U.S. Treasury Redesigns Financial Counter-Terrorism Regulation

For decades, compliance organizations have optimized around defensibility: documentation volume, training completion rates, periodic reviews, and evidence that policies exist on paper. That posture made sense under a regime where examiners often inferred soundness from process completeness. It also created durable incentives to staff large manual queues, generate low-value alerts, and treat innovation as a regulatory risk rather than a lever for better outcomes.

FinCEN’s proposal instead foregrounds program effectiveness: a program that is properly designed for the institution’s risk profile, implemented in material respects, and maintained as risks evolve. The rule text and accompanying materials emphasize risk assessment discipline, incorporation of government-wide AML/CFT priorities where appropriate, and risk-based allocation of resources so attention concentrates where typologies and data say the risk actually lives.

The NPRM does not tell institutions they may ignore controls. It reframes the objective. Programs must be reasonably designed to identify, mitigate, and report illicit finance risk and to produce information that is useful to law enforcement and national security agencies—not merely to generate internal attestations. That distinction matters: a system that files enormous volumes of marginally useful reports can still fail the spirit of an outcomes-oriented regime if it misses high-impact activity the institution should have seen.

Governance expectations are also tightened in predictable ways: written programs approved by boards or senior management, independent testing that is actually independent, training that matches real risks, and—for many institutions—a U.S.-based AML/CFT officer accessible to FinCEN and federal functional regulators. None of that is novel as a talking point, but codifying it alongside an effectiveness standard pushes institutions to connect structure to results.

Covered institutions will need living risk assessments that update when products, geographies, customers, or delivery channels change; testing and monitoring that validate how controls behave in production, not only at launch; and documentation that explains resource tradeoffs (for example, why lower-risk segments receive lighter touch) in terms of assessed risk rather than convenience.

Supervisory dynamics may shift as well. Among other provisions, the proposal contemplates coordination between FinCEN and banking agencies on significant AML/CFT supervisory actions, and it signals that FinCEN will generally refrain from enforcement against banks that have properly established their programs absent a significant or systemic maintenance failure—while also noting that innovative tools, including AI used responsibly, can be considered when evaluating effectiveness.

If the rule is finalized in something close to its proposed form, the winners will be programs that can demonstrate closed-loop performance: detection coverage that expands with new products, investigations that resolve faster with fewer touches for straightforward cases, and decisioning that stays aligned to policy as rules change. That is exactly the architecture we build at Conway—systems that learn from resolved work instead of freezing the operational model in three-ring binders.

We are not rendering legal advice in this note. Institutions should read the NPRM, the fact sheet, and their regulators’ parallel guidance, and should participate in the comment process if the proposal affects their business. For operators, the directional signal is clear: the future of AML/CFT belongs to teams who can prove, with data, that their programs detect and respond to financial crime—not only that they completed the paperwork.