The Federal Reserve wants banks cited only for significant or systemic AML failures. We map what its risk-based AML program rule changes for compliance teams.
Table of contents
The Federal Reserve has proposed a risk-based AML program rule that would cite supervised banks only for "significant or systemic" failures, not isolated slips. The Board voted 6 to 1 on 7 July 2026 to seek comment, aligning its Regulation H with the wider AML Act of 2020 overhaul. Comments close 8 September 2026.
- The Federal Reserve Board approved the proposal 6 to 1 on 7 July 2026, with Governor Michael Barr the sole dissent, and published it in the Federal Register on 9 July 2026.
- The rule would require Board-supervised banks to run programs "reasonably designed to identify, assess, and mitigate risks of illicit finance", and reserve enforcement for significant or systemic failures, not routine or one-off lapses.
- It is the Federal Reserve's companion to the FinCEN, OCC, FDIC and NCUA package proposed on 10 April 2026, so all five regulators now move toward one risk-based AML program standard.
- Core duties survive: customer due diligence, beneficial ownership collection, independent testing, ongoing training and a US-based AML/CFT officer all remain.
- The public comment period closes on 8 September 2026.
What did the Federal Reserve actually propose?
On 7 July 2026 the Federal Reserve Board voted to seek comment on a notice of proposed rulemaking that rewrites the anti-money laundering rules for the banks it supervises. Filed as Docket No. R-1835 (RIN 7100-AG78), the proposal amends 12 CFR Part 208 and was published in the Federal Register on 9 July 2026. It is a notice, not a final rule, and nothing changes for banks yet.
The rule would require each supervised bank to establish and maintain an AML/CFT program "reasonably designed to identify, assess, and mitigate risks of illicit finance", in the Board's own words. That phrase matters: it shifts the legal test from box-ticking toward demonstrable effectiveness. The Board frames the change as implementing the Anti-Money Laundering Act of 2020, which Congress passed to modernise a regime largely unchanged since the Bank Secrecy Act of 1970.
| Detail | Value |
|---|---|
| Regulator | Board of Governors of the Federal Reserve System |
| Instrument | Notice of proposed rulemaking (Docket R-1835, RIN 7100-AG78) |
| Rule amended | 12 CFR Part 208 (Regulation H), section 208.63 |
| Board vote | 6 to 1, Governor Michael Barr dissenting |
| Published | Federal Register, 9 July 2026 |
| Comment deadline | 8 September 2026 |
How would the "significant or systemic" threshold work?
The headline change is enforcement posture. Once a bank has properly built its program, the Board would reserve AML/CFT enforcement and significant supervisory actions for "significant or systemic" implementation failures, rather than isolated, technical or immaterial shortcomings. In plain terms, a single missed alert or a one-off documentation gap should no longer drive a formal citation.
This is the Federal Reserve completing a set. FinCEN and the other banking agencies (the OCC, FDIC and NCUA) proposed their matching AML program rules on 10 April 2026; the Federal Reserve is the last of the five to move. The stated goal is one consistent, risk-based AML program standard so a state member bank is not judged against different yardsticks by different supervisors.
| Regulator | Program rule | Institutions covered | Proposed |
|---|---|---|---|
| FinCEN | 31 CFR 1020.210 | All banks (Title 31) | 10 April 2026 |
| OCC | 12 CFR 21.21 | National banks | 10 April 2026 |
| FDIC | 12 CFR 326.8 | State non-member banks | 10 April 2026 |
| NCUA | 12 CFR 748.2 | Federal credit unions | 10 April 2026 |
| Federal Reserve | 12 CFR 208.63 | State member banks | 7 July 2026 |
The design duty itself becomes explicit. A compliant risk-based AML program must assess exposure across products, services, delivery channels, customer types and geographies, then allocate more attention and resources to higher-risk relationships. That is a familiar idea in examination practice; the proposal writes it into the rule text.
What does the risk-based AML program rule change for your obligations?
Less than the enforcement rhetoric suggests. The proposal changes the sequencing and the effectiveness framing of a program, not the underlying pillars. Every core Bank Secrecy Act duty a bank runs today survives the rewrite. What follows maps the specific obligations against the new standard.
Customer due diligence and enhanced due diligence stay. The 2016 CDD rule and its beneficial ownership collection requirement remain in force, and examiners still test against them. A risk-based AML program must still identify the customer, verify identity, understand the nature and purpose of the relationship and resolve who ultimately owns the entity, with heavier checks on higher-risk customers.
Suspicious activity reporting is untouched. Filing thresholds and timelines under FinCEN rules do not move; a bank that spots reportable activity must still file its Suspicious Activity Report. Sanctions and politically exposed person screening obligations, which sit under separate OFAC and FinCEN authorities, are equally unaffected by this program rule.
The four pillars persist. Internal policies and controls, a designated compliance officer (now required to be US-based), an ongoing training program and independent testing all remain mandatory. What the rule adds is a duty to show the program is reasonably designed to work, and board-level approval of the written program. The practical shift is evidentiary: you will be judged less on whether a control exists and more on whether your risk assessment justifies it.
What is still uncertain or risky about the proposal?
Plenty, which is why it drew a dissent. Governor Michael Barr voted no, warning in his published statement that the proposal introduces a "new, undefined standard" for matters requiring attention and enforcement. His concern, in his words, is that "the 'significant or systemic' standard may have unknown effects" on the Board's ability to substantiate that a bank actually maintains a compliant program.
The core open question is where "significant or systemic" begins. The proposal does not draw a bright line between an isolated lapse and a systemic one, leaving examiners with wide discretion and banks with less certainty about when conduct crosses into citable territory. Two supervisors could reasonably reach different conclusions on the same facts, which is the opposite of the consistency the package promises.
Timing is a second risk. This is a proposal with a comment window to 8 September 2026, then a final rule, then implementation. Banks that read the softer posture as a reason to slow investment could find the standard tightened after comment, or find that a lighter citation regime does nothing to shield them from a Department of Justice or state action. Enforcement did not disappear; it moved its trigger.
Does a lighter citation threshold mean lighter risk?
No. The duty to build an effective risk-based AML program is unchanged, and the cost of getting it wrong is set by the underlying event, not by the citation threshold. Recent penalties make the point: firms have absorbed nine and ten-figure AML settlements when weak controls let illicit flows through, from Canaccord's record FinCEN penalty to the EagleBank Bank Secrecy Act settlement, and none of those outcomes turned on whether a single alert was missed.
A higher bar for routine citations is best read as a bar against nitpicking, not a discount on genuine failure. If anything it raises the premium on a defensible risk assessment, because "significant or systemic" is judged against the program you designed. Thin customer due diligence, unresolved beneficial ownership and an audit trail you cannot produce are exactly the failures a supervisor, or a prosecutor, will call systemic.
How should compliance teams respond?
Start with the risk assessment, because the whole standard now hangs on it. Document how you score products, channels, customers and geographies, and make sure the controls you run map to that scoring. Tighten customer due diligence and beneficial ownership resolution at onboarding, keep independent testing genuinely independent, and preserve an exportable audit trail that shows an examiner why each control exists. File your comment before 8 September 2026 if the threshold language affects you.
Effective, evidence-first onboarding is where a risk-based AML program is won or lost, and it is where Zyphe helps. Zyphe reads the identity document's NFC chip to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, resolves ultimate beneficial ownership recursively across EU corporate registries, and issues a reusable credential so a verified customer can re-present elsewhere. Personal data is sharded across a distributed network with no central honeypot, and every check produces an exportable audit trail, all on usage-based pricing. If you want to see how that maps to your program, book a demo.
The bottom line
The Federal Reserve is proposing to change when a bank gets cited, not whether it must run an effective AML program. For teams running KYC and AML, the message is to invest in a defensible risk assessment and evidence-first customer due diligence, because "significant or systemic" is measured against the program you designed and can prove. A softer citation threshold rewards good design and punishes weak foundations. The obligations that matter, knowing your customer and resolving who really owns them, did not move.
Cited sources
- Federal Reserve notice of proposed rulemaking, AML/CFT programs (Federal Register, 9 July 2026)
- Federal Reserve proposed rule text, Docket R-1835 (federalreserve.gov)
- Governor Michael S. Barr, dissenting statement on the AML program proposal (7 July 2026)
- FinCEN news release, proposal to reform financial institution AML/CFT programs (10 April 2026)
- American Banker, Fed proposal calls for higher threshold for BSA/AML citation
Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.