FDIC FIL-12-2026: Proposed AML/CFT Program Requirements for Banks

Reference: FIL-12-2026

Official publication: Read the full FIL-12-2026 on the agency website

On April 7, 2026, the Federal Deposit Insurance Corporation issued Financial Institution Letter FIL-12-2026 announcing Board approval of a new notice of proposed rulemaking on anti-money laundering and countering the financing of terrorism program requirements for banks. The proposal is framed as a joint agency effort with the Office of the Comptroller of the Currency and the National Credit Union Administration, with a parallel FinCEN proposal issued at the same time. The official FDIC source is available here.

Executive Summary

FIL-12-2026 is significant because it does not merely restate long-standing Bank Secrecy Act program expectations. Instead, the FDIC describes a proposed framework intended to align the banking agencies’ AML/CFT program rule with FinCEN’s concurrent proposal and with the Anti-Money Laundering Act of 2020. The proposal would apply to all FDIC-supervised financial institutions and would require banks to establish and maintain AML/CFT programs reasonably designed to identify, assess, and mitigate risks of illicit finance.

Based on the FDIC’s summary, the proposal would preserve the familiar core architecture of a bank AML program while revising what counts as an adequately established and maintained program. The FDIC expressly states that an AML/CFT program would be deemed effective if it is established in accordance with the proposed rule’s establishment requirements and then maintained, meaning implemented in all material respects. That formulation matters. It signals that supervisory evaluation will remain tied to foundational program elements, but with more explicit attention to risk assessment processes, AML/CFT priorities, customer due diligence, and operational implementation.

For banks, the immediate legal consequence is not a new final obligation, but a need to compare existing program design against the structure described in the proposal. Institutions should treat this as a governance and rule-readiness exercise, particularly where current documentation, accountability structures, or testing protocols were built to older formulations of the AML program rule.

What the FDIC Issued

The FDIC states that its Board approved issuance of a new notice of proposed rulemaking and request for comment concerning AML/CFT program requirements. According to the FIL, the proposal is to be issued jointly with the OCC and the NCUA, while FinCEN has issued a separate notice of proposed rulemaking covering AML/CFT program requirements for financial institutions, including banks.

The FDIC describes the proposal as one that would revise AML/CFT program requirements for banks so they align with FinCEN’s rulemaking and remain consistent with the Anti-Money Laundering Act of 2020. The stated objective is to ensure that banks establish and maintain effective AML/CFT programs that better achieve the purposes of the Bank Secrecy Act and support more effective law enforcement and national security outcomes.

The FDIC’s highlights identify four core program components that would continue to anchor the rule, but with revisions. As summarized by the agency, a bank would be required to establish and maintain an AML/CFT program reasonably designed to identify, assess, and mitigate illicit finance risk through the following elements:

• a risk-based set of policies, procedures, and controls;
• independent testing;
• an individual responsible for establishing and implementing the program who must be U.S.-based and accessible to regulators; and
• an employee training program.

The FIL also states that the proposed establishment requirements would involve the four existing required BSA components with certain revisions. The revisions expressly identified in the source text are these:

1. the internal controls requirement would include risk assessment processes that incorporate the AML/CFT priorities issued under 31 U.S.C. 5318(h)(4);
2. FinCEN’s existing ongoing customer due diligence requirement would be added to the agencies’ program requirements; and
3. the proposal would incorporate an AML Act requirement, although the source excerpt provided here truncates that portion of the sentence before the requirement is fully described.

That final point should be handled carefully. The source material supplied for this memorandum clearly indicates that an additional AML Act requirement is being incorporated, but the excerpt cuts off mid-sentence. Without the full text of that passage, it would be inappropriate to characterize the omitted requirement more specifically.

Why It Matters

First, the proposal is important because it sharpens the connection between a bank’s AML/CFT program and documented illicit finance risk assessment. The FDIC is not describing internal controls in the abstract. It is describing a risk-based control framework that must identify, assess, and mitigate illicit finance risk and that must incorporate the statutory AML/CFT priorities. That should move many institutions toward more explicit mapping between enterprise risk assessment, customer and product risk, geographic exposure, transaction monitoring assumptions, and board-level oversight materials.

Second, the proposal matters because the FDIC’s description of an effective program ties effectiveness to both design and maintenance. A bank may have a formally complete program on paper and still face criticism if that program is not implemented in all material respects. From an examination perspective, that language supports closer scrutiny of whether training is current, whether independent testing is sufficiently probing, whether issue remediation is timely, and whether the designated responsible individual actually exercises accountable control over the program.

Third, the proposal matters because it emphasizes the role of a U.S.-based responsible individual who is accessible to regulators. For institutions with distributed compliance functions, foreign parent structures, shared-service arrangements, or substantial vendor involvement, the proposed requirement raises organizational questions. Regulators appear to be reinforcing that responsibility for establishment and implementation must rest with a specifically identifiable person within U.S. reach.

Fourth, adding FinCEN’s ongoing customer due diligence requirement into the agencies’ program requirements is not a cosmetic change. It reinforces that customer due diligence is not a stand-alone operational task but part of the core AML/CFT program structure. Banks that have historically managed customer due diligence in a separate procedural silo should expect pressure to show tighter integration among onboarding, risk rating, expected activity analysis, monitoring, and periodic review.

Practical Action Checklist

• Obtain and preserve the full text of FIL-12-2026 and the underlying proposed rule package, including the parallel FinCEN proposal, in the bank’s regulatory change management file.
• Map the current AML program document against the four elements identified by the FDIC: risk-based policies, procedures and controls; independent testing; a designated responsible individual; and employee training.
• Confirm in writing who is responsible for establishing and implementing the AML/CFT program, where that individual is located, and whether that person is demonstrably accessible to U.S. regulators.
• Review the bank’s enterprise BSA/AML risk assessment methodology and determine whether it expressly incorporates the AML/CFT priorities referenced in 31 U.S.C. 5318(h)(4).
• Test whether customer due diligence obligations are integrated into the program framework itself rather than addressed only in front-end onboarding procedures.
• Direct internal audit or independent testing personnel to assess whether the current program is implemented in all material respects, not merely documented in policy form.
• Inventory open validation gaps involving transaction monitoring scenarios, customer risk-rating logic, sanctions-adjacent escalation paths, and suspicious activity investigation timeliness, then tie each gap to a named remediation owner and deadline.
• Prepare a management memorandum for the board or appropriate committee identifying which features of the proposal would require policy amendments, committee charter changes, staffing adjustments, or budget requests if adopted as proposed.
• Evaluate whether the institution should submit a comment letter, especially if the bank has a complex operating model, foreign-affiliate dependencies, or practical concerns about how the proposed effectiveness standard will be examined.

Open Questions and Watch Items

The first open issue is the exact content of the full proposed regulatory text. The FIL provides a useful summary, but important supervisory consequences will turn on defined terms, cross-references, transition language, and the agencies’ explanation of how the effectiveness standard should be applied in examinations and enforcement settings.

The second open issue is the scope of any divergence between the agencies’ proposal and FinCEN’s parallel rulemaking. The FDIC says the proposal is intended to align with FinCEN’s rule, but alignment does not necessarily mean identical wording or identical supervisory expectations in application.

The third open issue concerns the truncated portion of the source text referring to an AML Act requirement being incorporated into the establishment requirements. Because the provided excerpt is incomplete at that point, the precise content of that requirement should be confirmed directly from the official NPR materials before any institution changes governance documents or compliance staffing models on that basis.

The fourth watch item is examination practice. Even before final adoption, institutions should expect examiners to ask whether management has reviewed the proposal and whether existing program architecture can demonstrate risk-based design, clear accountability, and operational maintenance in all material respects.

My Law Tampa publishes this memorandum as part of its banking and financial regulatory analysis.

This memorandum is informational only, does not constitute legal advice, and does not create an attorney-client relationship.