FinCEN Proposal Shifts AML Focus to Real Risk, Not Checklists

Money laundering has often been glamorized by the entertainment industry. The crime has been central to the plots of TV shows and movies ranging from “Ozark”, a Netflix show in which financial advisor Marty Byrd agrees to launder money for a murderous Mexican drug cartel, to “The Laundromat”, a 2019 movie that focuses on the Panama Papers scandal.On April 7, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a proposed new rule that would fundamentally change how community financial institutions (CFIs) design and run their anti-money laundering and countering the financing of terrorism (AML/CFT) programs. According to FinCEN, the goal of the proposal is to modernize the nation’s AML/CFT regulatory and supervisory framework in order to reduce the compliance burden on CFIs. In announcing the proposed new rule, Secretary of the Treasury Scott Bessent stated:  “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats. Our proposal restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.”Moving Away From “Box Checking”The proposed new rule would move away from “box checking,” instead focusing on making sure financial institutions’ AML/CFT programs are actually working based on each institution’s real risks. It would reinforce the Treasury’s belief that CFIs are best positioned to identify and evaluate their own risks while empowering them to devote more attention and resources to higher risks.In addition, it would clarify the Treasury’s expectations related to certain program requirements and functions (including independent testing and audit functions) to ensure that examiners and auditors do not substitute their subjective judgment in place of CFIs’ risk-based and reasonably designed AML/CFT programs.One of the key changes of the proposed rule is a clearer definition of the word “effective.” Currently, the AML/CFT rules focus on having the required program pieces in place (such as policies, a BSA officer, training, and independent testing) and being “reasonably designed” to follow the law. The word “effective” is used, but its meaning is not spelled out in the regulation; instead, it mostly lives in guidance and exam manuals.The proposed rule defines a program as “effective” when it is built around a CFI’s actual risks and helps the institution find, investigate, and report suspicious activity that matters. It also distinguishes between deficiencies stemming from program design and those stemming from program implementation.Risk-Based and “Effective”Under the proposed rule, AML/CFT programs must be risk-based and “effective,” not one-size-fits-all. Higher-risk areas should receive more attention and resources, while lower-risk areas should receive less.A written risk assessment will become a core requirement for CFIs. This assessment should spell out what the institution’s specific AML/CFT risks are (by products, services, customers, and geographies) and demonstrate how the institution considered FinCEN’s national AML/CFT priorities. Examiners are being asked to focus on how well the overall AML/CFT program works and whether there are significant weaknesses, instead of small technical mistakes that might have been made. This is a positive development for CFIs.The proposal recognizes that CFIs know their customers and markets better than anyone, and this local knowledge can and should be used in risk assessment and monitoring. Expectations should be scaled to the size and risk of each CFI.How To Prepare for the RuleEven if your AML/CFT program is in good shape, you may need to tighten up how you explain and document the program, including how you took FinCEN’s AML/CFT priorities into account. It may be a good idea to write down how your local knowledge (e.g., long-standing relationships, small-town context, understanding of local businesses) influences your risk ratings and decisions about when to monitor and investigate more or escalate.Also, make sure your policies, procedures, and board or senior management materials clearly show how the AML/CFT program is designed (the “establishment” piece) and carried out on a day-to-day (the “maintenance” piece) basis. Be prepared to walk examiners through the areas you consider to be lower risk (and why), as well as how this allows you to devote more time and resources to higher-risk areas for your CFI.An All-Encompassing RuleNote that the AML/CFT proposal is a draft rule that’s not yet final. If it is finalized, the rule would apply to financial institutions of all sizes, including CFIs. Institutions will likely have at least one year from the date the rule is finalized to comply.FinCEN welcomes public comment on the proposed new rule until June 9, 2026, at https://www.regulations.gov.