
A Risk-Based Approach to Anti-Money Laundering and Counter Financing Terrorism

Written by Eliassen Group | May 27, 2026 5:42:21 PM

Background

The Financial Crimes Enforcement Network (FinCEN) is a bureau of the U.S. Department of the Treasury responsible for safeguarding the financial system from illicit activity, including money laundering, terrorist financing, and other financial crimes. FinCEN plays a central role in collecting and analyzing financial intelligence and enforcing compliance with the Bank Secrecy Act (BSA). By issuing regulations and guidance, FinCEN ensures that financial institutions, and increasingly other types of covered entities, maintain strong internal controls to detect and report suspicious activity. Its broader mission is to promote national security and protect the integrity of the U.S. financial system.

In early April 2026, FinCEN issued a proposed rule aimed at strengthening Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) programs across regulated institutions. This proposal reflects an effort to modernize AML/CFT compliance frameworks and better align them with evolving financial risks, technological advancements, and emerging threats. The rule builds upon existing BSA requirements but introduces more structured expectations around governance, documentation, and accountability. Most importantly, the proposal reinforces that compliance is not a static procedural obligation, but a dynamic, risk-informed function that must mature alongside the institution’s business model, risk profile, and external threat landscape.

A key driver behind the proposed rule is FinCEN’s recognition that current AML programs often lack consistency, transparency, and measurable effectiveness. Many institutions have historically focused on meeting minimum regulatory requirements without fully integrating risk-based decision-making processes. As financial crimes grow more sophisticated by leveraging digital assets, cross-border transactions, and complex corporate structures, FinCEN is seeking to ensure that AML programs are both proactive and adaptable. The proposal also aligns with FinCEN’s broader strategic priorities, including improving the usefulness of financial intelligence and enhancing coordination between government agencies and the private sector.

One of the most significant components of the proposed rule is the elevation of the risk assessment to a central pillar of the AML/CFT program. Institutions will be required to develop and maintain a formal, documented, and current risk assessment that drives all aspects of their compliance program. This includes identifying and evaluating risks across customers, products, services, geographies, and transaction types. The risk assessment must incorporate FinCEN’s established AML/CFT priorities, which include areas such as corruption, cybercrime, fraud, and terrorist financing. By embedding these priorities into their assessments, institutions will be better positioned to allocate resources, design controls, and tailor monitoring systems in a way that directly addresses the most significant risks.

To better illustrate this concept, the proposed framework can be visualized as follows:


This model highlights how the risk assessment sits at the center of the framework, informing policies, internal controls, transaction monitoring, and reporting processes, while also integrating regulatory priorities. The feedback loop ensures that programs are continuously improved based on results, emerging risks, and regulatory expectations.

Overall, the proposed rule represents a shift toward a more mature and integrated AML/CFT compliance environment. By emphasizing risk-based decision-making, clearer governance, and alignment with national priorities, FinCEN aims to improve the effectiveness of financial crime prevention efforts across the board. For institutions, this will require not only enhancements to documentation and processes, but also a cultural shift toward viewing AML compliance as a strategic function rather than a regulatory obligation. In the long term, these changes are expected to strengthen the financial system’s resilience against illicit activity and enhance the overall quality of financial intelligence available to regulators and law enforcement.

Impact on Core AML/CFT Internal Controls

This shift toward a more explicitly risk-based, effectiveness-oriented AML/CFT framework will have a direct and meaningful impact on how institutions design, govern, and evidence their internal controls. While the implications will extend across the broader compliance program, the most significant changes are concentrated in six core areas: risk assessment, governance and oversight, customer due diligence (“know your customer”), transaction monitoring, suspicious activity reporting processes, and sanctions and watchlist screening.

1. Risk Assessment

Under FinCEN’s 2026 proposed rule, the risk assessment is explicitly elevated to the core driver of an effective AML/CFT program and is no longer an implied or informal expectation. The proposal requires financial institutions to establish and maintain documented risk assessment processes that identify, assess, and update money laundering and terrorist financing risks across customers, products, services, distribution channels, and geographies. Importantly, institutions must review and incorporate FinCEN’s government-wide AML/CFT priorities into their assessments and promptly update them when material risk changes occur. This control area is critical because the proposed rule makes clear that AML/CFT programs must be risk-based and reasonably designed; examiners will now evaluate whether controls, monitoring, and resource allocation are demonstrably grounded in the institution’s documented risk assessment.

2. Governance and Oversight

The proposed rule strengthens governance expectations by requiring that AML/CFT programs be established, approved, and overseen by the financial institution’s board of directors or appropriate senior management. FinCEN emphasizes that accountability for AML/CFT compliance must rest with clearly designated leadership, including a qualified AML/CFT officer who is located in the United States and accessible for meetings. Qualified AML/CFT officers possess sufficient knowledge, relevant experience, and independent authority to design, implement, and oversee a risk-based AML/CFT program that is effective and aligned with the institution’s risk profile and FinCEN requirements. Under the new framework, regulators are directed to distinguish between failures to establish a program and failures to implement a program, making strong governance a key factor in preventing regulatory and enforcement actions.

3. Customer Due Diligence (CDD) and Know Your Customer (KYC)

FinCEN’s proposed rule incorporates Customer Due Diligence (CDD) as an integral component of the risk-based internal policies, procedures, and controls required for program establishment. Institutions must understand the nature and purpose of customer relationships, develop customer risk profiles, and conduct ongoing monitoring and updates based on risk. The concept of Know Your Customer (KYC) goes beyond basic identification, as it requires institutions to establish a clear understanding of the customer’s background, source of funds, expected account activity, and overall purpose for engaging with the institution. These controls are critical because the proposed rule reinforces that effective AML/CFT programs depend on accurate customer risk identification; weaknesses in CDD/KYC directly undermine transaction monitoring, decision-making, and the institution’s ability to align with AML/CFT priorities.

4. Transaction Monitoring and Surveillance

While the proposed rule does not prescribe specific monitoring technologies, it clearly requires that institutions mitigate identified AML/CFT risks consistent with their risk assessment processes by directing greater attention and resources to higher-risk customers and activities. Transaction monitoring systems must therefore be calibrated, governed, and updated in a manner that reflects documented risks and national priorities. This control is essential because FinCEN’s proposal shifts regulatory focus away from the volume of alerts generated. Instead, the emphasis is on whether monitoring systems are reasonably designed to identify higher-risk activity and produce useful information for law enforcement. Ineffective or misaligned monitoring may be viewed as a failure to properly implement a risk-based AML/CFT program.

5. Suspicious Activity Reporting (SAR)

The proposed rule reinforces Suspicious Activity Reporting (SAR) as a core outcome of an effective AML/CFT program, while clarifying that SAR should be informed by the institution’s risk assessment and AML/CFT priorities. FinCEN emphasizes that AML/CFT programs should produce information with a “high degree of usefulness” to law enforcement, rather than excessive or low-value reporting. Strong SAR controls, including investigation procedures, escalation protocols, and documented decision rationales, are therefore critical to demonstrating program effectiveness. Under the proposal, regulators will consider whether SAR processes reflect risk-based decision-making and support national security and law enforcement objectives.

6. Sanctions and Watchlist Screening

Although sanctions compliance is often addressed through separate regulatory organizations, FinCEN’s proposed rule incorporates sanctions risk within the broader concept of illicit finance risk. As such, institutions must identify and mitigate sanctions risk through their AML/CFT programs. Screening controls must be aligned with the institution’s risk assessment and supported by effective governance, escalation, and documentation processes. Failures in sanctions screening can represent significant compliance breakdowns and expose institutions to severe enforcement consequences. Under the proposed rule’s emphasis on program effectiveness, sanctions screening must function as part of a cohesive, risk-based control environment rather than as a standalone procedural obligation.

Summary:

This proposal is a positive step forward that modernizes AML/CFT expectations around a risk-based approach. The framework ties program design to a documented, continuously refreshed risk assessment aligned with FinCEN priorities. With the key internal controls operating as an integrated system, institutions can better focus resources on higher-risk activity, improve the quality of financial intelligence, and reduce exposure to money laundering and terrorist financing risk.

Eliassen Group brings deep, hands-on expertise in AML/CFT program design, assessment, and validation, supported by our work with well-known global financial and technology organizations. Our team has conducted comprehensive testing across the full spectrum of critical AML/CFT internal controls, including risk assessment, governance and oversight, CDD and KYC, transaction monitoring, SAR, and sanctions and watchlist screening. Our approach is grounded in a strong understanding of evolving FinCEN expectations, particularly the shift toward risk-based, effectiveness-driven programs. We not only evaluate whether controls exist, but whether they are properly designed, operationally effective, and aligned to the institution’s risk profile and regulatory priorities. Eliassen Group is positioned as a trusted partner for organizations seeking to enhance the maturity, defensibility, and overall effectiveness of their AML/CFT frameworks while meeting increasing regulatory scrutiny.

Author

Ryan O'Malley

Manager, SOX Compliance & Internal Audit Solutions

romalley@eliassen.com
