
Reframing AML for Digital Finance

FinCEN proposes AML reforms for financial institutions and stablecoin issuers, emphasizing effectiveness.

Executive Summary

During the week of April 6, 2026, the Financial Crimes Enforcement Network (FinCEN) issued two Notices of Proposed Rulemaking (NPRMs) that represent a major shift in anti-money laundering (AML) compliance. On April 7, the AML and countering the financing of terrorism (CFT) programs NPRM fundamentally reformed the requirements for financial institutions’ AML/CFT programs, refocusing supervisory expectations on areas of heightened risk, and changing how AML oversight will be conducted in the future. On April 8, FinCEN proposed a rule to implement the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, extending AML requirements to permitted payment stablecoin issuers (PPSIs) to counter illicit finance.

Collectively, these actions shift AML compliance away from documentation-based processes toward a systems-based, effectiveness-driven model, and establish PPSIs as financial institutions for purposes of the Bank Secrecy Act (BSA), subjecting them to an AML/CFT and sanctions compliance framework that closely aligns with that applied to banks.

1) AML Program Reform NPRM – Redefining Effectiveness

AML programs have evolved over the years, but many current programs face structural challenges. Notwithstanding years of investment in developing robust documentation and procedures, these investments have not always led to better detection results for institutions or regulatory bodies. Over time, significant resources were focused on lower-risk, high-volume activities, such as policy procedure mapping, client documentation, and alert reporting thresholds. This was not by accident; these areas were often the most visible during exams, easier to measure, and were regarded as a critical way to demonstrate that the AML program was operating as expected, in line with regulatory expectations. The focus now will be on the effectiveness of the program, which essentially will require an enhanced focus on higher-risk areas that can help spot and reduce financial crime risks. Inconsistencies in expectations across regulatory agencies also may have created confusion about what makes an effective AML program.

The AML/CFT program NPRM is intended to shift financial institutions’ focus from mere technical compliance toward effectiveness-based compliance monitoring. Institutions will now need to demonstrate that their AML programs are well designed and capable of identifying and addressing illicit finance risks.

Key elements include:

  • Risk-based allocation of resources across the organization, including skilled staff, a method focused on regular risk assessments, ongoing monitoring, improvement of controls, and investments in AML infrastructure
  • Coordination with regulatory AML priorities and national security goals
  • Focus on serious deficiencies instead of minor technical issues
  • Centralized coordination by regulatory agencies with FinCEN for consistent enforcement

This reform lends itself to a cultural and operational pivot. Institutions must demonstrate that their AML program reduces illicit finance, not just checks the box, requiring targeted investment in systems and methodologies, skilled investigators, and governance processes that prioritize high-risk detection. Furthermore, success will hinge on measurable outcomes over processes.

2) Stablecoin NPRM – Expanding the AML Perimeter

The GENIUS Act NPRM incorporates PPSIs into the existing BSA framework. It requires PPSIs to establish and maintain risk-based AML/CFT and sanctions programs that are appropriately tailored to their size, complexity, and technological architecture, including distributed ledger and token-based systems. The U.S. Department of the Treasury’s NPRM aims to address AML risks while fostering innovation, reflecting a global trend to integrate digital assets into formal financial systems.

In addition, a parallel development is emerging from the prudential regulators, particularly the FDIC’s recent GENIUS Act framework proposal, which introduces a critical interpretative nuance around the definition of an “account” and its implications for AML and sanctions obligations. Specifically, the proposal raises the question of whether a tokenized deposit remains within the scope of an “account relationship” once the token is transferred from the original holder to another party.

Key expectations involve:

  • Recognition that a PPSI’s AML and Office of Foreign Assets Control obligations are primarily tied to its issuance, redemption, and other points of customer or system controls, and do not necessarily extend to all subsequent transfers of the tokenized deposit.
  • Clarification that monitoring responsibility does not automatically follow the asset indefinitely once it leaves the originating account absent ongoing technical capability or a customer relationship.
  • Monitoring both on-chain and off-chain transaction activity for suspicious activity and required regulatory reporting consistent with the PPSI’s risk profile and role in the transaction flow.
  • Using blockchain analytics tools to improve transparency in transactions for review and possible transaction blockage, where appropriate to the PPSI’s operating model.
  • Including sanctions controls within system architecture to ensure compliance and enable prompt response and regulatory reporting.
  • Managing model risk and data integrity through regular scenario tuning and model validation with appropriate governance and documentation to support supervisory review. Firms should maintain transparency and clarity in their monitoring systems.

These proposed updates reflect an evolution from traditional, continuous account-based AML monitoring toward a control- and system-centered model tailored to payment stablecoins and decentralized networks, while maintaining core BSA, AML/CFT, and sanctions objectives.

3) Combined Regulatory Impact

| Dimension | Legacy AML Framework | New AML Framework |
|---|---|---|
| Regulatory scope | Banks and traditional financial institutions | Includes stablecoin issuers |
| Evaluation standard | Technical compliance | Effectiveness and outcomes |
| Control model | Customer-based | System-based |
| Technology role | Support function | Core compliance infrastructure |
| AML responsibility anchor | Account relationship | System/asset flows |

4) Implications for Stablecoin Issuers

Stablecoin issuers will need to create AML frameworks that can monitor decentralized transactions. This means integrating advanced analytics, managing model risk, and embedding sanctions controls into transaction systems for monitoring, timely escalation, review, and regulatory reporting. These challenges demand significant investment in technology and expertise. 

A major challenge will be balancing innovation with regulatory accountability, especially in areas with limited visibility and control, like digital assets. Institutions already face issues with visibility, data integration, regulatory ambiguity, and tech implementation, and these challenges may increase.

5) Implications for Financial Institutions

Traditional financial institutions must adjust to increased interaction with digital asset ecosystems. This involves better due diligence, using blockchain analytics, and updating transaction monitoring scenarios to fit blockchain transactions. In addition, as the NPRM emphasizes effectiveness and risk-based outcomes, if monitoring obligations stop at transfer, institutions may be technically compliant but practically blind to downstream risk.

Institutions also need to manage risks that arise from fintech partnerships and digital asset service providers, especially with respect to data privacy, cybersecurity/ransomware, and similar risks. Firms need to take a proactive stance by investing in scalable compliance frameworks and aligning with regulatory expectations. Cooperation among compliance, technology, and business areas will be essential.

6) Internal Audit & Testing Evolution

Regulators will continue to rely on internal independent audit functions as a crucial third line of defense to ensure the effectiveness of institutions’ AML programs. Institutions must shift from periodic sampling to continuous, data-driven monitoring. Focus areas include client due diligence, regular KYC reviews, model validation, systems integration, and complete transaction monitoring, escalation, and reporting. Greater emphasis should be placed on validating models, ensuring data integrity, and directing resources toward higher-risk areas while reducing lower-value activities. 

Audit methods will need to adapt to the complexities of hybrid financial systems that combine traditional transactions with digital assets. Leadership should evaluate whether AML programs show measurable effectiveness and whether resources match risk mitigation strategy. Internal audit functions would also need to focus on validating outcomes, not just controls, and institutions should prepare for more results-driven regulatory assessments in the future. 

Conclusion

This dual NPRM issuance marks a significant moment in the evolution of AML compliance. By redefining both the scope and evaluation of AML programs, regulators are creating a new standard focused on effectiveness, technology, and system-level accountability. These proposals signal a shift from strict rules to risk management and from process to outcomes-based compliance in this new era of technological innovation. If implemented as is, the financial system will transition from an account-based AML program to an asset- and system-based AML approach. Institutions that adapt will be better positioned to meet regulatory expectations, while those sticking to outdated compliance methods may encounter difficulties.
