On April 7, 2026, FinCEN published a proposed rule that Treasury Secretary Scott Bessent described as ending an era in which “Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats.” The comment period closes June 9. If finalized, the rule would represent the most significant structural change to BSA/AML compliance since the USA PATRIOT Act of 2001.
This article explains what the proposed rule actually changes, why it matters beyond the legal text, and what compliance leaders should be doing now — not after the final rule is published.
What the Rule Actually Says
The proposed rule does not create new obligations from scratch. It restructures how existing obligations are evaluated, supervised, and enforced. Six changes matter most.
Effectiveness over paperwork. Programs will be judged on their ability to identify, assess, and mitigate illicit finance risk — not on the volume of documentation they produce. This reverses the implicit incentive structure that has governed compliance for two decades.
Establishment vs. implementation. The rule creates a two-tiered enforcement framework. A properly established program with an isolated implementation failure would not automatically trigger a major enforcement action. Only “significant or systemic” failures would warrant serious supervisory consequences.
Risk-based resource allocation. The rule explicitly empowers institutions to direct more attention toward higher-risk customers and activities and away from lower-risk ones. The proposed rule gives regulatory permission to prioritize — and to deprioritize.
FinCEN’s expanded oversight role. Before a federal banking agency can take a significant AML/CFT supervisory action, it must give FinCEN thirty days’ written notice and consider FinCEN’s input.
Innovation as a mitigating factor. The proposed rule explicitly recognizes “innovative technologies” and law enforcement cooperation as factors FinCEN should consider before pursuing enforcement.
Mandatory risk assessment documentation. Programs must identify, assess, and document their specific ML/TF risks, incorporating FinCEN’s national priorities.
The proposed rule does not ask institutions to do more. It asks them to prove that what they do actually works. That is a harder standard than any amount of paperwork.
Why This Is Not Just a Technical Update
The legal text matters, but the signal matters more. The proposed rule validates arguments that compliance technology leaders have been making for years.
The false positive economy becomes a liability. Under a regime that evaluates effectiveness, a 95% false positive rate is no longer evidence of conservative screening. It is evidence that the program cannot distinguish genuine risk from noise.
Data quality becomes auditable. If a program must demonstrate that it effectively identifies and mitigates ML/TF risk, the data layer beneath the screening engine is no longer a back-office concern. Coverage, freshness, structure, provenance, and governance become audit-relevant properties.
Architecture choice becomes a regulatory decision. Under an effectiveness standard, deploying a rules-based system that cannot reduce false positives without increasing false negatives — when predictive alternatives demonstrably can — starts to look like a design deficiency.
The three-paradigm framework becomes operational. Generative AI for analyst acceleration, predictive AI for screening and detection, agentic AI for investigation orchestration — this is precisely the kind of deliberate, risk-based technology deployment the proposed rule rewards.
What Compliance Leaders Should Do Now
The comment period closes June 9, 2026. FinCEN proposes a twelve-month implementation period after the final rule. That means institutions likely have eighteen to twenty-four months before the effectiveness standard governs their next examination.
Audit your risk assessment for defensibility. If your current risk assessment is a static document updated annually for the exam, it will not survive scrutiny under an effectiveness standard.
Measure your false positive rate and its full cost. Under the current regime, nobody asks. Under the proposed regime, the question is implicit in every effectiveness evaluation.
Document your architecture decisions. If you are deploying predictive models, document the validation methodology and the false positive reduction achieved. If you are still running rules-based screening, document why.
Evaluate your data layer against the five dimensions. Coverage, freshness, structure, provenance, and governance are the properties an examiner will evaluate when determining whether your screening infrastructure is “reasonably designed.”
Submit comments. The comment period closes June 9. FinCEN has explicitly requested feedback on twenty-nine specific questions. Institutions that engage shape the final rule.
The institutions that will thrive under the new standard are not the ones scrambling to comply after the final rule is published. They are the ones whose programs already demonstrate effectiveness — because they were built that way, not retrofitted.
Conclusion
FinCEN’s proposed rule is not an incremental update. It is a philosophical reorientation of the entire BSA/AML framework — from measuring effort to measuring outcomes, from penalizing any deficiency to distinguishing design failures from execution errors, from treating all risk as equal to demanding that programs allocate resources to where the risk actually lives.
For compliance leaders who have been investing in better data, better models, and better architecture, the proposed rule is validation. For those who have been relying on volume-based screening and documentation-heavy programs that produce impressive binders and mediocre results, it is a warning.
The comment period closes June 9. The implementation clock starts when the final rule is published. The time to prepare is now.