The AML/CFT Compliance Landscape Is Shifting
The Bank Secrecy Act has governed anti-money laundering compliance for financial institutions since 1970. For most of that time, compliance meant building programs around a defined set of procedural requirements — demonstrating that the right boxes had been checked, the right forms filed, the right policies documented.
That model is changing. For financial institutions using Salesforce-native compliance infrastructure, understanding the direction of that change — and positioning your program accordingly — is the work of the next twelve months.
LASER's COMPLY pillar is built around the effectiveness-focused, risk-based compliance model that regulators are now formalizing. Schedule a Compliance Discussion to see how it applies to your AML/CFT program.
The Existing Framework: Four Pillars of AML/CFT Programs
Under the Bank Secrecy Act, financial institutions have long been required to establish AML/CFT programs built around four core components:
| Pillar | Requirement |
| --- | --- |
| Internal Controls | Written policies, procedures, and controls — including risk assessment processes and ongoing customer due diligence |
| Independent Testing | Regular audits to evaluate program effectiveness |
| AML/CFT Officer | A designated compliance officer located in the United States |
| Ongoing Training | Regular employee training on AML/CFT obligations |
These four pillars remain intact under the April 2026 proposed rule. What changes is how each pillar is evaluated, what documentation is required, and where enforcement focuses.
April 2026 Update: FinCEN Issues Landmark NPRM
On April 7, 2026, the U.S. Department of the Treasury's Financial Crimes Enforcement Network issued a Notice of Proposed Rulemaking that substantially revises AML/CFT program requirements under the Bank Secrecy Act. Issued alongside conforming proposed rules from the OCC, FDIC, and NCUA, this NPRM represents the most sweeping proposed overhaul of financial institution AML/CFT obligations since the BSA was enacted.
The proposed rule supersedes and fully withdraws FinCEN's prior July 2024 NPRM — which drew significant criticism for being overly prescriptive and additive — and takes a markedly different approach rooted in flexibility, risk-based effectiveness, and institutional discretion. The public comment period closes June 9, 2026.
The Core Shift: From Technical Compliance to Risk-Based Effectiveness
The central organizing principle of the April 2026 NPRM is a move away from process-driven, check-the-box compliance toward outcome-focused, risk-based effectiveness. Under the proposed rule, AML/CFT programs would be evaluated on two distinct dimensions:
- Establishment — Program design: having the required programmatic elements in place, including the formal documented risk assessment the NPRM now makes mandatory.
- Maintenance — Program execution: implementing the program "in all material respects." Enforcement actions would be reserved for significant or systemic operational failures, not isolated or technical deficiencies.
For lenders, this distinction is meaningful. Institutions with sound program designs that experience isolated implementation issues would no longer face the same enforcement exposure as those with systemic program failures.
Five Key Reforms Lenders Need to Understand
| Reform | Practical Impact |
| --- | --- |
| Mandatory Risk Assessment Process | Institutions must formally document their ML/TF risk assessment — evaluating products, services, distribution channels, customers, and geography. Previously implied; now an explicit required element. |
| Risk-Based Resource Allocation | Institutions are directed to focus attention and resources on higher-risk customers and activities. Reduced resources directed at lower-risk areas will not trigger regulatory criticism. |
| FinCEN as Enforcement Gatekeeper | Federal banking regulators must give FinCEN's Director at least 30 days' advance notice before initiating a significant AML/CFT supervisory or enforcement action. Centralizes oversight and promotes national consistency. |
| Technology and Innovation Encouraged | The NPRM explicitly encourages responsible use of AI, automation, and innovative approaches in AML/CFT programs. Institutions using technology to strengthen compliance face no additional enforcement risk from doing so. |
| Four-Pillar Structure Retained | The existing four pillars remain. The NPRM modifies how they are evaluated — not their existence. |
Key Dates
- Comment Deadline: June 9, 2026 — Submit comments to FinCEN on the proposed rule
- Proposed Effective Date: 12 months after issuance of the final rule
- Federal Register Docket: Available at federalregister.gov (search FinCEN AML/CFT program requirements 2026)
The June 9 comment deadline creates a natural engagement window. Consider what your institution would submit in comments — FinCEN has specifically invited feedback on how the risk-based framework should operate in practice for different institution types.
What This Means for Your AML/CFT Program Today
The NPRM does not require a program rebuild for institutions with sound existing programs. It requires documentation of what a well-run compliance program is already doing — and it rewards institutions that have already built risk-based, technology-supported AML/CFT workflows.
Institutions whose compliance programs are driven by workflow automation — rather than manual checklists and periodic reviews — are structurally better positioned to demonstrate program effectiveness under the new framework. When compliance controls are embedded in the technology platform, the audit trail regulators expect to see is generated as a byproduct of normal lending operations.
As detailed in LASER's analysis of AML and KYC requirements for financial institutions, understanding how CIP obligations fit within the broader AML/CFT program framework is essential for building a compliance program that satisfies regulators at every level. The April 2026 NPRM elevates that requirement — making the documented connection between individual compliance controls and institutional risk assessment a core program element.
What LASER COMPLY Users Should Know
The NPRM's emphasis on documented risk assessments, automated compliance workflows, and technology-forward programs directly aligns with how LASER's COMPLY pillar operates. Specifically:
- Automated CIP and pre-account verification workflows satisfy the NPRM's explicit risk assessment and CIP requirements without manual documentation steps
- Salesforce-native audit trails provide the independent program documentation regulators will evaluate when assessing program effectiveness
- Risk-based decisioning built into the ACCESS and DECIDE pillars enables lenders to direct diligence resources toward higher-risk applicants — exactly the approach the NPRM formalizes
In our work with commercial lenders implementing COMPLY on Salesforce, the shift toward effectiveness-based evaluation is one the platform is already built to support. The NPRM does not require a program rebuild — it requires documentation of what a well-run compliance program is already doing.
What This Means for Your Institution
The April 2026 NPRM offers meaningful relief for institutions that have invested in building effective, risk-based AML/CFT programs. The shift from technical compliance to effectiveness-based evaluation reduces enforcement risk for sound programs with isolated implementation issues — and rewards the kind of technology-forward compliance infrastructure that modern lending platforms are built to support.
The comment period closes June 9, 2026. Whether or not your institution submits formal comments, this is the moment to assess your AML/CFT program against the effectiveness standard FinCEN is now formalizing — and to ensure that your compliance infrastructure is positioned to demonstrate that effectiveness when examiners ask.
Schedule a Compliance Discussion to see how LASER's COMPLY pillar operationalizes risk-based AML/CFT compliance inside Salesforce and positions your institution for the effectiveness-focused framework the April 2026 NPRM requires.
