FinCEN has proposed a broad rewrite of its AML/CFT program rules, saying it wants to “fundamentally reform” how covered financial institutions build, maintain and are supervised on anti-money laundering and counter-terrorist financing controls. The proposal would standardize program rules across multiple sectors and push firms toward “effective, risk-based, and reasonably designed” programs tied more directly to actual risk and outcomes.
For crypto, the immediate read-through is clear even though the NPRM is not written as a crypto rule. The proposal applies to money services businesses, and FinCEN’s longstanding guidance says persons engaged as a business in exchanging or transmitting convertible virtual currency are generally money transmitters and therefore MSBs under the BSA. That means many U.S.-facing crypto firms would feel this rule through the MSB channel, while permitted payment stablecoin issuers under the GENIUS Act are being handled separately from this rulemaking.
The biggest change is making risk assessment explicit
The proposal would require covered firms to establish risk assessment processes inside their AML/CFT programs, not just maintain general controls. FinCEN says those processes must identify, assess and document money laundering and terrorist financing risks across products, services, distribution channels, customers and geographies, and must be kept current when a firm’s risk profile changes.
That matters because for several sectors, including MSBs, the rule text becomes much more explicit about tying resource allocation to risk. FinCEN says firms should direct more attention and resources toward higher-risk customers and activities rather than lower-risk ones, and should review and, as appropriate, incorporate the government’s AML/CFT priorities into those risk processes.
FinCEN is pushing outcome-based compliance, not just box-ticking
The NPRM repeatedly says the AML Act requires FinCEN to focus more on effective outcomes than on rigid process prescriptions. In the proposal’s language, an effective AML/CFT program is one that helps safeguard national security and helps law enforcement prevent illicit funds from moving through the financial system.
At the same time, FinCEN is not proposing a “perfect compliance” standard. The preamble notes that commenters wanted clarity that an effective, risk-based, reasonably designed program should not be read to mean one that completely prevents financial crime. The agency is instead trying to define a system that is risk-driven, current and materially implemented.
Governance and control expectations get sharper
The rule would require a written AML/CFT program approved by a board, equivalent governing body or appropriate senior management. FinCEN says this would be a change for some sectors, including casinos and MSBs, where current rules do not uniformly impose that kind of approval requirement.
It would also require the AML/CFT officer to be located in the United States and accessible to FinCEN and its designees, even though some AML/CFT functions could still be performed outside the U.S. FinCEN also says the officer must have sufficient authority, independence and resources to run the program effectively.
Independent testing remains in the framework too, but FinCEN is trying to standardize it across institution types and is asking whether more clarification is needed to ensure testing is truly risk-based and focused on effectiveness rather than formality.
Banks get a separate supervision shift, and that matters beyond banking
One of the more consequential parts of the NPRM is not about internal controls at all. FinCEN also proposes a stronger role for itself in bank AML/CFT supervision, including a notice-and-consultation framework before federal banking regulators take a significant AML/CFT supervisory action under delegated authority.
FinCEN says that once a bank has properly established an AML/CFT program, significant enforcement or supervisory action should focus on significant or systemic failures to implement it, not isolated or immaterial issues. That is a meaningful attempt to recalibrate how AML/CFT supervision works in practice, even though the formal consultation framework in this proposal is specific to banks.
The cost signal is mixed, and FinCEN is admitting that
FinCEN says the proposal was deemed “economically significant” by OIRA, meaning the effects are expected to cross the $100 million threshold that triggers a regulatory impact analysis. But the same document also says the net change in aggregate costs attributable to the rule is not expected to be easily distinguishable from zero once final.
That tension is one of the more interesting parts of the filing. FinCEN also says the rule may have a significant economic impact on a substantial number of small entities in certain affected industries, while inviting comments if that effect has been overstated. In short, Treasury is trying to sell the rule as a major modernization effort, but not as a simple across-the-board cost surge.
What stays outside this proposal
FinCEN is explicit that this NPRM does not amend the delayed investment adviser AML rule, now pushed to January 1, 2028. It also says AML/CFT standards for permitted payment stablecoin issuers under the GENIUS Act will be addressed separately, even though the GENIUS framework already treats them as financial institutions for BSA purposes.
Why it matters for crypto
- Many U.S.-facing crypto firms would likely feel this proposal through the MSB route, because FinCEN’s own guidance treats CVC exchangers and transmitters as money transmitters subject to BSA program requirements.
- The practical burden would move closer to bank-style governance: explicit risk assessment processes, written program approval, more formal resource allocation, and a U.S.-based AML/CFT officer with real authority.
- For crypto compliance teams, the most important shift is that FinCEN wants programs to be continuously updated when risk changes, not treated as annual paperwork exercises.
- Stablecoin issuers do matter here, but through a different channel: the NPRM flags that GENIUS Act AML/CFT standards for permitted payment stablecoin issuers will come in a separate rulemaking.
What to watch next
- Whether FinCEN keeps the current outcome-based structure in the final rule or adds more prescriptive detail after comments from banks, MSBs and other covered firms.
- Whether crypto firms and other MSBs push back on the governance, documentation and U.S.-based officer requirements as a practical compliance expansion. This is an inference based on the text of the proposal.
- How quickly Treasury moves on the separate AML/CFT standards for permitted payment stablecoin issuers under the GENIUS Act.
- Whether the final rule preserves FinCEN’s attempt to shift exams and enforcement away from technical defects and toward significant or systemic failures, especially in banking.