On July 7, 2026, the Federal Reserve requested public comment on a proposal to update anti-money laundering and countering the financing of terrorism program rules for the banks it supervises. The proposal was published in the Federal Register on July 9, and comments are due by September 8, 2026.
At its core, the proposal says banks should not treat every customer, transaction, or business activity as if it carries the same level of risk. Banks would be expected to direct more attention and resources toward higher-risk areas while spending fewer resources on lower-risk activity.
That goal is practical. Compliance teams often spend too much time reviewing alerts that do not point to meaningful risk. However, the proposal also introduces an enforcement standard that has raised concerns inside and outside the Federal Reserve.
Once a bank has established an AML/CFT program, certain Federal Reserve enforcement or significant supervisory actions based on implementation problems would generally be reserved for failures that are considered “significant or systemic.” The proposal does not define those terms.
This creates an important question for banks, regulators, and the public: How can a risk-based AML/CFT program remain flexible without weakening accountability?
Key Takeaways
- The proposal would formally require banks to operate an effective, risk-based AML/CFT program.
- Banks would need to connect their risk assessments to FinCEN’s national AML/CFT priorities.
- More attention and resources should go toward higher-risk customers and activities.
- Banks would need to update their programs when their risk profiles significantly change.
- The proposed “significant or systemic” enforcement threshold remains undefined.
- Public comments are due September 8, 2026.
What Is the Federal Reserve Proposing?
The Federal Reserve’s proposal would require supervised banks to establish and maintain an effective AML/CFT program. The program must be reasonably designed to identify, assess, document, and reduce money laundering, terrorist financing, and other illicit finance risks.
Under the proposal, banks would need to:
- Assess risk across products, services, customers, distribution channels, and geographic locations.
- Review FinCEN’s national AML/CFT priorities and incorporate them when they apply to the bank’s risk profile.
- Update risk assessments promptly when the bank knows, or should know, that its risk profile has significantly changed.
- Direct more resources toward higher-risk customers and activities than lower-risk ones.
- Continue ongoing customer due diligence, employee training, independent testing, and program oversight.
- Designate a qualified AML/CFT officer located in the United States.
The proposal would give banks room to use their own knowledge of their customers, products, services, and business models. Examiners would not be expected to replace a bank’s reasonable judgment with their own.
However, banks would still need to show that their decisions come from a sound risk assessment. They would also need to show that known weaknesses are addressed.
In other words, a bank could not simply call its program “risk-based.” It would need evidence showing that its risk decisions are consistent, current, and tied to real controls.
Why the “Significant or Systemic” Standard Is Drawing Criticism
The most debated part of the proposal is the difference between establishing an AML/CFT program and maintaining it.
A bank establishes a program by putting the required policies, controls, testing, training, governance, and risk assessment processes in place.
It maintains the program by carrying out those requirements “in all material respects.”
The proposal would not limit the Federal Reserve’s ability to act when a bank fails to establish an effective program. However, after a program has been properly established, the Fed would generally reserve certain AML/CFT enforcement or significant supervisory actions based on implementation problems for failures that are “significant or systemic.”
Supporters may see this as a way to prevent major enforcement over isolated, technical, or minor errors.
Critics see a possible gap. The rule does not explain how serious, widespread, repeated, or long-lasting a failure must be before it meets the new standard. Forbes described this uncertainty as a potential loophole in the proposed rule.
The Federal Reserve’s own proposal asks commenters whether more clarity is needed on what counts as a “significant or systemic failure.”
Federal Reserve Governor Michael Barr voted against the proposal because of the new, undefined standard. He warned that it could affect the Fed’s ability to determine whether a supervised institution has established and maintained a compliant AML/CFT program.
The concern is not that banks would be free to ignore their AML obligations. The concern is that an unclear threshold could create uncertainty about when implementation failures justify major action.
That uncertainty could lead to uneven supervision, delayed enforcement, or long disputes over whether a failure was serious enough to count.
Risk-Based Compliance Requires Proof, Not Just Policy
The broader direction of the proposal is important. It reinforces the shift from checklist compliance toward programs focused on real risk and useful outcomes.
That shift makes sense.
A small local bank does not have the same risk profile as a global bank offering complex cross-border products. A low-risk customer should not always receive the same review as a customer with exposure to high-risk jurisdictions, opaque ownership structures, sanctions concerns, or serious adverse media.
But risk-based compliance only works when decisions can be explained, tested, and reproduced.
A bank should be able to answer questions such as:
- Why was this customer rated high, medium, or low risk?
- Which data and risk factors informed the rating?
- How were screening thresholds selected?
- Why was an alert closed, escalated, or sent for deeper review?
- How did the program change after new products, customers, geographies, or threats appeared?
- Can the bank reproduce the decision and show a complete audit trail?
Without clear answers, “risk-based” can become a vague label for inconsistent decisions.
With strong documentation, data, testing, and governance, it becomes a more focused and defensible way to fight financial crime.
What Banks Should Do During the Comment Period
The proposal is not final, but banks should use the comment period to review how well their current programs support risk-based decisions.
Connect risk assessments to daily operations
High-risk findings should change how the institution handles screening, monitoring, due diligence, staffing, escalation, and review.
A risk assessment that does not affect daily operations will be difficult to defend.
Establish a clear approach to materiality
Not every alert carries the same importance.
Banks need a consistent method for separating weak, low-value signals from events that are severe, recent, credible, or closely connected to the customer.
Materiality should influence how alerts are prioritized, reviewed, escalated, and documented.
Document model and rule decisions
Documentation should cover data sources, risk factors, thresholds, model versions, validation results, analyst overrides, and changes made after testing.
The purpose is not to create paperwork for its own sake. The goal is to provide a clear record of why the program works the way it does.
Prepare for changes in risk
The proposal would require banks to update risk assessment processes promptly when known changes significantly affect the institution’s risk profile.
Banks should define who monitors for those changes, who decides whether an update is needed, and how quickly the new risk is reflected in screening and compliance controls.
Consider commenting on the enforcement standard
Banks and other stakeholders may benefit from clearer examples of:
- What counts as a significant failure
- What counts as a systemic failure
- How repeated smaller problems would be treated
- Whether a failure must affect several parts of the program
- How the standard would apply to different bank sizes and risk profiles
Clear examples could help protect both regulatory accountability and the flexibility banks need to operate truly risk-based programs.
How Explainable Technology Supports a Risk-Based AML/CFT Program
A risk-based AML/CFT program depends on more than a written policy. It needs data and technology that can identify meaningful risk, reduce low-value work, and show how each decision was made.
Sigma360 supports this approach through configurable risk scoring, entity risk analysis, materiality tuning, and explainable AI.
The platform brings together sanctions, PEP, adverse media, corporate registry, country risk, and network intelligence to help institutions assess direct and indirect exposure through a unified risk view.
This is especially important in adverse media and name screening.
Basic keyword and matching systems can generate large volumes of duplicate or irrelevant alerts. Analysts then spend time proving that low-risk results do not matter instead of investigating serious threats.
Sigma360’s materiality scoring helps teams consider factors such as severity, recency, frequency, and source authority. Entity risk measures how directly a person or company is connected to a material event. Together, these controls help institutions focus on the signals that are most relevant to their customers and risk profiles.
Compliance teams can also adjust thresholds, taxonomies, and relevance filters to match the institution’s risk appetite. Independent analysis from Chartis Research has highlighted Sigma360’s configurable alerting, materiality scoring, audit-ready reporting, and approach to model validation as key strengths.
Explainable AI can support first-level alert review while keeping people accountable for final decisions.
Sigma360’s model governance framework emphasizes clear reasoning, source attribution, human review for uncertain cases, ongoing model testing, and documented validation. These controls allow institutions to use automation without turning compliance decisions into a black box.
The lesson from the Federal Reserve proposal is simple:
Better risk focus must come with better evidence.
Institutions need to show not only that they found risk, but also why the risk mattered, how the decision was made, and whether the program changed when the facts changed.
The Path Forward
The Federal Reserve’s proposal could help banks spend less time on lower-risk activity and more time on the threats that matter most. That is a positive goal for compliance teams, law enforcement, customers, and the financial system.
Still, the “significant or systemic” standard needs careful attention. A risk-based framework should reduce low-value work without creating uncertainty about accountability.
As regulators consider public comments, banks should focus on the part they can control now: building AML/CFT programs that are current, well-tuned, explainable, and supported by evidence.
In a more risk-based regulatory environment, the strongest program will not be the one that creates the most alerts. It will be the one that can clearly show how it identifies, prioritizes, and acts on real risk.
Frequently Asked Questions
What is a risk-based AML/CFT program?
A risk-based AML/CFT program adjusts its controls and resources based on the level of money laundering, terrorist financing, and illicit finance risk facing the institution. Higher-risk customers and activities receive more attention than lower-risk ones.
What does “significant or systemic” mean in the Federal Reserve proposal?
The proposal does not provide a final definition. It asks the public whether more clarification is needed. This lack of detail is one of the main concerns raised by critics and Governor Michael Barr.
Would the proposal prevent the Federal Reserve from taking AML enforcement action?
No. The proposal would not limit action when a bank fails to properly establish an AML/CFT program. The debated threshold applies to certain actions based on failures to implement a program that has already been properly established.
When does the Federal Reserve AML/CFT comment period close?
Comments on the proposed rule must be submitted on or before September 8, 2026.
This article is provided for informational purposes and does not constitute legal or regulatory advice.
