How Casinos Should Prepare for FinCEN’s 2026 AML/CFT Overhaul

FinCEN’s April 10, 2026 Notice of Proposed Rulemaking (NPRM) on Anti‑Money Laundering and Countering the Financing of Terrorism (AML/CFT) programs would materially reshape what it means for casinos and card clubs to maintain an effective program under 31 CFR Part 1021. The proposal introduces several structural changes: a new requirement for risk assessment processes, mandatory integration of AML/CFT National Priorities, and clearer governance and accountability expectations, including board‑level approval and a U.S.‑located responsible officer. Comments are due June 9, 2026.

For casino operators, the NPRM signals a shift toward a governance‑driven, risk‑engineering model. FinCEN intends to evaluate not only whether a casino has the required program components, but whether those components are implemented in ways that matter for risk mitigation. That framing will influence examinations, enforcement posture, and how operators document risk‑based decisions.

From ‘Compliance Program’ to an ‘Effective AML/CFT Program’

Proposed § 1021.210 would require each casino to develop and implement a written AML/CFT program that is risk-based and reasonably designed to prevent money laundering, terrorist financing, and other illicit finance activity. The NPRM separates program establishment from program implementation and introduces a distinct standard for assessing how the program operated in practice. Under the proposal, a casino must establish its AML/CFT program in accordance with the rule’s specific requirements and implement that program in “all material aspects”.

FinCEN is signaling that it will evaluate whether the casino has documented the required program components, built the core capabilities, and implemented those components in a way that aligns with the program’s stated design. Examiners will look closely at materials such as the risk assessment methodology, documented mitigation decisions, governance approvals, and version‑controlled program documents. Operators should expect more scrutiny of how these materials support the program’s structure and demonstrate that it is functioning as intended.

Risk Assessment Processes Become an Express Requirement

What the Rule Text Requires

Proposed § 1021.210(b)(1) would require casinos to maintain risk assessment processes that identify money laundering, terrorist financing, and other illicit finance risks arising from the casino’s business activities, including products, services, distribution channels, customers, and geographic locations. FinCEN notes that making risk assessment processes an explicit regulatory requirement represents a new obligation for casinos.

The same provision would require casinos to incorporate AML/CFT National Priorities, defined as the most recent priorities issued under 31 U.S.C. § 5318(h)(4), into their risk assessment processes and program design.

Operational Pressure Points

The NPRM shifts the focus from having a risk assessment to demonstrating a repeatable process. Casinos will need to show defined inputs and data sources, clear ownership and governance cadence, documented update triggers, and a defensible methodology for how risks are identified and weighted.

The proposed rule requires updates when the casino knows or has reason to know of a change in circumstances that materially changes risk. FinCEN is seeking comment on what constitutes a material change and what timing expectations should apply. Examples likely to qualify include new product launches, new distribution channels, shifts in customer segments, significant third‑party relationships, or property acquisitions that alter geographic exposure.

Internal Controls Reframed as Risk‑Based Policies, Procedures, and Controls

The NPRM replaces the familiar “system of internal controls” language with a requirement for risk‑based internal policies, procedures, and controls that reasonably mitigate identified risks and direct more attention and resources to higher‑risk customers and activities.

Resource Allocation Becomes Examinable

FinCEN is positioning resource allocation as part of the effectiveness analysis. Examiners will ask not only what controls exist, but why resources are distributed the way they are. Operators who can demonstrate a clear chain from risk assessment to mitigation strategy to staffing and technology decisions, and who can show how QA and testing feed back into that chain, will be better positioned.

Scope Expansion Through “Other Illicit Finance Activity”

The NPRM uses the phrase “other illicit finance activity” without defining it for Part 1021. This invites broader interpretations of what casinos must risk assess and mitigate. Operators may want to comment on whether FinCEN intends this phrase to expand the substantive scope of expected controls beyond traditional casino AML typologies.

Governance: Board Approval, a U.S.‑Located Responsible Officer, and Document Availability

Program Approval and Availability

Proposed § 1021.210(a) would require the written AML/CFT program to be approved by the casino’s board of directors or governing body, or, if neither exists, by senior management. Proposed § 1021.210(d) would require casinos to make a copy of the program available to FinCEN or its designee upon request.

This requirement is straightforward, but it creates governance records such as minutes, resolutions, and delegation matrices that will carry weight in an examination or investigation. Casinos with enterprise‑level programs should consider how approval mechanics will operate across properties and legal entities to ensure consistency and clear accountability.

A U.S.‑Located AML/CFT Officer

Proposed § 1021.210(b)(3) would require casinos to designate an individual responsible for day‑to‑day compliance who is located in the United States and accessible to, and subject to oversight and supervision by, FinCEN. This is a meaningful change from the existing rule, which requires a compliance officer but does not impose a location requirement.

FinCEN is requesting comment on how this requirement would affect institutions that rely on non‑U.S. personnel for certain compliance functions. The preamble highlights SAR confidentiality as a particular concern. Casino groups with centralized or shared‑services models should treat this as a high‑priority comment topic and begin evaluating how to structure compliance responsibilities without fragmenting accountability.

Independent Testing, Training, and a Subtle Technology Signal

Proposed § 1021.210(b)(2) and (b)(4) preserve existing expectations for independent testing and ongoing training.

FinCEN also proposes to remove language that expressly calls for automated programs to aid compliance in casinos with automated data processing systems. FinCEN states that the deletion is not intended to reduce substantive obligations, but to reflect a more risk‑based, institution‑specific approach. Less prescriptive text gives operators flexibility, but it also creates room for after‑the‑fact arguments about what a reasonably designed program required given the casino’s size, product mix, and risk profile.

Recordkeeping Alignment

The NPRM would revise § 1021.410(b)(10) to require retention of a copy of the AML/CFT program described in § 1021.210. This technical update reinforces the importance of version control and documented governance approvals, both of which will be central in examinations and enforcement actions.

Timing

FinCEN proposes a final‑rule effective date 12 months after issuance and requests comment on whether that timeline is appropriate. For multi‑property operators, 12 months may be tight, particularly where systems, analytics, and governance processes must be updated to support a defensible risk assessment and resource‑allocation framework.

Conclusion: Practical Steps for Compliance Teams

If finalized as proposed, the NPRM would move casino AML/CFT regulation toward a more formalized, governance‑driven model. In the near term, casino operators should evaluate whether existing risk assessment workpapers function as true processes with defined ownership and update triggers, map AML/CFT National Priorities to the casino’s risk taxonomy in a way that can be defended to examiners, and begin socializing board‑level approval mechanics and a U.S.‑located accountable officer model to avoid a last‑minute scramble if the 12‑month implementation window is adopted.

FinCEN’s direction indicates that casinos will need to demonstrate that required program components are in place and functioning in a manner that reflects a risk‑based allocation of attention and resources.

Ballard Spahr’s Gaming Industry and Anti-Money Laundering Teams advise clients across the gaming sector on BSA/AML compliance, regulatory obligations, investigations, enforcement actions, licensing, internal risk assessments, policy development, training, due diligence, and technology solutions for monitoring and reporting. Our team brings legal and industry experience to help clients manage risk and meet business objectives. Please contact us for guidance on BSA/AML or related gaming‑sector matters.

Copyright © 2026 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.