Why 2026 Is a Watershed Year for AML Compliance
The global AML landscape has been through seismic change before — but 2026 feels structurally different. This is not merely one or two regulatory updates landing simultaneously. It is a coordinated, multi-jurisdictional realignment of how governments, regulators, and financial intelligence units think about financial crime: who bears responsibility for stopping it, what technology is expected to detect it, and what “adequate” compliance actually means in an enforcement context.
For compliance officers at fintechs, virtual asset service providers (VASPs), payment institutions, and electronic money institutions (EMIs), the stakes have never been higher. The era of reactive compliance — waiting for a regulator to knock before fixing gaps in your AML framework — is over. The enforcement record makes that clear.
In 2024–2025, TD Bank agreed to pay $3.09 billion in penalties in the largest AML enforcement action in US banking history, following a joint investigation by FinCEN, the OCC, and the DOJ that revealed systematic failures in transaction monitoring and suspicious activity reporting. The FCA imposed an approximately £29 million fine (£28,959,426 per the FCA Final Notice) on Starling Bank for deficiencies in its financial crime controls — explicitly criticising the bank’s MLRO function. FINTRAC levied a C$7.4 million administrative monetary penalty in one of Canada’s most significant AML enforcement actions against a domestic institution. VARA in the UAE commenced its first wave of supervisory examinations of VARA-licensed VASPs.
The Europol SOCTA 2025 report, which we analysed in depth, identified cryptocurrency money laundering, trade-based money laundering, and professional money laundering networks as the three fastest-growing financial crime threats facing European financial institutions. These are not abstract threats; they are the typologies regulators are actively examining for in 2026 supervisory engagements.
The message from regulators across every major jurisdiction is uniform: the compliance function must be proactive, adequately resourced, risk-based, and demonstrably effective — not just documented on paper.
This article identifies the six most consequential regulatory shifts of 2026, explains their practical operational impact, and provides actionable guidance for compliance officers who need to adapt now rather than later.
Shift 1: The Rise of AMLA and Europe’s Single AML Rulebook
What Is Happening
The establishment of the Anti-Money Laundering Authority (AMLA) represents the most significant structural change to European financial crime regulation in a generation. AMLA — headquartered in Frankfurt and operational since 1 July 2025 — is the EU’s new supranational AML supervisor with a mandate that no national regulator has previously held: direct supervisory authority over the highest-risk obliged entities operating across the EU, the power to issue binding technical standards, and the authority to impose sanctions where national competent authorities have failed to act adequately.
Alongside AMLA, the EU AML Regulation (AMLR) — the centrepiece of the EU’s 2024 Anti-Money Laundering Package — will become directly applicable across all 27 EU member states from 1 July 2027. The AMLR is a regulation, not a directive. This distinction is not a legal technicality — it is operationally transformative. Unlike the Fourth, Fifth, and Sixth Anti-Money Laundering Directives (6AMLD), which required domestic transposition and permitted significant national variation, the AMLR requires no transposition whatsoever. The rules will apply uniformly, simultaneously, and without the national interpretation divergences that criminal networks have historically exploited to route funds through the most permissive member state.
Why It Matters for Your Business
For any financial institution, payment institution, VASP, or CASP operating in or into EU markets, the AMLR and AMLA create four immediate compliance imperatives:
- Harmonised CDD standards: The AMLR standardises customer due diligence (CDD) requirements across the EU, including specific provisions for beneficial ownership verification, source of funds documentation, and enhanced due diligence (EDD) triggers. If your CDD procedures were calibrated to the most permissive EU member state, they will need significant upward revision.
- Expanded obliged entities: The AMLR brings new sectors into scope — including professional football clubs and agents, luxury goods dealers, crypto-asset service providers, and investment migration operators. If you provide banking or payment services to any of these sectors, your risk appetite and onboarding procedures must reflect that these customers are now themselves regulated entities with AML obligations.
- AMLA’s direct supervision list: AMLA will directly supervise approximately 40 of the highest-risk obliged entities in its first supervisory cycle, selected based on cross-border footprint, customer risk profile, and STR volume. If your firm meets these thresholds, you will face a materially different supervisory experience.
- The end of regulatory arbitrage: Firms that structured EU operations through the most permissive member state to minimise compliance burden must conduct an urgent gap analysis. That strategy is now foreclosed.
INDUSTRY INSIGHT
AMLA’s creation effectively ends the dynamic that saw some VASPs and payment institutions deliberately licence in lower-scrutiny EU jurisdictions to minimise AML compliance burden. With uniform supervision under the AMLR and AMLA’s direct oversight powers, the regulatory arbitrage that previously made certain member states more commercially attractive for compliance reasons has been substantially eliminated. Firms should now select EU operating jurisdictions based on commercial and operational logic, not supervisory leniency.
Action Items for Compliance Officers
- Conduct a gap analysis of your current CDD and EDD procedures against the AMLR requirements — the July 2027 deadline sounds distant, but system and policy changes of this magnitude require 18–24 months of lead time minimum.
- Review your customer portfolio for newly in-scope obliged entity types and revise risk classifications accordingly.
- Monitor AMLA’s publication of draft Regulatory Technical Standards (RTS) — several are expected throughout 2026 and will provide granular guidance on beneficial ownership thresholds, PEP classification standards, and third-country equivalence decisions.
- If you operate across multiple EU member states, appoint a dedicated AMLR implementation lead and establish a cross-jurisdictional working group with documented terms of reference.
For firms navigating the EU’s evolving crypto regulatory framework alongside AMLA, our guide to MiCA regulation 2026 provides essential context on how MiCA and the AMLR interact.
Shift 2: MiCA Full Implementation and the VASP/CASP Compliance Reckoning
What Is Happening
The Markets in Crypto-Assets Regulation (MiCA) reached its final implementation milestone on 30 December 2024, when provisions covering crypto-asset service providers (CASPs) became fully applicable across the EU. The grandfathering period — during which existing VASPs registered under national regimes could continue operating without MiCA authorisation — expired by 30 June 2026 at the latest across all member states (with some member states having set shorter transitional periods). The grandfathering maximum was 18 months from MiCA’s 30 December 2024 CASP provisions date; firms should verify the specific end date applicable in their member state of registration.
The consequence is unambiguous: any entity providing crypto-asset services in the EU without a valid MiCA CASP authorisation after the applicable grandfathering deadline is operating without regulatory permission. There are no extensions. There is no forbearance for late applicants.
The CASP Authorisation Bottleneck
The practical challenge for many VASPs and CASPs in 2026 is not regulatory understanding — it is authorisation processing capacity. National Competent Authorities (NCAs) across the EU have been inundated with applications, and processing timelines have extended to 12–18 months in several jurisdictions. This creates a dangerous gap for firms that initiated the process late.
| Jurisdiction | Regulatory Authority | Key Characteristics |
|---|---|---|
| Lithuania | Bank of Lithuania | Fast-track process; extensive English-language guidance |
| Netherlands | AFM / DNB | Rigorous assessment; high institutional credibility |
| Ireland | Central Bank of Ireland | High bar; strong EU passporting value |
| Poland | KNF | Growing CASP pipeline; competitive timelines |
| Bulgaria | FSC | Lower application volume; faster processing |
| Romania | ASF | Among EU’s fastest MiCA implementation tracks |
| Czech Republic | CNB | Structured process; growing crypto hub |
For jurisdiction-specific analysis, see our guides on MiCA in Lithuania, Poland, Czech Republic, Netherlands, Bulgaria, and Romania.
The UK’s Parallel Path: Regulatory Changes for Crypto in 2026
The UK is not subject to MiCA but is implementing its own comprehensive crypto regulatory framework. The Financial Services and Markets Act 2023 (FSMA 2023) gives HM Treasury powers to bring crypto-asset activities into the UK’s financial services regulatory perimeter, with the FCA serving as the primary regulator. The UK regulatory changes for crypto and fintech in 2026 represent a parallel — and in some respects, more demanding — regime for UK-based VASPs and CASPs.
AML/CFT Obligations Under MiCA
MiCA operates alongside, not instead of, the EU’s AML framework. CASPs authorised under MiCA are simultaneously obliged entities under the AMLR and must maintain:
- A comprehensive, implemented AML/CFT policy and procedures manual (not a template; a document tailored to the firm’s actual business model and risk profile)
- A qualified, fit-and-proper MLRO with documented authority and reporting lines
- Full Travel Rule compliance for all crypto-asset transfers (addressed in Shift 5)
- Transaction monitoring calibrated to crypto-specific typologies, including chain-hopping, mixing, and DeFi-related risks
- STR/SAR filing capability with the relevant FIU
- Annual independent AML review or audit
COMMON MISTAKE
Many VASPs seeking MiCA authorisation treat it as purely a licensing exercise and neglect the AML/CFT programme requirements that must be operational before and during the application process. NCAs are conducting AML readiness assessments as part of the authorisation review. Presenting a draft or template AML policy rather than an implemented, tested programme is one of the most frequently cited reasons for application delays and rejections in 2026.
For firms considering their VASP or CASP licensing and compliance strategy, our ultimate guide to VASP compliance and our analysis of why to outsource your MLRO as a VASP or CASP provide practical frameworks for building an authorisation-ready compliance programme.
Shift 3: FATF Grey List Expansion and the Correspondent Banking Fallout
What Is Happening
The Financial Action Task Force (FATF) — the intergovernmental standard-setter for AML/CFT — has continued its aggressive use of the grey list (Jurisdictions under Increased Monitoring) and black list (Jurisdictions Subject to a Call for Action) as instruments of regulatory pressure and diplomatic leverage. The February 2026 FATF Plenary brought further changes to both lists, with new additions creating immediate operational consequences for payment institutions, MSBs, and VASPs processing transactions involving affected jurisdictions.
The FATF grey list is not merely a reputational concern. It triggers concrete compliance obligations under virtually every major AML regulatory framework:
- Enhanced Due Diligence (EDD) is mandatory for all transactions involving customers or counterparties connected to grey-listed jurisdictions under the UK Money Laundering Regulations 2017 (Regulation 33), the EU AMLR (Article 29), and FinCEN guidance.
- Correspondent banking relationships become more difficult and expensive to maintain. Global correspondent banks apply blanket restrictions or significantly elevated due diligence requirements for payments touching grey-listed jurisdictions.
- Licensing implications: Regulators in clean jurisdictions — particularly the FCA, DFSA, and ADGM — scrutinise applications more carefully when applicants have operational or ownership connections to grey-listed countries.
The Correspondent Banking De-Risking Problem
One of the most operationally damaging consequences of grey list dynamics is the acceleration of correspondent banking de-risking. Global correspondent banks — particularly those subject to US Federal Reserve and OCC oversight — have been systematically terminating or restricting correspondent relationships with financial institutions in higher-risk jurisdictions. This trend has intensified in 2026 as regulators have increased scrutiny of correspondent banks’ own AML controls for their respondent relationships.
For MSBs, smaller payment institutions, and VASPs that rely on correspondent banking for fiat currency on/off ramps, de-risking creates an existential business risk that requires proactive management.
For Canadian MSBs and PSPs navigating the FATF risk environment alongside FINTRAC obligations, our analysis of Canada’s assessment of money laundering and terrorist financing risks provides essential context.
PRO TIP
Build FATF plenary monitoring into your AML programme as a documented, recurring control with a defined response timeline — not an ad hoc task. Regulators increasingly expect evidence that your firm tracks FATF list changes in real time and updates jurisdiction risk ratings within a defined window (30 days is a defensible standard) of each plenary outcome. This is now a basic expectation in FCA and DFSA supervisory examinations.
FATF’s Focus on Offshore VASPs in 2026
FATF’s March 2026 report on offshore VASP risk identified systematic AML control weaknesses in VASPs operating from jurisdictions with minimal regulatory oversight — including non-existent transaction monitoring, absent Travel Rule implementation, and near-zero STR filing rates. This report has directly influenced the supervisory priorities of the FCA, DFSA, MAS, and FINMA for 2026. Compliance officers at VASPs should treat the report’s findings as a roadmap of what examiners will look for in their next supervisory engagement.
For guidance on the specific control weaknesses regulators are targeting, our AML/CFT best practices for VASPs guide addresses each identified weakness in detail.
Shift 4: AI in AML — From Buzzword to Regulatory Expectation
What Is Happening
The use of artificial intelligence and machine learning in AML compliance — for transaction monitoring, customer risk scoring, adverse media screening, and network relationship analysis — has moved from optional enhancement to something approaching a regulatory expectation in 2026. This shift is visible in concrete regulatory developments across multiple jurisdictions:
- The FCA’s approach to AI in financial services, articulated through its 2024 AI and Digital Innovation publications and its Discussion Paper DP5/22 on AI and Machine Learning, signals that AI systems used in compliance contexts must be explainable, subject to human oversight, and governed with the same rigour as any other material business system.
- FATF Recommendation 1 (the risk-based approach) increasingly implies the use of data analytics and technology to identify risk patterns that static, rule-based systems cannot reliably detect — a position explicitly articulated in FATF’s 2021 guidance on digital identity and AML.
- The EU AI Act (Regulation (EU) 2024/1689), which became fully applicable in phases from August 2024, classifies certain AI applications in financial services — including AI used for credit risk assessment and fraud detection — as high-risk systems. Whether AI used specifically for AML transaction monitoring or customer risk scoring falls within the high-risk classification depends on the specific use case and deployment context; this remains subject to ongoing regulatory interpretation and guidance from the European AI Office. High-risk AI systems, where applicable, are subject to mandatory conformity assessments, transparency obligations, human oversight requirements, and registration in the EU AI database.
- FINMA Circular 2013/3 on auditing and the broader Swiss regulatory framework for technology risk apply to AI tools used within Swiss financial institutions and intermediaries. For Swiss firms, see our comprehensive guide to AML audits in Switzerland.
The Explainability Imperative
The most significant compliance challenge with AI in AML is not adoption — it is explainability. Regulators in 2026 require firms using AI-driven transaction monitoring or risk scoring to demonstrate: why a particular alert was generated, why a customer was assigned a specific risk rating, and why a transaction was or was not reported. This is not a future requirement — it is being examined now.
Black-box AI systems — where the model produces outputs without meaningful, human-interpretable reasoning — create serious and direct regulatory exposure. The FCA has been explicit in its guidance that it expects firms to maintain the ability to explain to a supervisor how any AI-generated compliance decision was reached.
What Regulators Actually Expect to See
| Regulatory Expectation | Practical Operational Implication |
|---|---|
| Human oversight | No fully automated SAR/STR decisions; MLRO must retain meaningful review authority |
| Explainability | Alert rationale must be documentable, auditable, and expressible in plain language |
| Data quality governance | AI outputs are only as reliable as the data inputs; data governance is a compliance issue |
| Bias testing | Models must be tested for demographic or geographic bias and disproportionate impact |
| Vendor due diligence | Outsourcing AI to a third party does not transfer the compliance obligation |
| Model risk management | AI models must be validated, version-controlled, periodically retrained, and change-managed |
For compliance officers at smaller fintechs and VASPs, the key regulatory message is this: using a reputable third-party transaction monitoring system with documented, explainable rule logic is defensible. Using a black-box AI tool that your MLRO cannot explain to a supervisor is a material compliance gap — regardless of its statistical performance.
Shift 5: The Travel Rule Goes Mainstream — No More Excuses
What Is Happening
The FATF Travel Rule — Recommendation 16, requiring VASPs to collect, verify, and transmit originator and beneficiary information for virtual asset transfers above threshold — has been a stated compliance obligation since FATF’s 2019 Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. In 2026, it is a compliance obligation with genuine enforcement consequences.
The key developments driving this shift:
EU Transfer of Funds Regulation (TFR — Regulation (EU) 2023/1113): The TFR extended Travel Rule obligations to crypto-asset transfers under MiCA. Critically, the TFR applies a zero-threshold rule for crypto transfers — originator and beneficiary information must be collected and transmitted for all crypto-asset transfers, regardless of value. This is materially more demanding than FATF’s USD/EUR 1,000 threshold and creates a specific compliance gap for firms that built their Travel Rule systems around the FATF standard.
UK Travel Rule (FCA): The UK’s Travel Rule — implemented through the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended — came into force for cryptoasset businesses on 1 September 2023. By 2026, the FCA expects full operational compliance. The FCA’s threshold is £1,000, but the practical requirement for VASP-to-VASP transfers involves collecting and transmitting data for all transfers. For detailed FCA compliance requirements, see our SPI vs API FCA audit expectations guide.
UAE Travel Rule: VARA’s Virtual Assets Regulation and associated rulebooks require Travel Rule compliance from all VARA-licensed entities. The DFSA similarly requires Travel Rule compliance from DIFC-based VASPs, as detailed in our DIFC AMI compliance handbook.
Canada: FINTRAC’s Travel Rule for virtual currency is explicitly established in Part 1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and the associated Regulations, as amended in 2021. Virtual currency transfers of CAD 1,000 or more require originator and beneficiary information to be collected and transmitted. This is not interpretive guidance — it is a statutory obligation.
The Sunrise Problem and Counterparty Risk
The practical challenge of Travel Rule compliance in 2026 is not the rule itself but the sunrise problem: the difficulty of complying when the counterparty VASP is located in a jurisdiction that has not yet implemented Travel Rule requirements, or operates without any AML regulation at all.
Regulatory guidance on this issue — from FATF, the FCA, and other authorities — consistently points in one direction: VASPs should not route transactions through non-compliant counterparties where this can be avoided, and should apply heightened due diligence where the counterparty’s compliance status cannot be confirmed.
In practice, a 2026-ready Travel Rule framework requires:
- A VASP counterparty risk assessment policy — defining how your firm assesses, approves, and monitors the compliance status of counterparty VASPs
- Integration with VASP directory services such as the TRISA network, VerifyVASP, or the OpenVASP protocol
- A documented sunrise rule policy defining how your firm responds to transactions with non-compliant counterparties
- Travel Rule-compliant messaging protocols (IVMS101 data standard)
- An audit trail of every Travel Rule compliance decision, stored for the regulatory-required retention period
For a comprehensive jurisdictional breakdown, our crypto Travel Rule guide covers requirements across the UK, EU, UAE, Canada, and beyond.
COMPLIANCE ALERT
Under the EU’s Transfer of Funds Regulation (EU) 2023/1113, there is no de minimis threshold for Travel Rule obligations on crypto-asset transfers. Unlike FATF’s USD/EUR 1,000 threshold, every single crypto-asset transfer — regardless of value — requires originator and beneficiary data to be collected and transmitted. Firms that calibrated their Travel Rule systems to the FATF threshold are systematically under-compliant for EU transfers and must recalibrate immediately.
Shift 6: Enforcement Is Getting Personal — Individual Accountability Rises
What Is Happening
Perhaps the most consequential shift of 2026 for individual compliance professionals is one that is easy to overlook amid the noise of new regulations: the systematic move by regulators across every major jurisdiction toward personal liability for AML failures. The era of the corporate fine as the primary — and often only — AML enforcement tool is giving way to a model where MLROs, CEOs, board members, and compliance officers face direct, personal regulatory consequences.
The UK: SM&CR in Full Effect
The FCA’s Senior Managers and Certification Regime (SM&CR) — which has applied to all FCA-authorised firms since December 2019 — creates a framework in which individuals holding Senior Management Functions (SMFs) can be held personally liable for AML failures that occurred during their tenure. The FCA’s Duty of Responsibility means that a Senior Manager can be sanctioned if they did not take reasonable steps to prevent a regulatory breach occurring in their area.
The FCA has signalled — through enforcement actions and Dear CEO letters in 2024 and 2025 — that it intends to use SM&CR more actively in 2026, particularly against MLROs (who typically hold the SMF17 function designation) who failed to escalate material compliance concerns to the board. The £29 million fine against Starling Bank explicitly criticised the MLRO function’s failure to maintain adequate oversight as the firm’s customer base scaled rapidly. For UK payment institutions, our FCA AML audit preparation checklist and our analysis of SPI and API FCA audit expectations detail precisely what the FCA examines in 2026 supervisory reviews.
The UAE: Criminal Liability Framework
The UAE’s approach to individual AML accountability is particularly stringent. Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (as amended) creates criminal liability — not merely administrative sanctions — for compliance failures under certain circumstances. VARA’s enforcement framework includes personal liability provisions for compliance officers and senior management of VARA-licensed entities. The UAE crypto regulation landscape has evolved rapidly, and individual accountability provisions have tightened in parallel with the maturation of VARA’s supervisory capacity.
Canada and the US: Institutional and Individual Exposure
In Canada, FINTRAC’s administrative monetary penalty framework allows for findings against compliance officers responsible for specific regulatory failures. The lessons from Canada’s historic FINTRAC AML penalty illuminate the kinds of control weaknesses — particularly in transaction monitoring and STR filing — that attract regulatory scrutiny at both institutional and individual levels.
In the United States, the FinCEN advisory on Chinese money laundering networks and FinCEN’s expanded use of civil money penalties against individual compliance officers who failed to maintain adequate BSA/AML programmes reflect the same directional shift. The TD Bank enforcement action — resulting in $3.09 billion in penalties — included personal liability findings and restrictions on specific individuals within the bank’s compliance and management hierarchy.
Switzerland: The FINMA and SRO Framework
In Switzerland, FINMA’s enforcement powers extend to individuals as well as institutions. Under the Anti-Money Laundering Act (AMLA, Geldwäschereigesetz / Loi sur le blanchiment d’argent / Legge sul riciclaggio di denaro — GwG/LBA/LRD) and associated FINMA Circulars, compliance officers at Swiss financial intermediaries — including those supervised by Self-Regulatory Organisations (SROs) — face personal regulatory exposure for material AML failures. Our Switzerland AML audit guide covers the FINMA and SRO supervisory framework in detail.
Enforcement Cases That Define the 2026 Standard
The enforcement record of 2024–2026 provides a clear picture of what constitutes inadequate AML compliance:
- Monzo (FCA, 2024): £21.1 million fine for systematic failures in financial crime controls, including inadequate transaction monitoring calibration and failure to apply appropriate EDD to high-risk customers during a period of rapid customer growth.
- Barclays (FCA, 2024): £39.3 million fine arising from control deficiencies in correspondent banking relationships and inadequate governance of AML-related risks.
- TD Bank (FinCEN/OCC/DOJ, 2024): $3.09 billion in penalties — the largest AML enforcement action in US banking history — for systematic and long-standing failures in transaction monitoring, STR filing, and compliance governance.
Each of these cases involved individual-level failures as well as institutional ones. MLROs, compliance officers, and senior managers are now unambiguously on notice.
What These 6 Shifts Mean for Your AML Programme
Taken together, the six regulatory shifts outlined above point to a fundamental redefinition of what a compliant AML programme looks like in 2026. The bar has moved — and it has moved in five specific, interconnected directions:
From policy to evidence. Regulators no longer accept well-drafted AML policies as evidence of compliance. They want to see that policies are implemented, tested, and effective. This means documented control testing, training records with individual assessment scores, transaction monitoring calibration logs evidencing periodic tuning, and board minutes reflecting meaningful engagement with MLRO reports.
From annual to continuous. The annual AML review cycle — risk assessment updated once a year, training delivered once a year, audit conducted once a year — is no longer adequate for the pace of regulatory change in 2026. Regulators expect continuous transaction monitoring, real-time screening against updated sanctions lists, and dynamic risk assessment that responds to emerging typologies.
From compliance to risk management. The distinction between compliance (ticking required boxes) and risk management (genuinely identifying, assessing, and mitigating financial crime risk) has never mattered more. FATF, the FCA, and AMLA are all explicit that a risk-based approach means genuinely assessing risk — not applying generic procedures uniformly across all customers and transactions.
From individual to institutional. While individual accountability is rising, so is the expectation that AML is embedded institutionally — in governance structures, technology systems, board culture, and commercial incentive frameworks. Compliance is no longer a function housed within a single team; it is a firm-wide responsibility with board-level ownership.
From domestic to global. Even firms that primarily serve domestic customers are affected by global regulatory shifts. FATF standards flow into domestic frameworks. AMLA creates EU-wide standards affecting global firms accessing EU markets. Travel Rule requirements create compliance obligations for every cross-border virtual asset transfer. FinCEN advisories on specific money laundering networks require responses from firms worldwide.
How to Build a 2026-Ready AML Compliance Framework
The Six Pillars of a 2026-Ready AML Programme
Pillar 1: Dynamic, Risk-Based Assessment
Your Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) methodology must be capable of incorporating new risk information quickly and systematically. This means:
- Jurisdiction risk ratings that update within 30 days of FATF plenary outcomes, documented as a recurring control
- Customer risk profiles that re-score when defined trigger events occur — change of ownership, unusual transaction patterns, adverse media hits, or changes in customer activity profile
- Product and channel risk assessments that reflect evolving delivery mechanisms including DeFi, stablecoins, embedded finance, and BNPL products
Use our AML risk assessment calculator as a starting point for calibrating your risk assessment methodology.
Pillar 2: Technology-Enabled, Explainable Transaction Monitoring
A 2026-ready transaction monitoring system must:
- Incorporate both rule-based and anomaly-detection capabilities, with documented rationale for each rule
- Generate a full audit trail for every alert decision — including the decision not to escalate
- Be calibrated against current typologies, not those prevalent when the system was originally configured
- Produce false positive rates that can be explained and defended to a regulator
- Include Travel Rule data validation for VASP-to-VASP transfers
- Be tested at least annually and whenever a material change in the firm’s product set or customer base occurs
Pillar 3: Qualified, Empowered MLRO Function
The MLRO — or equivalent (CAMLO in Canada, CMLRO in certain UAE contexts) — must be:
- Senior enough to access the board directly and without commercial obstruction
- Adequately time-allocated (a 10% role allocation is not adequate for a firm processing significant transaction volumes)
- Budgeted to acquire the tools, training, and external expert support the AML programme requires
- Documented in the firm’s governance framework with clear reporting lines and accountability
For firms where a full-time, senior MLRO is not commercially viable, outsourced MLRO services provide a regulatory-compliant solution. Our analysis of MLRO roles and responsibilities provides further detail on what regulators expect from this function.
Pillar 4: Independent AML Review and Audit
Every regulated firm should conduct an independent AML review at least annually — and in many jurisdictions, this is a hard regulatory requirement. Understanding the distinction between an AML review and an AML audit matters:
- An AML review assesses the overall effectiveness of your AML programme, identifies weaknesses, and recommends improvements. It is typically conducted by an independent internal or external reviewer and focuses on programme design and implementation.
- An AML audit is a more formal, evidence-based examination of whether specific AML controls are operating as designed, typically conducted by an external auditor with defined scope, testing methodology, and formal reporting.
For a practical framework, see our complete guide to AML audits, our AML audit checklist for 2025, our guide on how to prepare for your annual independent AML audit, and our detailed breakdown of key components of an effective AML audit programme. For UK payment institutions specifically, our FCA AML audit preparation checklist and our guide to EMI safeguarding audit vs AML audit address jurisdiction-specific requirements.
ComplyFactor’s AML audit services are specifically designed for fintechs, VASPs, PSPs, and EMIs navigating the 2026 regulatory environment.
Pillar 5: Role-Specific, Assessed AML Training
AML training in 2026 must be:
- Role-specific — the transaction monitoring analyst, the customer onboarding team, and the board each require different training content
- Updated at least annually and whenever a material regulatory change occurs
- Assessed — completion alone is not sufficient; regulators expect evidence of comprehension through scored assessments
- Documented with individual records that can be produced during a regulatory examination or audit
Our AML training programmes are designed to meet these specific requirements across regulated firm types and jurisdictions.
Pillar 6: Meaningful Board Governance and Oversight
AML compliance in 2026 requires genuine board ownership, not ceremonial sign-off. This means:
- Quarterly MLRO reports to the board or audit committee containing meaningful metrics — not just reassurances
- Board sign-off on the annual Business-Wide Risk Assessment with documented evidence of substantive engagement
- Board members who can articulate the firm’s principal financial crime risks in their own words
- A documented escalation framework that the MLRO can activate without commercial or reputational obstruction
- Board AML training, recorded and assessed
2026 AML Compliance Checklist
Use this checklist to assess your current AML programme against the six regulatory shifts identified in this article:
AMLA / AMLR Readiness
- Gap analysis of current CDD and EDD procedures against AMLR requirements completed
- Newly in-scope obliged entity customer types identified and risk-reclassified
- AMLR implementation project lead appointed with documented terms of reference
- AMLA RTS publications being monitored and incorporated into programme updates
MiCA / CASP Compliance
- MiCA CASP authorisation status confirmed, or application in progress with timeline documented
- AML/CFT programme fully implemented and tested prior to/during CASP application
- Qualified MLRO in place, documented in regulatory submission and governance framework
- Annual independent AML review scheduled and provider engaged
FATF Grey List and Jurisdiction Risk
- FATF list monitoring process documented as a recurring control with a defined response timeline
- Jurisdiction risk matrix updated within 30 days of February 2026 FATF Plenary
- EDD procedures applied to all grey-listed jurisdiction customer and counterparty connections
- Correspondent banking contingency plan documented and tested
AI and Technology Governance
- All AI and ML tools used in AML documented, with explainability evidence for each
- Human oversight procedures for automated alert and risk scoring decisions documented
- Vendor due diligence completed for all third-party AML technology providers
- EU AI Act high-risk classification assessment completed, where applicable
- Model validation and retraining schedule documented
Travel Rule Compliance
- Travel Rule solution implemented, tested, and integrated with transaction monitoring
- EU TFR zero-threshold requirement reflected in systems for all crypto transfers
- Counterparty VASP risk assessment framework documented and operational
- Sunrise rule policy documented for non-compliant counterparty scenarios
- IVMS101 data standard implemented for Travel Rule messaging
Individual Accountability
- SM&CR / equivalent individual accountability framework fully documented
- MLRO’s responsibilities, authority, and reporting lines formally documented
- Board AML training completed, scored, and recorded for all board members
- MLRO succession plan documented and deputy appointed
- Personal liability provisions under applicable jurisdiction reviewed with legal counsel
FAQ: AML Trends 2026
Q: When does AMLA begin direct supervision of obliged entities?
AMLA became operational on 1 July 2025 and is conducting its initial supervisory preparations throughout 2025–2026. Direct supervision of the first cohort of selected obliged entities — approximately 40 of the highest-risk cross-border firms — is expected to formally commence in 2026, with the EU AML Regulation (AMLR) becoming directly applicable across all member states from 1 July 2027.
Q: Does MiCA CASP authorisation replace national VASP registration?
Yes. A MiCA CASP authorisation obtained from any EU NCA provides a passport to operate across all 27 EU member states for the activities covered by MiCA. National VASP registration regimes — such as those previously operated by BaFin in Germany, DNB in the Netherlands, and the Bank of Lithuania — are superseded by MiCA for in-scope activities. However, firms must check whether any residual national requirements apply to activities not covered by MiCA.
Q: Is AI-driven transaction monitoring compliant with FCA expectations?
The FCA does not prohibit AI-driven transaction monitoring. However, it expects firms to demonstrate that any AI system used in AML compliance is explainable, subject to meaningful human oversight, adequately governed, and does not produce discriminatory or systematically biased outcomes. Firms using AI tools should document their model governance framework and be able to walk a supervisor through the logic behind any AI-generated alert or risk score.
Q: What is the Travel Rule threshold under the EU Transfer of Funds Regulation?
The EU’s Transfer of Funds Regulation, Regulation (EU) 2023/1113, applies a zero threshold to crypto-asset transfers, meaning originator and beneficiary information must be collected and transmitted for every crypto-asset transfer, regardless of value. This contrasts with FATF Recommendation 16, which sets a EUR/USD 1,000 threshold. Firms that built their Travel Rule compliance around the FATF threshold are under-compliant for EU transfers.
Q: Can our MLRO function be outsourced?
Yes. Regulators in most major jurisdictions — including the FCA (UK), VARA and DFSA (UAE), FINTRAC (Canada), and most EU NCAs — permit the MLRO function to be fulfilled by a qualified, external third party, provided appropriate oversight and accountability structures remain within the firm. ComplyFactor’s outsourced MLRO service provides regulated firms with a named, qualified MLRO who satisfies regulatory requirements and provides the firm with the expertise and regulatory standing the role demands.
Q: How often should we update our Business-Wide Risk Assessment?
At minimum, annually — and whenever a material change occurs in the firm’s business model, customer base, product set, geographic footprint, or regulatory environment. Leading compliance programmes treat the BWRA as a living document and conduct formal quarterly reviews alongside the full annual update. The FATF, FCA, and most other regulators are clear that a BWRA updated only annually without any interim review process is unlikely to be considered adequate for a firm operating in a dynamic regulatory environment. For a structured approach to building and maintaining your BWRA, see The Complete AML Programme Blueprint and our AML risk assessment calculator.
Q: What should we do if our firm has connections to FATF grey-listed jurisdictions?
Apply Enhanced Due Diligence (EDD) to all relevant customers and counterparty relationships — this is mandatory under the UK MLR 2017 (Regulation 33), EU AMLR, and equivalent frameworks. Document your EDD conclusions thoroughly. Review your correspondent banking and payment routing arrangements to assess whether they create exposure to grey-listed jurisdictions that you have not yet addressed. Update your Business-Wide Risk Assessment to reflect the current FATF list status. And ensure your staff are trained on the specific red flags and typologies associated with the relevant jurisdictions.
Q: What is the difference between an AML audit and an independent AML review?
An AML review is a periodic assessment of whether your AML programme is fit for purpose and effectively implemented — focusing on programme design, policy adequacy, and implementation effectiveness. An AML audit is a more formal, evidence-based examination of whether specific controls are operating as designed, typically with a defined scope, testing methodology, and audit opinion. Both serve distinct purposes; many regulated firms require both on an annual basis. For guidance on which your firm needs, see our guide on 5 warning signs you need an independent AML review.
Conclusion: The Cost of Inaction in 2026
The six regulatory shifts documented in this article — AMLA and Europe’s Single AML Rulebook, MiCA’s full CASP compliance reckoning, FATF grey list dynamics and correspondent banking de-risking, AI becoming a regulatory expectation rather than a differentiator, the Travel Rule maturing into an enforced obligation, and the rise of personal accountability for AML failures — collectively define a compliance environment where the cost of inaction has become prohibitive.
This is not regulatory noise. These are structural changes with defined deadlines, enforcement consequences, and — increasingly — personal liability implications for the individuals responsible for managing them. The TD Bank case established that $3.09 billion is the price of systematic AML failure at scale. Monzo established that £21.1 million is the price of inadequate controls during rapid growth. These are not outliers. They are data points in a directional trend that is accelerating, not plateauing.
For compliance officers, MLROs, and senior management at fintechs, VASPs, PSPs, and EMIs, 2026 demands structured action — specifically, the kind of documented, tested, risk-based action that can withstand regulatory scrutiny from the FCA, AMLA, VARA, FINTRAC, or any of the other agencies whose enforcement capacity has never been higher.
ComplyFactor specialises in helping exactly these kinds of regulated firms build and strengthen AML compliance programmes that meet 2026 standards. From independent AML audits and advisory services to outsourced MLRO services and full AML programme development across the UK, UAE, EU, Canada, and Switzerland — our team works with compliance professionals who need expertise, not just reassurance.
Contact ComplyFactor today to discuss how we can help your firm navigate 2026’s regulatory environment with confidence.