Published April 7, 2026, FinCEN’s latest Notice of Proposed Rulemaking (NPRM) is a sweeping overhaul of anti-money laundering (AML) and countering the financing of terrorism (CFT) programmes, recasting them around effectiveness, risk-based design and the fight against illicit finance. “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats,” said Secretary of the Treasury Scott Bessent. “Our proposal restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.
This proposal formally supersedes FinCEN’s earlier July 2024 proposal, replacing it with a broader reset that distinguishes more clearly between failures in programme design and failures in programme implementation. FinCEN says comments are due 60 days after Federal Register publication, and the proposal states that, if finalised, the rule would generally become effective 12 months after the final rule is issued.Becki LaPorte, Principal – AML Strategy and Innovation at FinScan, an Innovative Systems solution, shared her thoughts with RegTech Insight on the implications for firms’ governance and compliance operations – “FinCEN’s proposed rule represents a significant structural shift in AML/CFT compliance obligations, with immediate and concrete implications for compliance officers. The most consequential change is the move from an existence standard to an effectiveness standard – meaning a well-documented program that produces no meaningful risk outcomes is now explicitly exposed.” She continues, “Paired with this, the rule formally requires a mandatory, structured risk assessment as a legal obligation, requiring institutions to identify, assess, and document AML/CFT risks in direct alignment with FinCEN’s published National Priorities, with prompt updates whenever the risk profile materially changes. These two shifts alone demand that compliance officers begin building outcome-measurement frameworks and defensible, living risk assessment processes – not just policy libraries.”
For compliance operations, the burden moves upstream-trigger events, escalation paths, customer review processes, scenario tuning, suspicious activity reports (SARs), workflows and customer exit decisions all need to be connected to a living AML/CFT risk assessment.
A mandatory, structured and continuously refreshed risk assessment process creates new demands on data and explainable decision records. Institutions will need to show how customer, product, channel and geographic data feeds into risk classification, how those classifications affect controls and monitoring, and how those decisions are reviewed when risk conditions change. FinCEN’s model gives firms flexibility on methodology, but not on evidence quality.LaPorte draws out the implication – “The rule also puts real regulatory teeth behind risk-based compliance and directly challenges blanket de-risking practices. Institutions are now explicitly required to allocate more resources to high-risk customers and focus less on low-risk customers. Account closure or customer exit decisions must be grounded in individualized AML/CFT risk analysis, not broad category-based policies.”
A Global Trend
The FinCEN NPR is the latest in a round of AML/CFT reviews across the jurisdictions. In the European Union, the new Anti-Money Laundering Authority (AMLA) and the Anti-Money Laundering Regulation (AMLR) are designed to create a more harmonised supervisory and rulebook architecture, especially for high-risk cross-border institutions.
In the United Kingdom, the Financial Conduct Authority’s (FCA’s) Office for Professional Body Anti-Money Laundering Supervision (OPBAS) said last month that supervision “is more effective than at any time since 2018 but enforcement lacks the teeth to deter firms from falling short of minimum standards.” In 2025 the government has decided the FCA will take over anti-money laundering and counter-terrorist financing supervision in the legal and accountancy sectors.
The Hong Kong Monetary Authority (HKMA) continues to frame AML and CFT obligations around risk-based supervisory expectations for authorised institutions. HKMA’s most recent AML and CTF materials include work on transaction monitoring design and AI, including for stored value facility licensees.
Australia’s AML and CFT reforms likewise emphasise governing body and senior management responsibility, a fit and proper compliance officer, and more targeted customer due diligence requirements that come into force for current reporting entities on March 31, 2026.
Institutional models differ across the European Union, United Kingdom, Hong Kong and Australia. But the regulatory direction is converging around the same question: can firms show that AML and CFT controls are risk-based, current, demonstrable and capable of producing useful outcomes?
FinCEN’s proposal sharpens that question for the United States. It is unlikely to be the last jurisdiction to do so as LaPorte concludes, “FinCEN isn’t asking institutions to do more compliance, it’s demanding smarter, more defensible, and outcome-driven compliance.”
Subscribe to our newsletter
