Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

The new AML/CFT program rule: Aligning with the FinCEN priorities

Terri Luttrell, CAMS-Audit, CFCS
Michelle M. Lucci, CSS, CRCM
July 9, 2024
Read Time: 0 min

What the rule means for financial institutions

FinCEN aims to get AML/CFT programs to redirect their focus on the highest-risk areas, so banks and credit unions should begin preparing. 

Would you like other articles like this in your inbox?

Proposed NPRM

FinCEN's anticipated AML/CFT program rule

The Financial Crimes Enforcement Network (FinCEN) recently unveiled its Notice of Proposed Rulemaking (NPRM) for AML/CFT programs, federal regulators’ latest move to enhance the integrity and effectiveness of anti-money laundering and countering the financing of terrorism (AML/CFT) efforts.

On June 28, 2024, FinCEN issued the long-awaited Proposed Rule to Strengthen and Modernize Financial Institution AML/CFT Programs. As proposed, the new AML/CFT program rule is intended to redirect AML/CFT programs to focus on the highest-risk areas using innovative techniques with a goals-oriented approach.

Financial institutions should be proactive and develop an implementation plan to ensure they are ready to comply by the effective date. The implementation timeline is six months from the issuance of the final rule, which allows institutions sufficient time to review and apply new requirements.

Codifies expectations

The need to modernize AML/CFT efforts

The proposed rule doesn’t include any real industry surprises, but final rule approval will codify and clarify existing regulatory expectations for financial institutions. Nevertheless, understanding the details will help financial institutions and their AML professionals better prepare for the requirements. Notably, these would include a change to long-standing industry terminology. AML/CFT Officer is expected to replace the title BSA Officer, so financial institutions should prepare for the formalization of this change once the final rule is approved.

The need to modernize AML/CFT programs has been at the forefront of AML professionals' minds for some time. The financial services industry consistently implements new technologies and payment methods to serve its customers better and remain competitive. However, criminals continue to exploit these innovative improvements, seemingly always a step ahead of financial institutions and credit unions to the tune of $3.1 trillion in illicit flow of funds. For many financial institutions, what worked five years ago may no longer be effective.

The AML Act of 2020, which amended the Bank Secrecy Act, directed FinCEN to reevaluate and update AML/CFT requirements to enhance program effectiveness, efficiency, and flexibility. It also required that FinCEN integrate its AML/CFT policy priorities into financial institutions’ risk assessments.

The proposed rule would amend existing regulations to require that programs be effective, risk-based, and reasonably designed so that financial institutions focus resources and attention in a manner consistent with their risk profiles.

Balancing act

Program requirements for financial institutions

The proposed rule clarifies that financial institutions must have an effective, risk-based, and reasonably designed AML/CFT program. This is pivotal to ensuring resources and attention are focused on each financial institution’s unique risks. Program design involves a careful balancing act that considers both higher-risk and lower-risk customers and activities.

To achieve this, the AML/CFT program must be meticulously documented and approved by the financial institution’s board of directors. Such documentation isn't only a formality; if passed as a final rule, it must be readily available to FinCEN upon request. The proposed rule’s requirement that boards of directors not only approve programs but also oversee them emphasizes the importance of top-level governance and a strong culture of compliance. The proposed rule also outlines several measures for ensuring robust and appropriate board AML/CFT program oversight. These include establishing:

  • Governance mechanisms.
  • Clear escalation lines.
  • Clear reporting lines.

Other financial institution requirements include:

  • Establishing a risk assessment process that serves as the basis for the bank’s AML/CFT program.
  • Reasonably managing and mitigating money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls commensurate with those risks and ensuring ongoing compliance with the Bank Secrecy Act (BSA) and the proposed rule.
  • Designating at least one qualified individual to be responsible for coordinating and monitoring day-to-day compliance. The designee(s), referred to as the AML/CFT Officer (formerly known as the BSA Officer), are to:
  • Be adequately trained to ensure and monitor compliance with the BSA and FinCEN's implementing regulations, which will depend on the financial institution’s risk profile.
  • Have the expertise and experience to perform the position’s duties. The actual title is not the most critical aspect of the position, and the proposed rule states that the AML/CFT Officer does not need to be an "officer" of the financial institution. However, for banks and credit unions, this designation is crucial to providing the AML/CFT Officer the authority they are required to have.

The individual's authority, independence, and access to resources within the financial institution are critical. The position should have decision-making capability regarding the program and sufficient stature to ensure the program meets requirements.

  • Including a risk-based ongoing employee training program. Training should focus on areas of risk identified by the risk assessment. Training frequency would depend on the financial institution's risk profile, and the program should include flexibility to recognize employees and non-employees who must be trained on an ongoing basis.

Learn best practices for assessing risk. 
Watch this webinar on the future of risk assessments

Watch Webinar

Formal process

A deeper dive into the AML risk assessment process

A critical component of this framework under the new AML/CF program rule would be the establishment of a risk assessment process (RA process). The RA process must meticulously identify, evaluate, and document the financial institution’s risks related to money laundering, terrorist financing, and other illicit finance activities. The proposed rule says this includes considering the following elements:
  • AML/CFT priorities: The risk assessment process must consider FinCEN’s AML/CFT priorities to ensure that the institution’s risk assessments align with national priorities. This will be a dynamic process as events in the global environment evolve.
  • Business activity risks: The AML risk assessment process must also consider the specific risks associated with the financial institution’s business activities, including:
  • Products
  • Services
  • Distribution channels (defined as the methods and tools through which a financial institution opens accounts and provides products or services)
  • Customers
  • Intermediaries, and
  • Geographic locations (including IP addresses and device logins).
Including distribution channels in the risk assessment process is a new requirement. Intermediaries refer to the variety of financial relationships beyond customers and counterparties that allow activities by, at, or through the institution.
  • Regulatory reporting: The risk assessment process must include reviewing and evaluating reports filed by the financial institution (such as SARs, CTRs, and Form 8300) to ensure compliance with regulatory requirements. This analysis can assist in identifying known or detected threat patterns or trends to incorporate into the risk assessment.
The risk assessment process is not static, according to the proposed rule, although it did not specify a frequency for updates. Once finalized, the new AML/CFT rule would require periodic updates, particularly when there are material changes to the financial institution’s risk profile related to money laundering, terrorist financing, or changes to the FinCEN national priorities. This expectation for ongoing assessments requires current, complete, and accurate information to ensure that the financial institution’s AML/CFT program remains responsive and effective in addressing emerging risks.


Integrating FinCEN’s priorities into compliance

Integrating FinCEN’s AML/CFT priorities into financial institutions' compliance frameworks is a central requirement of the changes regulators are making.

Specifically, the proposed rule directs financial institutions to incorporate the priorities into their AML risk assessment processes. These FinCEN priorities highlight significant threats to the U.S. financial system and national security and aim to ensure institutions focus on the most pressing risks.

As noted above, institutions should regularly update their risk assessments to reflect these most current priorities. Doing so, FinCEN says:

  • Enhances program effectiveness: Financial institutions should develop robust internal mechanisms to evaluate how well their programs align with these priorities and adjust their strategies accordingly. Aligning their AML risk assessments with FinCEN priorities will help institutions better identify and address critical risks and direct resources to the most significant threats.
  • Supports law enforcement and national security: Financial institutions should establish strong communication channels with regulators and law enforcement partners to ensure their reports and information are helpful and timely. Institutions provide valuable information to law enforcement and national security agencies, and updating risk assessments to current priorities aids in identifying and prosecuting illicit activities, strengthening national security.
  • Promotes a risk-based approach: Financial institutions should build flexible frameworks that allow them to reallocate resources as their risk profiles change. Priority-focused updates help manage risks and resources effectively, ensuring compliance efforts are proportionate to the level of risk.
  • Ensures regulatory consistency: Financial institutions should strive for consistency in their internal policies and procedures, ensuring all departments and branches adhere to the same standards. Standardizing how institutions incorporate FinCEN priorities reduces variability in compliance practices and enhances the coherence of the AML/CFT regime.
  • Promotes responsiveness to evolving risks. Financial institutions should set up a schedule for regular reviews and updates of their AML/CFT programs, ensuring they stay current with regulatory changes. The AML Act mandates that the FinCEN priorities are updated at least every four years to reflect emerging threats.


Other critical components

In addition to the above, the proposed rule introduces several vital components to enhance AML/CFT compliance:

  • Encouragement of innovation: Automated transaction monitoring and fraud detection systems can significantly improve the detection and prevention of illicit activities. The proposed rule encourages institutions to explore new technologies, such as machine learning and artificial intelligence, to enhance their AML/CFT efforts.
  • Responsibility of U.S. Persons: The duty to establish, maintain, and enforce AML/CFT programs must rest with individuals in the United States who are accessible to and subject to oversight by FinCEN and federal regulators. This ensures accountability within the U.S. jurisdiction. Institutions should review their staffing and operational structures to ensure compliance with this obligation.
  • Global operations and third-party providers: FinCEN recognizes that institutions may have AML/CFT staff and operations outside the U.S. or may delegate tasks to third-party providers abroad. Institutions must ensure these arrangements comply with U.S. oversight requirements. Institutions should conduct thorough due diligence on third-party providers and establish clear oversight mechanisms.
  • Modernization and clarification of program rules: Updates include renumbering provisions, updating statutory references, and removing outdated compliance dates. Specific updates address the use of automated systems for casinos and MSBs, reflecting a risk-based approach similar to other financial institutions. Institutions should stay informed about these changes and update their internal documentation accordingly.

Actions for banks & credit unions

Practical implications for financial institutions

Financial institutions will need to undertake several actions to comply with the proposed rule in anticipation of the final AML/CFT program rule:

  • Incorporate FinCEN Priorities: Financial institutions must integrate FinCEN’s AML/CFT priorities into their risk assessment processes, ensuring alignment with national security objectives and regulatory requirements. This includes setting up regular reviews and updates to ensure ongoing compliance.
  • Enhance risk assessments: Financial institutions should refine their AML risk assessment processes to consider the most current threats and adjust their AML/CFT programs accordingly. This may involve adopting new technologies or methodologies to identify better and assess risks.
  • Update internal policies and controls: Internal policies, procedures, and controls must be revised to reflect the results of risk assessments and ensure they are commensurate with the institution’s risk profile. Institutions should conduct a comprehensive review of their internal controls and make necessary adjustments.
  • Leverage technology and innovation: Financial institutions are encouraged to adopt new technologies and innovative approaches to enhance the effectiveness and efficiency of their AML/CFT programs. This might include implementing machine learning algorithms for transaction monitoring or using blockchain technology for better transparency and traceability.
  • Ensure U.S. accountability: Institutions with global operations must ensure that U.S.-based individuals are responsible for AML/CFT compliance and accessible to oversight by FinCEN and relevant regulators. This may involve reassigning responsibilities or setting up new roles to ensure compliance.
  • Prepare for BOD approval and oversight: AML/CFT programs must be approved and overseen by the institution’s board or an equivalent governing body, ensuring robust governance and accountability. Institutions should establish clear reporting lines and governance structures to support this requirement.


The new AML/CFT rule proposed by FinCEN enhances financial institutions' ability to detect, prevent, and mitigate illicit financial activities by aligning program efforts with national AML/CFT priorities, promoting technological innovation, and ensuring consistent and effective compliance practices.

The wait for this proposed rule was longer than expected, and financial institutions may find that their AML/CFT program already meets the new requirements. If they haven’t already done so, financial institutions should take proactive steps to integrate these requirements into their AML/CFT programs to ensure they remain responsive to evolving threats and aligned with national security objectives. Through these efforts, institutions can better safeguard the financial system and contribute to the broader goal of preventing money laundering and terrorism financing.

Comments are due September 3, 2024, and can be submitted here.

Note: ChatGPT was used to analyze and summarize the 178-page proposed rule and create an outline for this blog. Subject-matter experts reviewed and revised the summaries as appropriate.




Need help with AML/CFT risk assessments?
Download this checklist and meet regulatory requirements.

Download for Banks Download for credit unions
About the Authors

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

Full Bio

Michelle M. Lucci, CSS, CRCM

Regulatory Compliance Director
Michelle Lucci, Abrigo’s Regulatory Compliance Director, has over 30 years of banking experience and is a Certified Sanctions Specialist (CSS), a Certified Regulatory Reporting Manager (CRCM) and a Certified Anti–money Laundering Specialist (CAMS). Prior to joining Abrigo, she served as a Commissioned FDIC Bank Examiner for both Risk Management and Consumer Compliance in the New York and Atlanta FDIC regions, acted as Examiner-In-Charge

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.