US financial regulators are proposing a major overhaul of anti-money laundering (AML) and counter-terrorist financing (CFT) rules that would change how compliance programs are designed, assessed and defended.
Under proposals published by FinCEN alongside parallel rulemakings from the FDIC, Office of the Comptroller of the Currency (OCC) and National Credit Union Administration (NCUA), supervisors would move away from judging compliance by the volume of documentation produced. Instead, they would focus on whether AML and CFT frameworks actually work in practice and reduce financial crime risk.
For governance, risk and compliance leaders, this marks a clear shift in supervisory expectations. The emphasis would move from checklist-style compliance and audit-ready paperwork to outcomes-based assurance, which must assess whether controls are effective as well as companies’ ability to explain and evidence why they are appropriate for their risk profile.
At the heart of the proposals is a new approach to assessing program adequacy. Policies, training records and monitoring outputs would no longer be treated as sufficient on their own. Supervisors would expect firms to demonstrate that these elements drive meaningful decisions on controls, escalation and resourcing and ultimately contribute to risk reduction.
Enterprise-wide risk assessments take on a much more central role under the proposed rules. Regulators have indicated that risk assessments should function as active management tools, not static documents prepared for examinations. Companies would be expected to show that risk assessments directly influence how staff, technology and oversight are allocated, with clear prioritization of higher-risk customers, products and geographies.
This also raises expectations for risk-based resourcing. Boards and senior committees would need to justify how compliance budgets, staffing models and system investments align with the institution’s actual exposure to financial crime risks, rather than historical structures or equal distribution of resources.
Decision transparency becomes more important under the proposed framework. Companies would be expected to evidence that choices around transaction monitoring design, alert thresholds and investigative focus are driven by risk appetite and assessment, rather than legacy system settings or operational convenience. This has specific implications for organizations relying heavily on rules-based monitoring that generates high alert volumes without clear linkage to current risk typologies.
Supervisory discussions would place less emphasis on raw output measures such as alert volumes or case throughput. Instead, regulators would look for evidence that monitoring systems are calibrated to real risks, using indicators such as detection performance, false positive rates and coverage of relevant typologies. This materially raises expectations for governance teams’ oversight of model performance and control effectiveness.
The parallel proposals from the FDIC, OCC and NCUA reinforce this approach across the US banking system, pointing to a more consistent supervisory stance. While this may reduce fragmentation for firms subject to multiple regulators, it also increases the overall bar for demonstrating mature, risk-based AML and CFT governance.
For governance teams, the operational challenge is significant. Many existing AML frameworks were built to meet prescriptive requirements rather than to demonstrate adaptive risk management. Moving to an effectiveness-led model is likely to require stronger data foundations, better analytics and closer coordination between compliance, technology and business teams, with boards expected to oversee and challenge that transition.
Finally, regulators are signaling a greater focus on explainability. Companies will need to articulate not just what controls they have in place, but why those controls make sense for their specific risk profile and how they work together to reduce exposure to financial crime.