Compliance Digest—April 2026

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from payments and crypto.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML 

EU🇪🇺 AMLA launches consultations on AML/CFT group-wide requirements and business-wide risk assessments

What happened?

The Anti-Money Laundering Authority (AMLA) launched two public consultations on draft regulatory instruments covering Business-Wide Risk Assessment (BWRA) guidelines and Regulatory Technical Standards (RTS) on group-wide AML/CFT requirements.

These drafts define how obliged entities should identify, assess, and manage money laundering and terrorist financing (ML/TF) risks under the new EU AML framework. 

Who’s affected?

• All obliged entities under EU AML rules (financial and non-financial sectors)
• Groups with cross-border operations, including those operating in third countries
• Parent undertakings responsible for group-wide AML/CFT frameworks

The consultation is particularly relevant for entities required to conduct business-wide risk assessments and groups needing to implement centralized AML/CFT policies, controls, and information-sharing mechanisms

Deadline:

• Business-wide risk assessment consultation: July 15, 2026
• Group-wide requirements consultation: June 15, 2026 

Read more:

• AMLA consults on group-wide requirements and business-wide risk assessment
• FIAU: Latest Updates from AMLA

UAE🇦🇪 Central Bank updates AML/CFT/CPF guidance to strengthen the financial crime risk management framework

What happened?

The Central Bank of the United Arab Emirates (CBUAE) issued an updated package of AML/CFT/CPF guidance and best practices to enhance the effectiveness of compliance systems across the UAE financial sector.

The package includes:

• 4 supervisory guidance documents, covering:
  • Proliferation financing (PF) risk frameworks
  • Trade-based money laundering (TBML) and transshipment risks
  • Correspondent banking risk management
  • Customer due diligence (CDD), KYC, and record-keeping expectations
• 2 best practice manuals, focusing on:
  • Risk-based approach and institutional risk assessments
  • Role-based AML/CFT/CPF training programs

The updates align with the Financial Action Task Force standards and the UAE National Strategy 2024–2027, aiming to improve risk identification, monitoring of emerging threats, and implementation of proportionate controls across institutions.

Who’s affected?

• Licensed Financial Institutions (LFIs) in the UAE
• Registered Hawala Providers (RHPs)

The updates are particularly relevant for:

• Compliance and AML teams responsible for risk assessments and control frameworks
• Institutions managing correspondent banking relationships
• Firms handling trade finance and cross-border transactions
• Organizations required to implement CDD/KYC and record-keeping systems

Deadline:

No explicit consultation deadline. The guidance is effective upon issuance (April 16, 2026)

Read more: 

CBUAE Updates AML/CFT/CPF Guidance for Licensed Financial Institutions

US🇺🇸 FinCEN proposes fundamental reform of the AML/CFT program requirements

What happened?

The Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) to fundamentally reform AML/CFT program requirements for financial institutions under the Bank Secrecy Act.

The proposal represents a structural shift from “check-the-box” compliance to program effectiveness, with key elements including:

• Introduction of a formal “effectiveness” standard for AML/CFT programs
• Mandatory risk-based frameworks, which require institutions to allocate more resources to higher-risk areas
• Codification of risk assessment processes as a core component of AML programs
• Requirement to incorporate FinCEN AML/CFT Priorities into risk assessments
• Reinforcement of the four core pillars (internal controls, independent testing, compliance officer, training)
• Enhanced supervisory coordination, including FinCEN involvement in significant enforcement actions

The reform aims to modernize the US AML/CFT regime, improve outcomes in combating illicit finance, and reduce unnecessary compliance burden. 

Who’s affected?

The affected entities are US financial institutions subject to the Bank Secrecy Act, including:

• Banks
• Money services businesses (MSBs)
• Broker-dealers and mutual funds
• Certain insurance companies
• Other regulated financial entities

Particularly impacted are:

• Institutions required to redesign AML/CFT programs around risk-based effectiveness
• Compliance teams responsible for risk assessments and governance frameworks
• Firms which need to align with FinCEN priorities and updated supervisory expectations

Deadline:

• Public comment deadline: June 9, 2026 
• Proposed implementation timeline: ~12 months after final rule adoption 

Read more:

FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance

Crypto

UK🇬🇧 Financial Conduct Authority consults on guidance clarifying the scope of the future UK crypto regulatory regime

What happened?

The Financial Conduct Authority (FCA) launched a consultation on draft guidance to help firms understand the scope (“perimeter”) of the UK’s future cryptoasset regulatory regime. 

The guidance aims to clarify, which cryptoasset activities will require authorization, including issuance of qualifying stablecoins, operation of trading platforms, dealing/arranging transactions in cryptoassets, safeguarding (custody), as well as staking.

This consultation forms part of the broader UK crypto framework, which seeks to promote market integrity and consumer protection, as well as support a competitive and sustainable crypto sector. It is a key step in finalizing the UK’s end-to-end crypto regulatory regime, with rules expected to be completed ahead of implementation.

Who’s affected?

• Cryptoasset firms operating or planning to operate in the UK
• Firms engaging in in-scope regulated crypto activities (trading, custody, staking, issuance)
• Advisers, auditors, and industry bodies supporting crypto firms
• Firms currently registered under AML regimes that will need full authorization under FSMA

Particularly impacted are:

• Firms needing to determine whether they fall within the regulatory perimeter
• Businesses preparing for authorization and compliance under the new regime

Deadline:

• Consultation closes: June 3, 2026 
• Authorization applications open: September 2026 
• Full regime expected to apply: October 2027 

Read more:

FCA consults on guidance on UK’s future crypto regime

EU🇪🇺 ESMA confirms the end of the MiCA transitional period and mandates wind-down of unauthorized crypto providers

What happened?

The European Securities and Markets Authority (ESMA) has issued a supervisory statement clarifying expectations ahead of the end of the transitional period under the Markets in Crypto-Assets Regulation (MiCA).

The MiCA transitional period will end on July 1, 2026 across the EU. After this date, any crypto-asset service provider (CASP) operating without a MiCA license will be in breach of EU law and required to cease its activities. ESMA makes clear that unauthorized CASPs must implement comprehensive wind-down plans. These should ensure an orderly exit from the market while safeguarding client assets, for example by transferring them to authorized CASPs or to self-hosted wallets. Authorized CASPs are expected to proactively onboard and migrate clients ahead of the deadline to minimize disruption.

The statement also reinforces that third-country firms are generally prohibited from providing services to EU clients, except in very limited cases of reverse solicitation. In parallel, ESMA sets expectations for national competent authorities (NCAs), calling on them to enforce the prohibition on unauthorized activity, monitor wind-down processes and client migrations, and ensure supervisory convergence across the EU.

This marks a definitive end to the MiCA transitional regime, moving the EU crypto market fully into an authorization-based framework.

Suggested read: EU Crypto Regulations

Who’s affected?

• Crypto-asset service providers (CASPs) operating in the EU
• Unauthorized firms, including those relying on transitional regimes
• Third-country crypto firms servicing EU clients
• Authorized CASPs onboarding migrating clients
• EU investors/consumers, whose protections now depend on dealing with authorized entities

Deadline:

July 1, 2026: end of MiCA transitional period and enforcement of full authorization requirement

Read more:

Statement on the End of Transitional Periods under MiCA

US🇺🇸 SEC clarifies the application of US federal securities laws to crypto assets

What happened?

At the end of March, the US Securities and Exchange Commission (SEC) issued an interpretive release clarifying how US federal securities laws apply to crypto assets and related activities.

A central element of the release is the introduction of a structured token taxonomy, distinguishing between:

• Digital commodities
• Digital collectibles
• Digital tools
• Stablecoins
• Digital securities

The SEC also clarifies that most crypto assets are not inherently securities. However, they may fall within the scope of securities laws when they form part of an “investment contract” under the Howey test, and in some cases may cease to be treated as securities over time depending on the relevant facts and circumstances.

In addition, the release provides guidance on specific crypto activities, including:

• Airdrops
• Staking
• Mining
• Token “wrapping”

It also reflects alignment with the Commodity Futures Trading Commission (CFTC) in clarifying jurisdictional boundaries between securities and commodities regulation.

Overall, the interpretive release establishes a more formal framework for determining when crypto assets and related transactions fall within securities regulation, helping to reduce prior uncertainty.

Who’s affected?

• Crypto issuers and project developers
• Crypto exchanges and trading platforms
• Investors and market participants
• Intermediaries (broker-dealers, custodians, etc.)

Particularly impacted:

• Firms assessing whether their tokens or activities fall under securities vs commodities regimes
• Projects relying on staking, airdrops, or token distribution models
• Entities structuring offerings to avoid or comply with securities laws

Deadline:

No deadline, interpretive guidance is effective upon issuance 

Read more:

SEC Clarifies the Application of Federal Securities Laws to Crypto Assets

Payments

South Africa🇿🇦 proposes Capital Flow Management Regulations to replace exchange controls with a risk-based cross-border oversight framework

What happened?

The National Treasury of South Africa has published draft Capital Flow Management Regulations (2026) for public consultation, marking a significant overhaul of the country’s longstanding exchange control regime.

The proposal would replace the 1961 Exchange Control Regulations with a modernized framework and introduce a shift from a pre-approval model to a risk-based system. This new approach focuses on reporting obligations, the monitoring of high-risk and high-impact cross-border transactions, and stronger measures to combat illicit financial flows.

It also introduces a “positive bias” toward capital flows, aiming to ease restrictions while maintaining appropriate regulatory oversight. In addition, crypto assets are explicitly brought within the capital flow management framework, placing them under formal regulatory supervision.

Who’s affected?

• Financial institutions and authorized dealers managing cross-border transactions
• Asset managers and investment firms
• Corporations and individuals engaging in offshore investments or capital movements
• Crypto asset service providers and users, now explicitly captured within the framework

Particularly impacted:

• Entities subject to cross-border reporting and monitoring obligations
• Firms benefiting from reduced pre-approval requirements but increased surveillance

Deadline:

Public comment deadline is May 18, 2026 (note: some sources indicate extensions up to June 2026 depending on consultation channel)

Read more:

Official consultation notice—South African Government

EU🇪🇺 PSD3 & PSR final compromise texts introduce a strengthened EU anti-fraud framework for payment services

What happened?

The Council of the European Union released the final compromise texts for the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). This new legislative package will update and replace the PSD2 regime, introducing a directly applicable regulation (PSR) alongside PSD3.

A key focus of the proposal is the significant strengthening of the EU anti-fraud framework. This includes the introduction of mandatory transaction monitoring (TM), with direct liability for payment service providers (PSPs), as well as obligatory fraud data sharing between PSPs. The framework also grants new intervention powers, such as the ability to suspend or reject transactions, and explicitly recognizes social engineering fraud as a relevant risk category.

In addition, the proposal expands refund rights and PSP liability, including in spoofing scenarios, and introduces enhanced customer protection controls, such as transaction limits and delays. It further extends the Verification of Payee (VoP) requirement to all credit transfers and enables cross-sectoral data exchange to support fraud prevention efforts.

The European Banking Authority (EBA) will be responsible for developing regulatory technical standards (RTS) on transaction monitoring requirements.

Who’s affected?

Particularly impacted are:

• PSPs responsible for real-time fraud detection and monitoring systems
• Firms required to implement data-sharing frameworks
• Institutions managing customer authentication and communication channels

Deadline:

• Not yet final - timelines will be confirmed following formal adoption and publication in the EU Official Journal
• Implementation will follow transitional periods under PSD3/PSR

Read more:

• Third Payment Services Directive (PSD3)
• Payment Services Regulation (PSR)

Gambling

EU🇪🇺 Court of Justice confirms Member States may prohibit online gambling services and allow recovery of player losses despite cross-border licensing

What happened?

The Court of Justice of the European Union (CJEU) ruled in Case C-440/23 (European Lotto and Betting) that EU law does not prevent Member States from prohibiting certain online gambling services, even where those services are licensed in another EU country. 

The ruling sets out several key findings on the regulation of online gambling within the EU. It confirms that Member States may prohibit certain gambling activities, including online casino games, slot machines, and specific forms of betting, in order to protect consumers, prevent fraud and addiction, and maintain public order. Such restrictions are considered compatible with the EU’s freedom to provide services, particularly given the lack of full harmonization at EU level and the broad discretion afforded to national authorities in determining the appropriate level of protection.

The Court further clarifies that licensing in another Member State—for example, in Malta—does not override national prohibitions. As a result, contracts concluded in breach of national law may be declared void and can give rise to civil claims for restitution. Consumers may therefore recover gambling losses from operators where the services were unlawful in their home country.

The ruling also notes that subsequent regulatory changes, such as Germany’s transition to a licensing regime, do not invalidate earlier prohibitions or affect related claims.

Overall, the judgment reinforces national control over gambling regulation and limits the effectiveness of cross-border licensing models within the EU.

Who’s affected?

• Online gambling operators, especially those licensed in one EU country but targeting others
• Betting and casino platforms offering cross-border services
• Consumers/players, who may claim restitution of losses
• National regulators, enforcing domestic gambling restrictions

Particularly impacted:

• Operators relying on EU passporting-like arguments (which do not apply in gambling)
• Firms offering online casino and slot products in restricted jurisdictions

Deadline:

Not applicable: judgment effective immediately (April 16, 2026)

Read more:

Online games of chance: EU law does not preclude a Member State from prohibiting certain services provided online and authorised in other Member States, and from attaching civil-law consequences to that prohibition

Brazil🇧🇷 adopts a CMN Resolution restricting prediction markets and strengthening financial risk safeguards

What happened?

The National Monetary Council of Brazil adopted CMN Resolution No. 5,298, introducing a clear regulatory boundary between financial instruments and betting-type activities.

The resolution prohibits financial institutions from offering or facilitating contracts based on real-world events, such as:

• Sports outcomes
• Political events
• Entertainment or social developments

It also formally reclassifies these event-based contracts as gambling (betting), not financial instruments, and restricts permissible contracts within the financial system to those linked to economic and financial variables(e.g., interest rates, FX, inflation, commodities).

As a result, prediction market models structured as “financial products” are no longer permitted under Brazil’s financial regulatory framework.

The measure is aimed at reducing consumer and systemic risk, preventing regulatory arbitrage between financial and gambling regimes, as well as limiting speculative activity linked to non-financial events.

Who’s affected?

• Prediction market and event-based trading platforms
• Financial institutions facilitating or distributing such products
• Gambling/betting operators, particularly those using financial market structures
• Retail users engaging in event-based contracts

Deadline:

Effective early May 2026

Read more: 

Resolução CMN n° 5.298 de 24/4/2026