FinCEN Rewrites the AML Rulebook

On April 7, 2026, the Financial Crimes Enforcement Network issued a landmark Notice of Proposed Rulemaking that, if adopted, would represent the most significant restructuring of US anti-money laundering program requirements in decades. Filed under the Bank Secrecy Act and implementing provisions of the Anti-Money Laundering Act of 2020, the proposed rules shift the compliance focus from technical checkbox compliance to a genuine effectiveness-based standard.

One day later, FinCEN and the Office of Foreign Assets Control jointly released a second NPRM under the GENIUS Act — creating, for the first time under federal law, a mandatory sanctions compliance program requirement for a specific category of US financial entities.

Both NPRMs have a comment deadline of June 9, 2026. Neither is yet in force. For compliance professionals who work with US-connected entities — or who simply want to understand where AML enforcement is heading — these proposals deserve close attention.

A Two-Tiered Framework: Establish First, Then Implement

Under FinCEN’s April 7 NPRM, AML/CFT program obligations would be divided into two distinct tiers, each carrying different compliance and enforcement consequences.

The first tier is program establishment. Financial institutions would be required to build an AML/CFT program incorporating four core elements: risk-based internal policies and controls, independent testing, a designated AML/CFT officer, and ongoing employee training. This is not new in concept — but the proposed rule codifies it with greater precision.

The second tier is program implementation. Once established, the program must be carried out “in all material respects.” And here is the key shift: if adopted, only significant or systemic failures to implement the program would warrant enforcement action or significant supervisory steps. Isolated or technical deficiencies would not.

This is a meaningful departure from the current approach, where even minor program gaps can attract regulatory scrutiny. The proposed framework, in theory, rewards institutions that have built genuine compliance infrastructure — and focuses enforcement resources on those with chronic, systemic breakdowns. Jones Day, in its analysis of the NPRM, noted that the risk-based approach has historically led to disagreements between regulators and banks, and cautioned that well-documented risk assessment processes will be essential if the framework is adopted. [1]

Innovative Technology as a Mitigating Factor

One of the more notable provisions in FinCEN’s proposed framework is the treatment of innovative compliance technology. If adopted, using artificial intelligence, machine learning, digital identity tools, blockchain analytics, and APIs would be considered a mitigating factor in enforcement decisions.

Importantly, this is not a safe harbour — adopting new technology would not guarantee protection from enforcement. But it signals a clear regulatory preference for institutions that actively invest in compliance modernization rather than relying on legacy systems. The proposed rules would also expand FinCEN’s oversight role: under a joint NPRM with FDIC, NCUA, and OCC, those agencies would be required to give FinCEN at least 30 days’ notice before initiating enforcement or significant supervisory actions. (The Federal Reserve did not join the joint NPRM.)

Stablecoins: The First-Ever Mandatory US Sanctions Compliance Program

On April 8, 2026 — one day after FinCEN’s standalone NPRM — FinCEN and OFAC jointly released a proposed rulemaking implementing the anti-financial crime provisions of the GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins Act).

If adopted, this NPRM would establish comprehensive AML/CFT obligations for permitted payment stablecoin issuers (PPSIs) under a new regulatory framework. But the historically significant provision is on the sanctions side: the GENIUS Act would be, if enacted as proposed, the first time federal law has explicitly mandated that a specific category of US persons maintain an effective sanctions compliance program.

Previously, OFAC sanctions compliance programs were built around OFAC’s voluntary 2019 Framework — encouraged, but never legally required. That voluntary standard would be codified as a binding requirement for PPSIs, with civil monetary penalties of up to $100,000 per day for material violations. [2]

The proposed rules distinguish between primary market activity — issuance, redemption, and burning of stablecoins, where full AML/CFT obligations would apply — and secondary market activity, such as person-to-person transfers. For secondary market transactions, PPSIs would need technical capability to block or freeze transactions, but would not face mandatory customer due diligence, ongoing monitoring, or SAR filing obligations under the proposal.

Note for Canadian readers: Canada’s Stablecoin Act has been enacted but is not yet in force. There is no equivalent Canadian mandatory sanctions compliance program for stablecoin issuers at this time.

Context: The $80 Million Enforcement Action That Preceded the Reform

These proposed reforms don’t exist in a vacuum. On March 6, 2026 — just one month before FinCEN issued its NPRM — FinCEN signed a consent order imposing an $80 million civil money penalty against Canaccord Genuity LLC, the largest Bank Secrecy Act enforcement action ever brought against a broker-dealer.

The penalty arose from chronic underfunding of AML compliance. At one point, only four employees — each with other job responsibilities, none with prior AML experience — were reviewing surveillance reports covering millions of transactions annually. Key trade surveillance reports went entirely unreviewed for stretches ranging from months to four years. And when regulators came calling, employees falsified nearly 400 documents in response to FINRA requests — described by Holland & Knight as “the ultimate aggravating factor” in the enforcement case. [3]

Parallel penalties from the SEC ($20 million) and FINRA ($20 million) brought the total coordinated action to $120 million. FINTRAC and CIRO in Canada separately pursued the same firm. The message from US regulators was clear: chronic underinvestment in AML compliance is not a cost-saving strategy. It is a liability — and one that regulators on both sides of the border will pursue simultaneously.

How This Compares to Canada’s New AML Standard

Canadian compliance professionals reading these US proposals will notice a familiar phrase at the centre of FinCEN’s proposed framework: reasonably designed, risk-based and effective.

That is precisely the new standard for PCMLTFA compliance programs introduced by Bill C-12, which received Royal Assent on March 26, 2026 — two weeks before FinCEN’s NPRM. For Canadian reporting entities, that standard is not proposed. It is in force. Maximum AMPs for very serious violations now reach $20,000,000, and a program that is not reasonably designed, risk-based, and effective can attract that maximum penalty.

The convergence between the US and Canadian approaches is notable: both regulators are moving away from procedural compliance and toward outcome-based effectiveness. The difference is that Canada is already there.


Keeping pace with regulatory developments on both sides of the border is essential for compliance teams — and effective, documented training is one of the most credible ways to demonstrate a “reasonably designed, risk-based and effective” program to FINTRAC examiners.


Sources

[1] Jones Day, “Modernizing AML/CFT: FinCEN Proposes Fundamental Reforms to Program Requirements” (May 2026): jonesday.com

[2] Covington & Burling, “FinCEN and OFAC Propose AML/CFT and Sanctions Framework for Permitted Payment Stablecoin Issuers: Five Things to Know” (April 16, 2026): cov.com

[3] Holland & Knight, “FinCEN Imposes Record Penalty on Broker-Dealer: Compliance Lessons Going Forward” (March 23, 2026): hklaw.com