US regulators have just redefined what a compliant AML/CFT programme looks like. The standard has moved from ‘documented’ to ‘evidenced.’
For years, AML/CFT compliance has been largely a design exercise. Build a programme. Document the policies. Train the staff. File the SARs. Tick the boxes. Pass the exam. That era is ending.
On April 10, 2026, US regulators released a set of proposed AML/CFT reforms that could have a big impact on how businesses build, keep up, and show that their compliance frameworks are working. FinCEN proposed a broad rule that would apply to many types of financial institutions. The OCC, FDIC, and NCUA (collectively called The Agencies) also made a proposal for banks that would be in line with FinCEN’s approach. The deadline to comment on both the proposals is June 9, 2026.
This isn’t just an update on the technology. The proposals show that regulators expect things to change in a more basic way. The message is clear in both notices: AML/CFT programs should work, be based on risk, be updated often, and focus on high-risk activities instead of being too focused on technical compliance or low-value procedural burden.
The two-prong test that will define every future examination
The regulatory architecture here matters — because firms across multiple institution types must track both proposals as parts of the same coherent package, not as independent rulemakings.
FinCEN’s proposal is the wider instrument. It governs all eleven categories of financial institution under the Bank Secrecy Act: banks, money services businesses, broker-dealers, mutual funds, insurance companies, casinos, futures commission merchants, precious metals dealers, credit card operators, loan or finance companies, and housing GSEs. At roughly 98% small business representation, the scope reflects a deliberate attempt to set a universal effectiveness standard across a fragmented industry.
The Agencies’ proposal — covering the approximately 8,100 banks, savings associations and federally insured credit unions supervised by the OCC, FDIC and NCUA — adds bank-specific precision. Most consequentially, it formalises the distinction between failing to establish an AML/CFT programme and failing to implement one in all material respects. That distinction will shape supervisory and enforcement actions for years to come.
FOR BANKS SPECIFICALLY
Dual compliance obligations apply. Your institution must navigate both FinCEN’s Title 31 AML/CFT programme rule and your primary federal banking regulator’s separate compliance rules — both proposed simultaneously and designed to remain consistent, but requiring parallel monitoring and mapping. The comment deadline for both proposals is 9 June 2026. Treat them as one reform package.
What is changing and why it matters more than you think
To understand these proposals, compliance leaders need to move past the headline obligations and interrogate the underlying philosophy. What is changing is not the list of programme components. It is the standard those components must meet.
Previous AML/CFT frameworks placed emphasis on structural adequacy. Do you have written policies? Is your compliance officer designated? The new framework asks fundamentally different questions:
- Does your programme reflect your real risk profile — not the one documented two years ago?
- Are you directing resources proportionately toward higher-risk customers and activities — with evidence to show it?
- Can you demonstrate — not just assert — that your controls are working in practice, not just on paper?
- When your business changes, does your programme change promptly to match?
From structural compliance to evidenced effectiveness
The proposals make explicit that an AML/CFT programme must be not only established, written, approved, implemented but also maintained through implementation in all material respects. That shifts the compliance standard from a snapshot (what your programme says) to a motion picture (what your programme does, over time, in practice). The documentation is no longer the destination. It is the starting line.
Risk assessment becomes the centre of gravity
Under the proposed framework, risk assessment is no longer a supporting document. It is the foundation upon which the entire programme must be built, continuously updated, and evidenced. Firms must identify, evaluate, and document ML/TF risks across business activities, products, services, customer types, intermediaries, distribution channels, and geographic exposure and must update those assessments promptly when the risk profile changes materially.
That word ‘promptly’ is not decorative. A firm launching a new product, entering a new market, or seeing material shifts in its customer base cannot wait for the annual review cycle. The framework expects the compliance programme to move with the business.
Genuine risk-based resource allocation
Both proposals reinforce that AML/CFT programmes must allocate compliance effort in proportion to risk. Higher-risk customers and activities should receive commensurately greater attention. In practice, this requires documented visibility into where risk exposure is concentrated — and evidence that resource allocation decisions reflect that analysis. For many compliance functions, that level of evidenced proportionality does not yet exist.
The establishment versus implementation distinction — and why it matters for banks
For banks, the Agencies’ proposal creates a clearer and consequential line between design failure and execution failure. Where a programme is credibly designed but operationally deficient, supervisory response should target material and systemic failures — not minor or technical ones. This creates protection for firms with well-designed programmes and raises the stakes for those whose programmes exist primarily on paper. Regulators are signalling that they know the difference.
What the best compliance teams are doing right now
The comment period closes 9 June 2026. The final rule is not yet published. But the direction of travel is clear enough that waiting for finalisation before beginning internal assessment is a strategic mistake — one that turns a 12-month implementation window into a six-month sprint.
Impact assessment
Understand which elements of your existing AML/CFT programme need to be redesigned, updated, or evidenced more robustly. Not all changes are structural. Some are about documentation quality. Others are about governance linkage. The analysis needs to be institution-specific and granular.
Risk assessment refresh
Does your current risk assessment process meet the proposed standard? Does it cover all required dimensions – business lines, products, customer types, distribution channels, geography? Is it directly connected to your control environment? Is there a documented process for updating it when risk profile shifts materially?
Resource allocation review
Can you demonstrate, not just assert that compliance effort is proportionate to risk? Do your monitoring, due diligence, and escalation processes reflect the risk hierarchy you have documented? If a supervisor asked for evidence tomorrow, what would you show them?
Implementation traceability
Can you answer when a regulator asks how a regulatory obligation was identified, interpreted, assigned, remediated, and evidenced? Is that information in a single, auditable trail, or scattered across email chains, shared drives, and spreadsheets that no-one has reconciled?
The conventional approach will not get you there in time
When a major regulatory proposal lands, most compliance teams do the same thing. Someone downloads the Federal Register notice. A working group is formed. A spreadsheet is built. Obligations are manually extracted and assigned to owners. Gap analysis happens in parallel email threads. Weeks pass. By the time you have a coherent picture of what needs to change, you have consumed a month of SME time and produced something that is already out of date.
That approach is slow, error-prone, and — for a reform of this structural significance — genuinely dangerous. These proposals do not ask you to update a policy. They ask you to demonstrate that your entire compliance architecture is calibrated to your institution’s documented risk profile, continuously maintained, and evidenced end-to-end. A spreadsheet is not built for that. Neither is email.
Without FinregE | With FinregE |
Download 90+ pages of Federal Register text and begin manual extraction | AI RIG processes both NPRMs, extracts obligations by institution type and topic, and delivers structured, queryable intelligence in hours |
Build a gap analysis spreadsheet that captures obligations but cannot link them to existing controls, policies, or evidence | RIGMAPS maps proposed requirements against your existing programme — identifying full gaps, partial gaps, and areas of alignment with suggested remediation language |
Send email chains to business line owners asking whether products or services have changed; wait weeks for responses | Obligation tracking and horizon scanning flag risk assessment triggers automatically when business or regulatory changes occur |
Produce a gap assessment report that shows what needs to change, but provides no traceable pathway from obligation to evidence | Every obligation is linked to a mapped control, an implementation action, an owner, a deadline, and an evidence record — creating the audit trail examiners will look for |
Compress implementation into the weeks before the compliance date, with senior management asking for progress reports that take days to compile | Management reporting is generated continuously from the implementation workflow — no separate reporting effort required |
Turning regulatory complexity into implementation confidence
This is where the right technology changes the compliance equation — not as a shortcut, but as the enabler of the structured, evidenced, repeatable compliance operation that this new standard demands.
FinregE is built precisely for regulatory moments like this: when a significant development lands and compliance teams need to move quickly from reading the rule to understanding its implications, mapping it against existing frameworks, assigning ownership, and tracking implementation to evidenced closure — with a full audit trail at every stage.
The difference between a compliance team with FinregE and one without is not the quality of their lawyers or the rigour of their intent. It is the speed, structure, and traceability with which they convert regulatory complexity into operational action.
From regulatory text to structured obligation in minutes, not hours
The proposed rules run to thousands of words across two interconnected documents. FinregE’s AI RIG (Regulatory Insights Generator) ingests both proposals and extracts structured obligations — identifying scope, applicability, affected business lines, required actions, and key deadlines. What typically takes compliance teams two to three weeks of senior SME time completes in a fraction of that, with greater consistency and completeness. That is the starting point for everything that follows.
Gap analysis that is specific to your institution, not a generic checklist
These proposals raise the bar on existing programmes. FinregE’s RIGMAPS maps incoming regulatory requirements against a firm’s existing internal policies, procedures, risks, and controls — identifying where requirements are fully met, partially met, or absent. For the risk assessment obligations in these proposals specifically, RIGMAPS surfaces whether current frameworks cover all required dimensions, and where documentation, governance, or control linkage needs to be strengthened. The result is a prioritised, institution-specific remediation agenda.
Connecting risk profile to programme design, with documented evidence
One of the most demanding aspects of the proposals is the requirement for demonstrable alignment between documented risk assessments and actual programme design. Firms must show that where they identified higher risk, they built proportionately stronger controls. FinregE supports that linkage, connecting risk assessment outputs to obligations, control mappings, and governance decisions in a single structured workflow. The connection is visible, documented, and auditable.
Implementation tracking from obligation to evidenced closure
The establishment versus implementation distinction is ultimately an evidencing challenge. FinregE tracks every stage of the implementation lifecycle, from initial regulatory interpretation through assigned actions, completed remediation, supporting evidence, and sign-off in a single auditable record. When a supervisor asks whether a requirement was implemented in all material respects, the answer is in the platform. Not in a folder. Not in someone’s inbox. In the platform.
Compressing the front end of the compliance lifecycle
The 12-month transition window will compress quickly when layered against other regulatory priorities and business-as-usual demands. FinregE eliminates the most time-intensive phase: reading, interpreting, extracting, mapping, and assigning, freeing capacity for genuine remediation and programme enhancement. Firms using FinregE do not just implement faster. They implement better, with the documentation to prove it.
What firms should be doing and when
The proposals are detailed enough to warrant immediate internal impact assessment. Do not wait for finalisation. Critical actions should start now.
Required Action | Owner | By When | Priority |
Read both NPRMs in full; confirm institution-type applicability | CCO / Regulatory Affairs | Within 2 weeks | Critical |
Gap assessment: establish/implement framework vs current programme | AML/CFT Officer, Compliance, Audit | By 15 May 2026 | Critical |
Evaluate risk assessment processes against new requirements | AML/CFT Officer, Risk | By 15 May 2026 | Critical |
Assess AML/CFT officer US-residency and authority sufficiency | CEO, CHRO, AML/CFT Officer | By 15 May 2026 | High |
Prepare and submit comment letter on areas of concern | Legal, Regulatory Affairs, Senior Mgmt | By 9 Jun 2026 | High |
Review resource allocation: higher-risk vs lower-risk areas | AML/CFT Officer, Business Lines, Risk | By 30 Jun 2026 | High |
Map AML/CFT priorities into risk assessment documentation | Compliance Team | By 30 Jun 2026 | High |
Review CDD processes for alignment to internal controls pillar | Compliance, Operations | By 31 Jul 2026 | Medium-High |
Stress-test independent testing for sufficiency and true independence | Internal Audit, CAE | By 31 Jul 2026 | Medium-High |
Develop board/senior management programme approval process | Board Secretary, AML/CFT Officer, Legal | By 31 Aug 2026 | Medium-High |
Evaluate AI/ML options for AML/CFT programme enhancement | Technology, Compliance, Risk | By 30 Sep 2026 | Medium |
Build 12-month implementation plan against final rule publication | Programme Mgmt, Compliance | On final rule pub. | High |
Train staff on establish vs maintain and risk-based allocation | L&D, AML/CFT Officer | Before compliance date | High |
For banks: establish FinCEN consultation process | Legal, Regulatory Affairs | Before compliance date | Medium-High |
Update written AML/CFT programme documentation fully | AML/CFT Officer, Legal | Before compliance date | Critical |
The firms that win this are already moving
The April 2026 proposals from FinCEN and the federal banking agencies are not a technicality. They represent a deliberate, coordinated shift, away from structural box-ticking and toward something more demanding: programmes that demonstrably work, that move with the business, and that can be evidenced to a supervisor in real time.
The comment period closes 9 June 2026. The 12-month implementation clock begins when the final rule is published. But the firms that will navigate this most effectively are not waiting for either of those dates.
They are starting now. Assessing their current programmes against the proposed standard. Identifying where design is credible and where evidencing is weak. Building the operational infrastructure to turn regulatory text into structured, tracked, auditable implementation.
Regulators have changed the question. They are no longer asking: do you have a programme? They are asking: can you prove it works? FinregE is built to answer that question.
Ready to see how FinregE handles AML/CFT reform?
See how AI RIG and RIGMAPS can take your team from regulatory text to evidenced, auditable implementation; faster, with zero ambiguity.
