-bank financial institutions behind. For MSBs in particular, the NPRM proposes to harmonise and modernise requirements while retaining certain MSB-specific provisions that reflect the distinct nature of MSB business models, customer bases, and risk profiles.
Practically, this means:
- The proposed rule would consolidate separate bank programme rules into a single standard applicable to all banks — bringing greater consistency to examiner expectations
- Separate MSB and casino programme rules would be harmonised with the new unified framework while preserving institution-type-specific elements where the risk profile demands differentiation
- Outdated compliance dates and unnecessary cross-references to other regulations would be removed, reducing navigational complexity for compliance officers working through the regulatory text
For MSBs that have historically operated under a distinct regulatory framework, the convergence toward a harmonised standard should be understood as both an opportunity and a challenge. The opportunity: greater clarity and consistency in examiner expectations, and a clearer path to demonstrating programme effectiveness. The challenge: MSBs that have relied on a lower-scrutiny, checkbox-oriented approach to BSA compliance will need to invest in genuine risk assessment and programme design in a way they may not have previously.
MSBs operating in Canada who also have US obligations will benefit from understanding how US BSA requirements interact with FINTRAC AML programme requirements — the two frameworks share conceptual DNA but diverge significantly in procedural specifics. Cross-border MSBs should ensure their programme design accounts for both regulatory environments.
For a current snapshot of how these reforms fit into evolving AML trends in regulatory compliance, compliance officers should note that the US NPRM is part of a coordinated global movement — driven by FATF’s effectiveness methodology, the UK’s FCA thematic reviews, and FinCEN’s own AML/CFT Priorities — toward outcome-oriented programme assessment.
The Role of Innovative Technology, Including AI
One of the more forward-looking elements of the proposed rule is FinCEN’s explicit recognition of artificial intelligence and other innovative tools as factors that can demonstrate AML/CFT programme effectiveness. The proposed rule states that in determining whether to pursue enforcement or significant supervisory actions, FinCEN’s Director would consider whether the institution “is employing innovative tools such as artificial intelligence that demonstrate the effectiveness of the bank’s AML/CFT programme.”
This is a notable signal. It reflects FinCEN’s awareness that AI-driven transaction monitoring, anomaly detection, and network analysis tools can meaningfully enhance programme effectiveness — and that regulators should credit institutions that invest in these capabilities, rather than treating technological innovation as irrelevant to supervisory assessment.
For compliance officers evaluating technology investments, this creates a genuine compliance business case for AI adoption. An institution that can demonstrate that its AI-driven monitoring system produces more accurate and actionable alerts than a legacy rule-based system — and can document this with data — is likely to be viewed more favourably in an enforcement or supervisory context than one that runs an identical volume of alerts through outdated technology.
This does not mean that AI adoption alone satisfies programme requirements. The four pillars, the risk assessment obligation, the US-based officer requirement, and the independent testing framework all remain in place. Technology is a supplement to — not a substitute for — sound programme design and governance.
How to Prepare: A Practical Roadmap for Compliance Officers
The proposed rule is still in the comment stage, and no compliance obligations change until a final rule is issued and an effective date passes. However, institutions that begin preparing now will be materially better positioned than those who wait. Below is a practical sequencing of preparation steps.
Immediate (now through comment period close):
- Read the NPRM in full and assess its specific implications for your institution’s programme design. FinCEN has published a fact sheet and key changes summary alongside the proposed rule text — these are useful orientation documents
- Identify whether your institution’s current programme documentation can support a clear “establishment” narrative — i.e., whether it demonstrates a risk-based, reasoned programme design
- Determine whether your designated AML/CFT Officer is US-based and would satisfy the access requirement under the proposed rule. If not, begin evaluating remediation options
- Consider submitting a public comment to FinCEN via regulations.gov (Docket FINCEN-2026-0034) — institutions have 60 days from Federal Register publication to do so, and industry input genuinely shapes final rule text
Near-term (next 3–6 months):
- Commission or conduct an internal gap analysis of your current risk assessment process against the proposed rule’s requirements. Does your current assessment cover all required dimensions — products, services, channels, customers, geography? Is it updated on a trigger basis, or only annually?
- Review your independent testing programme against the proposed rule’s clarified standards. Is your testing function genuinely independent? Are auditors documenting their findings in terms of programme effectiveness, not just process completeness?
- Begin mapping your AML/CFT Priorities coverage. Identify which Priorities are relevant to your institution’s risk profile and what — if anything — your current programme does to address them
- Review your AML training programme to confirm it is risk-based, role-differentiated, and reflects current regulatory requirements
Medium-term (preparing for final rule):
- Build a programme refreshment roadmap that can be activated once the final rule’s effective date is announced. Don’t wait for the final rule to begin drafting updated policies, procedures, and training materials
- Engage your board or senior management in the programme approval conversation now. The proposed rule requires written programme approval by the board, equivalent governing body, or senior management — confirming that governance documentation is in place before the final rule takes effect avoids a last-minute scramble
- If your institution is considering AI or other technology tools for transaction monitoring or risk assessment, begin the procurement and validation process now — these implementations take time, and getting ahead of the curve has regulatory as well as operational benefits
ComplyFactor’s AML advisory services and AML compliance programme design practice are structured to support institutions through exactly this kind of programme gap analysis and remediation. Our AML audit checklist provides a practical framework for assessing current programme health before a formal independent review.
What Happens Next: Comment Period and Timeline
The proposed rule was published by FinCEN on April 7, 2026. The public comment period runs for 60 days from the date of publication in the Federal Register. Comments can be submitted electronically at regulations.gov under Docket Number FINCEN-2026-0034 (RIN 1506-AB72), or by mail to FinCEN’s Regulatory and Strategic Affairs Division in Vienna, Virginia.
FinCEN has explicitly stated it welcomes public comment on all aspects of the proposed rule. This is not a formality — the AML community’s response to the 2024 proposed rule materially influenced the direction of this replacement NPRM, and substantive, well-reasoned industry input can shape the final rule text. Compliance officers, MLROs, and general counsels at affected institutions should consider whether submitting a comment is appropriate.
After the comment period closes, FinCEN will review submissions and issue a final rule. No timeline for the final rule has been announced, but given that this NPRM supersedes a prior 2024 proposal, FinCEN has a significant body of prior work to draw on. The four Federal banking agencies will issue their own corresponding rules on a parallel track.
Current AML/CFT programme requirements remain fully in effect until a final rule is issued and any designated effective date passes. No institution should interpret this NPRM as permission to relax current compliance obligations.
Frequently Asked Questions
Does the proposed rule change what I am currently required to do under the BSA?
No. The NPRM is a proposed rule — it does not alter current legal obligations. All existing BSA programme requirements remain fully in force until a final rule is issued and an effective date passes. The time to prepare is now, but the time to comply with the new framework is after the final rule.
What is the difference between “establishing” and “maintaining” an AML/CFT programme under the proposed rule?
Establishing a programme means designing a risk-based AML/CFT framework that incorporates the four core pillars and reflects the institution’s risk profile. Maintaining a programme means actually implementing and operating that framework in practice. FinCEN’s proposed enforcement posture treats these separately — enforcement is reserved primarily for significant or systemic failures to maintain a properly established programme, not for design imperfections.
Does the AML/CFT Officer have to be a full-time employee, or can this role be outsourced?
The proposed rule requires a designated AML/CFT Officer who is US-based and accessible to FinCEN and Federal regulators. It does not require the officer to be a full-time employee. Many smaller MSBs and fintechs meet this requirement through qualified fractional or outsourced AML Officers — provided that person genuinely exercises programme ownership and FinCEN-facing accountability.
Can overseas compliance personnel still perform AML/CFT work under the proposed rule?
Yes. The US-based requirement applies to the designated AML/CFT Officer, not to all personnel performing AML/CFT functions. Overseas personnel may continue to perform transaction monitoring, CDD, investigations, training, and other compliance functions. Existing SAR-sharing restrictions with non-US personnel are preserved.
What are the AML/CFT Priorities and when do I need to incorporate them into my programme?
The AML/CFT Priorities are government-wide risk priorities established by FinCEN under the AML Act. Financial institutions must review them and, where appropriate, incorporate them into their risk assessment processes. However, this is not required until the final rule takes effect — the NPRM does not impose this obligation immediately.
How does the proposed rule change independent testing expectations?
The proposed rule clarifies that independent testing must focus on programme effectiveness, not just process adherence. Critically, auditors must not substitute their own subjective judgement for the institution’s risk-based programme decisions. If an institution’s risk-based decisions are reasonable and well documented, auditors cannot simply record their own preferences as a finding.
Does the proposed rule apply to non-bank MSBs and fintechs, or only banks?
The proposed rule applies to financial institutions broadly, including non-bank MSBs, fintechs, casinos, and payment institutions, not only banks. For non-bank institutions, the proposed rule harmonises and modernises requirements while retaining institution-type-specific provisions. MSBs should read the proposed rule carefully in light of their existing MSB AML audit requirements.
What role does artificial intelligence play under the proposed rule?
AI is not a programme requirement, but FinCEN has explicitly stated that employing innovative tools such as AI — in ways that demonstrably enhance programme effectiveness — would be a factor considered favourably in enforcement and supervisory contexts. This creates a genuine compliance business case for AI adoption in transaction monitoring, risk assessment, and anomaly detection.
How do I submit a public comment on the NPRM?
Comments can be submitted electronically via regulations.gov using Docket Number FINCEN-2026-0034 (RIN 1506-AB72), or by mail to FinCEN’s Regulatory and Strategic Affairs Division. Comments must be received within 60 days of the NPRM’s Federal Register publication date.
Where can I get help assessing whether my current programme is ready for the proposed changes?
ComplyFactor’s specialist team provides AML advisory services, programme gap analysis, independent AML audit services, and fractional AML Officer support. Whether you need a full programme assessment or targeted advice on a specific element of the proposed rule, contact our team to discuss your situation.