FinCEN’s 2026 AML Rule Is Coming — Here’s What Every Financial Institution Needs to Know

MCG Consulting Broker Dealers

The days of “check-the-box” compliance are over. FinCEN’s landmark proposed rule would replace paper-heavy AML programs with a results-driven framework. Here’s what changes, and how to get ahead of it.

On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) dropped a major Notice of Proposed Rulemaking (NPRM) that would transform Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) compliance for every Bank Secrecy Act-covered institution in the country.

Banks, credit unions, broker-dealers, money services businesses, insurance companies, mortgage lenders: if you’re subject to the BSA, this rule affects you. The core message from FinCEN is clear: effective programs matter more than thicker binders.

Key takeaway

FinCEN wants AML/CFT programs that deliver “genuinely useful information to law enforcement and national security agencies,” not just paperwork. This is the biggest compliance shift in years.

The New Four-Pillar Framework

The proposed rule standardizes four mandatory pillars that every AML/CFT program must satisfy. Think of these as the new foundation of financial compliance:

 
[Image: Financial Pillars]

Each pillar comes with real teeth. Under Pillar 1, a formal risk assessment is now mandatory, covering your products, services, distribution channels, customers, and geographic footprint. Customer Due Diligence intensity must flow directly from that assessment. Under Pillar 2, auditors must evaluate whether your program actually works, not just whether it technically exists.

 

The officer must be in the U.S.

Pillar 3 is worth highlighting separately: your designated AML/CFT Officer must be physically located in the United States and accessible to FinCEN and federal regulators. Offshore personnel can still support the function, but cannot hold the designated role. If your current structure doesn’t meet that bar, now is the time to fix it.

 

A Critical New Distinction: “Establishment” vs. “Maintenance”

One of the most significant, and misunderstood, elements of the proposed rule is the distinction between how you design your program versus how you run it day to day.

Establishment refers to the design of the program: does your written framework actually meet the four pillars? This is where regulators will focus their heaviest scrutiny. A poorly designed program, one that was never built right, carries the highest enforcement risk under the new structure.

Maintenance refers to day-to-day implementation. Significant, systemic failures here still carry real enforcement risk, but examiners will now be able to distinguish between “we never built it right” and “we built it right but had some execution gaps.” That distinction is a meaningful improvement for institutions operating in good faith.

Compliance insight

Good-faith, well-documented, risk-based programs that deliver useful Suspicious Activity Reports (SARs) should face materially lower enforcement exposure under this framework. Document everything.

 

Risk Assessments Are Now Central, Not Optional

Under the proposed rule, your risk assessment isn’t a once-a-year checkbox exercise. It becomes the operational backbone of your entire compliance program. Key changes include:

  • A trigger-based update protocol: you must update your risk assessment whenever you “know or have reason to know” of a material change (new products, M&A, geographic expansion, new customer segments)
  • Mandatory integration of FinCEN’s published AML/CFT Priorities once the rule takes effect
  • Resources must be allocated proportionally: higher-risk areas get more attention and controls

Technology and Innovation Get a Regulatory Boost

Here’s a headline that should get RegTech teams excited: the proposed rule explicitly treats the use of AI, machine learning, and advanced analytics as a positive factor in enforcement reviews. Institutions investing in innovative monitoring tools won’t just be doing good compliance; they’ll be getting credit for it.

This is a clear signal that FinCEN wants the industry to move away from legacy, rules-based systems toward smarter, more effective financial crime detection. For firms already exploring RegTech solutions, now is the time to document and showcase that investment.

 

Supervision and Enforcement: A More Balanced Approach

The proposed rule also restructures the supervisory process. Federal banking supervisors would be required to give FinCEN’s Director at least 30 days’ written notice before taking significant AML/CFT enforcement action (with exceptions for urgent matters). Enforcement decisions will explicitly consider:

  • Whether the program provides “highly useful” information to law enforcement
  • Use of innovative compliance tools (positive factor)
  • Cost/benefit considerations, financial inclusion, national security, and whether a risk-based approach was genuinely followed

 

What Your Institution Should Do Right Now

The final rule is expected 12–18 months after publication. That sounds like plenty of time, but institutions that wait will be scrambling. Here’s a practical action list:

  • Assign an NPRM project owner and run a gap assessment against the four pillars
  • Confirm your AML/CFT Officer is U.S.-based and properly documented in your governance structure
  • Begin drafting or updating your formal risk assessment methodology and trigger update protocol
  • Evaluate your use of innovative RegTech tools and document the law enforcement value your program delivers
  • Update audit scope instructions so your auditors are testing program effectiveness, not just technical compliance
  • Brief your Board or senior management on the rule’s implications; board approval of the AML/CFT program will be required


The Bottom Line

FinCEN’s 2026 NPRM is the clearest signal yet that the era of compliance-by-paperwork is ending. Institutions that align their AML/CFT programs with genuine risk, documented effectiveness, and modern RegTech will be well ahead of the curve when the final rule drops.

Those that treat this as just another regulatory update risk landing in the “establishment failure” category, the highest-scrutiny outcome under the new framework. The compliance transformation is coming. Get ahead of it now.

Helping Broker-Dealers Stay Exam-Ready. MCG Consulting, LLC specializes in helping financial institutions build fully compliant, operational AML/CFT and WSP frameworks, from gap analysis to implementation.