The Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA) jointly issued a notice of proposed rulemaking to modernize anti-money laundering and countering the financing of terrorism (AML/CFT) compliance program requirements. The proposed rule is intended to align their rules with FinCEN’s parallel amendments under the Bank Secrecy Act and the Anti-Money Laundering Act of 2020 (discussed here). FinCEN’s proposal lays out the big-picture requirements for AML/CFT programs under the Bank Secrecy Act, while the federal banking agencies’ proposal takes those rules and aligns them to their own supervisory and examination frameworks so they can actually oversee and enforce the requirements for financial institutions. Comments are due no later than June 9, 2026.

Defining an “Effective” Risk-Based AML/CFT Program

A central feature of the proposal is an explicit definition of what constitutes an “effective” AML/CFT program. A program would be considered effective if it is properly established in accordance with specified minimum components and then maintained by being implemented “in all material respects” on an ongoing basis. The rule emphasizes a risk-based approach that formally directs more attention and resources to higher-risk customers and activities and less to lower-risk areas, consistent with the institution’s risk profile. The banking agencies are clear that perfection is not the standard. Rather, the focus is on reasonable design and material implementation.

Core Program Components and New Emphases

The proposal retains the traditional elements of an AML program, but it sharpens and clarifies them. Financial institutions would be required to adopt written, risk-based internal policies, procedures, and controls that are reasonably designed to ensure compliance with the BSA and its implementing regulations. Those controls must be grounded in documented risk assessment processes that evaluate products, services, customers, distribution channels, and geographies, and that review and, where appropriate, incorporate FinCEN’s AML/CFT Priorities. Risk assessments must be updated when the institution knows or has reason to know that its risk profile has significantly changed.

The proposal expressly incorporates ongoing customer due diligence (CDD) into the prudential regulators’ rules, harmonizing them with FinCEN’s existing CDD requirements. Independent AML/CFT testing remains a requirement, and must be performed by parties who are functionally independent of the AML/CFT function they review. The AML/CFT officer must have sufficient authority, resources, and independence, and, reflecting new statutory language, must be located in the U.S. and be accessible to both FinCEN and the relevant agency. The rule also codifies the expectation of an ongoing employee training program suited to the institution’s risk profile and personnel responsibilities.

The AML/CFT program must be in writing and made available upon request. Unlike the current rules, which focus on board approval, the proposal would allow approval by the board, an equivalent governing body, or appropriate senior management, while preserving the expectation that boards continue to exercise meaningful oversight of AML/CFT risk.

Supervision, Enforcement, and FinCEN’s Expanded Role

The proposed rule also seeks to modernize supervision and enforcement. It draws a clearer distinction between failures to establish a compliant AML/CFT program (a design problem) and failures to implement an established program (an operational problem). Once a program has been properly established, enforcement or significant supervisory actions based solely on implementation deficiencies would generally be reserved for “significant or systemic” failures, not isolated or technical issues.

To promote consistency and a risk-focused approach, the rule would require the banking agencies to notify FinCEN before initiating AML/CFT enforcement actions or significant AML/CFT supervisory actions and to provide FinCEN with relevant underlying information. FinCEN would have an opportunity to review the matter and provide input, and institutions would be expressly permitted to share certain non‑public supervisory information with FinCEN in this context, subject to safeguards intended to preserve applicable privileges.

Key Takeaways and Next Steps

While the proposed rule does not broaden the category of institutions required to maintain AML/CFT programs, it seeks to add clarity to the applicable program obligations across different institution types. Consequently, certain non-bank financial institutions may experience heightened regulatory expectations.  For banks and credit unions supervised by the OCC, FDIC, or NCUA, this proposal largely builds on existing expectations but raises the bar on documentation, governance, and demonstrable risk-based allocation of resources. Financial institutions should review how their current programs distinguish between design and implementation, how they document and update risk assessments, and whether governance structures, including the location and authority of the AML/CFT officer, align with the proposed framework.

Financial institutions may consider submitting comments, including by responding to the specific questions posed by the banking regulators to seize this opportunity to seek additional clarity and to shape how the new AML/CFT framework is actually implemented.