91 FR 42363
FEDERAL RESERVE SYSTEM
12 CFR Part 208
[Docket No. R-1835]
RIN 7100-AG78
AGENCY:
The Board of Governors of the Federal Reserve System.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
The Board of Governors of the Federal Reserve System (the Board) is inviting comment on a proposed rule that would require its supervised banks to establish and maintain effective anti-money laundering and countering the financing of terrorism (AML/CFT) programs reasonably designed to identify, assess, and mitigate risks of illicit finance. Among other changes, this proposed rule would ensure that Board-supervised banks establish and maintain effective AML/CFT programs that are intended to better achieve the purposes of the Bank Secrecy Act (BSA), culminating in the development of highly useful information related to illicit financial transactions for law enforcement and national security agencies. The amendments are intended to align with changes to AML/CFT program requirements proposed by the Financial Crimes Enforcement Network (FinCEN) to implement provisions of the Anti-Money Laundering Act of 2020 (AML Act) and corresponding changes proposed by the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, “the Agencies”) on April 10, 2026.
DATES:
Comments must be submitted on or before September 8, 2026.
ADDRESSES:
You may submit comments, identified by Docket No. R-1835 and RIN 7100-AG78, by any of the following methods:
• Agency Website: https://www.federalreserve.gov/apps/proposals/. Follow the instructions for submitting comments, including attachments. Preferred Method.
• Mail: Benjamin W. McDonough, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 20551.
• Hand Delivery/Courier: Same as mailing address.
• Other Means: publiccomments@frb.gov. You must include Docket No. R-1835 and RIN 7100-AG78 in the subject line of the message.
Comments received are subject to public disclosure. In general, comments received will be made available on the Board's website at https://www.federalreserve.gov/apps/proposals/ without change and will not be modified to remove personal or business information including confidential, contact, or other identifying information. Comments should not include any information such as confidential information that would not be appropriate for public disclosure. Public comments may also be viewed electronically or in person in Room M-4365A, 2001 C St. NW, Washington, DC 20551, between 9 a.m. and 5 p.m. during Federal business weekdays.
FOR FURTHER INFORMATION CONTACT:
Lara Lylozian, Deputy Associate Director, (202) 815-9088, lara.k.lylozian@frb.gov, Lee Davis, Lead BSA/AML Policy Analyst, (202) 740-8219, lee.h.davis@frb.gov, Division of Supervision and Regulation; or Jason Gonzalez, Deputy Associate General Counsel, (202) 452-3275, jason.a.gonzalez@frb.gov, Bernard Kim, Senior Special Counsel, (202) 452-3083, bernard.g.kim@frb.gov, Darien Capron, Senior Counsel, (202) 304-2531, darien.s.capron@frb.gov, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. For users of TDD-TYY, (202) 263-4869 or dial 711 from any telephone anywhere in the United States.
SUPPLEMENTARY INFORMATION:
The proposed rule would amend the Board's regulations that prescribe AML/CFT program requirements 1 for banks 2 supervised by the Board in a way that aligns with the rules proposed by FinCEN and the Agencies 3 under the BSA on April 10, 2026. 4 While FinCEN has delegated its authority to examine Board-supervised banks for compliance with the BSA to the Board, the Board also has independent authority to prescribe regulations requiring banks to establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, under 12 U.S.C. 1818(s) (Section 8(s) of the Federal Deposit Insurance Act). The Board is proposing to amend its rules to align with FinCEN and the Agencies so that its program requirements for Board-supervised banks remain consistent with those imposed by FinCEN and the Agencies. Further, with consistent regulatory text, banks will not be subject to any additional burden or confusion from needing to comply with differing standards between regulatory agencies. The proposed changes are discussed in more detail below in the section-by-section analysis.
1 In Section IV.A., the Board describes the express incorporation of the countering the financing of terrorism (CFT) requirements as part of a bank's anti-money laundering (AML) program requirements. For consistency throughout this proposed rule, AML program requirements will be described as AML/CFT program requirements.
2 The term “bank” is defined in regulations implementing the BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch, or office within the United States of banks, savings associations, credit unions, and foreign banks.
3 FinCEN and the Agencies are separately requesting comment on proposed amendments to their AML/CFT Program Rules for banks. See 91 FR 18704 (Apr.10, 2026) and 91 FR 18304 (Apr. 10, 2026). FinCEN, the Board, and the Agencies each have their own implementing regulations. See 31 CFR 1020.210 (FinCEN); 12 CFR 208.63 (Board); 12 CFR 21.21 (OCC); 12 CFR 326.8 (FDIC); and 12 CFR 748.2 (NCUA).
4 FinCEN currently defines the term “Bank Secrecy Act” in 31 CFR 1010.100(e). However, FinCEN's proposed rule also would make minor changes to the definitions in FinCEN regulations. These changes include the definition of “Bank Secrecy Act” at 31 CFR 1010.100(e), adding statutory references to the Anti-Money Laundering Act of 2020 (AML Act) and the Corporate Transparency Act, and removing the reference to “collection of statutes commonly referred to as. . . .” Certain criminal statutes—namely, 18 U.S.C. 1956, 1957, and 1960—are currently included in the BSA definition at 31 CFR 1010.100(e). Section 6003 of the AML Act, however, does not include these provisions in its BSA definition, and thus FinCEN is not considering them part of the BSA for the purposes of its proposed rule.
Enacted in 1970 and amended several times since, the BSA is designed to combat money laundering, the financing of terrorism, and other illicit finance activity risks (collectively, ML/TF risks). 5 Congress has authorized the Secretary of the Treasury (Secretary) to administer the BSA. The Secretary has in turn delegated the authority to implement, administer, and enforce compliance with the BSA and its associated regulations to the Director of FinCEN (FinCEN Director). 6
5 31 U.S.C. 5311(1).
6 Treasury Order 180-01 (Jan. 14, 2020), paragraph 3; see also 31 U.S.C. 310(b)(2)(I) (providing that the Director of FinCEN shall “[a]dminister the requirements of subchapter II of chapter 53 of this title, chapter 2 of title I of Public Law 91-508, and section 21 of the Federal Deposit Insurance Act, to the extent delegated such authority by the Secretary of the Treasury.”).
The Money Laundering Control Act of 1986 (MLCA) 7 amended 12 U.S.C. 1818(s) and 12 U.S.C. 1786(q) (Sections 8(s) of the Federal Deposit Insurance Act and 206(q) of the Federal Credit Union Act, respectively) to require the Board and the Agencies to issue regulations requiring their supervised banks to “establish and maintain procedures reasonably designed to assure and monitor their compliance” of their supervised banks with the requirements of the BSA. Consistent with the MLCA, on January 27, 1987, all the then-Federal bank regulatory agencies issued substantially similar regulations requiring their supervised banks to develop procedures for BSA compliance. 8
7 Public Law 99-570, 5318, 100 Stat. 3207, 3207-29 (1986).
8 52 FR 2858 (Jan. 27, 1987).
Since its original enactment, Congress has continued to address various aspects of AML/CFT compliance, including through expansion of the BSA. 9 In 1992, the Annunzio-Wylie Anti-Money Laundering Act 10 gave the Secretary authority to prescribe minimum standards for AML programs, including: “(A) the development of internal policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training program, and (D) an independent audit function to test programs”—what are often called the “four pillars” of AML/CFT programs. 11 Later, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the BSA to include, among other things, customer identification program (CIP) requirements and the expansion of AML program rules to cover certain other financial industry participants ( e.g., credit unions and futures commission merchants). 12 The USA PATRIOT Act also made it mandatory for financial institutions to maintain AML programs that meet minimum prescribed standards. 13 Through the exercise of its delegated authority, FinCEN is authorized to require each financial institution to establish an AML/CFT program to ensure compliance with the BSA and guard against ML/TF risks. 14 Over time, FinCEN, the Board, and the Agencies incorporated many of these standards into their respective program rules, and FinCEN implemented additional requirements for certain covered financial institutions into their respective program rules. 15
9 Most recently, Congress enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act on July 18, 2025. Pub. L. 119-27, codified at 12 U.S.C. 5901 et seq. The GENIUS Act requires that permitted payment stablecoin issuers (PPSIs) be treated as financial institutions under the BSA, including being required to maintain “an effective anti-money laundering program.” See 12 U.S.C. 5903(a)(5)(i). The GENIUS Act also requires the Board and the Agencies to issue regulations relating to PPSIs, including Bank Secrecy Act and sanctions compliance standards. These AML/CFT standards for PPSIs will be addressed separately from this rulemaking.
10 Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992) (Annunzio-Wylie).
11 31 U.S.C. 5318(h)(1), as added by section 1517(b) of Annunzio-Wylie. The proposed rule modifies the current sequencing of AML/CFT program components; however, the change in sequencing is not intended to modify or signify changes in any substantive requirements.
12 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001) (USA PATRIOT).
13 31 U.S.C. 5318(h), as added by section 352 of USA PATRIOT.
14 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
15 See FinCEN, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 11, 2016).
Although in practice the FinCEN AML program rule and the Board's compliance program rule for banks operate together, since the USA PATRIOT Act, banks have been required to maintain compliance programs under separate legal authorities administered by (i) FinCEN under Title 31 and (ii) the Board under Section 8(s). Because the authority for the Board's BSA compliance program rule derives from and is required by Section 8(s), the Board prescribed regulations requiring the banks they supervise to establish and maintain procedures reasonably designed to assure and monitor the compliance of such banks with the requirements of the BSA.
In 2003, FinCEN, the Board, the Agencies, the Securities and Exchange Commission, and the Commodity Futures Trading Commission jointly issued final rules on CIP requirements, 16 which were mandated by amendments to the BSA under the USA PATRIOT Act requiring financial institutions to implement a CIP as part of their BSA compliance program. 17 The CIP requirements became part of the separate AML program rules for banks administered by FinCEN, the Board, and the Agencies, although the rules continued to function together by allowing banks to satisfy FinCEN's rule by complying with their supervising agency's rule.
16 68 FR 25090 (May 9, 2003).
17 31 U.S.C. 5318(l), as added by section 326 of USA PATRIOT.
In 2016, FinCEN amended its AML compliance program rules to incorporate customer due diligence (CDD) requirements, including beneficial ownership information collection requirements for certain covered financial institutions, including banks. 18 Although the Board and the Agencies did not promulgate CDD requirements at that time, the agencies examine their supervised banks for compliance with those requirements under the authority of Sections 8(s) and 206(q). 19 With the exception of the CDD requirement, FinCEN's rule was substantially similar to the rules of the Agencies and the Board, and banks must currently comply with both FinCEN's AML bank program rule and the BSA compliance rules of the Board or the Agencies, as appropriate.
18 81 FR 29398 (May 11, 2016).
19 Press Release, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20200813a1.pdf.
On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, of which the AML Act was a component. 20 With the passage of the AML Act, Congress stated that it was seeking to modernize and strengthen the AML/CFT regulatory framework, which “had not seen comprehensive reform or modernization” since the BSA was enacted in the 1970s. 21 Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” 22
20 William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan. 1, 2021).
21 Congress noted in its Joint Explanatory Statement (JES) of the Committee of Conference accompanying the FY21 NDAA that: “the current [AML/CFT] regulatory framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which the Congress enacted in 1970. This decades-old regime, which has not seen comprehensive reform and modernization since its inception, is generally built on individual reporting mechanisms ( i.e., currency transaction reports (CTRs) and suspicious activity reports (SARs)) and contemplates aging, decades-old technology, rather than the current, sophisticated AML compliance systems now managed by most financial institutions.” Congress further stated that the AML Act “comprehensively update[s] the BSA for the first time in decades and provide[s] for the establishment of a coherent set of risk-based priorities.” Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference) ( https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf ).
22 H.R. Rep. No. 6395 (2020) at 732 (Joint Explanatory Statement of the Committee of Conference).
Section 6101(b) of the AML Act made several changes to the BSA's AML/CFT program requirements.
First, section 6101(b) amended the BSA at 31 U.S.C. 5318(h)(2)(B) to state that, “[i]n prescribing the minimum standards for [AML/CFT programs], and in supervising and examining compliance with those standards, the Secretary of the Treasury, and the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)) shall take into account” certain factors.
Second, section 6101(b) requires the Secretary, in consultation with the Attorney General, appropriate Federal functional regulators, relevant State financial regulators, and relevant national security agencies, to establish and make public government-wide AML/CFT priorities (AML/CFT Priorities). After consultation with the Federal functional regulators and relevant State financial regulators, the Secretary must promulgate regulations, as appropriate, to incorporate those priorities into revised program rules, and incorporation of the priorities must be included as a measure on which financial institutions are supervised and examined. FinCEN issued the first AML/CFT Priorities on June 30, 2021. 23
23 See AML/CFT Priorities (June 30, 2021). As required by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent with Treasury's National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024). The AML/CFT Priorities are supported by Treasury's National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing (Mar. 2026)). Additionally, Treasury is required to consult with the Board and the Agencies on the National Illicit Finance Strategy, which must include a risk assessment. See Combating Terrorism and Illicit Financing, Public Law 115-44, 131 Stat. 934 (2017). As also required by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the Attorney General, Federal functional regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities not less frequently than once every four years.
Third, section 6101(b) expands the BSA's program rule requirement to formally include an express reference to CFT in addition to AML.
Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator.
The proposed rule also builds upon other recent efforts by FinCEN, the Board, and the Agencies to modernize AML/CFT compliance program requirements for banks, both before and after the passage of the AML Act. These efforts include actions taken to revise the BSA regulatory regime through rulemakings, providing exemptive relief from regulatory requirements consistent with the purposes of the BSA, and clarifying regulatory requirements and supervisory standards through policy documents.
For example, on July 22, 2019, FinCEN, the Board, and the Agencies issued a joint statement to clarify and explain their existing risk-focused approach to examinations of banks' BSA/AML compliance programs. This statement was intended to increase transparency into the risk-focused approach used by the Board and the Agencies for planning and performing BSA/AML examinations, which included clarifying that the Board and the Agencies “generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas” based on the bank's unique risk profile. 24 FinCEN, the Board, and the Agencies have also taken steps to highlight that customer relationships present varying levels of ML/TF risk and, in turn, to encourage banks to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers. 25 More recently, the Board and the Agencies have, with FinCEN's concurrence, issued an order permitting banks, as part of their CIP obligations, to collect Taxpayer Identification Number information from a third party rather than directly from the bank's customer, subject to certain conditions. 26 FinCEN, the Board, and the Agencies have also issued Frequently Asked Questions to clarify certain obligations related to filing a suspicious activity report (SAR) to help ensure banks are not needlessly expending resources on efforts that do not provide law enforcement and national security agencies with the critical information they need to detect, combat, and deter criminal activity, as well as to combat misconceptions that banks are required to terminate customer relationships based on the filing of a SAR. 27
24 See Board SR letter 19-11, Joint Statement on the Risk-Focused Approach to BSA/AML Supervision (July 22, 2019), https://www.federalreserve.gov/supervisionreg/srletters/sr1911.htm.
25 See, e.g., Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (July 6, 2022) (“Customer relationships present varying levels of money laundering, terrorist financing, and other illicit financial activity risks. The potential risk to a bank depends on the presence or absence of numerous factors, including facts and circumstances specific to the customer relationship. The [Board and the] Agencies continue to encourage banks to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”)
26 See OCC, FDIC, NCUA, FinCEN, Agencies Issue Exemption Order to Customer Identification Program Requirements, (Jun. 27, 2025), https://www.occ.gov/news-issuances/news-releases/2025/nr-ia-2025-60.html, and Board SR Letter 25-2, Order Granting an Exemption from the Customer Identification Program Rule Requirement Related to a Bank Obtaining Taxpayer Identification Number Information from the Customer, (August 15, 2025), https://www.federalreserve.gov/supervisionreg/srletters/SR2502.htm.
27 FinCEN et. al, Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations (Jan. 19, 2021) (clarifying, among other things, that there is no BSA regulatory requirement to terminate a customer relationship after the filing of a SAR or any specific number of SARs). See also FinCEN et. al, Frequently Asked Questions Regarding Suspicious Activity Reporting Requirements (Oct. 9, 2025), https://www.fincen.gov/system/files/2025-10/SAR-FAQs-October-2025.pdf (clarifying filing requirements related to potential structuring-related activity, documentation requirements related to not filing a SAR on potentially suspicious activity, and certain aspects of continuing activity reporting).
With respect to prior rulemaking efforts, prior to the enactment of the AML Act, FinCEN published an ANPRM seeking public comment on potential regulatory amendments intended to increase the effectiveness of program rule requirements (Effectiveness ANPRM), which was informed by recommendations of the AML Effectiveness Bank Secrecy Act Advisory Group working group. 28 While the Effectiveness ANPRM was issued by FinCEN on a standalone basis, the Board and the Agencies were consultative partners with FinCEN when developing the proposal. More recently, on July 3, 2024, FinCEN published an NPRM proposing revisions to its AML/CFT program requirements for all financial institutions, including those applicable to banks, 29 and on August 9, 2024, the Board and the Agencies issued an NPRM proposing substantially similar amendments to their respective AML program rules applicable to banks they supervise (the 2024 Program NPRM). 30 These proposed rules were never finalized.
28 FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR 58023 (Sept. 17, 2020).
29 FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Requirements, 89 FR 55428 (Jul. 3, 2024).
30 OCC, Board, FDIC and the NCUA, Anti-Money Laundering and Countering the Financing of Terrorism Requirements, 89 FR 65242 (Aug. 9, 2024).
In proposing this rule in coordination with FinCEN and the Agencies, the Board considered applicable statutory requirements and prior feedback on these recent BSA modernization efforts, including comments provided on FinCEN's Effectiveness ANPRM and those received by FinCEN, the Board, and the Agencies on the 2024 Program NPRM. While building upon these prior modernization efforts, the proposed rule is distinct and separate from prior BSA modernization rulemaking efforts. 31
31 For an overview of the content of the Effectiveness ANPRM and the 2024 Program NPRM, and for an overview of comments received on both, refer to FinCEN's proposed revisions to its AML/CFT program requirements, issued on April 10, 2026. See 91 FR 18704 (Apr.10, 2026).
A central objective of the Board's and the Agencies' BSA modernization efforts is to create an AML/CFT supervisory and regulatory regime that is more effective in achieving the purposes of the BSA and culminating in the development of highly useful information related to illicit financial transactions for law enforcement and national security agencies. 32 The proposed rule would further that objective by explicitly defining the requirements for a bank to establish and maintain an effective AML/CFT program. It would also adopt into regulations the AML Act's expectation that AML/CFT programs should be risk-based, including ensuring that banks direct more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the bank, rather than toward lower-risk customers and activities. 33
32 31 U.S.C. 5311.
33 31 U.S.C. 5318(h)(2).
As noted above, the proposed rule would require Board-supervised banks to establish and maintain effective AML/CFT programs and define the requirements for doing so. In order for an AML/CFT program to be effective, the proposed rule would require a Board-supervised bank to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program.
As described in more detail in section IV.D, a Board-supervised bank would be required to establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and its implementing regulations, 31 CFR chapter X. The risk-based set of internal policies, procedures, and controls must also be reasonably designed to (1) identify, assess, and document the bank's ML/TF risks through risk assessment processes that evaluate the risks of the bank's business activities, review and, as appropriate, incorporate the AML/CFT Priorities, and are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's ML/TF risks; (2) mitigate the bank's ML/TF risks consistent with the bank's risk assessment processes including by directing more attention and resources toward higher-risk customers and activities, rather than toward lower-risk customers and activities; and (3) conduct ongoing customer due diligence.
The proposed rule would also require a Board-supervised bank to establish an ongoing employee training program and independent AML/CFT program testing as part of its AML/CFT program. Finally, the proposed rule would require a Board-supervised bank to designate an individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; that individual would be required to be located in the United States and accessible to, and subject to oversight and supervision by, FinCEN or its designee and the Board.
Under the proposed rule, in addition to establishing an AML/CFT program, the bank would be required to maintain that program by implementing, in all material respects, its established AML/CFT program. By structuring the requirement to have an effective AML/CFT program as distinct obligations to establish and maintain (via implementation) an AML/CFT program, the proposed rule is intended to clarify and reinforce the distinction between failures to establish an AML/CFT program and failures to implement a properly established program.
The distinction between establishing a program and maintaining a program by implementing it in all material respects is particularly important under the proposed rule for potential supervisory and enforcement actions. The proposed rule would not limit enforcement or supervisory actions for failures to establish an AML/CFT program. However, once a Board-supervised bank has properly established an AML/CFT program, the proposed rule would raise the threshold for significant supervisory or enforcement actions based solely on implementation deficiencies. Only significant or systemic failures by a bank to implement in all material respects an established program would warrant an “AML/CFT enforcement action” or a “significant AML/CFT supervisory action,” as these terms are defined in the proposed rule. In this way, the proposed rule is intended to clarify and reinforce a supervisory and enforcement focus on addressing significant or systemic failures to implement a properly established AML/CFT program, rather than on isolated, technical, or immaterial implementation issues. 34
34 Board, FDIC, NCUA, OCC, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements, (Aug. 13, 2020), https://www.federalreserve.gov/frrs/regulations/statement-on-bank-secrecy-act-anti-money-laundering-enforcement.htm.
Importantly, under the proposed regulations, having an effective AML/CFT program would be more than a one-time adoption of a risk-based set of internal policies, procedures, and controls. Rather, a Board-supervised bank would be required to keep its risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—current as the bank's risk profile changes. For example, while a bank's risk-based set of internal policies, procedures, and controls may, at one time, have been reasonably designed, they may no longer be reasonably designed given changes to the bank's risk profile. Similarly, an AML/CFT program would be more than a one-time creation of an employee training program or initiation of an independent testing mechanism: the bank would be required to keep such aspects of the AML/CFT program current as the bank's risk profile changes. Thus, even where a Board-supervised bank has previously established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant changes in the bank's risk profile may result in the program no longer meeting the program establishment requirements, and the bank may accordingly be subject to supervisory or enforcement action for a failure to establish an effective AML/CFT program.
By explicitly defining the requirements for a bank to establish and maintain an effective AML/CFT program, and by standardizing the AML/CFT supervision and enforcement policy for banks and across the Board and the Agencies, the proposed rule is expected to better achieve the purposes of the BSA, culminating in the development of highly useful information related to illicit financial transactions for banks and law enforcement and national security agencies. However, the Board does not intend for the proposed rule to provide banks permission to establish an AML/CFT program that might be interpreted as meeting the proposed rule's technical requirements on their face, but do not effectively detect and prevent ML/TF activity. To establish a compliant AML/CFT program under the proposed rule, a Board-supervised bank must, among other things, establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the BSA and 31 CFR chapter X, including through the adoption of risk assessment processes. A critical element of this requirement is that the bank's s risk-based set of internal policies, procedures, and controls be “reasonably designed.” For example, if a bank's program testing reveals that a new customer type or new activity is high risk, but the bank does not take any action to revise the design of its risk-based set of internal policies, procedures, and controls and therefore treats the customer or activity as presenting low risk, then its program should not be considered reasonably designed. The Board believes that banks have a better understanding of their customer bases and businesses and are best positioned to identify and evaluate their ML/TF risks. Therefore, under this proposed rule Board-supervised banks will continue to have significant flexibility and discretion in their decisions and determinations related to risk identification and resource allocation. The Board will assess whether: (1) a bank's resource allocation decisions are consistent with a reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the bank knows or should know of resource-related issues involving its risk-based set of internal policies, procedures, and controls that may result in the bank failing to implement its AML/CFT program in all material respects and has failed to address such issues.
Similarly, the Board expects a bank to be examined for its implementation of the established AML/CFT program in all material respects. Merely designating an individual responsible for establishing and implementing the AML/CFT program and having that individual establish risk-based internal policies, procedures, and controls, an ongoing employee training program, and an independent AML/CFT program testing program, are not sufficient to satisfy the proposed rule's obligations for a bank to have an effective AML/CFT program. Rather, a Board-supervised bank would be examined for the implementation, in all material aspects, of its established AML/CFT program, including the determination that the bank is, in fact, allocating resources commensurate with its established AML/CFT program, which the proposed rule would require to be consistent with its reasonably designed risk assessment processes.
This section-by-section analysis describes the specific proposed changes to the Board's BSA compliance program rule. Section IV.A addresses the proposed incorporation of CFT into the program rule. Section IV.B discusses the requirements for an “effective” AML/CFT program to comply with the requirements of the proposed rule. Section IV.C explains what it means to “establish” and “maintain” an effective AML/CFT program. Section IV.D describes the components of program establishment, including (1) a risk-based set of internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the Board, responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training. Section IV.E discusses the requirements that the AML/CFT program be written, accessible, and approved by a bank's Board of Directors, an equivalent governing body within the bank, or appropriate senior management. Section IV.F addresses the Customer Identification Program, Section IV.G addresses the supervision and enforcement section of the proposed rule, and Section IV.H discusses technical changes that the proposal makes to the existing rules to improve clarity and consistency across the program rules.
Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference “countering the financing of terrorism” 35 in addition to “anti-money laundering” when describing the requirement to establish an AML/CFT program. The Board proposes to update the AML/CFT program rule to reflect this new statutory language. For example, the proposed rule would change the title of the Board's program rule from “Bank Secrecy Act compliance” to “Anti-Money Laundering/Countering the Financing of Terrorism Compliance, Supervision, and Enforcement.” Similar changes would apply to the titles of relevant sections and subsections.
35 Countering the financing of terrorism (CFT) includes laws, rules, regulations, or other measures intended to detect and disrupt the solicitation, collection, or provision of funds to support terrorist acts or terrorist organizations, or other violent extremist groups.
The inclusion of “CFT” in the BSA compliance program rule would not create new obligations for banks, insofar as the USA PATRIOT Act already requires them to account for risks related to terrorist financing. Accordingly, the Board expects any changes to existing AML/CFT programs from the amendments described in this subsection to be technical and therefore not have any substantive impact on Board-supervised banks' compliance obligations.
In prescribing the minimum standards for an AML/CFT program and in supervising and examining compliance with those standards, the AML Act requires the Secretary and the appropriate Federal functional regulator to take into account that effective AML/CFT programs safeguard national security and help law enforcement prevent the flow of illicit funds in the financial system. 36 Further, the AML Act contemplates AML/CFT requirements focusing on achieving effective outcomes rather than dictating the processes used to reach those outcomes, an orientation the Board intends to reflect in the proposed rule. Consistent with the Board's long-standing expectations regarding what effective outcomes entail, the Board believes that, as a practical matter, it is not possible for a bank's AML/CFT program to detect and report all potentially illicit transactions that flow through the institution. 37 Similarly, a bank's AML/CFT program can be effective without preventing every minor instance of a bank falling prey to illicit finance misuse. Accordingly, the proposed rule would set out that, from a supervisory and enforcement perspective, an AML/CFT program is “effective” and complies with the Board's regulatory requirements promulgated under 12 U.S.C. 1818(s), as applicable, so long as it is established and maintained in accordance with applicable requirements.
36 See 31 U.S.C. 5318(h)(2)(B)(iii).
37 Fed. Fin. Inst. Examination Council, BSA/AML Assessing Compliance with BSA Regulatory Requirements — Suspicious Activity Reporting, https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04.
The proposed rule would provide that a Board-supervised bank has an “effective” program if it (1) is established in accordance with the proposed rule's establishment requirements; and (2) is maintained, meaning that a properly established AML/CFT program is implemented in all material respects.
One of the AML Act's key purposes is to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and financing of terrorism.” 38 Consistent with this purpose, the Board encourages banks to evaluate whether new technology or innovative approaches in other resources might help to combat financial crime more effectively. Innovative approaches could involve machine learning, generative artificial intelligence (GenAI), digital identity, blockchain monitoring and analytics, or application programming interfaces (APIs).
38 William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283, 134 Stat. 4547 at section 6002(3) (Jan. 1, 2021).
The Board recognizes that adopting new technologies for BSA compliance may not be suitable for all banks, particularly smaller ones, and the proposed rule therefore does not reference or require the use of any particular technology. A bank may find it beneficial to consider whether its AML/CFT program appropriately uses the bank's existing resources, including technology and data. However, consistent with longstanding guidance, the Board encourages banks to engage in responsible AML/CFT innovation. 39 Banks that responsibly incorporate innovative technologies into their AML/CFT programs will not incur on that basis any additional risk of being subject to a significant supervisory action or enforcement action solely based on the use of innovative technologies.
39 Board, FDIC, FinCEN, NCUA, OCC, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing, (Dec. 3, 2018), https://www.fincen.gov/system/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf.
The requirement that a bank establish and maintain an AML/CFT program is not new, although over time various formulations of this requirement have developed in statutes and regulations. 40
40 For instance, the provision of the BSA which requires financial institutions to have AML/CFT program rules states that “each financial institution shall establish” (emphasis added) such programs, including certain requirements as specified. See 31 U.S.C. 5318(h)(1). The corresponding Federal statute requiring banks regulated by the Federal banking agencies to have BSA compliance programs states that these banks must “establish and maintain procedures reasonably designed to assure and monitor the compliance” with the requirements of the BSA. 12 U.S.C. 1818(s)(1).
The proposed rule would harmonize and delineate the regulatory requirements that must be met for Board-supervised banks to have an effective AML/CFT program. That is, the proposed rule would create a two-pronged framework under which a Board-supervised bank's AML/CFT program would be deemed to be effective if the bank establishes and maintains its program. Under the proposed rule, a Board-supervised bank maintains its properly established AML/CFT program by implementing it in all material respects.
For a Board-supervised bank to have an effective AML/CFT program, the proposed rule would require a bank to establish an AML/CFT program and then maintain the AML/CFT program by implementing, in all material respects, the established AML/CFT program. The proposed rule describes the requirements for an effective AML/CFT program to be established and maintained. The AML/CFT program minimum components constituting program establishment, and described in further detail in Section IV.D below, are: (1) a risk-based set of internal policies, procedures, and controls (including risk assessment processes); (2) independent program testing; (3) an individual, located in the United States and accessible to FinCEN and the Board, responsible for establishing and maintaining the program, and coordinating and monitoring day-to-day compliance; and (4) ongoing employee training.
“Establishing” an AML/CFT program involves designing an AML/CFT program that incorporates all of the required components. “Maintaining,” by contrast, addresses whether the bank is implementing that program in practice. The regulation uses the term “implement” to describe this second prong. The distinction between establishing a program and maintaining a program by implementation matters because the proposed rule ties the availability of AML/CFT enforcement and significant supervisory actions based on the program rule for an established bank program to a significant or systemic failure to “implement” the properly established AML/CFT program. The distinction between establishing and “maintaining” an AML/CFT program is intended to make transparent how the individual elements of the proposed rule work together.
Separating program establishment from program maintenance therefore provides needed clarity regarding whether a supervisory concern relates to deficiencies stemming from the program's design, on the one hand, or failures in the program's operation, on the other. This two-prong framework would help promote consistent articulation of supervisory expectations and prevent conflating criticisms of program design—the remediation of which would likely be different in kind—with criticisms of day-to-day implementation. The proposed distinction does not change the substantive obligations for the bank.
As noted previously, the Board intends for the requirements of this proposed rule to not be limited to a one-time adoption of the elements required for program establishment, such as a risk-based set of internal policies, procedures, and controls. Rather, the Board intends a bank's establishment of its AML/CFT program to require the bank's risk-based set of internal policies, procedures, and controls—and the risk assessment processes that inform them—to remain current as the bank's risk profile changes. For example, if a Board-supervised bank begins providing a new product or service—or changes how it provides an existing product or service, such as operating in a new geographic location—under this proposed rule, the bank would need to incorporate its new product or service as part of its risk assessment processes. The proposed rule would require a bank to make a risk determination and, as appropriate, redesign its risk-based set of internal policies, procedures, and controls to account for the risks that it did not previously encounter prior to offering the new product or service, or operating in the new geographic location. Thus, under the proposed rule, even where a bank has previously established an AML/CFT program in accordance with the proposed rule, a failure to update the program to reflect significant changes in the bank's risk profile may result in the program no longer satisfying the proposed rule's requirements regarding establishment.
Once a Board-supervised bank has properly “established” an AML/CFT program, the bank must “maintain” the program by implementing it, in all material respects. Minor deficiencies of an AML/CFT program would not necessarily mean that a bank has failed to implement the program.
Although there are a variety of ways that a bank may not be implementing its program “in all material respects,” in the Board's experience, commonly observed examples may include, but would not be limited to: (1) internal policies, procedures, and controls are not being performed or not being performed on a consistent, regular, and timely basis ( e.g., consistently ignored warnings or red flags that a program was seriously deficient) due to the nature or extent of required resources becoming inadequate; (2) gaps in the risk assessment processes that result in the bank's program internal policies, procedures, and controls missing or inadequately covering higher ML/TF risks ( e.g., systems used to monitor for potentially suspicious activity failing to capture material volumes or types of transactions); or (3) deficiencies or weaknesses in the risk assessment processes that have a material impact on the bank's mitigation of ML/TF risks through its risk-based set of internal policies, procedures, and controls, including due to data-related issues involving relevant processes and systems.
Similarly, the Board expects that a bank could become aware of such implementation-related concerns through a variety of mechanisms, including but not limited to: (1) independent testing of the AML/CFT program; (2) examiner observations, suggestions, or other informal comments about the AML/CFT program; (3) management information systems and related reports or other outputs ( e.g., key performance indicators or key risk indicators, such as monitoring for potentially material backlogs in relevant AML/CFT processes); and (4) issues identified by personnel involved in the operation of the bank's AML/CFT program.
As noted earlier, pursuant to 31 U.S.C. 5318(h), the Board's AML/CFT program requirements for Board-supervised banks currently require certain minimum elements, including: (1) a risk-based set of internal policies, procedures, and controls; (2) an independent audit function to test programs; (3) a designated compliance officer; and (4) an ongoing employee training program. The majority of the proposed rule's AML/CFT program components are substantially similar to the existing regulatory requirements for banks. However, the Board is proposing certain additions and modifications to modernize and strengthen Board-supervised banks' AML/CFT programs to allow them to better mitigate illicit finance risks.
Banks are currently required to develop “a system of internal controls to assure ongoing compliance” with the requirements of the BSA as part of their AML/CFT programs. 41 Existing program rules, however, do not clearly articulate what it means to establish such a system of internal policies, procedures, and controls to ensure compliance.
41 See, 12 CFR 21.21(d)(1); 12 CFR 208.63(c)(1); 12 CFR 326.8(c)(1); 12 CFR 748.2(c)(1).
Under the proposal, the Board is amending and clarifying the current internal control pillar requirements. Specifically, the proposal provides that Board-supervised banks must establish a risk-based set of internal policies, procedures, and controls that is reasonably designed to: (1) identify, assess, and document ML/TF risks through risk assessment processes; (2) mitigate ML/TF risks consistent with the risk assessment processes, including by directing more attention and resources toward higher-risk customers and activities rather than toward lower-risk customers and activities; and (3) conduct ongoing CDD. The preamble addresses each of these features below.
Under this proposal, a Board-supervised bank's risk-based set of internal policies, procedures, and controls should be based upon, informed by, and consistent with a bank's risk assessment processes. The internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity of the bank. The requirement that a bank's risk-based set of internal policies, procedures, and controls be “reasonably designed” gives banks flexibility in how they achieve compliance with the BSA and the proposed rule's other requirements. As part of having a risk-based set of internal policies, procedures, and controls, reasonably designed to ensure compliance, banks may choose to responsibly adopt new technologies or innovative approaches to comply with BSA requirements. Consistent with this purpose, the Board encourages banks to evaluate whether new technology or innovative approaches in other resources might help to more effectively combat financial crime. Innovative approaches could involve machine learning, GenAI, digital identity, blockchain monitoring and analytics, or APIs.
The Board is proposing that, as part of a Board-supervised bank's risk-based set of internal policies, procedures, and controls, the bank identify, assess, and document the bank's ML/TF risk through risk assessment processes that: (1) evaluate the ML/TF risks of the bank's business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate the AML/CFT Priorities; and (3) update promptly upon any change that the bank knows or has reason to know significantly changes the bank's ML/TF risks.
The Board has traditionally viewed risk assessment processes as a critical tool of a reasonably designed BSA compliance program; a bank cannot implement a reasonably designed program to achieve compliance with the BSA unless it understands its risk profile. 42 Most banks already use risk assessments or risk assessment processes to structure their risk-based compliance programs. Despite being viewed as a critical tool, the Board's regulation does not currently explicitly require such risk assessment processes nor outline mandatory considerations for such processes. Thus, the proposed rule would codify into regulation the requirement for Board-supervised banks to establish risk assessment processes, thereby clarifying existing expectations and practices, as well as require specific factors for consideration that are responsive to the AML Act.
42 Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf. The Joint Statement on Risk Focused BSA/AML Supervision, July 22, 2019, clarifies that the Board and the Agencies' long-standing supervisory approach to examining for compliance with the BSA considers a financial institution's risk profile and notes that “[a] risk-based [AML] compliance program enables a bank to allocate compliance resources commensurate with its risk.” It further clarifies that a well-developed risk assessment process assists examiners in understanding a bank's risk profile and evaluating the adequacy of its AML program. The statement also explains that, as part of their risk-focused approach, examiners review a bank's risk management practices to evaluate whether a bank has developed and implemented a reasonable and effective process to identify, measure, monitor, and control risks.
Importantly, the proposed rule requires, as a part of a Board-supervised bank's risk-based set of internal policies, procedures and controls, that it identify, assess, and document its ML/TF risks using risk assessment processes. A bank would retain flexibility in how it would document the results of its risk assessment processes. As proposed, Board-supervised banks would not be required to establish a single, consolidated risk assessment document solely to comply with the proposed rule. While such a document may be appropriate under the proposal, the use of the term “risk assessment processes” is intended to reflect that a financial institution may rely on multiple processes—applied as appropriate within its AML/CFT program—to identify, assess, and document its ML/TF risks and will be examined based on the totality of these processes rather than the sufficiency of a single, standalone risk assessment document.
The Board believes banks are best positioned to identify and evaluate their ML/TF risk and is therefore not prescribing any particular risk assessment processes or methodologies other than the critical elements described in this proposed rule. Under the proposed rule, Board-supervised banks would be examined for whether they have established and maintained, in all material respects, reasonably designed risk assessment processes—which need not be in the form of a singular risk assessment process. Furthermore, the Board is not prescribing any particular time frame for banks to update their risk assessment processes.
The Board recognizes that banks vary significantly in size, structure, complexity, and risk profile. Under the proposed rule, a bank's risk-based set of internal policies, procedures, and controls—including its risk assessment processes—should be commensurate with the bank's size, structure, risk profile, and complexity. Accordingly, banks with broader product offerings, more complex corporate structures, or greater exposure to higher-risk customers, products, services, or geographic locations would be expected to establish correspondingly more formalized or analytically complex internal policies, procedures, and controls—including risk assessment processes. By contrast, many community banks operate with more limited business activities, traditional lending and deposit services, a narrower geographic footprint, and customer bases concentrated within defined local communities. For such banks, risk assessment processes may appropriately be more streamlined or qualitative in nature, and a risk-based set of internal policies, procedures, and controls that is reasonably designed for a large, complex financial organization would not necessarily be required or appropriate for a community bank with a more limited risk profile.
As noted previously, most banks already design their BSA compliance programs based on their assessment of ML/TF risks under existing risk assessment processes. The Board expects that most banks will be able to leverage their existing risk assessment processes to satisfy the proposed requirement without making significant changes.
The proposed rule would require Board-supervised banks' risk assessment processes to evaluate the ML/TF risks of the bank's business activities, including products, services, distribution channels, customers, and geographic locations. These factors are generally well known and often incorporated into current risk assessment processes of banks. While most banks are generally familiar with these concepts, “distribution channels” may be a newer term for some banks. For purposes of this rule, the Board considers “distribution channels” to refer to the methods and tools through which a bank opens accounts and provides products or services, including, for example, through remote or other non-face-to-face means.
Banks may use a variety of sources to inform their risk assessment processes. Such sources may include information obtained from other financial institutions, such as emerging risks and typologies identified through section 314(b) information sharing or payment transactions that other financial institutions returned or flagged due to ML/TF risks. 43 Information a bank generates or maintains could be another source. Internal information may include, for example, customer internet protocol (IP) addresses or device logins and related geolocation information.
43 See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020), www.fincen.gov/system/files/shared/314bfactsheet.pdf.
Feedback from FinCEN, law enforcement, and financial regulators may also inform risk assessment processes. For example, if a bank receives feedback from law enforcement about a report it has filed or potential risks at the bank, the bank may incorporate that information into its risk assessment processes. Similarly, banks may consider information identified from responding to section 314(a) requests.
In addition to feedback, reports and analyses published by Treasury and FinCEN may be particularly relevant to a bank's business activities, thereby warranting consideration when evaluating ML/TF risks. For example, Treasury describes changes in the illicit finance risk environment in its biennial National Money Laundering Risk Assessment, National Terrorist Financing Risk Assessment, and National Proliferation Financing Risk Assessment, which highlight significant illicit finance threats, vulnerabilities, and risks. 44 Regardless of the source, banks should take measures in their risk assessment processes to ensure this information is reasonably current, complete, and accurate.
44 See U.S. Dep't of Treasury, 2026 Nat. Money Laundering Risk Assess. (Mar. 2026), https://home.treasury.gov/system/files/246/2026-NMLRA.pdf; U.S. Dep't of Treasury, 2026 Nat. Terrorist Financing Risk Assess. (Mar. 2026), https://home.treasury.gov/system/files/246/2026-NTFRA.pdf; U.S. Dep't of Treasury, 2026 Nat. Proliferation Financing Risk Assess. (Mar. 2026), https://home.treasury.gov/system/files/246/2026-NPFRA.pdf.
The AML/CFT Priorities set out the priorities for the U.S. government's AML/CFT policy as required by the AML Act and are designed to ensure that banks' AML/CFT programs are aligned with those priorities. Recognizing the diverse nature of ML/TF threats facing the U.S. financial system and national security, and that bank AML/CFT programs benefit U.S. national security by safeguarding the financial system from ML/TF risk, the AML/CFT Priorities are intended to ensure that banks are focusing on the greatest threats to U.S. national security, as defined by Treasury.
Section 6101 of the AML Act requires that a financial institution's review and appropriate incorporation of the AML/CFT Priorities into its AML/CFT program be subject to supervision and examination for compliance with the BSA and other AML/CFT laws and regulations. 45 The Board is implementing this statutory requirement by proposing that, as part of their risk assessment processes, Board-supervised banks must review and, as appropriate, incorporate the AML/CFT Priorities. The inclusion of the AML/CFT Priorities in risk assessment processes is meant to help ensure that banks understand their exposure to risks in areas that are of particular importance nationally, which may help banks develop risk-based and reasonably designed AML/CFT programs.
45 31 U.S.C. 5318(h)(4)(E).
The Board understands that the AML/CFT Priorities may not always be applicable to a bank's risk profile and activities. Therefore, the Board requires the incorporation of the AML/CFT Priorities in a bank's risk assessment processes, as appropriate. This means that, having reviewed the AML/CFT Priorities, a Board-supervised bank may determine the extent to which a particular Priority is applicable and whether and how a particular AML/CFT Priority should be appropriately incorporated into its risk assessment processes.
Further, a Board-supervised bank may use its judgment and apply a reasonable, risk-based determination on whether to focus on a specific aspect of an AML/CFT Priority, rather than addressing all aspects of a Priority that may either not be applicable or pose lower risks to the bank. However, the Board cautions that a surface-level, perfunctory review of an AML/CFT Priority by a bank and of the foreseeable ways in which it may manifest itself within the bank's customers, products and services, geographies, and distribution channels would not satisfy this requirement. For example, patterns of transactions that may be consistent with potential structuring should not automatically be dismissed as lower value to law enforcement and untethered to an AML/CFT Priority without determining whether there is a potential connection to various types of other illicit finance activity ( e.g., structuring or similar patterns involving transactions in narcotics trafficking proceeds).
Whenever the AML/CFT Priorities are updated, banks would no longer be required to incorporate prior versions of the AML/CFT Priorities. Banks would only be required, as appropriate, to incorporate the most recent AML/CFT Priorities into their risk-based AML/CFT programs.
The Board anticipates that some Board-supervised banks, such as community banks, may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities but instead have greater exposure to other ML/TF risks. Additionally, some banks' risk assessment processes may determine that their AML/CFT programs already sufficiently incorporate to some extent, the AML/CFT Priorities. In either case, any changes to banks' AML/CFT program, such as internal policies, procedures, or controls would be based on the results of risk assessment processes and their impact on the AML/CFT program, including how to review and, as appropriate, incorporate the AML/CFT Priorities before making these determinations. 46 The Board requests comment from the public on whether additional guidance related to the consideration of the AML/CFT Priorities as part of a Board-supervised bank's risk assessment processes would be warranted.
46 FinCEN's April 10, 2026, proposal provides additional clarity on how FinCEN anticipates addressing the AML/CFT Priorities. See 91 FR 18704 (Apr.10, 2026).
The proposed rule would require Board-supervised banks to update their risk assessment processes promptly upon any change that the bank would know or have reason to know would significantly change their ML/TF risk profile. For example, a bank may need to update its risk assessment when new products, services, and customer types are introduced; existing products, services, and customer types undergo significant changes; when the bank adopts new risk mitigation technology; or the bank as a whole expands or contracts through mergers, acquisitions, and divestitures. Banks may also need to update their risk assessment processes based on factors external to their operations that they know or have reason to know significantly change their ML/TF risk profiles. The Board welcomes comments on whether it should further clarify when Board-supervised banks must review or update their risk assessment processes.
Section 6101(b) of the AML Act states that the AML/CFT programs of financial institutions should be “risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” 47 The proposed rule would adopt this formulation as part of a bank's obligation to establish a risk-based set of internal policies, procedures, and controls. Under the proposed rule, a Board-supervised bank's efforts to mitigate its ML/TF risks would involve “directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of [a bank], rather than toward lower-risk customers and activities.”
47 31 U.S.C. 5318(h)(2)(B)(iv)(II).
The Board views risk-based allocation of resources as a critical step in realizing the AML Act's BSA modernization and reform ambitions, and consistent with the Board's and the Agencies' ongoing efforts to modernize AML/CFT compliance and supervision. The proposed rule envisions Board-supervised banks exercising more flexibility in deploying attention and resources in accordance with the proposed rule without fear of supervisory criticism or action from examiners for directing more attention and resources on higher risk customers and activities, rather than toward lower risk customers and activities.
The goal of risk-based resource allocation is for banks to spend less time, energy, and resources on lower priority activities that may result in less resources devoted to and potentially distract from more serious threats. The proposed rule would enable Board-supervised banks to focus more on higher risk customers and activities, which the Board has determined should result in banks being more effective at detecting, reporting, and preventing the flow of illicit funds and providing law enforcement with more valuable BSA reporting.
As noted above, the Board believes that banks are best positioned to identify and evaluate their ML/TF risk and to make decisions related to risk identification and resource allocation in accordance with risk identification. The proposed rule, therefore, does not contemplate second-guessing of a bank's reasonable determinations regarding appropriate resource allocation or conclusions regarding specific risks. However, while the Board does not believe that an examiner should substitute his or her own subjective judgment in place of the bank's, examiners will be expected to assess whether (1) a bank's resource allocation decisions are informed by, and consistent with, reasonably designed risk assessment processes; and (2) with respect to implementation, specifically, whether the bank knows or should know of resource-related issues involving its internal policies, procedures, and controls and other mandatory elements that may result in the bank failing to implement its AML/CFT program in all material respects and has failed to address such issues.
The proposed rule would add CDD as a required component of the Board's AML/CFT program rule. Appropriate risk-based procedures for conducting ongoing CDD—in the form of understanding the nature and purpose of customer relationships and conducting ongoing monitoring—is currently a required component in FinCEN's AML program rule, 48 and, therefore, banks are already required to comply with these ongoing CDD requirements under FinCEN's rule. The inclusion of risk-based procedures for conducting ongoing CDD in the Board's proposed rule would mirror FinCEN's existing rule and reflect the Board's long-standing supervisory expectations. Long before FinCEN amended its AML program rule to expressly include the CDD component requirement, the Board had considered CDD an integral component of a risk-based program, enabling the bank to understand its customers and its customers' activity to better identify suspicious activity. Adding the CDD component to the Board's AML/CFT program rule will eliminate confusion for Board-supervised banks concerning the current differences with FinCEN's rule. Because banks must already comply with FinCEN's CDD component requirement, the proposed change should not alter current compliance practices.
48 See 31 CFR 1020.210(a)(2)(v) and (b)(2)(v).
The proposed rule would incorporate CDD requirements not as a standalone pillar, but instead by making them part of the requirement that banks establish a risk-based and reasonably designed set of internal policies, procedures, and controls. As noted previously, the activities required to conduct ongoing CDD, such as monitoring customer relationships, maintaining and updating customer information on a risk basis, and identifying and reporting suspicious transactions are, in practice, subsumed by the obligation for a bank to have a risk-based and reasonably designed set of internal policies, procedures, and controls and have long been viewed by the Board and the Agencies as an integral component of a bank's internal controls. Accordingly, establishing these requirements within this pillar more accurately reflects how banks operationalize ongoing customer due diligence as part of their overall AML programs.
Since the original adoption of the BSA compliance program rule, the Board and the Agencies have required banks to perform independent testing. The AML Act did not change the BSA's separate requirement that each bank must independently test its AML/CFT program. 49 The proposed rule therefore retains the existing requirement for Board-supervised banks to establish independent AML/CFT program testing to be conducted by bank personnel or an outside party with minor, non-substantive clarifications that are not intended to change regulatory requirements.
49 31 U.S.C. 5318(h)(1)(D).
The purpose of independent testing is to assess the bank's compliance with AML/CFT statutory and regulatory requirements, relative to its risk profile. The independent AML/CFT program testing should be focused on whether the AML/CFT program is effective, and it should identify issues and areas for remediation accordingly.
To support the effective implementations of an AML/CFT program, independent testing should be based on objective criteria designed to assess whether a bank has established and implemented an effective AML/CFT program and allocated resources consistent with its risk assessment processes. These criteria should also assess whether related project governance is sufficient to manage risks and apply compensating controls where necessary, particularly in areas where remediation is underway. This evaluation helps to inform the bank's board of directors and senior management of weaknesses or areas in need of enhancement or stronger controls. Typically, this evaluation includes a conclusion about the bank's overall compliance with AML/CFT statutory and regulatory requirements and sufficient information for the reviewer ( e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about whether the set of internal policies, procedures, and controls is reasonably-designed, and resources are well-allocated consistent with the bank's risk assessment processes.
Additionally, while banks retain some flexibility regarding who conducts the audit or testing, the proposed rule would continue to require that testing be independent. Banks that do not employ outside auditors or consultants or that do not have internal audit departments may comply with this requirement by using internal staff who are not involved in the function being tested. For these banks and banks with other types of arrangements for independent testing, the AML/CFT officer or any party who directly, and in some cases indirectly, reports to the AML/CFT officer, or an equivalent role, would generally not be considered sufficiently independent. Any individual conducting the testing, whether internal or external, would be required to be independent of other parts of the bank's AML/CFT program, including its oversight. For banks that engage outside auditors or consultants, the bank would be required to ensure that the outside parties conducting the independent testing are not involved in functions related to the AML/CFT program at the bank that may present a conflict of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures, and controls. Additionally, for the purposes of the independent testing component, outside parties would not include government agencies, entities, or instrumentalities, such as a bank's Federal or state functional regulators. Banks with less complex operations and lower risk profiles may consider utilizing a shared resource as part of a collaborative arrangement to conduct testing, as long as the testing is independent. 50
50 See Board, FDIC, NCUA, OCC, and FinCEN, Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.
The Board and the Agencies have required banks to “designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance” since the inception of their program requirements. The BSA separately requires that banks with AML/CFT program obligations must have a designated compliance officer, which was not altered by the AML Act. As in the Board's current BSA compliance program rule, the proposed rule would provide that an AML/CFT program must designate an individual (referred to as an AML/CFT officer) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations. The Board's view is that the individual serving as the AML/CFT officer must be qualified for that role and not overburdened with other responsibilities at the institution. The Board is proposing clarifying and technical changes to the AML/CFT officer requirement, as well as changes to incorporate to FinCEN's interpretation of 31 U.S.C. 5318(h)(5), as discussed below. These changes are generally not expected to impose new obligations on banks.
Consistent with current requirements, the proposed rule is not intended to be primarily concerned about the formal title of the individual responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; instead, the proposed rule focuses on the AML/CFT officer's position in the bank's organizational structure that enables the AML/CFT officer to effectively establish and implement the bank's AML/CFT program. The AML/CFT officer's authority, independence, and access to resources within the bank are critical. An AML/CFT officer should have decision-making capability regarding the AML/CFT program and sufficient functional stature within the organization to ensure that the program meets BSA requirements.
The AML/CFT officer's access to resources may include: adequate compliance funds and staffing with the skills and expertise appropriate to the bank's risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management of the bank's ML/TF risks. An AML/CFT officer with conflicting responsibilities that adversely impact the officer's ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement. The addition of the explicit requirement that the AML/CFT officer be responsible for “establishing and maintaining the AML/CFT program” in the proposed rule would make explicit a long-standing supervisory expectation, rather than changing current supervisory expectations.
The AML Act provides that the duty to establish, maintain, and enforce a bank's AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator. 51 Because this is a new requirement under the AML Act, it is not currently reflected in the Board's program rule requirements. FinCEN's proposed revisions to its AML/CFT program rules interpret this requirement as applying to the AML/CFT officer, so the Board's proposed rule would amend the existing compliance officer requirements to align with FinCEN's proposal. 52
51 31 U.S.C. 5318(h)(5).
52 See 91 FR 18704 (April 10, 2026).
The Board recognizes banks may currently have AML/CFT staff and operations outside of the United States, or they may contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States. These arrangements may serve to improve cost efficiencies; to enhance coordination, particularly with respect to cross-border operations; or serve other purposes not in conflict with goals underlying the BSA. Consequently, under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States, other than in limited circumstances such as a bank's foreign head office or controlling company. 53 The Board requests comment on whether any further clarifications on this point would be useful.
53 See, e.g., FinCEN, Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3, 2010); see also FinCEN, Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (Jan. 20, 2006), https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf.
The BSA requires AML/CFT programs to include an “ongoing employee training program.” 54 This statutory requirement is reflected in the current Board program rule employing different wording. 55 The proposed rule would harmonize the Board's program rule with that of other financial regulators by adopting the BSA's “ongoing employee training program” language uniformly. 56 This change is clarifying, not substantive.
54 31 U.S.C. 5318(h)(1)(C).
55 12 CFR 208.63.
56 Other financial regulators with stakeholders subject to the BSA currently utilize their own versions of this requirement. See 31 CFR 1020.210(a)(2)(iv), (b)(2)(iv) (banks); 1021.210(b)(2)(iii) (casinos); 1022.210(d)(3) (MSBs); 1023.210(b)(4) (broker-dealers); 1024.210(b)(4) (mutual funds); 1025.210(b)(3) (insurance companies); 1026.210(b)(4) (FCMs and IBCs); 1027.210(b)(3) (DPMSJs); 1028.210(b)(3) (operators of credit card systems); 1029.210(b)(3) (loan or finance companies); 1030.210(b)(3) (housing GSEs).
The Board would generally expect training to cover a bank's internal policies, procedures, and controls, which should in turn reflect the results of the bank's risk assessment processes, the latest AML/CFT regulatory requirements, and other relevant information. The frequency with which the training would occur, and the content of the training, would depend on the bank's ML/TF risk profile and the roles and responsibilities of the persons receiving the training. The Board welcomes comment on whether any further clarifications of the proposed training requirement are needed and recognizes that banks may have employees and non-employees who may have a variety of roles and responsibilities in relation to the AML/CFT program. The risk-based nature of an AML/CFT program provides flexibility for financial institutions to identify both employees and non-employees who must be trained on an ongoing basis.
The Board's current BSA compliance program rule generally requires a Board-supervised bank to have a written AML/CFT program that is approved by the bank's board of directors. 57 The proposed rule would modify these requirements and move them to a separate subsection and add clarifying text to harmonize the language with FinCEN's proposed rule. The Board requests comment on whether further clarification on this point would be useful.
57 See 12 CFR 208.63(b)(1).
Banks subject to Board supervision currently must have board approval for their AML/CFT programs under the Board's rule. The proposed rule would continue to require that a bank's written AML/CFT program be approved, though the proposal will expand the options available for a bank to obtain such approval. Specifically, the proposed rule will require that the AML/CFT program be approved by the bank's board of directors or an equivalent governing body within the bank, or appropriate senior management. The proposed rule specifies that approval encompasses each of the components of the AML/CFT program.
With respect to the new “equivalent governing body” language, FinCEN's current rule requires a bank lacking a Federal functional regulator to obtain approval of the bank's written AML program from either the bank's board or an equivalent governing body. 58 The Board `s proposed rule would also add a reference to an “equivalent governing body” to clarify that a bank can satisfy the requirement by having an equivalent governing body approve the program. The equivalent governing body can take different forms. For example, for the U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's board of directors or delegates acting under the board's express authority. Similarly, banks that do have a board of directors might instead reasonably delegate the approval requirement to a board committee exercising targeted oversight, such as a compliance committee, which would similarly qualify as an “equivalent governing body” under the proposal.
58 See 12 CFR 1020.210(b)(3).
Finally, the rule would also permit a bank's senior management to approve the AML/CFT program. Such individuals may include Chief Executive Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal Officer, Chief Compliance Officer, Director, and individuals with similar status or functions. Also, banks may establish or utilize existing senior committees of appropriate senior management officials to perform these functions. The Board proposes permitting approval by senior management to reflect the division of roles and responsibilities between a bank's board of directors and senior management with respect to establishing and maintaining an AML/CFT program, as a bank's senior management is charged with the actual role of establishing and maintaining the AML/CFT program.
While the proposed rule will no longer require the bank's board to approve the AML/CFT program, this would not alter the Board's expectations regarding the responsibilities of a bank's board of directors for providing appropriate oversight of the bank's AML/CFT compliance. The Board has always expected bank boards, both as a whole or through appropriate committees, to provide appropriate oversight of senior management to maintain the bank's operations in a safe and sound manner, oversee compliance with applicable laws and regulations, and establish appropriate risk governance frameworks. A bank's board might reasonably permit appropriate senior management to have AML/CFT program approval authority to provide more effective, timely oversight on a day-to-day basis, while still fulfilling the board's obligations through other appropriate means.
The proposed rule would maintain the current Customer Identification Program requirements but would move them to a separate section. The Board proposes minor, non-substantive updates to reference the “AML/CFT” terminology and harmonize the language between the Board and the Agencies to “require a customer identification program to be implemented as part of the AML/CFT program.” These technical changes are not anticipated to establish new obligations.
The proposed rule would add new supervision and enforcement frameworks for banks' AML/CFT programs that are aligned with the AML Act's emphasis on effectiveness and risk-based supervision. The proposed rule defines key terms and describes the Board's enforcement and supervision policy with respect to AML/CFT program implementation failures. The enforcement requirements only apply to actions by the Board.
Proposed section (a) would define several terms used throughout the section. The term “AML/CFT requirement” would mean a requirement of the Bank Secrecy Act (as that term is defined in 31 CFR 1010.100) or of the regulations in title 31, chapter X, or a requirement prescribed under the proposed definition.
The term “AML/CFT enforcement action” would mean any formal or informal action taken by the Board under authority of 12 U.S.C. 1818 or other applicable law that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes a cease-and-desist order, written agreement, consent order, or memorandum of understanding, or the assessment of a civil money penalty.
The term “significant AML/CFT supervisory action” would mean any written communication or other formal supervisory determination issued by the Board that identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement; communicates supervisory expectations to a bank regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and contemplates significant or programmatic actions or remedial measures to be taken by the bank. The term does not include examiner observations, suggestions, or other informal comments.
The proposed rule would articulate the Board's enforcement and supervision policy as it relates to AML/CFT requirements. 59 Except with respect to a significant or systemic failure to implement in all material respects an established AML/CFT program in accordance with the proposed rule, a Board-supervised bank that has properly established an AML/CFT program would not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action based on the program rule. At the same time, the proposed rule would clarify that nothing in this policy would restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to a failure to establish an AML/CFT program. The proposal is only intended to affect actions by the Board.
59 The proposal would not be intended to affect or restrict criminal enforcement under the BSA or the authority of the Department of Justice to pursue such actions.
In addition to these policies, the Agencies' April 10, 2026, proposed rules include two provisions regarding consultation and information sharing with FinCEN. 60 The first provision would establish a FinCEN notice and consultation framework applicable when the Agencies intend to initiate an AML/CFT enforcement action or a significant AML/CFT supervisory action. The second provision would allow banks to share any information with the FinCEN Director that relates to an existing or potential AML/CFT enforcement action or significant AML/CFT supervisory action. The Board invites comment on whether it should consider including the same or similar provisions in its final rule, including with respect to the two options for sharing information outlined in the Agencies' proposals.
60 The two provisions are proposed 12 CFR 21.21(h) and (i) (OCC), 12 CFR 326.8(h) and (i) (FDIC), and 12 CFR 748.2(h) and (i) (NCUA). See 91 FR 18304 (Apr. 10, 2026).
In addition to the previously described changes, the proposed rule would make other revisions to increase clarity and consistency in the program rules. Most of these changes are technical, such as renumbering provisions, amending cross-references, and updating statutory references based on changes to the BSA by the AML Act. For example, along with FinCEN, references to “BSA/AML programs” are being updated to “AML/CFT programs” for financial institutions. This technical change is not anticipated to establish new obligations.
The Board proposes that if one portion of the proposed rule, if finalized, is found to be invalid, the invalidated portion of the regulation should be severed with the other portions of the proposed rule remaining in full force and effect. The Board's position is that invalidation of any one provision, or application thereof to any one person or circumstance, does not, and should not, affect any other provision in this proposed regulation or other existing regulations. Each provision serves an important, related, but distinct purpose and application, designed to benefit the public by protecting the U.S. financial system from illicit financial activity. The Board accordingly proposes incorporating this into its rules, such that invalidating one provision would not undermine the operability or usefulness of the other provisions.
The Board is proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for banks to review and implement the requirements of the proposed rule. The Board solicits comment on the proposed effective date.
The Board welcomes comment on all aspects of the proposed amendments but specifically seeks comment on the questions below. The Board encourages commenters to reference specific question numbers when responding.
1. The proposed rule sets forth the conditions for an effective AML/CFT program. Is the description of an effective program sufficiently clear or is there anything further that the Board should consider in the final rule adding to clarify program effectiveness?
2. The proposed rule reflects a determination by the Board that banks are best placed to identify risks and allocate resources, and that providing them with greater discretion in these areas will improve the quality of AML/CFT compliance and reporting to law enforcement. Is this correct or should the Board consider adding more requirements regarding allocation of resources? How might banks assess changes in the total allocation of resources devoted to an AML/CFT program in a changing risk and cost environment?
3. Do banks distinguish between establishing a program and maintaining a program by implementing the program? If so, how? Should the Board add anything to further define these terms in the final rule?
4. Should the proposed rule's distinction between “establishing” and “maintaining” a program be modified? Is the distinction between “establishing” and “maintaining” a compliance program useful for banks?
5. Should the proposed rule distinguish between “establishing” and “maintaining” at the program level and “establishing” and “maintaining” each individual element? For example, should the final rule more clearly differentiate between a failure to establish the program, as a whole, versus a failure to establish an individual mandatory component of the program?
6. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement in all material respects a properly established AML/CFT program?
7. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?
8. How should the proposed rule ensure that the regulations issued by FinCEN, the Board, and the Agencies function harmoniously? How should the proposed rule differentiate between the Secretary of the Treasury's responsibility for regulations on establishing AML/CFT programs and the Board's responsibilities for regulations on establishing and maintaining programs?
9. Do banks expect any changes to their existing internal policies, procedures, and controls under the proposed rule, which requires that internal policies, procedures, and controls be “risk-based” and “reasonably designed” to ensure compliance with the BSA?
10. The proposed rule refers to risk assessment processes rather than a risk assessment process. This leaves banks free to use findings from one or more processes to assess their ML/TF risk. Does this description of how banks assess their ML/TF risk provide sufficient flexibility? How should the Board describe “risk assessment processes” to better reflect how banks assess ML/TF risks?
11. Should risk assessment processes be required to take into account additional or different criteria or risks than those listed in the proposed rule? If so, what additional factors should the Board consider requiring?
12. How long does it generally take a bank to incorporate the results of a risk assessment into its AML/CFT program? What factors determine this time frame?
13. What, if any, difficulties do banks anticipate when incorporating the AML/CFT Priorities as part of their risk assessment processes?
14. What additional guidance on how to incorporate the AML/CFT Priorities into a bank's risk assessment processes would be useful for the Board to provide?
15. The proposed rule requires that risk assessment processes are updated promptly upon any change that the bank knows or has reason to know significantly changes the bank's money laundering, terrorist financing, and other illicit finance activity risks. Would the proposed update requirement change the way banks currently update their risk assessment processes, and if so how? Is additional explanation needed concerning when a financial institution would be required to update its risk assessment? In particular, how might the Board clarify how risk assessment processes would be updated “promptly”? Would an alternative approach, such as periodic updates or a set schedule for updates, be preferable? Would an alternative standard, such as “materially changes,” be clearer than “significantly changes”?
16. How do a bank's ML/TF risks and its risk assessment processes affect one another? Put differently, if there is a feedback loop between the two, please describe it, including the typical amount of time between discovering new risks and incorporating those findings into risk assessment processes.
17. Under the proposed rule, a bank is required to conduct independent AML/CFT program testing. This requirement is already reflected in existing AML program rule requirements as is the requirement to include “an independent audit function to test programs.” 61 The Board solicits comment on how financial institutions may interpret and carry out this requirement, based on the proposed rule's description of an effective AML/CFT program. Are further clarifications on the independent AML/CFT program testing requirement necessary to ensure that audits carried out by bank personnel or outside third parties are well-tailored, risk-based, and focused on effectiveness?
61 12 CFR 21.21(d)(2); 12 CFR 208.63(c)(2); 12 CFR 326.8(c)(2); 12 CFR 748.2(c)(2).
18. Under the proposed rule, while the AML/CFT officer must be located in the United States, personnel located outside of the United States would still be permitted to perform certain AML/CFT functions. This language does not alter existing regulations and guidance that generally prohibit the sharing of SARs with personnel located outside of the United States other than limited circumstances such as a bank's foreign head office or controlling company. Are any further clarifications on this issue needed?
19. The proposed rule standardizes the long-standing requirement that an AML/CFT program be written. Should the Board further clarify which specific elements of an institution's AML/CFT program must be written, or is this requirement generally understood in its current form? In particular: (a) which program components—such as risk assessment processes; internal policies, procedures, and controls; transaction monitoring rules and parameters; escalation and reporting protocols; independent testing results; training materials; and documentation of designated personnel—should be required in writing; (b) what form ( e.g., narrative descriptions, checklists, system configurations, or electronic records) such documentation should take; and (c) what level of detail is appropriate for each component? Should the Board instead alter the requirement that an AML/CFT program be expressly required to be “written”? What would be the benefits or drawbacks of any such alterations to this requirement?
20. The proposed rule would require that a bank's written AML/CFT program be approved by its board of directors, an equivalent governing body within the bank, or appropriate senior management. Should the Board further clarify which aspects of the AML/CFT program must be subject to such approval? In particular: (a) should approval be required for each of the core program components ( e.g., the risk assessment processes framework; internal policies, procedures, and controls; transaction-monitoring and escalation frameworks; independent testing structure; training program; and designation of responsible personnel), or would approval of the overall program framework be sufficient; (b) should material revisions to particular components (such as significant changes to the institution's risk assessment methodology, monitoring architecture, or governance structure) require re-approval at the same level; and, (c) what level of specificity should the approving body be required to review and approve ( e.g., high-level program architecture versus detailed procedures or parameter-level settings)? Should the Board instead eliminate the specified approval requirement, allowing banks flexibility in determining how leadership oversight of the AML/CFT program is structured? What would be the benefits or drawbacks of not prescribing a mandatory approval requirement in the regulation? If the Board does not eliminate the specified approval requirement, should the Board consider amending the requirement? Are there alternatives to board of directors or an equivalent governing body, such as “appropriate senior management” that would be more appropriate?
21. Is clarification needed for banks to determine what constitutes a “significant or systemic failure” to implement an established AML/CFT program?
22. Is clarification needed for banks to determine what constitutes a “failure to establish an AML/CFT program”?
23. The Agencies included two provisions in their proposed rules that are not included in the Board's proposed rule regarding consultation and information sharing with FinCEN. Should the Board include the same or similar provisions in its rule?
24. The definition of significant AML/CFT supervisory action includes the term “any written communication.” Is the term “any written communication” too broad? Are there downsides and negative consequences to including the term “any written communication” in the proposed regulatory text? If so, please describe. Should the term “any written communication” be more clearly defined or removed altogether?
26. Is the definition of the term “significant AML/CFT supervisory action” sufficiently clear? Does the inclusion of “unsafe or unsound practices or conditions” introduce confusion about what types of supervisory actions are covered, since those terms are not found in the BSA?
28. Should the rule be revised to tailor program requirements or implementation timelines to the size, complexity, or risk profile of the bank?
29. The Board is proposing an effective date of 12 months from the date of issuance of the final rule to allow sufficient time for financial institutions to review and implement their requirements. The Board solicits comment on the proposed effective date.
The proposed rule, if finalized, would modernize and align the Board's AML/CFT program requirements at 12 CFR part 208 with the rules proposed separately by FinCEN under the BSA, as amended by the AML Act, 62 and the Agencies on April 10, 2026. 63 As described in Sections I-V of this SUPPLEMENTARY INFORMATION , the proposed rule would: clarify the elements of an effective, risk-based, and reasonably designed AML/CFT program; codify risk-assessment processes; distinguish program establishment from program implementation; and implement new supervision and enforcement frameworks. As a result of these changes, the Board expects that banks would recalibrate their AML/CFT programs to concentrate on higher-risk activities and deprioritize lower-risk activities, resulting in greater overall efficiency in their AML/CFT programs.
62 31 U.S.C. 5311-5336.
63 91 FR 18704 (Apr.10, 2026) and 91 FR 18304 (Apr. 10, 2026).
In accordance with OMB Circular A-4, the Board estimates the annual effect of the proposed rule as the difference in estimated economic outcomes between a state of the world in which the proposed rule is adopted and a baseline state of the world in which the proposed rule is not adopted. This analysis assumes that in both states of the world, all other relevant regulations and financial conditions data for all banks supervised by the Board as of the quarter ending September 30, 2025, with one exception: because the proposed rule is being promulgated in coordination with a rulemaking by FinCEN that will modify rules regarding AML/CFT for a broader set of institutions regulated by FinCEN, the analysis assumes FinCEN's rulemaking is finalized under both the baseline and under the proposed rule. This assumption allows the analysis to focus on the effects specific to the proposed rule. Because all banks are required to comply with the BSA, the proposed rule would apply to 858 banks supervised by the Board. 64
64 Call Report data as of September 30, 2025.
Under the baseline, banks must establish and maintain effective AML/CFT programs. These programs must include risk-based internal policies, procedures, and controls; a designated compliance officer; ongoing employee training; and independent testing. Banks also must meet FinCEN's CDD requirements. The analysis below evaluates incremental impacts of the proposal against that baseline.
Overall, the proposed rule is expected to provide direct benefits to banks through increased clarity of rules and increased consistency of enforcement for banks across financial regulators. The rule also codifies the general practice among banks to calibrate their AML/CFT programs to concentrate on higher-risk activities and deprioritize lower-risk activities. This recalibration would provide indirect benefits including the potential for reductions in crime due to greater deterrence and restriction of the flow of illicit funds as well as potentially increased access to financial services by low-risk members of the public. 65 The Board expects that the proposed rule would impose relatively small one-time adjustment costs on banks to update their AML/CFT programs to align with the newly-clarified requirements. Compliance costs are not anticipated to increase on an on-going basis, as overall program requirements have been clarified rather than increased and banks already maintain robust AML/CFT programs. The remainder of this section discusses these effects in turn.
65 For example, there is at least some anecdotal evidence that otherwise normal (low risk) customers could have reduced access as a result of BSA compliance. See https://www.banking.senate.gov/imo/media/doc/klein_testimony_2-5-25.pdf at 4.
Effective AML/CFT programs can deter illicit behavior by preventing the flow of illicit funds and assisting law enforcement and national security efforts to identify and prosecute criminals. By clarifying banks' AML/CFT obligations, the proposed rule may improve the effectiveness of AML/CFT programs for banks, relative to the baseline, by enabling them to reallocate AML/CFT resources toward higher-risk customers and activities. This recalibration may reduce the frequency and severity of harm caused by criminal activity.
Reductions in illicit financial activities from effective AML/CFT programs have several benefits, both for affected banks as well as for the broader society. For banks, effective AML/CFT programs may result in direct cost savings due to a decreased likelihood that they will be subject to illicit schemes, which in turn decreases the probability of disruptions to a bank's normal business operations. It could result in other potential cost savings due to a decreased probability that a bank may need to make victimized customer accounts whole, conduct internal investigations of successful illicit schemes, or implement remediation steps to address and prevent future recurrences of previously successful illicit schemes. 66
66 See Citizens Rulemaking Alliance comment letter (Nov. 17, 2025), p. 2, submitted in context of the recent proposed rulemaking 90 FR 48835: Unsafe or Unsound Practices; Matters Requiring Attention. The letter provided conservative estimates for general burden to community banks to address matters sufficiently deficient to warrant a supervisory action of a Matters Requiring Attention. Their provided estimates suggested 120 internal staff hours per MRA to scope, draft, implement, and document a written remediation plan; 20 board/committee hours for oversight and attestation; and $15,000 in external advisory/legal services for complex MRAs. Staff expect that costs would be even greater for larger, more complex banks to remediate significant deficiencies or system failures in their AML/CFT programs.
In terms of broader societal benefits, AML/CFT activities are often tied to other illicit activities such as but not limited to drug, weapons, wildlife, or human trafficking as well as terrorist activities. Any reduction in money laundering or terrorist financing is a benefit to society given the nature of the illegal activities that AML/CFT programs are designed to prevent. While it is inherently difficult to estimate the annual reduction in crime generally or financial crime specifically that could result from more effective AML/CFT programs, recent estimates suggest that those illicit activities run to the billions or trillions of dollars 67 and affect millions of Americans, 68 and given that scale, even a very small percentage decrease would result in a meaningful benefit.
67 The net annual cost of crime in the U.S. was estimated at approximately $3-4 trillion net of transfers in David A. Anderson, “The Aggregate Cost of Crime in the United States,” The Journal of Law and Economics, vol 64 no. 4 (2021). One specific type of financial crime, fraud, resulted in over $12 billion in reported losses in 2024 ( see the Federal Trade Commission, Consumer Sentinel Network Data Book 2024 (Mar. 2025), https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf ).
68 There were over 6 million reports according to the Consumer Sentinel Network in 2024 ( see Federal Trade Commission, Consumer Sentinel Network Data Book 2024 (Mar. 2025), https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf.
An additional benefit of a recalibration of AML/CFT programs towards higher-risk activities under the proposed rule is that fewer low-risk clients or customers, or potential clients and customers, of banks would be inadvertently or accidentally denied access to banking services due to their non-illicit transactions being incorrectly flagged by an AML/CFT program. The Board lacks the data to quantify the scale of this benefit.
The proposed rule would generate additional qualitative benefits from increased clarity and supervisory coherence, relative to the baseline. These benefits include: reducing regulatory fragmentation by harmonizing the Board and the Agencies' regulations imposing obligations on banks with FinCEN's corresponding regulations and eliminating overlap pertaining to the CDD requirements; enhancing outcomes related to national security and law enforcement by reinforcing risk-based approaches; and enabling more consistent identification and reporting of higher-priority illicit activity.
Having effective AML/CFT programs also reduces a bank's probability of regulatory and legal consequences, which may otherwise increase a bank's costs and adversely affect earnings. For example, ineffective programs that lead to significant AML/CFT activities may result in subsequent higher: operational risk capital requirements for larger banks currently subject to operational risk regulations; compliance costs from increased regulatory monitoring; or legal costs and financial penalties if program deficiencies result in violations of law, such as potential enforcement actions and civil money penalties.
Although these benefits are not readily quantifiable, they are expected to improve the focus of (1) AML/CFT supervision on mitigating significant or systemic failures in a bank's AML/CFT program and (2) bank compliance programs on higher-risk customers and activities.
If adopted, the proposed rule would require alignment of existing AML/CFT programs to the clarified requirements, however these costs are expected to be minimal. Possible one-time costs include:
—Labor costs associated with updating policy, procedure, and documentation to reflect risk assessment processes, to codify definitions of “establish,” “maintain,” and “implement”, and to comply with the requirement that the program be written, accessible upon request, and approved by the board (or equivalent governance).
—Potential labor costs or transitional productivity reductions associated with ensuring that the designated AML/CFT officer is located in the United States and has sufficient authority, stature, independence, and resourcing to comply with the requirements of the proposed rule.
—Training costs to refresh relevant personnel to reflect the revised expectations, risk prioritization, updated governance roles, and program documentation.
Given that most banks maintain AML/CFT programs that adhere with current regulations and supervisory expectations and given that the proposed rulemaking sets forth requirements that banks are already generally in compliance with, these incremental costs are expected to be minimal relative to current AML/CFT compliance costs. The Board does not have data available to estimate the one-time transition costs listed. In addition, the Board recognizes that these costs vary across banks based on their size, complexity, and the specific activities they engage in, as well as the sophistication of their current BSA compliance program. 69 Based on supervisory experience, Board staff believe that banks are already generally in compliance with the proposed requirements based on longstanding regulatory and supervisory expectations. Therefore, the Board anticipates that banks would expend de minimis incremental costs to update their AML/CFT compliance programs in conformance with the proposed requirements.
69 The Board expects there would be variation in the magnitude of these transition costs among affected institutions, depending on bank size, complexity of business model, transaction volume, and scope and nature of products, customers, services, and geographical operations. Smaller institutions would be expected to have significantly less transition costs to update policies, procedures, and documentation than larger institutions with more complex risk profiles, higher transaction volume, and greater diversity and volume of products, customers, services, and geographical operations. Smaller institutions also tend to have significantly less staff dedicated to AML/CFT compliance than larger institutions. As such, these smaller institutions would need to train fewer staff on the proposed rule's requirements than larger institutions, requiring them to allocate fewer total dollars to training. Furthermore, smaller institutions generally already have a designated AML/CFT officer domiciled in the United States whereas larger, internationally active institutions may not. This would result in no expected labor opportunity costs for smaller institutions, but possibly one-time costs for larger internationally active institutions that do not currently have a U.S. domiciled AML/CFT officer.
While the Board lacks the data necessary to estimate how compliance costs for banks would change under the proposed rule, several factors suggest that ongoing compliance costs would be similar to the baseline. 70 First, banks already maintain extensive AML/CFT programs, in many cases exceeding the minimum requirements under current rules. Second, the proposed rule would clarify existing requirements rather than imposing new ones, which suggests that banks may not find it necessary to devote additional resources to AML/CFT programs relative to the baseline.
70 The Board acknowledges that banks would have to incorporate any future AML/CFT priorities FinCEN issues as part of their ongoing costs. However, the Board believes that banks have already incorporated the current AML/CFT priorities into their BSA compliance programs because these “[p]riorities reflect longstanding and continuing AML/CFT concerns previously identified by FinCEN and other Treasury components and U.S. government departments and agencies” (see AML/CFT Priorities, page 3 (June 30, 2021)).
As a result, the Board anticipates no increase in ongoing compliance costs resulting from the proposed rule. Given the economic effects described above, the Board expects the benefits of the proposed rule would outweigh the costs.
The Board invites comments on all aspects of the economic analysis provided in this supplemental information. What, if any, additional significant benefits or costs should the Board consider and why?
The Board has considered several alternatives to the proposed rule which could meet the objectives of this rulemaking. For the reasons described, the Board views the proposed rule as the most appropriate and effective means of achieving its policy objectives with respect to the Anti-Money Laundering Act of 2020.
The Board considered taking no regulatory action. Under this alternative, banks would remain subject to separate, partially overlapping, and in some cases inconsistent AML/CFT program requirements across FinCEN and the Board. This would perpetuate regulatory fragmentation, increase compliance uncertainty, and risk inefficient resource allocation contrary to the AML Act's emphasis on risk-based programs. It would also fail to implement the AML Act's requirement that the AML/CFT Priorities be incorporated into program rules and examined accordingly, and it would not establish a uniform framework for distinguishing between program establishment and implementation. The Board therefore rejected this alternative.
The Board considered reissuing or finalizing the 2024 Notice of Proposed Rulemaking (2024 NPRM), which previously addressed these issues. However, public comments in response to the 2024 NPRM suggested that the 2024 NRPM did not adequately emphasize the increased flexibility of banks to recalibrate their BSA/AML programs to concentrate on higher-risk activities. In contrast, the proposed rule would provide such flexibility and, and as discussed in this section, result in greater benefits to the public. The proposed rule also includes provisions requiring FinCEN's consultation on supervisory actions and other measures to refocus supervision on substantive issues with bank AML/CFT programs rather than on procedural compliance. The Board therefore chose to issue the proposed rule.
The Board considered developing more prescriptive program requirements, such as mandatory risk assessment methodologies, specific governance structures, required technologies, or defined timelines for updating risk assessments. Such an approach would conflict with the AML Act's emphasis on risk-based, flexible, and outcome oriented AML/CFT programs, and would be inconsistent with the Board's stated view that banks are best positioned to identify and evaluate their own risks. The Board therefore rejected this alternative in favor of a flexible framework aligned with statutory intent.
The Board considered extending the implementation period beyond the proposed 12 months. A longer period would reduce near term adjustment costs for some banks but would delay the benefits of improved clarity, harmonization, and risk-based supervision. Given that most banks already maintain programs substantially consistent with the proposed requirements, the Board believes a 12 month period appropriately balances transition needs and timely realization of benefits.
The Board considered whether the proposed rule should apply only to larger or more complex banks or include tailored requirements by size or business model. Because all banks must comply with the BSA, and because the proposal is inherently risk-based and scalable to each bank's risk profile, the Board determined that formal tailoring was unnecessary. Explicit tailoring could also undermine consistency and create cliff effects as banks restrict their growth to remain under regulatory thresholds. Therefore, the Board retained full applicability while emphasizing flexibility in program design.
The Board invites comments on possible alternatives to the proposed rule.
The Board is providing an initial regulatory flexibility analysis with respect to this proposal. The RFA requires an agency to consider whether the rules it proposes will have a significant economic impact on a substantial number of small entities. Under regulations issued by the SBA, a “small” entity includes a depository institution, bank holding company, or savings and loan holding company with total assets of $850 million or less. 71 For purposes of this section, any reference to “small” entities is a reference to this definition.
71 See 13 CFR 121.201. Consistent with the SBA's General Principles of Affiliation, the Board includes the assets of all domestic and foreign affiliates toward the applicable size threshold when determining whether to classify a particular entity as a small entity. See 13 CFR 121.103.
In connection with a proposed rule, the RFA requires an agency to prepare an initial regulatory flexibility analysis describing the impact of the rule on small entities, unless the head of the agency certifies that the proposal will not have a significant economic impact on a substantial number of small entities and publishes such certification along with a statement providing the factual basis for such certification in the Federal Register . An initial regulatory flexibility analysis must contain (1) a description of the reasons why action by the agency is being considered; (2) a succinct statement of the objectives of, and legal basis for, the proposed rule; (3) a description of, and, where feasible, an estimate of the number of small entities to which the proposed rule will apply; (4) a description of the projected reporting, recordkeeping, and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record; (5) an identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap with, or conflict with the proposed rule; and (6) a description of any significant alternatives to the proposed rule which accomplish its stated objectives and minimize any significant economic impact of the proposed rule on small entities. 72
72 5 U.S.C. 603(b)-(c).
The Board has considered the potential impact of the proposal on small entities in accordance with the RFA. Based on its analysis and for the reasons stated below, the Board believes that this proposed rule will not have a significant economic impact on a substantial number of small entities. Nevertheless, the Board is publishing and inviting comment on this initial regulatory flexibility analysis.
As explained above, the Board is proposing to amend its AML/CFT compliance program rule to align with changes that are being concurrently proposed by FinCEN and are required of FinCEN by the AML Act. The proposed rule would incorporate a risk assessment process in the Board's AML/CFT program rule that would require, among other things, consideration of the national AML/CFT Priorities published by FinCEN. It also would align other requirements, such as customer due diligence requirements, with FinCEN's rule and propose clarifying and other amendments to codify longstanding supervisory expectations.
The Board's intent is to have AML/CFT program requirements for applicable institutions remain consistent with those imposed by FinCEN. Further, with consistent regulatory text, these institutions would not be subject to any additional burden or confusion from needing to comply with differing standards between FinCEN and the Board. The Board proposes to promulgate this rule pursuant to its safety and soundness authority and under section 8(s) of the Federal Deposit Insurance Act, 12 U.S.C. 1818(s), which requires the Board to issue regulations requiring supervised institutions to “establish and maintain procedures reasonably designed to assure and monitor the compliance” of the institutions with the requirements of the BSA.
The proposal would apply to state member banks; Edge and agreement corporations; and branches, agencies, or representative offices of a foreign bank operating in the United States (other than a Federal branch or agency or a state branch that is insured by the FDIC) (“Board-supervised institutions”). 73 As of December 31, 2025, there were 703 insured State member banks, and approximately 439 Board-supervised institutions to which this proposed rule would apply that were small entities for purposes of the RFA. 74
73 12 CFR 208.63, 211.5(m), and 211.24(j).
74 The small entity information is based on Call Report data as of December 31, 2025.
The proposed rule would revise 12 CFR 208.63 to require Board-supervised institutions to establish and maintain effective anti-money laundering and countering the financing of terrorism (AML/CFT) programs reasonably designed to identify, assess, and mitigate risks of illicit finance. Such a program must include: a risk assessment process that will serve as the basis for the AML/CFT program and includes, among other things, consideration of national AML/CFT priorities; one or more qualified AML/CFT compliance officers; policies, procedures and internal controls commensurate to address the bank's illicit finance risks; risk-based procedures for conducting ongoing CDD; an ongoing employee training program; and, independent, periodic AML/CFT program testing performed by qualified persons. The proposed rule would also incorporate a statutory requirement of the AML Act that persons with a duty of establishing, maintaining, and enforcing the AML/CFT program be in the United States and accessible to oversight and supervision by the appropriate regulator.
The Board estimates a rate of $51.20 per hour as the compensation associated with complying with the proposed rule. 75 The estimated cost and burden to comply with the requirement to update programs to incorporate the new definition of “AML/CFT program” would be minimal, as this is essentially a change in terminology. Likewise, complying with the additional regulatory requirement to conduct a risk assessment incorporating the AML/CFT priorities would not impose significant additional burden because this is an existing, longstanding supervisory expectation for Board-supervised institutions and because the priorities reflect longstanding AML/CFT concerns previously identified by FinCEN and governmental agencies. 76 Accordingly, Board-supervised institutions should already have a risk assessment incorporating the AML/CFT priorities and the other components of the proposed rule in place. The Board estimates that the additional burden associated with these minimal changes on small entities to be approximately $760,218 (32 hours × $51.20 per hour × 464 small entities) in the first year after adoption, and approximately $190,054 (8 hours × $51.20 per hour × 464 small entities) in each successive year.
75 To estimate hourly compensation, the assumed distribution of occupation groups involved in the actions taken by institutions in response to the proposed rule in year 1 and in subsequent years include Executives and Managers (1 percent of hours), Compliance Officers (29 percent), and Clerical (70 percent). This combination of occupations results in an overall estimated hourly total compensation rate of $51.20. This average rate is derived from the U.S. Bureau of Labor Statistics (BLS) Specific Occupational Employment and Wage Estimates for May 2023, and March 2023 BLS Cost of Employee Compensation data for the Employment Cost Index between March 2023 and March 2024.
76 AML/CFT Priorities, page 3 (June 30, 2021).
The Board has not identified any Federal statutes or regulations that would duplicate, overlap, or conflict with the proposal, other than FinCEN's proposed AML/CFT program rule, described above. In addition, the Board considered the alternative of leaving its program rule unrevised but determined not to do so, for the reasons explained in the Alternatives section above.
Based on its analysis and for the reasons stated above, the Board believes that the proposal is unlikely to have a significant economic impact on substantial number of small entities supervised by the Board. The Board welcomes comment on all aspects of its analysis. In particular, the Board requests that commenters describe the nature of any impact on small entities and provide empirical data to illustrate and support the extent of the impact. Additionally, the Board requests that commenters describe the number of small entities under the RFA and the impact on small entities.
The Paperwork Reduction Act of 1995 77 (PRA) states that no agency may conduct or sponsor, nor is the respondent required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The Board has reviewed this proposed rule and determined that it does not create any information collection. The Board reviewed the proposed rule under the authority delegated to the Board by OMB.
77 44 U.S.C. 3501-3521.
Comments on aspects of this document that may affect reporting, recordkeeping, or disclosure requirements and burden estimates should be sent to the addresses listed in the ADDRESSES section of this document. Written comments and recommendations for these information collections also should be sent within 30 days of publication of this document to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.
Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA), 78 in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on IDIs, each Federal banking agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on affected depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, section 302(b) of the RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on IDIs generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form. The Board invites comments that further will inform its consideration of the RCDRIA. 79
78 12 U.S.C. 4802(a).
79 12 U.S.C. 4802(b).
Section 722 of the Gramm-Leach-Bliley Act 80 requires the Federal banking agencies to use plain language in all proposed and final rulemakings published in the Federal Register after January 1, 2000. The Board invites your comments on how to make this proposed rule easier to understand. For example:
80 Public Law 106-102, section 722, 113 Stat. 1338, 1471 (1999), 12 U.S.C. 4809.
• Has the Board organized the material to suit your needs? If not, how could the proposed rule be more clearly stated?
• Are the requirements in the proposed rule clearly stated? If not, how could the proposed rule be more clearly stated?
• Does the proposed rule contain language or jargon that is not clear? If so, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the proposed rule easier to understand? If so, what changes to the format would make the proposed rule easier to understand?
• What else could the Board do to make the proposed rule easier to understand?
The Providing Accountability Through Transparency Act of 2023 requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the internet website under section 206(d) of the E-Government Act of 2002. 81
81 44 U.S.C. 3501 note.
The proposal and the required summary can be found for the Board at https://www.federalreserve.gov/apps/foia/proposedregs.aspx.
List of Subjects in 12 CFR Part 208
Accounting, Agriculture, Banks, Banking, Confidential business information, Consumer protection, Crime, Currency, Federal Reserve System, Flood insurance, Insurance, Investments, Mortgages, Reporting and recordkeeping requirements, Securities.
For the reasons set forth in the preamble, the Board of Governors of the Federal Reserve System proposes to amend 12 CFR part 208 as follows:
PART 208—MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H)
1. The authority citation for part 208 continues to read as follows:
Authority:
2 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 371d, 461, 481-486, 601, 611, 1814, 1816, 1817(a)(3), 1817(a)(12), 1818, 1820(d)(9), 1833(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, 3905-3909, 5371, and 5371 note; 15 U.S.C. 78b, 78I(b), 78l(i), 780-4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w, 6801, and 6805; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.
2. Revise § 12 CFR 208.63 and republish to read as follows:
(a) Definitions. For purposes of this section:
(1) AML/CFT enforcement action means any formal or informal action taken by the Board under authority of 12 U.S.C. 1818 or other applicable law that seeks to penalize, remedy, prevent, or respond to noncompliance with past or ongoing violations of, or past or ongoing deficiencies relating to, an AML/CFT requirement. The term includes—
(i) A cease-and-desist order, written agreement, consent order, or memorandum of understanding; or
(ii) The assessment of a civil money penalty.
(2) AML/CFT requirement means:
(i) A requirement of the Bank Secrecy Act or the implementing regulations at 31 CFR chapter X; or
(ii) A requirement prescribed under 12 U.S.C. 1818(s) or this section.
(3) Bank Secrecy Act has the meaning given that term in 31 CFR 1010.100.
(4) Significant AML/CFT supervisory action means any written communication or other formal supervisory determination that—
(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;
(ii) Communicates supervisory expectations to a state member bank regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and
(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the state member bank.
The term does not include examiner observations, suggestions, or other informal comments.
(b) AML/CFT program in general. Each state member bank must establish and maintain an effective AML/CFT program. A state member bank complies with this requirement if it:
(1) Establishes an AML/CFT program in accordance with paragraph (c) of this section; and
(2) Maintains an AML/CFT program by implementing the AML/CFT program in accordance with paragraph (d) of this section.
(c) AML/CFT program establishment. A state member bank establishes an AML/CFT program in accordance with this paragraph if it:
(1) Establishes a risk-based set of internal policies, procedures, and controls that is reasonably designed to ensure compliance with the Bank Secrecy Act and the implementing regulations at 31 CFR chapter X and to:
(i) Identify, assess, and document the state member bank's money laundering, terrorist financing, and other illicit finance activity risks through risk assessment processes that:
(A) Evaluate the money laundering, terrorist financing, and other illicit finance activity risks of the state member bank's business activities, including its products, services, distribution channels, customers, and geographic locations;
(B) Review and, as appropriate, incorporate the AML/CFT priorities as that term is defined in 31 CFR 1010.100; and
(C) Are updated promptly upon any change that the state member bank knows or has reason to know significantly changes the state member bank's money laundering, terrorist financing, and other illicit finance activity risks;
(ii) Mitigate the state member bank's money laundering, terrorist financing, and other illicit finance activity risks consistent with the risk assessment processes required under paragraph (c)(1)(i) of this section, including by directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the state member bank, rather than toward lower-risk customers and activities; and
(iii) Conduct ongoing customer due diligence, including to:
(A) Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
(B) Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal entity customers, as defined in 31 CFR 1010.230);
(2) Establishes independent AML/CFT program testing to be conducted by bank personnel or by an outside party;
(3) Designates an individual, who is (i) located in the United States, (ii) accessible to, and subject to oversight and supervision by, FinCEN and the Board, and (iii) responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance; and
(4) Establishes an ongoing employee training program.
(d) AML/CFT program implementation. A state member bank implements an AML/CFT program in accordance with this paragraph if the state member bank implements, in all material respects, the AML/CFT program required under paragraph (c) of this section.
(e) Written AML/CFT program and approval. A state member bank's AML/CFT program must be written and it must be approved by the state member bank's board of directors, an equivalent governing body within the state member bank, or appropriate senior management within the state member bank.
(f) Customer identification program. Each state member bank shall implement a customer identification program in accordance with 31 CFR 1020.220.
(g) Enforcement and supervision policy.
(1) In general. Except with respect to a significant or systemic failure to implement the AML/CFT program in accordance with paragraph (d) of this section, a state member bank that has established an AML/CFT program in accordance with paragraph (c) of this section will not be subject to an AML/CFT enforcement action or to a significant AML/CFT supervisory action related to the requirements of 12 U.S.C. 1818(s), 31 U.S.C. 5318(h)(1), this section, or 31 CFR 1020.210.
(2) Program establishment violations. Nothing in this paragraph (g) may be construed to restrict an AML/CFT enforcement action or a significant AML/CFT supervisory action with respect to any failure to establish an AML/CFT program in accordance with paragraph (c) of this section.
(3) Criminal Enforcement Unaffected. Nothing in this paragraph (g) may be construed to affect criminal enforcement under the BSA.
(h) Severability.
The provisions of this section are separate and severable from one another. If any provision of this section is held to be invalid, or the application thereof to any person or circumstance is held to be invalid, such invalidity shall not affect other provisions, or application of such provisions to other persons or circumstances, that can be given effect without the invalid provision or application.
By order of the Board of Governors of the Federal Reserve System.
Benjamin McDonough,
Secretary of the Board.
[FR Doc. 2026-13919 Filed 7-8-26; 8:45 am]
BILLING CODE 6210-01-P