Staying ahead in AML compliance means understanding how each development, large or small, shapes the landscape you operate in. Whether it’s a sweeping reform, a small adjustment, or a new red flag to watch for, every update carries consequences for the way you do business.

This update brings together the most recent and impactful developments from regulators, law enforcement, and industry guidance, then looks ahead to what they mean for 2026. From targeted rule adjustments to shifts in enforcement priorities and fresh insights on emerging risks, you’ll find both the facts and the practical takeaways to help your institution prepare for what’s next.

Key Developments in AML: 2024 & 2025

Modernization is Here: FinCEN’s AML/CFT Program Overhaul

On June 28, 2024, FinCEN issued a Notice of Proposed Rulemaking (NPRM) that would make some of the most significant structural changes to AML/CFT programs in years. The proposal would explicitly require all covered financial institutions to maintain a program that is effective, risk-based, and reasonably designed.

In practice, under the NPRM, every AML/CFT program would need to:

• Identify, assess, and reasonably mitigate illicit-finance risks based on both the institution’s own risk assessment and FinCEN’s national AML/CFT priorities.
• Comply with all relevant BSA recordkeeping and reporting requirements.
• Provide information with a “high degree of usefulness” to law enforcement and regulators.

It would also formalize something many institutions already treat as essential: a mandatory risk assessment process. While risk assessments have long been best practice, FinCEN’s new framework would make them an explicit requirement for all covered entities.

The NPRM’s intent is twofold: strengthen the BSA framework to keep pace with evolving threats and give financial institutions greater flexibility in how they meet those obligations. That flexibility is especially important for smaller institutions that shoulder disproportionate compliance costs.

The role of technology in modernization

The NPRM echoes the AML Act of 2020 in encouraging responsible innovation, including AI and advanced analytics, to improve program performance. AI tools in particular can drastically reduce false positives, accelerate investigations, and detect complex typologies, but only when paired with strong governance and human oversight. Examiners will expect you to be able to explain and account for the decisions of any AI model employed in your AML program.

As an IBM training manual from 1979 is often quoted: “A computer can never be held accountable. Therefore, a computer must never make a management decision.” The world has changed since then, but the point stands: final say on important matters should stay with humans.

Steps to take for 2026 readiness

• Refresh your risk assessment now with the NPRM’s priorities in mind, and document how each risk links to controls and monitoring.
• Map program elements to outcomes to show how your procedures and technology choices produce “highly useful” information for law enforcement.
• Pilot technology enhancements such as AI-assisted alert scoring or entity resolution, but keep human investigators in the loop for all final decisions.
• Document your model governance to ensure any AI or analytics tools are explainable, customizable, and validated regularly.

By treating modernization as an ongoing process—linking risk assessments to national priorities, aligning controls to actual risks, and using technology to sharpen rather than replace human judgment—you’ll be well positioned when this NPRM becomes final.

The Net Widens: Expanding AML Coverage to New Sectors

Two recent rulemakings extend AML obligations into sectors that have historically operated outside full BSA program requirements, signaling FinCEN’s intent to close longstanding coverage gaps.

Residential real estate transactions

A final rule issued August 29, 2024 will require certain title and settlement agents to file reports on specified all-cash transfers of residential property to legal entities or trusts. The rule takes effect December 1, 2025, replacing the patchwork of Geographic Targeting Orders with a nationwide standard.

Why it matters: Real estate has been a favored channel for laundering illicit proceeds, particularly through anonymous entity purchases. Bringing these transactions into BSA reporting will give law enforcement a clearer picture of beneficial ownership and payment flows, data that banks may also find useful when those entities seek other financial services.

Investment advisers

On September 4, 2024, FinCEN finalized a rule adding SEC-registered and “exempt reporting” advisers to the BSA’s definition of “financial institution,” with a requirement to establish AML programs and file suspicious activity reports (SAR) beginning January 1, 2026. In July 2025, however, FinCEN announced it would postpone the effective date to January 1, 2028 while it reviews and potentially narrows the rule’s scope.

Why it matters: Even with the delay, the direction is clear: wealth management and advisory activities are on the regulatory radar. Institutions with affiliated advisers or advisory partnerships should treat the next two years as time to prepare.

Practical impact for community financial institutions

• For real estate: Because Real Estate Reports (filed by title/settlement agents) are confidential and not shared with banks, determine whether to reflect this typology in your risk assessment and whether any updates to CDD/EDD, onboarding questions, or event-driven reviews are appropriate for non-financed transfers to entities/trusts.
• For advisers: Map existing KYC and monitoring processes against BSA program requirements so any gaps are identified well before the new effective date.
• For both: Review contracts and procedures for any third-party relationships in these sectors to ensure AML responsibilities are clearly allocated.

Targeted Regulatory Adjustments: TIN Collection Flexibility and BOI Reporting Changes

Not every regulatory development comes in the form of a major new requirement—some offer targeted relief that can streamline compliance without weakening safeguards. Two recent moves from FinCEN fit that bill.

CIP Rule – TIN collection exemption

On June 27, 2025, FinCEN and the federal banking agencies issued a Customer Identification Program (CIP) rule exemption allowing banks and credit unions to collect a customer’s Taxpayer Identification Number (TIN) from a reliable third-party source before account opening, rather than directly from the customer. The exemption applies to all account types and mirrors an existing carve-out for credit card issuers.

Why it matters: For community institutions, especially those with digital onboarding or fintech-partner channels, this removes a longstanding friction point. By tapping into verified data sources, institutions can speed account openings, reduce abandonment rates, and still meet CIP’s identity verification requirements.

Practical impact for community financial institutions

• This is optional relief, so institutions may use the exemption or continue collecting TINs directly.
• Applies to all account types, so there’s no need for separate procedures by product.
• Risk-based procedures are still required to verify accuracy when using third-party data.
• Effective immediately; no implementation deadline.

Corporate Transparency Act (CTA) – BOI reporting narrowed

On March 26, 2025, FinCEN published an interim final rule eliminating beneficial ownership information (BOI) reporting for U.S.-created entities, narrowing the Corporate Transparency Act’s scope to foreign companies only.

For banks and credit unions, the operational impact is limited: the 2016 CDD rule still requires you to collect BOI at account opening, but FinCEN’s database will no longer contain domestic-entity records to cross-check.

What this means in practice

• No change to core processes: Your institution’s CDD collection remains the primary record for domestic customers.
• Foreign entities still report: If a customer falls into the remaining CTA reporting category, their BOI filing can be used as supplemental evidence in due diligence.
• Remove database checks for domestic entities: Since no BOI record will exist, there’s no value in attempting a FinCEN lookup for these customers.

While the change is more significant for the reporting companies themselves, institutions should still update onboarding procedures and training to reflect the narrowed CTA scope.

DOJ Narrows Crypto Focus

On April 7, 2025, the Department of Justice issued a memorandum significantly narrowing its digital asset enforcement priorities. The DOJ will now focus on prosecuting individual users engaged in fraud, sanctions evasion, and other serious crimes, while deprioritizing compliance gaps at crypto platforms. The memo also formally disbanded the National Cryptocurrency Enforcement Team (NCET).

What this means for financial institutions

• Lower direct enforcement risk for platforms may shift more illicit activity detection responsibility downstream, meaning you may see more suspicious user-level activity in your own channels.
• Civil/regulatory obligations are unchanged: FinCEN, state regulators, and banking agencies still expect robust BSA/AML programs for any crypto-exposed customers.
• Screening and monitoring need to adapt: As enforcement pivots away from platforms, high-risk behaviors like the use of mixing services (services that obscure where funds come from), privacy-focused tokens, or rapid transfers between crypto networks may appear more often in ordinary customer activity.

Practical steps to take

• Update your risk assessment for crypto exposure, even if you don’t bank exchanges directly.
• Build investigative playbooks for crypto-linked transactions, including the use of blockchain explorers (crypto transaction lookup) and due diligence on crypto service providers.
• Strengthen sanctions screening and EDD for customers with known or likely digital asset activity.

While the DOJ’s shift may signal a friendlier federal posture toward the industry, it also highlights the need for institutions to maintain their own vigilance. Your program is still the first (and sometimes only) line of defense against illicit crypto flows.

Recent Advisories and the Threat Landscape

Over the past year, FinCEN has issued several advisories aimed at helping financial institutions detect and report specific, high-priority threats. While these advisories are not new regulations, they outline red flags and transaction patterns that regulators expect institutions to incorporate into their risk assessments and monitoring.

ISIS financing (April 1, 2025)

This advisory describes how ISIS and its affiliates raise, move, and store funds — including the use of charitable organizations as fronts, cross-border transfers in conflict-adjacent regions, and peer-to-peer payment platforms.

Key takeaway for your institution: Incorporate the advisory’s red flags into transaction monitoring rules and ensure SAR narratives reference the advisory if activity matches its patterns.

Iranian oil smuggling & shadow banking (June 6, 2025)

FinCEN warns of illicit shipping methods, falsified documentation, and complex payment chains used to evade U.S. sanctions on Iranian oil. The advisory also notes the role of “shadow banking” networks, informal or hidden financial systems outside normal channels.

Key takeaway: If you have customers involved in commodities, energy, or international trade, review your due diligence and monitoring for signs of these typologies, such as repeated use of intermediaries in high-risk jurisdictions.

Fentanyl-related illicit finance (April 9, 2025)

FinCEN’s Financial Trend Analysis highlighted $1.4 billion in suspicious activity in 2024 tied to the fentanyl supply chain. Common patterns included cash deposits, funnel accounts (where funds are deposited in one location and withdrawn in another), bulk money orders, and payments to chemical suppliers in China.

Key takeaway: Update your monitoring scenarios to spot these patterns, especially in areas with known drug trafficking activity.

OCC Semiannual Risk Perspective (Spring 2025)

The OCC reiterated in its Spring 2025 Semiannual Risk Perspective that BSA/AML and fraud risks remain elevated, citing fintech partnerships as a potential vulnerability if not properly managed. Rapid adoption of new technologies can create control gaps if vendor oversight and data integration aren’t strong.

Key takeaway: Review third-party risk management practices, especially for fintech partners that perform customer onboarding or transaction processing on your behalf.

Steps to take

• Add advisory-specific red flags to your transaction monitoring rules and SAR guidance.
• Refresh risk assessments to reflect these emerging threats.
• Coordinate between AML and fraud teams on typologies that overlap, such as scams or mule accounts tied to fentanyl trafficking.
• Ensure fintech and vendor oversight processes cover AML controls, not just operational performance.

These advisories and the OCC’s risk assessment are reminders that even without far-reaching new rules, expectations are always shifting. Institutions that can quickly integrate threat intelligence, adjust monitoring, and manage third-party risk will be in the best position to navigate what’s ahead.

2026 Outlook: What to Expect and How to Prepare

As we head into 2026, the AML environment for community financial institutions is being shaped less by sudden waves of new rulemaking and more by the steady convergence of trends already underway. Clearer expectations for program effectiveness, an evolving threat landscape, smarter use of technology, and the gradual broadening of AML obligations are all moving in parallel. Together, they’re defining what strong compliance will look like in the year ahead.

AML Effectiveness Over Checklists

FinCEN’s 2024 NPRM, when finalized, will hardwire “effective, risk-based, and reasonably designed” into AML/CFT program requirements. That means examiners will be looking for evidence that your program works against your risk profile, not just that it exists on paper. Risk assessments that drive controls, targeted monitoring rules, and clearly linked SAR outcomes will carry more weight than ever.

The NPRM also signals a willingness from regulators to work with the industry on mutually beneficial solutions. By clarifying priorities, inviting broad comment, and emphasizing flexibility in how requirements can be met, FinCEN is showing that modernization can be a collaborative process. For community institutions, that means the opportunity to help shape practical implementation and align compliance investments with regulatory expectations from the outset.

Persistent and Adaptive Threats

Recent FinCEN advisories on ISIS financing, Iranian oil smuggling, and fentanyl-related illicit finance confirm that threat typologies are evolving, often crossing jurisdictional and product lines.

The OCC’s Spring 2025 risk report likewise underscores elevated BSA/AML and fraud risk, emphasizing the need for institutions to quickly incorporate new red flags and typologies into monitoring and investigations.

These patterns illustrate that geopolitical instability, technological change, and high fraud levels will continue to define the risk environment.

Technology Adoption, with Smart Governance

The NPRM explicitly supports responsible adoption of technology, including AI and advanced analytics, to enhance detection and efficiency. However, regulatory statements and industry guidance stress that such tools must be explainable, validated, and paired with human oversight, reinforcing that automation should enhance, not replace, informed decision-making in AML programs.

Institutions that can demonstrate measurable gains in both efficiency and detection quality, and can clearly explain how their tools work, will be better positioned in exams.

Rising Expectations for Third-Party Oversight

The OCC has repeatedly highlighted the importance of effective oversight when financial institutions rely on third parties for onboarding, payment processing, or monitoring. The focus is not on treating fintech partners as inherently risky, but on ensuring partner controls meet regulatory standards and integrate smoothly with your institution’s own AML framework.

In 2026, examiners will likely continue to scrutinize how well institutions evaluate partner AML programs, manage data integration, and address any identified control gaps. As always, the right partner makes all the difference.

Gradual Broadening of AML Coverage

The residential real estate rule taking effect in December 2025 and the investment adviser rule, even with its delay to 2028, point toward a longer-term trend of extending AML requirements to high-risk sectors beyond traditional banking. This expansion could increase the number of customers and counterparties that arrive with their own compliance obligations, altering risk profiles and due diligence requirements for financial institutions.

Crypto Enforcement Shifts

The DOJ’s April 2025 memo narrowed federal enforcement priorities for digital assets, focusing on prosecuting end-user crimes rather than platform-level compliance violations. While this is widely viewed as a friendlier stance toward the digital asset industry, it also means more responsibility for detecting illicit activity could shift to the institutions serving those users.

Combined with a generally supportive policy climate (including legislation like the GENIUS Act on stablecoins), the environment for crypto-related services is becoming more permissive, but financial institutions must keep sanctions screening, customer due diligence, and monitoring capabilities robust.

Bottom Line: Steady Shifts, Higher Expectations

While 2026 may not bring a flood of brand-new rules, the cumulative effect of modernization, evolving threats, technology integration, gradual scope expansion, and enforcement recalibration will raise the bar for AML compliance. Institutions that use this time to align programs with the NPRM’s effectiveness standard, strengthen risk-based controls, and ensure both internal systems and vendor arrangements are examiner-ready will be best positioned to meet that higher bar.

For a deeper dive into these developments—including detailed breakdowns of recent regulatory changes, insights on FinCEN’s NPRM, and actionable steps for community financial institutions—download our white paper.

Read the white paper