A recently issued notice of proposed rulemaking (NPRM), jointly developed by the U.S. Department of the Treasury, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., and the National Credit Union Administration in coordination with the Financial Crimes Enforcement Network (FinCEN), signals a potentially significant shift in how anti-money laundering (AML) and countering the financing of terrorism (CFT) programs will be evaluated. While the proposal does not fundamentally rewrite existing AML requirements, it significantly reframes supervisory expectations by placing greater emphasis on whether a financial services organization’s AML/CFT program can effectively identify, manage, and address illicit finance risk in practice. That distinction could carry substantial operational implications for financial services organizations of all sizes.
As regulators place greater emphasis on program effectiveness, organizations might need to reassess whether current risk assessments, transaction monitoring frameworks, governance structures, escalation processes, and internal testing programs are sufficiently aligned with an outcomes-focused supervisory model. Preparing for a potential final rule could require organizations to strengthen the connection between identified risks and operational controls, improve the quality and usefulness of suspicious activity reporting, enhance governance reporting regarding program effectiveness, and evaluate whether existing staffing, data, and technology capabilities are adequate to support evolving regulatory expectations.
Historically, AML compliance has been evaluated largely through the lens of process. Financial services organizations have focused on maintaining documented policies and procedures, implementing transaction monitoring systems, conducting periodic risk assessments, and evidencing ongoing testing and review. The proposed rule would not eliminate those foundational expectations, but it would recalibrate how regulators assess whether an AML/CFT program is effective. Under the framework outlined in the NPRM, financial services organizations would be expected to demonstrate that controls exist and that those controls meaningfully identify, manage, and mitigate illicit finance risk. The proposal reflects a broader shift toward outcomes-based supervision, and regulators seem to be signaling that technical compliance alone might not satisfy supervisory expectations if a program fails to identify suspicious activity or produce information that is useful to law enforcement and national security agencies.
Regulators might increasingly evaluate AML/CFT programs based on operational effectiveness rather than procedural completeness alone. Financial services organizations with extensive written policies and sophisticated monitoring tools could face scrutiny if those controls generate low-value alerts, fail to identify elevated risks, or produce suspicious activity reports with limited investigative utility. As a result, banks and other financial services organizations might need to reassess how AML/CFT effectiveness is measured internally by developing governance, testing, and reporting frameworks that better demonstrate how compliance activities support risk identification, escalation, and investigative outcomes. That assessment could include refining risk assessment methodologies, optimizing alert calibration and escalation processes, and improving the quality and usefulness of suspicious activity reporting.
The proposed rule places significant emphasis on the role of the AML/CFT risk assessment by elevating it from a periodic compliance exercise to a core component of program governance and operational decision-making. Under the NPRM, financial services organizations would be expected to maintain risk assessments that are updated regularly and responsive to material changes in the organization’s business activities, customer base, products, services, and geographic exposure. Additionally, the proposal suggests that risk assessments should directly inform the design and calibration of monitoring systems, customer due diligence processes, and broader resource allocation decisions across the AML/CFT program.
The operational implications could be significant. Regulators might increasingly evaluate whether identified risks lead to meaningful and timely adjustments in controls, oversight, and resource allocation rather than remain confined to periodic risk assessment documentation. As a result, financial services organizations might need to better integrate risk assessments into day-to-day compliance operations, strengthen governance of emerging risks, improve links between risk findings and monitoring decisions, and establish more responsive processes for updating controls as products, services, and risk profiles evolve.
One of the more consequential aspects of the proposal is the distinction it draws between establishing an AML/CFT program and maintaining an effective one over time. The NPRM makes clear that a program that is well designed on paper could still draw supervisory criticism if it is not properly implemented, updated, or aligned with the organization’s evolving risk profile. In particular, the proposal suggests that AML/CFT programs that fail to adapt to changes in products, services, customer activity, geographic exposure, or emerging threats could be viewed as ineffective, even when foundational program components remain in place.
The proposal reinforces the need for AML/CFT compliance to function as an ongoing, adaptive control environment rather than a static set of policies and procedures. Financial services organizations might face increased scrutiny regarding how quickly and effectively AML/CFT controls are updated in response to business changes, new product offerings, acquisitions, or shifts in customer behavior. As a result, organizations could need more agile change management processes, stronger coordination between business and compliance functions, and clearer governance frameworks for assessing how strategic decisions affect AML/CFT risk exposure.
Given the potential for heightened supervisory focus on transaction monitoring systems and the effectiveness of the alerts and reporting they produce, financial services organizations could face increased expectations to demonstrate that monitoring scenarios, thresholds, and segmentation methodologies are reasonably designed, calibrated, and aligned with the organization’s current risk profile. Regulators might place greater emphasis on whether monitoring systems are operational and whether they are capable of meaningfully identifying suspicious activity while producing information that is useful for investigative and reporting purposes. As a practical matter, organizations should be prepared for regulators to increase scrutiny of monitoring systems that generate large volumes of low-value alerts or rely on outdated assumptions that no longer reflect the organization’s products, services, customer activity, or geographic exposure.
The proposal also suggests that organizations could face greater pressure to demonstrate how monitoring outputs translate into effective escalation, investigation, and suspicious activity reporting outcomes, particularly where legacy systems generate significant operational burden without corresponding compliance value. Organizations might need to implement more frequent tuning and optimization processes, strengthen model validation and governance practices, and establish clearer documentation supporting the design and performance of monitoring scenarios.
In light of the NPRM, board and senior management should expect elevated expectations for oversight of AML/CFT programs. Under the framework outlined in the proposal, governance responsibilities could extend beyond approving policies and receiving periodic updates to include a more substantive understanding of program effectiveness, operational performance, and emerging risk exposure. Regulators might increasingly expect boards and senior leadership to demonstrate active oversight of how the AML/CFT program identifies, escalates, and responds to evolving risks across the organization.
As a result, financial services organizations might need to reassess the scope, breadth, and depth of AML/CFT reporting provided to senior management and boards of directors. Reporting frameworks might increasingly incorporate metrics tied to program effectiveness, suspicious activity detection trends, control deficiencies, remediation progress, and broader risk management outcomes rather than focusing primarily on operational volume metrics alone. In many respects, the proposal aligns AML/CFT oversight more closely with other enterprise risk disciplines, where governance structures are expected to incorporate performance indicators, trend analysis, and forward-looking risk assessments as part of ongoing oversight responsibilities.
If the proposed rule becomes final, the implications for internal audit functions and independent testing programs could be significant. Traditional AML/CFT audit approaches have often focused primarily on control validation, including whether policies and procedures exist, required processes are followed, and documentation is maintained appropriately. Under the framework outlined in the NPRM, however, internal audit functions might be expected to evaluate whether AML/CFT controls are producing meaningful and effective outcomes in practice, including whether monitoring, escalation, and investigative processes are functioning as intended within the organization’s broader risk environment.
This shift could require financial services organizations to expand the scope and sophistication of AML/CFT audit methodologies. Internal audit teams might need to assess the effectiveness of monitoring systems, the responsiveness and integrity of the organization’s risk assessment framework, and whether identified risks are translating into appropriate control enhancements and governance actions. Organizations with complex operations or more advanced monitoring environments might also require greater use of data analytics, model evaluation capabilities, and testing methodologies designed to assess procedural compliance and overall program effectiveness.
The NPRM, if made final, could also raise the enforcement stakes for financial services organizations by placing greater emphasis on operational effectiveness and program implementation. By distinguishing between the existence of an AML/CFT program and the effectiveness of its execution, the proposed rule suggests that regulators might view operational weaknesses, such as investigative backlogs, ineffective escalation practices, poor-quality case reviews, or delayed remediation efforts, as significant compliance deficiencies rather than merely operational shortcomings. This approach reflects a broader supervisory focus on whether AML/CFT programs function effectively in practice and produce outcomes consistent with regulatory expectations.
As a result, financial services organizations could face increased regulatory exposure when day-to-day program execution does not align with documented policies, stated risk tolerances, or evolving risk conditions. The proposal signals that AML/CFT compliance is becoming less centered on documentation alone and more focused on operational discipline, governance responsiveness, and the ability to demonstrate that controls are functioning effectively in real-world conditions. Consequently, organizations might need to place greater emphasis on staffing models, escalation procedures, quality assurance processes, and remediation governance to reduce the risk of operational breakdowns becoming supervisory or enforcement concerns.
The NPRM reinforces the growing connection between AML/CFT compliance obligations and broader national security and law enforcement priorities. Financial services organizations could face increased expectations to demonstrate that their AML/CFT programs are aligned with FinCEN’s national priorities and capable of producing information that is valuable to law enforcement and national security agencies. Regulators might place greater emphasis on the quality, relevance, and investigative usefulness of suspicious activity reporting rather than focusing solely on reporting volume or procedural completion.
At the same time, the proposal could promote greater consistency across the federal banking agencies and FinCEN by further aligning supervisory expectations regarding AML/CFT program effectiveness. For financial services organizations, however, that alignment could also raise expectations that AML/CFT compliance programs contribute more directly to broader financial crime prevention objectives. As a result, organizations might need to reassess how monitoring, investigations, escalation practices, and reporting processes support the identification of higher-risk activity and the production of actionable financial intelligence.
Although the agencies characterize the NPRM as a clarification of existing AML/CFT obligations rather than a substantive expansion of regulatory requirements, its operational impact on financial services organizations could nevertheless be significant. The proposal suggests that organizations might face increased pressure to demonstrate measurable program effectiveness, which could require additional investment in data management capabilities, analytics, monitoring technologies, governance frameworks, and program testing methodologies. Organizations also could experience greater demand for specialized AML/CFT personnel capable of supporting risk analytics, model governance, investigations, and program oversight in an increasingly outcomes-focused supervisory environment.
Closer coordination between compliance, enterprise risk management, operations, technology, and business leadership functions will be necessary. As AML/CFT programs become more closely tied to strategic risk management and operational decision-making, financial services organizations might need to strengthen cross-functional governance and improve how risk information flows across the organization. For smaller and midsize organizations in particular, these expectations could present more acute challenges due to limited staffing, budget constraints, and reliance on legacy systems that might be less adaptable to evolving supervisory expectations regarding effectiveness, monitoring quality, and program responsiveness.
This NPRM represents a meaningful evolution in AML/CFT supervision as the regulatory question shifts from “Do you have a program?” to “Does your program work?” For financial services organizations, the answer will depend on their ability to demonstrate effectiveness through data, adapt quickly to changing risks, and embed AML/CFT considerations into the core of their risk management frameworks. Outcomes, not intentions, will increasingly define compliance.
For financial services organizations, preparing for that shift could require more than incremental policy updates. Organizations might need to reassess current-state capabilities across risk assessments, transaction monitoring, governance, staffing, escalation processes, and internal testing frameworks to determine whether existing controls can effectively support an outcomes-focused supervisory environment. As regulatory expectations continue to evolve, organizations that proactively evaluate operational gaps, strengthen governance integration, and enhance program effectiveness measures could be better positioned to adapt to heightened scrutiny and changing enforcement expectations. Experienced AML/CFT specialists can also play an important role in helping organizations assess preparedness, prioritize remediation efforts, and align compliance frameworks with emerging supervisory priorities.