Book an intro

US prepares for financial services AML overhaul

US authorities are preparing for one of the most significant changes to its anti-money laundering framework in decades. What began in April with FinCEN and the banking agencies has now moved into a second phase, with the Federal Reserve publishing its own proposal for the institutions it supervises.

The main aims are that US AML/CFT supervision is being pushed away from a technical, paperwork-heavy model and toward a more risk-based and outcomes-focused framework. The aim is that financial institutions should spend less time proving that every formal process exists, and more time showing that their AML/CFT programmes are identifying, assessing and mitigating real illicit finance risk.

In April of 2026, FinCEN proposed reforms to AML/CFT programme rules under the Bank Secrecy Act, stating that the changes were intended to modernise the US AML/CFT regulatory and supervisory framework and reduce unnecessary compliance burden. The proposal would promote risk-based, reasonably designed programmes and a more consistent approach to evaluating banks for effectiveness.

The April proposals were the main regulatory reset. FinCEN, joined by the OCC, FDIC and NCUA, set out the new architecture for effective, risk-based AML/CFT programmes under the BSA. The Federal Reserve’s July proposal is not a separate overhaul in a different direction. It is the Fed’s companion rulemaking for the banks it supervises, designed to bring its own AML/CFT programme rules into alignment with the April package. While the main policy direction is the same, the Fed proposal leaves open some important questions around FinCEN consultation, information sharing and the threshold for significant supervisory or enforcement action.

In general, the Fed’s proposals would require Board-supervised banks to maintain effective AML/CFT programmes reasonably designed to identify, assess and mitigate illicit finance risks, with more attention and resources directed toward higher-risk customers and activities. The Fed proposal applies to state member banks, Edge and agreement corporations, and certain US branches, agencies and representative offices of foreign banks operating in the United States.

From April proposals to July alignment

The April package was led by FinCEN and accompanied by proposals from the OCC, FDIC and NCUA. It covered a wide range of financial institutions subject to AML/CFT programme requirements, including depository institutions, casinos, insurance, money services businesses, mortgage companies and brokers, precious metals and jewellery businesses, and securities and futures firms.

FinCEN’s package of proposals in April put effectiveness at the centre of AML/CFT programme expectations. FinCEN framed the reform as a move away from measuring success by “the volume of paperwork” and toward the ability of financial institutions to stop illicit finance threats.

This effectively elevated the risk-based approach which has been the bedrock of AML in the UK and EU since the Fourth Money Laundering Directive. Under the changes, financial institutions would need to identify, assess and document their money laundering and terrorist financing risks, and then use those risk assessment processes to shape policies, procedures, controls, monitoring and resource allocation. Institutions would be expected to review those priorities and, where appropriate, incorporate them into risk assessment processes.

The proposals also drew a clearer distinction between establishing a programme and maintaining it. Establishing the programme is about design: risk-based controls, independent testing, training, a designated compliance officer and ongoing customer due diligence where applicable. Maintaining the programme is about implementation in practice. Both elements need to be considered and balanced.

What is the timeline for transition to the new rules?

The April FinCEN proposal was issued on 7 April 2026, with comments due by 9 June 2026. FinCEN also confirmed that the April 2026 proposal superseded and withdrew its earlier July 2024 proposed rule. The Federal Reserve proposal was published in the Federal Register on 9 July 2026. Comments on the Fed proposal are due by 8 September 2026.

A final rule is therefore unlikely to take effect immediately. The Fed is proposing an effective date 12 months from the date the final rule is issued, and is specifically asking for comment on that proposed transition period. Therefore we would likely see changes in the second half of 2027 or perhaps early 2028.

That gives firms some breathing room, although it’s worth starting to think about what efforts will be required. The most significant work will be showing that the firm’s risk assessment methodology is current, reasoned, documented and connected to how the programme actually operates.

Are there differences between the approaches?

The July Fed proposal is largely consistent with the April direction, although there are some important differences. The most practical difference is the Fed’s treatment of FinCEN consultation and information sharing. The April proposals from the OCC, FDIC and NCUA included provisions for a FinCEN notice and consultation framework before certain AML/CFT supervisory or enforcement actions. They also included a provision allowing banks to share information with the FinCEN Director relating to existing or potential AML/CFT supervisory or enforcement action.

The Fed proposal does not include those provisions. Instead, the Fed asks whether it should include the same or similar provisions in the final rule. That creates a potential asymmetry between Fed-supervised banks and institutions supervised by the other agencies. It also gives banks and industry bodies a clear issue to address in comment letters.

There is also a live debate around the “significant or systemic” standard. The Fed proposal states that once a Board-supervised bank has properly established an AML/CFT programme, only significant or systemic failures to implement that programme in all material respects would warrant an AML/CFT enforcement action or significant AML/CFT supervisory action.

That is intended to focus supervisory attention on serious implementation failures rather than isolated, technical or immaterial deficiencies. Yet the standard is already attracting scrutiny. Governor Michael Barr dissented from the Fed proposal, warning that the new, undefined standard could have unknown effects on the Fed’s ability to substantiate AML/CFT failures.

The Fed itself appears to recognise that this needs more clarity. It asks directly whether further clarification is needed on what constitutes a “significant or systemic failure” to implement a properly established AML/CFT programme.

The risk-based approach becomes the organising principle

For firms, the centre of gravity is the risk-based approach. That means identifying and assessing the risks created by customers, products, services, geographies, delivery channels, transactions, ownership structures and typologies, then allocating controls in proportion to those risks.

This is familiar in the UK and EU, where the risk-based approach has long been the foundation of AML compliance. The US version, however, is not simply a copy of the European model. The proposals are tied closely to the Bank Secrecy Act’s purpose of producing highly useful information for law enforcement and national security agencies. It means the risk-based approach is not just about proportionality for firms. It is also about improving the quality of financial intelligence flowing to the government.

The Fed proposal makes that connection clear. A bank’s internal policies, procedures and controls must be risk-based and reasonably designed to identify, assess and document AML risks, mitigate those risks consistently with the bank’s risk assessment, and conduct ongoing CDD. The risk assessment must also be updated promptly where the bank knows, or has reason to know, that its risk profile has significantly changed.

This is where many firms will need to focus. A risk assessment that sits in a file is not enough. The assessment has to drive customer risk scoring, onboarding, enhanced due diligence, monitoring scenarios, alert thresholds, escalation routes, staffing decisions, training priorities, independent testing and senior management reporting.

What banks and covered firms should do now

Financial institutions should not treat the proposals as a simple burden-reduction exercise. Firms may get more flexibility in allocating resources, although only if their decisions are grounded in a credible risk assessment and supported by evidence.

The first step is to review the risk assessment methodology. Firms should be able to explain what risk factors they use, how those factors are weighted, what data sources inform the assessment, how FinCEN priorities are considered, how inherent and residual risk are distinguished, and when the assessment is updated. A generic enterprise-wide assessment is unlikely to be persuasive under a regime that gives firms more discretion.

The second step is to test whether the risk assessment changes behaviour. High-risk customers and activities should attract stronger controls, more senior approval, closer monitoring and more frequent review. Lower-risk activity may justify a lighter touch, although firms will need to document why that is appropriate. A decision to reduce activity in a lower-risk area should be as well evidenced as a decision to strengthen controls in a higher-risk one.

The third step is to look at governance. The Fed proposal would require the AML/CFT programme to be written, accessible and approved by the board, equivalent governing body or appropriate senior management. Firms should consider whether their board and senior management information is sufficient to approve a risk-based programme in a meaningful way, rather than simply signing off a policy annually.

The fourth step is to review independent testing. The April materials emphasised that audit and testing functions should not simply substitute their own subjective judgement for the firm’s risk-based design decisions. At the same time, independent testing will still need to assess whether the programme is properly established, maintained and implemented against objective criteria.

The fifth step is to prepare for technology scrutiny. The proposals encourage responsible innovation, including technologies that may improve monitoring, segmentation, detection and intelligence quality. The Fed proposal says banks that responsibly incorporate innovative technologies into their AML/CFT programmes will not face additional supervisory or enforcement risk solely because of that use.

That does not mean AI or analytics can be dropped into AML processes without governance. Firms will need to evidence data quality, explainability, testing, escalation, human oversight and model or tool performance. Technology may help firms become more risk-based, although it will also create new questions about controls and accountability.

A more flexible regime requires stronger evidence

The main shift is in how compliance will be judged. A firm that can show a current, tailored and well-governed risk assessment should have more room to focus resources where they matter most. A firm that uses “risk-based” as a label for weaker controls will be exposed. The new model may reduce unnecessary burden, yet it also raises the standard for explaining why the programme is designed as it is.

For banks and covered financial institutions, the immediate task is therefore to start building the evidence trail now: risk assessment methodology, governance minutes, monitoring rationale, resource allocation, escalation decisions, testing outcomes and updates when the risk profile changes.

That is what a defensible risk-based AML/CFT programme will need to look like under the next phase of US financial services regulation.

Get your firm ready for the risk-based approach with VinciWorks AML courses

Be the first to know about releases and industry news and insights.

By filling in this form you agree to share your information with VinciWorks. We take privacy seriously, click here to read our privacy notice.