FinCEN’s New AML Rule: What Community Banks Need to Know About the Biggest BSA Change in Decades
FinCEN just dropped the NPRM we’ve all been waiting to see for years. The proposed AML/CFT Program Rule represents the most significant overhaul of Bank Secrecy Act requirements since the original framework was established. And for BSA officers at community banks and credit unions, this isn’t just another regulatory update. It’s a fundamental shift in how we think about compliance.
After years of hearing industry complaints about checkbox compliance and examination inconsistencies, FinCEN is finally addressing the core problems. The proposed rule distinguishes between program design and program implementation, refocuses supervision on effectiveness rather than technical compliance, and gives institutions more flexibility to allocate resources based on actual risk.
The Two-Prong Framework: Establishment vs. Maintenance
The most important change is how FinCEN separates “establishing” a program from “maintaining” it. This distinction matters because it changes how examiners evaluate your AML program.
Establishing your program means designing a risk-based framework with the four required pillars: internal policies and procedures, independent testing, a U.S.-based compliance officer, and ongoing training. You need to keep this framework current as your risk profile evolves.
Maintaining your program means implementing it in all material respects. This is about execution, not design.
This separation should reduce those frustrating examination findings where examiners criticize your program design when the real issue is day-to-day implementation. It also means that if you’ve properly established your program, FinCEN generally won’t take enforcement action unless there’s a significant or systematic failure in maintenance.
Risk Assessment Requirements Become Mandatory
Risk assessments are no longer optional best practices. The proposed rule requires all institutions to have formal risk assessment processes as part of their internal policies and procedures.
Your risk assessment must evaluate money laundering and terrorist financing risks across your business activities, products, services, distribution channels, customers, and geographic locations. You’ll also need to review and incorporate FinCEN’s AML/CFT Priorities as appropriate.
The rule requires updates “promptly upon any change that the financial institution knows or has reason to know significantly changes the institution’s ML/TF risks.” This means your risk assessment can’t be an annual exercise that sits on a shelf. It needs to be a living document that drives your program decisions.
Independent Testing Gets Clearer Guidelines
The proposed rule clarifies what independent testing should actually accomplish. Auditors should assess whether you’ve effectively established, implemented, and resourced your AML program, consistent with your risk assessment. And they shouldn’t substitute their judgment for yours.
This addresses a common problem where auditors impose their own preferences rather than evaluating whether your risk-based approach is reasonable and effective. The rule emphasizes that testing must be conducted by truly independent parties who avoid conflicts of interest, but it preserves flexibility in how you meet this requirement.
FinCEN Takes a Bigger Role in Bank Supervision
The proposed rule introduces a notice and consultation framework that requires federal banking supervisors to give FinCEN’s Director at least 30 days’ advance notice before taking significant AML supervisory actions. This should promote more consistent supervision across different regulators.
When deciding whether to pursue enforcement or supervisory actions, FinCEN will consider factors like whether your bank provides highly useful information to law enforcement and whether you’re using innovative tools like artificial intelligence effectively. This suggests that demonstrating value to law enforcement agencies could provide some protection from enforcement actions.
The proposed rule represents FinCEN’s recognition that the current system often prioritizes compliance theater over actual effectiveness. For community banks that have been struggling with inconsistent examination standards and resource constraints, this shift toward risk-based, effectiveness-focused supervision should be welcome news.
At RiskRator, we’ve built our platform around these same principles, helping community banks focus their limited resources on actual risks rather than checking every possible box. Ready to experience the benefits of a bottom-up, objective risk assessment?



