The Federal Reserve published a sweeping proposal to rewrite how it polices anti-money laundering and counter-terrorist-financing (AML/CFT) programs at the banks it supervises.
Getty Images
Somewhere between $800 billion and $2 trillion in dirty money moves through the global financial system every year, according to the UN Office on Drugs and Crime — and authorities manage to freeze less than 1% of it. Banks are the pipeline. The 2020 “FinCEN Files” leak, which exposed $2 trillion in transactions flagged internally as suspicious yet processed anyway, made that uncomfortably clear. So when the Federal Reserve published a sweeping proposal on July 7 to rewrite how it polices anti-money laundering and counter-terrorist-financing (AML/CFT) programs at the banks it supervises, the stakes were never in question. What’s in question is whether the rule actually raises the bar — or quietly lowers it.
The Fed’s Proposal
The proposal, running 20 pages in the Federal Register and developed alongside parallel rules from FinCEN, the OCC, the FDIC, and the NCUA, is billed as a modernization effort required by the Anti-Money Laundering Act of 2020. Its centerpiece is a new two-part test: banks must “establish” an AML/CFT program and separately “maintain” it by implementing that program “in all material respects.” That distinction sounds like bureaucratic hairsplitting, but it does real work. Under the proposed framework, once a bank has properly established a program, the Fed would only bring an enforcement action or a “significant” supervisory action over implementation failures that are “significant or systemic” — not for isolated or technical lapses.
The trouble is that nobody, including the Fed, can yet say what “significant or systemic” means. The rule doesn’t define it. The preamble doesn’t define it. And in its own request for public comment, the Board asks whether “clarification is needed for banks to determine what constitutes a ‘significant or systemic failure.'” That’s a regulator building the central trigger for its own enforcement power and then asking the public to help figure out what it means.
This is not a fringe objection. Federal Reserve Board Governor Michael Barr, in a statement declining to support the proposal, said he could not vote for it “because of the introduction of a new, undefined standard for issuing matters requiring attention and for enforcement actions,” warning that the vague threshold could leave the Board unable to substantiate noncompliance even when a bank’s program isn’t being run properly. When a sitting governor says the agency may not be able to enforce its own rule, that’s not a technical footnote — that’s the whole ballgame.
Layer a second problem on top: the proposal leans heavily on banks grading their own homework. It directs institutions to allocate compliance staff and technology according to their own risk assessments, and it explicitly tells examiners not to substitute their judgment for a bank’s resource-allocation decisions. The Fed’s rationale is that banks understand their own customer base better than examiners do, which is true as far as it goes. But nothing in the rule sets a floor — no minimum staffing benchmark, no external check on whether a bank’s “reasonably designed” risk assessment is genuinely rigorous or just cheap. A bank that wants to under-resource compliance has every incentive to classify a risky business line as low-risk in its own internal assessment, and the proposal gives examiners limited room to push back once that self-assessment exists on paper.
The Fed’s cost-benefit math compounds the concern. The regulatory impact analysis assumes banks are “already generally in compliance” with the new requirements and predicts no material increase in ongoing compliance costs. That’s a strange claim to pair with a rule the Fed elsewhere describes as a fundamental overhaul of AML/CFT supervision. Either the rule mostly formalizes what banks already do — in which case it’s unclear what problem it solves — or the cost estimate understates what banks will actually have to spend rebuilding governance and documentation around the new establish/maintain framework. The analysis doesn’t resolve which is true.
There is also a coordination gap. The parallel proposal from the OCC, FDIC, and NCUA includes a requirement that those agencies give FinCEN advance notice before bringing a significant enforcement action, letting the agency that actually administers the Bank Secrecy Act weigh in first. The Fed’s version doesn’t include that check — the Board just asks whether it should. Until that’s resolved, banks supervised by the Fed face a different enforcement backstop than banks supervised by its sister agencies, undermining the very consistency the rule claims to deliver.
Global AML Fines Are Declining
None of this is happening in a vacuum. Global AML fines fell for a second straight year in 2025, and by at least one industry tracker’s count, it was the first year in over two decades that no U.S. bank faced a major AML penalty — even as enforcement against crypto exchanges and fintechs picked up. Analysts attribute the shift partly to regulatory staffing cuts and shifting priorities, not to banks suddenly getting better at compliance. Cumulative AML-related penalties against financial institutions since the 2007-08 crisis total roughly $69 billion — a large number in isolation, but a rounding error against the trillions believed to move illicitly through the system each year. Fines at that scale look less like a deterrent and more like a cost of doing business.
Accountability Is Undefined
None of this means the Fed’s underlying instinct is wrong. Encouraging banks to focus scarce compliance resources on genuinely high-risk customers, rather than drowning examiners and compliance officers in low-value paperwork, is a defensible modernization goal, and one banks have quietly wanted for years. But risk-based flexibility and enforceable accountability are not supposed to be trade-offs; they are supposed to travel together. As written, the proposal hands banks the flexibility first and leaves the accountability mechanism undefined, to be worked out later through the same comment process that’s supposed to fix it now.
Public Comment Period
The Board is accepting public comments through September 8. Whether the final rule closes the gap Barr flagged — or simply codifies it — will determine whether this “modernization” makes the financial system harder to launder money through, or just harder to catch anyone doing it.
Forbes Articles By Mayra Rodríguez Valladares
Congressional Testimonies By This Author
Strengthening Accountability at the Federal Reserve: Lessons and Opportunities for Reform
A Holistic Review of Regulators: Regulatory Overreach and Economic Consequences

Leave a comment