
A Fresh Take

Insights on M&A, litigation, and corporate governance in the US.


FinCEN Proposes Comprehensive Updates to AML/CFT Program Rules

On June 28, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a proposed rule (the Proposed Rule) to update anti-money laundering (AML) and countering the financing of terrorism (CFT) compliance obligations to reflect revisions to the Bank Secrecy Act (BSA) contained in the Anti-Money Laundering Act of 2020 (AML Act).[1]

FinCEN’s release marks the latest step in the ongoing implementation of the AML Act, which adopted the most significant revisions to the U.S. AML/CFT framework since the adoption of the USA PATRIOT Act in 2001. Although the Proposed Rule in large part clarifies, streamlines, and updates existing regulations, it includes several provisions that materially change AML/CFT compliance obligations for many financial institutions, including most notably a mandatory risk assessment process. 

Below, we briefly summarize the Proposed Rule, including its scope, requirements, and potential implications, and highlight open questions and next steps.  

Why Is FinCEN Updating the BSA/AML Program Rules?

The BSA and its implementing regulations have long required various types of “financial institutions”[2] to maintain an AML compliance program “reasonably designed” to promote compliance with applicable statutory and regulatory requirements.[3] Minimum requirements for these programs generally include the development of internal policies, procedures, and controls; designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs.[4]

Over time, FinCEN has expanded and clarified both the definition of “financial institution” and the scope of these BSA-related compliance program requirements – which, together with the requirements of the related but distinct Customer Due Diligence (CDD) Rule that applies to some financial institutions, have come to be known as the “five pillars.”[5] However, these regulations were adopted piecemeal and have not been comprehensively revised since the AML Act came into force. The result is a patchwork of disparate rules and differing language being used to achieve the same statutory objectives—not least in the nomenclature applied to these requirements, which the Proposed Rule explains are now to be designated as “AML/CFT” compliance programs (adopting the AML Act formulation over the prior “AML” or “BSA/AML” terminology).[6] 

According to FinCEN, the proposed revisions to the AML/CFT program requirements are intended to:

  • Reinforce the risk-based approach for AML/CFT programs;
  • Make AML/CFT programs more dynamic and responsive to evolving money laundering and terrorist financing risks; 
  • Improve the effectiveness of AML/CFT programs in achieving the purposes of the BSA; and 
  • Reinforce the focus of AML/CFT programs towards a more risk-based, innovative, and outcomes-oriented approach to combating illicit finance activity risks and safeguarding national security, as opposed to technical compliance. 

What Is FinCEN Proposing?

The Proposed Rule generally maintains existing requirements for financial institutions to establish, implement, and maintain risk-based and reasonably designed AML/CFT programs. Many of its provisions are broadly consistent with financial institutions’ current AML/CFT practices and do not introduce new obligations (for example, adding the phrase “countering the financing of terrorism” to the program requirement). 

Perhaps the most significant substantive change comes in the form of a universal requirement, discussed in greater detail below, for financial institutions to adopt a formal risk assessment process that identifies, evaluates, and documents AML/CFT risks and incorporates national AML/CFT priorities into their programs. This is not the only meaningful change, however. The Proposed Rule also would: 

  • Require a financial institution’s AML/CFT compliance program to be approved by the board of directors or equivalent governing body, an obligation that today applies only to a subset of entities subject to BSA compliance requirements;[7] and 
  • Implement a controversial provision of the AML Act, specifying that a financial institution’s duty to “establish, maintain, and enforce” an AML/CFT program must “remain the responsibility of, and be performed by,” persons in the U.S. who are accessible to regulatory and law enforcement authorities in the U.S. This language was the subject of considerable interest and concern immediately after passage but has remained dormant to date.

Risk Assessment – A Sixth Pillar? 

Although some financial institutions are already required to have a risk assessment process as part of their AML/CFT program, the Proposed Rule would require every financial institution to conduct a risk assessment to identify and evaluate its specific AML/CFT risks and adapt its compliance program accordingly. Financial institutions would be required to integrate the results of this risk assessment process into internal policies, procedures, and controls for fulfilling their obligations under the BSA. Risk assessment processes under the Proposed Rule also would need to be “reasonably designed” and consider specific inputs, including: 

  • National AML/CFT priorities identified by FinCEN and the Department of Treasury in mandatory reports required under the AML Act;
  • Financial institution-specific money laundering and terrorist financing risks based on a periodic evaluation of business activities (including, but not limited to, products, services, channels, customers, intermediaries, and geographic locations);[8] and
  • Suspicious activity reports, currency transaction reports, and other filings required under the BSA. 

Financial institutions would be required to review and update their risk assessment policies on a periodic basis. Although the Proposed Rule indicates that the frequency of this review could vary based on the characteristics and risk profile of the relevant institution, an update is mandatory any time “material changes” occur to a financial institution’s money laundering/terrorist financing risks. Moreover, the Proposed Rule “contemplates any risk-based considerations of a financial institution’s attention and resources to be subject to an appropriate governance framework that is documented or otherwise supported.”[9]

FinCEN notes that many financial institutions already maintain risk assessment processes with respect to their AML/CFT programs—either because the applicable regulation requires it, their supervisory agency expects it, or as a voluntary measure. However, the Proposed Rule’s substantive requirements to reflect national AML/CFT priorities and specific sources of risk in the financial institution’s business activities, as well as the procedural requirements of regular updates to the risk assessment process, likely will require changes even for these institutions.

Onshoring AML/CFT Compliance? 

FinCEN acknowledges in the Proposed Rule that many financial institutions administer their AML/CFT compliance programs in part through personnel located outside the United States, including third-party vendors that may rely on offshore resources “to improve cost efficiencies.”[10] Nevertheless, the agency recites language in the AML Act requiring that “the duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by” U.S. authorities and explains that the Proposed Rule would “incorporate” this requirement by “restating” the statutory provision without elaboration.[11]

Rather than explain what it means to “establish, maintain, and enforce” an AML/CFT compliance program—or how the statutory text can be implemented by institutions with significant cross-border operations, such as foreign banks operating in the U.S.—FinCEN requests comment on “questions that may arise for financial institutions as they address this statutory requirement” and explains that it will consider whether clarifying amendments should be made in the final rule. These include: 

  • “[T]he reasons financial institutions have AML/CFT staff and operations located outside of the United States [and] how financial institutions ensure AML/CFT staff and operations located outside of the United States fulfill and comply with the BSA”;
  • Whether “[i]ncluding this statutory language in the rule, as proposed, sufficient or is it necessary to otherwise clarify its meaning further in the rule”;
  • “[W]hat types of functions, ministerial or otherwise, may not be subject to these statutory requirements”; and
  • “How would financial institutions expect the[se] requirements . . . to affect their AML/CFT operations that may be currently based wholly or partially outside of the United States?”

This is a curious dodge on a provision that could require sweeping changes in how many financial institutions manage their AML/CFT compliance programs, and we expect robust discussion during the comment period, especially among the foreign bank community.

What Comes Next? 

Immediate implications of the Proposed Rule are limited. A 60-day comment period will follow official publication of the Proposed Rule in the Federal Register, and it is too soon to tell what a final rule would look like or when it could take effect. The Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration are also expected to propose revisions to their respective BSA/AML program rules for federally supervised banking organizations that would align with FinCEN’s proposed changes, which will also be subject to comment.

Looking forward, FinCEN has indicated that the Proposed Rule is intended to “set a critical foundation for potential future changes in the AML/CFT framework as part of the multi-step, multi-year implementation of the AML Act.”[12] The Proposed Rule acknowledges—but generally does not make substantial revisions to implement—a broad range of policy objectives including encouraging innovation, limiting the impact of de-risking on the availability of financial services for underbanked and underserved communities, and supporting feedback loops between financial institutions and federal regulators and/or law enforcement. 

While it is always advisable to carefully review and consider the potential impact of proposed regulations, it is particularly important for financial institutions subject to AML/CFT program requirements to carefully review all elements of the Proposed Rule, including the commentary, in light of FinCEN’s stated objective to use it as a foundation for future changes to the AML/CFT program requirements. Foreign-based financial institutions in particular may want to consider how the apparent onshoring requirements, if adopted, could be implemented in their AML/CFT compliance programs. Finally, although the Proposed Rule has not been finalized, it may be advisable for all financial institutions to evaluate their existing risk assessment processes, if any, in light of the requirements in the Proposed Rule and determine whether the other proposed revisions would affect their existing programs. 

* * * * * 

We will continue monitoring developments and provide additional updates as warranted.



[1] Financial Crimes Enforcement Network, Anti-Money Laundering and Countering the Financing of Terrorism Programs, Proposed Rule, 89 Fed. Reg. 55428 (July 3, 2024), available here.

[2] 31 U.S.C. § 5312(a)(2). Banks, broker-dealers, insurance companies, money services businesses, and investment companies, among others, are “financial institutions” subject to these rules.

[3] See, e.g., 12 CFR 208.63(a).

[4] 31 U.S.C. § 5318(h).

[5] See generally 31 CFR Parts 1010 and 1020–1030.

[6] This is not the first time that FinCEN has suggested that the BSA/AML program rules require updating and alignment. In 2020, prior to the enactment of the AML Act, FinCEN published an advance notice of proposed rulemaking soliciting comment on potential revisions to the BSA/AML program rules, including potential risk assessment requirements, that received 111 comments. Anti-Money Laundering Program Effectiveness, 85 Fed. Reg. 58023 (Sept. 17, 2020), available here.

[7] Proposed Rule at 55444.

[8] Under the Proposed Rule, the program rule for dealers in precious metals, precious stones, or jewels will also retain the current risk assessment factors that are tailored to practices at these financial institutions. Proposed Rule at 55438, n.89.

[9] Proposed Rule, at 55436.

[10] Proposed Rule, at 55445.

[11] Id.

[12] Financial Crimes Enforcement Network, Fact Sheet: Proposed Rule to Strengthen and Modernize Financial Institution AML/CFT Programs, FIN-2024-FCT1 (June 28, 2024), available here.