The US Treasury's Financial Crimes Enforcement Network, the FDIC, the Office of the Comptroller of the Currency, and the National Credit Union Administration published a joint proposed rulemaking on April 7 that would rewrite the compliance framework underpinning the Bank Secrecy Act. The proposal replaces the current paperwork-volume model with a risk-based standard and raises the enforcement bar to "significant or systemic failures" before regulators can pursue penalties.
Treasury Secretary Scott Bessent framed the existing system as one that measured "success by the volume of paperwork rather than their ability to stop illicit finance threats." The proposal is the first joint rulemaking from all four agencies on AML since the Anti-Money Laundering Act of 2020 passed. It fully supersedes a July 2024 proposed rule from FinCEN that never reached final status.
What the Rule Actually Changes
The current BSA framework treats compliance as a documentation exercise. Banks and other financial institutions file Suspicious Activity Reports, maintain transaction logs, and build customer due diligence programs primarily to satisfy examiner checklists. The volume of SARs filed per year has ballooned, but the system's catch rate for actual illicit finance has not kept pace.
The proposed rule restructures programs around four pillars:
-
Internal controls and risk assessment. Institutions must build a risk assessment process that incorporates FinCEN's national AML/CFT priorities, then allocate resources toward higher-risk customers and activities rather than spreading compliance effort uniformly.
-
Independent testing. Compliance audits must be conducted by individuals "truly independent" of the AML/CFT function, not by the same team that built the program.
-
A US-based compliance officer. The designated AML officer must be located in the United States and accessible to regulators. Other compliance staff can work remotely.
-
Employee training. Training programs must be tailored to the institution's specific risk profile and individual employee roles, not generic annual certifications.
The enforcement threshold is the sharpest departure. Under the current system, examiners can cite deficiencies for procedural gaps even when no illicit activity slipped through. The new standard requires a "significant or systemic" failure before regulators pursue formal action.
The Crypto Angle Nobody Is Highlighting
Every crypto exchange registered as a Money Services Business with FinCEN falls under this proposal. So does every stablecoin issuer operating under the GENIUS Act framework, every crypto ATM operator, and every payment processor touching digital assets.
For crypto firms, the shift from checkbox compliance to risk-based compliance could reduce overhead. A small exchange handling $50 million in annual volume currently faces roughly the same reporting template as JPMorgan. Under the proposed framework, that exchange could build a leaner program calibrated to its actual risk profile, provided it addresses FinCEN's national priorities (which currently include ransomware, fentanyl-related financing, and corruption).
The "significant or systemic" enforcement bar also matters. Several crypto firms have faced consent orders not because they failed to catch illicit transactions, but because their documentation did not match examiner expectations. The new standard, if finalized, would narrow the universe of actionable violations.
That said, the proposal does not reduce the total number of laws crypto firms must follow. BSA registration, SAR filing obligations, and the Travel Rule all remain. What changes is how regulators evaluate whether a firm's program is working.
FinCEN Gets a Veto Over Banking Regulators
One structural change buried in the proposal: before the FDIC, OCC, or NCUA can pursue a "significant supervisory action" against any institution for AML failures, they must now give FinCEN's director an opportunity to review and consult. This creates a notice-and-consultation framework that effectively gives FinCEN a soft veto over banking examiners.
The American Bankers Association praised this provision. ABA President Rob Nichols said the elevated FinCEN role would help "ensure consistency across agencies." For crypto-adjacent banks, this could mean fewer situations where a single examiner's interpretation of crypto risk leads to a debanking event. The consultation requirement adds friction to the enforcement pipeline.
60-Day Comment Window
The comment period runs 60 days from the date of publication in the Federal Register. Given that four agencies coordinated the release, the final rule is unlikely before late 2026 at the earliest. The July 2024 proposal that this supersedes never received a final rule in two years, so timeline certainty is low.
The crypto industry's lobbying apparatus, including the Blockchain Association and the Chamber of Digital Commerce, will likely submit comments focused on the MSB provisions. Whether those comments move the needle depends on whether FinCEN treats crypto MSBs as part of the broader reform or carves them into a separate track.
Overview
FinCEN and three federal banking agencies proposed the largest overhaul of Bank Secrecy Act compliance in two decades on April 7. The rule replaces paperwork-volume enforcement with risk-based standards, raises the enforcement threshold to "significant or systemic failures," and gives FinCEN consultation authority over banking regulators' AML actions. The 60-day comment period begins upon Federal Register publication. Every crypto exchange, stablecoin issuer, and payment processor registered as an MSB with FinCEN is covered.
