As financial institutions prepare for 2026, the landscape surrounding financial crimes prevention continues to evolve. Several key regulatory shifts and emerging risks related to the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) requirements, and Countering the Financing of Terrorism (CFT) are reshaping expectations for institutions. These changes call for modernized compliance processes, stronger risk assessment governance, enhanced sanctions monitoring, and improved reporting procedures to protect against financial crimes.

Below are highlights of the most important updates to act on and prioritize:

Ensure BSA is a Primary Responsibility for ALL Employees

Regardless of position, every employee in a financial institution plays a role in BSA compliance. Provide training on policies and procedures and reinforce the expectation to consult the BSA officer or supervisor when questions arise.

Make Note of Modernized Terminology: AML/CFT

The Anti-Money Laundering Act of 2020 includes modernizing the terminology within BSA conversations, policies, and procedures. While the Federal Financial Institutions Examination Council (FFIEC) still references “BSA/AML”, regulators are shifting to AML/CFT. This change highlights the need to encompass a broader scope of national and international standards into compliance programs. Institutions should update their policies, procedures, and training materials to align with these standards.

Develop a Living Risk Assessment as a Basis for Your Compliance Program

Your risk assessment should serve as the basis for your BSA/AML/CFT compliance program utilizing the AML/CFT Priorities.

  • The risk assessment should be a living–breathing document that is updated as situations occur.
  • Document the mitigation of the risk. Tell the story — outline risks and include expected activity.
  • Present and obtain Board approval at least once per year. Note: It doesn’t have to go to the Board after situational updates.

Update the Policy and Procedures

Further enhance your compliance program by incorporating:

  • Terrorist financing – Including the incorporation of “red flags”, customer due diligence procedures for higher-risk geographies, and higher risk accounts. Be sure to use the verbiage “terrorist financing” within the policy and procedures.
    • AI governance and oversight – Including expectations and roles, ongoing monitoring, oversight of technology used to detect suspicious activity, implementation of periodic testing to assess the outputs of AI.

Include Monitoring and Risk Assessment for Mexico-Related Transactions

In 2025, several Mexico-based financial institutions were added to U.S. sanctions lists. For Midwest banks, this change could impact customers with cross-border business. Make sure you screen for transactions involving sanctioned entities. Ask the hard questions — are your customers making protection payments to criminal organizations (such as cartels) to operate safely? If so, this could expose your bank to serious criminal and civil liability under BSA/AML and OFAC regulations.

Familiarize Yourself With FinCEN Frequently Asked Questions (FAQs) Updates

In October 2025, FinCEN clarified expectations related to Suspicious Activity Reports (SARs). Familiarize yourself with these updates which note:

  • Continuing activity SARs are not mandatory- they’re risk-based
  • Document all non-filing decisions
  • Avoid filings for small-dollar, routine transactions unless a suspicious pattern emerges

Incorporate Regulatory Guidance Regularly

FinCEN guidance should be used to help update and manage BSA policy and procedures. Make note that it is not optional — regulators have cited institutions for failing to follow the guidance. Review the guidance on a regular basis and train relevant personnel on the various alerts and advisories provided.

  • Be sure to document the analysis of these alerts and how they were incorporated into the risk assessment.

Recognize Red Flags

Be sure to understand and incorporate “red flags” as they relate to money laundering and terrorist financing into your compliance program. Resources include:

Incorporate Reporting and Recordkeeping Requirements for MSBs Operating Along the Southwest Border

Geographic Targeting Orders (GTOs) were established to impose additional reporting and recordkeeping requirements for Money Service Businesses (MSBs) operating along the Southwest Border. Ensure policies related to CTR thresholds and identity verification.

Be Aware of High-Risk Customers

Potential “high” risk customers based on the recent smuggling activity includes:

  • Small US-based oil and natural gas companies
  • Vape stores
  • Cell phone repair shops
  • Boutique stores
  • International students with large volume transactions

Avoid Broad-Based De-Risking

Be careful to not to fall into the category of an institution that is “de-risking” itself.  When ending relationship with or declining riskier customers, document clear rationale for it, especially if doing so under a broad-based, categorical group.

The changes and similarities related to anti-money laundering and terrorist financing are broad and can be challenging to keep up with, but even taking small steps at a time can be beneficial.

Acting now will reduce risk, save time, and position your institution for a smooth program review.

Contact a Pinion advisor for assistance evaluating your compliance and risk management strategies.