The US Federal Reserve is signalling a fundamental shift in AML/CFT compliance, moving away from ‘check-the-box’ requirements toward a model of risk-based efficacy. For supervised banks, the focus is shifting from the volume of paperwork to the ability to demonstrate a dynamic operational model that evolves alongside real-world risk. Rohini Gupta, CEO of FinregE, reports.
The Federal Reserve has issued an important update on Bank Secrecy Act (BSA) compliance. On July 9, 2026, its Board of Governors issued a Notice of Proposed Rulemaking that would change the approach used by supervised banks to develop and maintain successful Anti-Money Laundering and Countering Terrorism Financing (AML/CFT) programmes.
In compliance with the Anti-Money Laundering Act of 2020 (AML Act), and in cooperation with FinCEN, this plan will shift the emphasis from “checking boxes” to risk-based efficacy. Compliance teams need to begin evaluating the effect, with comments due September 8, 2026.
Treasury Secretary Scott Bessent framed the policy direction as moving away from the “volume of paperwork” and toward stopping illicit finance threats.
So, for compliance leaders, the question is not: “Do we have an AML policy?”
It is: “Can we demonstrate that our AML/CFT operating model understands our current risks, prioritises the right activity and keeps pace with how the business evolves?”
What the Federal Reserve is proposing
The proposed amendment to 12 CFR Part 208 would cover institutions under the supervision of the Board, such as state member banks, Edge and agreement corporations, and certain foreign bank operations in the US. The key proposal is that a supervised bank should have in place and maintain an effective AML/CFT programme that is reasonably designed to identify, assess and mitigate illicit finance risk.
- A risk-based programme of internal policies, procedures and controls – These must be reasonably designed to ensure compliance with the BSA, identify and document ML/TF risk, mitigate those risks and support ongoing customer due diligence.
- Risk assessment processes – These should consider the bank’s business activities, products, services, distribution channels, customers and geographic locations; review and incorporate AML/CFT Priorities where appropriate; and be updated promptly when the bank knows, or has reason to know, that its risk has significantly changed.
- Independent programme testing – Testing must be part of the AML/CFT programme, but the proposal is designed to avoid examiners or auditors substituting subjective judgement for a reasonably designed risk-based programme.
- A designated AML/CFT individual in the United States – The designated person must be subject to the supervision and oversight of FinCEN or its designee and the Federal Reserve and be available to them.
- Ongoing employee training – Training remains a core pillar, but under the proposal it should remain aligned with the bank’s current risk profile rather than being treated as a static annual exercise.
The real shift: from static compliance to dynamic AML governance
The difference between starting and sustaining an AML/CFT program is crucial. Determining if the bank has the appropriate policies, controls, risk assessment procedures, testing, ownership, and training is the design question. The operational inquiry is, “Is that program implemented in all material respects?”
The conversation is altered by that distinction. A bank may place a lot of emphasis on whether it can demonstrate a policy, procedure, training record or audit trail under a typical compliance approach. The bank must also demonstrate how these artefacts relate to real risk choices and daily operations to adopt an effectiveness mentality.
For example, if a bank launches a new product, enters a new market, changes onboarding channels, adopts a new payment mechanism or begins serving a fundamentally different customer type, the AML/CFT program cannot be stopped. Risk assessment, controls, monitoring logic, training and escalation procedures may all have to evolve alongside the business.
- The risk assessment becomes an ongoing supervisory record.
The proposal doesn’t require all banks to keep a single consolidated risk assessment document. Flexibility is important. However, it also implies that banks require a consistent body of evidence demonstrating how risk is discovered, assessed, documented and refreshed throughout the AML/CFT process. In practice, examiners will look for a cohesive story involving business change, risk assessment, control calibration, monitoring, testing, issues and remedy.
- Resource allocation needs to be explainable.
A risk-based programme is more than just a programme that flags some clients as high-risk. It is a programme in which attention and resources are clearly focused on higher-risk consumers and operations. This raises a governance challenge. Banks will have to demonstrate why particular areas receive extra monitoring, review, testing or senior oversight, while lower-risk sectors receive proportionate treatment.
- AML/CFT Priorities becomes board and management considerations
The plan requires banks to assess and, where applicable, implement the AML/CFT Priorities. The phrase “where appropriate” is significant because not every priority will apply equally to all banks. However, a superficial review is not going to be sufficient. Boards and senior management should require a documented justification that explains which priorities are important, how they show in the bank’s risk profile and what control response is appropriate.
- Technology adoption becomes part of the efficacy discussion
The idea does not require banks to deploy AI or any specific technology. However, it acknowledges that innovation can help combat financial crime more effectively. This provides a realistic chance for banks to assess whether old rules, manual processes and fragmented data flows are still appropriate for their risk profile. Responsible usage of machine learning, generative AI, graph analytics, digital identification, blockchain monitoring and APIs may become more important as they enhance risk detection, triage, explainability and auditability.
- Supervisory materiality may minimise noise, but not accountability
The proposal proposes that, after a bank has properly created an AML/CFT program, major supervisory or enforcement action should focus on significant or systemic failures. This should not be interpreted as a reduction of expectations. Instead, it is a more precise accountability model: minor technical difficulties should not be given the same weight as material control failures, but gaps that limit the bank’s capacity to implement the programme in practice will be problematic.
A practical readiness checklist for compliance leaders
- Map your current AML/CFT programme against the proposed establishment and maintenance framework.
- Ensure that your risk assessment methods are current, documented and connected to business change.
- Determine how FinCEN AML/CFT Priorities affect your customers, products, geography and channels.
- Assess monitoring, due diligence, QA and governance for higher-risk activities to ensure adequate attention and resources are allocated
- Evaluate whether independent testing findings result in program design changes, not merely issue resolution.
- Verify that the designated AML/CFT owner is properly placed, accessible and empowered.
- Prioritise explainability, auditability, data quality and control ownership when evaluating technological prospects, rather than solely focusing on AI adoption.
- Conduct a board-level impact assessment by the September 8, 2026, comment deadline.
Conclusion: AML effectiveness will be judged through operating evidence
The Federal Reserve’s 2026 proposal should be interpreted as a signal that AML/CFT compliance has entered a new phase. The future programme will not be evaluated based on whether it has more documentation than the previous edition. It will be determined whether the bank can demonstrate, through evidence, that it understands its risks, allocates resources proportionally, keeps its programme current and implements it in the areas that are most important.
Banks have the option to exploit this suggestion as a stimulus. The institutions that respond best will not merely change their AML policy wording. They will develop an AML/CFT operational model that is dynamic, defendable and linked to the actual movement of regulatory, customer and transaction risk.
How FinregE can help
The proposal reinforces the need for a regulatory compliance operating model that can connect regulatory change, risk assessment, controls, policies, evidence and governance.
FinregE’s AI-powered platform is designed for precisely this kind of regulatory agility:
- Dynamic Horizon Scanning: Automatically ingest Federal Register updates, FinCEN priorities and global regulatory changes in real time.
- AI-Powered Impact Assessment: Our Regulatory Insights Generator (RIG) immediately compares proposed laws to your current policies, identifying gaps in your risk assessment process before they become enforcement concerns.
- End-to-End Traceability: Maintain a complete audit trail from regulatory signal to obligation extraction, policy update and control testing. Demonstrate to examiners that your program is not only established but actively maintained.
- Workflow Governance: Assign responsibility, track implementation dates and manage the “human-in-the-loop” review procedure mandated by the new US-personnel guideline.
Book a demo to learn how FinregE can assist your team transform AML/CFT regulatory changes into structured obligations, mapped controls and evidence-ready implementation.


