Sep 01, 2025
12 min read

Compliance Digest—August 2025

Learn about all the latest compliance updates from the past month.

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries from gambling to AML.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML

Thailand 🇹🇭

Thailand issues new BOT rules: Facial recognition, KYC & TM now mandatory

What happened?

The Bank of Thailand (BOT) issued new regulations under the Emergency Decree on Technology Crime Prevention and Suppression (No. 2, 2025), consolidated in BOT Notifications dated August 8 and August 19, 2025. These measures aim to counter financial fraud and scams, with phased rollouts since April 2025.

Key requirements include:

Facial recognition with liveness/anti-spoofing for high-value transactions.
KYC & Enhanced Due Diligence (EDD) obligations, including categorizing mule account owners into black, dark grey, and light grey risk groups.
Transaction monitoring & fraud detection, including customer notifications, fund suspension powers, and stricter daily transfer limits (default ≤ 50,000 THB/day or ~1,550USD).
Mobile & App security, requiring enhanced safeguards against malicious apps, harmful links, and unauthorized device conditions.
Fraud response protocols, including fast-track reporting and 24/7 contact channels for victims.

Who’s affected?

Banks operating in Thailand
E-payment providers (mobile wallets, digital transfer services)
Digital asset businesses (crypto exchanges, custodians, etc.)
Customers engaging in high-value or high-frequency transfers
High-risk customer groups (black/dark grey/light grey mule account holders)

Deadline: Measures have been rolled out since April 2025, with the latest rules consolidated under BOT Notifications of August 8 and August 19, 2025. Institutions are expected to comply immediately upon issuance of the notifications, unless BOT grants transitional periods for specific requirements.

มั่นคงปลอดภัยของการให้บริการทางการเงินและการชำระเงินบนอุปกรณ์เคลื่อนที่สำหรับ

สถาบันการเงินเฉพาะกิจ

Bank of Thailand Press Release

EU 🇪🇺

EBA publishes report on SupTech use in AML/CFT supervision

What happened?

Last month, the European Banking Authority (EBA) published a Report on the use of technology tools (SupTech) in anti-money laundering and countering the financing of terrorism (AML/CFT) supervision.

The purpose of the Report is to take stock of ongoing innovation efforts by national competent authorities (NCAs) in the EU and explore how technology can support the implementation of the new EU AML/CFT framework, including the establishment of the Anti-Money Laundering Authority (AMLA).

Key Findings include:

Nearly half (47%) of SupTech tools are already in production, 38% under development, and 15% in exploratory phases.
Benefits: improved data quality, stronger collaboration, more efficient risk identification.
Challenges: limited resources, legal uncertainty, and data governance issues.

The Report highlights effective practices in change management, data and technology use, as well as supervisory and regulatory strategies. EBA will continue to support NCAs and AMLA in developing a risk-based, data-driven, scalable supervisory model.

Who’s affected?

National competent authorities (NCAs) in EU Member States adopting SupTech tools.
The new Anti-Money Laundering Authority (AMLA), which will coordinate EU-level AML/CFT supervision.
Financial institutions, indirectly, through increased supervisory effectiveness and data-driven compliance checks.

Deadline:

The Report does not mention any fixed compliance deadline. This is part of an ongoing EU-wide transition to the new AML/CFT framework. Implementation will progress alongside the establishment of AMLA and continued rollout of SupTech tools by NCAs.

Gambling

India 🇮🇳

Indian parliament bans online gaming

What happened?

On August 21, 2025, the Indian Parliament passed the Promotion and Regulation of Online Gaming Bill, 2025 (the ‘Bill’), which prohibits:

All forms of online money games (whether based on skill, chance, or both, involving monetary stakes).
All online money gaming services (facilitating or offering such games).
Any advertisements promoting online money games.
Financial institutions, banks, or individuals from processing transactions related to online money gaming services.

Penalties include up to 3 years’ imprisonment, a fine of 10 million INR (~114,270 USD), or both. The Bill also officially recognizes e-sports as a legitimate sport in India. Additionally, it provides for the creation of a regulatory authority to oversee e-sports and online social games.

Who’s affected?

Online gaming companies and service providers offering money-based games.
Advertisers and media platforms promoting online money gaming.
Banks and financial institutions that facilitate related transactions.
Players who participate in online money games.
On the positive side, e-sports players, organisers, and developers stand to benefit from recognition and regulatory support.

Deadline:

The bill was passed on August 21, 2025. Effective deadlines for enforcement and compliance will depend on the government’s notification, but from passage onward, stakeholders should assume immediate compliance is required unless otherwise specified.

Philippines 🇵🇭

Philippines’ BSP halts in-app gambling transactions amid consumer protection concerns

What happened?

On August 14, 2025, the Bangko Sentral ng Pilipinas (BSP) published a memorandum approving Resolution No. 805. The resolution suspends in-app gambling access from all BSP-supervised payment institutions’ (BSIs) apps and websites. BSP cited a surge in online gambling transactions and rising public concern over consumer financial health as reasons for the suspension. The suspension will remain in place until a formal policy is issued, setting standards and expectations for BSIs in providing online gambling payment services.

Who’s affected?

BSP-supervised payment institutions (BSIs), including mobile payment app providers and payment website operators.
Online gambling operators relying on BSP-supervised payment channels for customer deposits or withdrawals.
Consumers who access gambling services through payment apps/websites.

Deadline:

Within 48 hours of the suspension memorandum (i.e., by August 16, 2025), all BSIs must remove links providing in-app gambling access from their mobile apps and websites. The suspension remains in effect until further notice, pending BSP’s issuance of a detailed policy framework.

Read more:

MEMORANDUM NO. M-2025-029

Kenya 🇰🇪

Kenya signs the Gambling Control Bill 2023 into law

What happened?

On August 7, 2025, President William Samoei Ruto signed the Gambling Control Bill 2023 into law. The law regulates:

Betting, casinos, and other gambling activities, including online gambling.
Licensing requirements for operators.
Responsible gambling provisions.
Advertising restrictions related to gambling.

It also establishes a new Gambling Regulatory Authority, which will replace the existing Betting Control and Licensing Board (BCLB). This follows the Mediation Committee’s report, adopted by the National Assembly on July 31, 2025.

Who’s affected?

Betting and casino operators (land-based and online)
Online gambling platforms serving Kenyan players
Advertising agencies and media outlets promoting gambling.

Deadline:

The law took effect upon presidential assent on August 7, 2025. Specific deadlines for transition to the new Gambling Regulatory Authority and compliance with licensing and advertising rules will depend on subsequent regulations or guidelines issued under the new framework.

UK 🇬🇧

UK Gambling Commission opens a consultation on amendments to the Licence Conditions and Codes of Practice

What happened?

On August 18, 2025, the UK Gambling Commission opened a consultation on proposed amendments to the Licence Conditions and Codes of Practice (LCCP). The changes are required to align the LCCP with the new Digital Markets, Competition and Consumers (DMCC) Act 2024. The DMCC Act:

Updates and strengthens consumer rights and protections.
Improves access to alternative dispute resolution for consumer contract disputes.
Revoked and replaced the Consumer Protection from Unfair Trading Regulations (CPUTR) 2008.
Will revoke the Alternative Dispute Resolution for Consumer Disputes (ADRR) 2015, replacing it with new provisions.

As both CPUTR 2008 and ADRR 2015 are currently referenced in the LCCP, amendments are necessary to reflect the updated legislation. The consultation is limited to legislative alignment and will not extend obligations on licensees beyond the DMCC Act.

Who’s affected?

UK gambling licensees, who must comply with LCCP requirements
Alternative Dispute Resolution (ADR) providers, as references shift from the ADRR 2015 to new DMCC Act provisions.

Deadline:

Consultation closes on September 29, 2025. Contact details for responses: [email protected]

Finland 🇫🇮

Finland notifies EU of draft regulation on gambling licence applications

What happened?

On August 7, 2025, Finland notified the European Commission of its draft regulation on licence applications under the new Gambling Act (pending before parliament since March 20, 2025). The draft regulation sets out:

Licensing requirements for exclusive gambling licences, gambling licences, and gaming software licences.
Rules on submission of applications, including necessary statements and documents.
Applicable fees for processing applications.

Who’s affected?

Prospective gambling operators applying for licences in Finland.
Gaming software providers requiring a licence.
Regulators and compliance teams overseeing the new licensing framework.

Deadline:

Standstill period (under EU notification rules) ends on November 10, 2025. The regulation is expected to take effect on January 1, 2026 (subject to parliamentary approval).

Read more:

Asian käsittelytiedot HE 16/2025 vp

Crypto

South Korea 🇰🇷

South Korea proposes a draft law to regulate stablecoins

What happened?

A new South Korean draft law has been proposed to regulate value-stable digital assets (stablecoins), addressing gaps in the current legal system. The law draws on international precedents, including the US (GENIUS Act), EU (MiCA), Japan (Funds Settlement Act), and Hong Kong (Stablecoins Bill), and aims to:

Define value-stable digital assets and their scope of application.
Introduce an authorization system requiring issuers to obtain approval from the Financial Services Commission (FSC).
Establish issuer obligations (e.g., disclosure, safe management of reserve assets, prohibition of interest payments, repayment obligations).
Require issuers to prepare internal controls, manage conflicts of interest, ensure transaction safety, preserve and destroy records, and maintain insurance.
Grant the FSC broad supervisory and enforcement powers, including inspections, revocation orders, and handling of operational failures.
Create a Value-Stable Digital Asset Committee to guide systemic and policy issues.
Provide authority for the Bank of Korea and the Minister of Strategy and Finance to request data, inspections, or emergency action.
Impose penalties and fines for non-compliance.

Who’s affected?

Stablecoin issuers (must obtain FSC approval, comply with reserve and disclosure requirements, internal controls, and repayment obligations).
Virtual asset service providers (VASPs) that support stablecoin transactions (subject to FSC supervision).
Financial regulators (FSC, Bank of Korea, Ministry of Strategy and Finance, Financial Supervisory Service) with enhanced oversight powers.

Deadline:

The bill is currently under review in the Korean National Assembly. No fixed enforcement date is set yet, it will depend on parliamentary passage and subsequent promulgation.

Hong Kong 🇭🇰

SFC issues a circular to all licensed virtual asset trading platforms in Hong Kong

What happened?

On August 15, 2025, the Securities and Futures Commission (SFC) issued a circular to all licensed virtual asset trading platforms (VATPs) in Hong Kong. The circular sets expectations for robust custody of client virtual assets and supports the industry’s transition to advanced custody technologies under the “A-S-P-I-Re” roadmap.

Earlier in 2025, the SFC’s targeted review revealed inadequacies in some VATPs’ cybersecurity controls, while overseas custody failures underscored global risks such as compromised third-party wallet solutions, insufficient transaction verification, and inadequate access controls on approval devices.

In response, the circular outlines good practice examples and minimum standards for custody. These include clear senior management responsibilities, secure client cold wallet infrastructure and operations, appropriate use of third-party wallets, and real-time threat monitoring. Together, these standards form the core expectations for virtual asset custodians and will guide the development of an industry-wide custody framework.

Who’s affected?

Licensed virtual asset trading platforms (VATPs) in Hong Kong.
Virtual asset custodians, as the standards will guide future custody requirements.
Clients of VATPs, as well as senior management and IT teams within VATPs, responsible for implementing the controls.

Deadline:

The circular was issued on August 15, 2025. VATPs are expected to review and strengthen custody practices immediately, aligning with the SFC’s minimum standards. Ongoing compliance will be monitored as part of the ASPIRe roadmap and future regulatory inspections.

US 🇺🇸

FinCEN issues notice on the use of convertible virtual currency kiosks in scam payments and other illicit activity

What happened?

On August 4, 2025, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice urging financial institutions to remain vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks.

The Notice advises that CVC kiosks are convenient for consumers but increasingly exploited by illicit actors. According to FinCEN, their misuse includes fraud, cybercrime, and drug trafficking activity—areas already identified in the agency’s AML/CFT National Priorities. The notice highlights a rise in scams involving CVC kiosks, particularly tech and customer support scams, bank imposter schemes, and frauds that disproportionately target older adults. It also provides typologies and red flag indicators to help institutions identify suspicious activity, while reminding them of their reporting obligations under the Bank Secrecy Act (BSA).

Who’s affected?

Financial institutions subject to BSA requirements.
CVC kiosk operators, who must meet AML/CFT compliance obligations.
Regulators and law enforcement, tasked with oversight and enforcement against illicit CVC activity.

Deadline:

The Notice is effective immediately as of August 4, 2025. Financial institutions must already be monitoring, reporting, and complying with BSA requirements when dealing with CVC kiosk-related transactions.

EU 🇪🇺

EBA publishes final draft RTS on prudential treatment of crypto-asset exposures

What happened?

The European Banking Authority (EBA) published its final draft Regulatory Technical Standards (RTS), specifying the technical framework for institutions to calculate and aggregate crypto-asset exposures under the transitional prudential treatment in CRR 3 (Regulation (EU) 2024/1623).

The draft Regulatory Technical Standards (RTS) outline capital treatment for credit risk, counterparty credit risk (CCR), market risk, and credit valuation adjustment (CVA) risk. They apply to asset-referenced tokens (ARTs) tied to traditional assets, ARTs referencing crypto-assets, and unbacked crypto-assets such as Bitcoin. The draft also sets out rules for netting and aggregating long and short positions, hedge recognition criteria for crypto-assets, and formulas for calculating CCR and market risk exposure values. Overall, the RTS aim to align, as closely as possible, with the Basel standard and the EU’s Markets in Crypto-Assets Regulation (MiCA).

Following consultation, certain changes were made: prudent valuation requirements for fair value crypto exposures were removed, and clarifications were added on how to aggregate long and short positions when determining exposure limits. The draft RTS also include transitional provisions, offering a method for institutions to capitalise crypto-asset exposures until a permanent prudential framework is established.

Who’s affected?

Credit institutions and investment firms across the EU with exposures to crypto-assets.
Banks and financial institutions engaging in crypto-related activities (custody, issuance, trading, lending).
Supervisory authorities, ensuring harmonized application of prudential rules.

Deadline:

The RTS are based on CRR 3 transitional rules (Article 501d). They will apply once adopted by the European Commission and enter into force, pending final approval. These transitional measures remain in place until a permanent prudential framework is implemented for crypto-asset exposures.

Share this article

AML Crypto Digest EU Europe Global Intermediate KYC Trading