FinCEN's New BSA Whistleblower Program Changes the Math on Internal Escalation — Especially for Compliance Officers

TL;DR

• FinCEN published a proposed BSA whistleblower rule on April 1, 2026, implementing a 6-year-old statutory mandate from the Anti-Money Laundering Act of 2020
• Awards range from 10–30% of penalties in enforcement actions exceeding $1 million; both Treasury and DOJ can pursue covered violations
• Compliance officers and auditors who discover violations through their job responsibilities must wait 120 days before reporting externally — the intent is to give institutions time to self-remediate
• Business-side employees (deal teams, operations, front office) face no waiting period and can report immediately
• Comments due June 1, 2026

Six years after Congress told FinCEN to stand up a BSA whistleblower program, FinCEN published the proposed rule on April 1, 2026. It’s detailed, it’s consequential, and it lands at a moment when DOJ’s National Fraud Enforcement Division is actively ramping up financial crime enforcement. If you run a BSA/AML program, manage a compliance team, or are a CCO at any BSA-covered institution, this rule changes your internal escalation calculus.

Here’s what it says and what it means for your program.

The Statutory Background

The Anti-Money Laundering Act of 2020 (AMLA) — embedded in the National Defense Authorization Act — included a mandate at Section 6314 directing FinCEN to establish a whistleblower program. The program was supposed to mirror the SEC’s whistleblower structure: financial incentives for original information, anti-retaliation protections, and a mechanism for both insiders and outsiders to report BSA violations.

Congress passed AMLA in January 2021. FinCEN published this proposed rule in April 2026. The five-year delay is, per FinCEN’s preamble, largely attributable to the complexity of designing the award mechanism and coordinating with DOJ on covered violations.

The proposed rule isn’t final — the comment period closes June 1, 2026 — but the framework is substantively complete. This is what the final rule will likely look like.

What the Proposed Rule Covers

Covered violations include breaches involving:

• Bank Secrecy Act (BSA) and AML laws
• International Emergency Economic Powers Act (IEEPA) sanctions
• Trading with the Enemy Act (TWEA)
• Foreign Narcotics Kingpin Designation Act
• Outbound Investment Security Program (OISP)
• Data Security Program (DSP)

That’s a broader scope than some expected. The OISP and DSP coverage is new territory — this isn’t just an AML and sanctions program, it’s a financial crime whistleblower program with a wide aperture.

Covered agencies: Both Treasury (FinCEN, OFAC) and the Department of Justice can pursue covered violations. A whistleblower who provides information that leads to a DOJ enforcement action — not just a FinCEN civil penalty — may still qualify for an award.

The Award Structure

Awards range from 10% to 30% of monetary sanctions collected in successful enforcement actions where total penalties exceed $1 million.

FinCEN will weigh three statutory factors when setting the award percentage:

1. Significance of the whistleblower’s information to the enforcement outcome
2. Degree of assistance the whistleblower provided throughout the action
3. Programmatic interests of Treasury or DOJ in deterring the specific violation type

There is no statutory cap on individual award amounts. If FinCEN brings a $500 million enforcement action — as it has in prior BSA cases — and a whistleblower contributed the core evidence, the award could reach $150 million.

One constraint: The rule explicitly provides no immunity for violations the whistleblower was involved in. Someone who participated in structuring transactions can still submit a tip and potentially receive an award, but they remain exposed to civil and criminal liability for their own conduct. The award eligibility and the culpability question are treated as separate analyses.

The 120-Day Rule: What It Means for Compliance Professionals

This is the piece that should be driving internal policy changes now.

Under the proposed rule, whistleblowers are subject to a 120-calendar-day waiting period before they can submit a tip to FinCEN — if they learned about the violation through:

• Compliance or audit responsibilities
• Being an officer, director, trustee, or partner of the covered entity
• Working for an outside firm retained to perform audit or compliance functions

The rationale is sensible: institutions that invest in robust internal compliance programs should get a chance to use them. The 120-day clock gives a compliance officer — who discovers a potential SAR filing failure, for example — time to escalate internally, trigger remediation, and potentially self-disclose to regulators before an external whistleblower report bypasses the whole process.

But here’s the structural tension: the rule is also telling compliance officers that their exclusive internal escalation window is exactly four months. If you raise an issue internally and nothing happens — if leadership sits on it, if legal decides to run out the clock, if the business dismisses the finding — a compliance officer is now sitting on a potential $10 million award claim that matures in 120 days.

That changes the conversation around internal escalation. Compliance officers who previously had limited leverage over how quickly findings got remediated now have a credible external option with a hard deadline.

The Business Function Exception: No Waiting Period

Here’s the critical asymmetry: the 120-day waiting period applies only to compliance and audit professionals.

An employee in a business function — a trader who notices suspicious transaction patterns, a relationship manager who discovers a client is routing funds through shell accounts, a software engineer who realizes the SAR system has a bug that suppresses filings — faces no waiting period. They can submit a tip to FinCEN the same day.

This creates a compliance program design problem. If business-side employees have faster external access than compliance staff, institutions need to ensure that internal escalation paths are quick, responsive, and visibly taken seriously. A slow internal escalation process is now a reputational and competitive intelligence risk, not just a governance one.

The business function exception also means that institutions with significant front-office turnover — or with adversarial relationships between compliance and business lines — have less of a buffer than they might assume.

What This Means for Your BSA/AML Program

The FinCEN whistleblower rule, paired with FinCEN’s broader AML program reform NPRM, is reshaping the incentives around BSA compliance in real time. Here’s what practitioners should be doing now:

Audit Your Internal Escalation Process

If a business-line employee identifies a potential BSA violation today, what happens? Is there a clear path to the BSA officer? Is the escalation documented? Is there a documented SLA for response?

If the answer to any of those is “it depends” or “we’d figure it out,” you have a gap. The whistleblower rule just created a financial incentive for business-line employees to skip your escalation process entirely.

Strengthen the Compliance-to-BSA-Officer Pipeline

Compliance officers discovering violations internally should be able to document their discovery, track internal escalation, and demonstrate good-faith remediation within the 120-day window. That requires:

• A log of internally identified potential violations
• Documented escalation with timestamps
• Clear ownership of remediation
• Senior management or board visibility where appropriate

An issues management tracker isn’t optional here — it’s your evidence that the 120 days were used productively. If a whistleblower eventually reports and FinCEN asks why the issue wasn’t self-disclosed, you need a paper trail showing when you found it, who knew, and what you did.

Revisit Confidentiality Agreements

Many financial institutions have confidentiality or non-disparagement provisions in employment agreements that could be read to chill whistleblowing. Under the proposed rule, retaliation against a whistleblower is expressly prohibited, and provisions that restrict an employee’s ability to report to government agencies are likely unenforceable.

Legal should review standard employment agreement language before the rule is finalized. This is not a hypothetical — the SEC has brought enforcement actions against issuers whose agreements contained language deemed to impede whistleblower rights.

Train the Front Line — Not Just Compliance

If business-line employees have no waiting period, they need to know what a BSA violation looks like. AML training that covers only “report to compliance” without explaining what kinds of concerns are reportable — and why — leaves institutions exposed to uninformed external reports on issues that could have been handled internally.

Control Gap Table: Whistleblower Readiness

The Comment Letter Opportunity

The proposed rule is open for comment until June 1, 2026. A few areas where industry input could meaningfully shape the final rule:

120-day window length: Is 120 days the right period? For large institutions with complex findings, it may be too short. For simple violations, it may be unnecessarily long. Industry should articulate why the period should flex based on issue complexity.

Insider involvement standard: The rule doesn’t provide immunity but doesn’t disqualify involved whistleblowers from awards. The boundary between “participated” and “discovered” is fuzzy, especially in compliance functions where you’re often reviewing your own institution’s conduct. Clearer guidance here would reduce uncertainty.

Coordination with self-disclosure credit: The proposed rule is silent on how voluntary self-disclosure to FinCEN affects award eligibility. If an institution self-discloses within the 120-day window, should the compliance officer who discovered the issue still be eligible for a reduced award? The answer matters for internal escalation incentives.

30/60/90 Day Checklist

This month:

• Review the proposed rule and assess whether to submit comments by June 1, 2026
• Map your current internal escalation pathway for BSA/AML concerns
• Review employment agreement templates for any language that could chill whistleblowing

Next 60 days:

• Implement a documented issues log for internally identified potential BSA violations
• Define a written SLA for compliance-to-BSA-officer escalation response time
• Brief senior leadership and board risk committee on the whistleblower rule implications
• Verify your anti-retaliation policy is current and clearly communicated

By Q4 2026:

• Complete updated AML training that covers front-line reporting obligations and pathways
• Test your internal escalation process with a tabletop exercise
• Assess whether existing employment agreements require updating

An Issues Management Tracker with documented escalation logs, timestamps, and remediation owners is exactly what you need to demonstrate that the 120-day window was used productively — and to protect yourself if a whistleblower report eventually comes in on something you were already remediating.

Sources:

• Federal Register: FinCEN Whistleblower Incentives and Protections NPRM
• Akin Gump: FinCEN Proposes Rule Implementing Treasury Whistleblower Incentives
• Davis Polk: FinCEN Whistleblower Program Would Offer Financial Incentives
• Orrick: What Companies Need to Know About FinCEN’s Proposed Whistleblower Program
• Latham & Watkins: FinCEN Proposes Regulations to Implement Whistleblower Program