FinCEN’s AML and Stablecoin NPRMs Could Reshape Competition Between Banks and Non-Banks

Download PDF

Executive Summary

On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPRM) to reform anti-money laundering/Bank Secrecy Act (AML/BSA) compliance requirements, superseding an earlier July 2024 NPRM.¹ On April 8, 2026, FinCEN and the Office of Foreign Assets Control (OFAC) jointly published a separate NPRM implementing the framework set forth by the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the GENIUS Act) for permitted payment stablecoin issuers (PPSIs).² Both proposals shift AML/countering the financing of terrorism (AML/CFT) policy toward effectiveness-driven, risk-based programs.³ Every covered institution faces the same substantive obligations, but the enforcement framework differs by charter type.

The AML/BSA Reform NPRM establishes a bank-specific enforcement framework with three components: (1) a higher threshold requiring "significant or systemic failure" before action⁵; (2) a consultation requirement under which banking agencies must give FinCEN 30 days' advance notice before significant AML/CFT supervisory actions⁶; and (3) credit for "responsible use of innovative tools" in enforcement assessments.⁷ Broker-dealers, futures commission merchants (FCMs), and introducing brokers in commodities (IBCs) are not covered by this framework, and their regulators (the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC)) have no comparable obligations.⁸ FinCEN has requested comment on whether the framework should apply more broadly.⁹

The GENIUS Act NPRM classifies PPSIs as "financial institutions" under new 31 CFR Part 1033, subjecting them to sanctions compliance ($100,000/day penalties), real-time blocking capabilities, bank-level know-your-customer/customer due diligence (KYC/CDD), suspicious activity report (SAR) filing for transactions ≥$5,000, and Travel Rules for transmittals ≥$3,000.¹⁰ These novel requirements, where compliance gaps are most likely, make the enforcement framework differences especially significant. Left in place, the split could reshape competition and push industry consolidation. Banks face their own risks from the divergence: reputational exposure, added complexity for holding companies with non-bank affiliates, and potential underinvestment if the framework later tightens. Institutions of all types should use the June 9, 2026 comment period to address whether the bank-specific framework should extend to non-banks, how key terms should be defined, and whether technology credit should apply across charter types.¹¹

Practical Impacts: Penalty Exposure, Remediation Strategy, and Charter Choice

In practice, the enforcement split produces six measurable differences:

Penalty exposure. For a bank with a properly established program, enforcement requires a "significant or systemic failure."⁵ FinCEN is explicit: no program can catch everything.¹² The calculus differs for broker-dealers and FCMs/IBCs. Any deficiency may independently support an action. Each regulator can act on its own, so parallel penalties for the same conduct remain possible.⁸

Remediation strategy. The consultation timeline (described in detail below) gives banks room to focus remediation on the program as a whole and present progress to FinCEN.⁶ That timeline does not apply to broker-dealers and FCMs/IBCs, which may tackle all findings simultaneously rather than sequence them by severity.

Charter choice and competitive effects. These enforcement differences could affect pricing, client relationships, and where holding companies place their business lines. Consider AI or analytics spending: a bank may get explicit enforcement credit for that investment, while a broker-dealer or FCM/IBC sees only lower compliance costs.⁷ Companies deciding where to house a business, and new entrants picking a charter, may weigh these factors along with other considerations.

Potential harm to banks. The bank-specific enforcement framework looks favorable, but it also creates risks for banks. Regulatory divergence may lead to reputational problems: clients, counterparties, and investors may see different enforcement standards as preferential treatment, drawing public criticism, media attention, and congressional scrutiny. Banks with broker-dealer or FCM/IBC affiliates in the same holding company face added difficulty. Their compliance teams must run two sets of procedures (one for the higher “significant or systemic failure” threshold and consultation timeline, one for the stricter rules that apply to affiliates), which raises costs and creates gaps where the affiliates interact. Competitive dynamics could also work against banks. Broker-dealers and FCMs/IBCs, facing tougher enforcement, may spend more on compliance to reduce that risk, and end up with stronger controls that clients prefer. The framework may not last. If non-bank institutions win an extension of the bank rules, banks will have backed a structure that gives them no edge. If regulators later view the bank framework as too lenient, they may tighten the rules for banks, removing the current protections. Finally, banks used to the higher threshold and longer timeline may spend less on compliance than they would under a single, stricter standard, leaving them vulnerable if the rules later become uniform or if FinCEN uses its independent enforcement powers more aggressively.

Left unchanged, these differences could reshape competition and push consolidation. They may also spark wider debate about whether the enforcement framework should be the same for all institution types. FinCEN has invited comment on that question.⁹

Bank-Only Safe Harbor and Consultation Dynamics

Behind the penalty and timing differences described above sits a specific mechanism. The AML/BSA Reform NPRM draws a line between "establishing" and "maintaining" an AML/CFT program.¹³ Today, any isolated shortfall can feed into a supervisory action. The proposal changes that for banks. Once a bank has properly "established" its program (all four required pillars in place), enforcement requires a finding of "significant or systemic failure."⁵ FinCEN ties this threshold to a practical reality: no program catches every instance of illicit activity.¹² The safe harbor has two additional features. Banks may shift compliance resources toward higher-risk areas without being second-guessed by examiners.¹⁴ They also gain a direct channel to share AML/CFT information with FinCEN.¹⁵

The consultation requirement adds a separate layer with several procedural consequences.⁶ The 30-day minimum notice period sets a hard floor on the pre-action timeline, and material changes to a proposed consent order's terms during negotiations may require the banking agency to re-engage FinCEN, extending that floor further.⁶ No formal tolling provision exists, but the notice-and-review period functions as a de facto stay because the banking agency cannot initiate the action until consultation concludes and FinCEN's input has been considered. The required sequence is: banking agency notice, then FinCEN review, then banking agency decision.⁶ FinCEN review precedes (rather than runs parallel to) the agency's final decision, and any material revision to the proposed action's scope, terms, or severity may restart the consultation clock. Banks can use this window to challenge how deficiencies are characterized, and FinCEN's review introduces a second viewpoint that could influence the banking agency's posture.⁶

Critically, the consultation constrains only the banking agency, not FinCEN itself. FinCEN retains independent enforcement authority under the BSA and can bring its own action against the same bank for the same conduct without being subject to the consultation timeline, the "significant or systemic failure" threshold, or any sequencing requirement.¹⁶ This dual role creates several dynamics.

First, during the consultation period, FinCEN receives detailed information about the banking agency's enforcement rationale and the bank's deficiencies. The NPRM does not address whether information obtained during consultation may be used by FinCEN in its own parallel action, or whether any information barrier applies. Second, FinCEN could initiate its own enforcement action before, during, or after the banking agency's consultation period; the NPRM specifies no sequencing requirement between FinCEN's reviewer role and its independent enforcement role. Third, because the elevated threshold applies only to the banking agency, FinCEN could independently determine that a deficiency warrants its own action even where the banking agency concludes, after consultation, that the same deficiency does not meet the "significant or systemic failure" standard.¹⁶

The practical effect is that the consultation process coordinates only one direction: the banking agency toward FinCEN. It does not prevent FinCEN from acting independently in the other direction. A bank challenging the banking agency's characterization of a deficiency during the consultation period must account for the possibility that FinCEN, having reviewed the same facts, could pursue its own action under a separate enforcement theory or threshold. This narrows, but does not eliminate, the structural difference between the bank enforcement framework and the multi-regulator framework applicable to broker-dealers and FCMs/IBCs, where each regulator can act independently without any coordination requirement.⁸

Whether the consultation requirement should be bilateral is an open question the NPRM does not explicitly address. It does not appear among the issues on which FinCEN has specifically requested comment, though it falls within the broader request for comment on consultation mechanics.⁹

Same Substantive Standards, Different Enforcement Consequences

One structural choice in the AML/BSA Reform NPRM underlies everything discussed so far: every institution must meet the same program requirements, but the enforcement consequences differ by charter type. All covered institutions must maintain "effective, risk-based, and reasonably designed" AML/CFT programs, conduct written risk assessments, designate U.S.-based AML/CFT officers, arrange independent testing focused on whether the program works, provide ongoing training, and allocate resources based on risk.³ Three differences apply only to banks. First, enforcement for program violations requires a finding of "significant or systemic failure," while broker-dealers face enforcement for any shortfall from FinCEN, the Securities and Exchange Commission (SEC), or the Financial Industry Regulatory Authority (FINRA), and FCMs/IBCs from FinCEN and the CFTC.⁵ Second, banking agencies must consult FinCEN before starting "significant AML/CFT supervisory action" (as described above), while non-bank regulators may act on their own.⁶ Third, FinCEN will give banks credit for "responsible use of innovative tools (such as advanced analytics and artificial intelligence)" when deciding enforcement, with no similar promise from the SEC, FINRA, or CFTC.⁷

GENIUS Act PPSI Obligations Amplify the Enforcement Divergence

Start with what the rule requires. The GENIUS Act NPRM reclassifies PPSIs from the money services business (MSB) framework to 31 CFR Part 1033.¹⁰ On top of the shared program standard, it layers technical obligations that have no precedent in the current BSA framework. PPSIs must be able to block, freeze, or reject impermissible stablecoin transactions in real time, covering secondary market activity, wallet-address banning, and stablecoin burning.¹⁷ They must also run standalone sanctions compliance programs, with penalties reaching $100,000 per day.¹⁸ Their AML/CFT officers face disqualification criteria not applied elsewhere, including for insider trading or financial fraud convictions.¹⁹

Any institution that deals with a PPSI will need capabilities that most compliance programs lack. These include adding PPSI-specific risk factors to risk assessments, watching on-chain stablecoin transfers, screening wallet addresses against sanctions lists and internal watchlists, and rating each issuer by regulatory status, reserve makeup, and redemption practices.²⁰ None of these capabilities is mature. No established industry standards, ready-made vendor tools, or examination playbooks exist yet. Gaps are nearly certain across all institution types, which makes the enforcement framework the deciding factor. The penalty, remediation, and technology credit differences discussed earlier matter most here, where requirements are newest and early problems most likely.²¹

Comment Letter Recommendations

FinCEN has explicitly asked whether the bank-specific framework should extend to non-bank institutions, and comment letters are due June 9, 2026.⁹ Key topics for comment:

• Scope and definitions: Whether the "significant or systemic failure" threshold and FinCEN consultation should extend to broker-dealers and CFTC-regulated entities.⁹ Banks: consider whether extension would affect consultation workload and review depth. Broker-dealers/FCMs/IBCs: quantify parallel-penalty frequency (e.g., the $80 million combined Canaccord action), identify isolated-deficiency enforcement cases, and analyze three-regulator consultation feasibility. FCMs/IBCs: note that their two-regulator structure most closely mirrors the bank model. All institutions: propose definitions for “significant or systemic failure,” “significant AML/CFT supervisory action,” and “urgent circumstances.”²² Broker-dealers: compile data on deficiency types historically triggering SEC/FINRA enforcement and propose “urgent circumstances” language for customer-facing transaction profiles.

• Consultation mechanics: Whether FinCEN's input is binding or advisory, whether the consultation record is accessible to examined institutions, and whether the requirement should be bilateral.²² Banks: consider information-barrier provisions for FinCEN’s reviewer role. Broker-dealers: consider lead-regulator designation, joint notice protocols, or no-action safe harbors for three-regulator coordination; quantify parallel-penalty frequency and examination-to-enforcement timelines. FCMs/IBCs: consider whether existing CFTC-FinCEN coordination supports a consultation requirement.

• Technology credit scope: Whether "responsible use of innovative tools" treatment should apply to non-bank institutions.⁷ All institutions: propose specific criteria for “responsible use” and whether a safe harbor should apply across charter types. Broker-dealers/FCMs/IBCs: identify specific investments (ML-based monitoring, automated SAR generation, network-analysis tools) receiving no enforcement credit and propose criteria from existing SEC, FINRA, or CFTC guidance.

• Dual-regulated entities: What operational differences a unified framework would produce. Holding companies: provide data on incremental compliance costs, examples of non-bank findings that would not trigger enforcement under the bank threshold, and the burden of maintaining different remediation timelines for shared program components.

For More Information

If you have questions or would like additional information, please contact Tom Vincent (tom.vincent@pierferd.com) or your regular firm contact.

This publication and/or any linked publications herein do not constitute legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, the author(s) and PierFerd assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, this publication may constitute Attorney Advertising. © 2026 Pierson Ferdinand LLP.

1. FinCEN News Release, "FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs" (Apr. 7, 2026); FinCEN Fact Sheet, "Proposed Rule to Fundamentally Reform Financial Institutions' AML/CFT Programs" (Apr. 7, 2026).

2. FinCEN/OFAC News Release, "Treasury Proposes Rule to Implement the GENIUS Act's Requirements to Counter Illicit Finance" (Apr. 8, 2026); FinCEN Fact Sheet, "Proposed Rule to Implement the GENIUS Act's AML/CFT Requirements for Permitted Payment Stablecoin Issuers" (Apr. 8, 2026).

3. FinCEN News Release (Apr. 7, 2026); FinCEN Fact Sheet, AML/BSA Reform NPRM.

4. FinCEN Fact Sheet, AML/BSA Reform NPRM; FinCEN Key Changes Document, "Key Changes in FinCEN's Proposed Rule to Refocus AML/CFT Programs" (Apr. 7, 2026).

5. FinCEN Fact Sheet, AML/BSA Reform NPRM (describing "significant or systemic failure" threshold); FinCEN Key Changes Document (same).

6. FinCEN Fact Sheet, AML/BSA Reform NPRM (describing 30-day advance written notice and consultation requirement); FinCEN Key Changes Document (same).

7. FinCEN Fact Sheet, AML/BSA Reform NPRM (describing credit for "responsible use of innovative tools"); FinCEN Key Changes Document (same).

8. FinCEN Fact Sheet, AML/BSA Reform NPRM (noting bank-specific framework does not extend to non-bank institution types); FinCEN Key Changes Document (same).

9. FinCEN News Release (Apr. 7, 2026) (requesting comment on whether framework should apply more broadly); FinCEN Fact Sheet, AML/BSA Reform NPRM (same).

10. FinCEN/OFAC News Release (Apr. 8, 2026); FinCEN Fact Sheet, GENIUS Act NPRM; GENIUS Act NPRM Full Text (Federal Register).

11. FinCEN News Release (Apr. 7, 2026) (June 9, 2026 comment deadline); FinCEN/OFAC News Release (Apr. 8, 2026) (same).

12. FinCEN Fact Sheet, AML/BSA Reform NPRM (acknowledging no program can eliminate all illicit activity).

13. FinCEN Fact Sheet, AML/BSA Reform NPRM (distinguishing "establishing" from "maintaining"); FinCEN Key Changes Document (same).

14. FinCEN Fact Sheet, AML/BSA Reform NPRM (authorizing risk-based resource reallocation); FinCEN Key Changes Document (same).

15. FinCEN Key Changes Document (describing direct information-sharing channel with FinCEN).

16. FinCEN Key Changes Document (noting consultation constrains only the banking agency; FinCEN retains independent enforcement authority).

17. FinCEN Fact Sheet, GENIUS Act NPRM (describing real-time blocking, freezing, and rejection capabilities); GENIUS Act NPRM Full Text (same).

18. FinCEN/OFAC News Release (Apr. 8, 2026) (describing sanctions compliance penalties); FinCEN Fact Sheet, GENIUS Act NPRM (same).

19. FinCEN Fact Sheet, GENIUS Act NPRM (describing AML/CFT officer disqualification criteria).

20. FinCEN Fact Sheet, GENIUS Act NPRM (describing counterparty due diligence obligations); GENIUS Act NPRM Full Text (same).

21. FinCEN/OFAC News Release (Apr. 8, 2026) (discussing enforcement framework applicability to PPSI-related obligations).

22. FinCEN Fact Sheet, AML/BSA Reform NPRM (requesting comment on definitions and consultation mechanics).