Learn more about the latest security and privacy threats
Editorial illustration for the article "The Fed's risk-based AML program rule: a higher bar for BSA citations".

The Federal Reserve wants banks cited only for significant or systemic AML failures. We map what its risk-based AML program rule changes for compliance teams.

Table of contents

The Federal Reserve has proposed a risk-based AML program rule that would cite supervised banks only for "significant or systemic" failures, not isolated slips. The Board voted 6 to 1 on 7 July 2026 to seek comment, aligning its Regulation H with the wider AML Act of 2020 overhaul. Comments close 8 September 2026.

  • The Federal Reserve Board approved the proposal 6 to 1 on 7 July 2026, with Governor Michael Barr the sole dissent, and published it in the Federal Register on 9 July 2026.
  • The rule would require Board-supervised banks to run programs "reasonably designed to identify, assess, and mitigate risks of illicit finance", and reserve enforcement for significant or systemic failures, not routine or one-off lapses.
  • It is the Federal Reserve's companion to the FinCEN, OCC, FDIC and NCUA package proposed on 10 April 2026, so all five regulators now move toward one risk-based AML program standard.
  • Core duties survive: customer due diligence, beneficial ownership collection, independent testing, ongoing training and a US-based AML/CFT officer all remain.
  • The public comment period closes on 8 September 2026.

What did the Federal Reserve actually propose?

On 7 July 2026 the Federal Reserve Board voted to seek comment on a notice of proposed rulemaking that rewrites the anti-money laundering rules for the banks it supervises. Filed as Docket No. R-1835 (RIN 7100-AG78), the proposal amends 12 CFR Part 208 and was published in the Federal Register on 9 July 2026. It is a notice, not a final rule, and nothing changes for banks yet.

The rule would require each supervised bank to establish and maintain an AML/CFT program "reasonably designed to identify, assess, and mitigate risks of illicit finance", in the Board's own words. That phrase matters: it shifts the legal test from box-ticking toward demonstrable effectiveness. The Board frames the change as implementing the Anti-Money Laundering Act of 2020, which Congress passed to modernise a regime largely unchanged since the Bank Secrecy Act of 1970.

DetailValue
RegulatorBoard of Governors of the Federal Reserve System
InstrumentNotice of proposed rulemaking (Docket R-1835, RIN 7100-AG78)
Rule amended12 CFR Part 208 (Regulation H), section 208.63
Board vote6 to 1, Governor Michael Barr dissenting
PublishedFederal Register, 9 July 2026
Comment deadline8 September 2026

How would the "significant or systemic" threshold work?

The headline change is enforcement posture. Once a bank has properly built its program, the Board would reserve AML/CFT enforcement and significant supervisory actions for "significant or systemic" implementation failures, rather than isolated, technical or immaterial shortcomings. In plain terms, a single missed alert or a one-off documentation gap should no longer drive a formal citation.

This is the Federal Reserve completing a set. FinCEN and the other banking agencies (the OCC, FDIC and NCUA) proposed their matching AML program rules on 10 April 2026; the Federal Reserve is the last of the five to move. The stated goal is one consistent, risk-based AML program standard so a state member bank is not judged against different yardsticks by different supervisors.

RegulatorProgram ruleInstitutions coveredProposed
FinCEN31 CFR 1020.210All banks (Title 31)10 April 2026
OCC12 CFR 21.21National banks10 April 2026
FDIC12 CFR 326.8State non-member banks10 April 2026
NCUA12 CFR 748.2Federal credit unions10 April 2026
Federal Reserve12 CFR 208.63State member banks7 July 2026

The design duty itself becomes explicit. A compliant risk-based AML program must assess exposure across products, services, delivery channels, customer types and geographies, then allocate more attention and resources to higher-risk relationships. That is a familiar idea in examination practice; the proposal writes it into the rule text.

What does the risk-based AML program rule change for your obligations?

Less than the enforcement rhetoric suggests. The proposal changes the sequencing and the effectiveness framing of a program, not the underlying pillars. Every core Bank Secrecy Act duty a bank runs today survives the rewrite. What follows maps the specific obligations against the new standard.

Customer due diligence and enhanced due diligence stay. The 2016 CDD rule and its beneficial ownership collection requirement remain in force, and examiners still test against them. A risk-based AML program must still identify the customer, verify identity, understand the nature and purpose of the relationship and resolve who ultimately owns the entity, with heavier checks on higher-risk customers.

Suspicious activity reporting is untouched. Filing thresholds and timelines under FinCEN rules do not move; a bank that spots reportable activity must still file its Suspicious Activity Report. Sanctions and politically exposed person screening obligations, which sit under separate OFAC and FinCEN authorities, are equally unaffected by this program rule.

The four pillars persist. Internal policies and controls, a designated compliance officer (now required to be US-based), an ongoing training program and independent testing all remain mandatory. What the rule adds is a duty to show the program is reasonably designed to work, and board-level approval of the written program. The practical shift is evidentiary: you will be judged less on whether a control exists and more on whether your risk assessment justifies it.

What is still uncertain or risky about the proposal?

Plenty, which is why it drew a dissent. Governor Michael Barr voted no, warning in his published statement that the proposal introduces a "new, undefined standard" for matters requiring attention and enforcement. His concern, in his words, is that "the 'significant or systemic' standard may have unknown effects" on the Board's ability to substantiate that a bank actually maintains a compliant program.

The core open question is where "significant or systemic" begins. The proposal does not draw a bright line between an isolated lapse and a systemic one, leaving examiners with wide discretion and banks with less certainty about when conduct crosses into citable territory. Two supervisors could reasonably reach different conclusions on the same facts, which is the opposite of the consistency the package promises.

Timing is a second risk. This is a proposal with a comment window to 8 September 2026, then a final rule, then implementation. Banks that read the softer posture as a reason to slow investment could find the standard tightened after comment, or find that a lighter citation regime does nothing to shield them from a Department of Justice or state action. Enforcement did not disappear; it moved its trigger.

Does a lighter citation threshold mean lighter risk?

No. The duty to build an effective risk-based AML program is unchanged, and the cost of getting it wrong is set by the underlying event, not by the citation threshold. Recent penalties make the point: firms have absorbed nine and ten-figure AML settlements when weak controls let illicit flows through, from Canaccord's record FinCEN penalty to the EagleBank Bank Secrecy Act settlement, and none of those outcomes turned on whether a single alert was missed.

A higher bar for routine citations is best read as a bar against nitpicking, not a discount on genuine failure. If anything it raises the premium on a defensible risk assessment, because "significant or systemic" is judged against the program you designed. Thin customer due diligence, unresolved beneficial ownership and an audit trail you cannot produce are exactly the failures a supervisor, or a prosecutor, will call systemic.

How should compliance teams respond?

Start with the risk assessment, because the whole standard now hangs on it. Document how you score products, channels, customers and geographies, and make sure the controls you run map to that scoring. Tighten customer due diligence and beneficial ownership resolution at onboarding, keep independent testing genuinely independent, and preserve an exportable audit trail that shows an examiner why each control exists. File your comment before 8 September 2026 if the threshold language affects you.

Effective, evidence-first onboarding is where a risk-based AML program is won or lost, and it is where Zyphe helps. Zyphe reads the identity document's NFC chip to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, resolves ultimate beneficial ownership recursively across EU corporate registries, and issues a reusable credential so a verified customer can re-present elsewhere. Personal data is sharded across a distributed network with no central honeypot, and every check produces an exportable audit trail, all on usage-based pricing. If you want to see how that maps to your program, book a demo.

The bottom line

The Federal Reserve is proposing to change when a bank gets cited, not whether it must run an effective AML program. For teams running KYC and AML, the message is to invest in a defensible risk assessment and evidence-first customer due diligence, because "significant or systemic" is measured against the program you designed and can prove. A softer citation threshold rewards good design and punishes weak foundations. The obligations that matter, knowing your customer and resolving who really owns them, did not move.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

No. It is a notice of proposed rulemaking published on 9 July 2026, open for public comment until 8 September 2026. A final rule, and any effective date, would follow after the Board reviews comments. Until then, current AML/CFT program requirements continue to apply to supervised banks.

It is the new threshold the Federal Reserve would use before citing a bank or taking significant supervisory action on program implementation. The Board would reserve those actions for genuinely systemic breakdowns, not minor or one-off lapses. The proposal does not define a precise line, which is a leading concern.

No. The 2016 customer due diligence rule and its beneficial ownership collection requirement remain in force, and examiners continue to test against them. A risk-based AML program must still verify identity, understand each relationship and resolve ultimate ownership, applying enhanced due diligence to higher-risk customers.

FinCEN, the OCC, the FDIC and the NCUA proposed their companion AML program rules on 10 April 2026. The Federal Reserve is the fifth and final regulator to move, so all five now advance toward one consistent, risk-based AML program standard for the banks they each supervise.

Governor Michael Barr cast the sole dissenting vote in the 6 to 1 decision. He argued the "significant or systemic" standard could have unknown effects on the Board's ability to substantiate that banks maintain compliant programs, and stressed that a strong AML/CFT supervisory posture remains critical.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo