
US Regulators Propose Sweeping AML Reform: What the New Risk-Based Framework Means for Financial Institutions
- TrustSphere Network

- May 13

A Fundamental Shift in AML Program Design
On 7 April 2026, the FDIC, OCC, and NCUA jointly issued a Notice of Proposed Rulemaking that could fundamentally reshape how American financial institutions design and operate their anti-money laundering and countering the financing of terrorism programmes. The proposed rule, developed in coordination with FinCEN, represents the most significant structural reform to BSA/AML requirements in over a decade, moving the regulatory paradigm from prescriptive compliance checklists toward genuinely risk-based programme design.
The core principle is deceptively simple: institutions should direct more attention and resources toward higher-risk customers and activities, and less toward lower-risk ones. In practice, this demands a level of institutional self-awareness and analytical capability that many banks have yet to develop. Risk-based is easy to say but extraordinarily difficult to implement at scale, particularly for institutions with legacy technology stacks and siloed compliance functions.
What the Proposed Rule Actually Changes
The proposed amendments codify several requirements that have existed as regulatory guidance but lacked the force of formal rulemaking. First, the AML Act requirement that programmes be explicitly risk-based is now embedded in each agency's regulations. Second, FinCEN's ongoing customer due diligence requirement is incorporated directly into the agencies' programme standards. Third, and perhaps most consequentially, the designated AML/CFT compliance officer must now be located in the United States and accessible to regulators.
This last provision carries significant implications for global institutions that have centralised compliance functions offshore. Banks with compliance leadership in London, Singapore, or Dublin will need to reassess their organisational structures and ensure meaningful decision-making authority resides within US borders. The comment period runs sixty days from Federal Register publication, giving institutions a narrow window to shape the final rule.
The FCA's Parallel Warning on Due Diligence
Across the Atlantic, the UK Financial Conduct Authority released findings from a thematic review of customer due diligence practices that should give every compliance leader pause. While most firms had documented CDD procedures, the FCA found that few provided sufficient practical guidance for frontline staff on what to do when customers lack standard identification. The gap between policy and practice remains a persistent vulnerability.
This finding echoes a recurring theme in enforcement actions globally: regulators are no longer satisfied with well-written policies. They want evidence that those policies translate into effective action at the point of customer interaction. The era of compliance-by-documentation is ending.
Implications for Technology and Operations
For compliance technology leaders, the shift to risk-based programmes creates both challenge and opportunity. Static, rules-based transaction monitoring systems will struggle to deliver the dynamic risk assessment that regulators now expect. Institutions will need technology that can continuously evaluate customer risk profiles, adjust monitoring intensity in real time, and demonstrate to examiners that resources are being allocated proportionally to risk.
Machine learning models, entity resolution platforms, and graph analytics tools become not just efficiency enhancers but regulatory necessities. The institutions that will thrive under the new framework are those that have already invested in data infrastructure capable of supporting genuinely risk-proportionate compliance programmes.
What Institutions Should Do Now
Compliance teams should begin gap analyses immediately. Map your current programme against the proposed requirements, identify where your risk assessment methodology falls short of genuinely risk-based allocation, and evaluate whether your technology stack can deliver the dynamic capabilities the new framework demands. The sixty-day comment period is also an opportunity to shape the final rule, particularly around implementation timelines and the treatment of emerging technologies like AI-driven risk scoring.
The direction of travel is clear: regulators want smarter, more targeted AML programmes that focus resources where risks are greatest. Institutions that embrace this shift proactively will find themselves better positioned not only for regulatory compliance but for genuine financial crime prevention.