BANKREGWIRE
Rule Navigator · BSA/AML Desk

FinCEN · OCC · FDIC · NCUA — joint rulemaking

AML/CFT Program Rule Navigator

FinCEN NPRM 91 FR 18704  ·  Joint banking NPRM 91 FR 18304  ·  RIN 1506-AB72  ·  Issued Apr 7 2026 · Published Apr 10 2026  ·  Comments close Jun 9 2026

On April 7 2026, FinCEN issued an NPRM to fundamentally reform AML/CFT program requirements under the Bank Secrecy Act — replacing the technical-compliance model with an effectiveness-based, risk-driven framework. The OCC, FDIC, and NCUA issued a concurrent joint NPRM for banks; the Federal Reserve did not join, the central fault line of this rulemaking. This navigator maps the proposed framework, the interagency picture, what it means by institution type, and the questions still open as the comment window closes.

Verified against FinCEN, OCC, FDIC, NCUA, and Federal Register primary sources; current as of June 1, 2026.

Comments on both the FinCEN NPRM (91 FR 18704) and the OCC/FDIC/NCUA joint NPRM (91 FR 18304) are due June 9, 2026 — a 60-day period from the April 10 Federal Register publication. FinCEN proposes a 12-month implementation period after a final rule. The 2024 FinCEN and banking-agency NPRMs (the latter joined by the Fed) have been withdrawn and superseded.
3 of 4
Banking agencies joined the joint NPRM (Fed absent)
2-tier
Establishment vs. implementation enforcement framework
30 days
Advance notice to FinCEN before significant supervisory action
12 mo.
Proposed implementation period after a final rule

FinCEN issued the lead NPRM covering all covered financial institutions. The OCC, FDIC, and NCUA issued a concurrent joint NPRM for banks. The Federal Reserve — which joined the 2024 Biden-era NPRM — did not join the 2026 proposal, creating a significant fault line.

Agency participation
FinCEN
Primary NPRM

Lead NPRM covering all 11 categories of covered financial institutions (banks; casinos & card clubs; MSBs; broker-dealers; mutual funds; insurers; FCMs/IBCs; dealers in precious metals/stones/jewels; credit-card-system operators; loan/finance companies; housing GSEs — at 31 CFR §§1020.210–1030.210). Supersedes the July 3 2024 NPRM. Expands FinCEN's supervisory consultation role.

OCC
Joined

Co-issued the joint banking-agency NPRM (Apr 7 2026). Applies to national banks and federal savings associations; aligns OCC BSA/AML program requirements with FinCEN's framework.

FDIC
Joined

Co-issued the joint NPRM; board approved issuance Apr 7 2026. Applies to FDIC-supervised state nonmember banks and savings associations.

NCUA
Joined

Co-issued the joint NPRM. Applies to federally insured credit unions; aligns credit-union AML/CFT requirements with the banking-agency framework.

Federal Reserve
Did not join

Joined the 2024 NPRM but not the 2026 proposal. FinCEN says the rule was "prepared in consultation with" the Fed, but it issued no NPRM of its own — a likely signal of disagreement with FinCEN's expanded consultation role.

Statutory basis
Legal authority
AML Act of 2020 — the mandate for effectiveness-based, risk-based programs
The Anti-Money Laundering Act of 2020 (enacted within the NDAA) directed FinCEN and the federal banking agencies to modernize the AML/CFT framework, expressly requiring programs to be risk-based — more attention and resources to higher-risk customers and activities — and directing FinCEN to issue government-wide AML/CFT priorities and fold them into program requirements. The 2026 NPRM implements these provisions five years on.
Context
Treasury Secretary Bessent: refocus AML/CFT on national security and higher-risk activity
The NPRM is framed around Treasury's BSA-modernization priority. The preamble quotes Bessent's April 2025 remarks that Treasury "will advocate for changes to the AML/CFT framework to truly focus on national security priorities and higher-risk areas and explicitly permit financial institutions to de-prioritize lower risks," and cites his critique of a "zero-tolerance focus on process and documentation." This sits within E.O. 14192, Unleashing Prosperity Through Deregulation — a top-down Treasury priority, not just an agency reform. (The widely circulated "volume of paperwork" line is Bessent's public messaging, not preamble text.)

The centerpiece is a two-tiered framework distinguishing program establishment from program implementation — designed to shield institutions from enforcement over minor technical implementation gaps once they have properly established a program.

The two-tiered framework
Tier 1
Program establishment
An institution must establish an AML/CFT program with the four existing BSA components: (1) risk-based internal policies and controls; (2) independent testing; (3) a designated U.S.-based AML/CFT compliance officer accessible to FinCEN; and (4) ongoing employee training — and must incorporate FinCEN's published AML/CFT priorities into its risk assessment. Full enforcement and supervisory authority applies to failures to establish a compliant program.
Tier 2
Program implementation
Once established, the program must be implemented "in all material respects." Only significant or systemic implementation failures — not minor technical or de minimis deficiencies — would warrant enforcement or significant supervisory action. This is the key structural change, aimed at the "check-the-box" culture that has driven disproportionate resources to lower-risk areas.
From technical compliance to effectiveness
Prior model
Technical, process-driven compliance
Success measured by the volume and completeness of documentation — SAR filings, CDD records, training logs, audits. Examiners could criticize process deficiencies regardless of actual ML/TF risk, incentivizing uniform treatment of all customer categories.
Proposed model
Effectiveness-based, risk-driven compliance
Resources flow to higher-risk customers and activities per the institution's risk profile; risk assessments must fold in FinCEN's priorities; examiners cannot substitute subjective judgment for a risk-based, reasonably designed program; technology/AI use is encouraged and cannot alone trigger significant action. Note: "effectiveness" layers on top of — not replaces — the statutory standard of controls "reasonably designed to ensure compliance" with the BSA.
FinCEN's expanded supervisory role
Structural change
30-day advance notice before significant supervisory actions
Under proposed 31 CFR 1020.221, banking agencies acting under FinCEN-delegated authority must give FinCEN at least 30 days' advance written notice — absent urgent circumstances — before any "significant supervisory action" related to AML/CFT, and must consider FinCEN's input. A "significant supervisory action" is a formal written communication identifying deficiencies, weaknesses, violations, or unsafe/unsound practices and contemplating significant or programmatic remediation; examiner observations and informal comments are excluded. The provision is structured as (a) definitions, (b) FinCEN policy, (c) consultation, and (d) considerations — a consultation and input role FinCEN has not previously held.

The key provisions of the April 2026 FinCEN NPRM and the concurrent OCC/FDIC/NCUA banking-agency NPRM. Select any provision to expand.

01
Two-tiered establishment vs. implementation framework
Core structural change — separates program design from execution
Core change
A two-pronged framework evaluating program "establishment" separately from "implementation." Establishment requires the four traditional BSA pillars plus risk-assessment processes incorporating FinCEN's priorities; implementation must be "in all material respects." Only significant or systemic implementation failures warrant enforcement or significant supervisory action — shielding institutions from action over minor technical or de minimis deficiencies. The single most consequential change in the proposal.
02
Mandatory risk-based resource allocation
More attention to higher-risk customers and activities
AML Act mandate
Implementing the AML Act, the rule mandates risk-based programs that direct more attention and resources to higher-risk customers and activities, and expressly permits directing resources away from lower-risk areas. A meaningful departure from a culture that incentivized uniform attention across all categories. For community banks with generally lower ML/TF risk, this could materially reduce burden on lower-risk segments.
03
FinCEN consultation role in significant supervisory actions
30-day advance notice; FinCEN input before major bank AML/CFT actions
Power shift
Banking regulators must give FinCEN ≥30 days' advance written notice (absent urgent circumstances) before a "significant supervisory action" — a formal written communication that (i) identifies AML/CFT deficiencies/violations/unsafe-or-unsound practices, (ii) communicates correction expectations, and (iii) contemplates significant or programmatic remediation — excluding examiner observations and informal comments. Agencies must consider FinCEN's input (proposed §1020.221(c)); a separate provision sets the factors the FinCEN Director weighs (§1020.221(d)). A key alternative is on the table: FinCEN expressly seeks comment on making consultation optional — bank-initiated rather than agency-initiated — which would convert it from a regulator obligation into a bank-elected tool. As drafted, the framework applies only to banks and does not reach state agencies that supervise and take BSA enforcement actions against banks — a meaningful centralization and a likely reason the Fed did not join.
04
Technology and AI: encouraged, cannot alone trigger enforcement
ML, generative AI, blockchain analytics, digital identity tools recognized
Innovation-friendly
The rule recognizes and encourages responsible adoption of innovative AML/CFT technologies — machine learning, generative AI, digital identity, blockchain analytics, and other advanced monitoring tools — and states that responsible adoption would not, on its own, expose a bank to significant supervisory or enforcement action. It addresses the long-standing concern that examiners implicitly discouraged technology adoption by treating unfamiliar approaches as suspect. Cooperation with law enforcement is also recognized as a mitigating factor.
05
U.S.-based AML/CFT compliance officer requirement
Officer must be located in the U.S. and accessible to FinCEN
New requirement
Implementing an AML Act mandate, the rule requires a designated AML/CFT compliance officer located in the U.S. and accessible to FinCEN — codifying a previously less-formal expectation. It preserves flexibility: personnel outside the U.S. may still perform certain AML/CFT functions, so institutions need not relocate the whole function, only ensure the designated officer is U.S.-based and reachable. Large internationally active banks with offshore compliance functions may need governance restructuring.
06
Integration of FinCEN's national AML/CFT priorities into risk assessments
Institutions must fold the 2021 priorities into program design
AML Act mandate
Institutions must incorporate the AML/CFT priorities FinCEN publishes under 31 U.S.C. 5318(h)(4) into their internal-controls risk-assessment processes. FinCEN's first priorities (June 30 2021) named eight areas: corruption, cybercrime, foreign and domestic terrorist financing, fraud, transnational criminal organization activity, drug trafficking, human trafficking/smuggling, and proliferation financing. The rule moves incorporation from suggestion to regulatory requirement.
07
CDD requirements incorporated into banking-agency program rules
Ongoing customer due diligence added to OCC/FDIC/NCUA program rules
Clarification
FinCEN's existing ongoing CDD requirement is proposed to be added to the banking agencies' program rules in the concurrent NPRM, closing a structural gap where FinCEN's CDD rule applied to banks but the agencies' own program rules did not incorporate it. Primarily clarifying and harmonizing; banks already subject to the 2018 CDD rule (beneficial-owner identification; nature and purpose of relationships) are unlikely to face new substantive requirements from this change alone.

Impact varies sharply by institution type. The shift from technical compliance to effectiveness is broadly welcomed, but its real-world effect turns on how examiners apply the new standards — and how the Fed's absence resolves.

Institution type Primary benefits Key considerations Watch for
Community banks (OCC / FDIC-supervised) Risk-based allocation formally allows less attention to lower-risk customers. OCC BSA/AML exam tailoring (Nov 2025) already moving this way. Two-tier framework shields minor implementation gaps. Must still establish a compliant four-pillar program. Risk assessments must address FinCEN priorities even where local risk is low. U.S.-based AML officer requirement already met for most. How examiners define "significant or systemic" failure. Community-bank trade groups filing on implementation burden before June 9.
Large national banks (OCC-supervised) Technology/AI use protected from triggering enforcement. Lower risk of action for de minimis technical gaps. FinCEN's 30-day notice may moderate aggressive actions. FinCEN's expanded consultation role adds a new actor to the supervisory relationship — potential delay or inconsistency. Cross-jurisdictional banks must ensure a U.S.-based AML officer structure. How FinCEN exercises consultation in practice. Whether the Fed's absence creates a two-tier experience for BHC vs. subsidiary-bank actions.
State member banks (Fed-supervised) FinCEN's NPRM applies to all banks; if finalized, effectiveness-based standards and the two-tier framework should benefit Fed-supervised banks too. The Fed issued no concurrent NPRM and announced no proposal. Unclear when/whether it aligns — raising the prospect of continued technical-compliance expectations for state member banks after the OCC/FDIC/NCUA rule is final. Whether the Fed issues its own NPRM, and how it treats the consultation role that may underlie its non-participation.
Non-bank FIs (MSBs, broker-dealers, etc.) FinCEN's NPRM applies directly to all 11 covered categories. Technology protection and effectiveness standards apply equally; lower enforcement risk for minor technical gaps where compliance infrastructure is leaner. No benefit from the concurrent banking-agency NPRM — they operate solely under FinCEN's authority. The consultation mechanism is less relevant where FinCEN is already primary regulator. How the priorities requirement is applied to sectors with very different risk profiles (insurers vs. MSBs).
Fintech / digital-asset firms Blockchain analytics and digital identity tools explicitly recognized. Risk-based allocation allows steering resources away from lower-risk crypto patterns. Less exposure to examiner skepticism of novel monitoring. Firms with bank-type AML duties (e.g., GENIUS Act stablecoin issuers; national bank/trust charters) must align programs to the new framework. FinCEN priorities include cybercrime — relevant to digital-asset programs. How GENIUS Act stablecoin-issuer AML duties interact with the new FinCEN framework. The OCC's stablecoin charter pipeline (Erebor, WLF) will operate under it.

The direction is widely welcomed. But several consequential structural and implementation questions remain unresolved — and the June 9 deadline makes this an active rulemaking moment.

Critical fault line
Why did the Federal Reserve not join — and what happens next?
The Fed joined the August 2024 joint NPRM but not the 2026 proposal. Multiple analyses read this as disagreement with the 30-day consultation mechanism, which would give FinCEN advance notice and input before the Fed takes significant action against state member banks and holding companies. If the Fed stays outside, state member banks and their holding companies may continue under a more process-oriented model even after OCC/FDIC/NCUA institutions move to the effectiveness-based standard. The Fed's silence is the largest structural uncertainty here.
Critical fault line
How will "significant or systemic" implementation failure be defined in practice?
The whole enforcement protection turns on the line between minor/de minimis deficiencies (no significant action) and significant or systemic failures (full enforcement). The rule defines "significant supervisory action" but not exhaustively when an implementation failure crosses the threshold. Industry — and CSBS — have a strong interest in objective, enforceable definitions rather than examiner discretion relabeled. The risk: recreating the process-driven model through vague implementation standards.
Watch closely
Preamble vs. regulatory text — where do the reforms actually live?
A recurring theme in the early commentary (Mondaq, Greenberg Traurig, and others): many of the most consequential expectations — on effectiveness, priorities, information sharing, and innovation — are articulated in the preamble rather than the operative regulatory text. Preamble statements guide interpretation but are not independently enforceable, so a program built to the preamble's spirit may still be examined against the narrower codified text. For commenters, the live ask is to move the load-bearing reforms into the rule itself — a point well suited to a state-regulator letter focused on enforceable, predictable standards.
Watch closely
How will FinCEN exercise its consultation role — a real check on aggressive actions?
The 30-day advance-notice window could, in theory, moderate overly process-oriented examiner actions — but only if FinCEN actively uses it, sets clear consultation standards, and the agencies treat its input as more than advisory. For CSBS and state supervisors, the question is whether FinCEN's expanded federal role creates a new layer of preemption over state-chartered bank AML/CFT supervision. The proposed optional/bank-initiated variant would change the mechanism's character as a check.
Watch closely
What happens to the 2021 national priorities — will they be updated?
The rule requires institutions to fold FinCEN's June 2021 priorities into risk assessments. Those reflect the prior administration's threat assessment; the current administration emphasizes immigration-related financial crime, fraud, and crypto-related illicit finance, and has not issued updated priorities. Requiring program design around the 2021 list while supervisory focus shifts elsewhere risks a mismatch between the rule and examination practice.
Watch closely
Does the rule effectively address the AML/CFT debanking nexus?
OCC Comptroller Gould has repeatedly tied BSA/AML supervision to unlawful debanking pressure. The NPRM's preamble does address it: in analyzing the AML Act factors, FinCEN frames the risk-based approach as a debanking mitigant — keeping account-closure decisions on legitimate ML/TF risk rather than broad de-risking — and ties the rule to E.O. 14331, Guaranteeing Fair Banking for All Americans. The caveat: that lives in the preamble's rationale; the operative text governs program design, not account termination. Whether it reduces debanking turns on examiner implementation and the parallel actions (OCC Sep 2025; reputation-risk final rule Apr 2026).
Positive signal
Technology-adoption protection is a meaningful modernization step
Among the most constructive features: explicit protection for responsible AI and advanced technology in AML/CFT programs. Years of implicit examiner skepticism of novel monitoring — even where it improved detection — discouraged investment. Stating that technology adoption cannot alone trigger significant action, paired with recognition of ML, generative AI, blockchain analytics, and digital identity tools, creates a safe harbor for modernization. The comment period is an opportunity to press for specificity on what "responsible" use means in supervision.

Primary sources. FinCEN NPRM, 91 FR 18704 (Apr 10 2026) · OCC/FDIC/NCUA joint NPRM, 91 FR 18304 · FinCEN Fact Sheet · Docket FINCEN-2026-0034 (RIN 1506-AB72).

Secondary synthesis from Gibson Dunn, Jones Day, Perkins Coie, Greenberg Traurig, Mondaq, Sullivan & Cromwell, Morrison Foerster, and Covington. Compiled for BankRegWire · informational tracker, not legal advice.