BSA/AML/CFT: FinCEN and Federal Banking Agency Reform Proposals
Modernizing the U.S. AML/CFT regulatory and supervisory framework
KPMG Regulatory Insights
- Modernization. Moving towards a focus on effectiveness of program design and implementation, explicitly encouraging risk-based allocation of resources toward higher-risk areas and use of proactive analytics and innovative technologies.
- Big Changes. Potential to codify risk assessments as a regulatory requirement, including consideration of the AML/CFT Priorities; introduction of new notice and consultation framework for banks that would shift supervisory and enforcement actions toward “significant or systemic implementation failures.”
- Independent Testing. Treasury and FinCEN suggest independent auditors of the AML/CFT programs should assess against objective criteria and not substitute their own subjective judgments for that of the financial institution.
- Potential Concerns. Broadly defined terms, such as “significant,” “systemic,” and “material” may need additional clarification for consistency across financial institutions and federal regulators; differing levels of requirements pose risk of inconsistent treatment between banks and non-banks.
The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued a proposed rule that is intended to “fundamentally reform” financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs under the Bank Secrecy Act (BSA). The proposal is a part of what Treasury describes as its “broader efforts to modernize” the U.S. AML/CFT regulatory and supervisory framework while also implementing statutory changes made to the BSA by the Anti-Money Laundering Act of 2020 (AML Act).
Key proposed reforms would:
- Focus on program effectiveness, including:
  - Distinguishing between program design and program implementation
  - Directing more attention and resources to higher-risk customers and activities
  - Incorporating AML/CFT Priorities into program requirements and supervisory/enforcement actions
- Introduce a two-prong review process, including a new supervisory and enforcement framework for banks
The current proposal supersedes a proposal FinCEN previously released in July 2024, and FinCEN is withdrawing that earlier proposal.
In conjunction with FinCEN’s release, the Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the National Credit Union Administration (collectively, the “Agencies”) jointly issued a proposed rule that would amend each agency’s BSA compliance program requirements to align with FinCEN’s proposal. Notably, the Federal Reserve Board did not participate.
Comments on each of the proposals will be accepted through June 9, 2026.
Note on Scope. FinCEN’s proposed rule would apply to financial institutions defined to include banks; casinos and card clubs (casinos); money services businesses; brokers or dealers in securities (broker-dealers); mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises. FinCEN notes that it does not propose any amendments to the final rule establishing AML/CFT and suspicious activity report filing requirements for registered investment advisers and exempt reporting advisers, which has been delayed until January 1, 2028.
FinCEN Proposal on AML/CFT Program Reforms
Focus on Effectiveness
FinCEN states that the proposed rule aims to ensure that financial institutions establish and maintain effective AML/CFT programs that better achieve the purposes of the BSA and lead to more effective outcomes for financial institutions as well as law enforcement and national security agencies. To do so, the proposal distinguishes supervisory expectations for effectiveness based on program design (what FinCEN considers “establishment”) and effectiveness based on program implementation (termed “maintenance”). An effective AML/CFT program would be a program that is: 1) established in accordance with the requirements of the proposed rule, and 2) implemented in all material respects.
Under the proposal, a financial institution would be required to establish a risk-based AML/CFT program incorporating the following minimum components across four pillars:
| Key AML/CFT Program Components | |
|---|---|
| Pillar One: Internal Policies, Procedures, and Controls | Internal policies, procedures, and controls must be reasonably designed to:<br>Risk assessment processes must:<br>Note: Existing customer due diligence requirements would be moved to Pillar One but with no change to obligations. |
| Pillar Two: Independent Testing | AML/CFT programs must undergo independent, periodic testing by individuals who are independent of the AML/CFT function (whether internal or external parties). Independent testing should be based on objective criteria designed to assess whether a financial institution has effectively established, implemented, and resourced an AML/CFT program consistent with its risk assessment processes. Treasury and FinCEN expect that an independent auditor should not substitute his or her own subjective judgment in place of the financial institution. Note: This requirement would be standardized across all financial institutions. |
| Pillar Three: Designation of AML/CFT Program Officer(s) | One or more qualified individuals must be designated as an AML/CFT officer responsible for establishing, implementing, and overseeing day-to-day compliance with BSA requirements. The AML/CFT officer must be located in the United States and accessible to FinCEN. Other personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. |
| Pillar Four: Ongoing Employee Training | Employee training programs must be ongoing, risk-based, and focused on current regulatory requirements as well as an institution’s internal controls and risk assessment results. The frequency of training should be commensurate with the risk profile of the financial institution and targeted to the roles and responsibilities of employees. |
The AML/CFT program would be required to be approved by the board of directors, an equivalent governing body, or appropriate senior management. Further, financial institutions would be required to maintain a written AML/CFT program that is available to FinCEN, appropriate federal regulators, and their designee.
Framework for Supervisory Actions
Supervisory examinations of a financial institution’s AML/CFT program would consider each of the two parts of an “effective” AML/CFT program:
- Establishing a Program. A financial institution would be required to keep its risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—current as the financial institution’s risk profile changes. Failure to update the program to reflect “significant” changes to the institution’s risk profile may result in the program no longer meeting the program establishment requirements, and the financial institution may accordingly be subject to supervisory or enforcement action for a failure to establish an effective AML/CFT program.
- Maintaining a Program. Maintaining an AML/CFT program (i.e., implementing the program) would require a financial institution to implement its program in all material respects (i.e., to execute the program in practice), including whether the financial institution is, in fact, allocating resources as contemplated in its established AML/CFT program, consistent with its risk assessment processes. Examples of implementation deficiencies include inconsistent performance of internal policies, procedures, or controls; gaps in the risk assessment processes that result in missed higher ML/TF risks; and data-related issues or weaknesses that materially impact risk mitigation.
Banks. A new “Supervision and Enforcement” section would set forth a framework for bank AML/CFT programs. In particular, banks with a “significant or systemic failure to implement an effective AML/CFT program” (described in the proposal as deficiencies or issues that arise from failing to implement, in all material respects, a properly established AML/CFT program) may be subject to a “significant AML/CFT supervisory action” or “AML/CFT enforcement action” (as defined in the rule) by FinCEN or the Agencies. “Isolated, technical, or immaterial implementation deficiencies” would not be cause for such action.
Before initiating a “significant AML/CFT supervisory action,” the Agencies, when acting pursuant to authority delegated by FinCEN, must provide FinCEN an opportunity to review the action and provide input. The information would be required to be submitted in writing at least 30 days prior to the proposed action “unless a shorter period is necessary, in the sole discretion of the Agencies, to remedy, prevent, or respond to an unsafe or unsound practice or condition.” As part of its review, FinCEN will consider the:
- Statutory factors set forth in the AML Act.
- Extent, if any, to which the bank—where appropriate in light of its size, complexity, and risk profile—has advanced the AML/CFT Priorities by providing “highly useful” information to law enforcement or national security officials.
- Bank’s use of proactive analytics or innovative activities to evaluate the effectiveness of the AML/CFT program (including effective use of artificial intelligence, federated learning, or other advanced monitoring tools).
Compliance. The proposed rule would become effective 12 months after publication of the final rule.
Agencies Proposal on AML/CFT Program Reforms
In conjunction with the release of FinCEN’s proposed rule, the Agencies issued a joint proposal that is intended to align each Agency’s AML/CFT rules with the changes in the FinCEN proposal, including:
- Establishing a risk-based AML/CFT program that includes the four pillars
- Prioritizing the allocation of attention and resources to higher-risk activities and customers
- Requiring a bank to “establish,” “maintain,” and “implement” an AML/CFT program
- Reserving “AML/CFT enforcement actions” and “significant AML/CFT supervisory actions” for instances where the bank exhibits “significant or systemic implementation failures” in established AML/CFT programs
- Cooperation and coordination with the notice and consultation framework between the Agencies and FinCEN
Information Sharing: The Agencies’ proposal would create a new exception for information sharing related to an existing or potential “AML/CFT enforcement action” or “significant AML/CFT supervisory action” by authorizing an institution to provide the information to FinCEN while preserving applicable privileges and protections, including information that would otherwise be nonpublic under current Agency rules. Two options for permitting this information sharing are being considered:
- Option 1, where an institution could provide the information to FinCEN without also providing it to the Agency
- Option 2, where an institution could provide the information to FinCEN only if it also provides the same information to the relevant Agency simultaneously.
Compliance. The proposed rule would become effective 12 months after publication of the final rule.