In May, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued Alert FIN-2026-Alert002, warning financial institutions about the use of front companies, financial facilitators, and digital asset infrastructure by Iran’s Islamic Revolutionary Guard Corps (IRGC) to evade sanctions and launder proceeds. The Alert represents an escalation in U.S. government guidance concerning Iranian illicit finance and underscores the expectation that covered institutions maintain robust controls capable of detecting increasingly sophisticated sanctions evasion typologies.

Background: The IRGC and the Policy of “Maximum Pressure”

The IRGC was created after the Iranian Revolution as a parallel military organization reporting directly to Iran’s Supreme Leader, and includes ground, naval, and air forces, the Basij internal security militia, and the IRGC-Qods Force (IRGC-QF), which conducts covert operations abroad and supports terrorism by supplying funding, training, and weapons to aligned groups. The IRGC is a designated Foreign Terrorist Organization (FTO) and is subject to comprehensive U.S. sanctions, including a prohibition on opening or maintaining correspondent accounts in the United States for Iranian financial institutions pursuant to Section 311 of the USA PATRIOT Act.

The Alert arrives in the context of renewed maximum pressure on Iran. On February 4, 2025, President Trump signed National Security Presidential Memorandum-2 (NSPM-2), imposing a whole-of-government approach to deny Iran all paths to a nuclear weapon and counter its influence. The Financial Action Task Force (FATF) has also reiterated that Iran remains a high-risk jurisdiction, calling on all jurisdictions to apply effective countermeasures—including prohibiting Iranian digital asset service providers from establishing a presence in their countries.

Key Typologies and Financial Activity Flagged by FinCEN

The Alert identifies several categories of illicit financial activity through which the IRGC generates and moves funds, along with corresponding red flag indicators designed to help financial institutions detect, prevent, and report potential suspicious activity connected to Iranian sanctions evasion. No single red flag is determinative; institutions should consider the totality of the circumstances.

  • Commodity Sales and Oil Smuggling

The IRGC supplements its budgets by smuggling oil to international buyers, with proceeds funding procurement, weapons development, and terrorist activity abroad. FinCEN’s 2025 Financial Trend Analysis found that oil companies potentially linked to Iran transacted approximately $4 billion in 2024, while shipping companies potentially related to the transport of sanctioned Iranian oil conducted transactions through U.S. correspondent accounts totaling approximately $707 million over the same period. The IRGC uses a “shadow fleet” of aging vessels operating outside standard maritime regulations, often owned or managed by front companies outside Iran, and engages in deceptive shipping practices including blending Iranian oil with oil from third countries or relabeling it with forged documents as “Malaysian blend.”

Red flags in this area include transactions involving petroleum or shipping companies with ties to Iran or “shadow fleet” vessels; irregularities in shipping documentation intended to obscure an Iranian nexus; documentation referencing vessels with recent or multiple name, flag, or ownership changes following OFAC designations; and transactions referencing “Malaysian blend” oil, particularly if the vessel is bound for China via Southeast Asia with automatic Information System (AIS) irregularities.

  • Front Companies and Shadow Banking Networks

The IRGC relies on multi-jurisdictional shadow banking networks comprised of exchange houses, trading companies, and front companies to sell oil and other commodities abroad, launder the proceeds, and procure weapons and materiel on the international market. Iranian banks have established “rahbar” companies to manage international transactions, using exchange houses to form front companies in third-country jurisdictions, often in permissive free trade zones, to obscure Iranian involvement. FinCEN found that likely shell companies matching indicators for shell and Iranian activity moved $5 billion in 2024, primarily from non-resident accounts at banks in China operated by Hong Kong-based companies to the UAE.

Red flags in this area include wire transfers with unclear sources of funds involving entities in high-risk jurisdictions; general trading companies with opaque ownership registered in commercial free trade zones in the UAE with counterparties in Singapore, Hong Kong, China, or Oman; likely front companies with little to no web presence transacting in unusually high amounts from non-resident accounts; and unusual use of multiple exchange houses with fees or transaction patterns that do not reflect standard commercial practices.

  • Facilitators and Service Providers

IRGC networks are bolstered by facilitators including money services businesses (MSBs), investment companies, and trust and company service providers that assist—wittingly or unwittingly—in orchestrating complex money laundering and sanctions evasion schemes. Purported trust companies based in Hong Kong and Eastern Europe have been identified as facilitating the transmission of value to the IRGC, including through the conversion of fiat currency to digital assets.

  • Digital Assets

Iranian digital asset activity has reached billions of dollars per year, with the IRGC conducting sanctions evasion as part of this activity. Digital assets enable Iranian facilitators to circumvent the traditional financial system by transferring value internationally without intermediary financial institutions. Iranian facilitators are likely to use stablecoins due to their relative liquidity, ease of settlement, and exchange rate stability, and Iran’s use of stablecoins includes minting, moving between large-volume stablecoin issuers, and creating proprietary stablecoins. FinCEN also notes that unregistered peer-to-peer exchangers, unregistered foreign-located MSBs, and nested digital asset service providers (DASPs) may offer digital asset-related services in Iran.

Red flags in this area include companies with exposure to Iranian oil smuggling deviating from normal business practices to send or receive payments using digital assets; stablecoin payments with unclear sources of funds in high-risk jurisdictions; unusual stablecoin mint activity requiring multiple rate or limit increases; transactions directly or indirectly with digital asset addresses attributed to Iranian entities; authentication activity from Iranian IP addresses, email services, or phone numbers; and customer accounts that may be operating as unregistered P2P exchangers or nested DASPs providing services in Iran.

Conclusion

The FinCEN IRGC Alert reflects the U.S. government’s intensified focus on disrupting Iranian sanctions evasion networks and its expectation that the private sector serve as a critical partner in this effort. Regulatory compliance teams should evaluate existing frameworks governing exposure to Iranian illicit finance and ensure that processes align with current reporting and blocking obligations under U.S. law.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about our Anti-Money Laundering Team.

President Trump’s May 19, 2026 executive order, Restoring Integrity to America’s Financial System, directs Treasury, FinCEN, the CFPB, and the federal banking agencies to reassess how financial institutions identify and manage risks associated with non-work authorized populations and related cross border financial activity. The order reflects a significant shift in federal expectations across BSA/AML compliance, customer identification, and consumer credit underwriting. It also establishes short deadlines that will drive rapid regulatory and supervisory developments through the remainder of 2026.

The order frames these issues as national security and public safety concerns. It cites analyses linking low dollar cross border transfers to terrorist financing, narcotics trafficking, and human trafficking. It highlights Chinese money laundering networks that allegedly used U.S. accounts held by foreign passport holders to launder more than $312 billion for criminal organizations. It also identifies fentanyl related financial activity tied to Mexico based cartels as a priority area for regulatory attention.

At the same time, the order directs regulators to treat lending to non-work authorized individuals as a structural safety and soundness concern. It characterizes potential deportation and loss of wages as creating a fundamental ability to repay deficiency. This framing signals a broader policy shift that will affect both consumer credit markets and fair lending supervision.

Key Directives and Deadlines

The order requires several regulatory actions on compressed timelines.

Treasury Advisory (60 Days)

Within 60 days, Treasury must issue an Advisory describing red flags and typologies associated with six categories of suspicious activity:

  • Payroll tax evasion by employers or labor brokers
  • Use of foreign identity documents or nominee structures to conceal beneficial ownership or payroll disbursements
  • Unregistered MSBs and third party processors used for off the books wage payments intended to bypass BSA reporting thresholds
  • Structuring and micro structuring correlated with payroll cycles
  • Labor trafficking indicators where illicit proceeds are commingled with legitimate revenue
  • Use of ITINs to obtain credit or open accounts without verified lawful immigration status

Although the Advisory will not be binding, examiners routinely treat Treasury Advisories as articulations of expected practice. Institutions should anticipate that the Advisory will influence SAR filing expectations and monitoring scenarios well before any rulemaking is complete.

BSA Due Diligence Regulations (90 Days)

Within 90 days, Treasury must propose amendments to strengthen risk-based customer due diligence. The proposal must ensure institutions collect and verify sufficient identity information to assess illicit finance, sanctions evasion, and fraud risks. It must also preserve institutional authority to obtain additional information, including information relevant to immigration status and employment authorization, when other risk indicators warrant it.

Customer Identification Program Requirements (180 Days)

Within 180 days, Treasury and the federal functional financial regulators must consider changes to CIP regulations, with specific attention to risks associated with foreign consular identification cards. Institutions that rely on these documents for account opening should prepare for potential verification or documentation changes.

Credit Risk Guidance (60 Days)

Within 60 days, the CFPB must consider clarifying that potential deportation and loss of wages may adversely affect a non-work authorized borrower’s ability to repay under Regulation Z. Each federal functional financial regulator must also issue guidance on managing credit risks associated with non-work authorized populations. This directive raises complex questions about how lenders may incorporate immigration related risk factors while managing fair lending obligations.

Practical Implications for Financial Institutions

BSA/AML Programs

Institutions should begin reviewing transaction monitoring scenarios and SAR filing practices against the six categories of suspicious activity identified in the order. The forthcoming Treasury Advisory will likely establish new expectations for how institutions identify and report activity involving non-work authorized populations and their employers. Institutions should evaluate whether existing monitoring rules capture payroll related structuring, funnel account activity, and patterns associated with unregistered MSBs or third-party processors.

Customer Identification and Due Diligence

The order’s focus on consular identification cards and ITINs signals heightened scrutiny of identification documents commonly used by noncitizens. Institutions that accept these documents should assess whether existing CIP and CDD procedures address the risk indicators identified and whether additional verification steps may become necessary. Potential enhancements include supplemental non documentary verification, additional beneficial ownership inquiries, and review of employment authorization where risk indicators are present.

Credit Underwriting

Lenders offering consumer credit, particularly mortgage, auto, and credit card products, should evaluate whether underwriting models and ability to repay analyses account for the immigration related risk factors highlighted in the order. The CFPB’s forthcoming guidance will determine how lenders may incorporate these factors while managing fair lending obligations. Institutions should prepare for potential adjustments to income stability assessments, treatment of ITIN based applications, and portfolio level risk reviews.

Employer Related Risks

The order’s treatment of employer immigration law violations as a financial system vulnerability is notable. Institutions that bank employers in industries with high concentrations of non work authorized labor should anticipate increased scrutiny of payroll irregularities, mismatched tax identification numbers, and unusual payment patterns. These considerations may affect risk rating methodologies and periodic reviews for certain commercial customers.

Fair Lending Considerations

Institutions should monitor how the CFPB and prudential regulators reconcile the order’s directives with existing fair lending requirements under the Equal Credit Opportunity Act and the Fair Housing Act. The intersection of immigration status considerations and prohibited basis discrimination will require careful navigation, particularly if regulators expect lenders to incorporate deportation risk into underwriting.

Looking Ahead

The compressed timelines in the executive order mean that financial institutions will face a rapidly evolving regulatory environment over the next two to six months. Institutions should begin assessing how their existing BSA/AML, CIP, CDD, and credit underwriting programs align with the issues highlighted in the order and prepare for increased supervisory attention as agencies issue Advisories, proposed rules, and credit risk guidance.

We will continue to monitor developments as agencies complete their reviews and begin implementing the Order. If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

President Trump issued Executive Order 14405 (the “Order”) on May 19, 2026 titled Integrating Financial Technology Innovation into Regulatory Frameworks. The Order directs federal financial regulators to review and update regulations, guidance, and supervisory practices to support financial technology innovation and reduce barriers to entry for non‑bank fintech firms. It follows earlier actions establishing federal digital asset policy and a Strategic Bitcoin Reserve.

Stated Policy Objectives

The Order states that it is the policy of the United States to streamline regulatory processes, reduce unnecessary barriers to entry, and promote collaboration among fintech firms, federally regulated financial institutions, and federal financial regulators. It describes fintech firms as contributors to expanded access to financial services and economic opportunity. It also asserts that federal regulations should be updated to support the integration of digital assets and emerging technologies into traditional financial services and payment systems. The Order highlights concerns about fragmented or outdated regulatory requirements that may favor incumbent institutions.

Definition of “Fintech Firm”

The Order defines a fintech firm as any non‑bank company that uses or develops technology to offer or support financial products or services. The definition is broad and includes payment processing, lending, deposit‑taking, derivatives, investment management, brokerage services, underwriting, capital markets activities, custodial and fiduciary services, digital banking, digital asset services, securities and commodities activities, and blockchain‑based services. The Order incorporates by reference the financial activities listed in section 4(k)(4) of the Bank Holding Company Act.

Regulatory Review and Streamlining

Section 3 directs each federal financial regulator, including the CFPB, SEC, NCUA, CFTC, FDIC, and OCC, to conduct a review within 90 days of existing regulations, guidance, supervisory practices, and application processes. The review must identify items that could be updated to facilitate innovation and competition, including those that impede partnerships between fintech firms and federally regulated institutions. Agencies must also identify opportunities to streamline application processes for fintech firms seeking bank or credit union charters, deposit or share insurance, or other federal licenses and registrations.

The Order instructs agencies to balance innovation with safety and soundness, consumer and investor protection, market integrity, financial stability, and oversight. Within 180 days, each regulator is directed to take steps to encourage innovation based on the review, in consultation with the Assistant to the President for Economic Policy.

Access to Federal Reserve Payment Services

Section 4 requests that the Board of Governors of the Federal Reserve System conduct a comprehensive evaluation of the legal, regulatory, and policy framework governing access to Reserve Bank payment accounts and payment services by uninsured depository institutions and non‑bank financial companies, including firms engaged in digital assets and other novel activities. The Federal Reserve is asked to report within 120 days on:

  • the legal authority to extend direct access to such firms
  • options for expanding access subject to risk management requirements
  • legal impediments to direct access and potential legislative or regulatory solutions
  • whether individual Reserve Banks may act independently in granting or denying access and what policies should ensure consistent evaluation of applications

If the Federal Reserve determines that existing law permits expanded access, the Order requests that it establish transparent application procedures and make determinations on complete applications within 90 days.

Broader Context

The White House Fact Sheet describes the Order as part of a broader effort to position the United States as a global leader in financial innovation. It asserts that current rules governing access to payment services and third‑party risk management requirements may favor incumbents and that many financial regulations were designed for a brick‑and‑mortar environment. The Administration frames the Order as an attempt to modernize regulatory frameworks to reflect digital‑age financial services.

What This Means for Financial Institutions

Anticipated Regulatory Changes

The 90‑day review period means that by mid‑August 2026, each named regulator must complete its assessment. The 180‑day deadline for taking steps to encourage innovation extends into mid‑November 2026. Institutions should expect proposed rulemakings, updated guidance, or revised supervisory expectations to emerge on that timeline, particularly in areas involving bank‑fintech partnerships and chartering processes.

Third‑Party Risk Management and Bank‑Fintech Partnerships

The Order’s focus on regulations that impede partnerships suggests that existing interagency guidance on third‑party risk management, including the 2023 joint guidance issued by the OCC, FDIC, and Federal Reserve, may be revisited. Institutions with existing or planned fintech partnerships should anticipate potential adjustments to due diligence and oversight expectations. Current requirements remain in effect unless formally amended.

BSA/AML Considerations

Although the Order does not directly address Bank Secrecy Act or anti‑money laundering obligations, the potential expansion of Federal Reserve payment system access to non‑bank fintechs raises questions about the applicable AML/CFT framework for new direct participants. If non‑bank firms gain direct access, regulators will need to clarify whether and how BSA requirements apply. Institutions that currently serve as intermediaries for fintech payment flows should consider how their obligations may shift if those flows move to direct access models.

Federal Reserve Payment System Access

The Federal Reserve’s 120‑day report, expected by mid‑September 2026, will be a key milestone. The evaluation of whether individual Reserve Banks may act independently in granting access, and the emphasis on consistent evaluation standards, indicates concern about the current decentralized approach. Institutions that rely on privileged access to the Federal Reserve payment system as a competitive advantage should monitor this development closely.

Open Questions

Several issues remain unresolved. The Order does not specify what steps regulators must take after completing their reviews, leaving significant discretion to agency leadership. The Order states that it does not create enforceable rights and that implementation is subject to available appropriations. Any expansion of Federal Reserve access to non‑bank entities may require new legislation or a novel interpretation of existing authority under the Federal Reserve Act. Congressional engagement on these issues remains uncertain.

Conclusion

The Executive Order signals a significant policy direction for fintech regulation and the relationship between traditional financial institutions and non‑bank technology firms. Although the Order is primarily directive, the deadlines for regulatory review and Federal Reserve reporting create concrete milestones that will shape the regulatory landscape in the coming months. Financial institutions should evaluate how potential changes to third‑party risk management expectations, chartering processes, and payment system access may affect their operations and partnerships.

We will continue to monitor developments as agencies complete their reviews and begin implementing the Order. If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On April 30, 2026, the Financial Crimes Enforcement Network (“FinCEN”) published a notice and request for comment (the “Notice”) in connection with its renewal of Form 107, which Money Services Businesses utilize for registration and renewal purposes. FinCEN’s Notice proposes a renewal without change to Form 107, and the comment period remains open until June 29, 2026.

The Bank Secrecy Act (“BSA”) and its implementing regulations require MSBs to file an initial registration form, to renew the registration every two years, and maintain a list of their agents (if applicable).

As part of the Paperwork Reduction Act, FinCEN is required to periodically review Form 107. FinCEN must justify the necessity of the collection form and intended use, as well as provide an estimate of the burden in completing the form.

According to FinCEN’s analysis of Form 107 filings from the past three years, the number of MSBs filing an initial or renewal form has increased. The estimated burden associated with the initial filing is 50 minutes, depending on the number of fields an MSB must complete, 40 minutes for renewal, and 30 minutes for maintaining an agent list. FinCEN acknowledged that maintaining an MSB agent list may require additional time for purposes of auditing and verifying the list; however, FinCEN does not account for this time in estimated burdens.

Efforts to Implement AMLA

The Notice asks for comments on the following questions related to FinCEN’s efforts to implement the Anti-Money Laundering Act (“AMLA”):

  • Is there publicly available data that went unmentioned in this Notice, but that FinCEN should consider when estimating the number of MSB agents? If possible, please comment on the generalizability and other usability feature of the data.
  • How would changes in the size or composition of the MSB population affect FinCEN’s estimated burden? Are there other assumptions that are more likely to contribute to substantive inaccuracies in the total burden and cost estimates? If so, please describe.
  • What changes to FinCEN Form 107 would reduce common errors or omissions?

Section 6216 of the AMLA directs FinCEN to review BSA regulations and guidance to ensure there are appropriate safeguards to protect the financial system from threats posed by various forms of financial crime. To meet this objective, FinCEN has previously sought input through formal requests for information (“RFI”) on regulations, reporting, and recordkeeping requirements that protect the U.S. financial system while also minimizing regulatory burdens posed. Although the previous RFI did not expressly mention burdens on MSBs, FinCEN is using this Notice as an opportunity to assess the regulatory burdens imposed on MSBs. 

Risks Posed by Unregistered MSBs

According to Treasury’s most recent National Money Laundering Risk Assessment, MSBs, like other financial institutions, continue to face money laundering risks. Treasury cited the large number of current MSB principals and agents and highlighted the “outsized risks” posed by unregistered MSBs. Unregistered MSBs may include individuals and entities acting as part of an informal value transfer system (“IVTS”) or may include individuals and entities using their personal or business accounts to engage in money transmission. Treasury highlighted a recent enforcement action against an unregistered MSBs that resulted in a $37 million civil money penalty.

Regulatory and Operational Impact

As a reminder, accurate and complete MSB registration and agent maintenance is part of the MSB examination procedures.

Second, the AMLA‑related questions highlight where FinCEN wants industry input. The agency is probing data sources for agent counts and recurring Form 107 errors. This is an opportunity to identify gaps between agent rosters and operations and fields prone to stale or mis‑keyed entries.

Third, banks serving MSBs should read the 2026 National Money Laundering Risk Assessment. Recent enforcement actions illustrate that registration is closely tied to BSA/AML program effectiveness. Onboarding and periodic reviews of MSB customers should confirm proper registration.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On April 23, 2026, the Department of Justice announced charges against two Chinese Nationals, Huang Xing Shan and Jiang Wen Jie, for wire fraud, the seizure of $700 million in Cryptocurrency and the seizure of a Telegram Channel and 503 websites as part of the Department’s effort to combat foreign fraud schemes that target American citizens.

Huang and Jiang oversaw a cryptocurrency investment fraud operation at the Shunda compound in Burma. The Shunda compound is known to have operated from January 2025 to November 2025 and used scam websites and mobile applications designed to mimic legitimate investment platforms to convince its victims into draining their savings. 

The workers at the compound were trafficked individuals. Huang was a manager at the compound who reportedly used violence against the workers. Jiang was a supervisor who managed the workers’ efforts to defraud Americans.  The Shunda Compound was eventually seized by law enforcement, causing Huang and Jiang to attempt to replicate their scheme at a different compound in Cambodia.  In 2026, Huang and Jiang attempted to return to Burma but were arrested by Thai Law Enforcement for immigration violations. Their cases are currently being investigated by the FBI’s New York Field Office with assistance from Thai authorities.  The Complaint filed against Jiang Wen Jie can be found here. The Complaint filed against Huang Xing Shan can be found here.

The Scam Center Strike Force, which combines the powers of the U.S. Attorney’s Office with the Department of Justice’s Criminal Division, the FBI, and the U.S. Secret Service to secure America against Southeast Asian cryptocurrency-related fraud and scams, also announced the seizure of a Telegram Channel used to recruit workers.

The Telegram Channel had more than 6,0000 followers and was used to convince workers to travel to Cambodia with promises of high-paying employment. Once the workers arrived, they were held against their will and forced to participate in the fraud scheme. The workers specifically targeted Americans, imitating U.S. bank customer service agents and US law enforcement to convince victims to provide their bank account information. The Telegram seizure case is being investigated by FBI’s Miami Field Office, U.S. Secret Service Headquarters, and investigators at the U.S. Attorney’s Office for the District of Columbia. The Strike Force also announced that JPMorgan Chase, Microsoft, and Meta voluntarily took internal investigative measures to combat the fraud operating on their systems and occurring under their names.

Additionally, 503 dot-com web domains were seized. The domains were disguised as legitimate investment platforms. Victims reported to law enforcement that these platforms were causing them to unknowingly deposit cryptocurrency funds and view supposed “returns” on what they believed were legitimate investments.  In reality, the scammers received the investments and the returns. Now, when an individual visits these sites, they are informed the sites have been seized by law enforcement.

The Strike Force also announced that more than $701,962,392.15 in cryptocurrency has been identified as allegedly involved in laundering of funds stolen from victims of cryptocurrency investment fraud. The Strike Force aims to return the funds to victims.

In coordinated actions, the US Department of Treasury announced sanctions against individuals and entities perpetrating cryptocurrency investment fraud schemes against Americans using forced labor and violence in Cambodia, and Department of State announced an award of up to $10 million for anyone with information concerning the Tai Chang scam centers.

These actions are line with President’s Trump’s Executive Order Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens. Fighting fraud continues to be a top priority of this Administration’s Justice and State Departments.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

Last month, the U.S. Department of the Treasury announced a new cybersecurity information‑sharing initiative led by its Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). The program is designed to give eligible U.S. digital asset firms access to the same actionable cyber‑threat information Treasury already provides to traditional financial institutions. According to Treasury, the effort responds to a rapidly evolving threat environment and implements a key recommendation from the President’s Working Group on Digital Asset Markets (PWG) report issued under Executive Order 14178.

The announcement marks Treasury’s most direct step to date in extending its critical‑infrastructure protection mission to the digital‑asset sector—an industry Treasury now describes as “an increasingly important part of the U.S. financial sector.”

A New Cybersecurity Information‑Sharing Channel for Digital Asset Firms

Treasury’s press release explains that OCCIP will provide participating digital asset firms with “timely, actionable cybersecurity information” at no cost. The information mirrors what Treasury already shares with banks and other traditional financial institutions.

Treasury officials emphasized several themes:

  • Growing systemic importance of digital asset firms. Assistant Secretary for Financial Institutions Luke Pettit stated that the resilience of digital asset firms is now “critical to the health of the broader system.”
  • Cybersecurity as a prerequisite for responsible innovation. Counselor to the Secretary for Digital Assets Tyler Williams linked the initiative to the principles of the GENIUS Act, noting that strong cybersecurity and operational resilience are foundational to digital‑asset market development.
  • Escalating threat landscape. Deputy Assistant Secretary for Cybersecurity Cory Wilson highlighted the increasing frequency and sophistication of cyberattacks targeting digital‑asset platforms and the need for more robust, real‑time threat information.

Eligible firms may contact OCCIP directly to enroll.

How the Initiative Aligns with the PWG’s Digital‑Asset Recommendations

The April 9 announcement explicitly ties the OCCIP initiative to the PWG’s July 2025 report, Strengthening American Leadership in Digital Financial Technology, issued pursuant to Executive Order 14178.

Several recommendations in the PWG report provide the policy foundation for Treasury’s new program:

  1. Expand public‑private information sharing to counter illicit finance and cyber threats.
    The PWG report calls for Treasury to “encourage greater information sharing between the private and public sectors to more effectively target bad actors operating in the digital asset ecosystem,” emphasizing that such sharing should be used solely for illicit‑finance and national‑security purposes. Treasury’s new initiative operationalizes this recommendation by extending its existing financial‑sector threat‑information channels to digital‑asset firms.
  2. Equip digital‑asset actors to mitigate risk.
    The PWG report identifies a need for clearer expectations and more support for digital‑asset firms navigating AML/CFT and cybersecurity risks. It encourages agencies—including Treasury—to provide guidance and tools that help firms understand and meet their obligations. Providing direct access to actionable cyber‑threat intelligence is consistent with that objective.
  3. Promote operational resilience as digital assets integrate into the financial system.
    The PWG report frames cybersecurity as essential to responsible innovation and to the stability of U.S. financial markets as digital‑asset activity grows. Treasury’s messaging in the April 9 release echoes this theme, underscoring that digital‑asset firms’ resilience is now a matter of broader financial‑system health.

What This Means for Digital Asset Firms

Although the initiative is voluntary, it signals Treasury’s expectation that digital‑asset firms should begin aligning their cybersecurity posture with the standards long applied to banks and other regulated financial institutions.

  1. Heightened expectations for threat‑intelligence integration.
    Access to Treasury’s cyber‑threat information is only useful if firms have the internal capability to ingest, triage, and act on it. Firms may need to evaluate whether their security operations centers, incident‑response processes, and governance structures can operationalize this information effectively.
  2. A clearer link between cybersecurity and financial‑crime compliance.
    The PWG report situates cybersecurity squarely within the broader illicit‑finance risk framework. Treasury’s initiative reinforces that cyber‑risk and AML/CFT risk are increasingly intertwined—particularly for digital‑asset platforms that face both technical and financial‑crime threats.
  3. Early alignment with future regulatory expectations.
    While the initiative itself is not a rulemaking, it reflects Treasury’s policy trajectory. As digital‑asset firms become more integrated into the financial system, regulators may expect them to demonstrate cybersecurity maturity comparable to traditional financial institutions. Participation in OCCIP’s program could become a de facto indicator of baseline preparedness.

How This Fits into Treasury’s Broader Digital‑Asset Strategy

The OCCIP initiative is one component of a broader shift in Treasury’s approach to digital‑asset oversight:

  • National‑security framing. The PWG report repeatedly emphasizes the need to counter illicit finance and protect U.S. financial stability as digital‑asset markets grow. Treasury’s April 9 announcement continues that framing by positioning cybersecurity as essential to safeguarding consumers and markets.
  • Technology‑neutral expectations. The PWG report encourages regulators to adopt technology‑neutral frameworks that apply consistent standards across financial activities, regardless of whether they involve digital assets. Extending existing cybersecurity information‑sharing channels to digital‑asset firms reflects that approach.
  • Operationalizing Executive Order 14178. The Executive Order directs agencies to support responsible digital‑asset innovation while protecting national security. Treasury’s initiative is a concrete step toward implementing that mandate.

Treasury frames the initiative as a concrete step toward strengthening operational resilience in the digital‑asset sector and advancing the policy objectives outlined in Executive Order 14178 and the PWG report. Some market participants, however, may assess potential confidentiality, operational, or integration considerations associated with receiving government threat intelligence, as well as whether participation in a voluntary program could carry additional compliance expectations. More broadly, the effectiveness and implementation of expanded public‑private information‑sharing efforts will likely remain an area of industry interest and discussion. It remains to be seen how widely the industry will participate and what practical impact the initiative will have in addressing evolving cyber threats.

Looking Ahead

Treasury’s launch of this cybersecurity information‑sharing initiative is a notable development for digital‑asset firms, signaling that the sector is now firmly within the scope of Treasury’s critical‑infrastructure protection efforts. It also reflects the Administration’s broader strategy: encourage innovation, but pair it with heightened expectations for operational resilience and risk management.

For digital‑asset firms, the message is clear. As the sector becomes more interconnected with the traditional financial system, regulators expect cybersecurity maturity to keep pace. Treasury’s new program offers a pathway to do that—while also previewing the direction of future oversight.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On April 8, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) issued a joint Notice of Proposed Rulemaking (NPRM) to implement the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). The proposal would create a comprehensive anti‑money‑laundering/countering‑the‑financing‑of‑terrorism (AML/CFT) and sanctions compliance framework for “permitted payment stablecoin issuers” (PPSIs), treating them as financial institutions under the Bank Secrecy Act (BSA). Treasury frames the rule as an effort to support responsible innovation in payment stablecoins while mitigating illicit‑finance risks (see also Treasury’s press release and Fact Sheet).

For our coverage of Treasury’s related Notice of Proposed Rulemaking on state oversight of stablecoin issuers, see our post here.

Statutory Background and Policy Context

The GENIUS Act directs that PPSIs be treated as financial institutions for BSA purposes and comply with federal laws relating to sanctions, money‑laundering prevention, customer identification, and due diligence. It also requires PPSIs to maintain an effective sanctions compliance program.

Treasury’s March 2026 Congressional Report highlights the rapid growth of digital assets, the increasing use of stablecoins in payments, and the ways illicit actors exploit them for fraud, ransomware, sanctions evasion, and money laundering. These findings inform the risk‑based approach reflected in the NPRM.

Primary and Secondary Market Activity

A central concept in the NPRM is the distinction between primary and secondary market activity. Primary market activity refers to direct interactions between a PPSI and a user, such as issuing, redeeming, converting, repurchasing, burning, reissuing, or providing custodial services. Secondary market activity involves transactions between third parties that rely on the PPSI’s smart contract but do not involve the PPSI as a counterparty. This distinction matters because several obligations—including suspicious activity reporting—apply only to primary‑market transactions. This distinction will shape how PPSIs design monitoring, SAR processes, and technical controls, because only primary‑market activity triggers most BSA obligations.

AML/CFT Program Requirements

The NPRM would require PPSIs to establish and maintain a written AML/CFT program that mirrors the core elements required of other financial institutions, with tailoring for stablecoin‑specific risks. PPSIs must implement internal policies, procedures, and controls to identify, assess, and mitigate illicit‑finance risks. Risk assessments must evaluate the PPSI’s business activities, incorporate the national AML/CFT priorities, and be updated promptly when risks change.

PPSIs would also be required to conduct ongoing customer due diligence, including understanding the nature and purpose of customer relationships, developing customer risk profiles, and monitoring for suspicious activity. On a risk basis, PPSIs must maintain and update customer information, including beneficial ownership information for legal‑entity customers.

Independent testing is required to assess whether the PPSI has implemented an effective AML/CFT program. PPSIs must designate a U.S.‑based AML/CFT compliance officer responsible for day‑to‑day compliance. The program must also include ongoing employee training tailored to employee roles and responsibilities and must be approved by the PPSI’s board or equivalent governing body.

The NPRM outlines a supervisory framework under which FinCEN would generally not take enforcement action if a PPSI has established an AML/CFT program and does not exhibit significant or systemic failures. It also describes a notice and consultation process between FinCEN and primary federal payment‑stablecoin regulators for significant supervisory actions. For many issuers, this will require adopting governance, documentation, and testing practices that resemble those of traditional financial institutions—a significant shift for engineering‑driven companies.

Suspicious Activity and Currency Transaction Reporting

PPSIs would be required to file suspicious activity reports (SARs) for any suspicious primary‑market transaction. The NPRM explicitly states that secondary‑market transfers are not, by themselves, considered transactions “by, at, or through” a PPSI for SAR purposes. PPSIs must retain SARs and supporting documentation for five years.

Currency‑transaction reporting (CTR) requirements would apply to transactions in currency exceeding $10,000, though Treasury notes that stablecoin issuers rarely engage in physical‑currency transactions.

Recordkeeping, Travel Rule, and Information Sharing

The NPRM would require PPSIs to comply with the BSA’s Recordkeeping Rule and Travel Rule for transfers of $3,000 or more and would amend the definition of “transmittal order” to expressly include payment stablecoins. PPSIs would also be integrated into the BSA’s information‑sharing framework, including Section 314(a) requests and voluntary Section 314(b) sharing.

Enhanced Due Diligence and Special Measures

The NPRM would apply the BSA’s enhanced due‑diligence requirements for correspondent accounts for foreign financial institutions and private‑banking accounts for non‑U.S. persons. PPSIs would also be subject to special measures under Section 311 of the USA PATRIOT Act, Section 9714(a) of the Combating Russian Money Laundering Act, and 21 U.S.C. 2313a.

Sanctions Compliance Program Requirements

The NPRM reflects a significant change in Treasury’s expectations for PPSIs. PPSIs would be required to maintain a formal sanctions compliance program—something other BSA‑regulated financial institutions are not explicitly required to do. OFAC sanctions remain a strict‑liability regime, but Treasury is elevating sanctions compliance to the same programmatic level as AML/CFT. Examiners would look not only at whether a PPSI violated sanctions, but at whether its program is designed, resourced, and operating in line with OFAC’s risk‑based expectations. A strong program would meaningfully mitigate enforcement exposure, while gaps or weak controls could carry greater consequences given the statutory mandate.

OFAC proposes requiring PPSIs to maintain an effective sanctions compliance program incorporating five core elements: senior‑management commitment; holistic risk assessments; risk‑based internal controls, including technical capabilities; independent testing and auditing; and risk‑based training. These elements align with OFAC’s existing guidance and reflect the GENIUS Act’s mandate that PPSIs comply with all federal sanctions laws applicable to financial institutions.

Technical Capabilities and Lawful Orders

The GENIUS Act requires PPSIs to maintain the technological capability to block, freeze, and reject impermissible transactions and to comply with lawful orders, including orders to seize, freeze, burn, or prevent the transfer of payment stablecoins. These expectations apply whenever a PPSI’s smart contract is involved, even in secondary‑market activity, and will require issuers to document how these controls function in practice. Because these controls must function whenever a PPSI’s smart contract is implicated, issuers will need to document how block, freeze, reject, and burn capabilities operate in practice and ensure they can withstand regulatory scrutiny.

Economic Impact

Treasury estimates that approximately 50 PPSIs may be subject to the rule, with first‑year compliance costs of about $1.8 million and ongoing annual costs of roughly $1 million. Government costs are estimated at $5.9 million in the first year, and customer costs at approximately $1.2 million annually. Treasury expects many PPSIs to be money‑services businesses or insured‑depository‑institution subsidiaries already subject to similar requirements, reducing incremental burden.

Key Takeaway

The proposal makes clear that Treasury now expects permitted stablecoin issuers to operate with the same level of AML, sanctions, governance, and technical rigor long required of mature financial institutions. The NPRM signals that PPSIs will need to build compliance into the core of their operating models—risk assessments, beneficial‑ownership collection, primary‑market SAR obligations, enhanced due diligence, and the ability to block, freeze, or burn tokens cannot be bolted on later. These expectations create a high regulatory bar, and not every current or aspiring issuer will be able to meet it. Firms with the capital, staffing, and engineering capacity to stand up a full BSA/OFAC program will be positioned to move forward, while smaller or less‑resourced issuers may struggle to qualify as PPSIs. The practical effect is a market that shifts toward a smaller number of issuers capable of operating under a full federal compliance regime. The framework ultimately favors well‑capitalized issuers and is likely to accelerate consolidation in the stablecoin market.

Next Steps

FinCEN and OFAC are accepting public comments for 60 days following publication in the Federal Register. Treasury seeks input on the clarity of definitions, the feasibility of technical requirements, the tailoring of obligations for PPSIs of different sizes and business models, and the interaction between federal and state regulatory frameworks.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On March 31, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory on sham transactions, highlighting the compliance risks financial institutions must navigate when facilitating international property transactions.

What is a Sham Transaction?

OFAC defines a “Sham Transaction” as one in which a blocked person, typically operating through proxies or intermediaries, effectuates the transfer or concealment of a continuing interest in property, without genuinely extinguishing said interest, in an attempt to evade U.S. sanctions. In other words, sham transactions are those in which an individual appears to relinquish property on paper but remains effectively in control of it.

Who do Sham Transactions Apply To?

OFAC publishes a List of Specially Designated Nationals and Blocked Persons (“SDN List”) that is intended to restrict the access of the named individuals to the American financial system by preventing them from transferring, withdrawing, or otherwise dealing with any property and interests that are within the United States or within the possession or control of a U.S. person and prohibiting U.S. persons from transacting with them.

If an individual is blocked, their assets are frozen, and they are unable to exercise the powers and privileges of their property and interests without authorization from OFAC.

How Do Sham Transactions Operate?

OFAC identifies numerous methods by which blocked persons conceal their property interest, often by manipulating opaque legal structures and working with proxies. The following are some examples of sham transactions:

  • A blocked oligarch transferred ownership of his private jet to a trust, whose sole beneficiary was his unsanctioned wife, while the oligarch continued to use the jet for travel.
  • A blocked person transferred millions of dollars of funds into trusts held for his minor children and then attempted to move these funds through U.S. banks.
  • Following its designation, a company sanctioned for narcotics trafficking was reincorporated under a different name with new nominal owners while continuing the blocked company’s operations.

How Can Financial Institutions Recognize a Sham Transaction?

OFAC’s advisory highlights a non-exhaustive set of red flags that may indicate a sham transaction. The advisory stresses the importance of employing a functional approach, considering the totality of the circumstances, when evaluating a potential sham transaction.

For additional analysis on OFAC guidance, see our related posts here.

The following are some indications financial institutions should be aware of when evaluating a transaction:

  • Commercially Unreasonable Transactions: Transfers of property in which a blocked person once held an interest on terms that are commercially unreasonable or at odds with fair market value may indicate a sham transaction.
  • Transfer to Family Members or Close Associates: Transfers of property to an individual with close personal or professional ties may indicate that the receiving party is acting as a nominal owner and may be acting on behalf of the transferring party.
  • Unclear Purpose: Transfers to an individual with no clear business purpose or relevant expertise with respect to the property at issue may be evidence of a sham transaction.
  • Complex Corporate Structures and High-Risk Jurisdictions: The presence of unnecessarily complex corporate structures, particularly in jurisdictions that lack robust regulatory oversight, may suggest an effort to conceal true ownership interests.
  • Involvement of a Blocked Person: If the circumstances indicate that a blocked person remains involved in the operation of a property, they may hold a concealed interest. The use of evasive or vague responses regarding the extent of a blocked person’s involvement may present further indicia of a concealed interest.
  • Transfer At Time of Designation: If a property or interest is transferred immediately preceding or following a person’s designation by OFAC, the transaction may warrant additional scrutiny.

Guidance for Financial Institutions

If financial institutions become aware that a blocked person once held an interest in property, OFAC recommends reviewing the available information to see if any of the above-listed red flags are present. OFAC acknowledges in its advisory that institutions may encounter legitimate business transactions where this occurs and does not wish to interfere with parties and institutions who seek to comply with OFAC sanctions in good faith.

If institutions become aware that a blocked person retains an interest in property that is held within the United States or is in the possession or control of a U.S. person, the property must be blocked and reported to OFAC.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

FinCEN has published a Notice of Proposed Rulemaking (“NPRM”) that would formalize and expand its whistleblower program, offering potentially substantial financial payouts to whistleblowers reporting certain financial crimes. According to FinCEN’s announcement, this initiative is designed to incentivize and protect individuals who report violations of major financial crime laws—specifically, the Bank Secrecy Act (“BSA”), the International Emergency Economic Powers Act (“IEEPA”), the Trading With the Enemy Act (“TWEA”), and the Foreign Narcotics Kingpin Designation Act (the “Kingpin Act”). Treasury Secretary Scott Bessent has said that through this rule, “Treasury will reward whistleblowers who provide timely, actionable information on fraud, sanctions violations, and other significant illicit finance activity[.]”Under the proposed rule, whistleblowers could be entitled to 10-30 percent of monetary penalties the government collects as a result of whistleblower tips.

The NPRM, which notably requires a 120-day waiting period for whistleblowers involved in certain fiduciary and compliance functions, highlights the importance of investing in robust compliance programs. It signals heightened enforcement interest in financial crimes, and advertises weighty incentives to motivate potential whistleblowers.

Overview and Legal Authority

FinCEN cites to the BSA, as strengthened by the Anti-Money Laundering Act of 2022 and the Anti-Money Laundering Whistleblower Improvement Act of 2022 (codified at 31 U.S.C. § 5323), for its authority to implement the proposed rule. The relevant statutory provision states:

In any covered judicial or administrative action, or related action, the Secretary, under regulations prescribed by the Secretary, in consultation with the Attorney General and subject to subsection (c), shall pay an award or awards to 1 or more whistleblowers who voluntarily provided original information to the employer of the individual, the Secretary, or the Attorney General, as applicable, that led to the successful enforcement of the covered judicial or administrative action, or related action, in an aggregate amount equal to—

(A) not less than 10 percent, in total, of what has been collected of the monetary sanctions imposed in the action or related actions; and

(B) not more than 30 percent, in total, of what has been collected of the monetary sanctions imposed in the action or related actions.

FinCEN established an Office of the Whistleblower, which began receiving whistleblower tips in 2021. This proposed rule would formalize and significantly enhance this program. The proposed rule:

  • Defines key terms, such as “covered action”, “original information”, “voluntary submission”, “monetary sanctions”, and “related action;”
  • Provides for submission through a standardized, secure online form;
  • Outlines requirements to apply for an award;
  • Sets forth eligibility criteria for awards and the process for adjudicating award applications;
  • Details confidentiality and anti-retaliation protections; and
  • Implements a system for appealing adverse determinations, and for barring bad-faith or abuse of the whistleblowing program.

Eligibility Requirements for Whistleblower Award

The rule details four requirements for a whistleblower to be eligible for an award: (1) voluntary submission of original information; (2) the whistleblower is the original source of the original information; (3) the original information led to the successful enforcement of a covered action or related action; and (4) the whistleblower provides certain additional information to Treasury and DOJ upon request.

One key function of the proposed rule is to thoroughly define what qualifies as “original information.” It identifies four elements that must be met for FinCEN to find that a whistleblower provided qualified original information. These elements are:

  • The information must be “derived from the independent knowledge or independent analysis of [the] whistleblower.” In the NPRM, FinCEN explains that independent knowledge does not require the whistleblower to have direct, first-hand knowledge of potential violations. Rather, their knowledge must be obtained from their own experiences, observations, or communications, and not from public sources. On the other hand, independent analysis may be based on information that is generally available or known, as long as the analysis “results in material insights” that are not generally known or available to the public.
  • The information is not already known to Treasury or DOJ.
  • The information is not exclusively derived from an allegation made in a publicly available source, including judicial or administrative hearings.
  • The information is provided to Treasury or DOJ after the enactment of the statutes that established the Whistleblower Program and amended its scope (January 1, 2021 for violations of the BSA, and December 29, 2022 for violations of the IEEPA, TWEA, and the Kingpin Act).

Equally important is the proposed rule’s definition of voluntariness. In the proposed rule, FinCEN explains that a submission is voluntary if it is made before the whistleblower receives any request for information about the subject matter. Thus even an informal request for information would negate the voluntariness requirement.

The proposed rule also defines “covered action” as  “an administrative or judicial action taken by Treasury or DOJ under certain ‘covered statutes’ … the BSA, IEEPA, TWEA, and the Kingpin Act” where monetary sanctions exceed $1,000,000. Notably, the proposed rule grants FinCEN the discretion to treat multiple actions as a single “covered action” if they arise out of substantially the same facts, such that those actions could collectively exceed the $1,000,000 threshold.

Through these regulatory definitions, FinCEN seeks to establish clear standards for the circumstances under which a whistleblower may be entitled to an award, as well as situations in which a whistleblower may be excluded from participation.

One key limitation FinCEN proposes is a 120-day waiting period for whistleblowers involved in fiduciary or compliance roles within an entity. The proposed rule would prevent whistleblowers from receiving an award where their position in certain key roles within an entity—such as serving as a director or trustee, participating in internal compliance processes, or serving as an employee or outside contractor with duties involving audit or compliance responsibilities—is the reason the whistleblower obtained the potentially reportable information, and they report the information within 120 days of learning it. According to FinCEN’s announcement, this waiting period seeks to provide entities an opportunity to address issues or voluntarily disclose information to the government, and to avoid incentives for whistleblowers to undermine effective compliance programs.

Implications

Through this proposed rule, FinCEN clearly seeks to signal renewed, enhanced enforcement of financial crimes, and incentivize whistleblowers to come forward.

In addition to spelling out eligibility criteria, which in theory lessens the uncertainty potential whistleblowers may feel about their opportunity to gain from acting as a whistleblower, the proposed rule contains numerous provisions detailing procedural and operational implementation of the program. These provisions, which, for example, identify a secure portal for submitting information, detail the process for submitting and adjudicating award applications, and spell out confidentiality and anti-retaliation protections, seek to provide even further comfort for potential whistleblowers and establish a robust program for soliciting and processing tips.

FinCEN is accordingly projecting a substantial increase in the number of whistleblower tips it receives, estimating that it will receive approximately 250 original submissions and 150 supplemental submissions annually within three years of the rule’s effective date. This is a dramatic increase from the approximately 90 submissions it received per year between 2021 and 2024.

As the rule is not yet final (it is subject to a 60-day notice and comment period), some of the details may change. Nonetheless, the proposed framework provides substantial insight into the direction FinCEN is moving, and suggests is quite possible that there will be a notable increase in whistleblower activity following the rule’s implementation.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

As part of the U.S. Department of Treasury’s efforts to modernize the U.S. anti-money laundering regulatory and supervisory framework, the Financial Crimes Enforcement Network (FinCEN) has issued a proposed rule that would reform how financial institutions design and operate their anti-money laundering and countering the financing of terrorism (AML/CFT) programs. Though not a wholesale rebuild of the existing framework, FinCEN and the banking regulators are signaling a new emphasis on an approach that prioritizes risk-based effectiveness over process-driven compliance and establish FinCEN’s central role in AML/CFT supervision among the Federal bank regulators.

The Current Regulatory Landscape for AML/CFT Programs

Under the Bank Secrecy Act (BSA), financial institutions are required to establish AML/CFT programs designed to identify, prevent, and report financial crime. FinCEN, as the administrator of the BSA, plays a principal role in setting program standards and coordinating with federal banking supervisors – including the Federal Reserve, the Federal Reposit Insurance Corporation (FDIC), the Office of the Comptroller of Currency (OCC), and the National Credit Union Administration (NCUA) – who examine the institutions they oversee for compliance.

Historically, institutions’ compliance has been measured in part on whether they are adequately managing their AML / CFL responsibilities, with regulators assessing the design and operation of compliance programs. Much of the reform is aimed at moving away from a framework that critics argue encourages “check-the-box” compliance, focusing instead on achieving meaningful results. As Treasury Secretary Scott Bessent put it, “For too long, Washington has asked financial institutions to measure success by the volume of paperwork rather than their ability to stop illicit finance threats.” Bessent added that, “Our proposal restores common sense with a focus on keeping bad actors out of the financial system, not burying America’s banks in more red tape.”

What’s Driving the Rulemaking?

The proposed rule is part of Treasury’s broader effort to modernize the AML/CFT regulatory and supervisory framework. It also implements key provisions of the Anti-Money Laundering Act of 2020 (AML Act), which, among other things, directed FinCEN and federal regulators to consider that compliance programs should be “risk-based, with more financial institution attention and resources directed toward higher-risk customers and activities…rather than toward lower-risk customers and activities.”

Results Over Process

FinCEN’s Fact Sheet accompanying the proposed rule identifies six key reforms that, taken together, signal a regulatory philosophy focused on outcomes rather than procedural box-checking:

  • Refocusing compliance obligations and expectations on effectiveness by distinguishing between deficiencies stemming from program design (“establishment”) and program implementation (“maintenance”);
  • Reinforcing Treasury’s belief that financial institutions are best positioned to identify and evaluate their money laundering, terrorist financing, and illicit finance risks;
  • Empowering financial institutions to direct more attention and resources toward higher-risk customers and activities;
  • Clarifying expectations related to certain program requirements and functions – including independent testing and audit functions – to ensure that examiners and auditors do not substitute their subjective judgment in place of financial institutions’ risk-based and reasonably designed AML/CFT programs;
  • Affirming FinCEN’s central role in AML/CFT supervision, including through the introduction of a notice and consultation framework between Federal banking supervisors and FinCEN with respect to significant AML/CFT supervisory actions;
  • Incorporating the AML/CFT Priorities in both AML/CFT program requirements and considerations involving significant supervisory or enforcement actions.

Three Areas of Significant Impact

Among these reforms, three are likely to have the most immediate impact on day-to-day compliance.

First, the proposed rule would make FinCEN the gatekeeper for significant supervisory and enforcement actions. Under a new notice and consultation framework, federal banking supervisors would be required to give FinCEN’s Director at least 30 days’ advance written notice before initiating a significant AML/CFT supervisory action under delegated authority. For banks, this suggests that FinCEN – not any single prudential regulator – will increasingly set the tone for AML/CFT supervision. Both the American Bankers Association and Bank Policy Institute   welcomed this development citing FinCEN’s “elevated role” as a step towards “ensur[ing] greater alignment and consistency across agencies.”

Second, the rule would establish that only “significant or systemic failures” to maintain a properly established AML/CFT program would warrant enforcement or significant supervisory action. In practice, this could reduce enforcement risk for institutions with sound programs but experience isolated implementation issues.

Third, the rule would include the four “core pillars” that an AML/CFT program must incorporate pursuant to the BSA: (1) internal policies, procedures, and controls, including risk assessment processes; (2) independent program testing; (3) designation of a U.S.-based compliance officer; and (4) ongoing employee training. By standardizing these requirements across institution types, FinCEN aims to promote consistency and reduce the patchwork of obligations that currently exist.

What’s Next?

FinCEN is accepting public comments for 60 days following publication of the Notice of Proposed Rulemaking in the Federal Register. The federal banking supervisors – the Federal Reserve, FDIC, OCC, and the NCUA – are also expected to issue their own proposed rules in substantive alignment with FinCEN’s proposal. Financial institutions should begin evaluating how these changes may affect their programs and whether to weigh in during the comment period.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.