On April 1, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued a Notice of Proposed Rulemaking (“NPRM”) titled “Whistleblower Incentives and Protections,” proposing regulations to fully implement Treasury’s statutory whistleblower bounty program. The NPRM covers violations of the Bank Secrecy Act (“BSA”), International Emergency Economic Powers Act (“IEEPA”), Trading with the Enemy (“TWEA”), and the Foreign Narcotics Kingpin Designation Act (“Kingpin Act”). The BSA generally applies to “covered financial institutions”1 while IEEPA and the other statutes underlie economic sanctions programs administered by the Office of Foreign Assets Control (“OFAC”) and the US Outbound Investment Security Program and have broad application.
At long last, the NPRM would operationalize the FinCEN whistleblower bounty program that has existed by statute for years. Combined with FinCEN’s February 13, 2026, launch of a dedicated whistleblower tip website, the NPRM provides more clarity and likely more incentive for individual whistleblowers to report violations and seek potentially life-changing bounties. Entities subject to the BSA and companies doing business in the US, with US persons or with the US financial system should review their risk management, escalation, and investigation procedures in light of the key provisions outlined below.
Background
The Anti-Money Laundering Act of 2020, enacted by Congress in January 2021, greatly enhanced the pre-existing FinCEN whistleblower bounty program for BSA violations, following the model of the successful Securities and Exchange Commission and Commodity Futures Trading Commission programs established in 2010 under Dodd-Frank. In December 2022, Congress expanded the bounty program to include OFAC sanctions violations through the Anti-Money Laundering Whistleblower Improvement Act. By statute, qualified whistleblowers are eligible to receive a minimum of 10% and up to 30% of the monetary sanctions collected by the government, representing potentially generational wealth. FinCEN has been accepting and acting on tips from whistleblowers on BSA and OFAC violations for several years, although the process for awarding bounties awaits the finalization of the implementing regulations.
Key Provisions
Who is Eligible: A “Whistleblower” under the NPRM is an individual (or individuals) that voluntarily provides original information to FinCEN, the US Department of Justice (“DOJ”), or their employer, that leads to a successful enforcement action for a “covered action.”2 Whistleblowers can be US or non-US citizens and located in any jurisdiction.
Significantly, under the NPRM, Whistleblowers can include individuals that are employed in the internal audit and compliance functions of a company and individuals directly involved in the violations provided they are not criminally convicted for their actions.
Original Information: A Whistleblower must provide “original information” derived from either “independent knowledge” or “independent analysis” and not otherwise already known by FinCEN or DOJ. The NPRM defines these terms broadly apparently to encourage individuals to come forward with the hope of a bounty.
The NPRM defines independent knowledge as “factual information known to the whistleblower that is not exclusively obtained from publicly available sources.” The Whistleblower need not have direct, first-hand knowledge of potential violations, but rather can have obtained the information from “experiences, observations, or communications.”
Independent analysis is broadly defined to include the Whistleblower’s evaluation of information including publicly available information, “acting alone or in combination with others…that results in material insights into or interpretations of the significance of such information that are not generally known or available to the public.”
Even when there is an active government investigation of a company, an individual can still qualify as a Whistleblower if, at the time they make their tip, they had not been questioned by the government and independently came forward with information not previously available to the government that proves important to a successful enforcement action.
Disclosed to FinCEN: Whistleblowers must submit tips through FinCEN’s secure online portal using the “Tip, Complaint, or Referral” form.
If the Whistleblower first discloses the information to DOJ, OFAC or their employer, they are also required to submit the same information “within a reasonable time”3 directly to FinCEN.
Whistleblowers must wait 120 days after first reporting information to their employer before disclosing it to FinCEN, allowing the employer the opportunity to investigate and decide on a voluntary disclosure. In this circumstance, the Whistleblower remains eligible for a bounty even if the employer provides the original information to FinCEN before the Whistleblower.
Whistleblowers who obtained the original information as a result of (i) being an officer, director, trustee or partner of an entity; (ii) consulting on audit or compliance services for an entity, or (iii) through the entity’s internal audit and compliance controls, must wait 120 days from the date that they learned of the original information before disclosing to FinCEN. Significantly, they are not required first to report the information internally to the entity. Individuals, however, that violate the attorney-client or work product privileges in making a disclosure to FinCEN are not eligible.
Bounty Incentive: A Whistleblower is entitled to receive a minimum of 10% and up to 30% of the monetary sanctions collected in excess of $1 million, defined to include penalties, fines, settlement payments, disgorgement, and interest, but not forfeiture, restitution, or victim compensation payments. The NPRM also provides for FinCEN to consider the recovery in related actions by other agencies or under other statutes and regulations. The percentage over 10% awarded is at the discretion of FinCEN in consideration of several factors, such as significance of the information, culpability of the Whistleblower, and the extent to which the Whistleblower utilized internal compliance and reporting systems. To further incentivize Whistleblowers, if a 30% bounty would amount to $15 million or less, the Whistleblower is presumed to receive the maximum 30%.
Public Comment Period
The proposed rule is open for public comment until June 1, 2026. FinCEN is seeking feedback on all aspects of the proposal, including definitions, ineligibility rules, deadlines, and award factors. For example, FinCEN seeks comment on whether internal audit and compliance officials who learn of the information in the course of their duties should be eligible for a bounty.
Key Takeaways
Don’t sleep on it: The NPRM is a proposal and FinCEN is seeking comment on several key points. Nonetheless, companies should be preparing for the upcoming implementation and taking steps to consider the adequacy of their whistleblower risk management.
Actively manage whistleblower risk: While the NPRM provides that a Whistleblower can first report internally and remain eligible as a Whistleblower if they subsequently report the information to FinCEN, there could be a financial incentive for a Whistleblower to bypass internal controls and report directly to the government in order to deprive the company of an opportunity for a reduced penalty through voluntary disclosure credit. The NPRM appears to recognize this conflict and includes consideration of whether an employee reported internally as a factor in setting the bounty size. It remains to be seen, however, how FinCEN will exercise discretion in practice, and how Whistleblowers and their counsel will balance these factors in their reporting strategy. In any event, companies should take appropriate steps to ensure that their internal reporting and anti-retaliation procedures are easily accessible, well publicized and encouraged.
Address potential impact on control functions: The Whistleblower eligibility of individuals on internal audit and compliance teams could have an impact on the operation and culture of those functions. Companies should be attentive to this risk and take appropriate steps to reinforce corporate culture.
Beat the Clock: The NPRM only provides 120 days for companies after receiving an internal tip – which could come through the hotline or be reported by an employee for example to their supervisor to investigate and decide whether to make a voluntary disclosure, or risk loss of voluntary disclosure credit. Companies should assess procedures and resources to ensure senior management can make a timely and informed decision.
Align internal investigation procedures: A key exception for Whistleblower eligibility is that the original information forming the disclosure to FinCEN cannot violate legal privilege. Companies should take steps to ensure that their investigations into matters involving potential BSA or OFAC sanctions violations are properly under legal privilege from the outset.
1 As described by FinCEN: “The BSA authorizes the Department of the Treasury to impose reporting and other requirements on financial institutions and other businesses to help detect and prevent money laundering. Specifically, the regulations implementing the BSA require financial institutions to, among other things, keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. The BSA is sometimes referred to as an ‘anti-money laundering’ (AML) law or jointly as ‘BSA/AML,’ and is codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1960, 31 U.S.C. 5311-5314, 5316-5336, and includes notes thereto.”
2 “Covered actions” are violations of the BSA, IEEPA, TWEA, and the Kingpin Act, and charges of conspiracy to violate these statutes.
3 FinCEN has not yet defined what constitutes a “reasonable time.”
