FinCEN’s Proposed AML/CFT Program Reform: What Financial Institutions and Auditors Need to Know
- Apr 22
In April 2026, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) that would fundamentally reshape how financial institutions design, implement, and are examined on their anti-money laundering and countering the financing of terrorism (AML/CFT) programs. If finalized, this proposal represents the most significant rethink of Bank Secrecy Act (BSA) compliance in decades, particularly in how program effectiveness is evaluated.
For banks, credit unions, money services businesses, and other covered entities, the message is clear: success will no longer be defined by the volume of documentation, but by the institution’s ability to identify and mitigate real illicit-finance risk.
Why FinCEN Is Proposing Change
FinCEN’s proposal is part of the Treasury Department’s broader effort to modernize the U.S. AML/CFT framework under the Anti-Money Laundering Act of 2020. Treasury officials have expressed concern that the current system incentivizes check-the-box compliance rather than meaningful risk management.
The proposed rule fully withdraws and replaces FinCEN’s July 3, 2024 AML program proposal, signaling a decisive change in regulatory philosophy.
A Shift to Risk-Based and Reasonably Designed Programs
At the heart of the proposal is a new standard: financial institutions must establish and maintain AML/CFT programs that are risk-based, reasonably designed, and effective. Institutions will be expected to identify their own illicit-finance risks and concentrate resources where those risks are highest.
Clearer Distinction Between Design and Execution Failures
FinCEN’s proposal emphasizes distinguishing between failures in AML/CFT program design and failures in implementation. Only significant or systemic failures to implement an otherwise sound program would warrant enforcement action.
Implications for Independent Testing and Audit Functions
Independent testing will be expected to assess program effectiveness rather than simply validate technical compliance. Auditors should evaluate whether risk-based decisions are reasonable and supported, without substituting their own judgment when programs are properly designed.
FinCEN’s Expanded Supervisory Role
The proposal reinforces FinCEN’s central role in AML/CFT supervision, including a new notice and consultation framework with federal banking regulators to ensure consistent supervisory outcomes.
What Financial Institutions Should Do Now
Institutions should begin preparing by reassessing risk assessments, reviewing governance frameworks, aligning audit approaches, and training staff on the new effectiveness-focused expectations.
How Audit Firms Add Value in the New Framework
Audit firms will play a critical role in helping institutions evaluate whether AML/CFT programs are reasonably designed, risk-aligned, and effectively governed, moving compliance from a paperwork exercise to a true risk-management discipline.
Final Thought
FinCEN’s proposed rule signals a major shift in AML/CFT oversight. Institutions that embrace risk-based design, documented decision-making, and effective governance will be best positioned for future examinations and regulatory success.




