FinCEN has proposed a new rule, RIN 1506-AB72, that would change how a BSA/AML program is judged. It published on April 7, 2026, and the comment period closed June 9, 2026. It is a proposal, not law. It would set an explicit standard that a program be effective, risk-based, and reasonably designed, make a documented risk assessment a named program component, require programs to account for FinCEN's national AML/CTF priorities, and separate the failure of building a program wrong from the failure of running a sound one badly. Nothing is required today; a final rule would carry roughly a twelve-month runway.
In 2020, Congress told FinCEN to modernize the rule that governs how a BSA/AML program is built and judged. The Anti-Money Laundering Act of 2020 amended the statute at 31 U.S.C. 5318(h) and directed the agency to write the details. In April 2026, FinCEN answered with a proposal: the Anti-Money Laundering and Countering the Financing of Terrorism Program rule, RIN 1506-AB72, published in the Federal Register on April 7, 2026. The comment period closed June 9, 2026.
This is a notice of proposed rulemaking. It is not law. FinCEN now reviews the comments it received and decides what a final rule looks like, and the final rule can differ from the proposal in ways that matter. Nothing below is required today. What follows is what the proposal would change, and how to read each change from the chair an examiner sits in.
What is FinCEN actually proposing?
The proposal replaces the long-standing instruction to maintain an AML program with an explicit performance standard. A program would have to be effective, risk-based, and reasonably designed. The phrase is doing real work. For years the program rule described the parts a program must contain without saying plainly that the parts have to function. The proposed standard says the function is the point, and it gives examiners language to hold a program to that.
Three pieces sit underneath the standard:
- A documented risk assessment process becomes a named program requirement, not an examiner expectation that lived outside the rule.
- The program would have to account for FinCEN's national AML/CTF priorities, the threat list the agency issued in June 2021 and updates over time.
- The rule draws a line between establishing a program and maintaining one, and treats those as different obligations.
The proposal also keeps the familiar program components and pairs them with a stated implementation period: roughly twelve months after any final rule before compliance is expected. If you want the foundation those components rest on, the BSA/AML program pillars guide walks the five-pillar structure this rule sits on top of.
The risk assessment moves inside the rule
Most programs already run a risk assessment. The change is where the obligation lives. Under the proposal, the risk assessment is a component of the program itself, with a process the institution documents and revisits as its risk changes.
Two practical consequences follow. First, the risk assessment has to connect to the national priorities, so a generic enterprise risk write-up that never mentions the threats FinCEN named would read as incomplete. Second, because the process is documented, an examiner can ask to see not only the assessment but how you arrived at it. A conclusion without a method behind it is the kind of gap that surfaces at the worst time.
Built wrong versus run well: establishment and maintenance
The proposal separates two failures that supervision has long collapsed into one. A program that was designed wrong is not the same as a program that was designed right and then run into the ground. The fixes differ. The timelines differ. The accountability differs.
By distinguishing the establishment of a program from its maintenance, the rule gives examiners a way to name which failure happened. That matters for you in a specific way: the evidence you keep should speak to both questions. Design records show the program was built to the institution's risk. Operating records, the alert dispositions and the calibration history and the testing results, show it was actually run.
A defensible program can answer both, with documents, not assertions.
The innovation line, and the open question inside it
The proposal signals that FinCEN will give weight to innovative approaches, including tools that use artificial intelligence, where they demonstrate the effectiveness of the program. For any institution evaluating new monitoring technology, that sounds like an invitation, and it is worth reading slowly.
The load-bearing word is demonstrate. A tool demonstrates effectiveness only if it can be measured against the same objective criteria as the rest of the program: detection coverage against known typologies, the quality of the alerts it produces, and whether it surfaced weaknesses that were then found and fixed. A tool that cannot be measured against those criteria is asserting effectiveness rather than showing it. The proposal does not define the word, which leaves the standard to be settled in examination practice. Until it is, the safe reading for a compliance officer is the strict one: be ready to show how any AI tool is measured, not just that you deployed one. This is the same governance question that AI in a compliance program raises under existing model-risk expectations, which the AI model governance guide covers against SR 11-7.
When would this take effect?
Not now, and not on a fixed date. The sequence is: the comment period closed June 9, 2026; FinCEN reviews comments and issues a final rule on its own timeline; the implementation period the proposal describes runs about twelve months from that final rule. A proposal can change before it is finalized, and the comment record exists precisely to shape it. Treat any specific obligation here as proposed until a final rule prints it.
What to do now
You do not need to change your program to comply with a proposal. You can use the proposal to find out where your program already stands against the direction supervision is moving.
- Read your program against the effective, risk-based, and reasonably designed standard. A program that documents its components but cannot show they work is the gap this rule is written to expose.
- Confirm your risk assessment is documented as a process, not just a finished memo, and that it speaks to FinCEN's national priorities by name.
- Make sure your records answer both the design question and the operating question, so a finding can be placed where it belongs.
- For any AI or advanced tool in your monitoring stack, write down how its effectiveness is measured. If you cannot, that is the work to do before an examiner asks.
Nothing here is law yet. The standard it describes is the one an examiner already carries into the room, whether the final rule prints it or not.
This guide explains a proposed federal rule for general information and is not legal advice. Verify any obligation against the final rule and your own regulator's guidance. Primary sources: FinCEN NPRM, Anti-Money Laundering and Countering the Financing of Terrorism Programs, RIN 1506-AB72 (Federal Register, April 7, 2026); Anti-Money Laundering Act of 2020 (amending 31 U.S.C. 5318(h)); FinCEN National AML/CFT Priorities (June 30, 2021).