A Two Part Series -Part One: Components

On April 7, 2026, FinCEN released a proposed rule that will eventually lead to a (hopefully) different approach to the way AML compliance programs are critiqued by federal and state regulators. The comment period on the rule ends in June 2026 and the final rule would take effect 12 months after publication (April 2027).
Among the changes that the proposed rule will established is a regulatory requirement for a risk assessment. Currently, completing a risk assessment is considered a best practice, but the new rule will change that. The reason for this change is to enshrine the idea that it is the risk assessment that should be the “beating heart” of the AML compliance program. The identification of inherent risks in the day-to-day operation of the business is a crtitical task. Emphasis is being placed on the ability of the compliance team to develop a “base-case” for a typical customer. Once this base case is established, the compliance team can document customers, transactions and events that fall outside and take action accordingly. Under the proposed rule, regulators will be tasked with evaluating the risk assessment as the basis for internal controls and resource allocation.
One of the pillars under the new rule will be internal controls which are defined as
Established Internal Controls– including a risk assessment and written policies and procedures have been established. The program must include a risk-based set of policies, procedures, and controls that are reasonably designed to identify, assess, and mitigate illicit finance risks FDIC
Component Parts of a strong Compliance Risk Assessment
Past examination and audit results– it goes without saying that the past can be prelude to the future, especially in compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of the finding is determined and addressed. The compliance risk assessment must include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action must be more than additional training. Training tends to be the number one answer and of course it is important. However, without testing to determine whether the training is effective, the risk of repeat findings remains high. It should also be noted that a lack of past findings does not necessarily mean that the coast is clear. In some cases, there are findings that are lying in wait and have not yet been discovered. Each compliance area should be reviewed and rated regardless of whether there were past findings.
Changes in staff and management– change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, supposed the head of operations is brand new. This new manager will want to process their tasks using her/his own system. Staff who may be used to doing compliance checks at certain times during the process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should take into account the risks associated with changes including staff changes and how best to address them
Changes in products, customers or branches– continuing on with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur during the year. This will include any new products or services, new vendors, and marketing campaigns that are designed to entice new types of customers. The risk assessment should consider what resources will be required and how they should best be deployed. Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place.
Changes in Regulations– Over the past five years, there have been few changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact small financial institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process must consider changes that affect your company or will affect your company. As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year. Most regulators are transparent with this information, and their publications will indicate areas of examiner focus for the upcoming year.
FinCEN priorities – The regulation directs that the risk assessment should incorporate the priorities that FinCEN publishes. Currently FinCEN has note that there are eight priorities and there has been no order established yet. These priorities are:
- Corruption
- Cybercrime
- Terrorism Financing
- Fraud
- Transnational Criminal Organization
- Drug Trafficking Organization
- Human Trafficking
- Proliferation (Weapons) Financing
As part of the risk assessment, the compliance team should consider the possibility that clients could engage in any of these activities.
Monitoring systems in place – finally, the systems that you use to monitor compliance should be considered. For many small institutions, this system is comprised of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all an ounce of prevention……
***For More Information, please visit www.VCM4you.com ***