By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

FinCEN’s AML Programs Rule: The Case for Open Compliance Infrastructure

Lana Schwartzman
June 25, 2026
Schwartzman boasts 19 years of experience in fintech and digital assets compliance, with a strong history of designing compliance programs and leading licensure strategies in crypto and financial companies.
Summary

FinCEN’s proposed AML/CFT Programs Rule could reshape how U.S. financial institutions design, assess, and evidence effective compliance programs. Notabene argues that open compliance infrastructure, including Travel Rule data exchange, pre-transaction authorization, and shared due diligence standards, should be recognized as a preventive AML control.

What we asked FinCEN to do, and why open compliance infrastructure is the strategic prize.

The AML/CFT Programs Rule is the most consequential installment yet in FinCEN's multi-year effort to modernize the Bank Secrecy Act under the AML Act of 2020. The rule (Docket FINCEN-2026-0034) will reshape how U.S. financial institutions design and supervise their compliance programs for the next decade. Comments closed June 9, 2026.

The rule does several things:

  • Codifies the AML Act of 2020’s risk-based, effectiveness-focused mandate into program requirements.
  • Introduces a new supervisory and enforcement framework at proposed 31 CFR 1020.221, giving the FinCEN Director discretion to consider an institution’s innovative compliance activities and demonstrable outputs when deciding supervisory action.
  • Adopts five risk assessment categories every covered institution will evaluate against.
  • Sets a 12-month effective date once a final rule publishes.

The most consequential piece for digital assets is in the Supervision and Enforcement section in Question 28 “FinCEN welcomes comment on provisions related to the use of innovative tools to achieve effective outcomes, specifically on how the Director may consider the performance of innovative activities that produce demonstrable outputs under the proposed supervision and enforcement framework.”. Basically, FinCEN built a new framework for recognizing innovative compliance activities under supervision, and asked the market what counts. The answer determines whether the technology stack getting supervisory credit a decade from now is built on open standards or on proprietary vendor platforms.

We made three asks.

01. Bring back the outcomes-based effectiveness definition.

The 2020 Effectiveness ANPRM proposed defining an effective AML program as one giving law enforcement timely, useful information the government uses. Thus, outcomes and not box-checking.

The current NPRM softens the language. We asked FinCEN to restore the 2020 definition. Without an outcomes anchor, examiners default to checklists, and the new innovation framework has nothing substantive to anchor against.

02. Recognize Travel Rule infrastructure as a preventive AML control.

Question 28 asks which compliance activities deserve formal recognition as innovative. Our answer contained five things:

  1. Travel Rule infrastructure. Pre-settlement data exchange enabling block, freeze, and reject decisions.
  2. Pre-transaction authorization including the Transaction Authorization Protocol (TAP). Authorization before settlement, rather than monitoring after.
  3. IVMS 101 data standardization. Common counterparty data structure across institutions.
  4. Counterparty due diligence interoperability. GDF VASP Due Diligence Questionnaire as the shared baseline.
  5. Counterparty-assisted false-positive resolution. Bilateral information exchange resolving sanctions screening hits.

All five are common and open compliance infrastructure. Open standards, implementable by any party. Not proprietary single-vendor networks.

Travel Rule deserves a closer look. Most AML controls are detective and after the fact.   Travel Rule, on the other hand, is preventive. Data exchange happens before settlement, which means the receiving institution blocks, freezes, or rejects a transfer before funds move on-chain.

03. Clarify the boundary between this rule and the PPSI rule.

This rule defines “distribution channels” narrowly: the methods institutions use to open accounts and deliver products. Remote onboarding, non-face-to-face channels, mobile, and similar.

A different FinCEN rulemaking already in progress, on permitted payment stablecoin issuers (Docket FINCEN-2026-0100), uses the same term much more broadly. Under the PPSI rule, blockchains themselves count as distribution channels.

Same term, two very different scopes. If institutions covered by both rules read the term the same way in their risk assessments, they end up running duplicate compliance frameworks against the same underlying risk. We asked FinCEN to clarify the boundary in the final rule.

What happens next

Twelve months after FinCEN finalizes this rule, every covered institution will be measured against a new supervisory framework. The institutions building on common and open compliance infrastructure now will have the evidence FinCEN says it wants to see. The institutions still on proprietary stacks will need a different story.

You can read Notabene's full response here: https://notabene.id/reports/notabene-response-to-fincen-aml-cft-program-nprm-fincen-2026-0034

References

FAQs

What is FinCEN’s AML/CFT Programs Rule?

FinCEN’s AML/CFT Programs Rule is a proposed rulemaking that would update how covered U.S. financial institutions design, manage, and assess their anti-money laundering and countering the financing of terrorism programs.

Why does the rule matter for digital asset compliance?

The rule matters because it could determine how regulators evaluate innovative compliance tools, including Travel Rule infrastructure, pre-transaction authorization, counterparty due diligence, and data standardization.

Why is open compliance infrastructure important?

Open compliance infrastructure allows financial institutions and digital asset businesses to use shared standards rather than proprietary vendor networks, making compliance more interoperable, scalable, and evidence-based.

FinCEN’s AML Programs Rule: The Case for Open Compliance Infrastructure

Insights

What we asked FinCEN to do, and why open compliance infrastructure is the strategic prize.

The AML/CFT Programs Rule is the most consequential installment yet in FinCEN's multi-year effort to modernize the Bank Secrecy Act under the AML Act of 2020. The rule (Docket FINCEN-2026-0034) will reshape how U.S. financial institutions design and supervise their compliance programs for the next decade. Comments closed June 9, 2026.

The rule does several things:

  • Codifies the AML Act of 2020’s risk-based, effectiveness-focused mandate into program requirements.
  • Introduces a new supervisory and enforcement framework at proposed 31 CFR 1020.221, giving the FinCEN Director discretion to consider an institution’s innovative compliance activities and demonstrable outputs when deciding supervisory action.
  • Adopts five risk assessment categories every covered institution will evaluate against.
  • Sets a 12-month effective date once a final rule publishes.

The most consequential piece for digital assets is in the Supervision and Enforcement section in Question 28 “FinCEN welcomes comment on provisions related to the use of innovative tools to achieve effective outcomes, specifically on how the Director may consider the performance of innovative activities that produce demonstrable outputs under the proposed supervision and enforcement framework.”. Basically, FinCEN built a new framework for recognizing innovative compliance activities under supervision, and asked the market what counts. The answer determines whether the technology stack getting supervisory credit a decade from now is built on open standards or on proprietary vendor platforms.

We made three asks.

01. Bring back the outcomes-based effectiveness definition.

The 2020 Effectiveness ANPRM proposed defining an effective AML program as one giving law enforcement timely, useful information the government uses. Thus, outcomes and not box-checking.

The current NPRM softens the language. We asked FinCEN to restore the 2020 definition. Without an outcomes anchor, examiners default to checklists, and the new innovation framework has nothing substantive to anchor against.

02. Recognize Travel Rule infrastructure as a preventive AML control.

Question 28 asks which compliance activities deserve formal recognition as innovative. Our answer contained five things:

  1. Travel Rule infrastructure. Pre-settlement data exchange enabling block, freeze, and reject decisions.
  2. Pre-transaction authorization including the Transaction Authorization Protocol (TAP). Authorization before settlement, rather than monitoring after.
  3. IVMS 101 data standardization. Common counterparty data structure across institutions.
  4. Counterparty due diligence interoperability. GDF VASP Due Diligence Questionnaire as the shared baseline.
  5. Counterparty-assisted false-positive resolution. Bilateral information exchange resolving sanctions screening hits.

All five are common and open compliance infrastructure. Open standards, implementable by any party. Not proprietary single-vendor networks.

Travel Rule deserves a closer look. Most AML controls are detective and after the fact.   Travel Rule, on the other hand, is preventive. Data exchange happens before settlement, which means the receiving institution blocks, freezes, or rejects a transfer before funds move on-chain.

03. Clarify the boundary between this rule and the PPSI rule.

This rule defines “distribution channels” narrowly: the methods institutions use to open accounts and deliver products. Remote onboarding, non-face-to-face channels, mobile, and similar.

A different FinCEN rulemaking already in progress, on permitted payment stablecoin issuers (Docket FINCEN-2026-0100), uses the same term much more broadly. Under the PPSI rule, blockchains themselves count as distribution channels.

Same term, two very different scopes. If institutions covered by both rules read the term the same way in their risk assessments, they end up running duplicate compliance frameworks against the same underlying risk. We asked FinCEN to clarify the boundary in the final rule.

What happens next

Twelve months after FinCEN finalizes this rule, every covered institution will be measured against a new supervisory framework. The institutions building on common and open compliance infrastructure now will have the evidence FinCEN says it wants to see. The institutions still on proprietary stacks will need a different story.

You can read Notabene's full response here: https://notabene.id/reports/notabene-response-to-fincen-aml-cft-program-nprm-fincen-2026-0034

Notabene is the trust layer for global crypto money movement.

Notabene Flow — the first open stablecoin payments platform for businesses—and Notabene Transact—the world's largest Travel Rule-compliant transaction authorization platform for regulated institutions—are built on the Transaction Authorization Protocol (TAP), an open messaging standard that enables verified entities to transact securely.

The Notabene Network connects thousands of trusted counterparties, facilitating over $1T in transaction volume annually across over 100 jurisdictions.