Reference: OCC Bulletin 2026-11, issued April 7, 2026, announcing a joint notice of proposed rulemaking with the FDIC and NCUA to revise bank AML/CFT program requirements in parallel with FinCEN’s proposal.

This Is Not Just a Terminology Update

The Office of the Comptroller of the Currency’s April 7, 2026 bulletin about new AML/CFT program requirements will attract attention because it changes familiar language. Banks that have lived for years with the phrase “BSA compliance program” may be tempted to read the proposal as a rebranding exercise. That would be a mistake. The more important shift is structural. The proposal points supervised institutions toward a more explicit risk-assessment foundation, direct consideration of FinCEN’s national AML/CFT priorities, clearer integration of customer due diligence requirements, and a more defined framework for when regulators conclude a bank has actually established and maintained an effective program.

For national banks and federal savings associations, the business impact is not limited to compliance department vocabulary. If finalized substantially as proposed, the rule would affect governance, exam preparation, control design, issue escalation, board reporting, and how institutions justify the allocation of compliance resources. The banks that do best under this kind of change are usually the ones that start by asking how the rule changes decisions, not just policy headings.

What the OCC Said on April 7, 2026

According to OCC Bulletin 2026-11, the OCC, FDIC, and NCUA issued a joint notice of proposed rulemaking to amend the Bank Secrecy Act program rules each agency applies to its supervised institutions. The proposal would align the agencies’ rules with concurrent FinCEN amendments required by the Anti-Money Laundering Act of 2020. The bulletin highlights several notable features:

  • a formal risk assessment process built into AML/CFT program rules, including consideration of national AML/CFT priorities;
  • incorporation of customer due diligence requirements already reflected in FinCEN regulations;
  • conforming amendments tied to changes made by the AML Act; and
  • a new notice and consultation framework involving FinCEN before certain AML/CFT enforcement or significant supervisory actions are initiated.

Those are not cosmetic changes. They go to the heart of how a bank demonstrates that its program is reasonably designed and actually functioning.

Who Needs to Read This Proposal Closely

This proposal has the strongest immediate consequences for four groups inside a bank.

Compliance leadership

Chief compliance officers, BSA officers, AML leaders, and enterprise-risk teams will need to evaluate whether their current risk assessment is robust enough to serve as the foundation for the program rather than just one component among many. If the risk assessment is stale, generic, or disconnected from actual alerting, investigation, and reporting decisions, that gap becomes harder to ignore.

Senior management and the board

Boards do not need to run transaction monitoring, but they do need a clearer line of sight into whether the bank’s AML/CFT program is appropriately designed for the institution’s customer base, products, channels, geographies, and growth plans. Under a more explicit effectiveness framework, board oversight materials may need to become more substantive and less checklist-driven.

Internal audit and testing functions

Independent review teams should expect a heavier focus on whether the bank’s controls make sense for its risk profile, not just whether required policy sections exist. Testing that proves a form was completed may not be enough if the underlying risk logic is weak.

Legal and regulatory affairs

Because this is a proposal, not a final rule, institutions still have a window to analyze the text, identify implementation burden, and consider whether a comment letter is warranted. Counsel can also help management distinguish between what is changing immediately and what should be monitored until final rulemaking occurs.

The Strategic Shift Banks Should Focus On

The most important concept in the proposal is the move away from a purely mechanical understanding of BSA compliance. Regulators appear to be asking a more practical question: is the program reasonably designed to identify, assess, and address the bank’s actual illicit finance risks in a way that produces useful outcomes? That question changes the conversation.

For example, a bank may have policy language, annual training, customer due diligence files, automated monitoring, and suspicious activity reporting procedures. But if its risk assessment does not meaningfully incorporate customer types, delivery channels, geographic exposure, or the national AML/CFT priorities published by FinCEN, the program may be harder to defend as coherent. Likewise, if the bank cannot explain why certain scenarios, thresholds, or staffing decisions make sense for its risk profile, the existence of controls alone may not be persuasive.

Business Impact Areas Banks Should Start Evaluating Now

Risk assessment design

Many institutions will need to revisit how frequently they refresh enterprise AML risk assessments, what data informs them, and whether the results actually drive monitoring, due diligence, and escalation decisions. A risk assessment that is disconnected from operations can become a liability under an effectiveness-focused regime.

CDD integration

The proposal expressly incorporates customer due diligence requirements. That makes it harder to treat CDD as a separate box-checking exercise. Customer risk rating logic, beneficial ownership handling, periodic review practices, and event-driven updates should make sense alongside the rest of the AML/CFT program.

Governance and board reporting

Banks should review whether their board reports meaningfully describe risk changes, control performance, backlogs, staffing pressure, validation results, and material issues. Reports that only recite training completion or SAR counts often do not tell leadership whether the program is working well enough.

Examination readiness

If examiners increasingly assess whether a bank has both established and maintained an effective program, institutions may need better evidence of ongoing oversight. That can include issue-remediation tracking, model or scenario validation, tuning decisions, and documented rationale for risk-based prioritization.

Resource allocation

The rule proposal may force difficult budget conversations. A bank that claims a risk-based approach while starving the functions needed to execute that approach creates its own credibility problem. Management should be prepared to explain how staffing, technology, and training align with the institution’s stated risk profile.

Questions Management Should Ask Before This Rule Is Final

  1. Does our current AML risk assessment genuinely drive our program design?
  2. Can we explain how we considered FinCEN’s national AML/CFT priorities in a way tied to our own products, customers, and channels?
  3. Do our board materials show effectiveness, or only activity?
  4. Are our CDD processes integrated with monitoring and escalation, or managed in silos?
  5. If the final rule resembles the proposal, what implementation changes would require the longest lead time?
  6. Should the institution submit comments on burden, clarity, timing, or examiner application?

Why Early Preparation Matters Even Though This Is Still a Proposal

Banks do not need to overhaul programs overnight based on a notice of proposed rulemaking. They should, however, use the proposal period to identify where their current framework is thin. Waiting until a final rule is issued can compress governance, technology, and staffing decisions into a much shorter time frame. Institutions that perform a disciplined gap assessment now will be in a better position to decide what requires immediate planning, what can wait for a final rule, and what is already strong enough to carry forward.

This is also the right time to separate real risk from vague compliance anxiety. Not every bank needs the same degree of redesign. A community-focused institution with a narrower product set may face different implementation demands than a larger or more complex bank. But every supervised institution should be able to explain why its program is reasonably designed for its own risk profile.

Bottom Line

The OCC’s April 7, 2026 proposal matters because it pushes AML/CFT governance toward substance over labels. The institutions most likely to benefit from acting early are the ones that review their risk assessment logic, board reporting, CDD integration, and examination readiness now, while the rule is still in proposed form. That approach creates optionality: the bank can improve weak areas, prepare meaningful comments, and enter the final-rule phase with fewer surprises.

Frequently Asked Questions

Is OCC Bulletin 2026-11 a final rule?

No. It announced a notice of proposed rulemaking on April 7, 2026. Banks should distinguish between current requirements and changes that may take effect only after final rulemaking.

What is the practical significance of the term AML/CFT program?

The proposal suggests a broader and more integrated framework than the legacy shorthand of a BSA compliance program, with explicit attention to risk assessment, CDD, and national priorities.

Should community banks care about this proposal?

Yes. The OCC specifically noted that the proposal applies to all national banks and federal savings associations, including community banks, though implementation burdens may differ by size and complexity.
