On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) issued a proposed rule intended to fundamentally reform the Bank Secrecy Act’s (BSA) Anti-Money Laundering (AML)/Combating the Financing of Terrorism (CFT) program requirements. According to FinCEN, it is shifting regulatory expectations away from technical, prescriptive compliance and toward demonstrable program effectiveness tied to financial crime risk. FinCEN wants to transition from rule interpretation and box-checking to more strategic assessments of risk governance, program design and operational execution.

What the Proposed Rule Entails

An important facet of the proposed rule is to create a clear distinction between establishing an AML/CFT program (design and structure) and maintaining one (day-to-day implementation). The proposal requires a risk-based AML/CFT framework incorporating four core required pillars:

1. Internal policies, procedures and controls, including risk assessment processes, and, when applicable, ongoing customer due diligence.
2. Independent program testing.
3. Designation of a U.S.-based compliance officer.
4. Ongoing employee training.

The proposed rule also requires a risk assessment process that includes the following:

• Evaluation of the BSA-related risks of the financial institution’s business activities, including products, services, distribution channels, customers and geographic locations.
• A review and, as appropriate, incorporation of the AML/CFT priorities.
• Prompt updates upon any change the financial institution knows, or has reason to know, that significantly changes the institution’s risks.

The proposal clarifies independent testing should be based on objective criteria designed to assess whether a financial institution has effectively established, implemented and resourced an AML/CFT program consistent with its risk assessment processes. The proposal is clear that “auditors” should not substitute their own subjective judgment in place of the financial institution.

The rule would require the BSA officer be located in the United States. However, while the BSA officer must be in the United States, personnel located outside of the United States would still be permitted to perform certain BSA functions.

According to the proposal, if a financial institution has established its BSA program pursuant to the proposed rule, FinCEN generally would not take an enforcement action. FinCEN generally would not take a significant supervisory action against a financial institution unless it has a significant or systemic failure to maintain that program. The proposed rule requires federal banking supervisors, before initiating a significant BSA supervisory action, to give FinCEN’s at least 30 days’ advance written notice, absent urgent circumstances, to review and provide input on the potential action.

Doeren Mayhew’s credit union and bank compliance pros will continue to monitor this proposed rule, as well as other regulatory updates impacting institutions. Should you have questions regarding how this rule would impact your institution specifically, contact us today.