Home/Federal/Federal Register/2026-06948

Proposed Rule2026-06948

Anti-Money Laundering and Countering the Financing of Terrorism Programs

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published

April 10, 2026

Issuing agencies

Treasury DepartmentComptroller of the CurrencyFederal Deposit Insurance CorporationNational Credit Union Administration

Abstract

The Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, "the Agencies" or "Agency" when referencing the singular) are inviting comment on a proposed rule that would require banks to establish and maintain effective anti-money laundering and countering the financing of terrorism (AML/CFT) programs reasonably designed to identify, assess, and mitigate risks of illicit finance. The amendments are intended to align with changes that are being concurrently proposed by the Financial Crimes Enforcement Network (FinCEN) to implement provisions of the Anti-Money Laundering Act of 2020 (AML Act). Among other changes, this proposed rule would ensure that institutions establish and maintain effective AML/CFT programs that are intended to better achieve the purposes of the Bank Secrecy Act (BSA), culminating in the development of highly useful information related to illicit financial transactions for law enforcement and national security agencies. Through this rulemaking, the Agencies also intend to modernize and reform Federal supervision of AML/CFT programs by enhancing FinCEN's role in AML/CFT supervision and enforcement.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 69 (Friday, April 10, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 69 (Friday, April 10, 2026)]
[Proposed Rules]
[Pages 18304-18330]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-06948]

========================================================================
Proposed Rules
Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.

========================================================================

Federal Register / Vol. 91, No. 69 / Friday, April 10, 2026 /
Proposed Rules

[[Page 18304]]

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

[Docket ID OCC-2024-0005]
RIN 1557-AF14

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

RIN 3064-AF34

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

[Docket ID NCUA-2024-0033]
RIN 3133-AG08

Anti-Money Laundering and Countering the Financing of Terrorism
Programs

AGENCY: Office of the Comptroller of the Currency, Treasury; Federal
Deposit Insurance Corporation; and the National Credit Union
Administration.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC), Federal
Deposit Insurance Corporation (FDIC), and the National Credit Union
Administration (NCUA) (collectively, ``the Agencies'' or ``Agency''
when referencing the singular) are inviting comment on a proposed rule
that would require banks to establish and maintain effective anti-money
laundering and countering the financing of terrorism (AML/CFT) programs
reasonably designed to identify, assess, and mitigate risks of illicit
finance. The amendments are intended to align with changes that are
being concurrently proposed by the Financial Crimes Enforcement Network
(FinCEN) to implement provisions of the Anti-Money Laundering Act of
2020 (AML Act). Among other changes, this proposed rule would ensure
that institutions establish and maintain effective AML/CFT programs
that are intended to better achieve the purposes of the Bank Secrecy
Act (BSA), culminating in the development of highly useful information
related to illicit financial transactions for law enforcement and
national security agencies. Through this rulemaking, the Agencies also
intend to modernize and reform Federal supervision of AML/CFT programs
by enhancing FinCEN's role in AML/CFT supervision and enforcement.

DATES: Written comments may be submitted on or before June 9, 2026.

ADDRESSES: Comments should be directed to:
OCC: Commenters are encouraged to submit comments through the
Federal eRulemaking Portal. Please use the title ``Anti-Money
Laundering and Countering the Financing of Terrorism Programs'' to
facilitate the organization and distribution of the comments. You may
submit comments by any of the following methods:
<bullet> Federal eRulemaking Portal--<a href="http://Regulations.gov">Regulations.gov</a>:
Go to <a href="https://regulations.gov/">https://regulations.gov/</a>. Enter Docket ID ``OCC-2024-0005''
in the Search Box and click ``Search.'' Public comments can be
submitted via the ``Comment'' box below the displayed document
information or by clicking on the document title and then clicking the
``Comment'' box on the top-left side of the screen. For help with
submitting effective comments, please click on ``Commenter's
Checklist.'' For assistance with the <a href="http://Regulations.gov">Regulations.gov</a> site, please call
1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email
<a href="/cdn-cgi/l/email-protection#40322527352c2134292f2e3328252c302425332b002733216e272f36">[email&#160;protected]</a>.
<bullet> Mail: Chief Counsel's Office, Attention: Comment
Processing, Office of the Comptroller of the Currency, 400 7th Street
SW, Suite 3E-218, Washington, DC 20219.
<bullet> Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218,
Washington, DC 20219.
Instructions: You must include ``OCC'' as the agency name and
Docket ID ``OCC-2024-0005'' in your comment. In general, the OCC will
enter all comments received into the docket and publish the comments on
the <a href="http://Regulations.gov">Regulations.gov</a> website without change, including any business or
personal information provided such as name and address information,
email addresses, or phone numbers. Comments received, including
attachments and other supporting materials, are part of the public
record and subject to public disclosure. Do not include any information
in your comment or supporting materials that you consider confidential
or inappropriate for public disclosure.
You may review comments and other related materials that pertain to
this action by the following method:
<bullet> Viewing Comments Electronically--<a href="http://Regulations.gov">Regulations.gov</a>:
Go to <a href="https://regulations.gov/">https://regulations.gov/</a>. Enter Docket ID ``OCC-2024-0005''
in the Search Box and click ``Search.'' Click on the ``Dockets'' tab
and then the document's title. After clicking the document's title,
click the ``Browse All Comments'' tab. Comments can be viewed and
filtered by clicking on the ``Sort By'' drop-down on the right side of
the screen or the ``Refine Comments Results'' options on the left side
of the screen. Supporting materials can be viewed by clicking on the
``Browse Documents'' tab. Click on the ``Sort By'' drop-down on the
right side of the screen or the ``Refine Results'' options on the left
side of the screen checking the ``Supporting & Related Material''
checkbox. For assistance with the <a href="http://Regulations.gov">Regulations.gov</a> site, please call 1-
866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email
<a href="/cdn-cgi/l/email-protection#36445351435a57425f5958455e535a465253455d7651455718515940">[email&#160;protected]</a>.
The docket may be viewed after the close of the comment period in
the same manner as during the comment period.
FDIC: The FDIC encourages interested parties to submit written
comments. Please include your name, affiliation, address, email
address, and telephone number(s) in your comment. You may submit
comments to the FDIC, identified by RIN 3064-AF34, by any of the
following methods:
<bullet> Agency Website: <a href="https://www.fdic.gov/resources/regulations/federal-register">https://www.fdic.gov/resources/regulations/federal-register</a>-publications. Follow instructions for
submitting comments on the FDIC's website.
<bullet> Mail: Jennifer M. Jones, Deputy Executive Secretary,
Attention: Comments/Legal OES (RIN 3064-AF34), Federal Deposit
Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
<bullet> Hand Delivered/Courier: Comments may be hand-delivered to
the guard station at the rear of the 550 17th Street NW, building
(located on F Street NW)

[[Page 18305]]

on business days between 7 a.m. and 5 p.m., eastern time.
<bullet> Email: <a href="/cdn-cgi/l/email-protection#cba8a4a6a6aea5bfb88badafa2a8e5aca4bd">[email&#160;protected]</a>. Include the RIN 3064-AF34 on the
subject line of the message.
<bullet> Public Inspection: Comments received, including any
personal information provided, may be posted without change to <a href="https://www.fdic.gov/resources/regulations/federal-register">https://www.fdic.gov/resources/regulations/federal-register</a> publications.
Commenters should submit only information that the commenter wishes to
make available publicly. The FDIC may review, redact, or refrain from
posting all or any portion of any comment that it may deem to be
inappropriate for publication, such as irrelevant or obscene material.
The FDIC may post only a single representative example of identical or
substantially identical comments, and in such cases will generally
identify the number of identical or substantially identical comments
represented by the posted example. All comments that have been
redacted, as well as those that have not been posted, that contain
comments on the merits of this document will be retained in the public
comment file and will be considered as required under all applicable
laws. All comments may be accessible under the Freedom of Information
Act.
NCUA: You may submit comments, identified by RIN 3133-AG08, by any
of the following methods (please send comments by one method only):
<bullet> Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
The docket number for this proposed rule is NCUA-2024-0033. Follow the
instructions for submitting comments. A plain language summary of the
proposed rule is also available on the docket website.
<bullet> Mail: Address to Melane Conyers-Ausbrooks, Secretary of
the Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.
<bullet> Hand Delivery/Courier: Same as mailing address.
<bullet> Public Inspection: You may view all public comments on the
Federal eRulemaking Portal at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, as
submitted, except for those we cannot post for technical reasons. The
NCUA will not edit or remove any identifying or contact information
from the public comments submitted. If you are unable to access public
comments on the internet, you may contact the NCUA for alternative
access by calling (703) 518-6540 or emailing <a href="/cdn-cgi/l/email-protection#aae5ede9e7cbc3c6eac4c9dfcb84cdc5dc">[email&#160;protected]</a>.

FOR FURTHER INFORMATION CONTACT:
OCC: Kenneth Kohrs, BSA/AML Lead Expert, Office of the Chief
National Bank Examiner; Jina Cheon, Assistant Director, Melissa
Lisenbee, Counsel, Scott Burnett, Counsel, or Henry Barkhausen,
Counsel, Bank Advisory Group, Chief Counsel's Office, (202) 649-5490,
Office of the Comptroller of the Currency, 400 7th Street SW,
Washington, DC 20219. If you are deaf, hard of hearing, or have a
speech disability, please dial 7-1-1 to access telecommunications relay
services.
FDIC: Patricia Colohan, Deputy Director, (202) 898-7283,
<a href="/cdn-cgi/l/email-protection#1060737f7c7f78717e50767479733e777f66">[email&#160;protected]</a>, Division of Risk Management Supervision; Chase
Lubbock, Associate Director, (703) 254-0802, <a href="/cdn-cgi/l/email-protection#cfaca3baadada0aca48fa9aba6ace1a8a0b9">[email&#160;protected]</a>,
Division of Risk Management Supervision; Christy Cornell-Pape, Acting
Chief, Financial Crimes, (415) 808-8090, <a href="/cdn-cgi/l/email-protection#29484a465b474c4545045948594c694f4d404a074e465f">[email&#160;protected]</a>,
Division of Risk Management Supervision; Deborah Tobolowsky, Counsel,
(571) 309-2415, <a href="/cdn-cgi/l/email-protection#d8bcacb7bab7b4b7afabb3a198bebcb1bbf6bfb7ae">[email&#160;protected]</a>, Legal Division; Thomas Krepp,
Senior Attorney, (678) 916-2265, <a href="/cdn-cgi/l/email-protection#2d59465f485d5d6d4b49444e034a425b">[email&#160;protected]</a>, Legal Division; J.
Spencer Culp, Senior Attorney, (816) 234-8049, <a href="/cdn-cgi/l/email-protection#02686361776e724264666b612c656d74">[email&#160;protected]</a>, Legal
Division; Nicholas Kazmerski, Counsel, (571) 309-3136,
<a href="/cdn-cgi/l/email-protection#5e30353f24333b2c2d35371e383a373d70393128">[email&#160;protected]</a>, Legal Division.
NCUA: Michael Dondarski, Associate Director, Office of Examination
& Insurance, (703) 772-4751, <a href="/cdn-cgi/l/email-protection#a3cec7cccdc7c2d1d0c8cae3cdc0d6c28dc4ccd5">[email&#160;protected]</a>; Janell Portare,
Director, Fraud and Anti-Money Laundering Division, Office of
Examination & Insurance, (703) 548-2752, <a href="/cdn-cgi/l/email-protection#2349534c5157425146634d4056420d444c55">[email&#160;protected]</a>; Gira Bose,
Senior Staff Attorney, Office of General Counsel, (703) 518-6540,
<a href="/cdn-cgi/l/email-protection#3354515c4056735d5046521d545c45">[email&#160;protected]</a>; Damon P. Frank, Senior Trial Attorney, Office of
General Counsel, (703) 518-6540, <a href="/cdn-cgi/l/email-protection#f3979581929d98b39d908692dd949c85">[email&#160;protected]</a>.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend the Agencies' regulations that
prescribe AML/CFT program requirements \1\ for banks \2\ supervised by
each of the Agencies in a way that aligns with the rule concurrently
proposed by FinCEN \3\ under the BSA.\4\ While FinCEN has delegated its
authority to examine banks for compliance with the BSA to the Agencies,
the Agencies also have independent authority to prescribe regulations
requiring banks to establish and maintain procedures reasonably
designed to assure and monitor their compliance with the requirements
of subchapter II of chapter 53 of title 31, under 12 U.S.C. 1818(s) and
12 U.S.C. 1786(q) (Sections 8(s) of the Federal Deposit Insurance Act
and 206(q) of the Federal Credit Union Act, respectively). The Agencies
are proposing to amend their rules concurrently with FinCEN so that
their program requirements for banks remain consistent with those
imposed by FinCEN. Further, with consistent regulatory text, banks will
not be subject to any additional burden or confusion from needing to
comply with differing standards between FinCEN and the Agencies. The
proposed changes are discussed in more detail below in the section-by-
section analysis.
---------------------------------------------------------------------------

\1\ In Section V.A., the Agencies describe the express
incorporation of the countering the financing of terrorism (CFT)
requirements as part of a bank's anti-money laundering (AML) program
requirements. For consistency throughout this proposed rule, AML
program requirements will be described as AML/CFT program
requirements.
\2\ The term ``bank'' is defined in regulations implementing the
BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch, or
office within the United States of banks, savings associations,
credit unions, and foreign banks. For purposes of this proposed
rule, the term bank solely refers to institutions whose primary
regulator is one of the Agencies. The proposed rule would remove
language in 12 CFR 21.21, which contains the OCC's program rule
requirements, applicable to state savings associations. This
language was adopted as part of the transfer of authorities from the
Office of Thrift Supervision. In 2020, the FDIC issued a final rule
making 12 CFR part 326 applicable to State savings associations,
meaning it is no longer necessary to cover State savings
associations in 12 CFR 21.21.
\3\ FinCEN is requesting comment on proposed amendments to its
AML/CFT program rule for banks at the same time as this proposed
rule from the Agencies. FinCEN's bank program rule is located at 31
CFR 1020.210, while each Agency has its own implementing regulation.
See 12 CFR 21.21 (OCC); 12 CFR 326.8 (FDIC); and 12 CFR 748.2
(NCUA).
\4\ FinCEN currently defines this term in 31 CFR 1010.100(e).
However, FinCEN notes in the preamble to its concurrently issued
rule that the proposed rule also would make minor changes to the
definitions in FinCEN regulations. These changes include the
definition of ``Bank Secrecy Act'' at 31 CFR 1010.100(e), adding
statutory references to the Anti-Money Laundering Act of 2020 (AML
Act) and the Corporate Transparency Act, and removing the reference
to ``collection of statutes commonly referred to as . . . .''
Certain criminal statutes--namely, 18 U.S.C. 1956, 1957, and 1960--
are currently included in the BSA definition at 31 CFR 1010.100(e).
Section 6003 of the AML Act, however, does not include these
provisions in its BSA definition, and thus FinCEN is not considering
them part of the BSA for the purposes of its proposed rule.
---------------------------------------------------------------------------

II. Background

A. Anti-Money Laundering Programs Under the Bank Secrecy Act and
History of the BSA Compliance Program Rules for the Agencies

Enacted in 1970 and amended several times since, the BSA is
designed to combat money laundering, the financing of terrorism, and
other illicit finance activity risks (collectively, ML/TF risks).\5\
Congress has authorized the Secretary of the Treasury (Secretary) to
administer the BSA. The Secretary has in turn delegated the authority
to implement, administer, and enforce

[[Page 18306]]

compliance with the BSA and its associated regulations to the Director
of FinCEN (FinCEN Director).\6\
---------------------------------------------------------------------------

\5\ 31 U.S.C. 5311(1).
\6\ Treasury Order 180-01 (Jan. 14, 2020), paragraph 3; see also
31 U.S.C. 310(b)(2)(I) (providing that the Director of FinCEN shall
``[a]dminister the requirements of subchapter II of chapter 53 of
this title, chapter 2 of title I of Public Law 91-508, and section
21 of the Federal Deposit Insurance Act, to the extent delegated
such authority by the Secretary of the Treasury.'').
---------------------------------------------------------------------------

The Money Laundering Control Act of 1986 (MLCA) \7\ amended 12
U.S.C. 1818(s) and 12 U.S.C. 1786(q) (sections 8(s) of the Federal
Deposit Insurance Act and 206(q) of the Federal Credit Union Act,
respectively) to require the Agencies and the Board of Governors of the
Federal Reserve System (Federal Reserve Board) to issue regulations
requiring their supervised banks to ``establish and maintain procedures
reasonably designed to assure and monitor their compliance'' with the
requirements of the BSA. Consistent with the MLCA, on January 27, 1987,
all the then-Federal bank regulatory agencies issued substantially
similar regulations requiring their supervised banks to develop
procedures for BSA compliance.\8\
---------------------------------------------------------------------------

\7\ Public Law 99-570, section 5318, 100 Stat. 3207, 3207-29
(1986).
\8\ 52 FR 2858 (Jan. 27, 1987).
---------------------------------------------------------------------------

Since its original enactment, Congress has continued to address
various aspects of AML/CFT compliance, including through expansion of
the BSA.\9\ In 1992, the Annunzio-Wylie Anti-Money Laundering Act \10\
gave the Secretary authority to prescribe minimum standards for AML
programs, including: ``(A) the development of internal policies,
procedures, and controls, (B) the designation of a compliance officer,
(C) an ongoing employee training program, and (D) an independent audit
function to test programs''--what are often called the ``four pillars''
of AML/CFT programs.\11\ Later, the Uniting and Strengthening America
by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (USA PATRIOT Act) further amended the BSA to
include, among other things, customer identification program (CIP)
requirements and the expansion of AML program rules to cover certain
other financial industry participants (e.g., credit unions and futures
commission merchants).\12\ The USA PATRIOT Act also made it mandatory
for financial institutions to maintain AML programs that meet minimum
prescribed standards.\13\ Through the exercise of its delegated
authority, FinCEN is authorized to require each financial institution
to establish an AML/CFT program to ensure compliance with the BSA and
guard against ML/TF risks.\14\ Over time, FinCEN, the Agencies, and the
Federal Reserve Board incorporated many of these standards into their
respective program rules, and FinCEN implemented additional
requirements for certain covered financial institutions into their
respective program rules.\15\
---------------------------------------------------------------------------

\9\ Most recently, Congress enacted the Guiding and Establishing
National Innovation for U.S. Stablecoins (GENIUS) Act on July 18,
2025. Public Law 119-27, codified at 12 U.S.C. 5901 et seq. The
GENIUS Act requires that permitted payment stablecoin issuers
(PPSIs) be treated as financial institutions under the BSA,
including being required to maintain ``an effective anti-money
laundering program.'' See 12 U.S.C. 5903(a)(5)(i). The GENIUS Act
also requires the primary Federal payment stablecoin regulators,
which are the Agencies and the Federal Reserve Board to issue
regulations relating to PPSIs, including Bank Secrecy Act and
sanctions compliance standards. These AML/CFT standards for PPSIs
will be addressed separately from this rulemaking.
\10\ Section 1517 of the Annunzio-Wylie Anti-Money Laundering
Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992) (Annunzio-
Wylie).
\11\ 31 U.S.C. 5318(h)(1), as added by section 1517(b) of
Annunzio-Wylie. The Agencies note the proposed rule modifies the
current sequencing of AML/CFT program components; however, the
Agencies do not intend the change in sequencing to modify or signify
changes in any substantive requirements.
\12\ 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by
section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272
(Oct. 26, 2001) (USA PATRIOT Act).
\13\ 31 U.S.C. 5318(h), as added by section 352 of the USA
PATRIOT Act.
\14\ 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
\15\ See FinCEN, Customer Due Diligence Requirements for
Financial Institutions, 81 FR 29398 (May 11, 2016).
---------------------------------------------------------------------------

Although in practice the FinCEN AML program rule and the Agencies'
compliance program rules for banks they supervise operate together,
since the USA PATRIOT Act, banks under the Agencies' supervision have
been required to maintain compliance programs under separate legal
authorities administered by (i) FinCEN under Title 31 and (ii) the
Agencies under sections 8(s) and 206(q). Because the authority for each
Agency's BSA compliance program rule derives from and is required by
sections 8(s) and 206(q), each Agency prescribes regulations requiring
the banks they supervise to establish and maintain procedures
reasonably designed to assure and monitor the compliance of such banks
with the requirements of the BSA.
In 2003, FinCEN, the Agencies, the Federal Reserve Board, the
Securities and Exchange Commission, and the Commodity Futures Trading
Commission jointly issued final rules on CIP requirements,\16\ which
were mandated by amendments to the BSA under the USA PATRIOT Act
requiring financial institutions to implement a CIP as part of their
BSA compliance program.\17\ The CIP requirements became part of the
separate AML program rules for banks administered by FinCEN and each of
the Agencies as well as the Federal Reserve Board, although the rules
continued to function together by allowing banks to satisfy FinCEN's
rule by complying with their Agency's rule or, as appropriate, the
Federal Reserve Board's rule.
---------------------------------------------------------------------------

\16\ 68 FR 25090 (May 9, 2003).
\17\ 31 U.S.C. 5318(l), as added by section 326 of the USA
PATRIOT Act.
---------------------------------------------------------------------------

In 2016, FinCEN amended its AML compliance program rules to
incorporate customer due diligence (CDD) requirements, including
beneficial ownership information collection requirements for certain
covered financial institutions, including banks.\18\ Although the
Agencies did not promulgate CDD requirements at that time, the Agencies
examined supervised banks for compliance with those requirements under
the authority of sections 8(s) and 206(q).\19\ With the exception of
the CDD requirement, FinCEN's rule was substantially similar to the
rules of the Agencies and the Federal Reserve Board's rules, and banks
must currently comply with both FinCEN's AML bank program rule and the
BSA compliance rules of the Agencies and, as appropriate, the Federal
Reserve Board.
---------------------------------------------------------------------------

\18\ 81 FR 29398 (May 11, 2016).
\19\ Press Release, Joint Statement on Enforcement of Bank
Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020),
<a href="https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-75.html">https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-75.html</a> and <a href="https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf">https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf</a>.
---------------------------------------------------------------------------

B. The Anti-Money Laundering Act of 2020

On January 1, 2021, Congress enacted the William M. (Mac)
Thornberry National Defense Authorization Act for Fiscal Year 2021, of
which the AML Act was a component.\20\ With the passage of the AML Act,
Congress stated that it was seeking to modernize and strengthen the
AML/CFT regulatory framework, which ``had not seen comprehensive reform
or modernization'' since the BSA was enacted in the 1970s.\21\ Among
other

[[Page 18307]]

objectives, Congress intended for the AML Act to require ``more routine
and systemic coordination, communication, and feedback among financial
institutions, regulators, and law enforcement to identify suspicious
financial activities, better focusing bank resources to the AML task,
which will increase the likelihood for better law enforcement
outcomes.'' \22\
---------------------------------------------------------------------------

\20\ William M. (Mac) Thornberry National Defense Authorization
Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan.
1, 2021).
\21\ Congress noted in its Joint Explanatory Statement (JES) of
the Committee of Conference accompanying the FY21 NDAA that: ``the
current [AML/CFT] regulatory framework is an amalgamation of
statutes and regulations that are grounded in the [BSA], which the
Congress enacted in 1970. This decades-old regime, which has not
seen comprehensive reform and modernization since its inception, is
generally built on individual reporting mechanisms (i.e., currency
transaction reports (CTRs) and suspicious activity reports (SARs))
and contemplates aging, decades-old technology, rather than the
current, sophisticated AML compliance systems now managed by most
financial institutions.'' Congress further stated that the AML Act
``comprehensively update[s] the BSA for the first time in decades
and provide[s] for the establishment of a coherent set of risk-based
priorities.'' Among other objectives, Congress intended for the AML
Act to require ``more routine and systemic coordination,
communication, and feedback among financial institutions,
regulators, and law enforcement to identify suspicious financial
activities, better focusing bank resources to the AML task, which
will increase the likelihood for better law enforcement outcomes.''
H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory
Statement of the Committee of Conference).
\22\ H.R. Rep. No. 6395 (2020) at 732 (Joint Explanatory
Statement of the Committee of Conference), <a href="https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf">https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf</a>.
---------------------------------------------------------------------------

Section 6101(b) of the AML Act made several changes to the BSA's
AML/CFT program requirements.
First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B)
to state that, ``[i]n prescribing the minimum standards for [AML/CFT
programs], and in supervising and examining compliance with those
standards, the Secretary of the Treasury, and the appropriate Federal
functional regulator (as defined in section 509 of the Gramm-Leach-
Bliley Act (15 U.S.C. 6809)) shall take into account'' certain factors.
Second, section 6101(b) requires the Secretary, in consultation
with the Attorney General, appropriate Federal functional regulators,
relevant State financial regulators, and relevant national security
agencies, to establish and make public government-wide AML/CFT
priorities (AML/CFT Priorities). After consultation with the Federal
functional regulators and relevant State financial regulators, the
Secretary must promulgate regulations, as appropriate, to incorporate
those priorities into revised program rules, and incorporation of the
priorities must be included as a measure on which financial
institutions are supervised and examined. FinCEN issued the first AML/
CFT Priorities on June 30, 2021.\23\
---------------------------------------------------------------------------

\23\ See AML/CFT Priorities (June 30, 2021). As required by 31
U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent with
Treasury's National Strategy for Combating Terrorist and Other
Illicit Financing (May 16, 2024). The AML/CFT Priorities are
supported by Treasury's National Risk Assessments on Money
Laundering, Terrorist Financing, and Proliferation Financing (Mar.
2026). Additionally, Treasury is required to consult with the
Agencies on the National Illicit Finance Strategy, which must
include a risk assessment. See Combating Terrorism and Illicit
Financing, Public Law 115-44, 131 Stat. 934 (2017). As also required
by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the
Attorney General, Federal functional regulators, relevant State
financial regulators, and relevant national security agencies, must
update the AML/CFT Priorities not less frequently than once every
four years.
---------------------------------------------------------------------------

Third, section 6101(b) expands the BSA's program rule requirement
to formally include an express reference to CFT in addition to AML.
Fourth, section 6101(b) provides that the duty to establish,
maintain, and enforce an AML/CFT program shall remain the
responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to oversight and supervision by, the
Secretary and the appropriate Federal functional regulator.

C. Prior BSA Modernization Efforts

The proposed rule also builds upon other recent efforts by FinCEN,
the Agencies, and the Federal Reserve Board to modernize AML/CFT
compliance program requirements for banks, both before and after the
passage of the AML Act. These efforts include actions taken to revise
the BSA regulatory regime through rulemakings, providing exemptive
relief from regulatory requirements consistent with the purposes of the
BSA, and clarifying regulatory requirements and supervisory standards
through policy documents.
For example, on July 22, 2019, FinCEN, the Agencies, and the
Federal Reserve Board issued a joint statement to clarify and explain
their existing risk-focused approach to examinations of banks' BSA/AML
compliance program. This statement was intended to increase
transparency into the risk-focused approach used by the Agencies and
the Federal Reserve Board for planning and performing BSA/AML
examinations, which included clarifying that the Agencies and the
Federal Reserve Board ``generally allocate more resources to higher-
risk areas, and fewer resources to lower-risk areas'' based on the
bank's unique risk profile.\24\ FinCEN, the Agencies, and the Federal
Reserve Board have also taken steps to highlight that customer
relationships present varying levels of ML/TF risk and, in turn, to
encourage banks to manage customer relationships and mitigate risks
based on customer relationships, rather than decline to provide banking
services to entire categories of customers.\25\ More recently, the
Agencies and the Federal Reserve Board have, with FinCEN's concurrence,
issued an order permitting banks, as part of their CIP obligations, to
collect Taxpayer Identification Number information from a third party
rather than directly from the bank's customer, subject to certain
conditions.\26\ FinCEN, the Agencies, and the Federal Reserve Board
have also issued Frequently Asked Questions to clarify certain
obligations related to filing a suspicious activity report (SAR) to
help ensure banks are not needlessly expending resources on efforts
that do not provide law enforcement and national security agencies with
the critical information they need to detect, combat, and deter
criminal activity, as well as to combat misconceptions that banks are
required to terminate customer relationships based on the filing of a
SAR.\27\
---------------------------------------------------------------------------

\24\ See OCC Bulletin 23019-33, Bank Secrecy Act/Anti-Money
Laundering: Joint Statement on the Risk-Focused Approach to BSA/AML
Supervision (July 22, 2019).
\25\ See, e.g., Joint Statement on the Risk-Based Approach to
Assessing Customer Relationships and Conducting Customer Due
Diligence (July 6, 2022) (``Customer relationships present varying
levels of money laundering, terrorist financing, and other illicit
financial activity risks. The potential risk to a bank depends on
the presence or absence of numerous factors, including facts and
circumstances specific to the customer relationship. The Agencies
continue to encourage banks to manage customer relationships and
mitigate risks based on customer relationships, rather than decline
to provide banking services to entire categories of customers.'')
\26\ OCC, FDIC, NCUA, FinCEN, Agencies Issue Exemption Order to
Customer Identification Program Requirements, (Jun. 27, 2025),
<a href="https://www.occ.gov/news-issuances/news-releases/2025/nr-ia-2025-60.html">https://www.occ.gov/news-issuances/news-releases/2025/nr-ia-2025-60.html</a>.
\27\ FinCEN et. al, Answers to Frequently Asked Questions
Regarding Suspicious Activity Reporting and Other Anti-Money
Laundering Considerations (Jan. 19, 2021) (clarifying, among other
things, that there is no BSA regulatory requirement to terminate a
customer relationship after the filing of a SAR or any specific
number of SARs). See also FinCEN et. al, Frequently Asked Questions
Regarding Suspicious Activity Reporting Requirements (Oct. 9, 2025),
<a href="https://www.fincen.gov/system/files/2025-10/SAR-FAQs-October-2025.pdf">https://www.fincen.gov/system/files/2025-10/SAR-FAQs-October-2025.pdf</a> (clarifying filing requirements related to potential
structuring-related activity, documentation requirements related to
not filing a SAR on potentially suspicious activity, and certain
aspects of continuing activity reporting).
---------------------------------------------------------------------------

With respect to prior rulemaking efforts, prior to the enactment of
the AML Act, FinCEN published an ANPRM seeking public comment on
potential regulatory amendments intended to increase the effectiveness
of program rule requirements (Effectiveness ANPRM), which was informed
by recommendations of the AML Effectiveness Bank Secrecy Act Advisory
Group working group.\28\ While the Effectiveness ANPRM was issued by
FinCEN on a standalone basis, the Agencies and Federal Reserve Board
were consultative partners with FinCEN

[[Page 18308]]

when developing the proposal. More recently, on July 3, 2024, FinCEN
published an NPRM proposing revisions to its AML/CFT program
requirements for all financial institutions, including those applicable
to banks,\29\ and on August 9, 2024, the Agencies, along with the
Federal Reserve Board, issued an NPRM proposing substantially similar
amendments to their respective AML program rules applicable to banks
they supervise (the 2024 Program NPRM).\30\
---------------------------------------------------------------------------

\28\ FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR
58023 (Sept. 17, 2020).
\29\ FinCEN, Anti-Money Laundering and Countering the Financing
of Terrorism Requirements, 89 FR 55428 (Jul. 3, 2024).
\30\ OCC, Federal Reserve Board, FDIC and the NCUA, Anti-Money
Laundering and Countering the Financing of Terrorism Requirements,
89 FR 65242 (Aug. 9, 2024).
---------------------------------------------------------------------------

In proposing this rule in coordination with FinCEN, the Agencies
considered applicable statutory requirements and prior feedback on
these recent BSA modernization efforts, including comments provided on
FinCEN's Effectiveness ANPRM and those received on the 2024 Program
NPRMs. While building upon these prior modernization efforts, the
proposed rule is distinct and separate from prior BSA modernization
rulemaking efforts.\31\
---------------------------------------------------------------------------

\31\ For an overview of the content of the Effectiveness ANPRM
and the 2024 Program NPRM, and for an overview of comments received
on both, refer to FinCEN's proposed revisions to its AML/CFT program
requirements, issued concurrently with this NPRM.
---------------------------------------------------------------------------

III. Overview of the Proposed Rule

A central objective of the Agencies' BSA modernization efforts is
to create an AML/CFT supervisory and regulatory regime that is more
effective in achieving the purposes of the BSA and culminating in the
development of highly useful information related to illicit financial
transactions for law enforcement and national security agencies.\32\
The proposed rule would further that objective by explicitly defining
the requirements for a bank to establish and maintain an effective AML/
CFT program. It would also adopt into regulations the AML Act's
expectation that AML/CFT programs should be risk-based, including
ensuring that banks direct more attention and resources toward higher-
risk customers and activities, consistent with the risk profile of the
bank, rather than toward lower-risk customers and activities.\33\
---------------------------------------------------------------------------

\32\ 31 U.S.C. 5311.
\33\ 31 U.S.C. 5318(h)(2).
---------------------------------------------------------------------------

The proposed rule would also revise the AML/CFT supervisory and
examination process for banks by enhancing FinCEN's role in the
Agencies' AML/CFT-related supervision and enforcement process. In
support of this objective, the proposed rule would establish a
mechanism in which FinCEN--as the statutory administrator of the BSA--
has an opportunity to review and provide feedback to the Agencies prior
to certain AML/CFT-related enforcement and supervisory actions. This
change will promote consistent approaches to AML/CFT supervision,
culminating in the development of highly useful information related to
illicit financial transactions for both banks and the law enforcement
and national security agencies that depend upon those banks' critical
BSA reporting. The enforcement requirements only apply to actions by
the Agencies.

Proposed Rule

As noted above, the proposed rule would require banks to establish
and maintain effective AML/CFT programs and define the requirements for
doing so. In order for an AML/CFT program to be effective, the proposed
rule would require a bank to establish an AML/CFT program and then
maintain the AML/CFT program by implementing, in all material respects,
the established AML/CFT program.
As described in more detail in section IV.D a bank would be
required to establish a risk-based set of internal policies,
procedures, and controls that is reasonably designed to ensure
compliance with the BSA and its implementing regulations, 31 CFR
chapter X. The risk-based set of internal policies, procedures, and
controls must also be reasonably designed to (1) identify, assess, and
document the bank's ML/TF risks through risk assessment processes that
evaluate the risks of the bank's business activities, review and, as
appropriate, incorporate the AML/CFT Priorities, and are updated
promptly upon any change that the bank knows or has reason to know
significantly changes the bank's ML/TF risks; (2) mitigate the bank's
ML/TF risks consistent with the bank's risk assessment processes
including by directing more attention and resources toward higher-risk
customers and activities, rather than toward lower-risk customers and
activities; and (3) conduct ongoing customer due diligence.
The proposed rule would also require a bank to establish an ongoing
employee training program and independent AML/CFT program testing as
part of its AML/CFT program. Finally, the proposed rule would require a
bank to designate an individual responsible for establishing and
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance; that individual would be required to be located in
the United States and accessible to, and subject to oversight and
supervision by, FinCEN or its designee and the appropriate Agency.
Under the proposed rule, in addition to establishing an AML/CFT
program, the bank would be required to maintain that program by
implementing, in all material respects, its established AML/CFT
program. By structuring the requirement to have an effective AML/CFT
program as distinct obligations to establish and maintain (via
implementation) an AML/CFT program, the proposed rule is intended to
clarify and reinforce the distinction between failures to establish an
AML/CFT program and failures to implement a properly established
program.
The distinction between establishing a program and maintaining a
program by implementing it in all material respects is particularly
important under the proposed rule for potential supervisory and
enforcement actions. The proposed rule would not limit enforcement or
supervisory actions for failures to establish an AML/CFT program.
However, once a bank has properly established an AML/CFT program, the
proposed rule would raise the threshold for significant supervisory or
enforcement actions based solely on implementation deficiencies. Only
significant or systemic failures by a bank to implement in all material
respects an established program would warrant an ``AML/CFT enforcement
action'' or a ``significant AML/CFT supervisory action,'' as these
terms are defined in the proposed rule. In this way, the proposed rule
is intended to clarify and reinforce a supervisory and enforcement
focus on addressing significant or systemic failures to implement a
properly established AML/CFT program, rather than on isolated,
technical, or immaterial implementation issues.\34\
---------------------------------------------------------------------------

\34\ Federal Reserve Board, FDIC, NCUA, OCC, Joint Statement on
Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements,
(Aug. 13, 2020), <a href="https://www.federalreserve.gov/frrs/regulations/statement-on-bank-secrecy-act-anti-money-laundering-enforcement.htm">https://www.federalreserve.gov/frrs/regulations/statement-on-bank-secrecy-act-anti-money-laundering-enforcement.htm</a>.
---------------------------------------------------------------------------

Importantly, under the proposed regulations, having an effective
AML/CFT program would be more than a one-time adoption of a risk-based
set of internal policies, procedures, and controls. Rather, a bank
would be required to keep its risk-based set of internal policies,
procedures, and controls--and the risk assessment processes that inform
them--current as the bank's risk profile changes. For example, while a
bank's risk-based set

[[Page 18309]]

of internal policies, procedures, and controls may, at one time, have
been reasonably designed, they may no longer be reasonably designed
given changes to the bank's risk profile. Similarly, an AML/CFT program
would be more than a one-time creation of an employee training program
or initiation of an independent testing mechanism: the bank would be
required to keep such aspects of the AML/CFT program current as the
bank's risk profile changes. Thus, even where a bank has previously
established an AML/CFT program in accordance with the proposed rule, a
failure to update the program to reflect significant changes in the
bank's risk profile may result in the program no longer meeting the
program establishment requirements, and the bank may accordingly be
subject to supervisory or enforcement action for a failure to establish
an effective AML/CFT program.
The proposed rule would also provide FinCEN with a greater role in
the Agencies' supervisory process. To better ensure that the Agencies
are performing ``risk-focused'' BSA supervision, the proposed rule
would require that the Agencies consult with FinCEN prior to taking an
AML/CFT enforcement action or a significant AML/CFT supervisory action.
The Agencies would be required to give FinCEN written notice at least
30 days prior to taking such an action. FinCEN would have an
opportunity to review the action and the relevant underlying
information giving rise to it, and the Agencies would be required to
consider any input offered by FinCEN concerning the effectiveness of
the bank's AML/CFT program.
By explicitly defining the requirements for a bank to establish and
maintain an effective AML/CFT program, and by standardizing the AML/CFT
supervision and enforcement process for banks and across the Agencies,
the proposed rule is expected to better achieve the purposes of the
BSA, culminating in the development of highly useful information
related to illicit financial transactions for banks and law enforcement
and national security agencies. However, the Agencies do not intend for
the proposed rule to provide banks permission to establish an AML/CFT
program that might be interpreted as meeting the proposed rule's
technical requirements on their face, but do not effectively detect and
prevent ML/TF activity. To establish a compliant AML/CFT program under
the proposed rule, a bank must, among other things, establish a risk-
based set of internal policies, procedures, and controls that is
reasonably designed to ensure compliance with the BSA and 31 CFR
chapter X, including through the adoption of risk assessment processes.
A critical element of this requirement is that the bank's s risk-based
set of internal policies, procedures, and controls be ``reasonably
designed.'' For example, if a bank's program testing reveals that a new
customer type or new activity is high risk, but the bank does not take
any action to revise the design of its risk-based set of internal
policies, procedures, and controls and therefore treats the customer or
activity as presenting low risk, then its program should not be
considered reasonably designed. The Agencies believe that banks have a
better understanding of their customer bases and businesses and are
best positioned to identify and evaluate their ML/TF risks. Therefore,
under this proposed rule banks will continue to have significant
flexibility and discretion in their decisions and determinations
related to risk identification and resource allocation. The Agencies
will assess whether: (1) a bank's resource allocation decisions are
consistent with a reasonably designed risk assessment processes; and
(2) with respect to implementation, specifically, whether the bank
knows or should know of resource-related issues involving its risk-
based set of internal policies, procedures, and controls that may
result in the bank failing to implement its AML/CFT program in all
material respects and has failed to address such issues.
Similarly, the Agencies expect a bank to be examined for its
implementation of the established AML/CFT program in all material
respects. Merely designating an individual responsible for establishing
and implementing the AML/CFT program and having that individual
establish risk-based internal policies, procedures, and controls, an
ongoing employee training program, and an independent AML/CFT program
testing program, are not sufficient to satisfy the proposed rule's
obligations for a bank to have an effective AML/CFT program. Rather, a
bank would be examined for the implementation, in all material aspects,
of its established AML/CFT program, including the determination that
the bank is, in fact, allocating resources commensurate with its
established AML/CFT program, which the proposed rule would require to
be consistent with and its reasonably designed risk assessment
processes.

IV. Section-by-Section Analysis

This section-by-section analysis describes the specific proposed
changes to the Agencies' BSA compliance program rules. Section IV.A
addresses the proposed incorporation of CFT into the program rules.
Section IV.B discusses the requirements for an ``effective'' AML/CFT
program to comply with the requirements of the proposed rule. Section
IV.C explains what it means to ``establish'' and ``maintain'' an
effective AML/CFT program. Section IV.D describes the components of
program establishment, including (1) a risk-based set of internal
policies, procedures, and controls (including risk assessment
processes); (2) independent program testing; (3) an individual, located
in the United States and accessible to FinCEN and the Agencies,
responsible for establishing and maintaining the program, and
coordinating and monitoring day-to-day compliance; and (4) ongoing
employee training. Section IV.E discusses the requirements that the
AML/CFT program be written, accessible, and approved by a bank's Board
of Directors, an equivalent governing body within the bank, or
appropriate senior management. Section IV.F addresses the Customer
Identification Program, Section IV.G addresses the supervision and
enforcement section of the proposed rule, and Section IV.H discusses
technical changes that the proposal makes to the existing rules to
improve clarity and consistency across the program rules. Lastly,
Section IV.I discusses disclosure of supervisory information.

A. Inserting the Term ``CFT'' Into the Program Rules

Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to
reference ``countering the financing of terrorism'' \35\ in addition to
``anti-money laundering'' when describing the requirement to establish
an AML/CFT program. The Agencies propose to update the AML/CFT program
rules to reflect this new statutory language. For example, the proposed
rule would change the title of the Agencies' program rules from ``Bank
Secrecy Act compliance'' to ``Anti-Money Laundering/Countering the
Financing of Terrorism Compliance, Supervision, and Enforcement.''
Similar changes would apply to the titles of relevant parts and
subparts.
---------------------------------------------------------------------------

\35\ Countering the financing of terrorism (CFT) includes laws,
rules, regulations, or other measures intended to detect and disrupt
the solicitation, collection, or provision of funds to support
terrorist acts or terrorist organizations, or other violent
extremist groups.
---------------------------------------------------------------------------

The inclusion of ``CFT'' in the BSA compliance program rule would
not create new obligations for banks, insofar as the USA PATRIOT Act
already requires them to account for risks

[[Page 18310]]

related to terrorist financing. Accordingly, the Agencies expect any
changes to existing AML/CFT programs from the amendments described in
this subsection to be technical and therefore not have any substantive
impact on banks' compliance obligations.

B. An ``Effective'' AML/CFT Program

In prescribing the minimum standards for an AML/CFT program and in
supervising and examining compliance with those standards, the AML Act
requires the Secretary and the appropriate Federal functional regulator
to take into account that effective AML/CFT programs safeguard national
security and help law enforcement prevent the flow of illicit funds in
the financial system.\36\ Further, the AML Act contemplates AML/CFT
requirements focusing on achieving effective outcomes rather than
dictating the processes used to reach those outcomes, an orientation
the Agencies intend to reflect in the proposed rule. Consistent with
the Agencies' long-standing expectations regarding what effective
outcomes entail, the Agencies believe that, as a practical matter, it
is not possible for a bank's AML/CFT program to detect and report all
potentially illicit transactions that flow through the institution.\37\
Similarly, a bank's AML/CFT program can be effective without preventing
every minor instance of a bank falling prey to illicit finance misuse.
Accordingly, the proposed rule would set out that, from a supervisory
and enforcement perspective, an AML/CFT program is ``effective'' and
complies with the Agencies' regulatory requirements promulgated under
12 U.S.C. 1818(s) or 12 U.S.C. 1786(q), as applicable, so long as it is
established and maintained in accordance with applicable requirements.
---------------------------------------------------------------------------

\36\ See 31 U.S.C. 5318(h)(2)(B)(iii).
\37\ Federal Financial Institution Examination Council, BSA/AML
Assessing Compliance with BSA Regulatory Requirements -- Suspicious
Activity Reporting, <a href="https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04">https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04</a>.
---------------------------------------------------------------------------

The proposed rule would provide that a bank has an ``effective''
program if it (1) is established in accordance with the proposed rule's
establishment requirements; and (2) is maintained, meaning that a
properly established AML/CFT program is implemented in all material
respects.
One of the AML Act's key purposes is to ``encourage technological
innovation and the adoption of new technology by financial institutions
to more effectively counter money laundering and financing of
terrorism.'' \38\ Consistent with this purpose, the Agencies encourage
banks to evaluate whether new technology or innovative approaches in
other resources might help to combat financial crime more effectively.
Innovative approaches could involve machine learning, generative
artificial intelligence (GenAI), digital identity, blockchain
monitoring and analytics, or application programming interfaces (APIs).
---------------------------------------------------------------------------

\38\ William M. (Mac) Thornberry National Defense Authorization
Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 4547 at
section 6002(3) (Jan. 1, 2021).
---------------------------------------------------------------------------

The Agencies recognize that adopting new technologies for BSA
compliance may not be suitable for all banks, particularly smaller
ones, and the proposed rule therefore does not reference or require the
use of any particular technology. A bank may find it beneficial to
consider whether its AML/CFT program appropriately uses the bank's
existing resources, including technology and data. However, consistent
with longstanding guidance, the Agencies encourage banks to engage in
responsible AML/CFT innovation.\39\ Banks that responsibly incorporate
innovative technologies into their AML/CFT programs will not incur on
that basis any additional risk of being subject to a significant
supervisory action or enforcement action solely based on the use of
innovative technologies.
---------------------------------------------------------------------------

\39\ Federal Reserve Board, FDIC, FinCEN, NCUA, OCC, Joint
Statement on Innovative Efforts to Combat Money Laundering and
Terrorist Financing, (Dec. 3, 2018), <a href="https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf">https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf</a>.
---------------------------------------------------------------------------

C. Establishing and Maintaining an AML/CFT Program

The requirement that a bank establish and maintain an AML/CFT
program is not new, although over time various formulations of this
requirement have developed in statutes and regulations.\40\
---------------------------------------------------------------------------

\40\ For instance, the provision of the BSA which requires
financial institutions to have AML/CFT program rules states that
``each financial institution shall establish'' (emphasis added) such
programs, including certain requirements as specified. See 31 U.S.C.
5318(h)(1). The corresponding Federal statute requiring each
appropriate Federal banking agency to prescribe regulations
requiring their supervised institutions to have BSA compliance
programs states that these banks must ``establish and maintain
procedures reasonably designed to assure and monitor the
compliance'' with the requirements of the BSA. 12 U.S.C. 1818(s)(1).
---------------------------------------------------------------------------

The proposed rule would harmonize and delineate the regulatory
requirements that must be met for banks to have an effective AML/CFT
program. That is, the proposed rule would create a two-pronged
framework under which a bank's AML/CFT program would be deemed to be
effective if the bank establishes and maintains its program. Under the
proposed rule, a bank maintains its properly established AML/CFT
program by implementing it in all material respects.
1. Establishing Versus Maintaining an AML/CFT Program
For a bank to have an effective AML/CFT program, the proposed rule
would require a bank to establish an AML/CFT program and then maintain
the AML/CFT program by implementing, in all material respects, the
established AML/CFT program. The proposed rule describes the
requirements for an effective AML/CFT program to be established and
maintained. The AML/CFT program minimum components constituting program
establishment, and described in further detail in Section V.D below,
are: (1) a risk-based set of internal policies, procedures, and
controls (including risk assessment processes); (2) independent program
testing; (3) an individual, located in the United States and accessible
to FinCEN and the appropriate Agency, responsible for establishing and
maintaining the program, and coordinating and monitoring day-to-day
compliance; and (4) ongoing employee training.
``Establishing'' an AML/CFT program involves designing an AML/CFT
program that incorporates all of the required components.
``Maintaining,'' by contrast, addresses whether the bank is
implementing that program in practice. The regulation uses the term
``implement'' to describe this second prong. The distinction between
establishing a program and maintaining a program by implementation
matters because the proposed rule ties the availability of AML/CFT
enforcement and significant supervisory actions based on the program
rule for an established bank program to a significant or systemic
failure to ``implement'' the properly established AML/CFT program. The
distinction between establishing and ``maintaining'' an AML/CFT program
is intended to make transparent how the individual elements of the
proposed rule work together.
Separating program establishment from program maintenance therefore
provides needed clarity regarding whether a supervisory concern relates
to deficiencies stemming from the program's design, on the one hand, or
failures in the program's operation, on the other. This two-prong
framework would help promote consistent articulation of supervisory
expectations and prevent conflating criticisms of program design--the
remediation of

[[Page 18311]]

which would likely be different in kind--with criticisms of day-to-day
implementation. The proposed distinction does not change the
substantive obligations for the bank.
As noted previously, the Agencies intend for the requirements of
this proposed rule to not be limited to a one-time adoption of the
elements required for program establishment, such as a risk-based set
of internal policies, procedures, and controls. Rather, the Agencies
intend a bank's establishment of its AML/CFT program to require the
bank's risk-based set of internal policies, procedures, and controls--
and the risk assessment processes that inform them--to remain current
as the bank's risk profile changes. For example, if a bank begins
providing a new product or service--or changes how it provides an
existing product or service, such as operating in a new geographic
location--under this proposed rule, a bank would need to incorporate
its new product or service as part of its risk assessment processes.
The proposed rule would require a bank to make a risk determination
and, as appropriate, redesign its risk-based set of internal policies,
procedures, and controls to account for the risks that it did not
previously encounter prior to offering the new product or service, or
operating in the new geographic location. Thus, under the proposed
rule, even where a bank has previously established an AML/CFT program
in accordance with the proposed rule, a failure to update the program
to reflect significant changes in the bank's risk profile may result in
the program no longer satisfying the proposed rule's requirements
regarding establishment.
2. Implementation of an AML/CFT Program
Once a bank has properly ``established'' an AML/CFT program, the
bank must ``maintain'' the program by implementing it, in all material
respects. Minor deficiencies of an AML/CFT program would not
necessarily mean that a bank has failed to implement the program.
Although there are a variety of ways that a bank may not be
implementing its program ``in all material respects,'' in the Agencies'
experience, commonly observed examples may include, but would not be
limited to: (1) internal policies, procedures, and controls are not
being performed or not being performed on a consistent, regular, and
timely basis (e.g., consistently ignored warnings or red flags that a
program was seriously deficient) due to the nature or extent of
required resources becoming inadequate; (2) gaps in the risk assessment
processes that result in the bank's program internal policies,
procedures, and controls missing or inadequately covering higher ML/TF
risks (e.g., systems used to monitor for potentially suspicious
activity failing to capture material volumes or types of transactions);
or (3) deficiencies or weaknesses in the risk assessment processes that
have a material impact on the bank's mitigation of ML/TF risks through
its risk-based set of internal policies, procedures, and controls,
including due to data-related issues involving relevant processes and
systems.
Similarly, the Agencies expect that a bank could become aware of
such implementation-related concerns through a variety of mechanisms,
including but not limited to: (1) independent testing of the AML/CFT
program; (2) examiner observations, suggestions, or other informal
comments about the AML/CFT program;, (3) management information systems
and related reports or other outputs (e.g., key performance indicators
or key risk indicators, such as monitoring for potentially material
backlogs in relevant AML/CFT processes), and (4) issues identified by
personnel involved in the operation of the bank's AML/CFT program.

D. Program Establishment

As noted earlier, pursuant to 31 U.S.C. 5318(h), the Agencies' AML/
CFT program requirements for banks currently require certain minimum
elements, including: (1) a risk-based set of internal policies,
procedures, and controls; (2) an independent audit function to test
programs; (3) a designated compliance officer; and (4) an ongoing
employee training program. The majority of the proposed rule's AML/CFT
program components are substantially similar to the existing regulatory
requirements for banks. However, the Agencies are proposing certain
additions and modifications to modernize and strengthen banks' AML/CFT
programs to allow banks to better mitigate illicit finance risks.
1. Internal Policies, Procedures, and Controls
The Agencies' rules currently require banks to develop ``a system
of internal controls to assure ongoing compliance'' with the
requirements of the BSA as part of their AML/CFT programs.\41\ The
Agencies' existing program rules, however, do not clearly articulate
what it means to establish such a system of internal policies,
procedures, and controls to ensure compliance.
---------------------------------------------------------------------------

\41\ See, 12 CFR 21.21(d)(1) (OCC); 12 CFR 326.8(c)(1) (FDIC);
and 12 CFR 748.2(c)(1) (NCUA).
---------------------------------------------------------------------------

Under the proposal, the Agencies are amending and clarifying the
current internal control pillar requirements. Specifically, the
proposal provides that banks must establish a risk-based set of
internal policies, procedures, and controls that is reasonably designed
to: (1) identify, assess, and document ML/TF risks through risk
assessment processes; (2) mitigate ML/TF risks consistent with the risk
assessment processes, including by directing more attention and
resources toward higher-risk customers and activities rather than
toward lower-risk customers and activities; and, (3) conduct ongoing
CDD. The preamble addresses each of these features below.
Under this proposal, a bank's risk-based set of internal policies,
procedures, and controls should be based upon, informed by, and
consistent with a bank's risk assessment processes. The internal
policies, procedures, and controls should be commensurate with the
size, structure, risk profile, and complexity of the bank. The
requirement that a bank's risk-based set of internal policies,
procedures, and controls be ``reasonably designed'' gives banks
flexibility in how they achieve compliance with the BSA and the
proposed rule's other requirements. As part of having a risk-based set
of internal policies, procedures, and controls, reasonably designed to
ensure compliance, banks may choose to responsibly adopt new
technologies or innovative approaches to comply with BSA requirements.
Consistent with this purpose, the Agencies encourage banks to evaluate
whether new technology or innovative approaches in other resources
might help to more effectively combat financial crime. Innovative
approaches could involve machine learning, GenAI, digital identity,
blockchain monitoring and analytics, or APIs.
i. Risk Assessment Processes
The Agencies are proposing that, as part of a bank's risk-based set
of internal policies, procedures, and controls, the bank identify,
assess, and document the bank's ML/TF risk through risk assessment
processes that: (1) evaluate the ML/TF risks of the bank's business
activities, including products, services, distribution channels,
customers, and geographic locations; (2) review and, as appropriate,
incorporate the AML/CFT Priorities; and (3) update promptly upon any
change that the bank knows or has reason to know significantly changes
the bank's ML/TF risks.

[[Page 18312]]

The Agencies have traditionally viewed risk assessment processes as
a critical tool of a reasonably designed BSA compliance program; a bank
cannot implement a reasonably designed program to achieve compliance
with the BSA unless it understands its risk profile.\42\ Most banks
already use risk assessments or risk assessment processes to structure
their risk-based compliance programs. Despite being viewed as a
critical tool, the Agencies' regulations do not currently explicitly
require such risk assessment processes nor outline mandatory
considerations for such processes. Thus, the proposed rule would codify
into regulations the requirement for banks to establish risk assessment
processes, thereby clarifying existing expectations and practices, as
well as require specific factors for consideration that are responsive
to the AML Act.
---------------------------------------------------------------------------

\42\ Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money
Laundering Supervision (July 22, 2019), <a href="https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf">https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf</a>. The Joint Statement on Risk
Focused BSA/AML Supervision, July 22, 2019, clarifies the Agencies'
and the Federal Reserve Board's long-standing supervisory approach
to examining for compliance with the BSA considers a financial
institution's risk profile and notes that ``[a] risk-based [AML]
compliance program enables a bank to allocate compliance resources
commensurate with its risk.'' It further clarifies that a well-
developed risk assessment process assists examiners in understanding
a bank's risk profile and evaluating the adequacy of its AML
program. The statement also explains that, as part of their risk-
focused approach, examiners review a bank's risk management
practices to evaluate whether a bank has developed and implemented a
reasonable and effective process to identify, measure, monitor, and
control risks.
---------------------------------------------------------------------------

Importantly, the proposed rule requires, as a part of a bank's
risk-based set of internal policies, procedures and controls, that it
identify, assess, and document its ML/TF risks using risk assessment
processes. A bank would retain flexibility in how it would document the
results of its risk assessment processes. As proposed, banks would not
be required to establish a single, consolidated risk assessment
document solely to comply with the proposed rule. While such a document
may be appropriate under the proposal, the use of the term ``risk
assessment processes'' is intended to reflect that a financial
institution may rely on multiple processes--applied as appropriate
within its AML/CFT program--to identify, assess, and document its ML/TF
risks and will be examined based on the totality of these processes
rather than the sufficiency of a single, standalone risk assessment
document.
The Agencies believe banks are best positioned to identify and
evaluate their ML/TF risk and are therefore not prescribing any
particular risk assessment processes or methodologies other than the
critical elements described in this proposed rule. Under the proposed
rule, banks would be examined for whether they have established and
maintained, in all material respects, reasonably designed risk
assessment processes--which need not be in the form of a singular risk
assessment process. Furthermore, the Agencies are not prescribing any
particular time frame for banks to update their risk assessment
processes.
The Agencies recognize that banks vary significantly in size,
structure, complexity, and risk profile. Under the proposed rule,
bank's risk-based set of internal policies, procedures, and controls--
including its risk assessment processes--should be commensurate with
the bank's size, structure, risk profile, and complexity. Accordingly,
banks with broader product offerings, more complex corporate
structures, or greater exposure to higher-risk customers, products,
services, or geographic locations would be expected to establish
correspondingly more formalized or analytically complex internal
policies, procedures, and controls--including risk assessment
processes. By contrast, many community banks operate with more limited
business activities, traditional lending and deposit services, a
narrower geographic footprint, and customer bases concentrated within
defined local communities. For such banks, risk assessment processes
may appropriately be more streamlined or qualitative in nature, and a
risk-based set of internal policies, procedures, and controls that is
reasonably designed for a large, complex financial organization would
not necessarily be required or appropriate for a community bank with a
more limited risk profile.
As noted previously, most banks already design their BSA compliance
programs based on their assessment of ML/TF risks under existing risk
assessment processes. The Agencies expect that most banks will be able
to leverage their existing risk assessment processes to satisfy the
proposed requirement without making significant changes.
a. ML/TF Risks
The proposed rule would require banks' risk assessment processes to
evaluate the ML/TF risks of the bank's business activities, including
products, services, distribution channels, customers, and geographic
locations. These factors are generally well known and often
incorporated into current risk assessment processes of banks. While
most banks are generally familiar with these concepts, ``distribution
channels'' may be a newer term for some banks. For purposes of this
rule, the Agencies consider ``distribution channels'' to refer to the
methods and tools through which a bank opens accounts and provides
products or services, including, for example, through remote or other
non-face-to-face means.
Banks may use a variety of sources to inform their risk assessment
processes. Such sources may include information obtained from other
financial institutions, such as emerging risks and typologies
identified through section 314(b) information sharing or payment
transactions that other financial institutions returned or flagged due
to ML/TF risks.\43\ Information a bank generates or maintains could be
another source. Internal information may include, for example, customer
internet protocol addresses or device logins and related geolocation
information.
---------------------------------------------------------------------------

\43\ See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020),
<a href="http://www.fincen.gov/system/files/shared/314bfactsheet.pdf">www.fincen.gov/system/files/shared/314bfactsheet.pdf</a>.
---------------------------------------------------------------------------

Feedback from FinCEN, law enforcement, and financial regulators may
also inform risk assessment processes. For example, if a bank receives
feedback from law enforcement about a report it has filed or potential
risks at the bank, the bank may incorporate that information into its
risk assessment processes. Similarly, banks may consider information
identified from responding to section 314(a) requests.
In addition to feedback, reports and analyses published by Treasury
and FinCEN may be particularly relevant to a bank's business
activities, thereby warranting consideration when evaluating ML/TF
risks. For example, Treasury describes changes in the illicit finance
risk environment in its biennial National Money Laundering Risk
Assessment, National Terrorist Financing Risk Assessment, and National
Proliferation Financing Risk Assessment, which highlight significant
illicit finance threats, vulnerabilities, and risks.\44\ Regardless of
the source, banks should take measures in their risk assessment
processes to ensure this

[[Page 18313]]

information is reasonably current, complete, and accurate.
---------------------------------------------------------------------------

\44\ See U.S. Dep't of Treasury, 2026 Nat. Money Laundering Risk
Assess. (Mar. 2026), <a href="https://home.treasury.gov/system/files/246/2026-NMLRA.pdf">https://home.treasury.gov/system/files/246/2026-NMLRA.pdf</a>; U.S. Dep't of Treasury, 2026 Nat. Terrorist
Financing Risk Assess. (Mar. 2026), <a href="https://home.treasury.gov/system/files/246/2026-NTFRA.pdf">https://home.treasury.gov/system/files/246/2026-NTFRA.pdf</a>; U.S. Dep't of Treasury, 2026 Nat.
Proliferation Financing Risk Assess. (Mar. 2026), <a href="https://home.treasury.gov/system/files/246/2026-NPFRA.pdf">https://home.treasury.gov/system/files/246/2026-NPFRA.pdf</a>.
---------------------------------------------------------------------------

b. AML/CFT Priorities
The AML/CFT Priorities set out the priorities for the U.S.
government's AML/CFT policy as required by the AML Act and are designed
to ensure that banks' AML/CFT programs are aligned with those
priorities. Recognizing the diverse nature of ML/TF threats facing the
U.S. financial system and national security, and that bank AML/CFT
programs benefit U.S. national security by safeguarding the financial
system from ML/TF risk, the AML/CFT Priorities are intended to ensure
that banks are focusing on the greatest threats to U.S. national
security, as defined by Treasury.
Section 6101 of the AML Act requires that a financial institution's
review and appropriate incorporation of the AML/CFT Priorities into its
AML/CFT program be subject to supervision and examination for
compliance with the BSA and other AML/CFT laws and regulations.\45\ The
Agencies are implementing this statutory requirement by proposing that,
as part of their risk assessment processes, banks must review and, as
appropriate, incorporate the AML/CFT Priorities. The inclusion of the
AML/CFT Priorities in risk assessment processes is meant to help ensure
that banks understand their exposure to risks in areas that are of
particular importance nationally, which may help banks develop risk-
based and reasonably designed AML/CFT programs.
---------------------------------------------------------------------------

\45\ 31 U.S.C. 5318(h)(4)(E).
---------------------------------------------------------------------------

The Agencies understand that the AML/CFT Priorities may not always
be applicable to a bank's risk profile and activities. Therefore, the
Agencies require the incorporation of the AML/CFT Priorities in a
bank's risk assessment processes, as appropriate. This means that,
having reviewed the AML/CFT Priorities, a bank may determine the extent
to which a particular Priority is applicable and whether and how a
particular AML/CFT Priority should be appropriately incorporated into
its risk assessment processes.
Further, a bank may use its judgment and apply a reasonable, risk-
based determination on whether to focus on a specific aspect of an AML/
CFT Priority, rather than addressing all aspects of a Priority that may
either not be applicable or pose lower risks to the bank. However, the
Agencies caution that a surface-level, perfunctory review of an AML/CFT
Priority by a bank and of the foreseeable ways in which it may manifest
itself within the bank's customers, products and services, geographies,
and distribution channels would not satisfy this requirement. For
example, patterns of transactions that may be consistent with potential
structuring should not automatically be dismissed as lower value to law
enforcement and untethered to an AML/CFT Priority without determining
whether there is a potential connection to various types of other
illicit finance activity (e.g., structuring or similar patterns
involving transactions in narcotics trafficking proceeds).
Whenever the AML/CFT Priorities are updated, banks would no longer
be required to incorporate prior versions of the AML/CFT Priorities.
Banks would only be required, as appropriate, to incorporate the most
recent AML/CFT Priorities into their risk-based AML/CFT programs.
The Agencies anticipate that some banks, such as community banks,
may ultimately determine that their business models and risk profiles
have limited exposure to some of the threats addressed in the AML/CFT
Priorities but instead have greater exposure to other ML/TF risks.
Additionally, some banks' risk assessment processes may determine that
their AML/CFT programs already sufficiently incorporate to some extent,
the AML/CFT Priorities. In either case, any changes to banks' AML/CFT
program, such as internal policies, procedures, or controls would be
based on the results of risk assessment processes and their impact on
the AML/CFT program, including how to review and, as appropriate,
incorporate the AML/CFT Priorities before making these
determinations.\46\ The Agencies request comment from the public on
whether additional guidance related to the consideration of the AML/CFT
Priorities as part of an institution's risk assessment processes would
be warranted.
---------------------------------------------------------------------------

\46\ FinCEN's concurrently issued proposal provides additional
clarity on how FinCEN anticipates addressing the AML/CFT Priorities.
---------------------------------------------------------------------------

c. Updates to Risk Assessment Processes
The proposed rule would require banks to update their risk
assessment processes promptly upon any change that the bank would know
or have reason to know would significantly change their ML/TF risk
profile. For example, a bank may need to update its risk assessment
when new products, services, and customer types are introduced;
existing products, services, and customer types undergo significant
changes; when the bank adopts new risk mitigation technology; or the
bank as a whole expands or contracts through mergers, acquisitions, and
divestitures. Banks may also need to update their risk assessment
processes based on factors external to their operations that they know
or have reason to know significantly change their ML/TF risk profiles.
The Agencies welcome comments on whether it should further clarify when
banks must review or update their risk assessment processes.
ii. Mitigate ML/TF Risks Through Risk-Based Allocation of Attention and
Resources
Section 6101(b) of the AML Act states that the AML/CFT programs of
financial institutions should be ``risk-based, including ensuring that
more attention and resources of financial institutions should be
directed toward higher-risk customers and activities, consistent with
the risk profile of a financial institution, rather than toward lower-
risk customers and activities.'' \47\ The proposed rule would adopt
this formulation as part of a bank's obligation to establish a risk-
based set of internal policies, procedures, and controls. Under the
proposed rule, a bank's efforts to mitigate its ML/TF risks would
involve ``directing more attention and resources toward higher-risk
customers and activities, consistent with the risk profile of [a bank],
rather than toward lower-risk customers and activities.''
---------------------------------------------------------------------------

\47\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------

The Agencies view risk-based allocation of resources as a critical
step in realizing the AML Act's BSA modernization and reform ambitions,
and consistent with the Agencies' ongoing efforts to modernize AML/CFT
compliance and supervision. The proposed rule envisions banks
exercising more flexibility in deploying attention and resources in
accordance with the proposed rule without fear of supervisory criticism
or action from examiners for directing more attention and resources on
higher risk customers and activities, rather than toward lower risk
customers and activities.
The goal of risk-based resource allocation is for banks to spend
less time, energy, and resources on lower priority activities that may
result in less resources devoted to and potentially distract from more
serious threats. The proposed rule would enable banks to focus more on
higher risk customers and activities, which the Agencies have
determined should result in banks being more effective at detecting,
reporting, and preventing the flow of illicit funds and providing law
enforcement with more valuable BSA reporting.

[[Page 18314]]

As noted above, the Agencies believe that banks are best positioned
to identify and evaluate their ML/TF risk and to make decisions related
to risk identification and resource allocation in accordance with risk
identification. The proposed rule, therefore, does not contemplate
second-guessing of a bank's reasonable determinations regarding
appropriate resource allocation or conclusions regarding specific
risks. However, while the Agencies do not believe that an examiner
should substitute his or her own subjective judgment in place of the
bank's, examiners will be expected to assess whether (1) a bank's
resource allocation decisions are informed by, and consistent with,
reasonably designed risk assessment processes; and (2) with respect to
implementation, specifically, whether the bank knows or should know of
resource-related issues involving its internal policies, procedures,
and controls and other mandatory elements that may result in the bank
failing to implement its AML/CFT program in all material respects and
has failed to address such issues.
iii. Conduct Ongoing Customer Due Diligence
The proposed rule would add CDD as a required component of the
Agencies' AML/CFT program rule. Appropriate risk-based procedures for
conducting ongoing CDD--in the form of understanding the nature and
purpose of customer relationships and conducting ongoing monitoring--is
currently a required component in FinCEN's AML program rule,\48\ and,
therefore, banks are already required to comply with these ongoing CDD
requirements under FinCEN's rule. The inclusion of risk-based
procedures for conducting ongoing CDD in the Agencies' proposed rules
would mirror FinCEN's existing rule and reflect the Agencies' long-
standing supervisory expectations. Long before FinCEN amended its AML
program rule to expressly include the CDD component requirement, the
Agencies had considered CDD an integral component of a risk-based
program, enabling the bank to understand its customers and its
customers' activity to better identify suspicious activity. Adding the
CDD component to the Agencies' AML/CFT program rule will eliminate
confusion for banks concerning the current differences with FinCEN's
rule. Because banks must already comply with FinCEN's CDD component
requirement, the proposed change should not alter current compliance
practices.
---------------------------------------------------------------------------

\48\ See 31 CFR 1020.210(a)(2)(v) and (b)(2)(v).
---------------------------------------------------------------------------

The proposed rule would incorporate CDD requirements not as a
standalone pillar, but instead by making them part of the requirement
that banks establish a risk-based and reasonably designed set of
internal policies, procedures, and controls. As noted previously, the
activities required to conduct ongoing CDD, such as monitoring customer
relationships, maintaining and updating customer information on a risk
basis, and identifying and reporting suspicious transactions are, in
practice, subsumed by the obligation for a bank to have a risk-based
and reasonably designed set of internal policies, procedures, and
controls and have long been viewed by the Agencies as integral to
component of a bank's internal controls. Accordingly, establishing
these requirements within this pillar more accurately reflects how
banks operationalize ongoing customer due diligence as part of their
overall AML programs.
2. Independent Testing
The Agencies have required banks to perform independent testing
since the original adoption of their BSA compliance program rules. The
AML Act did not change the BSA's separate requirement that each bank
must independently test its AML/CFT program.\49\ The proposed rule
therefore retains the existing requirement for banks to establish
independent AML/CFT program testing to be conducted by bank personnel
or an outside party with minor, non-substantive clarifications that are
not intended to change regulatory requirements.
---------------------------------------------------------------------------

\49\ 31 U.S.C. 5318(h)(1)(D).
---------------------------------------------------------------------------

The purpose of independent testing is to assess the bank's
compliance with AML/CFT statutory and regulatory requirements, relative
to its risk profile. The independent AML/CFT program testing should be
focused on whether the AML/CFT program is effective, and it should
identify issues and areas for remediation accordingly.
To support the effective implementations of an AML/CFT program,
independent testing should be based on objective criteria designed to
assess whether a bank has established and implemented an effective AML/
CFT program and allocated resources consistent with its risk assessment
processes. These criteria should also assess whether related project
governance is sufficient to manage risks and apply compensating
controls where necessary, particularly in areas where remediation is
underway. This evaluation helps to inform the bank's board of directors
and senior management of weaknesses or areas in need of enhancement or
stronger controls. Typically, this evaluation includes a conclusion
about the bank's overall compliance with AML/CFT statutory and
regulatory requirements and sufficient information for the reviewer
(e.g., board of directors, senior management, AML/CFT officer, outside
auditor, or an examiner) to reach a conclusion about whether the set of
internal policies, procedures, and controls is reasonably-designed, and
resources are well-allocated consistent with the bank's risk assessment
processes.
Additionally, while banks retain some flexibility regarding who
conducts the audit or testing, the proposed rule would continue to
require that testing be independent. Banks that do not employ outside
auditors or consultants or that do not have internal audit departments
may comply with this requirement by using internal staff who are not
involved in the function being tested. For these banks and banks with
other types of arrangements for independent testing, the AML/CFT
officer or any party who directly, and in some cases indirectly,
reports to the AML/CFT officer, or an equivalent role, would generally
not be considered sufficiently independent. Any individual conducting
the testing, whether internal or external, would be required to be
independent of other parts of the bank's AML/CFT program, including its
oversight. For banks that engage outside auditors or consultants, the
bank would be required to ensure that the outside parties conducting
the independent testing are not involved in functions related to the
AML/CFT program at the bank that may present a conflict of interest or
lack of independence, such as AML/CFT training or the development or
enhancement of internal policies, procedures, and controls.
Additionally, for the purposes of the independent testing component,
outside parties would not include government agencies, entities, or
instrumentalities, such as a bank's Federal or state functional
regulators. Banks with less complex operations and lower risk profiles
may consider utilizing a shared resource as part of a collaborative
arrangement to conduct testing, as long as the testing is
independent.\50\
---------------------------------------------------------------------------

\50\ See Federal Reserve Board, FDIC, NCUA, OCC, and FinCEN,
Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3,
2018), <a href="https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources">https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources</a>.

---------------------------------------------------------------------------

[[Page 18315]]

3. Designate an AML/CFT Officer Located in the United States
i. Duties of the AML/CFT Officer
The Agencies have required banks to ``designate an individual or
individuals responsible for coordinating and monitoring day-to-day
compliance'' since the inception of their program requirements. The BSA
separately requires that banks with AML/CFT program obligations must
have a designated compliance officer, which was not altered by the AML
Act. As in the Agencies' current BSA compliance program rules, the
proposed rule would provide that an AML/CFT program must designate an
individual(s) (referred to as an AML/CFT officer) responsible for
establishing and implementing the AML/CFT program and coordinating and
monitoring day-to-day compliance with the requirements and prohibitions
of the BSA and FinCEN's implementing regulations. The Agencies' view is
that the individual serving as the AML/CFT officer must be qualified
for that role and not overburdened with other responsibilities at the
institution. The Agencies are proposing clarifying and technical
changes to the AML/CFT officer requirement, as well as changes to
incorporate to FinCEN's interpretation of 31 U.S.C. 5318(h)(5), as
discussed below. These changes are generally not expected to impose new
obligations on banks.
Consistent with current requirements, the proposed rule is not
intended to be primarily concerned about the formal title of the
individual(s) responsible for establishing and implementing the AML/CFT
program and coordinating and monitoring day-to-day compliance; instead,
the proposed rule focuses on the AML/CFT officer's position in the
bank's organizational structure that enables the AML/CFT officer to
effectively establish and implement the bank's AML/CFT program. The
AML/CFT officer's authority, independence, and access to resources
within the bank are critical. An AML/CFT officer should have decision-
making capability regarding the AML/CFT program and sufficient
functional stature within the organization to ensure that the program
meets BSA requirements.
The AML/CFT officer's access to resources may include: adequate
compliance funds and staffing with the skills and expertise appropriate
to the bank's risk profile, size, and complexity; an organizational
structure that supports compliance and effectiveness; and sufficient
technology and systems to support the timely identification,
measurement, monitoring, reporting, and management of the bank's ML/TF
risks. An AML/CFT officer with conflicting responsibilities that
adversely impact the officer's ability to effectively coordinate and
monitor day-to-day AML/CFT compliance generally would not fulfill this
requirement. The addition of the explicit requirement that the AML/CFT
officer be responsible for ``establishing and implementing the AML/CFT
program'' in the proposed rule would make explicit a long-standing
supervisory expectation, rather than changing current supervisory
expectations.
ii. The AML/CFT Officer Must Be Located in the United States and
Accessible to Regulators
The AML Act provides that the duty to establish, maintain, and
enforce a bank's AML/CFT program shall remain the responsibility of,
and be performed by, persons in the United States who are accessible
to, and subject to oversight and supervision by, the Secretary and the
appropriate Federal functional regulator.\51\ Because this is a new
requirement under the AML Act, it is not currently reflected in the
Agencies' program rule requirements. FinCEN's concurrently proposed
revisions to its AML/CFT program rules interpret this requirement as
applying to the AML/CFT officer, so the Agencies' proposed rule would
amend the existing compliance officer requirements to align with
FinCEN's proposal.
---------------------------------------------------------------------------

\51\ 31 U.S.C. 5318(h)(5).
---------------------------------------------------------------------------

The Agencies recognize banks may currently have AML/CFT staff and
operations outside of the United States, or they may contract out or
delegate parts of their AML/CFT operations to third-party providers
located outside of the United States. These arrangements may serve to
improve cost efficiencies; to enhance coordination, particularly with
respect to cross-border operations; or serve other purposes not in
conflict with goals underlying the BSA. Consequently, under the
proposed rule, while the AML/CFT officer must be located in the United
States, personnel located outside of the United States would still be
permitted to perform certain AML/CFT functions. This language does not
alter existing regulations and guidance that generally prohibit the
sharing of SARs with personnel located outside of the United States,
other than in limited circumstances such as a bank's foreign head
office or controlling company.\52\ The Agencies request comment on
whether any further clarifications on this point would be useful.
---------------------------------------------------------------------------

\52\ See, e.g., FinCEN, Financial Crimes Enforcement Network;
Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3,
2010); see also FinCEN, Interagency Guidance on Sharing Suspicious
Activity Reports with Head Offices and Controlling Companies (Jan.
20, 2006), <a href="https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf">https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf</a>.
---------------------------------------------------------------------------

4. Ongoing Employee Training Program
The BSA requires AML/CFT programs to include an ``ongoing employee
training program.'' \53\ This statutory requirement is reflected in all
current Agency program rules employing different wording.\54\ The
proposed rule would harmonize the Agencies' program rules with that of
other financial regulators by adopting the BSA's ``ongoing employee
training program'' language uniformly.\55\ This change is clarifying,
not substantive.
---------------------------------------------------------------------------

\53\ 31 U.S.C. 5318(h)(1)(C).
\54\ 12 CFR 21.21(d) (OCC); 12 CFR 326.8 (FDIC); and 12 CFR
748.2 (NCUA).
\55\ Other financial regulators with stakeholders subject to the
BSA currently utilize their own versions of this requirement. See 31
CFR 1020.210(a)(2)(iv), (b)(2)(iv) (banks); 1021.210(b)(2)(iii)
(casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) (broker-dealers);
1024.210(b)(4) (mutual funds); 1025.210(b)(3) (insurance companies);
1026.210(b)(4) (FCMs and IBCs); 1027.210(b)(3) (DPMSJs);
1028.210(b)(3) (operators of credit card systems); 1029.210(b)(3)
(loan or finance companies); 1030.210(b)(3) (housing GSEs).
---------------------------------------------------------------------------

The Agencies would generally expect training to cover a bank's
internal policies, procedures, and controls, which should in turn
reflect the results of the bank's risk assessment processes, the latest
AML/CFT regulatory requirements, and other relevant information. The
frequency with which the training would occur, and the content of the
training, would depend on the bank's ML/TF risk profile and the roles
and responsibilities of the persons receiving the training. The
Agencies welcome comment on whether any further clarifications of the
proposed training requirement are needed and recognize that banks may
have employees and non-employees who may have a variety of roles and
responsibilities in relation to the AML/CFT program. The risk-based
nature of an AML/CFT program provides flexibility for financial
institutions to identify both employees and non-employees who must be
trained on an ongoing basis.

E. Access to and Approval of a Written AML/CFT Program

1. Written AML/CFT Programs Must Be Made Available Upon Request
The Agencies' current BSA compliance program rule generally
requires a bank to have a written AML/CFT program that is approved by
the

[[Page 18316]]

bank's board of directors.\56\ The proposed rule would modify these
requirements and move them to a separate subsection and add clarifying
text to harmonize the language with FinCEN's proposed rule. The
Agencies request comment on whether further clarification on this point
would be useful.
---------------------------------------------------------------------------

\56\ See 12 CFR 21.21(c)(1) (OCC), 326.8(b)(1) (FDIC), and
748.2(b)(1) (NCUA).
---------------------------------------------------------------------------

2. Bank Approval of a Written AML/CFT Program
Banks subject to Agency supervision currently must have board
approval for their AML/CFT programs under the Agencies' rules. The
proposed rule would continue to require that a bank's written AML/CFT
program be approved, though the proposal will expand the options
available for a bank to obtain such approval. Specifically, the
proposed rule will require that the AML/CFT program be approved by the
bank's board of directors or an equivalent governing body within the
bank, or appropriate senior management. The proposed rule specifies
that approval encompasses each of the components of the AML/CFT
program.
With respect to the new ``equivalent governing body'' language,
FinCEN's current rule requires a bank lacking a Federal functional
regulator to obtain approval of the bank's written AML program from
either the bank's board or an equivalent governing body.\57\ The
Agencies' proposed rule would also add a reference to an ``equivalent
governing body'' to clarify that a bank can satisfy the requirement by
having an equivalent governing body approve the program. The equivalent
governing body can take different forms. For example, for the U.S.
branch of a foreign bank, the equivalent governing body may be the
foreign banking organization's board of directors or delegates acting
under the board's express authority. Similarly, banks that do have a
board of directors might instead reasonably delegate the approval
requirement to a board committee exercising targeted oversight, such as
a compliance committee, which would similarly qualify as an
``equivalent governing body'' under the proposal.
---------------------------------------------------------------------------

\57\ See 12 CFR 1020.210(b)(3).
---------------------------------------------------------------------------

Finally, the rule would also permit a bank's senior management to
approve the AML/CFT program. Such individuals may include Chief
Executive Officer, Chief Financial Officer, Chief Operations Officer,
Chief Legal Officer, Chief Compliance Officer, Director, and
individuals with similar status or functions. Also, banks may establish
or utilize existing senior committees of appropriate senior management
officials to perform these functions. The Agencies propose permitting
approval by senior management to reflect the division of roles and
responsibilities between a bank's board of directors and senior
management with respect to establishing and implementing an AML/CFT
program, as a bank's senior management is charged with the actual role
of establishing and implementing the AML/CFT program.
While the proposed rule will no longer require the bank's board to
approve the AML/CFT program, this would not alter the Agencies'
expectations regarding the responsibilities of a bank's board of
directors for providing appropriate oversight of the bank's AML/CFT
compliance. The Agencies have always expected bank boards, both as a
whole or through appropriate committees, to provide appropriate
oversight of senior management to maintain the bank's operations in a
safe and sound manner, oversee compliance with applicable laws and
regulations, and establish appropriate risk governance frameworks. A
bank's board might reasonably permit appropriate senior management to
have AML/CFT program approval authority to provide more effective,
timely oversight on a day-to-day basis, while still fulfilling the
board's obligations through other appropriate means.

F. Customer Identification Program

The proposed rule would maintain the current Customer
Identification Program requirements but would move them to a separate
section. The Agencies propose minor, non-substantive updates to
reference the ``AML/CFT'' terminology and harmonize the language
between the Agencies to ``require a customer identification program to
be implemented as part of the AML/CFT program.'' These technical
changes are not anticipated to establish new obligations.

G. Supervision and Enforcement

The proposed rule would add new supervision and enforcement
frameworks for banks' AML/CFT programs that are aligned with the AML
Act's emphasis on effectiveness and risk-based supervision. The
proposed rule defines key terms, describes the Agencies' enforcement
and supervision policy with respect to AML/CFT program implementation
failures, and establishes a consultation process between FinCEN and the
Agencies relating to AML/CFT enforcement actions or significant AML/CFT
supervisory actions. The enforcement requirements only apply to actions
by the Agencies.
1. Definitions
Proposed section (a) would define several terms used throughout the
section. The term ``AML/CFT requirement'' would mean a requirement of
the Bank Secrecy Act (as that term is defined in 31 CFR 1010.100) or of
the regulations in title 31, chapter X, or a requirement prescribed
under the proposed definition.
The term ``AML/CFT enforcement action'' would mean any formal or
informal action taken by one of the Agencies under authority of 12
U.S.C. 1818, 1786, or other applicable law that seeks to penalize,
remedy, prevent, or respond to noncompliance with past or ongoing
violations of, or past or ongoing deficiencies relating to, an AML/CFT
requirement. The term includes a cease-and-desist order, written
agreement, consent order, or memorandum of understanding, or the
assessment of a civil money penalty.
The term ``significant AML/CFT supervisory action'' would mean any
written communication or other formal supervisory determination issued
by one of the Agencies that identifies one or more alleged
deficiencies, weaknesses, violations of law, or unsafe or unsound
practices or conditions relating to an AML/CFT requirement;
communicates supervisory expectations to a bank regarding actions or
remedial measures required to correct the deficiency, weakness,
violation, or practice or condition; and contemplates significant or
programmatic actions or remedial measures to be taken by the bank. The
term does not include examiner observations, suggestions, or other
informal comments.
The FDIC is also adding a definition that is currently in 12 CFR
326.1. Previously, the FDIC's text referred to the definitions section
in Subpart A of Part 326. This proposal would include a definitions
section within Subpart B, and so FDIC is adding one definition needed
from the section in Subpart A. This is not a substantive change.
2. Enforcement and Supervision Policy
The proposed rule would articulate the Agencies' enforcement and
supervision policy as it relates to AML/CFT requirements.\58\ Except
with respect to a significant or systemic

[[Page 18317]]

failure to implement in all material respects an established AML/CFT
program in accordance with the proposed rule, a bank that has properly
established an AML/CFT program would not be subject to an AML/CFT
enforcement action or to a significant AML/CFT supervisory action based
on the program rule. At the same time, the proposed rule would clarify
that nothing in this policy would restrict an AML/CFT enforcement
action or a significant AML/CFT supervisory action with respect to a
failure to establish an AML/CFT program. The proposal is only intended
to affect actions by the Agencies.
---------------------------------------------------------------------------

\58\ The proposal would not be intended to affect or restrict
criminal enforcement under the BSA or the authority of the
Department of Justice to pursue such actions.
---------------------------------------------------------------------------

3. FinCEN Consultation
The proposed rule would establish a notice and consultation
framework applicable when one of the Agencies intends to initiate an
AML/CFT enforcement action or a significant AML/CFT supervisory action,
as those terms are defined in the proposed regulation. Before
initiating such an action, the Agency would provide the Director of
FinCEN with an opportunity to review the action and would consider any
input offered by the Director of FinCEN, which may include any view as
to the effectiveness of the bank's AML/CFT program. To facilitate that
review, the Agency would be required to provide written notice to the
Director of FinCEN of the Agency's intent to take the action at least
30 days in advance of the proposed action, unless a shorter period is
necessary, at the sole discretion of the Agency, to remedy, prevent, or
respond to an unsafe or unsound practice or condition.
The notice would be accompanied by the relevant AML/CFT information
underlying the proposed action. Relevant AML/CFT information may
include, but is not limited to, relevant portions of draft report of
examination; relevant portions of a draft enforcement action;
examination workpapers supporting the proposed action; and the relevant
AML/CFT information submitted by the bank to the Agency. The Agency
would not be obligated to provide information over which the bank may
claim privilege under Federal or State law. The Agency would also
respond, to the extent reasonably practicable, to requests for
additional AML/CFT information from the Director of FinCEN regarding
the proposed action.

H. Other Changes for Modernization, Clarification, and Consistency

In addition to the previously described changes, the proposed rule
would make other revisions to increase clarity and consistency in the
program rules. Most of these changes are technical, such as renumbering
provisions, amending cross-references, and updating statutory
references based on changes to the BSA by the AML Act. For example,
along with FinCEN, references to ``BSA/AML programs'' are being updated
to ``AML/CFT programs'' for financial institutions. This technical
change is not anticipated to establish new obligations.

I. Disclosure of Supervisory Information

Each Agency has issued regulations that generally prohibit the
disclosure of the Agency's non-public information, except as provided
under such regulations.\59\ This prohibition generally applies to
disclosure of any portion of a report of examination, supervisory
correspondence, and any representations concerning such reports or
supervisory correspondence, or their findings, including conclusions
regarding compliance with AML/CFT compliance program requirements.
---------------------------------------------------------------------------

\59\ 12 CFR part 4, subpart C (OCC); 12 CFR 309.6 (FDIC); and 12
CFR part 792, subpart C (NCUA).
---------------------------------------------------------------------------

Consistent with the proposed rule's goal of enhancing FinCEN's role
in the AML/CFT enforcement and supervisory process, the proposed rule
would clarify that banks may share any information with the FinCEN
Director that relates to an existing or potential AML/CFT enforcement
action or significant AML/CFT supervisory action. This proposed rule
specifically provides that this authorization to share information
includes information that would ordinarily be considered non-public
information under the Agencies' respective rules. To qualify for this
information sharing, the information at issue must have an appropriate
nexus to an existing or potential AML/CFT enforcement action or
significant AML/CFT supervisory action. The Agencies are proposing this
clarification to ensure that banks can share appropriate information
with the FinCEN Director, including in the context of actions subject
to the newly established consultation requirement. Otherwise, banks may
be unable to provide thorough information to the FinCEN Director,
whether proactively or in response to the Director's requests.
While the proposed rule intends to permit such sharing, the
Agencies are proposing two alternative methods for permitting such
information sharing with the FinCEN Director. Under the first approach,
referred to as Option 1 in the amendatory text below, the Agency would
authorize the disclosure of covered information on the Agency's behalf
to the FinCEN Director and separately permit the FinCEN Director to use
such information. This phrasing is intended to mirror the permissible
scope of information sharing by the Agencies under 12 U.S.C. 1821(t),
which provides that a ``covered agency, in any capacity, shall not be
deemed to have waived any privilege applicable to any information by
transferring that information to or permitting that information to be
used by'' another Federal agency.
Under the alternative approach, referred to as Option 2 in the
amendatory text below, the Agency would similarly authorize the
disclosure of covered information on the Agency's behalf, as well as
similarly authorize the use of such information by the FinCEN Director.
The Agencies, however, would expressly require that any such
information shared on the Agency's behalf be contemporaneously
disclosed by the bank to the Agency. While the Agency will necessarily
already have access to its own non-public information, this additional
requirement is potentially more consistent with the retention of
privilege contemplated under 12 U.S.C. 1821(t) and, therefore,
potentially provides a greater safeguard against the unintended
destruction of privilege. The Agencies also recognize that banks'
willingness to share timely, thorough information with the FinCEN
Director is essential to the success of the consultation framework; and
requiring banks to contemporaneously disclose to an Agency the same
non-public information they provide to FinCEN may discourage proactive
reporting and thereby undermine the rule's objective of enhancing
FinCEN's role.
Importantly, both of the options outlined above only permit the
FinCEN Director to use the Agencies' non-public information. This
authorization to use the information does not include an authorization
by the Agencies to further disclose the received non-public
information. Any dissemination by a bank to a party other than the
FinCEN Director or by the FinCEN Director to any party would be subject
to the Agencies' respective rules governing disclosure of non-public
information.
Regardless, the proposed rule would include additional clarifying
text intended to preserve all applicable privileges. The destruction of
privilege over non-public supervisory information could prove harmful
both to the Agency and the bank, so the additional language is intended
to prevent such consequences.
The Agencies invite comment on these options for permitting greater
information sharing with the FinCEN

[[Page 18318]]

Director regarding existing or potential AML/CFT enforcement actions or
significant AML/CFT supervisory actions, including possible alternative
methods of accomplishing the rule's objectives without unintentionally
impeding applicable privileges.

IV. Severability

The Agencies propose that if one portion of the proposed rule, if
finalized, is found to be invalid, the invalidated portion of the
regulation should be severed with the other portions of the proposed
rule remaining in full force and effect. The Agencies' position is that
invalidation of any one provision, or application thereof to any one
person or circumstance, does not, and should not, affect any other
provision in this proposed regulation or other existing regulations.
Each provision serves an important, related, but distinct purpose and
application, designed to benefit the public by protecting the U.S.
financial system from illicit financial activity. The Agencies
accordingly propose incorporating this into their respective rules,
such that invalidating one provision would not undermine the
operability or usefulness of the other provisions.

V. Final Rule Effective Date

The Agencies are proposing an effective date of 12 months from the
date of issuance of the final rule to allow sufficient time for banks
to review and implement the requirements of the proposed rule. The
Agencies solicit comment on the proposed effective date.

VI. Request for Comment

The Agencies welcome comment on all aspects of the proposed
amendments but specifically seek comment on the questions below. The
Agencies encourage commenters to reference specific question numbers
when responding.

An ``Effective'' AML/CFT Program (IV.B)

1. The proposed rule sets forth the conditions for an effective
AML/CFT program. Is the description of an effective program
sufficiently clear or is there anything further that the Agencies
should consider in the final rule adding to clarify program
effectiveness?
2. The proposed rule reflects a determination by the Agencies that
banks are best placed to identify risks and allocate resources, and
that providing them with greater discretion in these areas will improve
the quality of AML/CFT compliance and reporting to law enforcement. Is
this correct or should the Agencies consider adding more requirements
regarding allocation of resources? How might banks assess changes in
the total allocation of resources devoted to an AML/CFT program in a
changing risk and cost environment?

Establishing and Maintaining an AML/CFT Program (IV.C)

3. Do banks distinguish between establishing a program and
maintaining a program by implementing the program? Do banks distinguish
between establishing a program and maintaining a program by
implementing the program? If so, how? Should the Agencies add anything
to further define these terms in the final rule?
4. Should the proposed rule's distinction between ``establishing''
and ``maintaining'' a program be modified? Is the distinction between
``establishing'' and ``maintaining'' a compliance program useful for
banks?
5. Should the proposed rule distinguish between ``establishing''
and ``maintaining'' at the program level and ``establishing'' and
``maintaining'' each individual element? For example, should the final
rule more clearly differentiate between a failure to establish the
program, as a whole, versus a failure to establish an individual
mandatory component of the program?
6. Is clarification needed for banks to determine what constitutes
a ``significant or systemic failure'' to implement in all material
respects a properly established AML/CFT program?
7. Is clarification needed for banks to determine what constitutes
a ``failure to establish an AML/CFT program''?
8. How should the proposed rule ensure that the regulations issued
by FinCEN and the appropriate Agencies function harmoniously? How
should the proposed rule differentiate between the Secretary of the
Treasury's responsibility for regulations on establishing AML/CFT
programs and the Agencies' responsibilities for regulations on
establishing and maintaining programs?
Internal Policies, Procedures, and Controls (IV.D.1)
9. Do banks expect any changes to their existing internal policies,
procedures, and controls under the proposed rule, which requires that
internal policies, procedures, and controls be ``risk-based'' and
``reasonably designed'' to ensure compliance with the BSA?
Risk Assessment Processes (Generally) (IV.D.1.i)
10. The proposed rule refers to risk assessment processes rather
than a risk assessment process. This leaves banks free to use findings
from one or more processes to assess their ML/TF risk. Does this
description of how banks assess their ML/TF risk provide sufficient
flexibility? How should the Agencies describe ``risk assessment
processes'' to better reflect how banks assess ML/TF risks?
11. Should risk assessment processes be required to take into
account additional or different criteria or risks than those listed in
the proposed rule? If so, what additional factors should the Agencies
consider requiring?
12. How long does it generally take a bank to incorporate the
results of a risk assessment into its AML/CFT program? What factors
determine this time frame?
Risk Assessment Processes (AML/CFT Priorities) (IV.D.1.i.b)
13. What, if any, difficulties do banks anticipate when
incorporating the AML/CFT Priorities as part of their risk assessment
processes?
14. What additional guidance on how to incorporate the AML/CFT
Priorities into a bank's risk assessment processes would it be useful
for the Agencies to provide?
Risk Assessment Processes (Updates) (IV.D.1.i.c)
15. The proposed rule requires that risk assessment processes are
updated promptly upon any change that the bank knows or has reason to
know significantly changes the bank's money laundering, terrorist
financing, and other illicit finance activity risks. Would the proposed
update requirement change the way banks currently update their risk
assessment processes, and if so how? Is additional explanation needed
concerning when a financial institution would be required to update its
risk assessment? In particular, how might the Agencies clarify how risk
assessment processes would be updated ``promptly''? Would an
alternative approach, such as periodic updates or a set schedule for
updates, be preferable? Would an alternative standard, such as
``materially changes,'' be clearer than ``significantly changes''?
16. How do a bank's ML/TF risks and its risk assessment processes
affect one another? Put differently, if there is a feedback loop
between the two, please describe it, including the typical amount of
time between discovering new risks and incorporating those findings
into risk assessment processes.

[[Page 18319]]

Independent AML/CFT Program Testing To Be Conducted by Bank Personnel
or by an Outside Party (IV.D.2)
17. Under the proposed rule, a bank is required to conduct
independent AML/CFT program testing. This requirement is already
reflected in existing AML program rule requirements as is the
requirement to include ``an independent audit function to test
programs.'' \60\ The Agencies solicit comment on how financial
institutions may interpret and carry out this requirement, based on the
proposed rule's description of an effective AML/CFT program. Are
further clarifications on the independent AML/CFT program testing
requirement necessary to ensure that audits carried out by bank
personnel or outside third parties are well-tailored, risk-based, and
focused on effectiveness?
---------------------------------------------------------------------------

\60\ 12 CFR 21.21(d)(2) (OCC); 12 CFR 326.8(c)(2) (FDIC); and 12
CFR 748.2(c)(2) (NCUA).
---------------------------------------------------------------------------

AML/CFT Officer Located in the United States (IV.D.3.ii)
18. Under the proposed rule, while the AML/CFT officer must be
located in the United States, personnel located outside of the United
States would still be permitted to perform certain AML/CFT functions.
This language does not alter existing regulations and guidance that
generally prohibit the sharing of SARs with personnel located outside
of the United States other than limited circumstances such as a bank's
foreign head office or controlling company. Are any further
clarifications on this issue needed?
Written AML/CFT Program and Approval (IV.E)
19. The proposed rule standardizes the long-standing requirement
that an AML/CFT program be written. Should the Agencies further clarify
which specific elements of an institution's AML/CFT program must be
written, or is this requirement generally understood in its current
form? In particular: (a) which program components--such as risk
assessment processes; internal policies, procedures, and controls;
transaction monitoring rules and parameters; escalation and reporting
protocols; independent testing results; training materials; and
documentation of designated personnel--should be required in writing;
(b) what form (e.g., narrative descriptions, checklists, system
configurations, or electronic records) such documentation should take;
and (c) what level of detail is appropriate for each component? Should
the Agencies instead alter the requirement that an AML/CFT program be
expressly required to be ``written''? What would be the benefits or
drawbacks of any such alterations to this requirement?
20. The proposed rule would require that a bank's written AML/CFT
program be approved by its board of directors, an equivalent governing
body within the bank, or appropriate senior management. Should the
Agencies further clarify which aspects of the AML/CFT program must be
subject to such approval? In particular: (a) should approval be
required for each of the core program components (e.g., the risk
assessment processes framework; internal policies, procedures, and
controls; transaction-monitoring and escalation frameworks; independent
testing structure; training program; and designation of responsible
personnel), or would approval of the overall program framework be
sufficient; (b) should material revisions to particular components
(such as significant changes to the institution's risk assessment
methodology, monitoring architecture, or governance structure) require
re-approval at the same level; and, (c) what level of specificity
should the approving body be required to review and approve (e.g.,
high-level program architecture versus detailed procedures or
parameter-level settings)? Should the Agencies instead eliminate the
specified approval requirement, allowing banks flexibility in
determining how leadership oversight of the AML/CFT program is
structured? What would be the benefits or drawbacks of not prescribing
a mandatory approval requirement in the regulation? If the Agencies do
not eliminate the specified approval requirement, should the Agencies
consider amending the requirement? Are there alternatives to board of
directors or an equivalent governing body, such as ``appropriate senior
management'' that would be more appropriate?

Supervision and Enforcement (IV.G)

21. Is clarification needed for banks to determine what constitutes
a ``significant or systemic failure'' to implement an established AML/
CFT program?
22. Is clarification needed for banks to determine what constitutes
a ``failure to establish an AML/CFT program''?
23. The proposed rule would add a requirement for an agency to
notify and consider information provided by FinCEN before initiating a
significant AML/CFT supervisory action when acting pursuant to
authority delegated under this chapter. Should the proposed
consultation process include an asset threshold--e.g., consultation is
required for any significant AML/CFT supervisory actions involving
banks with $10 billion or more in assets? In addition, or as an
alternative, should the proposed rule not require but instead provide
the option for banks to request their agency consult with FinCEN prior
to initiating a significant AML/CFT supervisory action?
24. The definition of significant AML/CFT supervisory action
includes the term ``any written communication.'' Is the term ``any
written communication'' too broad? Are there downsides and negative
consequences to including the term ``any written communication'' in the
proposed regulatory text? If so, please describe. Should the term ``any
written communication'' be more clearly defined or removed altogether?
25. As described above, the purpose of the FinCEN consultation
requirement is to ensure consistency in BSA/AML enforcement and
supervision across banks, and for FinCEN to provide relevant
information on the effectiveness and impact of an institution's AML/CFT
program. While Treasury, FinCEN, and the Agencies believe the benefits
of a required consultation process outweigh the costs, the parties
recognize this adds additional layers of review for banks and the
Agencies during an examination. Are there any avenues, communication
channels, or methods in which FinCEN and the Agencies can streamline
the consultation process and prevent logistical burdens for banks or
delays in exam report issuance?
26. Is the definition of the term ``significant AML/CFT supervisory
action'' sufficiently clear? Does the inclusion of ``unsafe or unsound
practices or conditions'' introduce confusion about what types of
supervisory actions would be subject to the FinCEN consultation
requirement, since those terms are not found in the BSA?

Disclosure of Supervisory Information (IV.I)

27. The Agencies invite comment on the two options for permitting
greater information sharing with the FinCEN Director regarding AML/CFT
enforcement actions or significant AML/CFT supervisory actions. In
particular, would the disclosure of confidential supervisory
information to FinCEN compromise attorney-client privilege, other
applicable privileges, or otherwise undermine the preservation of
privilege in 12 U.S.C. 1821(t)?

Other Topics

28. Should the rule be revised to tailor program requirements or

[[Page 18320]]

implementation timelines to the size, complexity, or risk profile of
the bank?

Final Rule Effective Date (V.)

29. The Agencies are proposing an effective date of 12 months from
the date of issuance of the final rule to allow sufficient time for
financial institutions to review and implement their requirements. The
Agencies solicit comment on the proposed effective date.

VII. Regulatory Impact Analysis

The proposed rule, if finalized, would modernize and align the
Agencies' AML/CFT program requirements at 12 CFR parts 21 (OCC), 326
(FDIC), and 748 (NCUA) with the rule concurrently proposed by FinCEN
under the BSA, as amended by the AML Act.\61\ As described in Sections
I-V of this SUPPLEMENTARY INFORMATION, the proposed rule would: clarify
the elements of an effective, risk-based, and reasonably designed AML/
CFT program; codify risk-assessment processes; distinguish program
establishment from program implementation; and enhance FinCEN's role in
supervision and enforcement through a structured consultation
mechanism. As a result of these changes, the Agencies expect that banks
would recalibrate their AML/CFT programs to concentrate on higher-risk
activities and deprioritize lower-risk activities, resulting in greater
overall efficiency in their AML/CFT programs.
---------------------------------------------------------------------------

\61\ 31 U.S.C. 5311-5336.
---------------------------------------------------------------------------

In accordance with OMB Circular A-4, the Agencies estimate the
annual effect of the proposed rule as the difference in estimated
economic outcomes between a state of the world in which the proposed
rule is adopted and a baseline state of the world in which the proposed
rule is not adopted. This analysis assumes that in both states of the
world, all other relevant regulations and financial conditions data for
all banks supervised by each of the Agencies as of the quarter ending
September 30, 2025, with one exception: because the proposed rule is
being promulgated simultaneously with a rulemaking by FinCEN that will
modify rules regarding AML/CFT for a broader set of institutions
regulated by FinCEN, the analysis assumes FinCEN's rulemaking is
finalized under both the baseline and under the proposed rule. This
assumption allows the analysis to focus on the effects specific to the
proposed rule. Because banks supervised by each of the Agencies are
required to comply with the BSA, the proposed rule would apply to
approximately 3,775 banks supervised by the FDIC and the OCC and
another 4,331 credit unions supervised by the NCUA for an approximate
total population of 8,100 banks.\62\
---------------------------------------------------------------------------

\62\ Consolidated Reports of Condition and Income (September 30,
2025).
---------------------------------------------------------------------------

Under the baseline, banks must establish and maintain effective
AML/CFT programs. These programs must include risk-based internal
policies, procedures, and controls; a designated compliance officer;
ongoing employee training; and independent testing. Banks also must
meet FinCEN's CDD requirements. The analysis below evaluates
incremental impacts of the proposal against that baseline.
Overall, the proposed rule is expected to provide direct benefits
to banks through increased clarity of rules and increased consistency
of enforcement for banks across financial regulators. The rule also
codifies the general practice among banks to calibrate their AML/CFT
programs to concentrate on higher-risk activities and deprioritize
lower-risk activities. This recalibration would provide indirect
benefits including the potential for reductions in crime due to greater
deterrence and restriction of the flow of illicit funds as well as
potentially increased access to financial services by low-risk members
of the public.\63\ The Agencies expect that the proposed rule would
impose relatively small one-time adjustment costs on banks to update
their AML/CFT programs to align with the newly-clarified requirements.
Compliance costs are not anticipated to increase on an on-going basis,
as overall program requirements have been clarified rather than
increased and banks already maintain robust AML/CFT programs. The
remainder of this section discusses these effects in turn.
---------------------------------------------------------------------------

\63\ For example, there is at least some anecdotal evidence that
otherwise normal (low risk) customers could have reduced access as a
result of BSA compliance. See <a href="https://www.banking.senate.gov/imo/media/doc/klein_testimony_2-5-25.pdf">https://www.banking.senate.gov/imo/media/doc/klein_testimony_2-5-25.pdf</a> at 4.
---------------------------------------------------------------------------

A. Benefits

1. Benefit to the Public: Reduction in Money Laundering and Terrorist
Financing
Effective AML/CFT programs can deter illicit behavior by preventing
the flow of illicit funds and assisting law enforcement and national
security efforts to identify and prosecute criminals. By clarifying
banks' AML/CFT obligations, the proposed rule may improve the
effectiveness of AML/CFT programs for banks, relative to the baseline,
by enabling them to reallocate AML/CFT resources toward higher-risk
customers and activities. This recalibration may reduce the frequency
and severity of harm caused by criminal activity.
Reductions in illicit financial activities from effective AML/CFT
programs have several benefits, both for affected banks as well as for
the broader society. For banks, effective AML/CFT programs may result
in direct cost savings due to a decreased likelihood that they will be
subject to illicit schemes, which in turn decreases the probability of
disruptions to a bank's normal business operations. It could result in
other potential cost savings due to a decreased probability that a bank
may need to make victimized customer accounts whole, conduct internal
investigations of successful illicit schemes, or implement remediation
steps to address and prevent future recurrences of previously
successful illicit schemes.\64\
---------------------------------------------------------------------------

\64\ See Citizens Rulemaking Alliance comment letter (Nov. 17,
2025), p. 2, submitted in context of the recent proposed rulemaking
90 FR 48835: Unsafe or Unsound Practices; Matters Requiring
Attention. The letter provided conservative estimates for general
burden to community banks to address matters sufficiently deficient
to warrant a supervisory action of a Matters Requiring Attention.
Their provided estimates suggested 120 internal staff hours per MRA
to scope, draft, implement, and document a written remediation plan;
20 board/committee hours for oversight and attestation; and $15,000
in external advisory/legal services for complex MRAs. Agency staff
expect that costs would be even greater for larger, more complex
banks to remediate significant deficiencies or system failures in
their AML/CFT programs.
---------------------------------------------------------------------------

In terms of broader societal benefits, AML/CFT activities are often
tied to other illicit activities such as but not limited to drug,
weapons, wildlife, or human trafficking as well as terrorist
activities. Any reduction in money laundering or terrorist financing is
a benefit to society given the nature of the illegal activities that
AML/CFT programs are designed to prevent. While it is inherently
difficult to estimate the annual reduction in crime generally or
financial crime specifically that could result from more effective AML/
CFT programs, recent estimates suggest that those illicit activities
run to the billions or trillions of dollars \65\ and affect millions of
Americans,\66\ and given that

[[Page 18321]]

scale, even a very small percentage decrease would result in a
meaningful benefit.
---------------------------------------------------------------------------

\65\ The net annual cost of crime in the U.S. was estimated at
approximately $3-4 trillion net of transfers in David A. Anderson,
``The Aggregate Cost of Crime in the United States,'' The Journal of
Law and Economics, vol 64 no. 4 (2021). One specific type of
financial crime, fraud, resulted in over $12 billion in reported
losses in 2024 (see the Federal Trade Commission, Consumer Sentinel
Network Data Book 2024 (Mar. 2025), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf</a>.
\66\ There were over 6 million reports according to the Consumer
Sentinel Network in 2024 (see Federal Trade Commission, Consumer
Sentinel Network Data Book 2024 (Mar. 2025), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf</a>.
---------------------------------------------------------------------------

2. Benefit to the Public: Increased Access to Financial Services
An additional benefit of a recalibration of AML/CFT programs
towards higher-risk activities under the proposed rule is that fewer
low-risk clients or customers, or potential clients and customers, of
banks would be inadvertently or accidentally denied access to banking
services due to their non-illicit transactions being incorrectly
flagged by an AML/CFT program. The Agencies lack the data to quantify
the scale of this benefit.
3. Benefit to Banks: Increased Clarity, Supervisory Coherence, and More
Effective AML/CFT Programs
The proposed rule would generate additional qualitative benefits
from increased clarity and supervisory coherence, relative to the
baseline. These benefits include: reducing regulatory fragmentation by
harmonizing the Agencies' regulations with FinCEN's corresponding
regulations and eliminating overlap pertaining to the CDD requirements;
providing clarity regarding supervisory expectations, which will
promote consistent supervisory outcomes across Agencies; enhancing
outcomes related to national security and law enforcement by
reinforcing risk-based approaches; and enabling more consistent
identification and reporting of higher-priority illicit activity.
Having an effective AML/CFT program also reduces a bank's
probability of regulatory and legal consequences, which may otherwise
increase a bank's costs and adversely affect earnings. For example,
ineffective programs that lead to significant AML/CFT activities may
result in subsequent higher: operational risk capital requirements for
larger banks currently subject to operational risk regulations;
compliance costs from increased regulatory monitoring; or legal costs
and financial penalties if program deficiencies result in violations of
law, such as potential enforcement actions and civil money penalties.
Although these benefits are not readily quantifiable, they are
expected to improve the focus of (1) AML/CFT supervision on mitigating
significant or systemic failures in a bank's AML/CFT program and (2)
bank compliance programs on higher-risk customers and activities.

B. Costs

1. One-Time Adjustment Costs to Banks
If adopted, the proposed rule would require alignment of existing
AML/CFT programs to the clarified requirements. However, these costs
are expected to be minimal. Possible one-time costs include:

--Labor costs associated with updating policy, procedure, and
documentation to reflect risk-assessment processes, to codify
definitions of ``establish,'' ``maintain,'' and ``implement'', and to
comply with the requirement that the program be written, accessible
upon request, and approved by the board (or equivalent governance).
--Potential labor costs or transitional productivity reductions
associated with ensuring that the designated AML/CFT officer is located
in the United States and has sufficient authority, stature,
independence, and resourcing to comply with the requirements of the
proposed rule.
--Training costs to refresh relevant personnel to reflect the revised
expectations, risk prioritization, updated governance roles, and
program documentation.

Given that most banks maintain AML/CFT programs that adhere with
current regulations and supervisory expectations and given that the
proposed rulemaking sets forth requirements that banks are already
generally in compliance with, these incremental costs are expected to
be minimal relative to current AML/CFT compliance costs. The Agencies
do not have data available to estimate the one-time transition costs
listed. In addition, the Agencies recognize that these costs vary
across banks based on their size, complexity, and the specific
activities they engage in, as well as the sophistication of their
current BSA compliance program.\67\ Based on supervisory experience,
Agency staff believe that banks are already generally in compliance
with the proposed requirements based on longstanding regulatory and
supervisory expectations. Therefore, the Agencies anticipate that banks
would expend de minimis incremental costs to update their AML/CFT
compliance programs in conformance with the proposed requirements.
---------------------------------------------------------------------------

\67\ The Agencies expect there would be variation in the
magnitude of these transition costs among affected institutions,
depending on bank size, complexity of business model, transaction
volume, and scope and nature of products, customers, services, and
geographical operations. Smaller institutions would be expected to
have significantly less transition costs to update policies,
procedures, and documentation than larger institutions with more
complex risk profiles, higher transaction volume, and greater
diversity and volume of products, customers, services, and
geographical operations. Smaller institutions also tend to have
significantly less staff dedicated to AML/CFT compliance than larger
institutions. As such, these smaller institutions would need to
train fewer staff on the proposed rule's requirements than larger
institutions, requiring them to allocate fewer total dollars to
training. Furthermore, smaller institutions generally already have a
designated AML/CFT officer domiciled in the United States whereas
larger, internationally active institutions may not. This would
result in no expected labor opportunity costs for smaller
institutions, but possibly one-time costs for larger internationally
active institutions that do not currently have a U.S. domiciled AML/
CFT officer.
---------------------------------------------------------------------------

2. Ongoing Costs to Banks
While the Agencies lack the data necessary to estimate how
compliance costs for banks would change under the proposed rule,
several factors suggest that ongoing compliance costs would be similar
to the baseline.\68\ First, banks already maintain extensive AML/CFT
programs, in many cases exceeding the minimum requirements under
current rules. Second, the proposed rule would clarify existing
requirements rather than imposing new ones, which suggests that banks
may not find it necessary to devote additional resources to AML/CFT
programs relative to the baseline.
---------------------------------------------------------------------------

\68\ The Agencies acknowledge that banks would have to
incorporate any future AML/CFT priorities FinCEN issues as part of
their ongoing costs. However, the Agencies believe that banks have
already incorporated the current AML/CFT priorities into their BSA
compliance programs because these ``[p]riorities reflect
longstanding and continuing AML/CFT concerns previously identified
by FinCEN and other Treasury components and U.S. government
departments and agencies'' (see AML/CFT Priorities, page 3 (June 30,
2021)).
---------------------------------------------------------------------------

As a result, the Agencies anticipate no increase in ongoing
compliance costs resulting from the proposed rule. Given the economic
effects described above, the Agencies expect the benefits of the
proposed rule would justify the costs.
The Agencies invite comments on all aspects of the economic
analysis provided in this supplemental information. What, if any,
additional significant benefits or costs should the Agencies consider
and why?

VIII. Alternatives Considered

The Agencies have considered several alternatives to the proposed
rule which could meet the objectives of this rulemaking. For the
reasons described, the Agencies view the proposed rule as the most
appropriate and effective means of achieving their policy objectives
with respect to the Anti-Money Laundering Act of 2020.
The Agencies considered taking no regulatory action. Under this
alternative, banks would remain subject to separate, partially
overlapping, and in some cases

[[Page 18322]]

inconsistent AML/CFT program requirements across FinCEN and the
Agencies. This would perpetuate regulatory fragmentation, increase
compliance uncertainty, and risk inefficient resource allocation
contrary to the AML Act's emphasis on risk-based programs. It would
also fail to implement the AML Act's requirement that the AML/CFT
Priorities be incorporated into program rules and examined accordingly,
and it would not establish a uniform framework for distinguishing
between program establishment and implementation. The Agencies
therefore rejected this alternative.
The Agencies considered reissuing or finalizing the 2024 Notice of
Proposed Rulemaking (2024 NPRM), which previously addressed these
issues. However, public comments in response to the 2024 NPRM suggested
that the 2024 NRPM did not adequately emphasize the increased
flexibility of banks to recalibrate their BSA/AML programs to
concentrate on higher-risk activities. In contrast, the proposed rule
would provide such flexibility, and as discussed in this section,
result in greater benefits to the public. The proposed rule also
includes provisions requiring FinCEN's consultation on supervisory
actions and other measures to refocus supervision on substantive issues
with banks' BSA/AML programs rather than on procedural compliance. The
Agencies therefore chose to issue the proposed rule.
The Agencies considered developing more prescriptive program
requirements, such as mandatory risk-assessment methodologies, specific
governance structures, required technologies, or defined timelines for
updating risk assessments. Such an approach would conflict with the AML
Act's emphasis on risk-based, flexible, and outcome-oriented AML/CFT
programs, and would be inconsistent with the Agencies' stated view that
banks are best positioned to identify and evaluate their own risks. The
Agencies therefore rejected this alternative in favor of a flexible
framework aligned with statutory intent.
The Agencies considered extending the implementation period beyond
the proposed 12 months. A longer period would reduce near-term
adjustment costs for some banks but would delay the benefits of
improved clarity, harmonization, and risk-based supervision. Given that
most banks already maintain programs substantially consistent with the
proposed requirements, the Agencies believe a 12-month period
appropriately balances transition needs and timely realization of
benefits.
The Agencies considered whether the proposed rule should apply only
to larger or more complex banks or include tailored requirements by
size or business model. Because all banks must comply with the BSA, and
because the proposal is inherently risk-based and scalable to each
bank's risk profile, the Agencies determined that formal tailoring was
unnecessary. Explicit tailoring could also undermine consistency and
create cliff effects as banks restrict their growth to remain under
regulatory thresholds. Therefore, the Agencies retained full
applicability while emphasizing flexibility in program design.
The Agencies invite comments on possible alternatives to the
proposed rule.

IX. Administrative Law Matters

A. Regulatory Flexibility Act (RFA)

OCC RFA
The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq.,
requires an agency, in connection with a proposed rule, to prepare an
initial Regulatory Flexibility Analysis describing the impact of the
rule on small entities (defined by the U.S. Small Business
Administration (SBA) for purposes of the RFA to include commercial
banks and savings institutions with total assets of $850 million or
less and trust companies with total assets of $47 million or less) or
to certify that the rule will not have a significant economic impact on
a substantial number of small entities. The OCC currently supervises
approximately 609 small entities, all of which would be subject to the
proposed rule. In general, the OCC classifies the economic impact on an
individual small entity as significant if the total estimated impact in
one year is greater than 5 percent of the small entity's total annual
salaries and benefits or greater than 2.5 percent of the small entity's
total non-interest expense. Furthermore, the OCC considers 5 percent or
more of OCC-supervised small entities to be a substantial number. Thus,
at present, 30 OCC-supervised small entities would constitute a
substantial number.
The OCC's proposed rulemaking imposes no additional mandates, and
thus no incremental direct costs beyond FinCEN's proposed rule, on
affected OCC-supervised institutions.\69\ Therefore, the OCC certifies
that the proposed rule would not have a significant economic impact on
a substantial number of OCC-supervised small entities.
---------------------------------------------------------------------------

\69\ A 2018 study considering compliance costs in community
banks found that small bank compliance costs typically were about 10
percent of noninterest expense and the portion of this attributable
to BSA was about 22 percent. This implies that total BSA compliance
costs for small banks are 22 percent; this would need to increase
more than two-fold in order for the rule to have a significant
economic impact on small institutions because of the OCC's
methodology of using a 2.5 percent noninterest expense threshold to
establish significant impact on small entities. However, because the
rule generally reinforces and codifies existing practices, the OCC
expects the rule would not have a significant economic impact on a
substantial number of small entities. See <a href="https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf">https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf</a> for details.
---------------------------------------------------------------------------

FDIC
The RFA generally requires an agency, in connection with a proposed
rule, to prepare and make available for public comment an initial
regulatory flexibility analysis that describes the impact of the
proposed rule on small entities.\70\ However, an initial regulatory
flexibility analysis is not required if the agency certifies that the
proposed rule will not, if promulgated, have a significant economic
impact on a substantial number of small entities. The SBA has defined
``small entities'' to include banking organizations with total assets
of less than or equal to $850 million.\71\ Generally, the FDIC
considers a significant economic impact to be a quantified effect in
excess of 5 percent of total annual salaries and benefits or 2.5
percent of total noninterest expenses. The FDIC believes that effects
in excess of one or more of these thresholds typically represent
significant economic impacts for FDIC-supervised institutions. For the
reasons provided below, the FDIC certifies that the proposed rule would
not have a significant economic impact on a substantial number of small
banking organizations. Accordingly, a regulatory flexibility analysis
is not required.
---------------------------------------------------------------------------

\70\ 5 U.S.C. 601 et seq.
\71\ Assets for purposes of classifying ``small entities'' are
determined by averaging the assets reported on its four quarterly
financial statements for the preceding year. See 13 CFR 121.201 (as
amended by 87 FR 69118, effective Dec. 19, 2022). In its
determination, the ``SBA counts the receipts, employees, or other
measure of size of the concern whose size is at issue and all of its
domestic and foreign affiliates.'' See 13 CFR 121.103. Following
these regulations, the FDIC uses an insured depository institution's
affiliated and acquired assets, averaged over the preceding four
quarters, to determine whether the FDIC insured depository
institution is ``small'' for the purposes of RFA.
---------------------------------------------------------------------------

As previously discussed, the proposed rule, if finalized, would
modernize and align the Agencies' AML/CFT program requirements with
FinCEN's concurrently proposed BSA

[[Page 18323]]

rule, as amended by the AML Act.\72\ It would clarify the components of
an effective, risk based AML/CFT program; codify risk assessment
processes; distinguish program establishment from implementation; and
strengthen FinCEN's supervisory and enforcement role through structured
consultation, if adopted. All FDIC-supervised Insured Depository
Institutions (IDIs) are required to comply with AML/CFT program
requirements. As of the quarter ending September 30, 2025, the FDIC
supervised 2,778 institutions,\73\ of which 2,064 are considered small
entities for the purposes of RFA.\74\ Therefore, the FDIC estimates
that the proposed rule would directly affect 2,064 small, FDIC-
supervised IDIs.
---------------------------------------------------------------------------

\72\ See William M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021, Public Law 116-283, 134
Stat. 3388 (Jan. 1, 2021).
\73\ FDIC-supervised institutions are set forth in 12 U.S.C.
1813(q)(2).
\74\ Consolidated Reports of Condition and Income (Sept. 30,
2025).
---------------------------------------------------------------------------

As noted in section VII, the FDIC estimates the effect of the
proposed rule on each small FDIC-supervised IDI as the difference in
estimated economic outcomes between a state of the world in which the
proposed rule is adopted and a baseline state of the world in which the
proposed rule is not adopted. This analysis assumes that in both states
all other relevant statutes and regulations applicable to IDIs that
existed as of September 30, 2025 would be in place, with one exception:
because the proposed rule is being promulgated simultaneously with a
rulemaking by FinCEN that will modify rules regarding AML/CFT for a
broader set of institutions regulated by FinCEN, the analysis assumes
FinCEN's rulemaking is finalized under both the baseline and under the
proposed rule. This assumption allows the analysis to focus on the
effects specific to the proposed rule. Under the baseline, small, FDIC-
supervised IDIs would continue to be required to maintain AML/CFT
programs that adhere to current regulations and supervisory
expectations. These requirements include internal policies, procedures,
and controls; a designated compliance officer; ongoing employee
training; and independent testing. Small, FDIC-supervised institutions
would also continue to be required to meet FinCEN's CDD requirements
and are expected, though not uniformly codified, to maintain risk
assessment processes.
The proposed rule introduces changes that are unlikely to result in
significant direct effects to small, FDIC-supervised IDIs. As discussed
in section VII, small, FDIC-supervised IDIs are already generally in
compliance with the proposed requirements based on longstanding
regulatory and supervisory expectations. Therefore, small, FDIC-
supervised IDIs would incur de minimis incremental costs to update
their AML/CFT compliance programs to conform with the proposed
requirements. In addition, the FDIC anticipates no small, FDIC-
supervised IDI would incur a significant increase in ongoing compliance
costs as a result of the proposed rule.\75\
---------------------------------------------------------------------------

\75\ A 2018 study considering compliance costs in community
banks found that small bank compliance costs typically were about 10
percent of noninterest expenses, and the portion of this
attributable to BSA was about 22 percent. This implies that total
BSA compliance costs for small banks are approximately 2.2 percent
of noninterest expenses. For the proposed rule to have a significant
impact on a small FDIC-supervised IDI, that IDI's BSA compliance
costs would need to increase more than two-fold under the proposed
rule. Because the proposed rule generally reinforces and codifies
existing practices, the FDIC expects such an increase to be
implausible. See <a href="https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf">https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf</a>.
---------------------------------------------------------------------------

As a result, the FDIC certifies that the rule would not have a
significant economic impact on a substantial number of small entities.
The FDIC invites comments on all aspects of the supporting
information provided in this section, and in particular, whether the
proposed rule would have any significant effects on small entities that
the FDIC has not identified.
NCUA
The Regulatory Flexibility Act generally requires an agency to
conduct a regulatory flexibility analysis of any rule subject to notice
and comment rulemaking requirements, unless the agency certifies that
the rule will not have a significant economic impact on a substantial
number of small entities.\76\ If the agency makes such a certification,
it shall publish the certification at the time of publication of either
the proposed rule or the final rule, along with a statement providing
the factual basis for such certification.\77\ For purposes of this
analysis, the NCUA considers small credit unions to be those having
under $100 million in assets.\78\
---------------------------------------------------------------------------

\76\ 5 U.S.C. 601 et seq.
\77\ 5 U.S.C. 605(b).
\78\ 80 FR 57512 (Sept. 24, 2015).
---------------------------------------------------------------------------

As of September 30, 2025, the NCUA supervised 4,331 Federally
insured credit unions (FICUs. Typically, credit unions are much smaller
than commercial banks. For example, median asset size for those 4,331
credit unions was $63.63 million; the comparable figure for FDIC-
insured banks was $370.84 million (nearly six times the FICU
figure).\79\ The NCUA considers FICUs with fewer than $100 million in
assets to be small entities for RFA purposes. As of 2025: Q3, 2,553
FICUs, or 58.9 percent of supervised institutions, qualified as small.
Median asset size for small FICUs was $21.24 million. The median number
of full-time equivalent employees (FTEs) for small credit unions was
five. Because this rule applies to FICUs of all sizes, it will
undoubtedly affect small credit unions. Both qualitative and
quantitative evidence, however, point to an economically insignificant
impact on small FICUs.
---------------------------------------------------------------------------

\79\ Viewed another way, the FDIC considers small entities to be
those holding fewer than $850 million in assets--88.0 percent of
FICUs are smaller than that threshold.
---------------------------------------------------------------------------

As for qualitative evidence, the NCUA already expects FICUs to
maintain robust BSA-AML policies, consistent with the size and scope of
the credit union. Because the agency believes the proposed rule largely
codifies existing supervisory expectations, it should not prove a
burden for most FICUs. Some credit unions, however, may find
supervisory expectations marginally tighter relative to the current
regime. Of course, adapting to marginal changes could still challenge
credit unions with as few as five FTEs. For that reason, the NCUA makes
resources available to help small credit unions meet such challenges
and, more broadly, support overall growth and development.
As for quantitative evidence, the OCC and FDIC present analysis
showing the number of supervised institutions for whom compliance will
potentially be burdensome. Their threshold for ``burdensome'' is a
compliance cost exceeding five percent of compensation expense or 2.5
percent of total non-interest expense. The NCUA believes these hurdles
do not automatically carry over to FICUs because of the significant
differences between the size, structure, and operating models of banks
and credit unions. Unlike commercial banks, for example, credit unions
are cooperatives. On average, credit-union compensation expense per
employee is lower than bank compensation expense. Finally, many small
credit unions have relied historically on volunteers and sponsor
support to contain expenses. These factors collectively suggest the
materiality threshold should be higher for credit unions. But even
assuming every small credit union needs 32 hours to comply with the
rule, that all credit unions pay the average hourly wage for

[[Page 18324]]

FICUs with fewer than $100 million in assets, and the bank thresholds
for materiality are appropriate, the number of credit unions facing a
significant compliance burden is roughly in line with the figures
obtained by the FDIC.

B. Paperwork Reduction Act (PRA)

The Paperwork Reduction Act of 1995 \80\ (PRA) states that no
agency may conduct or sponsor, nor is the respondent required to
respond to, an information collection unless it displays a currently
valid Office of Management and Budget (OMB) control number. The OCC and
FDIC have reviewed this proposed rule and determined that it does not
create any information collection.
---------------------------------------------------------------------------

\80\ 44 U.S.C. 3501-3521.
---------------------------------------------------------------------------

The NCUA is proposing to extend for three years, with revision, its
information collection. This revision will be submitted to OMB for
approval under the PRA.
Title of Information Collection: Anti-Money Laundering and
Countering the Financing of Terrorism Program Requirements.
OMB Control Number: 3133-0108.
Respondents: All federal insured credit unions.
Estimated Annual Burden: 80,856.

NCUA Summary of Estimated Annual Burden (OMB No. 3133-0108)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total
Number of Average estimated
Information collection (obligation to respond) Type of burden (frequency of Number of respondents responses per time per annual
response) respondent response burden
(hours) (hours)
--------------------------------------------------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program. (Implementation) Recordkeeping (One Time)........... 4,331 .3 32 46,208
12 CFR 748.2(b) and (c) (Mandatory).
2. Maintain AML/CFT Program. (Ongoing) 12 CFR Recordkeeping (Annual)............. 4,331 1 8 34,648
748.2(b) and (c) (Mandatory).
------------------------------------------------------------------
Total Estimated Annual Burden (Hours)....... ................................... ....................... .............. ........... 80,856
--------------------------------------------------------------------------------------------------------------------------------------------------------

The NCUA invites comments on:
(a) Whether the collections of information are necessary for the
proper performance of the Agencies' functions, including whether the
information has practical utility;
(b) The accuracy of the Agencies estimates of the burden of the
information collections, including the validity of the methodology and
assumptions used;
(c) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(d) Ways to minimize the burden of the information collections on
respondents, including through the use of automated collection
techniques or other forms of information technology; and
(e) Estimates of capital or start-up costs and costs of operation,
maintenance, and purchase of services to provide information.
Comments on aspects of this document that may affect reporting,
recordkeeping, or disclosure requirements and burden estimates should
be sent to the addresses listed in the ADDRESSES section of this
document. Written comments and recommendations for these information
collections also should be sent within 30 days of publication of this
document to <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. Find this particular
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.

C. Riegle Community Development and Regulatory Improvement Act

Pursuant to section 302(a) of the Riegle Community Development and
Regulatory Improvement Act of 1994 (RCDRIA),\81\ in determining the
effective date and administrative compliance requirements for new
regulations that impose additional reporting, disclosure, or other
requirements on IDIs, each Federal banking agency must consider,
consistent with principles of safety and soundness and the public
interest, any administrative burdens that such regulations would place
on affected depository institutions, including small depository
institutions, and customers of depository institutions, as well as the
benefits of such regulations. In addition, section 302(b) of the RCDRIA
requires new regulations and amendments to regulations that impose
additional reporting, disclosures, or other new requirements on IDIs
generally to take effect on the first day of a calendar quarter that
begins on or after the date on which the regulations are published in
final form. The Agencies invite comments that further will inform their
consideration of the RCDRIA.\82\
---------------------------------------------------------------------------

\81\ 12 U.S.C. 4802(a).
\82\ 12 U.S.C. 4802(b).
---------------------------------------------------------------------------

D. Plain Language

Section 722 of the Gramm-Leach-Bliley Act \83\ requires the Federal
banking Agencies to use plain language in all proposed and final
rulemakings published in the Federal Register after January 1, 2000.
The Agencies invite your comments on how to make this proposed rule
easier to understand. For example:
---------------------------------------------------------------------------

\83\ Public Law 106-102, section 722, 113 Stat. 1338, 1471
(1999), 12 U.S.C. 4809.
---------------------------------------------------------------------------

<bullet> Have the Agencies organized the material to suit your
needs? If not, how could the proposed rule be more clearly stated?
<bullet> Are the requirements in the proposed rule clearly stated?
If not, how could the proposed rule be more clearly stated?
<bullet> Does the proposed rule contain language or jargon that is
not clear? If so, which language requires clarification?
<bullet> Would a different format (grouping and order of sections,
use of headings, paragraphing) make the proposed rule easier to
understand? If so, what changes to the format would make the proposed
rule easier to understand?
<bullet> What else could the Agencies do to make the proposed rule
easier to understand?

E. Providing Accountability Through Transparency Act of 2023

The Providing Accountability Through Transparency Act of 2023
requires that a notice of proposed rulemaking include the internet
address of a summary of not more than 100 words in length of a proposed
rule, in plain language, that shall be posted on the internet website
under section

[[Page 18325]]

206(d) of the E-Government Act of 2002.\84\
---------------------------------------------------------------------------

\84\ 44 U.S.C. 3501 note.
---------------------------------------------------------------------------

The proposal and the required summary can be found for the Agencies
at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by searching for Docket ID OCC-2024-0005
and <a href="https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html">https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html</a>, <a href="https://www.fdic.gov/resources/regulations/federal-register">https://www.fdic.gov/resources/regulations/federal-register</a>-publications/index.html#, and
<a href="https://www.regulations.gov">https://www.regulations.gov</a> by searching for Docket ID NCUA-2024-0033.

F. Executive Orders 12866, 13563, and 14192

Executive Order 12866, as affirmed and supplemented by Executive
Order 13563, directs agencies to assess the costs and benefits of
available regulatory alternatives and, if regulation is necessary, to
select regulatory approaches that maximize net benefits. This proposed
rule was drafted and reviewed in accordance with Executive Order 12866.
Within OMB, the Office of Information and Regulatory Affairs (OIRA) has
determined that this rulemaking is an ``economically significant
regulatory action'' pursuant to Executive Order 12866 section 3(f)(1).
Accordingly, the draft rule was submitted to OIRA for review. As noted
in other sections of the SUPPLEMENTARY INFORMATION of this document,
the Agencies have assessed the costs and benefits of this rulemaking
and have made a reasoned determination that the benefits of this
rulemaking justify its costs. This proposed rule, if finalized as
proposed, is not expected to be a regulatory action under Executive
Order 14192 because it imposes no more than de minimis costs.

G. Unfunded Mandates Reform Act

The OCC has analyzed the proposed rule under the factors in the
Unfunded Mandates Reform Act of 1995 (UMRA). Under this analysis, the
OCC considered whether the proposed rule includes a Federal mandate
that may result in the expenditure by State, local, and tribal
governments, in the aggregate, or by the private sector, of $100
million or more in any one year ($187 million as adjusted annually for
inflation). Pursuant to section 202 of the UMRA, if a proposed rule
meets this UMRA threshold, the OCC would need to prepare a written
statement that includes, among other things, a cost-benefit analysis of
the proposal. The UMRA does not apply to regulations that incorporate
requirements specifically set forth in law.
The OCC estimates that the proposed rule would not require
additional expenditures from OCC regulated entities. As noted earlier,
there are no additional mandated costs associated with the OCC's
proposed rule beyond those required by FinCEN's concurrently issued
proposal. Therefore, there are no UMRA costs associated with the OCC's
proposal. The OCC's proposed rule would not result in an expenditure of
$187 million or more annually by State, local, and tribal governments,
or by the private sector.

H. NCUA Analysis on Executive Order 13132 on Federalism

Executive Order 13132 encourages certain regulatory agencies to
consider the impact of their actions on State and local interests. The
NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the
executive order to adhere to fundamental Federalism principles. This
proposed rule would apply to all Federally insured credit unions,
including State-chartered credit unions. This scope is set by statute.
The NCUA works cooperatively with State regulatory agencies on all
supervisory matters, including AML/CFT matters, and will continue to do
so. The NCUA expects that any effect on States or on the distribution
of power and responsibilities among the various levels of government
will be minor. The NCUA welcomes comments on ways to eliminate, or at
least minimize, any potential impact in this area.

I. NCUA Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999.\85\ The proposed rule
relates to Federally insured credit unions' AML/CFT programs, and any
effect on family well-being is expected to be indirect.
---------------------------------------------------------------------------

\85\ Public Law 105-277, section 654, 112 Stat. 2681, 2681-528
(1998).
---------------------------------------------------------------------------

List of Subjects

12 CFR Part 21

Crime, Currency, National banks, Reporting and recordkeeping
requirements, Security measures.

12 CFR Part 326

Banks, Banking, Currency, Reporting and recordkeeping requirements,
Security measures.

12 CFR Part 748

Computer technology, Confidential business information, Credit
unions, Crime, Currency, Internet, Personally identifiable information,
Privacy, Reporting and recordkeeping requirements, Security measures.

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

Authority and Issuance

For the reasons set forth in the preamble, the Office of the
Comptroller of the Currency proposes to amend 12 CFR part 21 as
follows:

PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY
LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

0
1. The authority citation for part 21 continues to read as follows:

Authority: 12 U.S.C. 1, 93a, 161, 1462a, 1463, 1464, 1818,
1881-1884, and 3401- 3422; 31 U.S.C. 5318.

0
2. The heading of part 21 is revised to read as set forth above.
0
3. Revise and republish subpart C to read as follows:

Subpart C--Procedures for Anti-Money Laundering/Countering the
Financing of Terrorism Compliance

Sec. 21.21 Anti-Money Laundering/Countering the Financing of
Terrorism Compliance, Supervision, and Enforcement.

(a) Definitions. For purposes of this section:
(1) AML/CFT enforcement action means any formal or informal action
taken by the OCC under authority of 12 U.S.C. 1818 or other applicable
law, that seeks to penalize, remedy, prevent, or respond to
noncompliance with past or ongoing violations of, or past or ongoing
deficiencies relating to, an AML/CFT requirement. The term includes--
(i) A cease-and-desist order, written agreement, consent order, or
memorandum of understanding; or
(ii) The assessment of a civil money penalty.
(2) AML/CFT requirement means:
(i) A requirement of the Bank Secrecy Act or the implementing
regulations at 31 CFR chapter X; or
(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this
section.
(3) Bank Secrecy Act has the meaning given that term in 31 CFR
1010.100
(4) Significant AML/CFT supervisory action means any written
communication or other formal supervisory determination that--
(i) Identifies one or more alleged deficiencies, weaknesses,
violations of

[[Page 18326]]

law, or unsafe or unsound practices or conditions relating to an AML/
CFT requirement;
(ii) Communicates supervisory expectations to a national bank or
Federal savings association regarding actions or remedial measures
required to correct the deficiency, weakness, violation, or practice or
condition; and
(iii) Contemplates significant or programmatic actions or remedial
measures to be taken by the national bank or Federal savings
association.
The term does not include examiner observations, suggestions, or
other informal comments.
(b) AML/CFT program in general. Each national bank or Federal
savings association must establish and maintain an effective AML/CFT
program. A national bank or Federal savings association complies with
this requirement if it:
(1) Establishes an AML/CFT program in accordance with paragraph (c)
of this section; and
(2) Maintains an AML/CFT program by implementing the AML/CFT
program in accordance with paragraph (d) of this section.
(c) AML/CFT program establishment. A national bank or Federal
savings association establishes an AML/CFT program in accordance with
this paragraph if it:
(1) Establishes a risk-based set of internal policies, procedures,
and controls that is reasonably designed to ensure compliance with the
Bank Secrecy Act and the implementing regulations at 31 CFR chapter X
and to:
(i) Identify, assess, and document the national bank's or Federal
savings association's money laundering, terrorist financing, and other
illicit finance activity risks through risk assessment processes that:
(A) Evaluate the money laundering, terrorist financing, and other
illicit finance activity risks of the national bank's or Federal
savings association's business activities, including its products,
services, distribution channels, customers, and geographic locations;
(B) Review and, as appropriate, incorporate the AML/CFT priorities
as that term is defined in 31 CFR 1010.100; and
(C) Are updated promptly upon any change that the national bank or
Federal savings association knows or has reason to know significantly
changes the national bank's or Federal savings association's money
laundering, terrorist financing, and other illicit finance activity
risks;
(ii) Mitigate the national bank's or Federal savings association's
money laundering, terrorist financing, and other illicit finance
activity risks consistent with the risk assessment processes required
under paragraph (c)(1)(i) of this section, including by directing more
attention and resources toward higher-risk customers and activities,
consistent with the risk profile of the national bank or Federal
savings association, rather than toward lower-risk customers and
activities; and
(iii) Conduct ongoing customer due diligence, including to:
(A) Understand the nature and purpose of customer relationships for
the purpose of developing a customer risk profile; and
(B) Conduct ongoing monitoring to identify and report suspicious
transactions and, on a risk basis, to maintain and update customer
information (including information regarding the beneficial owners of
legal entity customers, as defined in 31 CFR 1010.230);
(2) Establishes independent AML/CFT program testing to be conducted
by bank or savings-association personnel or by an outside party;
(3) Designates an individual, who is (i) located in the United
States; (ii) accessible to, and subject to oversight and supervision
by, FinCEN and the OCC; and (iii) responsible for establishing and
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance; and
(4) Establishes an ongoing employee training program.
(d) AML/CFT program implementation. A national bank or Federal
savings association implements an AML/CFT program in accordance with
this paragraph if the national bank or Federal savings association
implements, in all material respects, the AML/CFT program required
under paragraph (c) of this section.
(e) Written AML/CFT program and approval. A national bank's or
Federal savings association's AML/CFT program must be written, and it
must be approved by the national bank's or Federal savings
association's board of directors, an equivalent governing body within
the national bank or Federal savings association, or appropriate senior
management within the national bank or Federal savings association.
(f) Customer identification program. Each national bank or Federal
savings association shall implement a customer identification program
in accordance with 31 CFR 1020.220.
(g) Enforcement and supervision policy.
(1) In general. Except with respect to a significant or systemic
failure to implement the AML/CFT program in accordance with paragraph
(d) of this section, a national bank or Federal savings association
that has established an AML/CFT program in accordance with paragraph
(c) of this section will not be subject to an AML/CFT enforcement
action or to a significant AML/CFT supervisory action related to the
requirements of 12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section,
or 31 CFR 1020.210.
(2) Program establishment violations. Nothing in this paragraph (g)
may be construed to restrict an AML/CFT enforcement action or a
significant AML/CFT supervisory action with respect to any failure to
establish an AML/CFT program in accordance with paragraph (c)of this
section.
(3) Criminal Enforcement Unaffected. Nothing in this subpart may be
construed to affect criminal enforcement under the BSA.
(h) FinCEN consultation.
(1) Consultation and consideration requirement. Before initiating
an AML/CFT enforcement action or a significant AML/CFT supervisory
action, the OCC will provide the FinCEN Director an opportunity to
review the action and consider any input offered by the FinCEN Director
on the action, which may include any view as to the effectiveness of
the national bank's or Federal savings association's AML/CFT program.
(2) Notice requirement. To provide the FinCEN Director an
opportunity to provide a view under paragraph (h)(1) of this section,
the OCC will:
(i) Send written notice to the FinCEN Director of its intent to
take that action at least 30 days before taking the action (unless a
shorter period of time is necessary, in the sole discretion of the
Comptroller of the Currency, to remedy, prevent, or respond to an
unsafe or unsound practice or condition), accompanied by the relevant
AML/CFT information underlying the proposed action, including the
relevant portions of the draft report or enforcement action, the
relevant examination workpapers supporting the proposed action, and the
relevant AML/CFT information submitted by the national bank or Federal
savings association to the OCC, other than information over which the
national bank or Federal savings association may claim privilege under
Federal or State law; and
(ii) Respond to the extent reasonably practicable to requests for
additional information from the FinCEN Director regarding the proposed
action.
(i) Disclosure of supervisory information to FinCEN.

[[Page 18327]]

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 4, the OCC permits a national bank
or Federal savings associations, on behalf of OCC, to disclose to the
FinCEN Director, and permits the FinCEN Director to use, any
information relating to an existing or potential AML/CFT enforcement
action or significant AML/CFT supervisory action to which the national
bank or Federal savings association has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 4, the OCC permits a national bank
or Federal savings association, on behalf of the OCC, to disclose to
the FinCEN Director, and permits the FinCEN Director to use, any
information relating to an existing or potential AML/CFT enforcement
action or significant AML/CFT supervisory action to which the national
bank or Federal savings association has access upon the contemporaneous
disclosure of such information to the OCC.
(2) A national bank's or Federal savings association's disclosure
of information to the FinCEN Director under paragraph (i)(1) of this
section does not waive, invalidate, destroy, or otherwise affect any
privilege or protection available under Federal or State law, including
the attorney-client privilege, the work-product doctrine, the bank-
examination privilege, or any other confidentiality or evidentiary
privilege.
(3) Any disclosure made by a national bank or Federal savings
association under paragraph (i)(1) of this section is made on behalf of
the OCC pursuant to the OCC's authorization under 12 U.S.C. 1821(t).
(j) Severability.
The provisions of this subpart are separate and severable from one
another. If any provision of this subpart is held to be invalid, or the
application thereof to any person or circumstance is held to be
invalid, such invalidity shall not affect other provisions, or
application of such provisions to other persons or circumstances, that
can be given effect without the invalid provision or application.

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

Authority and Issuance

For the reasons set forth in the preamble, the Federal Deposit
Insurance Corporation proposes to amend 12 CFR part 326 as follows:

PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY
LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

0
4. The authority citation for part 326 is revised to read as follows:

Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth),
1829b, 1881-1883, 5412; 31 U.S.C. 5311-5314, 5316-5336.

0
5. The heading of part 326 is revised to read as set forth above.
0
6. Revise and republish subpart B to read as follows:

Subpart B--Procedures for Monitoring Anti-Money Laundering/
Countering the Financing of Terrorism Compliance

Sec. 326.8 Anti-Money Laundering/Countering the Financing of
Terrorism Compliance, Supervision, and Enforcement.

(a) Definitions. For purposes of this section:
(1) AML/CFT enforcement action means any formal or informal action
taken by the FDIC under authority of 12 U.S.C. 1818 or other applicable
law, that seeks to penalize, remedy, prevent, or respond to
noncompliance with past or ongoing violations of, or past or ongoing
deficiencies relating to, an AML/CFT requirement. The term includes--
(i) A cease-and-desist order, written agreement, consent order, or
memorandum of understanding; or
(ii) The assessment of a civil money penalty.
(2) AML/CFT requirement means:
(i) A requirement of the Bank Secrecy Act or the implementing
regulations at 31 CFR chapter X; or
(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this
section.
(3) Bank Secrecy Act has the meaning given that term in 31 CFR
1010.100.
(4) Significant AML/CFT supervisory action means any written
communication or other formal supervisory determination that--
(i) Identifies one or more alleged deficiencies, weaknesses,
violations of law, or unsafe or unsound practices or conditions
relating to an AML/CFT requirement;
(ii) Communicates supervisory expectations to an FDIC-supervised
institution regarding actions or remedial measures required to correct
the deficiency, weakness, violation, or practice or condition; and
(iii) Contemplates significant or programmatic actions or remedial
measures to be taken by the FDIC-supervised institution.
The term does not include examiner observations, suggestions, or
other informal comments.
(5) FDIC-supervised institution or institution means any entity for
which the Federal Deposit Insurance Corporation is the appropriate
Federal banking agency pursuant to section 3(q) of the Federal Deposit
Insurance Act, 12 U.S.C. 1813(q).
(b) AML/CFT program in general. Each FDIC-supervised institution
must establish and maintain an effective AML/CFT program. A FDIC-
supervised institution complies with this requirement if it:
(1) Establishes an AML/CFT program in accordance with paragraph (c)
of this section; and
(2) Maintains an AML/CFT program by implementing the AML/CFT
program in accordance with paragraph (d) of this section.
(c) AML/CFT program establishment. An FDIC-supervised institution
establishes an AML/CFT program in accordance with this paragraph if it:
(1) Establishes a risk-based set of internal policies, procedures,
and controls that is reasonably designed to ensure compliance with the
Bank Secrecy Act and the implementing regulations at 31 CFR chapter X
and to:
(i) Identify, assess, and document the FDIC-supervised
institution's money laundering, terrorist financing, and other illicit
finance activity risks through risk assessment processes that:
(A) Evaluate the money laundering, terrorist financing, and other
illicit finance activity risks of the FDIC-supervised institution's
business activities, including its products, services, distribution
channels, customers, and geographic locations;
(B) Review and, as appropriate, incorporate the AML/CFT priorities
as that term is defined in 31 CFR 1010.100; and
(C) Are updated promptly upon any change that the FDIC-supervised
institution knows or has reason to know significantly changes the FDIC-
supervised institution's money laundering, terrorist financing, and
other illicit finance activity risks;
(ii) Mitigate the FDIC-supervised institution's money laundering,
terrorist financing, and other illicit finance activity risks
consistent with the risk assessment processes required under paragraph
(c)(1)(i) of this section, including by directing more attention and
resources toward higher-risk customers and activities, consistent with
the risk profile of the FDIC-supervised institution, rather than toward
lower-risk customers and activities; and
(iii) Conduct ongoing customer due diligence, including to:

[[Page 18328]]

(A) Understand the nature and purpose of customer relationships for
the purpose of developing a customer risk profile; and
(B) Conduct ongoing monitoring to identify and report suspicious
transactions and, on a risk basis, to maintain and update customer
information (including information regarding the beneficial owners of
legal entity customers, as defined in 31 CFR 1010.230);
(2) Establishes independent AML/CFT program testing to be conducted
by institution personnel or by an outside party;
(3) Designates an individual, who is (i) located in the United
States, (ii) accessible to, and subject to oversight and supervision
by, FinCEN and the FDIC, and (iii) responsible for establishing and
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance; and
(4) Establishes an ongoing employee training program.
(d) AML/CFT program implementation. An FDIC-supervised institution
implements an AML/CFT program in accordance with this paragraph if the
FDIC-supervised institution implements, in all material respects, the
AML/CFT program required under paragraph (c) of this section.
(e) Written AML/CFT program and approval. A FDIC-supervised
institution's AML/CFT program must be written and it must be approved
by the FDIC-supervised institution's board of directors, an equivalent
governing body within the FDIC-supervised institution, or appropriate
senior management within the FDIC-supervised institution.
(f) Customer identification program. Each FDIC-supervised
institution shall implement a customer identification program in
accordance with 31 CFR 1020.220.
(g) Enforcement and supervision policy.
(1) In general. Except with respect to a significant or systemic
failure to implement the AML/CFT program in accordance with paragraph
(d) of this section, an FDIC-supervised institution that has
established an AML/CFT program in accordance with paragraph (c) of this
section will not be subject to an AML/CFT enforcement action or to a
significant AML/CFT supervisory action related to the requirements of
12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section, or 31 CFR
1020.210.
(2) Program establishment violations. Nothing in this paragraph (g)
may be construed to restrict an AML/CFT enforcement action or a
significant AML/CFT supervisory action with respect to any failure to
establish an AML/CFT program in accordance with paragraph (c) of this
section.
(3) Criminal Enforcement Unaffected. Nothing in this subpart may be
construed to affect criminal enforcement under the BSA.
(h) FinCEN consultation.
(1) Consultation and consideration requirement. Before initiating
an AML/CFT enforcement action or a significant AML/CFT supervisory
action, the FDIC will provide the FinCEN Director an opportunity to
review the action and consider any input offered by the FinCEN Director
on the action, which may include any view as to the effectiveness of
the FDIC-supervised institution's AML/CFT program.
(2) Notice requirement. To provide the FinCEN Director an
opportunity to provide a view under paragraph (h)(1) of this section,
the FDIC will:
(i) Send written notice to the FinCEN Director of its intent to
take that action at least 30 days before taking the action (unless a
shorter period of time is necessary, in the sole discretion of the
FDIC, to remedy, prevent, or respond to an unsafe or unsound practice
or condition), accompanied by the relevant AML/CFT information
underlying the proposed action, including the relevant portions of the
draft report or enforcement action, the relevant examination workpapers
supporting the proposed action, and the relevant AML/CFT information
submitted by the FDIC-supervised institution to the FDIC, other than
information over which the FDIC-supervised institution may claim
privilege under Federal or State law; and
(ii) Respond to the extent reasonably practicable to requests for
additional information from the FinCEN Director regarding the proposed
action.
(i) Disclosure of supervisory information to FinCEN.

[OPTION 1 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 309, the FDIC permits an FDIC-
supervised institution, on behalf of FDIC, to disclose to the FinCEN
Director, and permits the FinCEN Director to use, any information
relating to an existing or potential AML/CFT enforcement action or
significant AML/CFT supervisory action to which the FDIC-supervised
institution has access.

[OPTION 2 FOR PARAGRAPH (i)(1):]

(1) Notwithstanding 12 CFR part 309, the FDIC permits an FDIC-
supervised institution, on behalf of the FDIC, to disclose to the
FinCEN Director, and permits the FinCEN Director to use, any
information relating to an existing or potential AML/CFT enforcement
action or significant AML/

[…truncated; see source link]

View on FederalRegister.gov →Plain-text source

Indexed from Federal Register on April 10, 2026.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.