FinCEN’s April 7 proposed rule overhauling the Bank Secrecy Act and AML/CFT program requirements across all financial institutions — not just banks — continued to generate significant analysis through May. Comments closed June 9. The proposal is the most significant rewrite of AML program standards in years and introduces several changes with direct operational implications.
Key changes include: a formalized, continuous risk assessment process (not periodic or static) that must be updated as the institution’s risk profile changes; a requirement that the AML/CFT compliance officer be located in the United States and subject to FinCEN oversight; independent testing that focuses on program effectiveness (not just procedural compliance) and is conducted by truly independent parties free of conflicts; and a new two-prong enforcement framework that distinguishes between failures in program design (“establishment”) versus failures in day-to-day implementation, with significant enforcement action generally reserved for systemic or significant failures.
Notably, FinCEN explicitly stated that institutions responsibly experimenting with AI and other innovative technologies in their AML programs will not face additional enforcement risk solely from that use and that it strongly encourages such adoption. The proposal also provides a proportional framework for community banks, recognizing that smaller institutions often rely on direct customer knowledge and local market familiarity, and should not automatically be expected to implement complex model-driven systems.
What you should do: This is a genuine recalibration, not just a cosmetic update. The formalized risk assessment requirement, U.S.-based compliance officer requirement, and effectiveness-focused testing standards will all require some review of existing AML programs. For community banks, the proportionality language is helpful but doesn’t eliminate the need for updated written risk assessments as products, services, and customer types evolve. The AI safe harbor is an opportunity worth taking seriously. If you have been waiting for regulatory clarity before piloting AI in transaction monitoring, this proposal provides a meaningful signal that responsible experimentation is encouraged. Consider submitting a comment on any provisions that create operational challenges specific to your institution’s size or model.