Compliance Digest—February 2026

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from crypto and AML to crypto.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML

🇪🇺 EU

1. AMLA Launches Consultation on Draft CDD Regulatory Technical Standards under the EU AMLR

What happened?

Last month, the Consultation on the draft RTS on Customer Due Diligence (CDD) was launched by the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). It is an open public consultation on draft Regulatory Technical Standards (RTS) under Article 28(1) of the EU Anti-Money Laundering Regulation (AMLR). The draft RTS set out detailed technical requirements for how obliged entities across the EU should conduct customer due diligence, including identifying what information and documentation should be collected, and how to apply verification and risk-based approaches. This builds on prior work by the European Banking Authority (EBA) and aims to ensure clarity, proportionality, and applicability across financial and non-financial sectors.

Who’s affected?

All stakeholders with an interest in the EU AML/CFT framework can contribute, including:

• Obliged entities (financial and non-financial sector)
• Supervisors
• Public authorities
• Self-regulatory bodies
• International organizations
• Civil society
• Academia
• Consumer representatives
• Investigative journalists. 

It is especially relevant for entities that must comply with CDD obligations, e.g., banks, payment service providers, crypto-asset service providers, legal professionals, and corporate service providers. 

Deadline:

May 8, 2026, 23:59 (CEST) is the deadline to submit responses to the consultation.

Read more:

Consultation on the draft RTS on Customer Due Diligence—AMLA (official page)

2. AMLA Consults on Draft RTS for Identifying Business Relationships and Linked Transactions

What happened?

Last month, AMLA also opened a public consultation on draft Regulatory Technical Standards (RTS) under Article 19(9) of the AMLR concerning criteria for identifying business relationships, occasional transactions, and linked transactions. The draft RTS sets out detailed rules to help obliged entities distinguish between an ongoing business relationship and a one-off transaction, and to detect transactions that may be artificially structured to avoid AML/CFT obligations.

Correct classification determines when customer due diligence must be applied and is therefore central to effective AML compliance across the EU. At this stage, AMLA has decided not to introduce additional lower monetary thresholds for occasional transactions.

Who’s affected?

All stakeholders interested in the EU anti-money laundering regime are invited to contribute. The criteria set out in the draft apply to all obliged entities across financial and non-financial sectors, including banks, payment providers, legal and accounting professionals, estate agents, crypto-asset platforms, and other regulated entities that need to decide when to apply CDD. 

Deadline:

May 8, 2026, 23:59 (CEST) is the deadline to submit feedback on these draft criteria as well. 

Read more:

Consultation on the draft RTS on criteria for identifying business relationships, occasional and linked transactions—AMLA (official page)

3. EU Updates Counter-Terrorism Sanctions: Expanded Listings, Travel Bans and Clearer Enforcement Rules

What happened?

On February 26, 2026, the Council of the European Union adopted Decision (CFSP) 2026/455 and Regulation (EU) 2026/456, strengthening the EU’s counter-terrorism sanctions regime.

The measures expand the criteria for listing persons and entities, allowing the EU to target not only perpetrators of terrorist acts but also leaders, financiers, recruiters, trainers, and other supporters. Listed individuals are now subject to an explicit travel ban, alongside existing asset freezes and prohibitions on providing funds or economic resources.

The Regulation amends Regulation 2580/2001 to update implementation procedures, clarify definitions (funds, economic resources, claims), and ensure uniform enforcement across all Member States. Existing listings remain unchanged at this stage. Key sanctions measures are:

• Asset freeze: all funds and assets of listed persons or entities must be frozen
• Prohibition on providing funds or resources: direct or indirect financial or economic support is banned
• Travel ban: listed individuals cannot enter or transit through the EU
• Expanded listing scope: now includes leadership and support roles, not only direct perpetrators

Financial institutions and other obliged entities must continue sanctions screening, freeze assets where required, and ensure no funds or services are made available to listed parties. The updated rules clarify obligations and harmonize enforcement across the EU sanctions framework.

Suggested read: Effective Sanctions Screening: Best Practices for Preventing Financial Crime

Who’s affected?

• Listed persons, groups, and entities: subject to asset freeze, travel bans, and prohibition on receiving funds.
• Financial institutions (banks, payment service providers, crypto asset service providers, insurers) and other obliged economic operators: must ensure compliance (screening, blocking/freeze actions, reporting).
• EU Member States’ competent authorities responsible for enforcing sanctions and notifying affected parties.
• Businesses and intermediaries: required to adjust risk-based sanctions compliance programs and transaction monitoring systems.
• Humanitarian actors may be affected by the sanctions scope, but often individual regimes provide humanitarian carve-outs (not repealed here). 

Deadline:

Both Decision 2026/455 and Regulation 2026/456 were published in the Official Journal on February 26, 2026, and entered into force immediately upon publication or as otherwise specified in their texts. Sanction measures are binding across all Member States from that point forward.

Read More:

• Council Decision (CFSP) 2026/455 of 26 February 2026 on restrictive measures to combat terrorism, repealing Articles 2, 3 and 3a of Common Position 2001/931/CFSP on the application of specific measures to combat terrorism and repealing Decision (CFSP) 2025/1577 and Decision (CFSP) 2026/421
• Council Regulation (EU) 2026/456 of 26 February 2026 amending Regulation (EC) No 2580/2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism and repealing Implementing Regulation (EU) 2025/1578 and Implementing Regulation (EU) 2026/420

Gambling

🇮🇪 Ireland Updates Guidance for B2C Gambling Licensees under the Gambling Regulation Act 2024

What happened?

On February 17, 2026, the Gambling Regulatory Authority of Ireland (GRAI) updated its Guidance on Relevant Obligations for Business-to-Consumer (B2C) licensees. The guidance provides practical instructions on applying conditions and obligations set out in the Gambling Regulation Act 2024 and associated regulations, supporting compliance with Ireland’s new gambling regulatory framework. The update reflects the phased implementation of statutory requirements under the 2024 Act.

Who’s affected?

• B2C gambling operators licensed in Ireland
• Compliance teams responsible for ensuring adherence to the Gambling Regulation Act 2024
• Any third-party service providers acting on behalf of B2C licensees in regulated activities

Deadline:

Immediate effect. B2C licensees are expected to review and align operations with the updated guidance to maintain ongoing compliance.

Read more:

Guidance on Relevant Obligations for Business to Consumer Licensees 17 February 2026

🇨🇼Curaçao Certifies ADR Providers for Player Dispute Resolution

What happened?

On February 9, 2026, the Curaçao Gaming Authority (CGA) officially certified the Curaçao Alternative Dispute Resolution Entity (CADRE) to handle disputes between players and licensed operators. The certification follows the National Ordinance on Games of Chance (LOK) 2024, which requires all licensed B2C operators to use approved ADR providers to ensure transparent and independent dispute resolution.

Two ADR providers are currently certified (CADRE and ADR Curaçao), with a third expected to launch. Complaints are handled at no cost to players, with operators covering the associated fees. CADRE has already received more than 100 complaints since the service launched. Key points:

• Only CGA-certified and publicly listed ADR providers may conduct dispute resolution
• Operators must describe the ADR process in their terms and conditions
• Operators may apply safeguards (e.g., mandatory ADR before legal action, binding decisions, or minimum claim thresholds).

The ADR framework is expected to process a high volume of complaints annually and aims to strengthen consumer protection and confidence in the Curaçao licensing regime.

Who’s affected?

• Licensed Curaçao B2C operators, who must engage only with CGA-certified ADRs.
• Players filing complaints against operators now entitled to free, independent dispute resolution.
• Certified ADR providers, responsible for managing and resolving disputes according to CGA guidelines.

Deadline:

Certification and compliance with the ADR mandate are already in effect. Operators must now engage certified ADRs for all player complaints.

Read more:

• CGA Player Complaints Policy (June 2025)
• Alternative Dispute Resolution (ADR) Role and Certification Version 1.0 8th September 2025
• CADRE official website

Crypto 

🇪🇺EU EBA Issues Opinion on Expiry of PSD2–MiCA No-Action Letter Transition

What happened?

On February 12, 2026, the European Banking Authority (EBA) published an Opinion addressing the end of the transition period under its June 10, 2025, No-Action Letter (NAL) on the interaction between the Revised Payment Services Directive (PSD2) and the Markets in Crypto-Assets Regulation (MiCA). The transition period expires on March 2, 2026.

The NAL had temporarily allowed certain crypto-asset service providers (CASPs) to provide payment services involving electronic money tokens (EMTs) without PSD2 authorization while their applications were being assessed.

In the new Opinion, the EBA instructs national competent authorities (NCAs) on:

• when such activities may continue after the transition ends,
• how to prioritize authorization assessments, and
• which supervisory measures to apply where firms fail to meet the conditions.

The EBA outlines three supervisory outcomes after the transition ends:

1. Authorized CASP (or partnered with an authorized PSP): May continue providing EMT-related payment services under that authorization.
2. Application submitted but pending: NCAs may temporarily allow services to continue if the application is complete, the firm cooperates, no serious compliance issues exist, and approval is likely soon. During this period, firms must stop marketing the service and avoid onboarding new clients.
3. No application or conditions unmet: CASPs should cease EMT payment services and off-board customers.

NCAs are expected to coordinate with MiCA supervisors, and the Opinion confirms that certain first-party EMT transfers may qualify as PSD2 payment transactions requiring authorization.

Who’s affected?

• Crypto-asset service providers (CASPs) that transact with electronic money tokens (EMTs), which qualify as payment services, and are in the process of seeking authorization under PSD2.
• National competent authorities (NCAs) under PSD2 and MiCA, which will apply the Opinion to supervise and enforce compliance.
• Broader financial market stakeholders interested in regulatory consistency between payments and crypto frameworks (e.g., PSPs, fintechs, legal/compliance teams).
  The Opinion is specifically addressed to NCAs, but its practical consequences affect CASPs operating in the EU. 

Deadline:

March 2, 2026: This is when the transition period under the No-Action Letter ends, and the Opinion’s guidance becomes applicable to supervisory actions. After this date, CASPs must either have obtained PSD2 authorization (or be properly partnered with an authorized PSP) or meet the Opinion’s conditions to continue EMT-related payment services. Otherwise, they must cease such services and off-board affected clients. 

Read more:

• Full EBA Opinion PDF: Opinion on the end of the NAL transition period (EBA/OP/2026/01)
• EBA Press Release: The EBA advises national authorities on actions to take at the end of the transition period under its No‑Action Letter

Suggested read: MiCA Regulation and EU Crypto Rules: What Changes in 2026

🇬🇧UK Adopts FSMA Cryptoasset Regime: FCA Authorization Required from October 2027

What happened?

The UK is introducing a full Financial Services and Markets Act (FSMA) regulatory framework for cryptoassets, moving the sector beyond AML registration into comprehensive financial regulation.

Under the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2025, firms carrying out specified cryptoasset activities will require FCA authorization from October 2027. Newly regulated activities include stablecoin issuance, custody, operation of trading platforms, dealing, arranging transactions, and staking services.

As a result, FCA AML registration alone will no longer be sufficient to operate in the UK crypto market.

Who’s affected?

• Cryptoasset exchanges, custodians, trading platforms, brokers, and staking providers operating in or into the UK
• Stablecoin issuers
• Firms currently registered under the UK AML regime (must apply for FSMA authorization separately)
• Senior managers subject to FCA fit-and-proper standards

Deadline:

• September 30, 2026: Authorization window opens
• February 28, 2027: Application window closes
• October 25, 2027: Regime becomes fully effective; firms must be authorized or cease regulated activities

Read more:

A new regime for cryptoasset regulation

Suggested read: Crypto Regulation in 2026: What Changed and What’s Ahead

🇺🇸US OCC Proposes Rules to Implement the GENIUS Act Stablecoin Framework (Bulletin 2026-3)

What happened?

The Office of the Comptroller of the Currency (OCC) issued Bulletin 2026-3, a notice of proposed rule-making to implement the Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act.

The proposal would establish the OCC’s regulatory framework for payment stablecoins and related activities conducted by OCC-supervised institutions. It outlines supervisory expectations, operational requirements, and amendments to existing banking regulations needed to align with the new federal stablecoin law.

Key elements of the proposal:

• Scope and new regulatory framework: Establishes a new 12 CFR Part 15 governing permitted stablecoin activities, including issuance, reserve management, redemption, custody, risk management, and reporting obligations.
• Revisions to existing banking rules: Amends capital requirements (12 CFR 3), prompt corrective action (12 CFR 6), assessment fees (12 CFR 8), and procedural rules (12 CFR 19) to integrate stablecoin oversight into the broader prudential framework.
• Supervision and enforcement: Sets out how the OCC will examine, supervise, and enforce compliance for stablecoin issuers and related custody activities.
• Treasury coordination: Bank Secrecy Act/AML and OFAC-related provisions will be addressed in a separate rule-making coordinated with the US Department of the Treasury.

Who’s affected?

• National banks, Federal savings associations, and their subsidiaries
• Federal branches of foreign banks and their subsidiaries
• Federal qualified payment stablecoin issuers and State qualified payment stablecoin issuers subject to OCC authority
• Foreign payment stablecoin issuers that fall under OCC jurisdiction
• Other parties interested in stablecoin issuance, custody, risk management, and supervision within the US banking system.

Deadline:

The notice seeks public comment on the proposed rules. A specific comment deadline will be detailed in the Federal Register notice associated with the proposal. (Not explicitly stated in the bulletin itself, but typical OCC practice is to set a 60-90 day comment period after publication in the Federal Register.)

Read more:

GENIUS Act Regulations: Notice of Proposed Rulemaking

🇦🇪UAE Central Bank Issues FAQs on Federal Decree-Law No. 6 of 2025 Financial Services Framework

What happened?

The Central Bank of the United Arab Emirates published FAQs clarifying the application of Federal Decree-Law No. (6) of 2025, which governs the Central Bank, financial institutions, financial activities, and insurance business in the UAE.

The FAQs provide official guidance on licensing, supervisory scope, and enforcement, helping market participants understand how the new framework applies in practice.

Key clarifications are:

Broader definition of licensed financial institutions: Licensed financial institutions include banks, insurance and reinsurance companies, and any entity authorized by the Central Bank to conduct regulated financial activities.

Scope of regulated activities: Covered activities include deposit-taking, lending and funding, payment services (including virtual-asset payments), money transfers, stored value or digital money, insurance and reinsurance, and arranging or marketing regulated services.

Technology-neutral regulation: The law applies regardless of the technology used (e.g., blockchain or decentralized systems). Providing technology alone does not trigger regulation unless the provider performs a regulated financial activity.

Financial free zones: The law generally does not apply to entities supervised by financial free-zone regulators, except in specific coordinated situations предусмотрed in the law.

Transition period: Firms have one year from the effective date (mid-September 2025) to comply, subject to possible extension by the Central Bank Board.

Continuity of existing rules: Existing regulations, standards, and circulars remain in force until replaced.

Who’s affected?

• Licensed Financial Institutions (LFIs): banks, insurance and reinsurance companies, and any institution the Central Bank licenses for financial activities.
• Branches/Subsidiaries of foreign financial institutions operating in the UAE. 
• Entities engaged in regulated financial activities, including deposits, credit, money transfer, payment services using virtual assets, stored value services, and more, regardless of the technology used. 
• Financial institutions using emerging technologies (e.g., blockchain/DeFi) where the underlying activity is licensed. 
• Individuals and institutions needing compliance adjustments under the new law.

Deadline: 

1-year ‘reconciliation period’ from September 16, 2025, ending September 16, 2026 (unless extended). 

Read more: 

Federal Decree Law #6

🇦🇺 AUSTRAC Publishes Crypto Sector Suspicious Activity Indicators for AML/CTF Compliance

What happened?

AUSTRAC has issued detailed suspicious activity indicators for the digital currency (cryptocurrency) sector to support anti‑money laundering and counter‑terrorism financing (AML/CTF) compliance. These indicators are part of a broader suite of sector‑specific guidance designed to help reporting entities recognize and respond to potential criminal misuse of cryptocurrencies, including money laundering, terrorism financing, proliferation financing, scams, and cybercrime. The guidance helps entities tailor their monitoring systems to identify red flags and report suspicious matters where necessary. 

Key indicators of suspicious activity:

Customer identity & behavior: False or unverifiable identification details, refusal to provide KYC information, behavior inconsistent with the customer profile, or multiple accounts linked to the same contact details.

Crypto ATM misuse: Use at unusual hours or without understanding the transaction, repeated small transactions below thresholds, transfers to third-party wallets, or rapid high-value transfers inconsistent with the customer’s profile.

Money laundering indicators: Rapid fiat-crypto or crypto-to-crypto conversions without economic purpose, structuring transactions to avoid detection, “U-turn” transactions, or activity involving high-risk platforms such as mixers or offshore brokers.

Cybercrime indicators: Transactions linked to darknet markets, ransomware, hacking activity, or patterns suggesting fraud or mule accounts.

Serious crime patterns: Activity associated with scams or illicit gambling, large unexplained transfers, or transactions involving high-risk jurisdictions.

Terrorism and proliferation financing: Transfers involving sanctioned or high-risk jurisdictions without business rationale, rapid pass-through deposits to private wallets, or addresses linked to proliferation risks.

Businesses must:

• Integrate relevant indicators into transaction monitoring systems and AML programs
• Conduct enhanced due diligence where indicators are observed
• File a Suspicious Matter Report (SMR) to AUSTRAC within required timeframes when there are reasonable grounds for suspicion (e.g., 24 hours for terrorism‑linked activity; 3 business days for other matters)
• Continuously update risk assessments and compliance controls based on emerging indicators. 

Who’s affected?

• Digital currency exchange providers and virtual asset service providers (VASPs) operating in Australia
• Cryptocurrency ATM operators and providers
• Reporting entities under the AML/CTF regime that handle crypto transactions (including rapid conversions, blockchain transactions, crypto‑fiat exchanges, and peer‑to‑peer transfers)
• Compliance teams responsible for transaction monitoring, risk assessment, and suspicious matter reporting (SMRs) to AUSTRAC. 

Deadline:

There is no fixed deadline. These indicators provide ongoing guidance for integrating into continuous AML/CTF compliance programs. Reporting entities should incorporate them into monitoring and suspicious matter reporting practices immediately and review them regularly as part of risk assessment processes.

Read more: 

AUSTRAC: Indicators of suspicious activity for the digital currency (cryptocurrency) sector

🇧🇷Brazil Establishes Virtual Asset Regulatory Framework: Central Bank Resolutions 519–521 Now in Force

What happened?

The Central Bank of Brazil has implemented a comprehensive regulatory framework for virtual asset services through Resolutions BCB Nos. 519, 520, and 521/2025, effective February 2, 2026.

The framework introduces authorization, governance, prudential, and compliance requirements for virtual asset service providers (VASPs), aligning Brazil’s supervision of the sector with international regulatory standards.

Key requirements

Resolution BCB No. 519/2025—Authorization and governance:

• Applies to foreign exchange brokers, securities brokers, securities distributors, and VASPs
• Requires adequate financial capacity, governance arrangements, capital/net worth, and technological capability

Resolution BCB No. 520/2025—Core VASP obligations:

• Establishes operational and prudential standards for VASPs
• Mandates client asset segregation, proof of reserves, independent audits, and risk management policies
• Requires cybersecurity, internal controls, and compliance frameworks
• Existing providers must apply for authorization between February 2 and October 29, 2026

Resolution BCB No. 521/2025—Cross-border and reporting rules:

• Integrates virtual asset transactions into foreign exchange and capital-flow reporting regimes
• Applies cross-border monitoring requirements similar to traditional FX operations

Who’s affected?

• Virtual Asset Service Providers (VASPs), including crypto exchanges, custodians, and intermediaries operating in Brazil.
• Foreign exchange brokers, securities brokers, and distributors now expressly regulated if involved in virtual asset activities.
• Foreign and domestic entities offering virtual asset services that must obtain authorisation from the central bank.
• Traditional financial institutions (banks and brokers) that serve as service providers in virtual asset operations and must meet the same standards. 

Deadline:

• February 2, 2026: Framework came into force.
• February 2 – October 29, 2026: VASPs and related entities must apply for authorisation under the new regime.

Read more:

• Resolução BCB n° 520 de 10/11/2025
• Resolução BCB n° 519 de 10/11/2025
• Resolução BCB n° 521 de 10/11/2025