On April 7, 2026, FinCEN published a Notice of Proposed Rulemaking in the Federal Register that represents the most significant proposed reform of Bank Secrecy Act compliance program requirements since Congress passed the Anti-Money Laundering Act of 2020. The OCC, FDIC, and NCUA issued parallel NPRMs on the same day, aligning their regulated institutions’ AML/CFT requirements with FinCEN’s proposed framework. Comments are due June 9, 2026.

The proposal does not tweak the existing framework around the edges. It recasts the foundational logic of what an AML/CFT compliance program is supposed to do — moving from a rule-following model toward a risk-identification and mitigation model. The implications for banks, credit unions, and the compliance professionals responsible for BSA programs are substantial.

This article explains what the proposed rule would change, what stays the same, what the enforcement framework looks like, and what financial institutions should be doing before the comment deadline.


What Drove the Rulemaking

The AML Act of 2020, enacted as part of the National Defense Authorization Act, imposed a statutory mandate on FinCEN to update the BSA’s program requirements. The law directed FinCEN to prioritize — rather than treat uniformly — AML/CFT requirements based on actual risk and national priorities.

The April 2026 NPRM is FinCEN executing on that mandate.

The existing BSA framework has been criticized for years by regulators, financial institutions, and academic researchers for producing enormous volumes of compliance activity — Suspicious Activity Reports, Currency Transaction Reports, customer due diligence records — that is of limited utility to law enforcement. A 2023 Treasury study estimated that U.S. financial institutions file approximately 3.5 million SARs annually. Law enforcement uses a small fraction. The rest creates compliance cost and record-keeping burden without producing intelligence value.

The NPRM is designed to fix this by requiring institutions to allocate compliance effort where the actual risk is, not where the regulatory checklist points.


The Four Core Program Elements

The proposed rule retains the existing “four pillars” structure but significantly recasts their content and emphasis:

1. A Risk-Based Set of Policies, Procedures, and Controls

The existing framework requires policies, procedures, and controls, but does not explicitly require that they be calibrated to the institution’s risk profile. The NPRM would make risk-based calibration explicit and mandatory.

Under the proposed rule, an institution’s policies, procedures, and controls must be demonstrably designed to identify, assess, and mitigate the actual illicit finance risks the institution faces — based on its products, services, customers, geographic footprint, and distribution channels. Generic, industry-standard controls applied uniformly regardless of the institution’s specific risk profile would not satisfy the requirement.

This is a meaningful shift for community banks and credit unions that have historically implemented compliance programs modeled on larger institutions’ frameworks regardless of relevance to their actual risk exposure.

2. Independent Testing

The proposed rule retains the existing independent testing requirement but clarifies that testing must assess whether the compliance program is effectively identifying, assessing, and mitigating risk — not merely whether controls exist and are documented. Effectiveness testing, not just control presence testing, becomes the explicit standard.

3. A U.S.-Based, Regulator-Accessible Compliance Officer

The proposed rule would require that the individual responsible for establishing and implementing the AML/CFT program be U.S.-based and directly accessible to regulators. This provision responds to enforcement cases in which compliance responsibilities were nominally assigned to overseas personnel in ways that insulated senior management and created gaps in regulatory access.

The compliance officer requirement is not new — what is new is the explicit U.S. presence and regulatory accessibility requirement.

4. An Employee Training Program

The training pillar is retained with modest updates emphasizing that training must be current, relevant to the institution’s specific risk profile and product set, and delivered to personnel whose roles create AML/CFT exposure — not merely to all employees uniformly.


The Risk-Based Prioritization Mandate

The most operationally significant change in the proposed rule is the explicit direction to institutions to direct more attention and resources toward higher-risk customers and activities — and, by implication, to reduce compliance intensity for lower-risk relationships.

This is a direct regulatory invitation to de-emphasize SAR and CTR filing activity for low-risk customers and to concentrate compliance resources on the customers and products that actually generate illicit finance risk. For compliance programs that have been calibrated to avoid any regulatory criticism for under-filing, this represents a significant posture shift.

The NPRM does not eliminate existing SAR and CTR filing obligations. It does, however, signal that regulators expect the compliance resource allocation to match the risk distribution — and that uniform high-intensity monitoring of low-risk customer relationships is not what the framework requires.


The Enforcement Threshold Change

Under the proposed rule, only significant or systemic failures to implement a properly established program would warrant a formal AML/CFT enforcement action or significant supervisory action.

This provision is intended to address the perception — widely held in the financial industry — that technical compliance deficiencies in otherwise-functional programs have been treated as enforcement triggers. The NPRM explicitly signals that regulators intend to focus enforcement energy on programs that fail in meaningful ways, not on programs that have isolated documentation gaps or control exceptions in a context of overall program effectiveness.

For compliance professionals, this is a mixed signal. On one hand, it reduces the enforcement risk from technical deficiencies. On the other, it raises the standard for what “failure” means — a program that is administratively complete but not effectively identifying risk may be more exposed under the new framework than under the old one.


What Does Not Change

Several core BSA obligations are not addressed in the NPRM and remain in force as-is:

  • SAR and CTR filing requirements (retained, enforced separately)
  • Customer Identification Program (CIP) requirements
  • Customer Due Diligence (CDD) and Beneficial Ownership requirements (the 2024 Corporate Transparency Act framework)
  • OFAC sanctions compliance (separate regulatory regime)
  • Recordkeeping requirements

The NPRM is specifically about the AML/CFT program requirements — the framework within which all of the above operates. It is not a wholesale rewrite of BSA obligations.


What the Proposed Rule Means for Credit Unions

The NCUA’s parallel NPRM is significant for the credit union sector specifically. Credit unions have historically operated under AML/CFT program requirements that paralleled but were technically separate from the bank regulatory framework. The April 2026 NPRM aligns credit union AML/CFT program requirements with the FinCEN and banking agency framework in a way that had not previously been achieved.

For NCUA-regulated credit unions, the proposed rule represents a convergence with the banking sector’s compliance framework — including the risk-based calibration requirement, the U.S.-based officer provision, and the enforcement threshold language.


Comment Period and Timeline

Comments on the proposed rule are due June 9, 2026 — 60 days after Federal Register publication on April 10, 2026.

Financial institutions that want to shape the final rule have approximately six weeks to prepare comments. The proposed rule is technically complex, and the most valuable industry comments typically address:

  • Specific aspects of the risk-based calibration requirement and how regulators should evaluate compliance with it
  • The independent testing effectiveness standard and what documentation should demonstrate it
  • The enforcement threshold language and how institutions should interpret “significant or systemic failure”
  • Implementation timelines, particularly for community banks and smaller credit unions

The comment record will directly influence the final rule. Institutions that have concerns about specific provisions are better positioned to address those concerns in the comment period than in a future enforcement context.


What Financial Institutions Should Do Now

Map your existing program against the proposed framework. The four-pillar structure is preserved, but each pillar’s content expectations shift. A gap analysis against the proposed rule’s specific language — not just the current regulatory text — identifies where remediation will be required.

Assess your risk-based calibration. Can you demonstrate, with documented evidence, that your compliance controls are scaled to your institution’s actual risk profile? Are high-risk customer segments receiving materially more intensive monitoring than low-risk segments? The answer to this question determines whether your existing program satisfies the proposed standard.

Review your independent testing scope. If your most recent independent audit tested control presence rather than control effectiveness, plan for expanded scope under the final rule. Effectiveness testing requires different methodology and typically more time.

Evaluate your compliance officer structure. If AML/CFT program responsibilities are shared with or delegated to overseas personnel, assess whether the proposed U.S. presence and regulatory accessibility requirement changes that structure.

Consider whether to file a comment. The comment deadline is June 9, 2026. Institutions with substantive views on the proposed rule — particularly smaller institutions for whom the risk-based calibration requirements may create practical challenges — should assess whether participating in the comment process serves their interests.


The April 2026 AML/CFT NPRM is not a compliance-by-year-end event. It is a proposed rule that, if finalized, will reshape the operating logic of BSA compliance programs across every federally supervised financial institution. The comment period is the moment to shape it. The implementation period — once the final rule is published — will be the moment to execute.


Sources: FinCEN NPRM, Federal Register April 10, 2026 (2026-06948); OCC Bulletin 2026-11; FDIC Financial Institution Letter; NCUA Press Release; Perkins Coie AML/CFT Analysis; Gibson Dunn FinCEN Proposed Rule Analysis; Covington & Burling FinCEN AML/CFT Reform Update. This article is for informational purposes only and does not constitute legal advice.