FinCEN Just Rewrote the AML Rulebook: What the 2026 BSA Program NPRM Means for Your Compliance Team

April 10, 2026 Rebecca Leung

TL;DR

  • FinCEN published a landmark proposed rule on April 10, 2026 to “fundamentally reform” BSA AML/CFT program requirements across all financial institutions
  • The core shift: from measuring compliance by paperwork volume to demonstrating program effectiveness in detecting and preventing illicit finance
  • Key changes include a formal “effectiveness” standard, risk-based resource allocation, a mandatory US-based BSA officer, board approval requirements, and examination standards that protect risk-based decisions
  • Comment deadline is June 9, 2026; if finalized, a 12-month implementation period follows — but program review should start now

The AML rulebook just got rewritten.

On April 10, 2026, FinCEN published its Notice of Proposed Rulemaking (NPRM) in the Federal Register to fundamentally reform financial institution programs under the Bank Secrecy Act. The FDIC, OCC, and NCUA issued parallel proposals the same day. If finalized, this represents the most significant structural change to BSA/AML program requirements since the BSA was enacted in 1970.

Treasury Secretary Scott Bessent put it plainly: “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats.”

That sentence is the whole thesis. If your BSA program is built around filing SARs on time, running transaction monitoring, and checking the compliance boxes your last exam required — you’re going to need to rethink it.


Why FinCEN Scrapped the 2024 NPRM

This isn’t a revision of the prior proposed rule. The 2026 NPRM completely replaces and withdraws FinCEN’s July 3, 2024 proposed rule on AML/CFT programs, which had taken a more prescriptive, add-more-requirements approach.

The philosophy changed. Where the 2024 rule was additive — layer more requirements on top of existing ones — the 2026 proposal is structural. It reorients the entire regulatory framework around a single question: Is your program actually effective at identifying, mitigating, and reporting money laundering and terrorist financing risks?

That shift matters enormously for how your program gets built, resourced, and examined.


The Four Pillars (Mandatory Program Components)

The NPRM maintains the familiar four-component structure of BSA programs but reframes each component around risk-based effectiveness rather than technical compliance:

Pillar | What It Now Requires
Internal Policies, Procedures & Controls | Risk-based controls that evaluate products, services, distribution channels, customers, intermediaries, and geographic exposure — with documented resource allocation toward higher-risk areas
Independent Testing | Testing by internal independent personnel or external parties, focused on effectiveness of the program — not just technical completeness of policies
U.S.-Based BSA/AML Compliance Officer | Designated officer must be US-based with specified accessibility to FinCEN; other AML staff may be abroad but leadership accountability stays domestic
Employee Training | Programs calibrated to your institutional risk profile and specific employee roles — not one-size-fits-all generic training

The changes aren’t in the structure — they’re in how each pillar is evaluated.


What “Effectiveness” Actually Means

The NPRM formally defines an “effective” AML/CFT program for the first time. An effective program must be:

  1. Properly established — meeting the regulatory minimum requirements, and
  2. Maintained in all material respects — implemented with a reasonable design to ensure BSA compliance and generate useful information for law enforcement

Importantly, FinCEN explicitly states that programs need not eliminate all illicit activity — they must be “reasonably designed” to identify, mitigate, and report risks. This is a meaningful standard shift: regulators cannot cite a program solely because a bad actor slipped through. The question becomes whether the program was reasonably designed and maintained.


Risk Assessment Gets Teeth

Under the current framework, many AML risk assessments are compliance artifacts — annual exercises that produce documents nobody acts on. The NPRM changes that.

Institutions must:

  • Incorporate FinCEN’s national AML/CFT priorities into their assessments. Superficial treatment won’t satisfy examiners — you must document whether each national priority is material to your specific business and explain why or why not.
  • Update risk assessments when risk profiles significantly change — new products, new geographies, new distribution channels, mergers, significant customer base shifts.
  • Document resource allocation decisions — specifically, why resources are being allocated away from lower-risk areas toward higher-risk ones. This documentation protects you if an examiner second-guesses the call.

The last point is new and significant. Banks have historically been afraid to reduce monitoring in low-risk areas because it creates exam findings. The NPRM explicitly protects documented risk-based reallocation decisions from adverse citation.


Board-Level Accountability

The proposal introduces a board approval requirement for the AML/CFT program. This isn’t unprecedented — many institutions already have board sign-off on their BSA programs — but codifying it in regulation raises the stakes.

For BSA Officers: your program now has board-level sponsorship requirements baked into the rule. If your institution hasn’t been presenting the AML program to the board regularly, that needs to change well before finalization.

For Compliance Officers and CCOs: board approval creates a governance trail. Make sure your annual program review presentations are documented in board minutes.


How Examination Standards Change

This may be the most significant change for day-to-day compliance operations.

Under the proposal, for banks with properly established programs, examiners and FinCEN:

  • Cannot base enforcement actions solely on program rule violations without demonstrating a “significant or systemic failure to implement”
  • Must consult FinCEN before major supervisory actions related to program requirements
  • Cannot substitute examiner judgment for a bank’s documented risk-based decisions

Read that again. If your program is properly established and you’ve documented your risk-based decisions, an examiner who personally disagrees with your risk appetite cannot cite you for it. This is a substantial protection for institutions that have been caught in the “examiner lottery” — where outcome depended heavily on who showed up and what they were looking for.

The caveat: “properly established.” If there are foundational program gaps — missing risk assessments, untrained staff, no independent testing, no US-based BSA officer — none of these protections apply.


Multi-Agency Coordination: Why It Matters

FinCEN isn’t acting alone. The FDIC, OCC, and NCUA each published parallel NPRMs to align their supervised institutions’ requirements with the FinCEN framework. The FDIC Chairman specifically noted this represents reforms Congress mandated through the Anti-Money Laundering Act of 2020, the most significant BSA reform since the PATRIOT Act.

For supervised institutions, this means your primary federal regulator and FinCEN are now working from the same playbook. The days of inconsistent exam findings where one examiner focuses on transaction monitoring thresholds and FinCEN focuses on risk assessment integration should, in theory, decrease.

In practice: watch how the final rule is implemented and whether supervisory expectations actually converge. File your comment if there’s a gap between what the rule says and what examiners are likely to do.


What Your Program Gaps Look Like Now

Run this checklist against your current BSA/AML program before the June 9 comment deadline:

Program Element | Current Standard | New Standard | Gap to Address
Risk Assessment | Annual update, generalized | Updated on material risk changes; FinCEN priorities addressed explicitly | Most programs need a risk trigger framework
Resource Allocation | Not explicitly documented | Documented justification for allocating away from lower-risk areas | Needs process + documentation
BSA Officer | Officer designation | US-based, specified FinCEN accessibility, board-approved program | Check location; confirm board approval process
Independent Testing | Testing exists | Effectiveness-focused, not compliance-checkbox | Testing scope likely needs reorientation
Training | Annual completion | Role-calibrated, risk-profile-specific | Generic training may not suffice

Practitioner Takeaways by Role

BSA Officer / MLRO:

  • Map your current policies to the new “establishment” criteria now — before finalization creates urgency
  • Confirm your location and access requirements meet the US-based designation requirement
  • Document how your risk assessment currently addresses FinCEN’s national AML/CFT priorities — and where gaps exist

Chief Compliance Officer:

  • Prepare a board briefing on the proposed rule and what program changes will be needed
  • Work with Internal Audit to reorient your AML testing program toward effectiveness metrics, not technical completeness
  • Review your last exam findings: do any reflect “significant or systemic failure” issues that would remain exposures even under the new standard?

Model Risk / Transaction Monitoring Team:

  • Start documenting the logic behind alert threshold settings and filtering rules — the NPRM protects risk-based decisions but only if they’re documented
  • Identify where monitoring resources are concentrated in low-risk areas because “that’s how it was always done” vs. genuine risk rationale

Compliance Counsel:

  • The comment period closes June 9, 2026. If there are specific definitions (particularly the “effectiveness” standard and “significant or systemic failure” threshold) that could cut against your institution, get comments in
  • Review the interplay between the new examination standards and existing consent orders or MRAs — the new framework may not modify existing obligations

30/60/90 Day Action Items

30 days (by May 11):

  • Read the NPRM summary and FinCEN’s Key Changes fact sheet
  • Assign a team to conduct a gap analysis against the four pillars
  • Confirm BSA Officer location and board approval process
  • Flag to board/audit committee that a regulatory change is in progress

60 days (by June 9 — comment deadline):

  • Complete gap analysis and document findings
  • Decide whether to submit a comment (particularly on the “effectiveness” and “significant/systemic failure” definitions)
  • Map your current risk assessment against FinCEN’s national AML/CFT priorities
  • Document current resource allocation rationale for monitoring and control activities

90 days (by July 11):

  • Present program gap analysis to board or risk committee
  • Begin drafting updated risk assessment framework (risk trigger criteria, priority mapping)
  • Review and refresh independent testing scope toward effectiveness metrics
  • Build a project plan for program updates with estimated timeline against 12-month implementation window

The Bottom Line

This NPRM is a philosophical overhaul, not a technical tweak. BSA/AML programs built around satisfying the last exam cycle — filing SARs, checking monitoring thresholds, keeping training completion rates high — will not survive contact with the new effectiveness standard.

The institutions that come out ahead are the ones who can demonstrate, with documentation, that their program is intelligently designed around their actual risk profile. Not the ones with the thickest binders.

If your program has unresolved findings or documented gaps from prior exams, those don’t go away under the new framework — in fact, they become examples of the “significant or systemic failures” that remain enforceable regardless of the new protections. Tracking and remediating those findings systematically is exactly the kind of work the Issues Management Tracker & Template is designed for.

For context on how regulators have been enforcing AML programs before this rule takes effect, see FinCEN’s $80M BSA penalty against Canaccord Genuity, the largest ever against a broker-dealer, and our breakdown of how to build a regulatory change management program when the rules under you shift mid-cycle.


Source: FinCEN NPRM Press Release | Federal Register Publication | ABA Banking Journal Coverage | Troutman Pepper Analysis | FDIC Parallel NPRM

Frequently Asked Questions

What does FinCEN's 2026 proposed AML/CFT rule change?
FinCEN's 2026 NPRM shifts AML/CFT program requirements from prescriptive, volume-based compliance to risk-based effectiveness. It introduces a formal 'effectiveness' standard, requires risk-based resource allocation, mandates a US-based BSA officer with board-level access, and limits examiner enforcement to 'significant or systemic failures.'

When is the comment deadline for the FinCEN AML/CFT proposed rule?
Comments must be received by June 9, 2026—60 days after the Federal Register publication date of April 10, 2026.

Which agencies are involved in the 2026 AML/CFT proposed rule?
The rulemaking is led by FinCEN and coordinated with the FDIC, OCC, and NCUA, which are issuing parallel proposed rules for their supervised institutions.

Does the 2026 FinCEN proposed rule replace a prior NPRM?
Yes. The 2026 NPRM completely supersedes and withdraws FinCEN's July 3, 2024 proposed rule on AML/CFT programs.

What is the implementation timeline if the FinCEN AML/CFT rule is finalized?
The proposal includes a 12-month implementation period following issuance of the final rule, giving institutions roughly a year to update their programs.

How does the new rule change how examiners evaluate AML programs?
Under the proposal, examiners cannot base enforcement actions solely on program rule violations unless there is a 'significant or systemic failure to implement.' Examiners are also explicitly instructed not to substitute their judgment for a bank's risk-based decisions.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
