The biggest AML overhaul in decades just told banks their current approach needs to change
On 7 April 2026, FinCEN dropped the most significant overhaul of AML/CFT program requirements in decades. Not a tweak. Not a clarification. A fundamental redesign of what an effective AML program looks like, and what “effective” now means in an examination room.
That last word is doing more work than it appears. FinCEN has made it the central standard without defining precisely what it looks like in practice.
The four-pillar model that has structured AML compliance for years is gone. In its place, a single standard: prove your program works. Mayer Brown called it a move away from “process-driven, technical compliance toward a regime focused on demonstrable outcomes.” Troutman Pepper Locke called it a full rewrite of the playbook. Comments close 9 June 2026. FinCEN proposes a 12-month implementation window after a final rule lands.
That window sounds generous. It isn’t for institutions that need to redesign their process and control frameworks.
The industry is reading and reacting right now. FinCEN’s own fact sheet states the rule is intended to produce more effective outcomes for law enforcement and national security agencies, not just financial institutions. Norton Rose Fulbright notes that DOJ and Treasury focus on fraud has heightened in parallel, suggesting supervisory attention on institutions’ ability to identify high-impact illicit activity will increase in practice. The practical consideration for a senior fraud or risk lead is whether the program they are running today would survive that scrutiny.
Most AML programs were built to pass audits. This rule was written to catch the ones that do exactly that.
Key takeaways
For the first time, the quality of your SARs will factor into whether FinCEN pursues enforcement action against your institution. That starts with the quality of the alert and the narrative behind it.
The establish vs. maintain distinction: Where enforcement lands
Most practitioners have read this rule as a compliance upgrade. But it is an enforcement redesign.
FinCEN has created a two-tier framework: “Establish” means designing a program calibrated to the institution’s actual ML/TF risk profile. “Maintain” goes further than most practitioners have read it. It is not simply implementing the program. It is ensuring the program continues to identify emerging risks, reflects the institution’s current risk reality, and adapts as that reality changes. And that means the full chain — risk assessment, detection, SAR filing — needs to be dynamic. A static model at any point breaks the loop. Typologies identified through SAR outcomes need to feed back into the detection model. Most institutions have not built that feedback mechanism.
The two tiers carry different enforcement consequences, and examiners will treat them differently.
The distinction may have a greater impact than most CCOs have registered. Here is why. FinCEN’s commentary is that it generally would not take significant supervisory action unless there are significant or systemic failures to maintain an AML/CFT program. That sounds like broad protection. It isn’t. That protection applies only to the maintain tier. Establish failures sit outside it entirely and are fully actionable regardless of how well the rest of the program runs.
One thing worth noting. “Significant or systemic” is not defined in the proposed rule. Banks cannot calibrate against a standard that has not been set. The prudent response is to demonstrate proactive, collaborative approaches to AML — dynamic detection, active information sharing, and a model that updates as typologies change. Institutions that can show that will be better placed regardless of how the standard is eventually interpreted.
A temporary backlog in alert reviews is a maintenance failure. An AML program that has not been updated since a new product line launched is a design failure. As Pillsbury notes, FinCEN places new emphasis on the obligation to continuously update programs pursuant to risk assessment processes. The word “maintain” is doing more work than it appears. And keeping it current means more than updating documentation. It means being able to demonstrate that resource allocation decisions are tied directly to identified and documented AML risks, and that those allocations are producing results. For many institutions, that is a fundamentally different conversation with the board.
What triggers a mandatory reassessment
FinCEN lists the following as material changes requiring a documented risk assessment, not a note in the governance log.
- New products or services
- Modified delivery channels
- Geographic expansion
- Mergers and acquisitions
Two things worth noting. First, this list is explicitly non-exhaustive. FinCEN reserves the right to treat other changes as material. That is an open-ended liability that most institutions have not accounted for in their governance frameworks. Evolving typologies and changes to FinCEN’s published National AML/CFT Priorities are equally capable of constituting a material change. An institution whose program has not kept pace with either is exposed, regardless of whether a new product has launched or a new market has been entered.
Second, the trigger is broader than most institutions have read it. A new product line is the obvious example. A change to credit risk appetite, underwriting criteria, or customer acceptance policy can equally alter the composition of the customer base without a single new product being introduced. A bank that loosened its credit risk acceptance criteria in 2024 and onboarded a meaningfully different customer profile has experienced a material change to its ML/TF risk profile.
If the AML program has not been updated to reflect that, it is already in the establish failure category under this framework. Today. Before a final rule lands. And yet most institutions have the data to monitor customer composition changes in real time. Customer risk rating systems already hold it. The practice of using those metrics as a trigger for AML program reassessment is what is missing.
The operational implication
An annual review cycle is not sufficient if material changes happen between reviews. Program governance needs a live trigger mechanism, an internal process that flags each of these events and initiates a formal reassessment before the new activity goes live, or promptly upon launch.
Which internal changes would trigger a review of your controls? Most governance frameworks can answer that for a new product launch. Fewer can answer it for a change to credit risk acceptance criteria, onboarding policy, or pricing that attracts a materially different customer profile. Those changes alter the risk reality the controls are designed to address.
A continuous controls review process is not something most institutions have. Building it is a governance design problem. The rule has just made it an enforcement one.
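One way to build the live trigger mechanism this section describes, as an added example that is not the article's own material or any vendor's product: a small Python routine that flags the material-change events listed above when they appear in a governance event feed, and separately measures drift in the customer risk-rating distribution using the Population Stability Index (PSI), a standard model-monitoring metric. The event names, the constructed customer populations and the 0.25 PSI cutoff are assumptions for illustration; an institution would set its own.

```python
"""Live reassessment trigger: governance events plus customer-composition drift.

Added illustration, not the article's or any regulator's code. All data below is
constructed; the PSI cutoff and event vocabulary are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
import math

# Changes FinCEN lists as material (from the article), plus the internal policy
# changes the article argues alter the customer base just as much (assumed names).
MATERIAL_EVENTS = {
    "new_product",
    "modified_delivery_channel",
    "geographic_expansion",
    "merger_or_acquisition",
    "credit_acceptance_change",   # assumed: loosened underwriting criteria
    "onboarding_policy_change",   # assumed
    "pricing_change",             # assumed
}

# Assumed cutoff: 0.25 is the conventional "significant shift" PSI threshold used
# in model monitoring; a bank would calibrate its own.
PSI_TRIGGER = 0.25
RATINGS = ("low", "medium", "high")


def rating_shares(ratings):
    """Share of customers in each risk-rating bucket."""
    counts = Counter(ratings)
    n = len(ratings)
    return {r: counts.get(r, 0) / n for r in RATINGS}


def population_stability_index(baseline, current, eps=1e-6):
    """PSI = sum over buckets of (current_share - baseline_share) * ln(current/baseline)."""
    base = rating_shares(baseline)
    cur = rating_shares(current)
    psi = 0.0
    for r in RATINGS:
        pb = max(base[r], eps)   # eps guards against ln(0) for empty buckets
        pc = max(cur[r], eps)
        psi += (pc - pb) * math.log(pc / pb)
    return psi


@dataclass
class Trigger:
    source: str   # "event" or "composition_drift"
    detail: str


def reassessment_triggers(events, baseline_ratings, current_ratings):
    """Return every reason a formal risk reassessment should be opened now."""
    triggers = []
    for ev in events:
        if ev["type"] in MATERIAL_EVENTS:
            triggers.append(Trigger("event", f"{ev['type']}: {ev['description']}"))
    psi = population_stability_index(baseline_ratings, current_ratings)
    if psi >= PSI_TRIGGER:
        triggers.append(Trigger(
            "composition_drift",
            f"customer risk-rating PSI={psi:.3f} >= {PSI_TRIGGER}",
        ))
    return triggers


# Constructed sample: a book that was 80/15/5 low/medium/high before a credit
# policy change and is 55/25/20 afterwards.
BASELINE = ["low"] * 800 + ["medium"] * 150 + ["high"] * 50
CURRENT = ["low"] * 550 + ["medium"] * 250 + ["high"] * 200
EVENTS = [
    {"type": "credit_acceptance_change",
     "description": "minimum bureau score lowered (constructed event)"},
    {"type": "brand_refresh", "description": "new logo (not material)"},
]

if __name__ == "__main__":
    for t in reassessment_triggers(EVENTS, BASELINE, CURRENT):
        print(f"[{t.source}] {t.detail}")
```

The composition check is the part most governance frameworks lack: the event feed only fires when someone remembers to log a change, whereas the PSI fires on what the customer risk-rating system already holds, even when no product launched.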

Risk assessment is now the document your examination turns on
FinCEN says institutions have flexibility in methodology and update frequency. And herein may lie the trap. What it also says is that examiners will assess the “totality” of risk assessment processes rather than the sufficiency of any single standalone process. Flexibility on frequency is not permission to update less often. The obligation to update is triggered by risk profile change, not by a calendar. Whatever you do must be documented, defensible, and demonstrably driving decisions.
The word “totality” is doing significant work here. An institution cannot point to one well-constructed risk assessment and consider the job done. Examiners will look across the full set, ask whether they are connected, and ask whether they are producing sound decisions. A risk assessment that sits in a folder and informs nothing is not a risk assessment under this framework. It is a liability.
ACAMS, representing over 100,000 members across 180 jurisdictions, has previously argued that the system’s failure to achieve its desired impact stems not from a lack of activity but from inadequate incentives for effectiveness, which is precisely the position FinCEN is now codifying into regulation. The industry has been filing SARs, running training, and documenting processes for decades. Activity without a demonstrable outcome is no longer sufficient. The obvious challenge is that nobody has defined what a positive demonstrable outcome looks like, and the feedback loop from law enforcement remains limited.
Most institutions will not know whether their SARs produced actionable intelligence. A SAR filed in good faith enters the FinCEN database, and the institution rarely hears anything back. That creates an obvious problem: the rule rewards SAR quality without providing a mechanism to measure it. The only lever an institution controls directly is the accuracy of the detection model that drives SAR decisions in the first place.
The resource allocation provision
This is the most operationally consequential part of the proposal for a senior risk lead, and the most exposed.
The rule tells institutions to direct more resources toward higher-risk customers and fewer toward lower-risk ones. Examiners are told not to second-guess reasonable risk and resource decisions. That protection is conditional. It applies only where those decisions are traceable to documented risk assessment processes.
A BSA officer or Risk Officer who de-prioritizes a low-risk customer segment needs an audited, quantitative, risk-assessed paper trail, not a judgment call.
The harder problem the rule does not solve
What does your current risk model need to produce for a resource reallocation decision to be defensible in an examination? At a minimum, a clearly documented AML risk assessment and a traceable link between each risk it identifies and the detection models and controls that cover that risk.
For institutions whose customer risk ratings run on rules-based systems, mapping detection coverage to the AML risk assessment is relatively straightforward: a rules-based model produces consistent outputs from transparent rules, so each rule can be tied to a named risk. The trade-off is precision. Rules-based models generate large volumes of false positive alerts, which undermines the very effectiveness the institution is trying to demonstrate.
A bank that uses machine learning can build more precise models and, with appropriate focus, can map model coverage directly to its risk assessment. However, any model, rules-based or machine-learned, is constrained by the breadth and completeness of the data it was built on. Shifts in typologies are therefore generally detected only after the bank itself has observed the behavior. That is a fundamental effectiveness problem: how does a bank demonstrate coverage for typologies for which it has little or no training data?
Defending a resource allocation decision in an examination requires demonstrating that the underlying model is actually surfacing the right customers. Most institutions cannot currently demonstrate that with confidence.
The accuracy problem here is not a tuning problem. A model trained on one institution’s transaction history cannot surface typologies it has never seen, however well calibrated it is. Worse, a model retrained only on the dispositions of the alerts it generated itself learns nothing outside its existing coverage, so its real effectiveness can decline while the metrics computed on those same alerts look healthy. The only way to see those typologies is to learn from patterns across institutions. That is not a vendor proposition. It is a structural conclusion that follows directly from what the rule now demands.
A documented process and a defensible outcome are not the same thing. Examination risk now lives in the space between them.
The SAR quality problem the rule has named without solving
FinCEN has made SAR quality an enforcement factor for the first time. For FinCEN, that is progress. For banks, it is a new liability. They are now accountable to a quality standard they cannot directly measure, without feedback on whether their filings are meeting it.
A 2020 Bank Policy Institute study found that a median of 4% of SARs filed by US institutions elicited a law enforcement response, a figure widely read as meaning that 90-95% of filings were false positives. Two caveats matter. The absence of a response is not proof that a filing was useless, because feedback rarely flows back to the filer at all. And that figure is not raw system output: it is what remained after first and second line reviews, after trained compliance professionals investigated and made a deliberate decision to file. The false positive problem runs deeper than a filtering problem.
FinCEN knows this. The proposed rule addresses it not by reducing SAR volume, but by making SAR quality an affirmative factor in the enforcement calculus. Demonstrable outputs from analytics and AI tools, high-quality information sharing through 314(a) and 314(b), and useful SARs can all weigh in a bank’s favour when FinCEN considers enforcement action.
The difficulty, as noted above, is that most banks have no reliable way of knowing whether their SARs are useful, because law enforcement feedback to the filer is so limited. The rule rewards quality without providing the feedback loop that would allow institutions to measure it. Collective intelligence across institutions provides what single-institution models cannot: a broader view of which patterns are producing actionable outcomes, without any institution sharing its underlying customer data.
Why tuning the model does not fix it
SAR quality depends heavily on the accuracy of the underlying detection model. A model generating 95% false positives does not produce useful SARs. It produces volume. Tuning it down, by raising score thresholds or suppressing low-value rules, reduces that volume. It does not improve quality, because the model still does not know what it does not know. Typologies absent from its own transaction history remain invisible to it at every threshold. The model only knows what it has concluded before, reinforcing its own assumptions with no mechanism to surface what it has never encountered.
By way of example, the ACAMS Global Threats Report 2026 found that 75% of respondents rate the malicious use of generative AI as a high or very high risk to their financial crime programs over the next two years, making it the top external risk for the third consecutive year. AI-enabled fraud generates typologies that no single institution’s historical data will have seen at scale. The threat is moving faster than single-institution models can adapt.
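The following added example (not from the article, and built on constructed data rather than real transactions) makes the tuning point concrete. It stands in for a single-institution model whose only learned typology is cash deposits just under the $10,000 currency transaction reporting threshold, and sweeps the alert threshold across a constructed book of accounts that also contains a pass-through typology the model has never learned. The account mix, the scoring rule and the thresholds are assumptions for illustration.

```python
"""Threshold tuning cuts alert volume; it cannot surface an unlearned typology.

Added illustration, not the article's or any vendor's code. All accounts and
transactions below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Txn:
    amount: float
    direction: str   # "in" or "out"
    channel: str     # "cash" or "transfer"


@dataclass
class Account:
    account_id: str
    typology: str    # ground truth, used only to score the evaluation
    txns: list = field(default_factory=list)


def structuring_score(acct):
    """The only pattern this model knows: cash-in just under the $10,000 CTR line."""
    return sum(
        1 for t in acct.txns
        if t.direction == "in" and t.channel == "cash" and 9000 <= t.amount < 10000
    )


def evaluate(accounts, threshold):
    """Alert on score >= threshold and measure what that catches and misses."""
    alerted = [a for a in accounts if structuring_score(a) >= threshold]
    known = [a for a in accounts if a.typology == "structuring"]
    unseen = [a for a in accounts if a.typology == "pass_through"]
    tp_known = sum(1 for a in alerted if a.typology == "structuring")
    tp_unseen = sum(1 for a in alerted if a.typology == "pass_through")
    return {
        "threshold": threshold,
        "alerts": len(alerted),
        "precision": tp_known / len(alerted) if alerted else 0.0,
        "recall_known": tp_known / len(known),
        "recall_unseen": tp_unseen / len(unseen),
    }


def threshold_sweep(accounts, thresholds=(1, 2, 3, 4)):
    return [evaluate(accounts, t) for t in thresholds]


def build_sample_book():
    """Constructed book: retail customers, two structurers, two pass-through mules."""
    accts = []
    for i in range(6):
        a = Account(f"retail-{i}", "none")
        a.txns = [Txn(2500, "in", "transfer"), Txn(1200, "in", "cash")]
        if i < 3:   # one-off near-threshold cash deposit, e.g. a private car sale
            a.txns.append(Txn(9500, "in", "cash"))
        accts.append(a)
    s_a = Account("structurer-A", "structuring")
    s_a.txns = [Txn(x, "in", "cash") for x in (9600, 9700, 9800, 9900)]
    s_b = Account("structurer-B", "structuring")
    s_b.txns = [Txn(x, "in", "cash") for x in (9400, 9500, 9900)]
    accts += [s_a, s_b]
    for i in range(2):
        # Unlearned typology: many small inbound transfers, swept out the same day.
        m = Account(f"mule-{i}", "pass_through")
        m.txns = [Txn(450 + 20 * k, "in", "transfer") for k in range(20)]
        m.txns.append(Txn(9400, "out", "transfer"))
        accts.append(m)
    return accts


if __name__ == "__main__":
    for row in threshold_sweep(build_sample_book()):
        print(row)
```

Raising the threshold takes precision on the learned typology from 0.4 to 1.0 and cuts alert volume from five to one, which is exactly what a tuning exercise reports as success. Recall on the pass-through accounts is zero at every threshold, because no setting of a knob the model does not have can make it see a pattern it was never shown.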
The data architecture problem the rule has highlighted
The rule implies that institutions should be able to produce high-quality SARs, defensible resource allocation, and accurate risk identification, including identification of risks they have not seen before. How is that possible?
A model trained on one institution’s transaction history can become a self-reinforcing limited view. Regular below-the-line monitoring and retraining can surface new risks and shift detection focus. But even then, a single institution’s data will never contain the breadth of typologies to which it could be exposed. That is the structural limitation.
Collective intelligence solves this. Risk models that learn from patterns across institutions, without any institution sharing its underlying customer data, can see what single-institution models cannot. The rule has created a data architecture requirement. Institutions that meet it will be in a structurally stronger examination position than those that keep tuning a model with insufficient data.
Further reading: Beyond the 1%: How AI Federated Learning is catching more financial criminals
Innovation is now a regulatory expectation
The FATF February 2026 Plenary specifically approved a paper on cyber-enabled fraud, noting that as fraudsters continue to use digital innovations to accelerate the scale, speed, and complexity of fraud, partners across the AML/CFT regime must also use innovative techniques to better prevent fraud. The incoming FATF President, Giles Thomson of the United Kingdom, who takes over in July 2026, has signaled the same direction. The US rule and the international standard-setting body are pointing at the same problem at the same time.

The enforcement framework banks need to read carefully
The supervision provisions in this rule go further than most institutions have read them. Two things are worth reading closely.
The OCC and FDIC issued parallel conforming amendments alongside the FinCEN NPRM. The Federal Reserve did not join. Banks under Fed supervision are operating under a different set of expectations, at least for now.
This means CCOs at Fed-supervised institutions should not wait for examination guidance to clarify the picture. The more defensible position is to map current programs against the full range of supervisory expectations now. Institutions that wait for the guidance may find themselves behind it.
The 30-day consultation gate
Before a prudential regulatory agency can initiate a significant AML/CFT supervisory action, the following now applies.
- The agency must give the FinCEN Director written notice at least 30 days in advance
- It must share the underlying AML/CFT information with FinCEN
- FinCEN can provide input before the action proceeds
- The agency must respond to FinCEN requests for additional information where reasonably practicable
For banks that have historically navigated tensions between OCC priorities and FinCEN expectations, this creates a buffer. It also creates something else. More supervisory actors are now involved in the process, which means more information flowing between agencies about your institution. That cuts both ways.
What the gate does not cover
This is the point most commentary has missed.
The 30-day gate and the “significant or systemic” standard (undefined in the proposed rule) apply to maintenance failures only: isolated execution misses, operational backlogs, inconsistent procedure execution. They offer genuine protection where program design is sound and day-to-day implementation has slipped.
They do not apply to establish failures. A bank whose program has not been updated since it launched a new product line, entered a new market, or completed an acquisition is exposed regardless of these protections. Establish failures remain fully actionable. The procedural safeguards the rule offers sit entirely within the maintain tier.
One point worth clarifying. The establish obligation does not end at program inception. It re-triggers with every material change to the institution’s risk profile. A bank operating an established program is in maintenance mode for existing elements. For any new product, market, or risk profile change that has not been addressed, it is back in establish territory. The two tiers can coexist within the same program at the same time.
A CCO who reads the 30-day gate as broad protection and eases up on program governance has misread the rule at the point that counts most.
2026: The year AML moves from rule-following to outcome-proving
Three things happened in 2026 before the comment period on this rule even closes. Each one points in the same direction.
In February, FinCEN issued an order granting exception relief from the CDD Rule’s requirement to identify and verify beneficial owners at each new account opening — relief the banking industry had requested since 2016. The order is another step forward in FinCEN’s efforts to modernize the compliance framework under the BSA. Then in April, the proposed rule replaced the four-pillar model with an effectiveness standard. And in the same month, FATF Ministers meeting in Washington committed to strengthening effective risk-based implementation of the FATF Standards, with FATF President Elisa de Anda Madrazo stating:
“When we mitigate risk intelligently, we protect people — not just systems.”
The US and EU are solving the same problem through different mechanisms
On the other side of the Atlantic, the EU built AMLA, a centralized AML authority, to achieve collective oversight that member states could not produce individually. The logic is the same as the US rule. Institutions operating in isolation, checking boxes against their own data and their own risk assessments, do not produce the outcomes the financial crime system needs. The EU answered that with institutional architecture. The US is answering it through regulatory standard-setting.
Different mechanisms. Same diagnosis.
Further reading: The conformity trap: How AML standardization is giving financial crime somewhere to hide
What this means for a senior risk lead
If examinations move toward assessing outcomes rather than procedures, the reporting infrastructure most institutions have today tells the wrong story. Volume of SARs filed. Alerts reviewed. Training hours completed. Those numbers demonstrate activity. They do not demonstrate that the activity produced accurate risk identification, useful law enforcement intelligence, or defensible resource allocation decisions.
The FATF ministerial commitment in April 2026 was explicit: deploying the full AML/CFT toolkit to disrupt fraud, deepening understanding of fraud in all its forms, and supporting full and effective implementation of the risk-based approach. That is the standard the international community has endorsed. The US rule operationalizes it domestically.
The institutions best positioned when a final rule lands are the ones that can prove their program worked. Passing the audit is no longer enough.