BSA and beyond in 2026
In 2026, the Bank Secrecy Act (BSA) framework is undergoing its most significant structural shift in decades. Led by the Financial Crimes Enforcement Network (FinCEN) and federal banking regulators, the system is transitioning from a rigid, process-driven model to an outcome-oriented, risk-based compliance framework. [1, 2, 3]
The primary regulatory adjustments, executive mandates, and enforcement updates shaping the BSA landscape in 2026 include the following:
1. Shift to Risk-Based Effectiveness Over Paperwork [1, 2]
In April 2026, FinCEN issued a landmark proposed rule to overhaul Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) programs. [1, 2]
Outcome Over Checklist: Compliance success will be measured by an institution's ability to block actual illicit threats rather than the total volume of forms filed. [1, 2]
Resource Reallocation: Institutions can legally reallocate compliance assets away from low-risk administrative processes and focus heavily on high-risk areas. [1, 2]
Two-Pronged Supervision: Regulatory agencies will distinguish strictly between program design gaps and implementation issues to prevent subjective auditor penalties. [1]
Consolidated Banking Standards: The Office of the Comptroller of the Currency (OCC), FDIC, and NCUA issued parallel rulemakings to align their banking examinations directly with FinCEN’s new baseline. [1, 2]
2. Elimination of Repetitive Customer Due Diligence (CDD) [1]
A massive administrative bottleneck was removed via a FinCEN Exceptive Relief Order. [1]
Per-Customer Verification: Financial institutions are no longer required to identify and re-verify beneficial owners every single time an existing business customer opens a new account. [1, 2]
Trigger-Based Actions: Verification is now restricted to initial onboarding, periodic risk-based updates, or when specific data reliability concerns arise. [1]
3. Regulatory Extension to Stablecoins (The GENIUS Act) [1, 2, 3]
BSA requirements have aggressively expanded to cover the digital asset ecosystem in mid-2026. [1, 2]
Stablecoin Mandates: Following directives from the GENIUS Act, the FDIC and OCC proposed explicit BSA and economic sanctions compliance rules for Permitted Payment Stablecoin Issuers (PPSIs). [1, 2]
Crypto Onramps: State nonmember bank subsidiaries and nonbank stablecoin issuers must formalize full Customer Identification Programs (CIP) and track illicit virtual flows. [1, 2, 3]
4. Executive Order on Cross-Border and Identity Risk [1]
A presidential executive order issued in May 2026 altered identity verification focus areas under the BSA. [1]
Identity Tracking: The directive instructs Treasury and financial agencies to tighten risk-based verification rules surrounding non-work-authorized individuals using Individual Taxpayer Identification Numbers (ITINs) instead of SSNs. [1]
Targeted Threat Sectors: Examiners are prioritizing low-dollar cross-border remittances to combat Chinese laundering networks and Mexican cartel-linked fentanyl financing. [1]