Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

IFSLeaseWorks is now part of Abrigo.

Diversify your portfolio and earn additional interest income. End-to-end lease origination and administration automation make it possible.

Read the press announcement

Looking for TPG Software? You are in the right place!

TPG Software is now part of Abrigo. You can continue to count on the world-class Investment Accounting software and services you’ve come to expect, plus all that Abrigo has to offer.

Make yourself at home – we hope you enjoy being part of our community.

AML/CFT BSA Rules and Regulation

The new AML/CFT program rule: What it requires & how to prepare

Terri Luttrell, CAMS-Audit, CFCS
May 29, 2026
0 min read

New AML/CFT program rule: What it requires & how to prepare

What the FinCEN proposal means for financial institutions

FinCEN emphasizes risk-based programs and redefines program effectiveness in the proposed rule to combat money laundering and terrorism financing.

 

This article covers these key topics: 

 

NPRM updating AML/CFT program requirements

Financial institutions have been anticipating meaningful Bank Secrecy Act reform for years. With the Financial Crimes Enforcement Network’s (FinCEN’s) proposed new anti-money laundering/countering the financing of terrorism (AML/CFT) program rule, the changes expected of banks and credit unions are now taking shape and will affect how institutions design, resource, and defend their AML/CFT programs.

While the proposed rule is not final, it signals a clear direction to focus on the highest-risk areas. Institutions that begin aligning now will be better positioned to manage risk, demonstrate effectiveness, and respond confidently during exams.

Staying on top of fraud is a full-time job. Let our Advisory Services team help when you need it.

Connect with an expert

 

An intentional focus on risk-based programs

The AML Act of 2020, which amended the Bank Secrecy Act, directed FinCEN to reevaluate and update AML/CFT requirements to enhance program effectiveness, efficiency, and flexibility. It also required that FinCEN integrate its AML/CFT policy priorities into financial institutions’ risk assessments.

The FinCEN proposed AML rule would amend existing regulations and supersede the 2024 Program NPRM, with an effective date of 12 months after the final rule is issued.

At its core, the new AML/CFT program rule reinforces something many institutions already strive for but have struggled to operationalize consistently. Programs must be risk-based, dynamic, and aligned with FinCEN’s national priorities.

FinCEN makes it clear that financial institutions are expected to focus more attention and resources on higher-risk customers and activities while de-emphasizing lower-risk areas. This is a philosophical and structural shift that places the risk assessment process at the center of the entire program.

The risk-based approach gives institutions flexibility, but it also raises expectations. A program that is not clearly tied to identified risks or that cannot demonstrate how resources align with those risks may face increased scrutiny.

 

Required AML risk assessment processes

One of the most significant elements of the new AML/CFT program rule is the formalization of risk assessment processes as a required and ongoing component of the program.

Rather than relying on a static annual risk assessment, institutions are expected to use multiple processes to identify, assess, and document money laundering and terrorist financing risks across:

  • products
  • services
  • customers
  • geographies
  • distribution channels.

These risk assessment processes must also incorporate evolving inputs such as:

Best practices suggest updates every 12-18 months or when risk changes, not only on a fixed schedule.

For many institutions, this will require a more integrated approach to data, analytics, and internal communication. It may also require revisiting how risk assessment outputs are documented and used to drive decisions across the program.

 

Redefining program effectiveness

The proposed rule introduces an important distinction between establishing a program and maintaining it. Financial institutions must first establish an AML/CFT program that includes required components. Required components of an AML/CFT program include internal controls, independent testing, a designated compliance officer, and training. Once a program is established, the supervisory focus shifts to how financial institutions maintain and implement that program in all material respects.

This distinction matters because it changes how regulators may approach supervisory and enforcement actions. Under the new AML/CFT program rule, significant compliance actions are more likely to focus on systemic or material failures rather than isolated implementation issues, assuming the program is fundamentally sound.

At the same time, institutions are expected to identify and address warning signs such as:

  • backlogs
  • monitoring gaps
  • data issues.

Ignoring these indicators could still lead to supervisory action.

 

Aligning with FinCEN’s AML/CFT priorities

Another central component of the changes regulators are making to the AML/CFT program rule is the requirement that financial institutions review and incorporate FinCEN’s AML/CFT priorities into their programs. These priorities are designed to ensure that institutions address the risks that matter most at the national level.

However, FinCEN emphasizes that this is not a check-the-box exercise. A superficial review of priorities will not meet expectations. Institutions must evaluate how each priority could realistically manifest within their own risk profile and determine where to focus.

Institutions must balance FinCEN’s national priorities with their own risk exposure and clearly document the rationale behind those decisions. Incorporating these priorities into AML/CFT programs strengthens the value of information provided to law enforcement, particularly around threats to the U.S. financial system and national security. In turn, this supports more effective investigations, prosecutions, analytics, and policy decisions tied to AML/CFT priorities.

 

Practical implications of AML/CFT rules for financial institutions

While the final AML/CFT program rule is expected in the near term, implementation timelines may extend several years beyond issuance. Even so, the regulatory direction is clear. Financial institutions should begin preparing now by evaluating whether their current programs:

  • Clearly link risk assessments to controls and resource allocation

  • Incorporate relevant internal and external data sources

  • Address AML/CFT priorities in a meaningful, documented way

  • Identify and respond to operational weaknesses proactively

  • Leverage technology where it enhances effectiveness

As with other major regulatory changes, waiting until final rules are issued can create unnecessary pressure. Early assessment and incremental adjustments can make the transition more manageable.

Preparing for what comes next

The new AML/CFT program rule represents more than a regulatory update. It reflects a broader expectation that AML/CFT programs be demonstrably effective, adaptable, and aligned with real-world risks.

Financial institutions already manage complex compliance responsibilities alongside evolving fraud threats, staffing challenges, and technology decisions. This proposed rule does not reduce that complexity, but it does provide a clearer framework for prioritizing efforts.

Institutions that take a proactive, risk-based approach today will be better positioned to meet those expectations tomorrow while continuing to protect their organizations and the communities they serve.

Find out how Abrigo Fraud Detection stops check fraud in its tracks.

Fraud detection software
Webinar

Soft skills for hard BSA compliance

Read More
Webinar

Bold intelligence: AI’s expanding role in AML & fraud

Read More
Webinar

Telegram fraud exposed: Inside the cybercrime economy fueling financial fraud

Read More
About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.