The Financial Crimes Enforcement Network (FinCEN) has proposed a rule that would fundamentally reform how anti-money laundering and countering the financing of terrorism (AML/CFT) programs are designed, operated, and reviewed.

For money services businesses (MSBs), this is more than a regulatory update; it’s a reset of expectations. The proposal moves the industry away from checkbox compliance and toward something far more demanding: proving that your AML/CFT program actually works.

Driven by the Anti-Money Laundering Act of 2020, this rulemaking is the most significant overhaul of AML obligations since the USA PATRIOT ACT of 2001 amended and expanded the Bank Secrecy Act (BSA).

What the Proposed Rule Requires

1. A New Standard: “Effective” AML/CFT Programs

The proposal introduces a new baseline: AML/CFT programs must be effective, risk-based, and reasonably designed. 

Regulators will no longer simply ask whether you have the required components. They will ask whether your program detects real risks, produces reliable reporting, and supports defensible decisions.

2. Formal, Documented Risk Assessments

For the first time, FinCEN explicitly requires a formal, documented risk assessment as the cornerstone of every AML/CFT program. It must evaluate products and services, customer types, geographic exposure, and delivery channels, and it must be regularly updated and directly tied to your controls.

For MSBs, this means going beyond generic risk ratings. Your risk assessment needs to explain why certain products carry a higher risk, how customer types influence exposure, and where geographic risks exist. Regulators will likely challenge your assumptions.

3. Alignment with National AML/CFT Priorities

Institutions must now incorporate government-issued AML/CFT priorities into their programs. This means your controls must reflect current risks such as fraud, human trafficking, drug trafficking, and cybercrime. Static, set-it-and-forget-it programs will not meet the new standards.

4. A Formal Purpose Statement

One of the most overlooked elements of the proposal is the introduction of a formal purpose for AML/CFT programs. Programs must now identify and mitigate illicit finance risks, generate useful intelligence for law enforcement, and support national security objectives.

This reframes compliance entirely. Your program is now about producing actionable intelligence, not just avoiding penalties.

5. Reinforced Program Pillars with Higher Expectations

The traditional four pillars remain, but the expectations across each have risen.

1. Internal controls, procedures, and controls → must rely on accurate system inputs, including a risk assessment and ongoing customer due diligence
2. Independent testing → must include validation of underlying data and processes. 
3. A U.S.-based compliance officer → must understand the limitations of the systems they oversee.
4. Employee training → should address data handling and red flag recognition, not just policy acknowledgment.

6. Governance at the Leadership Level

The proposal places board-level (or equivalent) approval and oversight responsibility directly in the frame. For MSBs, this means ownership and senior leadership are now accountable for AML performance, not just the compliance team. 

Leadership must be knowledgeable about how the AML/CFT program operates and able to speak to its effectiveness.

7. Continuous AML/CFT Program Evolution

AML/CFT programs must revalidate when systems change, test after product updates, and monitor for data gaps or breaks. AML/CFT programs must evolve with your business and can no longer be treated as static documents.

8. Encouragement of Technology and Innovation

FinCEN explicitly supports technology-driven solutions and smarter, more flexible monitoring approaches. This opens the door for MSBs to modernize, but modernization must be accompanied by careful validation to ensure new systems perform as intended.

How This Hits MSBs Hardest

MSBs face unique scrutiny under this rule due to their risk profile and transaction types. Here’s where the impact is most acute:

Flow of Funds

Flow of funds documentation is no longer optional. MSBs must fully understand and document the source, movement, and final destination of funds. This is foundational to customer risk rating, transaction monitoring, and SAR decisioning.

Each product line needs its own treatment. Money transmission, check cashing, currency exchange, and stored value each carry distinct risk profiles. A one-size-fits-all AML/CFT program will not meet the new standard.

Transaction Monitoring

Monitoring thresholds must be justified. Transaction monitoring systems must align with your specific risk profile. You should be able to explain why thresholds are set where they are, how alerts reflect actual risk, and what distinguishes normal from suspicious activity. Regulators will expect clear, logical reasoning.

Documentation

Documentation is your strongest defense. Every element of your program must be documented, justified, and traceable back to your risk assessment. If you can’t explain it, it will be treated as a deficiency.

Data Validation

Examinations will focus on effectiveness, not just existence. FinCEN is signaling a shift toward evaluating whether programs actually work, with greater scrutiny on the quality of SAR reporting and identification of meaningful deficiencies, not just whether required components are present.

What MSBs Should Be Doing Now

The rule is still proposed, but the direction is clear. MSBs should begin preparing now:

• Conduct or refresh your enterprise-wide risk assessment
• Map the flow of funds for each product and service
• Align your program controls with current AML/CFT policies and procedures
• Review and document the rationale behind your monitoring thresholds
• Strengthen governance processes and ensure leadership is informed and engaged

Final Thoughts

This proposed rule represents a new era of AML compliance. It is defined by risk-driven design, continuous adaptation, and measurable effectiveness. The days of static programs and high-volume, low-quality reporting are coming to an end.

If you’d like support updating your risk assessment, reviewing your AML/CFT program for alignment with the proposed rule, or exploring how to strengthen your compliance infrastructure, we’re here to help.