Proposed Rule 2026-07033

Anti-Money Laundering and Countering the Financing of Terrorism Programs

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
April 10, 2026

Issuing agencies

Treasury Department; Financial Crimes Enforcement Network

Abstract

Pursuant to the Department of the Treasury (Treasury) and FinCEN's efforts to modernize the Bank Secrecy Act (BSA) and to implement provisions of the Anti-Money Laundering Act of 2020 (AML Act), FinCEN is proposing a rule to fundamentally reform the requirements for financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs. Among other changes, this proposed rule aims to ensure that financial institutions establish and maintain effective AML/CFT programs that better achieve the purposes of the BSA and lead to more effective outcomes for financial institutions as well as law enforcement and national security agencies. Through this rulemaking, consistent with its statutory authority as the administrator of the BSA, FinCEN is also proposing measures to modernize and reform Federal supervision of AML/CFT programs by enhancing FinCEN's role in AML/CFT supervision and enforcement in coordination with Federal banking regulators. In addition, FinCEN is proposing regulatory amendments to promote clarity and consistency across FinCEN's program rules for different types of financial institutions.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 69 (Friday, April 10, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 69 (Friday, April 10, 2026)]
[Proposed Rules]
[Pages 18704-18761]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-07033]



Vol. 91, No. 69
Friday, April 10, 2026

Part V

Department of the Treasury
Financial Crimes Enforcement Network

31 CFR Parts 1010, 1020, 1021, et al.

Anti-Money Laundering and Countering the Financing of Terrorism 
Programs; Proposed Rule

-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 
1028, 1029, and 1030

RIN 1506-AB72


Anti-Money Laundering and Countering the Financing of Terrorism 
Programs

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Department of the Treasury (Treasury) and 
FinCEN's efforts to modernize the Bank Secrecy Act (BSA) and to 
implement provisions of the Anti-Money Laundering Act of 2020 (AML 
Act), FinCEN is proposing a rule to fundamentally reform the 
requirements for financial institutions' anti-money laundering and 
countering the financing of terrorism (AML/CFT) programs. Among other 
changes, this proposed rule aims to ensure that financial institutions 
establish and maintain effective AML/CFT programs that better achieve 
the purposes of the BSA and lead to more effective outcomes for 
financial institutions as well as law enforcement and national security 
agencies. Through this rulemaking, consistent with its statutory 
authority as the administrator of the BSA, FinCEN is also proposing 
measures to modernize and reform Federal supervision of AML/CFT 
programs by enhancing FinCEN's role in AML/CFT supervision and 
enforcement in coordination with Federal banking regulators. In 
addition, FinCEN is proposing regulatory amendments to promote clarity 
and consistency across FinCEN's program rules for different types of 
financial institutions.

DATES: Comments must be received by June 9, 2026.

ADDRESSES: Comments must be submitted in one of the following two ways 
(please choose only one of the ways listed):
    * Electronically at <a href="https://www.regulations.gov">https://www.regulations.gov</a>. Follow the 
``Submit a comment'' instructions. If you are reading this document on 
<a href="http://federalregister.gov">federalregister.gov</a>, you may use the green ``SUBMIT A PUBLIC COMMENT'' 
button beneath this rulemaking's title to submit a comment to the 
<a href="http://regulations.gov">regulations.gov</a> docket. Refer to Docket Number FINCEN-2026-0034 and RIN 
1506-AB72.
    * You may mail written comments to the following address: 
Regulatory and Strategic Affairs Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number 
FINCEN-2026-0034 and RIN 1506-AB72. Mailed comments must be received by 
the close of the comment period.
    Do not include any personally identifiable information (such as 
name, address, or other contact information) or confidential business 
information that you do not want publicly disclosed. All comments are 
public records; they are publicly displayed exactly as received, and 
will not be deleted, modified, or redacted. Comments may be submitted 
anonymously.
    Follow the search instructions on <a href="https://www.regulations.gov">https://www.regulations.gov</a> to 
view public comments. In accordance with 5 U.S.C. 553(b)(4), a summary 
of this rule may be found at <a href="http://www.regulations.gov">www.regulations.gov</a> under Docket 
FINCEN-2026-0034.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section 
at <a href="http://www.fincen.gov/contact">www.fincen.gov/contact</a>.

SUPPLEMENTARY INFORMATION:

I. Scope

    The proposed rule would amend FinCEN's regulations that prescribe 
anti-money laundering program requirements for financial institutions 
(AML program rules) \1\ under the BSA.\2\ For purposes of the AML 
program rules and this proposed rule, ``financial institutions'' are: 
(1) banks; (2) casinos and card clubs (casinos); (3) money services 
businesses (MSBs); (4) brokers or dealers in securities (broker-
dealers); (5) mutual funds; (6) insurance companies; (7) futures 
commission merchants (FCMs) and introducing brokers in commodities 
(IBCs); (8) dealers in precious metals, precious stones, or jewels 
(DPMSJs); (9) operators of credit card systems; (10) loan or finance 
companies; and (11) housing government sponsored enterprises (housing 
GSEs).
---------------------------------------------------------------------------

    \1\ When referring to the existing program rules, the term ``AML 
program rules'' is used; when referring to the requirements that 
this NPRM is proposing, the term ``AML/CFT program rules'' is used.
    \2\ Certain parts of the Currency and Foreign Transactions 
Reporting Act, its amendments, and the other statutes relating to 
the subject matter of that Act, have come to be referred to as the 
BSA. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-
1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto, with 
implementing regulations at 31 CFR chapter X. Certain criminal 
statutes--namely, 18 U.S.C. 1956, 1957, and 1960--are included in 
the BSA definition at 31 CFR 1010.100(e). Section 6003 of the AML 
Act, however, does not include these provisions in its BSA 
definition, and thus FinCEN is not considering them part of the BSA 
for the purposes of this proposed rule. The AML program rules are 
located at 31 CFR 1020.210 (banks), 1021.210 (casinos), 1022.210 
(MSBs), 1023.210 (broker-dealers), 1024.210 (mutual funds), 1025.210 
(insurance companies), 1026.210 (FCMs and IBCs), 1027.210 (DPMSJs), 
1028.210 (operators of credit card systems), 1029.210 (loan or 
finance companies), and 1030.210 (housing GSEs). FinCEN notes this 
proposed rule does not propose any amendments to the final rule 
establishing AML/CFT and suspicious activity report (SAR) filing 
requirements for registered investment advisers and exempt reporting 
advisers, which has been delayed until January 1, 2028. See FinCEN, 
Delaying the Effective Date of the Anti-Money Laundering/Countering 
the Financing of Terrorism Program and Suspicious Activity Report 
Filing Requirements for Registered Investment Advisers and Exempt 
Reporting Advisers Final Rule, 91 FR 36 (Jan. 2, 2026).
---------------------------------------------------------------------------

II. Background

A. Anti-Money Laundering Programs Under the Bank Secrecy Act

    Enacted in 1970 and amended several times since, the BSA is 
designed to combat money laundering, the financing of terrorism, and 
other illicit finance activity risks \3\ (collectively, ML/TF 
risks).\4\ Congress has authorized the Secretary of the Treasury 
(Secretary) to administer the BSA. The Secretary has in turn delegated 
the authority to implement, administer, and enforce compliance with the 
BSA and its associated regulations to the Director of FinCEN 
(Director).\5\
---------------------------------------------------------------------------

    \3\ As defined in section 281(5) of the Countering America's 
Adversaries Through Sanctions Act, the term ``illicit finance'' 
means ``the financing of terrorism, narcotics trafficking, or 
proliferation, money laundering, or other forms of illicit financing 
domestically or internationally, as defined by the President.'' 
Public Law 115-44 (Aug. 2, 2017).
    \4\ 31 U.S.C. 5311.
    \5\ Treasury Order 180-01 (Jan. 14, 2020), para. 3, <a href="https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01">https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01</a>; see also 31 U.S.C. 310(b)(2)(I) (providing 
that the Director of FinCEN shall ``[a]dminister the requirements of 
subchapter II of chapter 53 of this title, chapter 2 of title I of 
Public Law 91-508, and section 21 of the Federal Deposit Insurance 
Act, to the extent delegated such authority by the Secretary.'').
---------------------------------------------------------------------------

    Since its original enactment, Congress has continued to address 
various aspects of AML/CFT compliance, including through expansion of 
the BSA.\6\ In 1992, the Annunzio-Wylie Anti-Money Laundering Act \7\ 
gave the Secretary authority to prescribe minimum standards for AML 
programs, including: ``(A) the development of 
internal policies, procedures, and controls, (B) the designation of a 
compliance officer, (C) an ongoing employee training program, and (D) 
an independent audit function to test programs''--what are often called 
the ``four pillars'' of AML programs.\8\ Later, the Uniting and 
Strengthening America by Providing Appropriate Tools Required to 
Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further 
amended the BSA to include, among other things, customer identification 
program (CIP) requirements and the expansion of AML program rules to 
cover certain other financial industry participants (e.g., credit 
unions and FCMs).\9\ The USA PATRIOT Act also made it mandatory for 
financial institutions to maintain AML programs that meet minimum 
prescribed standards.\10\ Through the exercise of its delegated 
authority, FinCEN is authorized to require each financial institution 
to establish an AML program to ensure compliance with the BSA and guard 
against ML/TF risks.\11\ Over time, FinCEN incorporated these standards 
into the AML program rules and implemented additional requirements for 
certain covered financial institutions, such as customer due diligence 
(CDD) requirements (sometimes referred to as the ``fifth pillar'' of 
AML programs).\12\
---------------------------------------------------------------------------

    \6\ Most recently, Congress enacted the Guiding and Establishing 
National Innovation for U.S. Stablecoins (GENIUS) Act on July 18, 
2025. Public Law 119-27, codified at 12 U.S.C. 5901 et seq. The 
GENIUS Act requires that permitted payment stablecoin issuers be 
treated as financial institutions for purposes of the BSA including 
being required to maintain ``an effective anti-money laundering 
program.'' See 12 U.S.C. 5903(a)(5)(A)(i). The GENIUS Act also 
requires the Agencies to issue regulations relating to PPSIs, 
including regulations pertaining to BSA compliance standards. 12 
U.S.C. 5903(a)(4)(iv). These AML/CFT requirements and standards for 
PPSIs are addressed separately from this rulemaking.
    \7\ Section 1517 of the Annunzio-Wylie Anti-Money Laundering 
Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992).
    \8\ 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the 
Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550 (Oct. 
28, 1992). FinCEN notes the proposed rule sequences these AML/CFT 
program components--the four pillars--in the order of the existing 
AML program rule for banks, rather than the order used in 31 U.S.C. 
5318(h)(1): namely, (i) a system of internal controls to assure 
ongoing compliance; (ii) independent testing for compliance to be 
conducted by bank personnel or by an outside party; (iii) 
designation of an individual or individuals responsible for 
coordinating and monitoring day-to-day compliance; and (iv) training 
for appropriate personnel. See 31 CFR 1020.210(a)(2). FinCEN, 
however, does not intend the change in sequencing to modify or 
signify changes in any substantive requirements.
    \9\ 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by 
section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 
(Oct. 26, 2001).
    \10\ 31 U.S.C. 5318(h), as added by section 352 of the USA 
PATRIOT Act, Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001).
    \11\ 31 U.S.C. 5318(a)(2), (h)(1), (h)(2); supra note 5.
    \12\ See FinCEN, Customer Due Diligence Requirements for 
Financial Institutions, 81 FR 29398 (May 11, 2016).
---------------------------------------------------------------------------

    On January 1, 2021, Congress enacted the William M. (Mac) 
Thornberry National Defense Authorization Act for Fiscal Year 2021 
(FY21 NDAA), of which the AML Act was a component.\13\ With the passage 
of the AML Act, Congress stated that it was seeking to modernize and 
strengthen the AML/CFT regulatory framework, which ``had not seen 
comprehensive reform or modernization'' since the BSA was enacted in 
the 1970s.\14\ Among other objectives, Congress intended for the AML 
Act to require ``more routine and systemic coordination, communication, 
and feedback among financial institutions, regulators, and law 
enforcement to identify suspicious financial activities, better 
focusing bank resources to the AML task, which will increase the 
likelihood for better law enforcement outcomes.'' \15\
---------------------------------------------------------------------------

    \13\ William M. (Mac) Thornberry National Defense Authorization 
Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan. 
1, 2021).
    \14\ Congress noted in its Joint Explanatory Statement of the 
Committee of Conference accompanying the FY21 NDAA that: ``the 
current [AML/CFT] regulatory framework is an amalgamation of 
statutes and regulations that are grounded in the [BSA], which the 
Congress enacted in 1970. This decades-old regime, which has not 
seen comprehensive reform and modernization since its inception, is 
generally built on individual reporting mechanisms (i.e., currency 
transaction reports (CTRs) and SARs) and contemplates aging, 
decades-old technology, rather than the current, sophisticated AML 
compliance systems now managed by most financial institutions.'' 
Congress further stated that the AML Act ``comprehensively update[s] 
the BSA for the first time in decades and provide[s] for the 
establishment of a coherent set of risk-based priorities.'' Among 
other objectives, Congress intended for the AML Act to require 
``more routine and systemic coordination, communication, and 
feedback among financial institutions, regulators, and law 
enforcement to identify suspicious financial activities, better 
focusing bank resources to the AML task, which will increase the 
likelihood for better law enforcement outcomes.'' H.R. Rep. No. 6395 
(2020) at pp. 731-732 (Joint Explanatory Statement of the Committee 
of Conference).
    \15\ H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory 
Statement of the Committee of Conference).
---------------------------------------------------------------------------

    Section 6101(b) of the AML Act made several changes to the BSA's 
AML/CFT program requirements.
    First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B) 
to state that, ``[i]n prescribing the minimum standards [for AML/CFT 
programs], and in supervising and examining compliance with those 
standards, the Secretary of the Treasury, and the appropriate Federal 
functional regulator (as defined in section 509 of the Gramm-Leach-
Bliley Act) \16\ shall take into account'' certain factors, which are 
further described in section IV.A.
---------------------------------------------------------------------------

    \16\ 15 U.S.C. 6809(2).
---------------------------------------------------------------------------

    Second, section 6101(b) requires the Secretary, in consultation 
with the Attorney General, appropriate Federal functional regulators, 
relevant State financial regulators, and relevant national security 
agencies, to establish and make public government-wide AML/CFT 
priorities (AML/CFT Priorities). After consultation with the Federal 
functional regulators and relevant State financial regulators, the 
Secretary must promulgate regulations, as appropriate, to incorporate 
those priorities into revised program rules, and incorporation of the 
priorities must be included as a measure on which financial 
institutions are supervised and examined. FinCEN issued the first AML/
CFT Priorities on June 30, 2021.\17\
---------------------------------------------------------------------------

    \17\ See FinCEN, AML/CFT Priorities (June 30, 2021). As required 
by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent 
with Treasury's National Strategy for Combating Terrorist and Other 
Illicit Financing (May 16, 2024) and supported by Treasury's 
National Risk Assessments on Money Laundering, Terrorist Financing, 
and Proliferation Financing. See U.S. Department of the Treasury, 
2026 National Money Laundering Risk Assessment (March 2026), <a href="https://home.treasury.gov/system/files/246/2026-NMLRA.pdf">https://home.treasury.gov/system/files/246/2026-NMLRA.pdf</a>; 2026 National 
Terrorist Financing Risk Assessment (March 2026), <a href="https://home.treasury.gov/system/files/246/2026-NTFRA.pdf">https://home.treasury.gov/system/files/246/2026-NTFRA.pdf</a>; 2026 National 
Proliferation Financing Risk Assessment (March 2026), <a href="https://home.treasury.gov/system/files/246/2026-NPFRA.pdf">https://home.treasury.gov/system/files/246/2026-NPFRA.pdf</a>. As also required 
by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the 
Attorney General, Federal functional regulators, relevant State 
financial regulators, and relevant national security agencies, must 
update the AML/CFT Priorities not less frequently than once every 
four years.
---------------------------------------------------------------------------

    Third, section 6101(b) expands the BSA's program rule requirement 
to formally include an express reference to CFT in addition to AML.
    Fourth, section 6101(b) provides that the duty to establish, 
maintain, and enforce an AML/CFT program shall remain the 
responsibility of, and be performed by, persons in the United States 
who are accessible to, and subject to, oversight and supervision by, 
the Secretary and the appropriate Federal functional regulator.

B. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)

    Prior to the enactment of the AML Act, and as informed by the 
recommendations of the AML Effectiveness Bank Secrecy Act Advisory 
Group working group, FinCEN published an ANPRM seeking public comment 
on potential regulatory amendments to increase the effectiveness of the 
current program rules (Effectiveness ANPRM).\18\ The Effectiveness 
ANPRM sought public comment on a number of issues, including whether 
FinCEN should define an effective and reasonably designed AML program 
as one that: (1) identifies, assesses, and reasonably mitigates the 
risks resulting from illicit financial activity, including terrorist 
financing, money laundering, and other related financial crimes, 
consistent with both the institution's risk profile and the risks 
communicated by relevant government authorities as national AML 
priorities; (2) assures and monitors compliance with the recordkeeping 
and reporting requirements of the BSA; and (3) provides information 
with a high degree of usefulness to government authorities consistent 
with both the financial institution's risk assessment and the risks 
communicated by relevant government authorities as national AML 
priorities.\19\
---------------------------------------------------------------------------

    \18\ FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR 
58023 (Sept. 17, 2020).
    \19\ 85 FR 58026.
---------------------------------------------------------------------------

    Additionally, the Effectiveness ANPRM sought comment on whether 
FinCEN should amend its regulations to explicitly require financial 
institutions to implement risk assessment processes and whether FinCEN 
should publish AML priorities that financial institutions would 
incorporate into their risk assessments.\20\ Congress enacted the AML 
Act shortly after FinCEN received comments on the Effectiveness ANPRM. 
As a result, many of the Effectiveness ANPRM's proposals have been 
superseded by statutory amendments.
---------------------------------------------------------------------------

    \20\ Id.
---------------------------------------------------------------------------

    FinCEN received 111 comments in response to the Effectiveness 
ANPRM, many of which generally supported the goals underlying the 
ANPRM. Some comments covered specific topics that would later be 
addressed in section 6101 of the AML Act and that are related to the 
proposed rule. For example, many commenters supported the Effectiveness 
ANPRM's concepts of effective and reasonably designed AML programs. 
Commenters further noted that prioritizing and allocating resources can 
be challenging if there is regulatory ambiguity or if examiner 
expectations are unclear or inconsistent, and that requirements for 
effective and reasonably designed programs should be tailored based on 
a financial institution's size, activities, or other characteristics. 
Finally, commenters expressed widespread concern about added burden on 
financial institutions, especially burden related to updating AML 
programs to incorporate national AML priorities.

C. The 2024 Notice of Proposed Rulemaking Revising AML Programs

1. Summary of 2024 Program Notice of Proposed Rulemaking (NPRM)
    On July 3, 2024, FinCEN published an NPRM proposing revisions to 
AML/CFT program requirements (2024 Program NPRM).\21\ In issuing that 
proposed rule, FinCEN consulted with the Federal functional regulators, 
the Internal Revenue Service (IRS), and relevant State financial 
regulators, as required under section 6101(b) of the AML Act. 
Additionally, on August 9, 2024, the Office of the Comptroller of the 
Currency (OCC), the Board of Governors of the Federal Reserve System 
(FRB), the Federal Deposit Insurance Corporation (FDIC), and the 
National Credit Union Administration (NCUA) (collectively, the 
``Agencies'') \22\ issued an NPRM proposing amendments to their 
respective AML program rules applicable to the financial institutions 
they regulate.\23\
---------------------------------------------------------------------------

    \21\ FinCEN, Anti-Money Laundering and Countering the Financing 
of Terrorism Programs, 89 FR 55428 (July 3, 2024).
    \22\ As discussed below, these Federal agencies are also known 
as the Federal Financial Institutions Regulatory Agencies (FFIRAs) 
and proposed 1010.100(ooo) defines these agencies using this term. 
However, this preamble uses the term ``Agencies'' to refer to the 
FFIRAs.
    \23\ FRB, FDIC, NCUA, and OCC, Anti-Money Laundering and 
Countering the Financing of Terrorism Program Requirements, 89 FR 
65242 (Aug. 9, 2024).
---------------------------------------------------------------------------

    The 2024 Program NPRM proposed that financial institutions 
establish AML/CFT programs that would include, at minimum, the 
following components: (1) a risk assessment process; (2) reasonable 
management and mitigation of illicit finance risks through internal 
policies, procedures, and controls; (3) a qualified AML/CFT officer; 
(4) an ongoing employee training program; (5) independent, periodic 
testing conducted by qualified personnel of the financial institution 
or by a qualified outside party; and (6) other requirements (such as 
customer due diligence) depending on the type of financial institution.
    The 2024 Program NPRM further proposed that financial institutions 
would be expected to base their AML/CFT program on the results of a 
risk assessment process. The risk assessment process would identify, 
evaluate, and document a financial institution's ML/TF risks, taking 
into account the following considerations: (1) the AML/CFT Priorities 
issued by FinCEN, as appropriate; (2) the ML/TF risks of the financial 
institution based on the institution's business activities, including 
products, services, distribution channels, customers, intermediaries, 
and geographic locations; and (3) reports filed by the financial 
institution pursuant to FinCEN's regulations at 31 CFR chapter X. 
Additionally, the 2024 Program NPRM provided that financial 
institutions would have to review and update their risk assessments on 
a periodic basis, including, at a minimum, when there are material 
changes to a financial institution's illicit finance risks.
    The 2024 Program NPRM would have also required a financial 
institution's AML/CFT program to be approved and overseen by the 
financial institution's board of directors (board) or equivalent 
governing body and would have made AML/CFT program approval and 
oversight requirements consistent across financial institution types. 
Furthermore, the 2024 Program NPRM reflected the requirement in the 
BSA, as amended by the AML Act, that the duty to establish, maintain, 
and enforce a financial institution's AML/CFT program shall remain the 
responsibility of, and be performed by, persons in the United States 
who are accessible to, and subject to oversight and supervision by, the 
Secretary and the appropriate Federal functional regulator.
    FinCEN does not intend to finalize the 2024 Program NPRM, and it 
should be considered withdrawn and superseded by this proposed rule.
2. Comments FinCEN Received on the 2024 Program NPRM
    In response to the 2024 Program NPRM, FinCEN received 86 comments 
from the public. Submissions came from a broad array of individuals and 
organizations, including members of Congress, the financial industry 
and related trade associations, groups representing small business 
interests, corporate transparency advocacy groups, regulatory 
associations, legal associations, and other interested groups and 
individuals.
    A small number of commenters expressed support for the 2024 Program 
NPRM's effort to modernize and strengthen AML/CFT programs in line with 
the reform goals of the AML Act. Some supporters of the 2024 Program 
NPRM agreed with its emphasis on ``effective, risk-based, and 
reasonably designed'' AML/CFT programs that would promote 
``effectiveness, efficiency, innovation, and flexibility.'' \24\ Others 
commended FinCEN's efforts to emphasize the risk-based nature of AML/
CFT programs and provide financial institutions with the flexibility to 
provide financial services based on their risk profile and capacity to 
manage customer relationships.
---------------------------------------------------------------------------

    \24\ 89 FR 55430.
---------------------------------------------------------------------------

    Commenters also expressed concerns with the 2024 Program NPRM, such 
as the proposed program requirements being excessively prescriptive and 
even redundant in light of the view that existing AML/CFT compliance 
programs were already intended to be risk-based. A number of commenters 
found the proposal to be an additive regulatory imposition that would 
increase costs and burdens, particularly to smaller financial 
institutions, without 
any increase in program effectiveness, efficiency, or innovation.
    On behalf of FinCEN, Treasury's Office of Tribal and Native Affairs 
(OTNA) also solicited comments and conducted Tribal consultations and 
coordination with Tribal Nations. OTNA received six comments from 
Tribal representatives during this process.
    Taken together, the comments submitted to the Effectiveness ANPRM 
and 2024 Program NPRM provide helpful context that FinCEN has 
considered in developing the current NPRM.
i. Risk-Based Resource Allocation
    The 2024 Program NPRM proposed a formulation of risk-based resource 
allocation as follows: ``an effective, risk-based, and reasonably 
designed AML/CFT program focuses attention and resources in a manner 
consistent with the bank's risk profile that takes into account higher 
risk and lower-risk customers and activities.'' \25\ Commenters 
criticized this formulation of risk-based resource allocation in the 
NPRM and generally stated that this framing would not sufficiently 
enable financial institutions to reallocate resources in the manner 
intended by the AML Act by allowing financial institutions to direct 
more resources toward higher-risk customers and activity rather than 
lower-risk customers and activity, leaving open the concern that 
examiners may penalize financial institutions for doing so. Commenters 
strongly recommended that FinCEN adopt the statutory language from the 
AML Act concerning risk-based resource allocation. No commenters 
expressed support for the 2024 Program NPRM formulation.
---------------------------------------------------------------------------

    \25\ 89 FR 55436.
---------------------------------------------------------------------------

ii. The Risk Assessment Process
    Commenters to the 2024 Program NPRM were critical of the proposed 
risk assessment process. Commenters generally supported the idea of a 
risk assessment process requirement in the NPRM, as many financial 
institutions already conduct risk assessments. Commenters argued, 
however, that the proposal was insufficiently deferential to existing 
risk assessment practices and would impose new compliance costs by 
creating an additive ``check-the-box'' exercise for financial 
institutions that already conduct risk assessments. Commenters also 
stated that financial institutions should not be required to consider 
BSA reports, including SARs and CTRs, as part of their risk assessment 
process, noting language in the AML Act stating that BSA filings should 
be guided by risk-based compliance programs, rather than the 
opposite.\26\ Commenters also argued that even the idea of making the 
risk assessment process serve as the basis of the AML/CFT program would 
be too prescriptive and not correspond to the various ways financial 
institutions incorporate these assessments into their programs. 
Finally, commenters objected to the description of a risk assessment 
process as a singular process that implied a one-time, annual exercise 
whereas financial institutions conduct numerous and often continuous 
risk assessments throughout the year.
---------------------------------------------------------------------------

    \26\ ``Reports filed under this subsection shall be guided by 
the compliance program of a covered financial institution with 
respect to the Bank Secrecy Act, including the risk assessment 
processes of the covered institution that should include a 
consideration of priorities established by the Secretary of the 
Treasury under section 5318.'' 31 U.S.C. 5318(g)(5)(C), as added by 
section 6202 of the AML Act.
---------------------------------------------------------------------------

iii. ``Effective, Risk-Based, and Reasonably Designed'' AML/CFT 
Programs
    Commenters generally appreciated FinCEN's inclusion of the concept 
of ``effective, risk-based, and reasonably designed'' AML/CFT programs, 
but sought additional guidance on the meaning of these terms. Some 
commenters requested that FinCEN adopt specific regulatory definitions 
of these terms, while others requested principles or examples to 
clarify how FinCEN understands them. Several commenters urged that the 
final rule clarify that an ``effective, risk-based, and reasonably 
designed'' program does not mean one that is ``perfect'' and completely 
prevents financial crime.
iv. Other Provisions of the 2024 NPRM
    Proposed Sec.  1020.210(c) of the 2024 Program NPRM provided that 
``[t]he duty to establish, maintain, and enforce the AML/CFT program 
must remain the responsibility of, and be performed by, persons in the 
United States who are accessible to, and subject to oversight and 
supervision by, FinCEN and the appropriate Federal functional 
regulator,'' \27\ pursuant to the statutory requirement set forth in 
section 6101 of the AML Act.\28\ Many commenters discussed this 
provision. They generally stated that an appropriate interpretation of 
this provision is critical for many financial institutions since many 
have AML/CFT staff and operations overseas, and it would be extremely 
costly and disruptive to require relocation to the United States. Many 
commenters requested that FinCEN interpret this provision to allow 
financial institutions to maintain staff and operations in non-U.S. 
jurisdictions so long as the person with the ``duty to establish, 
maintain, and enforce the AML/CFT program'' is located in the United 
States. Some commenters also requested clarification on how this 
provision would apply to financial institutions with third-party 
service providers located outside the United States.
---------------------------------------------------------------------------

    \27\ 89 FR 55485.
    \28\ 31 U.S.C. 5318(h)(5).
---------------------------------------------------------------------------

    The 2024 Program NPRM also proposed requiring that a financial 
institution's board or an equivalent governing body approve and provide 
oversight of AML/CFT programs.\29\ Commenters generally expressed 
reservations about the board approval and oversight provision of the 
NPRM. Some credit union commenters expressed concern that the 
requirement would impose significant new burdens on boards and noted 
that many credit union boards are volunteers. Commenters representing 
Native Tribes were most critical of the board oversight and approval 
requirement because of the potential impact on Tribal casinos and 
Tribal Councils. Several of these commenters stated that many Tribal 
gaming entities are not operated under the authority of a business 
board. Commenters expressed concern that the proposed rule may require 
Tribal Councils to approve and provide oversight of the AML/CFT program 
adopted by the casino, detracting from other responsibilities of the 
Tribal Council.
---------------------------------------------------------------------------

    \29\ 89 FR 55444.
---------------------------------------------------------------------------

v. Effective Date
    The 2024 Program NPRM proposed that financial institutions would 
have six months from the date of issuance of the final rule to comply 
with its requirements. A large number of commenters reacted negatively 
to the six-month implementation period in the 2024 Program NPRM, and 
they were nearly unanimous in requesting additional time. Some 
commenters asked for at least one year after issuance of the final rule 
to implement the rule, and other commenters requested two or more 
years. Some commenters representing larger financial institutions cited 
the need for additional time to review the final rule, make 
technological changes or other changes to existing processes, 
incorporate the AML/CFT Priorities into their risk assessment 
processes, reallocate resources from lower- to higher-risk areas, and 
provide training.

III. BSA Modernization

    The Secretary has identified BSA reform and modernization as one of 
Treasury's top priorities. In an April 2025 speech, the Secretary noted 
that Treasury ``will advocate for changes to the AML/CFT framework to 
truly focus on national security priorities and higher-risk areas and 
explicitly permit financial institutions to de-prioritize lower 
risks.'' \30\ Additionally, the Secretary has noted that supervision of 
AML/CFT programs has too often involved a ``zero-tolerance focus on 
process and documentation and wide latitude for supervisory 
expectations and judgments that are not always consistent with the law 
or our national security priorities.'' \31\ The Secretary noted that 
this proposed rule would ensure that financial institutions' AML/CFT 
programs are focused ``on higher value activities [that] will also 
better serve our law enforcement and national security objectives.'' 
\32\
---------------------------------------------------------------------------

    \30\ U.S. Department of the Treasury, Press Release, ``Treasury 
Secretary Scott Bessent Remarks before the American Bankers 
Association'' (Apr. 9, 2025), <a href="https://home.treasury.gov/news/press-releases/sb0078">https://home.treasury.gov/news/press-releases/sb0078</a>.
    \31\ U.S. Department of the Treasury, Press Release, ``Remarks 
by Secretary of the Treasury Scott Bessent Before the Fed Community 
Bank Conference'' (Oct. 9, 2025), <a href="https://home.treasury.gov/news/press-releases/sb0276">https://home.treasury.gov/news/press-releases/sb0276</a>.
    \32\ Id.
---------------------------------------------------------------------------

    In June 2025, Treasury identified its guiding principles for BSA 
reform, recognizing the urgent need to modernize the implementation of 
the AML/CFT regime in the United States so that it is effective, risk-
based, and focused on the greatest threats to financial institutions 
and national security.\33\ Treasury's vision of a modernized BSA 
regulatory and supervisory regime is one where financial institutions:
---------------------------------------------------------------------------

    \33\ U.S. Department of the Treasury, Press Release, ``Deputy 
Secretary Faulkender Lays Out Guiding Principles for Bank Secrecy 
Act Modernization'' (June 18, 2025), <a href="https://home.treasury.gov/news/press-releases/sb0173">https://home.treasury.gov/news/press-releases/sb0173</a>.
---------------------------------------------------------------------------

    • comply with AML/CFT laws and regulations;
    • are examined for the risk-based and reasonably designed 
nature of their AML/CFT programs and set of internal policies, 
procedures, and controls;
    • direct more resources to higher-risk areas rather than to 
lower-risk areas; and
    • generate highly useful information for law enforcement and 
national security agencies in priority areas defined by Treasury.
    Treasury and FinCEN, in coordination with the Agencies, have taken 
a number of steps to implement this vision of a modernized BSA 
regulatory and supervisory regime. In June and July 2025, the Agencies, 
with FinCEN's concurrence, issued an order permitting banks, as part of 
their CIP obligations, to collect Taxpayer Identification Number 
information from a third party rather than from the bank's 
customer.\34\ In October 2025, FinCEN and the Agencies issued 
Frequently Asked Questions to clarify certain SAR obligations to help 
ensure financial institutions are not needlessly expending resources on 
efforts that do not provide law enforcement and national security 
agencies with the critical information they need to detect, combat, and 
deter criminal activity.\35\ In February 2026, FinCEN issued an order 
granting exceptive relief to covered financial institutions from 
certain requirements under FinCEN's CDD Rule, supporting a more 
efficient, risk-based approach to customer due diligence and reducing 
unnecessary regulatory burden without weakening the foundational 
requirements that protect the U.S. financial system.\36\
---------------------------------------------------------------------------

    \34\ FinCEN, FinCEN Permits Banks to Use Alternative Collection 
Method for Obtaining TIN Information (June 27, 2025), <a href="https://www.fincen.gov/news/news-releases/fincen-permits-banks-use-alternative-collection-method-obtaining-tin-information">https://www.fincen.gov/news/news-releases/fincen-permits-banks-use-alternative-collection-method-obtaining-tin-information</a>.
    \35\ FinCEN, FinCEN Issues Frequently Asked Questions to Clarify 
Suspicious Activity Reporting Requirements (Oct. 9, 2025), <a href="https://www.fincen.gov/news/news-releases/fincen-issues-frequently-asked-questions-clarify-suspicious-activity-reporting">https://www.fincen.gov/news/news-releases/fincen-issues-frequently-asked-questions-clarify-suspicious-activity-reporting</a>.
    \36\ FinCEN, FinCEN Issues Exceptive Relief to Streamline 
Customer Due Diligence Requirements (Feb. 13, 2026), <a href="https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf">https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf</a>.
---------------------------------------------------------------------------

    In addition to advancing the goals of a modernized BSA regulatory 
and supervisory regime, Treasury and FinCEN have played a leading role 
in supporting Executive Order (E.O.) 14192, Unleashing Prosperity 
Through Deregulation.\37\ The E.O. announced an Administration policy 
to ``significantly reduce the private expenditures required to comply 
with Federal regulations to secure America's economic prosperity and 
national security and the highest possible quality of life for each 
citizen'' and ``alleviate unnecessary regulatory burdens placed on the 
American people.'' \38\ Consistent with E.O. 14192, FinCEN is issuing 
this proposed rule to ensure that financial institutions' AML/CFT 
programs are appropriately risk-based, such that compliance with their 
program obligations is focused on the goals of the BSA, including 
combatting and preventing ML/TF, rather than mere technical compliance. 
Furthermore, the proposed rule for banks would help ensure that 
supervisory and enforcement actions related to AML/CFT programs are 
focused on significant or systemic failures to implement an effective 
AML/CFT program (i.e., deficiencies or issues that arise from failing 
to implement, in all material respects, a properly established AML/CFT 
program). The proposal would also reflect FinCEN's key role, in 
accordance with its statutory authority as the administrator of the 
BSA, in ensuring a consistent and holistic approach to enforcement and 
supervision of banks' AML/CFT programs that focuses on program 
effectiveness rather than mere technical compliance. The Agencies have 
a long history of coordination with FinCEN in exercising its delegated 
supervisory authority, and FinCEN views this proposed rule as a way to 
further strengthen that relationship to promote more consistent 
supervision. FinCEN believes this enhanced coordination in AML/CFT 
supervision and enforcement will support the goals of E.O. 14192.
---------------------------------------------------------------------------

    \37\ E.O. 14192, Unleashing Prosperity Through Deregulation, 90 
FR 9065 (issued Jan. 31, 2025; published Feb. 6, 2025).
    \38\ Id.
---------------------------------------------------------------------------

    Fulfilling the AML Act's goals of BSA modernization and reform is a 
priority for Treasury and FinCEN, and this proposed rule is a major 
part of that effort.

IV. Overview of the Proposed Rule

    A central objective of Treasury and FinCEN's BSA modernization 
efforts is to create an AML/CFT supervisory and regulatory regime that 
is more effective in achieving the purposes of the BSA and promoting 
better outcomes for law enforcement and national security agencies.\39\ 
This proposed rule would further that objective by explicitly defining 
the requirements for a financial institution to establish and maintain 
an effective AML/CFT program. It would also adopt into regulations the 
AML Act's expectation that AML/CFT programs should be risk-based, 
including ensuring that financial institutions direct more attention 
and resources toward higher-risk customers and activities, consistent 
with the risk profile of the financial institution, rather than toward 
lower-risk customers and activities.\40\
---------------------------------------------------------------------------

    \39\ 31 U.S.C. 5311.
    \40\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------

    As noted in the previous section, the proposed rule would also 
revise the AML/CFT supervisory and examination process for banks by 
enhancing FinCEN's role in the supervision and enforcement process. In 
support of this objective, the proposed rule would establish a 
mechanism in which
FinCEN--as the statutory administrator of the BSA--has an opportunity 
to review and provide feedback to the Agencies prior to a significant 
supervisory action. This change will promote consistent approaches to 
AML/CFT supervision and better outcomes for both banks and the law 
enforcement and national security agencies that depend upon those 
financial institutions' critical BSA reporting.

A. Factors That FinCEN Considered Pursuant to Section 6101(b)(2)(B) of 
the AML Act (31 U.S.C. 5318(h)(2)(B))

    Section 6101(b)(2)(B)(ii) of the AML Act (codified at 31 U.S.C. 
5318(h)(2)(B)) requires FinCEN to take into account certain factors 
when prescribing minimum AML/CFT program standards:
    (i) Financial institutions are spending private compliance funds 
for a public and private benefit, including protecting the United 
States financial system from illicit finance risks.
    (ii) The extension of financial services to the underbanked and the 
facilitation of financial transactions, including remittances, coming 
from the United States and abroad in ways that simultaneously prevent 
criminal persons from abusing formal or informal financial services 
networks are key policy goals of the United States.
    (iii) Effective anti-money laundering and countering the financing 
of terrorism programs safeguard national security and generate 
significant public benefits by preventing the flow of illicit funds in 
the financial system and by assisting law enforcement and national 
security agencies with the identification and prosecution of persons 
attempting to launder money and undertake other illicit activity 
through the financial system.
    (iv) Anti-money laundering and countering the financing of 
terrorism programs . . . should be--
    (I) reasonably designed to assure and monitor compliance with the 
requirements of this subchapter and regulations promulgated under this 
subchapter; and
    (II) risk-based, including ensuring that more attention and 
resources of financial institutions should be directed toward higher-
risk customers and activities, consistent with the risk profile of a 
financial institution, rather than toward lower-risk customers and 
activities.
    FinCEN has considered all of these factors in developing this 
proposed rule.
    First, as required by 31 U.S.C. 5318(h)(2)(B)(i), FinCEN has 
considered that, through their AML/CFT programs, financial institutions 
are spending private compliance funds for a public and private benefit. 
The proposed rule reflects this in several ways--especially in how it 
endeavors to avoid imposing unnecessary regulatory burdens and to ensure 
that financial institutions are able to tailor their AML/CFT programs 
to their risk profiles. In this way, FinCEN seeks to ensure that 
financial institutions are not required to expend private compliance 
funds without meaningful benefit to both the public and their own 
operations.
    Second, section 5318(h)(2)(B)(ii) requires FinCEN to consider the 
extension of financial services to the underbanked and the facilitation 
of financial transactions, including remittances, while preventing 
criminal persons from abusing formal or informal financial services 
networks. Through its emphasis on risk-based AML/CFT programs, the 
proposed rule seeks to provide financial institutions with the 
flexibility to serve a broad range of customers and avoid one-size-
fits-all approaches to customer risk that can lead to financial 
institutions declining to provide financial services to entire 
categories of customers. The proposed rule would help ensure that 
decisions taken by financial institutions with respect to closing 
customer accounts are based on legitimate ML/TF risks and informed by 
relevant facts and circumstances. The proposed rule is intended to 
mitigate the risks of financial institutions potentially being 
inappropriately pressured into closing customer accounts by emphasizing 
the risk-based nature of AML/CFT programs. In doing so, the proposed 
rule also furthers the objectives of E.O. 14331, Guaranteeing Fair 
Banking for All Americans, which seeks to combat ``politicized or 
unlawful debanking.'' \41\
---------------------------------------------------------------------------

    \41\ E.O. 14331, Guaranteeing Fair Banking for All Americans, 90 
FR 38925 (issued Aug. 7, 2025; published Aug. 12, 2025).
---------------------------------------------------------------------------

    Moreover, by establishing a risk-based AML/CFT program that takes 
into account a financial institution's specific business activities, 
the proposed rule will enable financial institutions to avoid debanking 
customers and extend financial services based on a financial 
institution's evaluation of the ML/TF risks and the financial 
institution's ability to manage those risks and customer relationships, 
among other considerations. This flexibility would allow such financial 
institutions to respond to changing circumstances and evolving risk 
profiles, including through the use of emerging technologies that 
support transparency and preserve privacy, which may deter debanking 
and enable financial institutions to reach underbanked individuals and 
facilitate financial transactions that simultaneously prevent criminal 
persons from abusing formal or informal financial services networks.
    The proposed rule would also provide financial institutions with 
the ability to modernize their AML/CFT programs and to responsibly 
innovate while still managing ML/TF risks, as the financial services 
industry continues to innovate over time. Consistent with previous 
guidance,\42\ FinCEN encourages financial institutions to manage 
customer relationships on a case-by-case basis, and the proposed rule 
would provide financial institutions with the framework to make such 
evaluations and provide financial services accordingly, without broad 
de-risking that can result in debanking that may increase the use of 
financial services that exist outside of the regulated financial system 
and complicate efforts to detect and deter illicit finance. FinCEN 
believes that effective AML/CFT programs are an important component in 
mitigating the effects of debanking on national security and law 
enforcement interests.
---------------------------------------------------------------------------

    \42\ See FRB, FDIC, FinCEN, NCUA, and OCC, Joint Statement on 
the Risk-Based Approach to Assessing Customer Relationships and 
Conducting Customer Due Diligence (July 6, 2022), <a href="https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and">https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and</a>.
---------------------------------------------------------------------------

    Third, as stated in 31 U.S.C. 5318(h)(2)(B)(iii), effective AML/CFT 
programs safeguard national security and generate significant public 
benefits by preventing the flow of illicit funds in the financial 
system and by assisting law enforcement and national security agencies 
with the identification and prosecution of persons attempting to 
launder money or undertake other illicit activity through the financial 
system.\43\ The proposed rule would advance the BSA modernization and 
reform goals of the AML Act by providing financial institutions and 
their regulators with clarity about the requirements to have effective 
AML/CFT programs.
---------------------------------------------------------------------------

    \43\ 31 U.S.C. 5318(h)(2)(B)(iii).
---------------------------------------------------------------------------

    Likewise, 31 U.S.C. 5318(h)(2)(B)(iv)(I) provides that AML/CFT 
programs should be ``reasonably designed to assure and monitor 
compliance'' with the BSA and its implementing regulations and be risk-
based. As described in more detail in section IV, the proposed rule 
advances these objectives by explicitly requiring financial 
institutions to have effective AML/CFT programs and by describing the 
minimum components for an AML/CFT program to be effective. 
Specifically, as part of an effective AML/CFT program, the proposed 
rule
requires that a financial institution establish and maintain a risk-
based set of internal policies, procedures, and controls that is 
reasonably designed to ensure compliance with the BSA and FinCEN's 
regulations.
    The internal policies, procedures, and controls requirement in the 
proposed rule also demonstrates FinCEN's consideration of 31 U.S.C. 
5318(h)(2)(B)(iv)(II), which states that AML/CFT programs should be 
risk-based, including ensuring that more attention and resources of 
financial institutions should be directed toward higher-risk customers 
and activities, consistent with a financial institution's risk profile, 
rather than toward lower-risk customers and activities. While FinCEN 
has previously expected financial institutions to adopt risk-based AML/
CFT programs, the proposed rule incorporates this directive by 
explicitly requiring, as part of an institution's risk-based set of 
internal policies, procedures, and controls, that an institution 
identify, assess, and document its ML/TF risks through risk assessment 
processes. These risk assessment processes require a financial 
institution to evaluate ML/TF risks and review and, as appropriate, 
incorporate the AML/CFT Priorities, with updates to risk assessment 
processes promptly upon any change that the financial institution knows 
or has reason to know significantly changes the financial institution's 
ML/TF risks. These risk assessment processes are designed to help 
financial institutions mitigate ML/TF risks and ensure that they are 
allocating resources commensurate with their documented ML/TF risks, 
directing more attention and resources toward higher-risk customers 
rather than toward lower-risk customers and activities.

B. Proposed Rule

    As noted above, the proposed rule would require financial 
institutions to establish and maintain effective AML/CFT programs and 
define the requirements for doing so. In order for an AML/CFT program 
to be effective, the proposed rule would require a financial 
institution to establish an AML/CFT program and then maintain the AML/
CFT program by implementing, in all material respects, the established 
AML/CFT program.
    As described in more detail in section V.D., a financial 
institution would be required to establish a risk-based set of internal 
policies, procedures, and controls that is reasonably designed to 
ensure compliance with the BSA and 31 CFR chapter X. The risk-based set 
of internal policies, procedures, and controls must also be reasonably 
designed to: (1) identify, assess, and document the financial 
institution's ML/TF risks through risk assessment processes that 
evaluate the risks of the institution's business activities, review 
and, as appropriate, incorporate the AML/CFT Priorities, and are 
updated promptly upon any change that the financial institution knows 
or has reason to know significantly changes the institution's ML/TF 
risks; (2) mitigate the financial institution's ML/TF risks, consistent 
with the financial institution's risk assessment processes; and, for 
certain financial institutions, (3) conduct ongoing customer due 
diligence.
    The proposed rule would also require a financial institution to 
establish an ongoing employee training program and independent AML/CFT 
program testing as part of its AML/CFT program. Finally, the proposed 
rule would require a financial institution to designate an individual 
responsible for establishing and implementing the AML/CFT program and 
coordinating and monitoring day-to-day compliance; that individual 
would be required to be located in the United States and accessible to, 
and subject to oversight and supervision by, FinCEN and its designee, 
including the appropriate Federal functional regulator.
    Under the proposed rule, in addition to establishing an AML/CFT 
program, the financial institution would be required to maintain that 
program by implementing, in all material respects, its established AML/
CFT program. By structuring the requirement to have an effective AML/
CFT program as distinct obligations to establish and maintain (via 
implementation) an AML/CFT program, the proposed rule is intended to 
clarify and reinforce the distinction between failures to establish an 
AML/CFT program and failures to implement a properly established 
program.
    The distinction between establishing a program and implementing a 
program is particularly important under the proposed rule for potential 
supervisory and enforcement actions. The proposed rule would not limit 
enforcement or supervisory actions for failures to establish an AML/CFT 
program. However, with respect to banks, once a bank has properly 
established an AML/CFT program, the proposed rule would raise the 
threshold for significant actions based solely on implementation 
deficiencies so only significant or systemic failures by a bank to 
implement an effective AML/CFT program (i.e., deficiencies or issues 
that arise from failing to implement, in all material respects, a 
properly established AML/CFT program) would warrant an ``AML/CFT 
enforcement action'' or a ``significant AML/CFT supervisory action,'' 
as these terms are defined in the proposed rule. In this way, the 
proposed rule is intended to clarify and reinforce a supervisory and 
enforcement focus on addressing significant or systemic failures to 
implement an effective AML/CFT program, rather than on isolated, 
technical, or immaterial implementation issues.\44\
---------------------------------------------------------------------------

    \44\ FinCEN, FinCEN Statement on Enforcement of the Bank Secrecy 
Act (Aug. 18, 2020), <a href="https://www.fincen.gov/news/news-releases/fincen-statement-enforcement-bank-secrecy-act">https://www.fincen.gov/news/news-releases/fincen-statement-enforcement-bank-secrecy-act</a>.
---------------------------------------------------------------------------

    Importantly, under the proposed regulations, having an effective 
AML/CFT program would be more than a one-time adoption of a risk-based 
set of internal policies, procedures, and controls. Rather, a financial 
institution would be required to keep its risk-based set of internal 
policies, procedures, and controls--and the risk assessment processes 
that inform them--current as the financial institution's risk profile 
changes. For example, while a financial institution's risk-based set of 
internal policies, procedures, and controls may, at one time, have been 
reasonably designed, they may no longer be reasonably designed given 
changes to the financial institution's risk profile. Similarly, an 
effective AML/CFT program would involve more than a one-time creation 
of an employee training program or initiation of an independent testing 
mechanism: the financial institution would also be required to keep 
such aspects of the AML/CFT program current as the financial 
institution's risk profile changes. Thus, even where a financial 
institution has previously established an AML/CFT program in accordance 
with the proposed rule, a failure to update the program to reflect 
significant changes to the institution's risk profile may result in the 
program no longer meeting the program establishment requirements, and 
the financial institution may accordingly be subject to supervisory or 
enforcement action for a failure to establish an effective AML/CFT 
program.
    The proposed rule would provide FinCEN with a greater role in the 
supervisory process with respect to banks and the relevant Agency. To 
better ensure that bank examiners are performing ``risk focused'' 
supervision, the proposed rule would require that the Agencies, when 
acting under supervisory authority delegated by FinCEN, consult with 
FinCEN prior to taking a significant AML/CFT
supervisory action.\45\ FinCEN would require the Agencies, when acting 
pursuant to FinCEN's delegated authority, to provide FinCEN written 
notice at least 30 days prior to taking such an action. FinCEN would 
have an opportunity to review the action and the underlying information 
giving rise to it, and the Agencies would be required to consider any 
input offered by FinCEN concerning the effectiveness of the bank's AML/
CFT program.\46\
---------------------------------------------------------------------------

    \45\ Because FinCEN has not delegated any enforcement authority 
to the Agencies, the Agencies have no authority to take an 
enforcement action under 31 CFR chapter X. As a result, there is no 
corresponding rule text related to enforcement actions by the 
Agencies acting under authority provided by FinCEN.
    \46\ FinCEN anticipates the Agencies imposing a similar 
consultation requirement on themselves when the Agencies act under 
other laws, including 12 U.S.C. 1786 or 1818.
---------------------------------------------------------------------------

    By explicitly defining the requirements for an institution to 
establish and maintain an effective AML/CFT program, and by 
standardizing the AML/CFT supervision and enforcement process for banks 
and the Agencies, the proposed rule is expected to better achieve the 
purposes of the BSA and lead to better outcomes for financial 
institutions, law enforcement, and national security agencies. Treasury 
and FinCEN do not intend, however, for the proposed rule to provide 
permission for financial institutions to establish ``paper programs'' 
that might be interpreted as meeting the proposed rule's technical 
requirements on their face but do not achieve the desired outcomes of 
more effectively and efficiently detecting and preventing ML/TF 
activity. To establish a compliant AML/CFT program under the proposed 
rule, a financial institution must, among other things, establish a 
risk-based set of internal policies, procedures, and controls that is 
reasonably designed to ensure compliance with the BSA and 31 CFR 
chapter X, including through the adoption of risk assessment processes. 
A critical element of this requirement is that the financial 
institution's internal policies, procedures, and controls be 
``reasonably designed.'' For example, if a financial institution's 
program testing reveals that a new customer type or new activity is 
high risk, but the financial institution does not take any action to 
revise the design of its internal policies, procedures, and controls 
and therefore treats the customer or activity as presenting low risk, 
then its program should not be considered reasonably designed. Treasury 
and FinCEN believe that financial institutions know their customer 
base, businesses, and risks better than their regulators and the 
government; thus, financial institutions are best positioned to 
identify and evaluate their ML/TF risks. Financial institutions should 
therefore, and would under this proposed rule, have significant 
flexibility and discretion in their decisions and determinations 
related to risk identification and resource allocation. However, 
examiners would be expected to assess whether: (1) a financial 
institution's resource allocation decisions are informed by, and 
consistent with, reasonably designed risk assessment processes; and (2) 
with respect to implementation, specifically, whether the financial 
institution knows or should know of resource-related issues involving 
its internal policies, procedures, and controls that may result in the 
financial institution failing to implement its AML/CFT program in all 
material respects and failing to address such issues.
    Similarly, Treasury and FinCEN expect a financial institution to be 
examined for its implementation of the established AML/CFT program in 
all material respects. Merely designating an individual responsible for 
establishing and implementing the AML/CFT program, and having that 
individual establish internal policies, procedures, and controls, an 
employee training program, and an independent testing program, are not 
sufficient to satisfy the proposed rule's obligations for a financial 
institution to have an effective AML/CFT program. Rather, a financial 
institution would be examined for whether it has implemented, in all 
material respects, its established AML/CFT program, including whether 
the financial institution is, in fact, allocating resources as 
contemplated in its established AML/CFT program, which the proposed 
rule would require to be consistent with its reasonably designed risk 
assessment processes. Banks with significant or systemic failures to 
implement an effective AML/CFT program may be subject to a significant 
supervisory action or enforcement action, whereas isolated, technical, 
or immaterial implementation deficiencies would not be cause for such 
actions.

V. Section-by-Section Analysis

    This section-by-section analysis describes the specific proposed 
changes to the program rules. Section V.A addresses the proposed 
incorporation of CFT into the program rules. Section V.B discusses the 
requirements for an ``effective'' AML/CFT program to comply with the 
requirements of 31 U.S.C. 5318(h)(1) and the proposed rule. Section V.C 
explains what it means to ``establish,'' ``maintain,'' and 
``implement'' an effective AML/CFT program. Section V.D describes the 
components of program establishment, including: (1) internal policies, 
procedures, and controls (including risk assessment processes); (2) 
independent program testing; (3) an individual, located in the United 
States and accessible to FinCEN and the appropriate Federal functional 
regulator, responsible for establishing and maintaining the program, 
and coordinating and monitoring day-to-day compliance; and (4) ongoing 
employee training. Section V.E discusses the requirements that the AML/
CFT program be written, accessible, and approved by financial 
institution leadership. Section V.F addresses the supervision and 
enforcement section of the proposed rule for banks, and Section V.G 
describes several technical changes that the proposal makes to existing 
AML program rules.

A. Inserting the Term ``CFT'' Into the AML Program Rules

    Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to 
reference ``countering the financing of terrorism'' \47\ in addition to 
``anti-money laundering'' when describing the requirement to establish 
an AML/CFT program. FinCEN proposes to update its regulations in 31 CFR 
chapter X to reflect this new statutory language. For example, the 
proposed rule would change the title of 31 CFR 1020.210 from ``Anti-
money laundering program requirements for banks'' to ``Anti-money 
laundering/countering the financing of terrorism program requirements 
for banks.'' Similar changes would apply to the titles of the other 
program rules in chapter X.
---------------------------------------------------------------------------

    \47\ Countering the financing of terrorism (CFT) includes laws, 
rules, regulations, or other measures intended to detect and disrupt 
the solicitation, collection, or provision of funds to support 
terrorist acts or terrorist organizations, or other violent 
extremist groups.
---------------------------------------------------------------------------

    The inclusion of ``CFT'' in the program rules would not create new 
obligations for financial institutions, insofar as the USA PATRIOT Act 
already requires them to account for risks related to terrorist 
financing. Accordingly, FinCEN expects any changes to existing AML/CFT 
programs from the amendments described in this subsection to be 
technical and therefore not have any substantive impact on financial 
institutions' BSA compliance obligations.

B. An ``Effective'' AML/CFT Program

    As discussed above in section IV.A, in prescribing the minimum 
standards for

[[Page 18712]]

an AML/CFT program and in supervising and examining compliance with 
those standards, the AML Act requires the Secretary and the appropriate 
Federal functional regulator to take into account that effective AML/
CFT programs safeguard national security and help law enforcement 
prevent the flow of illicit funds in the financial system.\48\ Further, 
the AML Act instructs FinCEN to focus on achieving effective outcomes 
rather than dictating the processes used to reach those outcomes, an 
orientation reflected in the proposed rule. Consistent with FinCEN and 
the Agencies' longstanding expectations regarding what effective 
outcomes entail, FinCEN believes that, as a practical matter, it is not 
possible for a financial institution to detect and report all 
potentially illicit transactions that flow through the institution.\49\ 
Similarly, a financial institution's AML/CFT program can be effective 
without preventing every minor instance of a financial institution 
falling prey to illicit finance misuse. Accordingly, the proposed rule 
would set out that an AML/CFT program is ``effective'' and complies 
with the requirements of 31 U.S.C. 5318(h)(1) so long as it is 
established and maintained in accordance with applicable requirements.
---------------------------------------------------------------------------

    \48\ See 31 U.S.C. 5318(h)(2)(B)(iii).
    \49\ Federal Financial Institutions Examination Council (FFIEC), 
FFIEC BSA/AML Examination Manual, Assessing Compliance with BSA 
Regulatory Requirements--Suspicious Activity Reporting, <a href="https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04">https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04</a>.
---------------------------------------------------------------------------

    As noted in section II.B and section II.C, FinCEN has introduced 
the concept of an ``effective'' AML/CFT program in prior rulemakings, 
and the public has provided valuable feedback on this concept. For 
example, the Effectiveness ANPRM considered proposing a definition of 
an effective and reasonably designed program as one that: (1) 
identifies, assesses, and reasonably mitigates the risks resulting from 
illicit financial activity--including terrorist financing, money 
laundering, and other related financial crimes--consistent with both 
the institution's risk profile and the risks communicated by relevant 
government authorities as national AML priorities; (2) assures and 
monitors compliance with the recordkeeping and reporting requirements 
of the BSA; and (3) provides information with a high degree of 
usefulness to government authorities consistent with both the 
institution's risk assessment and the risks communicated by relevant 
government authorities as national AML priorities.\50\
---------------------------------------------------------------------------

    \50\ 85 FR 58026.
---------------------------------------------------------------------------

    The proposed rule would provide that a financial institution has an 
``effective'' program if it (1) is established in accordance with the 
proposed rule's establishment requirements; and (2) is maintained, 
meaning that a properly established program is implemented in all 
material respects.
    One of the AML Act's key purposes is to ``encourage technological 
innovation and the adoption of new technology by financial institutions 
to more effectively counter money laundering and financing of 
terrorism.'' \51\ Consistent with this purpose and pursuant to the 
Executive order on Removing Barriers to American Leadership in 
Artificial Intelligence, the Winning the Race America's AI Action Plan, 
and the Executive order on Ensuring a National Policy Framework for 
Artificial Intelligence, Treasury has undertaken various efforts to 
research, promote, and take actions that reflect its commitment to the 
role of innovation as part of a modernized AML/CFT framework.\52\
---------------------------------------------------------------------------

    \51\ AML Act, section 6002(3) (Purposes).
    \52\ E.O. 14179, Removing Barriers to American Leadership in 
Artificial Intelligence, 90 FR 8741 (issued Jan. 23, 2025; published 
Jan. 31, 2025); White House, Winning the Race America's AI Action 
Plan (July 2025), <a href="https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf">https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf</a>; E.O. 14179, Ensuring a National 
Policy Framework for Artificial Intelligence, 90 FR 58499 (issued 
Dec. 11, 2025; published Dec. 16, 2025).
---------------------------------------------------------------------------

    Treasury has highlighted the potential for innovative technologies 
to strengthen AML/CFT programs in various strategies and public 
engagements. The 2024 National Illicit Finance Strategy highlighted how 
innovative technologies like machine learning and large language models 
have potential to strengthen financial institutions' AML/CFT programs, 
enabling financial institutions to more rapidly and effectively analyze 
data to identify patterns, risks, trends, and typologies.\53\ In 
addition to discussion of specific types of and applications for 
technology, Treasury has expressed broad support for exploring areas 
where AI, blockchain analysis, digital identity, and other tools can 
produce a more efficient and more effective AML/CFT framework.\54\
---------------------------------------------------------------------------

    \53\ U.S. Department of the Treasury, 2024 National Strategy for 
Combating Terrorist and Other Illicit Financing (May 2024), <a href="https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf">https://home.treasury.gov/system/files/136/2024-Illicit-Finance-Strategy.pdf</a>.
    \54\ U.S. Department of the Treasury, Press Release, ``Remarks 
by Under Secretary for Terrorism and Financial Intelligence John K. 
Hurley at the Association of Certified Anti-Money Laundering 
Specialists Assembly Conference'' (Sept. 17, 2025), <a href="https://home.treasury.gov/news/press-releases/sb0251">https://home.treasury.gov/news/press-releases/sb0251</a>.
---------------------------------------------------------------------------

    FinCEN encourages financial institutions to evaluate whether new 
technology or innovative approaches might help to more effectively 
combat financial crime. Innovative approaches could involve machine 
learning, generative artificial intelligence (GenAI), digital identity, 
blockchain monitoring and analytics, or application programming 
interfaces (APIs). These technologies may be especially useful in 
countering illicit finance activity involving digital assets, an effort 
for which FinCEN supports financial institutions' responsible use of 
novel models, techniques, or strategies. To that end, FinCEN encourages 
financial institutions to review the White House report on 
Strengthening American Leadership in Digital Financial Technology as 
well as Treasury's report on Innovative Technologies to Counter Illicit 
Finance Involving Digital Assets.\55\ This report explores how 
financial institutions can employ innovative and novel methods to 
detect and stop financial crime involving digital assets, and 
encourages the responsible use of novel tools and techniques that can 
improve the effectiveness of the U.S. AML/CFT regime.
---------------------------------------------------------------------------

    \55\ White House, Strengthening American Leadership in Digital 
Financial Technology (July 30, 2025), <a href="https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf">https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf</a>; U.S. 
Department of the Treasury, Report to Congress from the Secretary of 
the Treasury on Innovative Technologies to Counter Illicit Finance 
Involving Digital Assets (Mar. 2026), <a href="https://home.treasury.gov/system/files/246/GENIUS-Act-Illicit-Finance-Innovation-Congressional-Report-March-2026.pdf">https://home.treasury.gov/system/files/246/GENIUS-Act-Illicit-Finance-Innovation-Congressional-Report-March-2026.pdf</a>.
---------------------------------------------------------------------------

    FinCEN recognizes that adopting new technologies for BSA compliance 
may not be suitable for every financial institution, particularly 
smaller ones, and the proposed rule therefore does not reference or 
require the use of any particular technology. A financial institution 
may find it beneficial to consider whether its AML/CFT program 
appropriately uses the financial institution's existing resources, 
including technology and data. However, building on longstanding 
guidance, FinCEN encourages institutions to engage in responsible AML/
CFT innovation.\56\ Institutions that responsibly experiment with 
innovative technologies in their AML/CFT programs will not incur any 
additional risk of being subject to a significant supervisory AML/CFT 
action or AML/CFT enforcement action solely

[[Page 18713]]

based on the use of innovative technologies. To the contrary, FinCEN 
recognizes that fostering the use of innovative technologies is vital 
to improving financial crime compliance and fighting illicit finance 
and strongly encourages their responsible use.
---------------------------------------------------------------------------

    \56\ FRB, FDIC, FinCEN, NCUA, and OCC, Joint Statement on 
Innovative Efforts to Combat Money Laundering and Terrorist 
Financing (Dec. 3, 2018), <a href="https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf">https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf</a>.
---------------------------------------------------------------------------

    In addition to new technology, FinCEN is aware of concerns 
surrounding model risk management at financial institutions. FinCEN has 
considered comments submitted in response to the 2021 Request for 
Information and Comment: Extent to Which Model Risk Management 
Principles Support Compliance With Bank Secrecy Act/Anti-Money 
Laundering and Office of Foreign Assets Control Requirements (RFI).\57\ 
FinCEN received comments including concerns that supervisors may expect 
financial institutions to apply the Supervisory Guidance on Model Risk 
Management (MRMG) to AML/CFT and OFAC-related policies, procedures, and 
controls.\58\
---------------------------------------------------------------------------

    \57\ OCC, FRB, FDIC, NCUA, and FinCEN, Request for Information 
and Comment: Extent to Which Model Risk Management Principles 
Support Compliance With Bank Secrecy Act/Anti-Money Laundering and 
Office of Foreign Assets Control Requirements, 86 FR 18978 (Apr. 12, 
2021).
    \58\ FRB and OCC, Supervisory Guidance on Model Risk Management, 
(Apr. 4, 2011), <a href="https://www.federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf">https://www.federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf</a>.
---------------------------------------------------------------------------

    While FinCEN has not issued or been party to any prior MRMG 
guidance, FinCEN shares certain concerns articulated in the comments to 
the RFI that these models, which are designed to assess different types 
of risks with different information input, processing, and reporting 
components, may be overly burdensome and ill-fitted to address illicit 
finance risks. FinCEN welcomes comment on this position and intends to 
work with the Agencies to address these concerns.

C. Establishing and Maintaining an AML/CFT Program

    The requirement that financial institutions establish and maintain 
an AML/CFT program is not new, although over time various formulations 
of this requirement have developed in statutes and regulations.\59\ The 
proposed rule would set out uniform terms for an AML/CFT program across 
FinCEN's regulations for all types of financial institutions regulated 
under the BSA and delineate the requirements that must be met for 
financial institutions to have an effective AML/CFT program. That is, 
the proposed rule would create a two-pronged framework under which a 
financial institution's AML/CFT program would be deemed to be effective 
if the financial institution establishes and maintains its program. 
Under the proposed rule, a financial institution maintains its properly 
established AML/CFT program by implementing it in all material 
respects.
---------------------------------------------------------------------------

    \59\ For instance, the provision of the BSA which requires 
financial institutions to have AML/CFT program rules states that 
``each financial institution shall establish'' (emphasis added) such 
programs, including certain requirements as specified. See 31 U.S.C. 
5318(h)(1). The corresponding Federal statute requiring banks 
regulated by the Federal banking agencies to have BSA compliance 
programs states that these banks must ``establish and maintain 
procedures reasonably designed to assure and monitor the 
compliance'' with the requirements of the BSA. 12 U.S.C. 1818(s)(1). 
In addition, the current program rules regulating financial 
institutions use inconsistent terms to describe establishing, 
implementing, and maintaining AML/CFT programs. For example, some 
program rules use the terms ``implements and maintains''--31 CFR 
1020.210 (banks); 1021.210 (casinos); 1023.210 (broker-dealers); 
1026.210 (FCMs and IBCs) while others use the terms ``develop, 
implement, and maintain,'' 1022.210 (MSBs) and others use ``develop 
and implement'' 1024.210 (mutual funds); 1025.210 (insurance 
companies); 1027.210 (DPMSJs); 1028.210 (operators of credit card 
systems); 1029.210 (loan or finance companies); and 1030.210 
(housing GSEs)--with respect to the general AML program requirement.
---------------------------------------------------------------------------

1. Proposed 31 CFR 10XX.210(b)--Establishing Versus Maintaining an AML/
CFT Program
    For a financial institution to have an effective AML/CFT program, 
the proposed 31 CFR 10XX.210(b) (``31 CFR 10XX'' refers to proposed 
changes to the AML program rules of all eleven financial institution 
types) would require a financial institution to establish an AML/CFT 
program and then maintain the AML/CFT program by implementing, in all 
material respects, the established AML/CFT program. The proposed rule 
describes the requirements for a financial institution to establish and 
maintain an effective AML/CFT program that complies with the 
requirements of 31 U.S.C. 5318(h)(1). The AML/CFT program minimum 
components constituting program establishment, and described in further 
detail in section V.D below, are: (1) internal policies, procedures, 
and controls (including risk assessment processes); (2) independent 
program testing; (3) an individual, located in the United States and 
accessible to FinCEN and the Agencies, responsible for establishing and 
maintaining the program, and coordinating and monitoring day-to-day 
compliance; and (4) ongoing employee training. ``Establishing'' an AML/
CFT program involves designing an AML/CFT program that incorporates all 
of the required components. ``Implementation,'' by contrast, addresses 
whether the financial institution is executing that program in 
practice. This distinction matters, particularly for banks, because 
proposed 31 CFR 1020.221(b) ties the availability of AML/CFT 
enforcement and significant supervisory actions based on the program 
rule for an established bank program to a significant or systemic 
failure to implement an effective AML/CFT program. The distinction 
between establishing and implementing an AML/CFT program is intended to 
make transparent how the individual elements of 31 CFR 1020.210 work 
together to satisfy 31 U.S.C. 5318(h)(1).
    The concepts of program establishment and program maintenance are 
closely related to the supervision and enforcement provisions of the 
proposed program rule for banks. In particular, as explained in more 
detail in section V.F, a bank that has properly established an AML/CFT 
program (i.e., satisfied the proposed rule's requirements regarding 
establishment) will not be subject to an AML/CFT enforcement action or 
a significant supervisory action based on the program rule except with 
respect to a significant or systemic failure to implement an effective 
AML/CFT program (i.e., a failure to implement, in all material 
respects, a properly established AML/CFT program).\60\
---------------------------------------------------------------------------

    \60\ The proposed rule would clarify that this limitation on 
AML/CFT enforcement actions and significant AML/CFT supervisory 
actions does not apply with respect to a failure to properly 
establish an AML/CFT program.
---------------------------------------------------------------------------

    Separating program establishment from program maintenance therefore 
provides needed clarity regarding whether a supervisory concern relates 
to deficiencies stemming from the program's design, on the one hand, or 
failures in the program's operation, on the other. This two-prong 
framework would help promote consistent articulation of supervisory 
expectations and prevent conflating criticisms of program design--the 
remediation of which would likely be different in kind--with criticisms 
of day-to-day implementation. The proposed distinction does not change 
the substantive obligations of 31 U.S.C. 5318(h)(1); rather, it 
clarifies how those obligations map onto the two statutory requirements 
at the core of section 5318(h)(1): having a risk-based and reasonably 
designed program and adhering to it in operation.
    As noted previously, FinCEN intends for the requirements of this 
proposed rule to not be limited to a one-time adoption of the elements 
required for program establishment, such as internal policies, 
procedures, and controls. Rather, FinCEN intends a financial

[[Page 18714]]

institution's establishment of its AML/CFT program to require the 
financial institution's risk-based set of internal policies, 
procedures, and controls--and the risk assessment processes that inform 
them--to remain current as the financial institution's risk profile 
changes. For example, if a financial institution begins providing a new 
product or service--or changes how it provides an existing product or 
service, such as operating in a new geographic location--under this 
proposed rule, a financial institution would need to incorporate its 
new product or service as part of its risk assessment processes. The 
proposed rule would require a financial institution to make a risk 
determination and, as appropriate, redesign its internal policies, 
procedures, and controls to account for the risks that it did not 
previously encounter prior to offering the new product or service, or 
operating in the new geographic location. Thus, under the proposed 
rule, even where a financial institution has previously established an 
AML/CFT program in accordance with the proposed rule, a failure to 
update the program to reflect significant changes in the institution's 
risk profile may result in the program no longer satisfying the 
proposed rule's requirements regarding establishment.
2. Proposed 31 CFR 10XX.210(c)--Implementation of an AML/CFT Program
    Once a financial institution has properly ``established'' an AML/
CFT program, the institution must ``maintain'' the program by 
implementing it, in all material respects. Minor deficiencies of an 
AML/CFT program would not necessarily mean that a financial institution 
has failed to implement the program.
    Although there are a variety of ways that a financial institution 
may not be implementing its program ``in all material respects,'' in 
FinCEN's experience, commonly observed examples may include, but would 
not be limited to: (1) internal policies, procedures, and controls are 
not being performed or not being performed on a consistent, regular, 
and timely basis (e.g., consistently ignored warnings or red flags that 
a program was seriously deficient) due to the nature or extent of 
required resources becoming inadequate; (2) gaps in the risk assessment 
processes that result in the financial institution's program missing or 
inadequately covering higher ML/TF risks (e.g., systems used to monitor 
for potentially suspicious activity failing to capture material volumes 
or types of transactions); or (3) deficiencies or weaknesses in the 
risk assessment processes that have a material impact on the financial 
institution's mitigation of ML/TF risks through its internal policies, 
procedures, and controls, including due to data-related issues 
involving relevant processes and systems.
    Similarly, FinCEN expects that a financial institution could become 
aware of such implementation-related concerns through a variety of 
mechanisms, including, but not limited to: (1) independent testing of 
the AML/CFT program; (2) examiner observations, suggestions, or other 
informal comments about the AML/CFT program from FinCEN (or its 
designee, such as a Federal functional regulator); (3) management 
information systems and related reports or other outputs (e.g., key 
performance indicators or key risk indicators, such as monitoring for 
potentially material backlogs in relevant AML/CFT processes); and (4) 
issues identified by personnel involved in the operation of the 
financial institution's AML/CFT program. A bank that fails to 
reasonably address such warnings that its program is not being 
implemented would be at risk of being subject to a significant AML/CFT 
supervisory action, an AML/CFT enforcement action, or both.

D. Program Establishment

    As noted earlier, pursuant to 31 U.S.C. 5318(h), the AML/CFT 
program requirements for financial institutions must have certain 
minimum elements comprised of: (1) internal policies, procedures, and 
controls; (2) an independent audit function to test programs; (3) a 
designated compliance officer; (4) an ongoing employee training 
program; and (5) other components, depending on the type of financial 
institution. The majority of the proposed rule's AML/CFT program 
components are substantially similar to the existing statutory and 
regulatory requirements for financial institutions. However, FinCEN is 
proposing certain additions and modifications to modernize and 
strengthen financial institutions' AML/CFT programs to enable financial 
institutions to better mitigate illicit finance risks.
1. Proposed 31 CFR 10XX.210(b)(1)--Internal Policies, Procedures, and 
Controls
    The BSA requires financial institutions to develop ``internal 
policies, procedures, and controls'' as part of their AML/CFT 
programs.\61\ Existing AML program rules already impose internal 
policies, procedures, and controls requirements to ensure compliance, 
but with differing formulations. The proposed rule would standardize 
these requirements for financial institutions required to comply with 
FinCEN's program rules to establish a risk-based set of internal 
policies, procedures, and controls in their AML/CFT programs.
---------------------------------------------------------------------------

    \61\ 31 U.S.C. 5318(h)(1)(A).
---------------------------------------------------------------------------

    Proposed 31 CFR 10XX.210(b)(1) provides that a financial 
institution's risk-based set of internal policies, procedures, and 
controls must be reasonably designed to: (1) identify, assess, and 
document ML/TF risks through risk assessment processes; (2) mitigate 
ML/TF risks consistent with the risk assessment processes, including by 
allocating more attention and resources toward higher-risk customers 
and activities rather than toward lower-risk customers and activities; 
and, for certain financial institutions (3) conduct ongoing CDD. The 
preamble addresses each of these features below.
    Under this proposal, a financial institution's risk-based set of 
internal policies, procedures, and controls should be based upon, 
informed by, and consistent with the financial institution's risk 
assessment processes. The level of sophistication of the internal 
policies, procedures, and controls should be commensurate with the 
size, structure, risk profile, and complexity of the financial 
institution.
    The requirement that a financial institution's risk-based set of 
internal policies, procedures, and controls be ``reasonably designed'' 
gives financial institutions flexibility in how they achieve compliance 
with the BSA and the proposed rule's other requirements. As part of 
having a risk-based set of internal policies, procedures, and controls 
reasonably designed to ensure compliance with the BSA and FinCEN's 
regulations, financial institutions may choose to responsibly adopt new 
technologies or innovative approaches to comply with BSA requirements. 
Consistent with this purpose, FinCEN encourages financial institutions 
to evaluate whether new technology or innovative approaches in other 
resources might help to more effectively combat financial crime. 
Innovative approaches could involve machine learning, GenAI, digital 
identity, blockchain monitoring and analytics, or APIs. These 
technologies may be especially useful in countering illicit finance 
activity involving digital assets, an effort for which FinCEN supports 
the responsible use of novel models, techniques, or strategies.

[[Page 18715]]

i. Proposed 31 CFR 10XX.210(b)(1)(i)--Risk Assessment Processes
    FinCEN is proposing in 31 CFR 10XX.210(b)(1)(i) that, as part of a 
financial institution's risk-based set of internal policies, 
procedures, and controls, the financial institution establish and 
maintain risk assessment processes to: (1) evaluate the ML/TF risks of 
the financial institution's business activities, including products, 
services, distribution channels, customers, and geographic locations; 
(2) review and, as appropriate, incorporate the AML/CFT Priorities; and 
(3) be updated promptly upon any change that the financial institution 
knows or has reason to know significantly changes the institution's ML/
TF risks.
    While it is common practice among many financial institutions to 
maintain a risk assessment process or processes, the requirement that 
financial institutions have risk assessment processes when developing 
their AML/CFT programs is not stated in a uniform manner for all 
financial institutions under the current AML program rules. Under some 
program rules, certain financial institutions--such as insurance 
companies and loan and finance companies--are explicitly required to 
``[i]ncorporate policies, procedures, and internal controls based upon 
. . . [an] assessment of the . . . risks associated with its products 
and services.'' \62\ Under other program rules, some financial 
institutions--such as casinos and MSBs--must develop internal policies, 
procedures, and controls, and independent testing ``commensurate with 
the risks'' posed by their products.\63\ This latter requirement 
implicitly requires risk assessment processes, as an institution cannot 
develop a risk-based set of internal policies, procedures, and controls 
without first identifying the institution's risks by way of some 
process. Thus, the proposed rule would standardize the requirement for 
risk assessment processes across different types of financial 
institutions subject to program rules, thereby clarifying existing 
expectations and practices.
---------------------------------------------------------------------------

    \62\ See 31 CFR 1029.210 (loan or finance companies); 1030.210 
(housing GSEs); see also 31 CFR 1025.210 (insurance companies); 
1028.210 (operators of credit card systems).
    \63\ See 31 CFR 1022.210 (MSBs); 1025.210 (insurance companies); 
see also 31 CFR 1021.210 (casinos) (``commensurate with the money 
laundering and terrorist financing risks posed by the products and 
services'').
---------------------------------------------------------------------------

    Importantly, the proposed rule requires, as part of a financial 
institution's risk-based set of internal policies, procedures and 
controls, that it identify, assess, and document its ML/TF risks using 
risk assessment processes. FinCEN understands that many financial 
institutions currently maintain a single, or standalone, risk 
assessment process either voluntarily or as required or expected by 
Federal regulators. This risk assessment process, generally conducted 
on an annual basis, results in a documented ML/TF risk assessment. 
While such a risk assessment process may be appropriate under the 
proposal, the use of the term ``risk assessment processes'' is intended 
to reflect that a financial institution may rely on multiple 
processes--applied as appropriate within its AML/CFT program--to 
identify, assess, and document its ML/TF risks and will be examined 
based on the totality of these processes rather than the sufficiency of 
a single, standalone risk assessment process.
    FinCEN believes financial institutions are best positioned to 
identify and evaluate their ML/TF risks and is therefore not 
prescribing any particular risk assessment processes or methodologies 
other than the critical elements described in this proposed rule. Under 
the proposed rule, financial institutions will be examined for whether 
they have established and implemented, in all material respects, 
reasonably designed risk assessment processes--which need not be in the 
form of a singular risk assessment process. Furthermore, as discussed 
further below, FinCEN is not prescribing any particular timeframe for 
institutions to update their risk assessment processes.
    The explicit requirement to have risk assessment processes will be 
new for banks, casinos, MSBs, broker-dealers, mutual funds, and FCMs 
and IBCs.\64\
---------------------------------------------------------------------------

    \64\ The current program rules without explicit risk assessment 
requirements are located at 31 CFR 1020.210 (banks); 1021.210 
(casinos); 1022.210 (MSBs); 1023.210 (broker-dealers); 1024.210 
(mutual funds); and 1026.210 (FCMs and IBCs).
---------------------------------------------------------------------------

a. Proposed 31 CFR 10XX.210(b)(1)(i)(A)--ML/TF Risks
    Proposed 31 CFR 10XX.210(b)(1)(i)(A) would require a financial 
institution's risk assessment processes to evaluate the ML/TF risks of 
its business activities, including products, services, distribution 
channels, customers, and geographic locations. These factors are 
generally well known and often incorporated into current risk 
assessment processes of some financial institutions. FinCEN considers 
``distribution channels'' to refer to the methods and tools through 
which a financial institution opens accounts and provides products or 
services, including, for example, through remote or other non-face-to-
face means.
    Financial institutions may use a variety of sources to inform their 
risk assessment processes. Such sources may include information 
obtained from other financial institutions, such as emerging risks and 
typologies identified through section 314(b) information sharing or 
payment transactions that other financial institutions returned or 
flagged due to ML/TF risks.\65\ Information a financial institution 
generates or maintains could be another source. Such internal 
information may include, for example, customer internet protocol (IP) 
addresses or device logins and related geolocation information.
---------------------------------------------------------------------------

    \65\ See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020), <a href="https://www.fincen.gov/system/files/shared/314bfactsheet.pdf">https://www.fincen.gov/system/files/shared/314bfactsheet.pdf</a>.
---------------------------------------------------------------------------

    Feedback from FinCEN, law enforcement, and financial regulators may 
also inform risk assessment processes. For example, if a financial 
institution receives feedback from law enforcement about a report it 
has filed or potential risks at the financial institution, the 
financial institution may incorporate that information into its risk 
assessment processes. Similarly, a financial institution may consider 
information identified from responding to section 314(a) requests.
    In addition to feedback, reports, and analyses published by 
Treasury and FinCEN, the Federal functional regulators, or self-
regulatory organizations (SROs) may be particularly relevant to a 
financial institution's business activities, thereby warranting 
consideration when evaluating ML/TF risks. Treasury describes changes 
in the illicit finance risk environment in its biennial National Money 
Laundering Risk Assessment, National Terrorist Financing Risk 
Assessment, and National Proliferation Financing Risk Assessment, which 
highlight significant illicit finance threats, vulnerabilities, and 
risks.\66\ FinCEN also publishes advisories and analyses on emerging 
risks and typologies, including Financial Trend Analyses issued 
pursuant to section 6206 of the AML Act. These reports contain threat 
pattern and trend information derived from BSA filings and may help 
inform financial institutions' understanding of

[[Page 18716]]

risks associated with different threats and vulnerabilities as they 
evolve.\67\ Regardless of the source, financial institutions should 
take measures in their risk assessment processes to ensure this 
information is reasonably current, complete, and accurate.
---------------------------------------------------------------------------

    \66\ See U.S. Department of the Treasury, 2026 National Money 
Laundering Risk Assessment (March 2026), <a href="https://home.treasury.gov/system/files/246/2026-NMLRA.pdf">https://home.treasury.gov/system/files/246/2026-NMLRA.pdf</a>; 2026 National Terrorist Financing 
Risk Assessment (March 2026), <a href="https://home.treasury.gov/system/files/246/2026-NTFRA.pdf">https://home.treasury.gov/system/files/246/2026-NTFRA.pdf</a>; 2026 National Proliferation Financing Risk 
Assessment (March 2026), <a href="https://home.treasury.gov/system/files/246/2026-NPFRA.pdf">https://home.treasury.gov/system/files/246/2026-NPFRA.pdf</a>.
    \67\ See, e.g., FinCEN, Financial Trend Analyses, <a href="https://www.fincen.gov/resources/financial-trend-analyses">https://www.fincen.gov/resources/financial-trend-analyses</a>.
---------------------------------------------------------------------------

b. Proposed 31 CFR 10XX.210(b)(1)(i)(B)--AML/CFT Priorities
    Proposed 31 CFR 10XX.210(b)(1)(i)(B) would require financial 
institutions to review and incorporate the AML/CFT Priorities. The AML/
CFT Priorities set out the priorities for the U.S. government's AML/CFT 
policy as required by the AML Act and are designed to ensure that 
financial institutions' AML/CFT programs are aligned with those 
priorities. Recognizing the diverse nature of ML/TF threats facing the 
U.S. financial system and national security, and that financial 
institution AML/CFT programs benefit U.S. national security by 
safeguarding the financial system from ML/TF risks, the AML/CFT 
Priorities are intended to ensure that financial institutions are 
focusing on the greatest threats to U.S. national security, as defined 
by Treasury.
    Section 6101 of the AML Act requires that a financial institution's 
review and appropriate incorporation of the AML/CFT Priorities into its 
AML/CFT program be subject to supervision and examination for 
compliance with the BSA and other AML/CFT laws and regulations.\68\ 
FinCEN is implementing this statutory requirement by proposing that, as 
part of their risk assessment processes, financial institutions must 
review and, as appropriate, incorporate the AML/CFT Priorities. The 
inclusion of the AML/CFT Priorities in risk assessment processes is 
meant to help ensure that financial institutions understand their 
exposure to risks in areas that are of particular importance 
nationally, which may help financial institutions develop risk-based 
and reasonably designed AML/CFT programs.
---------------------------------------------------------------------------

    \68\ 31 U.S.C. 5318(h)(4)(E).
---------------------------------------------------------------------------

    FinCEN understands that the AML/CFT Priorities may not always be 
applicable to a financial institution's risk profile and activities. 
Therefore, FinCEN requires the incorporation of the AML/CFT Priorities 
in a financial institution's risk assessment processes as appropriate. 
This means that, having reviewed the AML/CFT Priorities, a financial 
institution may determine the extent to which a particular priority is 
applicable and whether and how a particular AML/CFT Priority should be 
incorporated into its risk assessment processes.
    Further, a financial institution may use its judgment and apply a 
reasonable, risk-based determination on whether to focus on a specific 
aspect of an AML/CFT Priority (e.g., cyber-enabled fraud), rather than 
addressing all aspects of an AML/CFT Priority that may either not be 
applicable (e.g., digital assets cybercrime for a financial institution 
that does not offer any digital asset products or services, or have any 
digital asset customers) or pose lower risks to the financial 
institution (e.g., proliferation financing risks for a financial 
institution with no cross-border operations, customers, transactions, 
or activities). However, FinCEN cautions that a surface-level, 
perfunctory review of an AML/CFT Priority by a financial institution 
and the foreseeable ways in which it may manifest itself within the 
financial institution's customers, products and services, geographies, 
and distribution channels would not satisfy this requirement. For 
example, patterns of transactions that may be consistent with potential 
structuring should not automatically be dismissed as lower value to law 
enforcement and untethered to an AML/CFT Priority without determining 
whether there is a potential connection to various types of other 
illicit finance activity (e.g., structuring or similar patterns 
involving transactions in narcotics trafficking proceeds).
    Under the AML Act, FinCEN is required to update the AML/CFT 
Priorities not less than once every four years.\69\ Whenever the AML/
CFT Priorities are updated, financial institutions would no longer be 
required to incorporate prior versions of the AML/CFT Priorities. 
Financial institutions would only be required to incorporate the most 
recent AML/CFT Priorities into their risk assessment processes.
---------------------------------------------------------------------------

    \69\ 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------

    FinCEN anticipates that some financial institutions may ultimately 
determine that their business models and risk profiles have limited 
exposure to some of the threats addressed in the AML/CFT Priorities but 
instead have greater exposure to other ML/TF risks not addressed in the 
AML/CFT Priorities. Additionally, some financial institutions' risk 
assessment processes may determine that their AML/CFT programs already 
sufficiently take into account some, or all, of the AML/CFT Priorities. 
In either case, any changes to financial institutions' AML/CFT 
programs, such as internal policies, procedures, or controls, would be 
based on the results of risk assessment processes and their impact on 
the AML/CFT program, including how to review and, as appropriate, 
incorporate the AML/CFT Priorities before making these determinations.
    FinCEN recognizes that some AML/CFT Priorities describe threats at 
a high level, or at a point in time, and that financial institutions 
may lack the context or information necessary on which specific 
threats, or what time frames, to consider or focus on when conducting 
their risk assessments. For instance, the AML/CFT Priorities that 
FinCEN issued in June 2021 describe ``fraud'' as one of the eight 
priorities and discuss specific examples of fraud that were 
especially salient in 2021. However, the government's priorities may 
have changed since the publication of the AML/CFT Priorities due to 
emergent ML/TF typologies (e.g., sanctions evasions by Russian 
oligarchs) or ML/TF threats (e.g., pig butchering) not addressed 
specifically in the AML/CFT Priorities. For example, FinCEN's support 
to Treasury's efforts to combat rampant government benefits fraud is 
just one example of how the government's focus on specific types of 
fraud evolves over time.\70\ This type of fraud may not have been a 
concern for a financial institution in prior risk assessment processes, 
but a financial institution may decide to conduct and apply risk 
assessment processes to identify whether such a risk is significant for 
a financial institution, and that determination may necessitate changes 
to a financial institution's AML/CFT program.
---------------------------------------------------------------------------

    \70\ U.S. Department of the Treasury, Press Release, ``Secretary 
Bessent Announces Initiatives to Combat Rampant Fraud in Minnesota'' 
(Jan. 9, 2026), <a href="https://home.treasury.gov/news/press-releases/sb0354">https://home.treasury.gov/news/press-releases/sb0354</a>.
---------------------------------------------------------------------------

    To assist financial institutions with their risk assessment 
processes, and to better identify activity related to the AML/CFT 
Priorities, FinCEN issues products under its Financial Institution 
Advisory Program (Advisory Program).\71\ FinCEN's Advisory Program 
communicates priority ML/TF threats and vulnerabilities to the U.S. 
financial system. Financial institutions may use this information to 
support effective, risk-based, and reasonably designed AML/CFT programs 
and suspicious activity monitoring systems to help generate highly 
useful information for

[[Page 18717]]

law enforcement and national security agencies.
---------------------------------------------------------------------------

    \71\ FinCEN, Alerts/Advisories/Notices/Bulletins/Fact Sheets, 
<a href="https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets">https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets</a>.
---------------------------------------------------------------------------

    Relatedly, since 2021, FinCEN has published Financial Trend 
Analyses (FTA) highlighting threat pattern and trend information 
derived from BSA data on additional fraud-related topics, including an 
FTA on fraud schemes targeting digital identities, mail theft-related 
check fraud, and elder financial exploitation.\72\ More recently, 
FinCEN issued an Alert on Fraud Rings and their Exploitation of Federal 
Child Nutrition programs in Minnesota given the rampant financial fraud 
and improper payments in Minnesota.\73\ As noted in the alert, ongoing 
investigations into fraudsters in Minnesota by the U.S. Department of 
Justice have identified potentially billions of dollars stolen from the 
Federal child nutrition programs and other Federal and State government 
benefits programs, including Medicaid.
---------------------------------------------------------------------------

    \72\ FinCEN, Financial Trend Analyses, <a href="https://www.fincen.gov/resources/financial-trend-analyses">https://www.fincen.gov/resources/financial-trend-analyses</a>.
    \73\ FinCEN, FinCEN Alert on Fraud Rings and their Exploitation 
of Federal Child Nutrition programs in Minnesota, (Jan. 9, 2026), 
<a href="https://www.fincen.gov/system/files/2026-01/FinCEN-Alert-Federal-Child-Nutrition-Programs.pdf">https://www.fincen.gov/system/files/2026-01/FinCEN-Alert-Federal-Child-Nutrition-Programs.pdf</a>.
---------------------------------------------------------------------------

    FinCEN requests comment from the public on whether additional 
guidance related to the consideration of the AML/CFT Priorities as part 
of an institution's risk assessment processes would be warranted.
c. Proposed 31 CFR 10XX.210(b)(1)(i)(C)--Updates to Risk Assessment 
Processes
    Proposed 31 CFR 10XX.210(b)(1)(i)(C) would require financial 
institutions to update their risk assessment processes promptly upon 
any change that the financial institution knows or has reason to know 
significantly changes their ML/TF risk profiles. For example, a 
financial institution may need to update its risk assessment when new 
products, services, and customer types are introduced; if existing 
products, services, and customer types undergo significant changes; 
when the financial institution adopts new risk mitigation technology; 
or if the financial institution as a whole expands or contracts through 
mergers, acquisitions, divestitures, dissolutions, and liquidations. 
Financial institutions may also need to update their risk assessment 
processes based on factors external to their operations that they know 
or have reason to know significantly change their ML/TF risk profiles. 
FinCEN welcomes comments on whether it should further clarify when 
financial institutions must review or update their risk assessment 
processes.
ii. Proposed 31 CFR 10XX.210(b)(1)(ii)--Mitigate ML/TF Risks Through 
Risk-Based Allocation of Attention and Resources
    Section 6101(b) of the AML Act states that the AML/CFT programs of 
financial institutions should be ``risk-based, including ensuring that 
more attention and resources of financial institutions should be 
directed toward higher-risk customers and activities, consistent with 
the risk profile of a financial institution, rather than toward lower-
risk customers and activities.'' \74\ Proposed 31 CFR 
10XX.210(b)(1)(ii) would adopt this formulation as part of a financial 
institution's obligation to establish a risk-based set of internal 
policies, procedures, and controls. Under the proposed rule, a 
financial institution's efforts to mitigate its ML/TF risks would 
involve ``directing more attention and resources toward higher-risk 
customers and activities, consistent with the risk profile of the 
[financial institution], rather than toward lower-risk customers and 
activities.''
---------------------------------------------------------------------------

    \74\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------

    FinCEN views risk-based allocation of resources as a critical step 
in realizing the AML Act's BSA modernization and reform ambitions, and 
an important departure from the status quo of AML/CFT compliance and 
supervision. The proposed rule envisions financial institutions 
exercising more flexibility in deploying attention and resources in 
accordance with the proposed rule without fear of supervisory criticism 
or action from examiners for directing more attention and resources on 
higher risk customers and activities rather than toward lower risk 
customers and activities.
    The goal of risk-based resource allocation is for financial 
institutions to spend less time, energy, and resources on lower 
priority activities that may result in fewer resources devoted to, and 
potentially distract from, more serious threats. The proposed rule 
would thus enable financial institutions to focus more on higher risk 
customers and activities, which FinCEN has determined should result in 
financial institutions being more effective at detecting, reporting, 
and preventing the flow of illicit funds and providing law enforcement 
with more valuable BSA reporting.
    As noted above, Treasury and FinCEN believe that financial 
institutions are best positioned to identify and evaluate their ML/TF 
risks and to make decisions related to risk identification and resource 
allocation in accordance with risk identification. The proposed rule, 
therefore, does not contemplate regulatory second-guessing of a 
financial institution's reasonable determinations regarding appropriate 
resource allocation or conclusions regarding specific risks. However, 
while Treasury and FinCEN do not believe that an examiner should 
substitute his or her own subjective judgment in place of the financial 
institution, examiners will be expected to assess whether: (1) a 
financial institution's resource allocation decisions are informed by, 
and consistent with, reasonably designed risk assessment processes; and 
(2) with respect to implementation, specifically, whether the financial 
institution knows or should know of resource-related issues involving 
its internal policies, procedures, and controls and other mandatory 
elements that may result in the financial institution failing to 
implement its AML/CFT program in all material respects and failing to 
address such issues.
iii. Proposed 31 CFR 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 
1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii)--
Conduct Ongoing Customer Due Diligence
    The existing program rules for certain financial institutions, 
referred to here as covered financial institutions, contain CDD 
requirements that have commonly been referred to as the ``fifth 
pillar'' of AML program rules for those types of financial 
institutions.\75\ Under these requirements, covered financial 
institutions must establish and maintain a written AML program that 
includes: ``appropriate risk-based procedures for conducting ongoing 
customer due diligence, to include, but not be limited to: 
understanding the nature and purpose of customer relationships for the 
purpose of developing a customer risk profile; and conducting ongoing 
monitoring to identify and report suspicious transactions and, on a 
risk basis, to maintain and update customer information.''
---------------------------------------------------------------------------

    \75\ See applicable program rules with CDD requirements for 
covered financial institutions located at 31 CFR 1020.210(a)(2)(v) 
and (b)(2)(v) (banks); 1023.210(b)(5) (broker-dealers); 
1024.210(b)(5) (mutual funds); and 1026.210(b)(5) (FCMs and IBCs).
---------------------------------------------------------------------------

    Proposed 31 CFR 1020.210(b)(1)(iii), 1023.210(b)(1)(iii), 
1024.210(b)(1)(iii), 1026.210(b)(1)(iii), and 1028.210(b)(1)(iii) would 
retain these ongoing CDD obligations without alteration but would make 
them part of the requirement that covered financial institutions 
establish a risk-based set of internal policies, procedures, and 
controls that is reasonably designed.

[[Page 18718]]

FinCEN proposes this organizational change because the activities 
required by the CDD pillar are, in practice, subsumed by the obligation 
for a covered financial institution to have a risk-based set of 
internal policies, procedures, and controls that is reasonably 
designed. The organizational change more accurately reflects how 
covered financial institutions operationalize such ongoing customer due 
diligence as part of their overall AML programs. This organizational 
change, however, is not intended to have any substantive effect on 
existing obligations under 31 CFR 1010.230.
iv. Application to Community Banks
    FinCEN recognizes that financial institutions vary significantly in 
size, structure, complexity, and risk profile. Under the proposed rule, 
the level of sophistication of a financial institution's internal 
policies, procedures, and controls--including its risk assessment 
processes--should be commensurate with the financial institution's 
size, structure, risk profile, and complexity. Accordingly, financial 
institutions with broader product offerings, more complex corporate 
structures, or greater exposure to higher-risk customers, products, 
services, or geographic locations would be expected to establish 
correspondingly more formalized or analytically complex internal 
policies, procedures, and controls--including risk assessment 
processes. By contrast, many community banks operate with more limited 
business activities, traditional lending and deposit services, a 
narrower geographic footprint, and customer bases concentrated within 
defined local communities. For such banks, risk assessment processes 
may appropriately be more streamlined or qualitative in nature, and a 
risk-based set of internal policies, procedures, and controls that is 
reasonably designed for a large, complex financial organization would 
not necessarily be required or appropriate for a community bank with a 
more limited risk profile.
    The proposed rule does not prescribe any specific methodology for 
identifying, assessing, and documenting ML/TF risks. Community banks 
may use risk assessment processes that are tailored to their business 
model and operational scale, including processes that rely on direct 
knowledge of products, services, customers, and geographic locations 
rather than highly parameterized or model-driven approaches. Many 
community banks maintain longstanding customer relationships and 
operate within defined local markets, which may provide bank personnel 
with meaningful information relevant to identifying, assessing, and 
mitigating ML/TF risks. Familiarity with local businesses, direct 
interaction between bank staff and customers, and an understanding of 
ordinary patterns of activity within the bank's community may 
appropriately inform the bank's risk assessment processes and the 
design of reasonably designed internal policies, procedures, and 
controls. While such characteristics do not reduce a community bank's 
obligation to establish and maintain an effective AML/CFT program in 
accordance with the proposed rule, they may influence how a community 
bank documents its ML/TF risks and allocates attention and resources 
consistent with those risks.
    Further, under the proposed rule's requirement that a financial 
institution review and, as appropriate, incorporate the AML/CFT 
Priorities, a community bank may determine, based on its risk 
assessment processes, that certain AML/CFT Priorities may not be 
applicable to its business activities. In such cases, the community 
bank would not be required to allocate attention or resources to risks 
for which it has no identified exposure. Rather, the bank would be 
expected to direct its attention and resources in a manner consistent 
with its documented ML/TF risks.
2. Proposed 31 CFR 10XX.210(b)(2)--Independent Testing
    The AML Act did not change the BSA requirement that each financial 
institution include ``an independent audit function to test programs,'' 
\76\ which is already reflected in AML/CFT program rule 
requirements,\77\ and proposed 31 CFR 10XX.210(b)(2). The purpose of 
independent testing is to assess the financial institution's compliance 
with AML/CFT statutory and regulatory requirements, relative to its 
risk profile. The independent AML/CFT program testing should be focused 
on whether the AML/CFT program is effective, and it should identify 
issues and areas for remediation accordingly. Similar to the 
expectations outlined above for examiners, Treasury and FinCEN do not 
believe that an auditor should substitute his or her own subjective 
judgment in place of the financial institution. To support the 
effective implementation of an AML/CFT program, independent testing 
should be based on objective criteria designed to assess whether a 
financial institution has established and maintained an effective AML/
CFT program and allocated resources consistent with its risk assessment 
processes. These criteria should also assess whether related program 
governance is sufficient to manage risks and apply compensating 
controls where necessary, particularly in areas where remediation is 
underway. This evaluation helps to inform the financial institution's 
senior management of weaknesses or areas in need of enhancement or 
stronger controls. Typically, this evaluation includes a conclusion 
about the financial institution's overall compliance with AML/CFT 
statutory and regulatory requirements and sufficient information for 
the reviewer (e.g., board of directors, senior management, AML/CFT 
officer, outside auditor, or an examiner) to reach a conclusion about 
whether the risk-based set of internal policies, procedures, and 
controls is reasonably designed and resources are well-allocated 
consistent with the institution's risk assessment processes.
---------------------------------------------------------------------------

    \76\ 31 U.S.C. 5318(h)(1)(D).
    \77\ See 31 CFR 1020.210(a)(2)(ii), (b)(2)(ii) (banks); 
1021.210(b)(2)(ii) (casinos); 1022.210(d)(4) (MSBs); 1023.210(b)(2) 
(broker-dealers); 1024.210(b)(2) (mutual funds); 1025.210(b)(4) 
(insurance companies); 1026.210(b)(2) (FCMs and IBCs); 
1027.210(b)(4) (DPMSJs); 1028.210(b)(4) (operators of a credit card 
system); 1029.210(b)(4) (loan or finance companies); 1030.210(b)(4) 
(housing GSEs).
---------------------------------------------------------------------------

    Additionally, while financial institutions retain some flexibility 
regarding who conducts the audit or testing, the proposed rule would 
continue to require that testing be independent. Financial institutions 
that do not employ outside auditors or consultants or that do not have 
internal audit departments may comply with this requirement by using 
internal staff who are not involved in the function being tested. For 
these financial institutions and financial institutions with other 
types of arrangements for independent testing, the AML/CFT officer or 
any party who directly, and in some cases indirectly, reports to the 
AML/CFT officer, or an equivalent role, would generally not be 
considered sufficiently independent.\78\ Any

[[Page 18719]]

individual conducting the testing, whether internal or external, would 
be required to be independent of other parts of the financial 
institution's AML/CFT program, including its oversight. For financial 
institutions that engage outside auditors or consultants, the financial 
institution would be required to ensure that the outside parties 
conducting the independent testing are not involved in functions 
related to the AML/CFT program at the financial institution that may 
present a conflict of interest or lack of independence, such as AML/CFT 
training or the development or enhancement of internal policies, 
procedures, and controls. Additionally, for the purposes of the 
independent testing component, outside parties would not include 
government agencies, entities, or instrumentalities, such as a 
financial institution's Federal or State functional regulators. 
Financial institutions with less complex operations and lower risk 
profiles may consider utilizing a shared resource as part of a 
collaborative arrangement to conduct testing, as long as the testing is 
independent.\79\
---------------------------------------------------------------------------

    \78\ This is consistent with current 31 CFR 1022.210, which 
provides that independent testing review may be conducted by an 
officer or employee of the MSB so long as the tester is not the AML/
CFT officer. Similarly, current 31 CFR 1025.210, 1029.210, and 
1030.210 provide that independent testing at insurance companies, 
loan or finance companies, and housing GSEs, respectively, may be 
conducted by a third party or by any officer or employee of the 
financial institution, other than the AML/CFT officer. Likewise, 31 
CFR 1027.210(b)(4) and 1028.210(b)(4) provide that independent 
testing of a DPMSJ or an operator of a credit card system, 
respectively, can be conducted by an officer or employee of the 
institution, so long as the tester is not the AML/CFT officer or a 
person involved in the operation of the AML/CFT program. Determining 
whether testing at U.S. operations of foreign financial institutions 
is adequately ``independent'' may include a review of the reporting 
arrangements between the party conducting the independent testing 
and the AML/CFT officer, or equivalent management function such as a 
head of business line or a general manager, to assess any conflicts 
of interests and the level of independence with the party conducting 
the independent testing.
    \79\ See FRB, FDIC, NCUA, OCC and FinCEN, Interagency Statement 
on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), <a href="https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources">https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources</a>.
---------------------------------------------------------------------------

    While all financial institutions are required under existing 
regulations to establish independent testing, FinCEN is standardizing 
this requirement across all financial institution types. For example, 
the current rules for broker-dealers, mutual funds, and FCMs and IBCs 
require outside parties conducting the independent testing to be 
qualified; \80\ however, FinCEN does not find it necessary to add this 
``qualified'' description as it does not establish a new substantive 
requirement. FinCEN would generally expect, as with the AML/CFT officer 
component, independent testers to have the expertise and experience 
necessary to perform such testing effectively, including having 
sufficient knowledge of the financial institution's risk profile and 
AML/CFT laws and regulations.
---------------------------------------------------------------------------

    \80\ See applicable program rules located at 31 CFR 
1023.210(b)(2) (broker-dealers); 1024.210(b)(2) (mutual funds); and 
1026.210(b)(2) (FCMs and IBCs).
---------------------------------------------------------------------------

3. Proposed 31 CFR 10XX.210(b)(3)--Designate an AML/CFT Officer Located 
in the United States
i. Duties of the AML/CFT Officer
    The BSA requires that financial institutions with AML/CFT program 
obligations must have a designated compliance officer. While FinCEN has 
adopted this obligation--commonly referred to as the BSA/AML officer--
in existing guidance and regulations, the program rules use slight 
variations in the specific language to describe this requirement for 
different types of financial institutions. The proposed rule provides 
technical changes to promote clarity and consistency.
    As in the current program rules, proposed 31 CFR 10XX.210(b)(3) 
would provide that an AML/CFT program must designate an individual 
(referred to as an AML/CFT officer) responsible for establishing and 
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance with the requirements and prohibitions of the BSA and 
FinCEN's implementing regulations. FinCEN's view is that the individual 
serving as the AML/CFT officer must be qualified for that role and not 
overburdened with other responsibilities at the institution.
    The proposed rule is not intended to be primarily concerned with 
the formal title of the individual responsible for establishing and 
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance; instead, the proposed rule focuses on the AML/CFT 
officer's position in the financial institution's organizational 
structure that enables the AML/CFT officer to effectively establish and 
implement the financial institution's AML/CFT program. The AML/CFT 
officer's authority, independence, and access to resources within the 
financial institution are critical. An AML/CFT officer should have 
decision-making capability regarding the AML/CFT program and sufficient 
functional stature within the organization to ensure that the program 
meets BSA requirements.
    The AML/CFT officer's access to resources may include the 
following: adequate compliance funds and staffing with the skills and 
expertise appropriate to the financial institution's risk profile, 
size, and complexity; an organizational structure that supports 
compliance and effectiveness; and sufficient technology and systems to 
support the timely identification, measurement, monitoring, reporting, 
and management of the financial institution's ML/TF risks. An AML/CFT 
officer with conflicting responsibilities that adversely impact the 
officer's ability to effectively coordinate and monitor day-to-day AML/
CFT compliance generally would not fulfill this requirement. The 
addition of the explicit requirement that the AML/CFT officer be 
responsible for ``establishing and implementing the AML/CFT program'' 
in the proposed rule would make explicit a long-standing supervisory 
expectation, rather than changing current supervisory or regulatory 
requirements or expectations.
    To promote consistency and reduce redundancy, the proposed rule 
would remove some examples of what it means to coordinate and monitor 
day-to-day compliance with AML/CFT requirements that are currently 
listed in the AML program rules for MSBs; insurance companies; DPMSJs; 
operators of credit card systems; loan or finance companies; and 
housing GSEs.\81\ For example, those AML program rules currently 
provide that an AML/CFT officer is responsible for updating the 
financial institution's AML program and ensuring that employees are 
educated or trained in accordance with the financial institution's AML 
program training obligation. Removing this type of language in the 
proposed rule does not indicate that an AML/CFT officer is not 
responsible for these activities, but rather reflects that such 
examples in the regulatory text are not necessary, and that each 
financial institution should decide for itself the specific activities 
that an AML/CFT officer should undertake to establish, maintain, and 
implement an AML/CFT program.
---------------------------------------------------------------------------

    \81\ See 31 CFR 1022.210(d)(2) (MSBs); 1025.210(b)(2) (insurance 
companies); 1027.210(b)(2) (DPMSJs); 1028.210(b)(2) (operators of 
credit card systems); 1029.210(b)(2) (loan or finance companies); 
1030.210(b)(2) (housing GSEs).
---------------------------------------------------------------------------

    Likewise, the proposed rule would remove unnecessary provisions in 
certain current program rules--those applicable to DPMSJs; operators of 
credit card systems; loan or finance companies; and housing GSEs--
requiring AML/CFT officers to ensure that a financial institution's 
AML/CFT program is implemented effectively.\82\ That expectation is 
embedded in the proposed rule's requirement that AML/CFT officers 
coordinate and monitor day-to-day compliance.
---------------------------------------------------------------------------

    \82\ See 31 CFR 1027.210(b)(2)(i) (DPMSJs); 1028.210(b)(2)(i) 
(operators of credit card systems); 1029.210(b)(2)(i) (loan or 
finance companies); 1030.210(b)(2)(i) (housing GSEs).
---------------------------------------------------------------------------

    Similarly, the proposed rule would delete an unnecessary reference 
from current 31 CFR 1022.210(d)(2)(i). That provision provides that an 
MSB's AML/CFT officer must ensure that the MSB properly files reports, 
and creates and retains records, in accordance with the

[[Page 18720]]

BSA. These activities are and remain part of the AML/CFT officer's duty 
to monitor and coordinate day-to-day compliance, and thus it is not 
necessary to separately list them in the rule. This deletion and the 
removal of the other redundant references will ensure consistent 
language across program rules.
ii. Proposed 31 CFR 10XX.210(b)(3)--The AML/CFT Officer Must Be Located 
in the United States and Accessible to Regulators
    The AML Act provides that the duty to establish, maintain, and 
enforce a financial institution's AML/CFT program shall remain the 
responsibility of, and be performed by, persons in the United States 
who are accessible to, and subject to oversight and supervision by, the 
Secretary and the appropriate Federal functional regulator.\83\ 
Proposed 31 CFR 10XX.210(b)(3) therefore requires the very same, noting 
that the designated individual must be accessible to, and subject to 
oversight and supervision by, FinCEN and its designee. FinCEN's 
designee, in this instance, includes any agency to which FinCEN has 
delegated examination authority or the appropriate SRO.
---------------------------------------------------------------------------

    \83\ 31 U.S.C. 5318(h)(5).
---------------------------------------------------------------------------

    FinCEN recognizes financial institutions may currently have AML/CFT 
staff and operations outside of the United States, or they may contract 
out or delegate parts of their AML/CFT operations to third-party 
providers located outside of the United States. These arrangements may 
serve to improve cost efficiencies, to enhance coordination, 
particularly with respect to cross-border operations, or serve other 
purposes not in conflict with goals underlying the BSA. Consequently, 
under the proposed rule, while the AML/CFT officer must be located in 
the United States, personnel located outside of the United States would 
still be permitted to perform certain AML/CFT functions. This language 
does not alter existing regulations and guidance that generally 
prohibit the sharing of SARs with personnel located outside of the 
United States other than in limited circumstances such as a bank's 
foreign head office or controlling company.\84\ FinCEN requests comment 
on whether any further clarifications on this point would be useful.
---------------------------------------------------------------------------

    \84\ See, e.g., FinCEN, Financial Crimes Enforcement Network; 
Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3, 
2010); see also FinCEN, FRB, FDIC, OCC, and Office of Thrift 
Supervision, Interagency Guidance on Sharing Suspicious Activity 
Reports with Head Offices and Controlling Companies (Jan. 20, 2006), 
<a href="https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf">https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf</a>.
---------------------------------------------------------------------------

4. Proposed 31 CFR 10XX.210(b)(4)--Ongoing Employee Training Program
    The BSA requires AML/CFT programs to include an ``ongoing employee 
training program.'' \85\ This statutory requirement is reflected in all 
current AML program rules, but in different formulations.\86\ Proposed 
31 CFR 10XX.210(b)(4) would eliminate inconsistency in the AML program 
rules' training requirement by adopting the BSA's ``ongoing employee 
training program'' language uniformly. This change is clarifying, not 
substantive.
---------------------------------------------------------------------------

    \85\ 31 U.S.C. 5318(h)(1)(C).
    \86\ See 31 CFR 1020.210(a)(2)(iv), (b)(2)(iv) (banks); 
1021.210(b)(2)(iii) (casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) 
(broker-dealers); 1024.210(b)(4) (mutual funds); 1025.210(b)(3) 
(insurance companies); 1026.210(b)(4) (FCMs and IBCs); 
1027.210(b)(3) (DPMSJs); 1028.210(b)(3) (operators of credit card 
systems); 1029.210(b)(3) (loan or finance companies); 1030.210(b)(3) 
(housing GSEs).
---------------------------------------------------------------------------

    FinCEN would generally expect training to cover the financial 
institution's internal policies, procedures, and controls, which should 
in turn reflect the results of the financial institution's risk 
assessment processes, the latest AML/CFT regulatory requirements, and 
other relevant information. The frequency with which the training would 
occur, and the content of the training, would depend on the financial 
institution's ML/TF risk profile and the roles and responsibilities of 
the persons receiving the training. FinCEN welcomes comment on whether 
any further clarifications of the proposed training requirement are 
needed. FinCEN recognizes that financial institutions may have 
employees and non-employees who may have a variety of roles and 
responsibilities in relation to the AML/CFT program. The risk-based 
nature of an AML/CFT program provides flexibility for financial 
institutions to identify both employees and non-employees who must be 
trained on an ongoing basis.

E. Access to and Approval of a Written AML/CFT Program

1. Proposed 31 CFR 10XX.210(d)--Written AML/CFT Programs Must Be Made 
Available Upon Request
    Current program rules generally require financial institutions to 
have written AML/CFT programs, but there is variation in how the 
requirement is formulated in FinCEN's regulations for certain types of 
financial institutions.\87\ Proposed 31 CFR 10XX.210(d) would provide a 
consistent standard by requiring that an AML/CFT program be written, 
and that a financial institution, upon request, make available a copy 
of its written AML/CFT program to FinCEN or its designee. FinCEN's 
designee, in this instance, includes any agency to which FinCEN has 
delegated examination authority or the appropriate SRO. It is thus 
assured that agencies with original or delegated examination authority 
over a financial institution, including for example an agency with 
examination authorities delegated by FinCEN \88\ or the appropriate SRO 
\89\ will be among the agencies able to access a financial 
institution's written AML/CFT program. In addition to promoting 
consistency across the program rules, these clarifications are intended 
to help financial institutions develop a structured AML/CFT program 
understood across the enterprise.
---------------------------------------------------------------------------

    \87\ Current 31 CFR 1020.210(b) requires banks lacking a Federal 
functional regulator to establish, maintain, and make available a 
written anti-money laundering program. Banks with a Federal 
functional regulator are required to have written anti-money 
laundering programs under the regulators' existing rules. See 12 CFR 
21.21(c)(1), 208.63(b)(1), 326.8(b)(1), 748.2(b)(1). The current 
program rules require other types of financial institutions to have 
written programs at 31 CFR 1021.210(b)(1) (casinos); 1022.210(c) 
(MSBs); 1023.210 (broker-dealers); 1024.210(a) (mutual funds); 
1025.210(a) (insurance companies); 1026.210 (FCMs and IBCs); 
1027.210(a)(1) (DPMSJs); 1028.210(a) (operators of credit card 
systems); 1029.210(a) (loan or finance companies); 1030.210(a) 
(housing GSEs).
    \88\ See 31 CFR 1010.810(b) (FinCEN's delegation of 
``[a]uthority to examine institutions to determine compliance with 
the requirements of this chapter'').
    \89\ For broker-dealers, FinCEN recognizes the SEC as the 
relevant Federal functional regulator. See id. 1010.810(b)(6) 
(delegating examination authority to SEC for broker-dealers). FinCEN 
recognizes registered national securities exchanges or a national 
securities association, such as the Financial Industry Regulatory 
Authority (FINRA), as the relevant SROs for member broker-dealers. 
Similarly, for FCMs and IBCs, FinCEN recognizes the CFTC as the 
relevant Federal functional regulator, 31 CFR 1010.810(b)(9), and 
the National Futures Association (NFA) as the SRO.
---------------------------------------------------------------------------

2. Proposed 31 CFR 10XX.210(d)--Financial Institution Approval of a 
Written AML/CFT Program
    Proposed 31 CFR 10XX.210(d) would also require that a financial 
institution's written AML/CFT program be approved by the financial 
institution's board of directors or an equivalent governing body within 
the financial institution, or appropriate senior management.
    Current program rules generally require a financial institution's 
board or an equivalent governing body within the institution, or 
appropriate senior management, to approve the financial institution's 
written AML program. However, the proposed rule

[[Page 18721]]

standardizes this language across all financial institution types and 
provides financial institutions with significant flexibility in their 
chosen approval method. While some financial institutions may choose to 
have their boards approve the written AML/CFT program, for others, an 
equivalent governing body might be a sole proprietor, general partner, 
or trustee, or a grouping of owners, senior officers (including board 
committees or other groups with oversight responsibilities), senior 
management, or other persons having functions and authority similar to 
that of a board. For the U.S. branch of a foreign bank, the equivalent 
governing body may be the foreign banking organization's board of 
directors or delegates acting under the board's express authority.\90\
---------------------------------------------------------------------------

    \90\ The FRB, FDIC, and OCC each require the U.S. branches, 
agencies, and representative offices of the foreign banks they 
supervise operating in the United States to develop written BSA 
compliance programs that are approved by their respective bank's 
board and noted in the minutes, or that are approved by delegates 
acting under the express authority of their respective bank's board 
to approve the BSA compliance programs. See 12 CFR 21.21(c)(1), 
208.63(b)(1), 326.8(b)(1), and 748.2(b)(1). ``Express authority'' 
means the head office must be aware of its U.S. AML program 
requirements and there must be some indication of purposeful 
delegation.
---------------------------------------------------------------------------

    Alternatively, some financial institutions might have other 
individuals or groups with similar status or functions as directors 
approve the AML/CFT program. Such individuals may include Chief 
Executive Officer, Chief Financial Officer, Chief Operations Officer, 
Chief Legal Officer, Chief Compliance Officer, Director, and 
individuals with similar status or functions. Also, groups with 
oversight responsibilities may include board committees such as 
compliance or audit committees, as well as a group of some or all of 
the individuals with the aforementioned titles, as senior management that 
can provide effective oversight of the AML/CFT program to comply with 
the proposed rule.
    Although some financial institutions must already obtain board 
approval for their AML/CFT programs or be subject to oversight by a 
board of directors, or an equivalent governing body, this board or 
senior management approval requirement will represent a change in 
requirements for other financial institutions. In some cases, the 
proposed rule would provide greater flexibility than current program 
rules provide. For example, a bank lacking a Federal functional 
regulator must have an AML/CFT program that is approved by the board or 
equivalent governing body within the bank.\91\ Banks with a Federal 
functional regulator must also have board approval for their AML/CFT 
programs under their regulators' existing rules, although not 
FinCEN's.\92\ On the other hand, broker-dealers; insurance companies; 
FCMs and IBCs; DPMSJs; operators of credit card systems; loan or 
finance companies; and housing GSEs, must currently obtain senior 
management level approval for their AML/CFT programs.\93\ Board 
approval is not required for these entities currently, so the proposed 
rule would not be a change. The existing program rules for casinos and 
MSBs do not contain specific board or senior management approval 
requirements, so the proposed rule would constitute a change for these 
entities.\94\
---------------------------------------------------------------------------

    \91\ See 31 CFR 1020.210(b)(3) (banks lacking a Federal 
functional regulator).
    \92\ See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), 
748.2(b)(1).
    \93\ See 31 CFR 1023.210 (broker-dealers); 1025.210(a) 
(insurance companies); 1026.210 (FCMs and IBCs); 1027.210(a)(1) 
(DPMSJs); 1028.210(a) (operators of credit card systems); 
1029.210(a) (loan or finance companies); 1030.210(a) (housing GSEs).
    \94\ See applicable AML program rules located at 31 CFR 1021.210 
(casinos) and 1022.210 (MSBs).
---------------------------------------------------------------------------

    In the case of some financial institutions, there may be existing 
statutes or regulations (other than the BSA and its implementing 
regulations) that will determine whether a financial institution must 
have its board approve its AML/CFT program. The proposed rule would not 
interfere with any such requirements. For instance, mutual funds must 
comply with Rule 38a-1 under the Investment Company Act of 1940 
requiring board approval of a mutual fund's written policies and 
procedures, which would include its AML/CFT Program.\95\ Because of 
this requirement, FinCEN understands that Rule 38a-1 would be 
controlling in practice and require a mutual fund's board to approve 
its AML/CFT program; needless to say, such approval would also satisfy 
FinCEN's proposed rule.
---------------------------------------------------------------------------

    \95\ See 17 CFR 270.38a-1(a)(2).
---------------------------------------------------------------------------

    The proposed rule's provision requiring the approval of the AML/CFT 
program by a financial institution's board of directors, equivalent 
body, or appropriate senior management reflects the importance of a 
financial institution maintaining a strong culture of compliance. A 
culture of compliance involves demonstrable support and visible 
commitment from leadership, the dedication of adequate resources to 
AML/CFT compliance, effective information sharing throughout the 
financial institution, qualified and independent testing, and 
understanding across leadership and staff levels of the importance of 
BSA reports. Adherence to these principles is critical to ensuring that 
AML/CFT programs are effective.
    At the same time, an alternative approach is to refrain from 
prescribing corporate-governance detail in the proposed rule, instead 
allowing financial institutions to determine the appropriate approving 
authority consistent with their legal structure and other regulatory 
and legal requirements. Leaving firm-level choices to financial 
institutions would preserve flexibility across differing corporate 
structures, avoid imposing a single model for allocating 
responsibilities, and reduce the risk of unintended conflict with other 
regulatory or legal requirements.

F. Proposed 31 CFR 1020.221--Supervision and Enforcement

    The proposed rule would add new 31 CFR 1020.221 to set forth a 
supervision and enforcement framework for banks' AML/CFT programs that 
is aligned with the AML Act's emphasis on effectiveness and risk-based 
supervision. The proposed section defines key terms, describes FinCEN's 
enforcement and supervision policy with respect to the requirements of 
the BSA or 31 CFR chapter X, establishes consultation requirements 
between FinCEN and the Agencies, when acting under supervisory 
authority delegated by FinCEN, and specifies factors that the Director 
would consider in determining whether to take, or in reviewing, an AML/
CFT enforcement action or significant AML/CFT supervisory action. The 
supervision and enforcement requirements apply only to banks and the 
Agencies in the proposed rule, but FinCEN welcomes comment on whether 
these provisions should apply to other financial institutions. 
Likewise, the enforcement requirements do not apply to and in no way 
affect criminal enforcement liability under the Bank Secrecy Act.
1. Proposed 31 CFR 1020.221(a)--Definitions
    Proposed 31 CFR 1020.221(a) would define several terms used 
throughout the section. The term ``AML/CFT requirement'' would mean a 
requirement of the BSA or 31 CFR chapter X.
    The term ``AML/CFT enforcement action'' as proposed in 31 CFR 
1020.211(a)(1) would mean any formal or informal action taken by FinCEN 
that seeks to penalize, remedy, prevent, or respond to noncompliance 
with, past or ongoing violations of, or past or ongoing deficiencies 
relating to, an AML/CFT requirement.
    The term ``significant AML/CFT supervisory action'' as proposed in 
31

[[Page 18722]]

CFR 1020.221(a)(3) would mean any written communication or other formal 
supervisory determination issued by FinCEN or an Agency, when acting 
under supervisory authority delegated by FinCEN, that identifies one or 
more alleged deficiencies, weaknesses, violations of law, or unsafe or 
unsound practices or conditions relating to an AML/CFT requirement; 
communicates supervisory expectations regarding actions or remedial 
measures required to correct the issue; and contemplates significant or 
programmatic actions or remedial measures to be taken by the bank. 
Examiner observations, suggestions, or other informal comments would be 
expressly excluded from this definition.
2. Proposed 31 CFR 1020.221(b)--FinCEN Enforcement and Supervision 
Policy
    Proposed 31 CFR 1020.221(b) would articulate FinCEN's enforcement 
and supervision policy as it relates to AML/CFT requirements applicable 
to banks.\96\ Except with respect to a significant or systemic failure 
to implement an effective AML/CFT program (i.e., deficiencies or issues 
that arise from failing to implement, in all material respects, a 
properly established AML/CFT program), a bank that has properly 
established an AML/CFT program would not be subject to an AML/CFT 
enforcement action based on the program rule by FinCEN or to a 
significant AML/CFT supervisory action based on the program rule by 
FinCEN or by the Agencies, when acting under supervisory authority 
delegated by FinCEN.
---------------------------------------------------------------------------

    \96\ The proposal is not intended to and does not affect 
criminal enforcement liability under the BSA, or the related 
authority of the Department of Justice.
---------------------------------------------------------------------------

    At the same time, the proposed rule would clarify that nothing in 
this policy would restrict an AML/CFT enforcement action or a 
significant AML/CFT supervisory action with respect to a failure to 
properly establish an AML/CFT program. Moreover, the proposed rule 
would not affect the factors that FinCEN applies in the disposition of 
a violation \97\ once FinCEN has determined that such violation 
involves either: (1) a failure to properly establish an AML/CFT 
program, or (2) a significant or systemic failure to implement an 
effective AML/CFT program.
---------------------------------------------------------------------------

    \97\ FinCEN, FinCEN Statement on Enforcement of the Bank Secrecy 
Act (Aug. 18, 2020), at pp. 2-3, <a href="https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf">https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf</a>.
---------------------------------------------------------------------------

3. 31 CFR 1020.221(c)--FinCEN Consultation
    Proposed 31 CFR 1020.221(c) would establish a notice and 
consultation framework applicable when the Agencies, acting under 
supervisory authority delegated by FinCEN, intend to initiate a 
significant AML/CFT supervisory action. Before initiating such an 
action, the Agencies would be required to provide the Director with an 
opportunity to review the action and consider any input offered by the 
Director, which may include any view as to the effectiveness of the 
bank's AML/CFT program. To facilitate that review, the Agencies would 
be required to provide written notice to the Director of their intent 
to take the action at least 30 days in advance of the proposed action, 
unless a shorter period is necessary, in the sole discretion of the 
Agencies, to remedy, prevent, or respond to an unsafe or unsound 
practice or condition.
    The notice would be accompanied by the relevant AML/CFT information 
underlying the proposed action. Relevant AML/CFT information may 
include, but is not limited to: the relevant portions of the draft 
report enforcement action; the relevant examination workpapers 
supporting the proposed action and the relevant AML/CFT information 
submitted by the bank to the Agency. FinCEN notes the Agencies would 
not be obligated to provide information over which the bank may claim 
privilege under Federal or State law. The Agencies would also be 
required to respond to requests for additional AML/CFT information from 
the Director regarding the proposed action.
4. 31 CFR 1020.221(d)--FinCEN Considerations
    Proposed 31 CFR 1020.221(d) specifies the factors that the Director 
would consider in determining whether to take an enforcement action or 
significant supervisory action with respect to banks, or when reviewing 
a proposed action by the Agencies.\98\ These factors would include the 
factors set forth in 31 U.S.C. 5318(h)(2)(B), as applicable; the 
extent, if any, to which the bank--where appropriate in light of its 
size, complexity, and risk profile--has advanced the AML/CFT Priorities 
by providing highly useful information to law enforcement or national 
security officials, conducting proactive analytics or performing other 
innovative activities producing demonstrable outputs evincing the 
effectiveness of the bank's AML/CFT program (including effective use of 
artificial intelligence, federated learning, or other advanced 
monitoring tools); and any other factor the Director deems appropriate, 
including the bank's size, complexity, and risk profile, and, as 
relevant, circumstances in which the bank's low-risk customers or 
limited business activities naturally limit the extent to which the 
bank can meaningfully contribute to AML/CFT Priorities.
---------------------------------------------------------------------------

    \98\ This includes when the Agencies are consulting with FinCEN 
as required under the proposed rule, or under a consultation 
requirement they have imposed on themselves (which may include 
enforcement actions).
---------------------------------------------------------------------------

    The Director's consideration of the extent to which a bank has 
provided highly useful information to law enforcement or national 
security agencies reflects that FinCEN considers information sharing to 
be an important element of an effective AML/CFT program. Financial 
institutions may share useful information by responding to 314(a) 
requests or may use 314(b) authorities to share information with other 
financial institutions to identify and report to the Federal Government 
activities that may involve ML/TF. Financial institutions may also 
elect to participate in the FinCEN Exchange Program, a voluntary 
public-private information sharing partnership among FinCEN, law 
enforcement agencies, national security agencies, and financial 
institutions and other private sector entities that aims to support 
priority national security and counter-illicit finance objectives.\99\ 
FinCEN strongly encourages information sharing for the purpose of 
advancing the AML/CFT Priorities.
---------------------------------------------------------------------------

    \99\ FinCEN, FinCEN Exchange, <a href="https://www.fincen.gov/resources/fincen-exchange">https://www.fincen.gov/resources/fincen-exchange</a>.
---------------------------------------------------------------------------

    The Director may consider the above alongside other factors, 
including those outlined in the FinCEN Statement on Enforcement of the 
Bank Secrecy Act, such as the nature and seriousness of violations, 
including the extent of possible harm to the public and amounts 
involved; impact or harm of the violations on FinCEN's mission to 
safeguard the financial system from illicit use, combat money 
laundering, and promote national security; or financial gain or other 
benefit resulting from, or attributable to, the violations, amongst 
others.\100\
---------------------------------------------------------------------------

    \100\ FinCEN, FinCEN Statement on Enforcement of the Bank 
Secrecy Act (Aug. 18, 2020), <a href="https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf">https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf</a>.
---------------------------------------------------------------------------

G. Other Changes for Modernization, Clarification, and Consistency

    In addition to the previously described changes, the proposed rule 
would make other revisions to increase

[[Page 18723]]

clarity and consistency in the program rules. Most of these changes are 
technical, such as renumbering provisions, amending cross-references, 
and updating statutory references based on changes to the BSA by the 
AML Act. For example, along with the Agencies, references to ``BSA/AML 
programs'' are being updated to ``AML/CFT programs'' for financial 
institutions subject to CIP requirements.\101\ These technical changes 
are not anticipated to establish new obligations.
---------------------------------------------------------------------------

    \101\ The CIP rules are located at 31 CFR 1020.220 (banks), 
1023.220 (broker-dealers), 1024.220 (mutual funds), and 1026.220 
(FCMs and IBCs).
---------------------------------------------------------------------------

    The proposed rule also would make minor changes to the definitions 
in FinCEN regulations, including the definition of ``Bank Secrecy Act'' 
at 31 CFR 1010.100(e).\102\ The proposed rule would also amend the 
definition of ``Federal functional regulator'' at Sec.  1010.100(r) to 
remove reference to the defunct Office of Thrift Supervision and insert 
``The Federal Deposit Insurance Corporation'' in place of ``The Board 
of Directors of the Federal Deposit Insurance Corporation.'' The 
proposed rule would also add a definition of ``AML/CFT priorities'' at 
Sec.  1010.100(nnn) to mean the most recent statement of Anti-Money 
Laundering and Countering the Financing of Terrorism National 
Priorities issued pursuant to 31 U.S.C. 5318(h)(4). Finally, as noted 
above, the proposed rule adds a definition of ``Federal Financial 
Institutions Regulatory Agency'' at Sec.  1010.100(ooo).\103\
---------------------------------------------------------------------------

    \102\ In particular, FinCEN first proposes to simplify this BSA 
definition to refer only to the U.S. Code provisions codifying the 
BSA, rather than to any act of Congress from which these provisions 
were originally derived. Second, FinCEN proposes removing 18 U.S.C. 
1956, 1957, and 1960 from the regulatory BSA definition. These 
criminal provisions were included in FinCEN's BSA definition given 
their relationship to money laundering but are not otherwise linked 
to the other BSA provisions and are not included in the AML Act's 
BSA definition in section 6003(1) of the Act. Third, FinCEN proposes 
amending its BSA definition to include 31 U.S.C. 5336 (i.e., the 
operative provisions of the Corporate Transparency Act), which was 
added to the BSA by section 6403 of the AML Act.
    \103\ Additionally, FinCEN proposes amending the authority 
citations in the relevant CFR sections to account for relevant 
statutory changes.
---------------------------------------------------------------------------

    Additionally, as required under section 6101(b) of the AML Act, 
FinCEN consulted with Federal functional regulators, particularly the 
Agencies, to inform this rulemaking and coordinate updates to the bank 
program rule. The proposed rule is removing the provision in FinCEN's 
program rule for banks requiring them to comply with the parallel 
program rule for banks adopted by the Federal functional regulators 
since these program rules are consistent. As the delegated 
administrator of the BSA, FinCEN expects banks to adhere to FinCEN's 
rule as promulgated via the Secretary's explicit authority to prescribe 
minimum standards for AML/CFT programs.
    The proposed rules for broker-dealers and FCMs and IBCs would 
retain requirements to comply with the rules, regulations, or 
requirements of their SROs, provided those rules, regulations, or 
requirements have been made effective under the Securities Exchange Act 
of 1934 for broker-dealers,\104\ or the Commodity Exchange Act for FCMs 
and IBCs,\105\ or by the appropriate Federal functional regulator in 
consultation with FinCEN.
---------------------------------------------------------------------------

    \104\ 15 U.S.C. 78a et seq.
    \105\ 7 U.S.C. 1 et seq.
---------------------------------------------------------------------------

    The following subsections describe more significant changes.
1. Combining the Bank Rules
    Since 2020, banks lacking a Federal functional regulator have been 
subject to substantially similar AML/CFT program requirements (31 CFR 
1020.210(b)) as banks with a Federal functional regulator (31 CFR 
1020.210(a)).\106\ The proposed rule would combine the program rules 
for both bank types.
---------------------------------------------------------------------------

    \106\ See FinCEN, Customer Identification Programs, Anti-Money 
Laundering Programs, and Beneficial Ownership Requirements for Banks 
Lacking a Federal Functional Regulator, 85 FR 57129 (Sept. 15, 
2020).
---------------------------------------------------------------------------

    The most significant difference between the existing AML program 
rules is that 31 CFR 1020.210(b)(3) requires banks lacking a Federal 
functional regulator to: (1) have their AML programs approved by the 
board of directors or, if the bank does not have a board of directors, 
an equivalent governing body within the bank; and (2) make a copy of 
its AML program available to FinCEN or its designee upon request. 
FinCEN's designee, in this instance, includes any agency to which 
FinCEN has delegated examination authority or the appropriate SRO. As 
previously discussed, the proposed rule would require banks to obtain 
the approval of their AML/CFT programs from the board of directors, an 
equivalent governing body within the bank, or appropriate senior 
management, and it would require that the AML/CFT program be made 
available to FinCEN or its designee upon request. With these changes, 
FinCEN believes it would no longer be necessary to have two sets of 
program rules for banks. Therefore, the proposed rule would consolidate 
31 CFR 1020.210(a) and (b) into a single set of rules applicable to all 
banks.
2. Conforming and Modernizing Program Rules
    For purposes of consistency and clarity, the proposed rule would 
harmonize certain elements, as described below, of the program rules 
for casinos and MSBs to the program rules for banks; broker-dealers; 
mutual funds; insurance companies; FCMs and IBCs; DPMSJs; operators of 
credit card systems; loan or finance companies; and housing GSEs.
    Additionally, for casinos, the proposed rule would remove the 
following language in 31 CFR 1021.210(b)(2)(vi): ``For casinos that 
have automated data processing systems, the use of automated programs 
to aid in assuring compliance.'' Similarly, for MSBs, the proposed rule 
would remove the following language in 31 CFR 1022.210(d)(1)(ii): 
``Money services businesses that have automated data processing systems 
should integrate their compliance procedures with such systems.'' The 
removal of automated data processing language is not intended to 
eliminate any substantive BSA compliance obligations for casinos or 
MSBs. Rather, it reflects the application of the same risk-based 
approach used in the other program rules, which allows--but does not 
mandate--the use of automated data processing systems.
    A few unique elements of the existing program rule for MSBs would 
be carried over into the new rule language. In particular, the customer 
identification provisions of current 31 CFR 1022.210(d)(1)(i)(A) and 
(d)(1)(iv), and the agent responsibility provision of current 31 CFR 
1022.210(d)(1)(iii), would all be retained in the new MSB program rule 
language. This language reflects FinCEN's longstanding appreciation of 
the special circumstances applicable to many members of the 
extraordinarily diverse category of MSB, an appreciation that remains 
as accurate now as it was when these unique elements were included in 
FinCEN's regulations.
3. Compliance and Implementation Dates
    Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and 
1030.210(d) contain compliance and implementation dates for MSBs; 
DPMSJs; loan or finance companies; and housing GSEs, respectively. The 
proposed rule would retain implementation dates for MSBs and DPMSJs, 
respectively, since they set the time frames in which those specific 
financial institution types are required to comply once they conduct 
certain

[[Page 18724]]

activities or pass thresholds that subject them to AML/CFT program 
requirements. The proposed rule would also update the citations for 
these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect 
other changes made to Sec. Sec.  1022.210(d) and 1027.210(e).
    The proposed rule, however, would amend these provisions, as well 
as those of other types of financial institutions, such as loan or 
finance companies and housing GSEs, to remove compliance dates that 
have passed and are therefore irrelevant.
4. Compliance With Other Rules
    For consistency and clarity, the proposed rule would delete certain 
unnecessary cross-references to other regulations. Specifically, the 
proposed rule would no longer state that banks, broker-dealers, and 
FCMs and IBCs must comply with the 31 CFR 1010.610 and 1010.620 due 
diligence requirements for foreign correspondent and private banking 
accounts.\107\ Additionally, the proposed rule would no longer state 
that banks must comply with the regulations of their Federal functional 
regulators. Those regulations and requirements apply irrespective of 
cross-references in the program rules, so FinCEN is proposing to remove 
the cross-references to streamline the program rules and promote 
consistency. FinCEN does not intend for these changes to have any 
substantive effect.
---------------------------------------------------------------------------

    \107\ See applicable program rules located at 31 CFR 
1020.210(a)(1), (b)(1) (banks); 1023.210(a) (broker-dealers); and 
1026.210(a) (FCMs and IBCs).
---------------------------------------------------------------------------

VI. Final Rule Effective Date

    FinCEN is proposing an effective date of 12 months from the date of 
issuance of the final rule to allow sufficient time for financial 
institutions to review and implement the requirements of the proposed 
rule. FinCEN solicits comment on the proposed effective date.

VII. Request for Comment

    FinCEN welcomes comment on all aspects of the proposed amendments 
and specifically seeks comment on the questions below. FinCEN 
encourages commenters to reference specific question numbers when 
responding.

An ``Effective'' AML/CFT Program (V.B.)

    1. The proposed rule sets forth the conditions for an effective 
AML/CFT program. Is the description of an effective program 
sufficiently clear or is there anything further that FinCEN should 
consider adding in the final rule to clarify the concept of program 
effectiveness?
    2. The proposed rule reflects a determination by FinCEN that 
financial institutions are best placed to identify risks and allocate 
resources, and that providing them with greater discretion in these 
areas will improve the quality of AML/CFT compliance and reporting to 
law enforcement. Is this correct or should FinCEN consider adding more 
requirements regarding allocation of resources? How might financial 
institutions assess changes in the total allocation of resources 
devoted to an AML/CFT program in a changing risk and cost environment?

Establishing and Maintaining an AML/CFT Program (V.C.)

    3. Do financial institutions distinguish between ``establishing a 
program'' and ``maintaining a program by implementing the program''? If 
so, how? Should FinCEN add anything to further define these terms in 
the final rule?
    4. Should the proposed rule's distinction between ``establishing'' 
and ``maintaining'' a program be modified? Is the distinction between 
``establishing'' and ``maintaining'' a compliance program useful for 
financial institutions?
    5. Is clarification needed for banks to determine what constitutes 
a ``significant or systemic failure'' to implement an effective AML/CFT 
program (i.e., a failure to implement, in all material respects, a 
properly established AML/CFT program)?
    6. Is clarification needed for banks to determine what constitutes 
a ``failure to establish an AML/CFT program''?
    7. How should the proposed rule ensure that the regulations issued 
by FinCEN and the appropriate Agencies function harmoniously? How 
should the proposed rule differentiate between the Secretary's 
responsibility for issuing regulations on establishing and maintaining 
AML/CFT programs and the Agencies' responsibilities for issuing 
regulations on establishing and maintaining AML/CFT programs under 
their respective authorities?

Internal Policies, Procedures, and Controls (V.D.1.)

    8. Do financial institutions expect any changes to their existing 
internal policies, procedures, and controls under the proposed rule, 
which requires that internal policies, procedures, and controls be 
``risk-based'' and ``reasonably designed'' to ensure compliance with 
the BSA?

Risk Assessment Processes (Generally) (V.D.1.i.)

    9. The proposed rule refers to risk assessment processes rather 
than a risk assessment process. This leaves financial institutions free 
to use findings from one or more processes to holistically assess their 
ML/TF risks. Does this description of how financial institutions would 
assess their ML/TF risk under the proposed rule provide sufficient 
flexibility? How should FinCEN describe ``risk assessment processes'' 
to better reflect how financial institutions assess ML/TF risks?
    10. Should risk assessment processes be required to take into 
account additional or different criteria or risks than those listed in 
the proposed rule? If so, what additional factors should FinCEN 
consider requiring?
    11. How long does it generally take a financial institution to 
incorporate the results of a risk assessment into the other aspects of 
its AML/CFT program? What factors determine this timeframe?

Risk Assessment Processes (AML/CFT Priorities) (V.D.1.i.b.)

    12. What, if any, difficulties do financial institutions anticipate 
when incorporating the AML/CFT Priorities as part of their risk 
assessment processes?
    13. What additional guidance on how to incorporate the AML/CFT 
Priorities into a financial institution's risk assessment processes 
would it be useful for FinCEN to provide?

Risk Assessment Processes (Updates) (V.D.1.i.c.)

    14. The proposed rule requires that risk assessment processes are 
updated promptly upon any change that the bank knows or has reason to 
know significantly changes the bank's ML/TF risks. Would the proposed 
update requirement change the way financial institutions currently 
update their risk assessment processes, and if so, how? Is additional 
explanation needed concerning when a financial institution would be 
required to update its risk assessment? In particular, how might FinCEN 
clarify how risk assessment processes would be updated ``promptly''? 
Would an alternative approach, such as periodic updates or a set 
schedule for updates, be preferable? Would an alternative standard, 
such as ``materially changes,'' be clearer than ``significantly 
changes''?
    15. How does a financial institution's monitoring for ML/TF risks 
and its risk assessment processes affect one another? Put differently, 
if there is a feedback loop between the two, please describe it, 
including the typical amount of time between discovering new risks and 
incorporating those findings into risk assessment processes.

[[Page 18725]]

Independent AML/CFT Program Testing To Be Conducted by Bank Personnel 
or by an Outside Party (V.D.2.)

    16. Under the proposed rule, a financial institution is required to 
conduct independent AML/CFT program testing. This requirement is 
already reflected in existing AML program rule requirements \108\ as 
the requirement to include ``an independent audit function to test 
programs.'' \109\ FinCEN solicits comment on how financial institutions 
may interpret and carry out this requirement, based on the proposed 
rule's description of an effective AML/CFT program. Are further 
clarifications on the independent AML/CFT program testing requirement 
necessary to ensure that audits carried out by bank personnel or 
outside third parties are well-tailored, risk-based, and focused on 
effectiveness?
---------------------------------------------------------------------------

    \108\ See 31 CFR 1020.210(a)(2)(ii), (b)(2)(ii) (banks); 
1021.210(b)(2)(ii) (casinos); 1022.210(d)(4) (MSBs); 1023.210(b)(2) 
(broker-dealers); 1024.210(b)(2) (mutual funds); 1025.210(b)(4) 
(insurance companies); 1026.210(b)(2) (FCMs and IBCs); 
1027.210(b)(4) (DPMSJs); 1028.210(b)(4) (operators of a credit card 
system); 1029.210(b)(4) (loan or finance companies); 1030.210(b)(4) 
(housing GSEs).
    \109\ 31 U.S.C. 5318(h)(1)(D).
---------------------------------------------------------------------------

AML/CFT Officer Located in the United States (V.D.3.)

    17. Under the proposed rule, while the AML/CFT officer must be 
located in the United States, personnel located outside of the United 
States would still be permitted to perform certain AML/CFT functions. 
This language does not alter existing regulations and guidance that 
generally prohibit the sharing of SARs with personnel located outside 
of the United States other than in limited circumstances, such as a bank's 
foreign head office or controlling company. Are any further 
clarifications on what duties personnel outside the United States may 
perform needed?

Written AML/CFT Program and Approval (V.E.1)

    18. The proposed rule standardizes the long-standing requirement 
that an AML/CFT program be written. Should FinCEN further clarify which 
specific elements of an institution's AML/CFT program must be written, 
or is this requirement generally understood in its current form? In 
particular: (a) which program components--such as risk assessment 
processes; internal policies, procedures, and controls; transaction 
monitoring rules and parameters; escalation and reporting protocols; 
independent testing results; training materials; and documentation of 
designated personnel--should be required in writing; (b) what form 
(e.g., narrative descriptions, checklists, system configurations, or 
electronic records) should such documentation take; and (c) what level 
of detail is appropriate for each component? Should FinCEN instead 
eliminate the requirement that an AML/CFT program be expressly required 
to be ``written'' because, among other reasons, financial institutions 
may be subject to other applicable recordkeeping and documentation 
requirements? What would be the benefits or drawbacks of not 
prescribing a mandatory written requirement in the regulation?
    19. The proposed rule would require that a financial institution's 
written AML/CFT program be approved by its board of directors, an 
equivalent governing body, or appropriate senior management. Should 
FinCEN further clarify which aspects of the AML/CFT program must be 
subject to such approval? In particular: (a) should approval be 
required for each of the core program components (e.g., the risk 
assessment processes framework; internal policies, procedures, and 
controls; transaction-monitoring and escalation frameworks; independent 
testing structure; training program; and designation of responsible 
personnel), or would approval of the overall program framework be 
sufficient; (b) should material revisions to particular components 
(such as significant changes to the institution's risk assessment 
methodology, monitoring architecture, or governance structure) require 
re-approval at the same level; and (c) what level of specificity should 
the approving body be required to review and approve (e.g., high-level 
program architecture versus detailed procedures or parameter-level 
settings)? Should FinCEN instead eliminate the specified approval 
requirement, allowing financial institutions flexibility in determining 
how leadership oversight of the AML/CFT program is structured? What 
would be the benefits or drawbacks of not prescribing a mandatory 
approval requirement in the regulation? If FinCEN does not eliminate 
the specified approval requirement, should FinCEN consider amending the 
requirement? Are there alternatives to board of directors, an 
equivalent governing body, or appropriate senior management that would 
be more appropriate?

Supervision and Enforcement (V.F.)

    20. The proposed rule would add a new Sec.  1020.221 to set forth a 
supervision and enforcement framework for banks. The new supervision 
and enforcement requirements would apply only to banks and the Federal 
banking agencies in the proposed rule. FinCEN welcomes comment on 
whether these provisions should apply to other financial institutions.
    21. Is further clarification needed for financial institutions to 
determine what constitutes a ``significant or systemic failure to 
implement an AML/CFT program in accordance with Sec.  1020.210(c)''?
    22. Is further clarification needed for financial institutions to 
determine what constitutes a ``failure to establish an AML/CFT program 
in accordance with Sec.  1020.210(b)''?
    23. The proposed rule refers to FinCEN's ``enforcement and 
supervision policy.'' Does it introduce confusion to label regulatory 
provisions having the force of law as ``policy''? If so, how should the 
proposed regulatory language be amended to eliminate that confusion?
    24. The proposed rule would add a requirement for an Agency to 
notify and consider information provided by FinCEN before initiating a 
significant AML/CFT supervisory action when acting pursuant to 
authority delegated under this chapter. Should the proposed 
consultation process include an asset threshold--e.g., consultation is 
required for any significant AML/CFT supervisory actions involving 
banks with $10 billion or more in assets? In addition, or as an 
alternative, should the proposed rule not require but instead provide 
the option for banks to request their Agency consult with FinCEN prior 
to initiating a significant AML/CFT supervisory action?
    25. The definition of significant AML/CFT supervisory action 
includes the term ``any written communication.'' Is the term ``any 
written communication'' too broad? Are there negative consequences to 
including the term ``any written communication'' in the proposed 
regulatory text? If so, please describe. Should the term ``any written 
communication'' be more clearly defined or removed altogether?
    26. As described above, the purpose of the FinCEN consultation 
requirement is to ensure consistency in BSA/AML enforcement and 
supervision across banks, and for FinCEN to provide relevant 
information on the effectiveness and impact of an institution's AML/CFT 
program. While Treasury, FinCEN, and the Agencies believe the benefits 
of a required consultation process outweigh the costs, the parties 
recognize this adds additional layers of review for financial 
institutions and the Agencies during an examination. Are there any 
avenues, communication channels, or methods by

[[Page 18726]]

which FinCEN and the Agencies can streamline the consultation process 
and prevent logistical burdens for financial institutions or delays in 
exam report issuance?
    27. Is the definition of the term ``significant AML/CFT supervisory 
action'' sufficiently clear? Does the inclusion of ``unsafe or unsound 
practices or conditions'' introduce confusion about what types of 
supervisory actions would be subject to the FinCEN consultation 
requirement, since those terms are not found in the BSA?
    28. FinCEN welcomes comment on provisions related to the use of 
innovative tools to achieve effective outcomes, specifically on how the 
Director may consider the performance of innovative activities that 
produce demonstrable outputs under the proposed supervision and 
enforcement framework.

Final Rule Effective Date (VI.)

    29. FinCEN is proposing an effective date of 12 months from the 
date of issuance of the final rule to allow sufficient time for 
financial institutions to review and implement its requirements. FinCEN 
solicits comment on the proposed effective date.

VIII. Severability

    As a part of this proposal, FinCEN proposes that if one portion of 
the proposed rule, if finalized, is found to be invalid, the 
invalidated portion of the regulation should be severed, with the other 
portions of the proposed rule, as well as the existing FinCEN 
regulations for each type of financial institution in chapter X, 
remaining in full force and effect. FinCEN's position is that 
invalidation of any one provision, or application thereof to any one 
person or circumstance, does not, and should not, affect any other 
provision in this proposed regulation or existing regulations under 
chapter X. Each provision serves an important, related, but distinct 
purpose and application, designed to benefit the public by protecting 
the U.S. financial system from illicit financial activity. FinCEN 
accordingly has proposed to incorporate this position into the 
respective rules for each type of financial institution, such that 
invalidity of one provision would not undermine the operability or 
usefulness of the other provisions.

IX. E.O. 14294

    Section 5 of E.O. 14294 directs that all future notices of proposed 
rulemaking and final rules published in the Federal Register, the 
violation of which may constitute criminal regulatory offenses, should 
include a statement identifying that the rule or proposed rule is a 
criminal regulatory offense and the authorizing statute.\110\ E.O. 
14294 directs agencies to draft this statement in consultation with the 
Department of Justice.
---------------------------------------------------------------------------

    \110\ E.O. 14294, Fighting Overcriminalization in Federal 
Regulations, 90 FR 20367 (issued May 9, 2025; published May 14, 
2025).
---------------------------------------------------------------------------

    E.O. 14294 further directs that the regulatory text of all NPRMs 
and final rules with criminal consequences published in the Federal 
Register after May 9, 2025, should explicitly state a mens rea 
requirement for each element of a criminal regulatory offense, 
accompanied by citations to the relevant provisions of the authorizing 
statute.
    Willful violations of the regulations set forth in this proposed 
rule may be subject to criminal penalties pursuant to 31 U.S.C. 5322 
and regulations promulgated in 31 CFR chapter X. The statutory authority 
for criminal liability requires a mens rea of willfulness as an element 
under 31 U.S.C. 5322(a) and 31 U.S.C. 5322(b). FinCEN's existing 
regulation, 31 CFR 1010.840, that sets out criminal penalties for 
violations of regulations promulgated in 31 CFR chapter X also includes 
a mens rea of willfulness. In drafting this statement, FinCEN has 
consulted with the Department of Justice.

X. Regulatory Impact Analysis

    FinCEN has analyzed the proposed rule as required under E.O. 
12866,\111\ E.O. 13563,\112\ E.O. 14192,\113\ the Regulatory 
Flexibility Act (RFA),\114\ the Unfunded Mandates Reform Act of 1995 
(UMRA),\115\ and the Paperwork Reduction Act (PRA).\116\
---------------------------------------------------------------------------

    \111\ E.O. 12866, Regulatory Planning and Review, 58 FR 51735 
(issued Sept. 30, 1993; published Oct. 4, 1993).
    \112\ E.O. 13563, Improving Regulation and Regulatory Review, 76 
FR 3821 (issued Jan. 18, 2011; published Jan. 21, 2011).
    \113\ See E.O. 14192, Unleashing Prosperity Through 
Deregulation, 90 FR 9065 (issued Jan. 31, 2025; published Feb. 6, 
2025); Office of Management and Budget, Guidance Implementing 
Section 3 of Executive Order 14192, Titled ``Unleashing Prosperity 
Through Deregulation,'' M-25-20 (Mar. 26, 2025), <a href="https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf">https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf</a>.
    \114\ 5 U.S.C. 601 et seq.
    \115\ 2 U.S.C. 1532.
    \116\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This proposed rule has been determined to be a ``significant 
regulatory action'' under section 3(f)(1) of E.O. 12866, as it may have 
an annual effect on the economy of $100 million or more. FinCEN has 
included an Initial Regulatory Flexibility Analysis (IRFA) pursuant to 
the RFA as the proposed rule may have a significant economic impact on 
a substantial number of certain types of affected small entities.\117\ 
Pursuant to analysis required by UMRA, FinCEN concludes it unlikely 
that the proposed rule, if implemented, would result in a novel annual 
expenditure of more than $193 million by State, local, and Tribal 
governments or by the private sector.\118\ While the PRA analysis 
included in this NPRM introduces certain new pro forma accounting 
estimates to the existing Office of Management and Budget (OMB) control 
numbers covered by the rulemaking, these burdens and costs largely 
reflect administrative updates that are being introduced to more 
accurately represent the activity currently undertaken by covered 
financial institutions to comply with existing program requirements 
unchanged by the proposed rule. The aggregate PRA estimates do not 
represent, and should not be interpreted to reflect, novel incremental 
costs attributable to the proposed rule.\119\
---------------------------------------------------------------------------

    \117\ This economic expectation is sensitive to key assumptions 
about how potentially affected financial institutions would respond 
to the proposed requirements. FinCEN requests comment on whether it 
would instead be more reasonable to certify that the proposed rule 
would not have a significant economic impact on a substantial number 
of small entities. See infra section X.F #16.
    \118\ The UMRA requires an assessment of mandates with an annual 
expenditure of $100 million or more, adjusted for inflation. 2 
U.S.C. 1532(a). FinCEN has not anticipated material changes in 
expenditures for State, local, and Tribal governments, insofar as 
they would not participate in the primary activities of monitoring 
or enforcing compliance of the newly proposed requirements in a way 
that differs from current involvement, thereby incurring novel 
incremental costs. But because the proposed rule would affect 
entities in the private sector that are covered financial 
institutions, FinCEN has considered expenditures these private 
entities may incur, pursuant to UMRA, as part of the regulatory 
impact in its assessment below.
    \119\ See infra section X.E.
---------------------------------------------------------------------------

    In its totality, FinCEN's regulatory impact analysis (RIA) 
anticipates that the primary aggregate economic effects of the proposed 
rule would be reallocative insofar as the requirement for programs to 
support law enforcement and national security and advance AML/CFT 
Priorities remains unchanged. Thus, while total expenditures on program 
compliance may not be reduced, the distribution of which financial 
institutions incur costs and what they expend those resources on 
would be expected to change in response to the incentives introduced 
by the proposed rule that better align institutions' attention and 
activities with their unique ML/TF risks. While aggregate costs would not 
be expected to decrease, FinCEN's analysis

[[Page 18727]]

concludes that they would also not be expected to increase, and because 
the proposed rule would enable financial institutions to more 
efficiently focus their resources on higher-risk items, the same level 
of expenditures may generate more effective outcomes--for the financial 
institution, the integrity of the financial system, law enforcement, 
national security, and the American public, generally.
    As described above,\120\ the proposed rule would require covered 
financial institutions to establish and maintain effective AML/CFT 
programs with certain minimum components, such as: (1) a risk-based set 
of internal policies, procedures, and controls; (2) independent AML/CFT 
program testing; (3) the designation of an individual, who is located 
in the United States, accessible to FinCEN and/or the appropriate 
Federal functional regulator (FFR), and responsible for establishing 
and implementing the AML/CFT program and coordinating compliance; and 
(4) an ongoing training program. The proposed rule would also, in 
certain instances, alter the scope of conditions under which FinCEN--
and regulators to whom FinCEN has delegated supervisory authority such 
as the Agencies--could issue supervisory or enforcement actions based 
solely on implementation deficiencies in cases where a covered 
financial institution has properly established a program. Further, the 
proposed rule would provide FinCEN with a consultative role in certain 
aspects of the supervisory process for banks.\121\
---------------------------------------------------------------------------

    \120\ See supra section IV.B.
    \121\ Banks include covered financial institutions defined under 
31 CFR 1010.100(t)(1) and (d).
---------------------------------------------------------------------------

    In so doing, FinCEN contemplates a number of benefits for covered 
financial institutions, regulators and other compliance examiners, law 
enforcement and national security agencies, and the general public that 
would flow from (1) ensuring that AML/CFT programs are risk based, (2) 
modernizing and reforming Federal supervision of AML/CFT programs, and 
(3) promoting clarity and consistency across FinCEN's program rules for 
the different covered financial institution types.
    This RIA begins by describing the broad economic analysis FinCEN 
undertook to inform its expectations of the proposed rule's economic 
impact and burden.\122\ This is followed by pieces of additional and, 
in some cases, more specifically tailored analysis as required by E.O.s 
12866, 13563, and 14192; \123\ the RFA; \124\ the UMRA; \125\ and the 
PRA.\126\ Requests for comments related to the RIA--regarding specific 
findings, assumptions, or expectations, or with respect to the analysis 
in its entirety--can be found in the final subsection.\127\ These 
requests for comments have been previewed and cross-referenced 
throughout the RIA.
---------------------------------------------------------------------------

    \122\ See infra section X.A.
    \123\ See infra section X.B.
    \124\ See infra section X.C.
    \125\ See infra section X.D.
    \126\ See infra section X.E.
    \127\ See infra section X.F.
---------------------------------------------------------------------------

A. Assessment of Impact

    Consistent with best practices in regulatory economic analysis, 
FinCEN's assessment of impact begins with an overview of broad economic 
considerations, identifying, among other things, the need for the 
policy intervention.\128\ Next, FinCEN (1) establishes baseline 
estimates of the number of covered financial institutions and other 
entities that could be affected by the proposed rule and (2) describes 
the current regulatory requirements and background practices against 
which the proposed rule would introduce changes.\129\ The analysis then 
briefly reviews elements of the proposed rule that most directly inform 
how foreseeable economic impacts would flow from how covered financial 
institutions and their respective regulators would engage in otherwise-
not-undertaken activities to comply.\130\ Next, the RIA presents the 
anticipated benefits and estimated costs to the respective affected 
parties that would be associated with compliance.\131\ Finally, the 
assessment concludes with a brief discussion of alternative policies 
FinCEN considered and could have proposed, including an evaluation of 
the relative economic merits of each against the expected value of the 
rule as proposed.\132\
---------------------------------------------------------------------------

    \128\ See infra section X.A.1.
    \129\ See infra section X.A.2.
    \130\ See infra section X.A.3.
    \131\ See infra section X.A.4.
    \132\ See infra section X.A.5.
---------------------------------------------------------------------------

1. Broad Economic Considerations
    Because this NPRM is being issued pursuant to statutory 
obligations, the necessity for FinCEN to independently identify and 
articulate fundamental economic problems that the proposed rule is 
intended to address, as the basis for regulatory action,\133\ is 
attenuated because at best this activity would complement the problem 
identification already performed by Congress.\134\ Nevertheless, FinCEN 
has remained mindful of these animating considerations as well as the 
general social and economic costs that may ensue from an ineffective 
AML/CFT regime.\135\
---------------------------------------------------------------------------

    \133\ See E.O. 12866, supra note 111, sec 1(b)(1), (``Each 
agency shall identify the problem that it intends to address 
(including, where applicable, the failures of private markets or 
public institutions that warrant new agency action) as well as 
assess the significance of that problem.''); see also OMB, Circular 
A-4 (2003), sec. B, The Need for Federal Regulatory Action, <a href="https://www.whitehouse.gov/wp-content/uploads/2025/08/CircularA-4.pdf">https://www.whitehouse.gov/wp-content/uploads/2025/0

[…truncated; see source link]
Indexed from Federal Register on April 10, 2026.
