Digest—January 2026

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from crypto and AML to gaming.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML 

🇹🇷 Turkey Introduces Tiered Cash Declarations and Enhanced Transfer Purpose Requirements 

What happened?

MASAK (Turkey’s financial crimes Investigation Board) issued General Communiqué (Serial No. 30) introducing a tiered declaration and documentation system for cash transactions, alongside stricter purpose-of-transaction selection rules for electronic transfers (EFT, wire transfers, remittances). The Communiqué establishes graduated obligations based on transaction size:

Cash transactions (tiered system)

Up to TRY 200,000: No declaration obligation.

TRY 200,001—TRY 2,000,000

• Customer must select the nature/purpose of transaction.
• If a generic option (e.g., “other” / “individual payment”) is chosen → minimum 20-character explanation required.

TRY 2,000,001—TRY 20,000,000

• Cash Transaction Declaration Form must be completed.
• Generic selections still require a minimum 20-character explanation.

Above TRY 20,000,000: Cash Transaction Declaration Form + supporting documents (e.g., invoice, contract) are required.

Electronic transfers (EFT / wires / remittances)

• Banks and PSPs must require customers to select a transaction purpose category.
• Generic categories require a meaningful free-text explanation.
• Focus is on transparency and traceability, not automatic documentary proof for all transfers.

Who’s affected?

• Banks
• Payment institutions & electronic money institutions
• Individuals and corporate customers conducting high-value cash transactions
• Other obliged parties under Turkish AML law when processing covered transactions

This applies across the financial sector, where cash handling and electronic transfers are offered.

Business effect:

Financial Institutions must implement:

• Purpose-of-transaction selection systems
• Tiered cash declaration workflows
• Cash Transaction Declaration Form handling
• Collection and retention of supporting documents for > TRY 20m

Financial institutions must also be able to refuse transactions if the required information is not provided. Systems, policies, and front-end banking flows must be updated before 2026.

For customers, more detailed explanations are required for:

• Large cash deposits/withdrawals
• Transfers using generic categories
• Very large cash transactions require formal documentation.

❗Failure to comply may trigger administrative sanctions under Law No. 5549.

Deadline: 

January 1, 2026, entry into force of the tiered cash declaration and enhanced transfer purpose requirements.

Read more: 

New Draft Communiqué from MASAK: Gradual Declaration Period for Financial Transactions

🇪🇺 EU Completes Transfer of AML/CFT Powers from EBA to AMLA

What happened?

On January 1, 2026, the European Banking Authority (EBA) and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) completed the full handover of all EU-level AML/CFT mandates and functions from the EBA to AMLA.

This marks the formal end of the EBA’s stand-alone AML/CFT role (which began in 2020) and operationalizes AMLA as the central EU authority for anti-money laundering and counter-terrorist financing supervision.

The handover is part of the EU’s new AML/CFT legislative package, which established:

• AMLA Regulation (EU) 2024/1620
• Single Rulebook Regulation (EU) 2024/1624
• Sixth AML Directive (EU) 2024/1640 (AMLD6)

AMLA is now responsible for EU-level AML/CFT rulemaking, supervisory convergence, and coordination across Member States.

Who’s affected?

All EU financial institutions, including:

• Banks
• Payment institutions
• Electronic money institutions
• Investment firms
• Crypto-asset service providers (CASPs)

Non-financial obliged entities, including:

• Lawyers and notaries
• Accountants and auditors
• Trust and company service providers
• Real estate agents
• High-value goods dealers

National AML supervisors and FIUs: Cross-border financial groups subject to EU supervision.

Business effect:

Centralized EU AML supervision. With the creation of AMLA, the EU is moving toward a more centralized and consistent approach to AML/CFT supervision. AMLA’s current role includes:

• Completing and enforcing the EU Single Rulebook
• Developing binding Regulatory Technical Standards (RTS) and supervisory guidelines
• Coordinating supervisory practices across EU Member States
• Enhancing cooperation and information sharing between Financial Intelligence Units (FIUs)

Direct supervision of high-risk institutions. From 2028, AMLA will:

• Directly supervise up to 40 of the most complex and highest-risk financial institutions and groups in the EU
• Apply harmonized supervisory methodologies across jurisdictions

Regulatory continuity during the transition. To avoid disruption:

• All existing EBA AML/CFT guidelines and standards remain in force
• These will continue to apply until AMLA formally replaces them
• This ensures there is no regulatory gap for firms during the transition period

💡 The European Banking Authority (EBA) will continue to address money laundering and terrorist financing risks through prudential supervision. AML risk considerations will remain embedded in authorization processes, fit-and-proper assessments, governance frameworks, and ongoing supervision.

Deadline:

• January 1, 2026: Full transfer of AML/CFT mandates to AMLA completed
• 2026–2027: AMLA finalizes Single Rulebook and RTS
• From 2028: AMLA direct supervision of selected high-risk institutions begins

Read more:

• AMLA (official)—EBA and AMLA complete handover of AML/CFT mandates
• EBA—AML/CFT transition overview

Crypto

🇦🇪 UAE Regulators Tighten Qualified Investor Rules and Strengthen AML and Sanctions Oversight

What happened?

On January 8, 2026, Dubai’s Virtual Assets Regulatory Authority (VARA) issued a Circular titled “Onboarding and Classification of Qualified Investors”. The Circular significantly tightens and formalizes how qualified investors must be classified by VARA-licensed Virtual Asset Service Providers (VASPs), shifting from principles-based guidance to a documentary, supervisory standard.

Financial eligibility thresholds are now clearly defined. For individuals, qualified investor status requires net assets of at least AED 3.5 million, excluding the primary residence, and/or an annual income of AED 700,000 or more. For legal entities, net assets must also meet the AED 3.5 million threshold, and governing persons are expected to demonstrate sufficient financial knowledge. Self-certification alone is no longer acceptable; documentary evidence is mandatory in all cases.

The Circular also strengthens onboarding and eligibility verification requirements. VASPs must obtain and verify:

• Income and net-asset documentation
• Explicit client election and informed consent
• Source of Wealth, and Source of Funds where applicable
• Compliance with threshold and liquidity criteria

In addition, firms must conduct a mandatory suitability and risk assessment. This includes evaluating:

• The client’s virtual asset knowledge and experience
• Investment objectives
• Ability to bear potential losses

Clients assessed as unsuitable must remain classified as retail investors, be subject to a one-week cooling-off period, and undergo a substantively different reassessment before any upgrade can be considered.

Lifecycle monitoring obligations are also reinforced. Re-reviews must be triggered by events such as high-risk product requests, updated client disclosures, or increased trading activity. Any upgrade in investor status requires prior disclosure, explicit client consent, and full re-confirmation of eligibility and suitability criteria.

Finally, the Circular introduces clear ongoing obligations, including periodic reassessments, a minimum eight-year record-retention requirement, and the maintenance of regulator-ready, auditable documentation.

Suggested read: Crypto Regulation in 2026: What Changed and What’s Ahead

🇦🇪 Dubai’s DFSA Strengthens Crypto Token Rules with Expanded AML and Sanctions Obligations

The Dubai Financial Services Authority (DFSA) implemented updates to its Crypto Token Regulatory Framework, effective January 2026, alongside strengthened expectations around AML/CFT and sanctions compliance. These changes apply to all DIFC-authorized firms, including those operating in the crypto sector.

A key focus of the updated framework is sanctions risk. The DFSA has clarified that firms must not limit their considerations to local requirements alone, but should also assess and take positive steps in relation to major unilateral sanctions regimes. This includes sanctions imposed by the European Union, the United Kingdom through the Office of Financial Sanctions Implementation (OFSI), and the United States via the Office of Foreign Assets Control (OFAC).

DFSA guidance confirms that, where required or appropriate, firms are expected to actively consider these international sanctions regimes and implement measures to ensure compliance. This reinforces the expectation that sanctions risk management forms an integral part of broader AML/CFT controls within the DIFC regulatory environment. This goes beyond narrow UN-only sanctions and creates enhanced screening and controls expectations.

Who’s affected?

• VARA-licensed VASPs in Dubai
• DFSA-authorized crypto firms in DIFC
• Crypto exchanges, brokers, custodians, and token issuers
• Compliance, onboarding, and suitability teams
• Clients seeking Qualified Investor status
• Firms serving users subject to EU/UK/US sanctions regimes

Business effect:

Implications for VASPs (Dubai, VARA)

For Virtual Asset Service Providers licensed by VARA, the updated requirements translate into concrete operational and compliance changes. Firms are expected to redesign their onboarding processes to:

• Collect robust documentary evidence of client wealth and income
• Conduct structured and defensible suitability assessments
• Implement cooling-off periods and clearly defined reassessment logic

At the same time, supervisory risk increases for firms with weak or incomplete documentation, as well as inadequate suitability and risk assessment controls.

As a result, there is growing demand for:

• Automated investor qualification and suitability assessment tools
• Reliable Source of Wealth verification solutions
• Audit-ready record-keeping capable of withstanding regulatory scrutiny

Implications for DIFC Firms (DFSA)

For firms authorized by the DFSA in the DIFC, the updated framework reinforces a broader and more proactive approach to sanctions compliance. Firms must:

• Integrate EU, UK, and US sanctions regimes into their screening and monitoring frameworks
• Take active steps to prevent the facilitation of prohibited or sanctioned activity

These expectations create a higher compliance burden for firms offering cross-border crypto services and services involving high-risk jurisdictions or higher-risk users.

Deadline:

• Federal Decree-Law No. 6 of 2025: In force
• VARA Qualified Investor Circular: Effective January 8, 2026
• DFSA Crypto Token & AML updates: Effective January 2026

Read more:

• VARA—Onboarding and Classification of Qualified Investors (Circular, January 8, 2026)
• DFSA—Crypto Token Regulatory Framework updates

🇮🇳 India Issues Comprehensive AML & CFT Guidelines for Virtual Digital Asset Service Providers

What happened?

On January 8, 2026, the Financial Intelligence Unit, India (FIU-IND) issued updated AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets (VDAs). These Guidelines significantly expand and operationalize AML/CFT obligations for Virtual Digital Asset Service Providers (VDASPs) under:

• Prevention of Money Laundering Act, 2002 (PMLA), and
• Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PMLR)

The Guidelines transform high-level AML obligations into detailed, technology-driven operational requirements, aligning VDASPs with standards applied to banks and financial institutions. This replaces and expands the earlier 2023 VDA AML guidance.

Who’s affected?

The Guidelines apply to all entities providing services related to VDAs, including:

• Crypto exchanges (centralized and decentralized, where applicable)
• Custodial wallet providers
• Broker-dealers in VDAs
• NFT marketplaces (where they facilitate transfers/exchange)
• Token issuers involved in VDA-related financial services
• Offshore VDA platforms serving Indian users
• Web3 intermediaries facilitating VDA transactions

All such entities are treated as “Reporting Entities” under PMLA and must register with FIU-IND.

Business effect:

A) Governance & accountability

VDASPs are required to establish clear governance structures and assign accountability at both board and operational levels. Firms must appoint:

• A Designated Director at the board level, with overall responsibility for AML/CFT compliance
• A Principal Officer, in a senior, full-time role, responsible for STR filing, liaison with the FIU, and day-to-day AML operations

In addition, board-approved AML/CFT/CPF policies are mandatory and must be actively overseen.

B) Enhanced KYC & CDD

Customer due diligence requirements are formalized and strengthened under a risk-based approach. Mandatory obligations include:

• Risk-based Customer Due Diligence (CDD)
• Ongoing customer monitoring
• Enhanced Due Diligence (EDD) for high-risk customers
• Verification of beneficial ownership
• Periodic KYC reviews and updates

C) Travel Rule for VDA transfers

VDASPs must comply with Travel Rule requirements for virtual digital asset transfers, ensuring the collection and transmission of originator and beneficiary information.

Required originator data includes:

• Full name
• PAN or other identity document
• Wallet or account address
• Physical address

Required beneficiary data includes:

• Identity details
• Wallet or account address

These requirements align India’s VDA framework with FATF Travel Rule standards for crypto assets.

D) Transaction monitoring & blockchain analytics

Firms are expected to move beyond manual controls and implement technology-driven monitoring solutions. Required capabilities include:

• Automated transaction monitoring systems
• Blockchain analytics to support wallet clustering, transaction tracing, and detection of illicit typologies
• Structured alert generation and investigation workflows

Manual-only monitoring is explicitly considered insufficient.

E) Reporting & record-keeping

Robust reporting and documentation obligations form a core part of compliance expectations. Mandatory requirements include:

• Filing of Suspicious Transaction Reports (STRs)
• Submission of periodic compliance and operational reports
• Retention of KYC and transaction records for a minimum of five years

Strict prohibitions on tipping-off apply throughout the reporting process.

Suggested read: Suspicious Transaction Reports (STRs) in 2025: The Latest Guidance for Regulated Businesses

F) Registration & supervisory walkthroughs

To operate legally, VDASPs must register with FIU-IND as Reporting Entities and demonstrate operational readiness. Firms must:

• Complete FIU-IND registration
• Undergo supervisory walkthroughs covering:
  • KYC systems
  • Sanctions screening
  • Transaction monitoring
  • Travel Rule compliance
  • STR filing processes

❗Failure to meet these requirements may result in rejection or cancellation of registration.

Deadline:

• January 8, 2026: Guidelines issued and effective
• Immediate applicability for new registrants and existing VDASPs (transition expected but enforcement active in 2026)

Read more:

FIU-IND — AML & CFT Guidelines for VDAs (PDF, January 8, 2026)

🇧🇷 Brazil Central Bank Mandates Independent Technical Certification for Virtual Asset Providers 

What happened?

On January 23, 2026, the Central Bank of Brazil (BCB) published Instrução Normativa BCB No. 701. Instruction No. 701 establishes the procedures, form of communication, and minimum technical requirements for institutions that intend to provide virtual asset services, specifically:

• Intermediation of virtual assets
• Custody of virtual assets

The Instruction operationalizes and supports BCB Resolution No. 520/2025, which introduced Brazil’s licensing and operating framework for Virtual Asset Service Providers (VASPs), known in Brazil as SPSAVs.

Under IN 701, institutions must submit a formal communication of interest to the BCB, accompanied by a technical certification prepared by an independent, qualified company.

❗Failure to follow the procedures renders the communication ineffective, and the institution is prohibited from offering virtual asset services in Brazil.

Who’s affected?

• Banks and financial institutions authorized by the BCB
• Broker-dealers and securities distributors
• Crypto exchanges and virtual asset platforms
• Virtual asset custodians
• Foreign firms seeking to serve Brazilian clients
• Any entity seeking to act as virtual asset intermediary, virtual asset custodian, or virtual asset broker (where applicable under Resolution 520).

Business effect:

A) Mandatory independent technical certification

Institutions must:

• Engage a qualified, independent company to prepare the certification
• Demonstrate that the certifier has appropriate technical qualifications, no conflicts of interest, and has no corporate or business relationships impairing independence.

The certifier must formally declare independence.

B) Communication & registration requirements

Applicants must:

• Maintain up-to-date registration data in the UNICAD database
• Submit the technical certification via the APS-SISCOM supervisory system

❗Failure to complete both steps makes the communication ineffective and prohibits the institution from providing virtual asset services.

C) Scope and depth of certification

The certification must provide a conclusive technical opinion covering multiple regulatory dimensions under Resolution 520, including:

• Segregation of client assets from firm assets
• Proof of reserves for client and proprietary virtual assets
• Governance and internal controls
• Risk management and cybersecurity
• Customer disclosures and transparency
• Custody and safeguarding arrangements
• Compliance with AML/CFT obligations

The certifier must explicitly assess whether the institution meets baseline regulatory requirements.

D) Supervisory follow-up & record retention

• The BCB may request additional clarifications or documents
• The certifying firm must retain working papers and supporting documents for at least five years
• This strengthens auditability and supervisory review

Deadline:

February 2, 2026: Instruction No. 701 enters into force. From this date:

• Independent certification becomes mandatory
• Communication without certification is invalid
• Institutions may not offer virtual asset intermediation or custody without compliance

Read more: 

Instrução Normativa BCB n° 701 de 22/1/2026

Gambling

🇨🇼 Curaçao Gaming Authority Updates Licensing Requirements Under the New LOK Regime

What happened?

The Curaçao Gaming Authority (CGA) confirmed changes following the entry into force of the new National Ordinance on Games of Chance (LOK) on December 24, 2024. As part of this transition:

• Existing NOOGH licenses are converted into provisional licenses under the new LOK regime.
• The old orange CGA seals and sub-license certificates are no longer valid.
• Operators must now use the new green CGA dynamic license seal linked to their official certificate.
• Any previously issued seals for sub-licensed operators must be removed immediately.

Who's affected?

• Online gaming operators licensed in or from Curaçao
• Operators previously holding NOOGH or sub-licenses
• Gaming suppliers and service providers
• Any websites displaying CGA license seals or certificates
• Compliance, legal, and AML/KYC teams supporting gaming operators

Business effect:

Operators are required to remove all old orange CGA seals and any related certificates and replace them with the new green CGA dynamic license seal. This seal must be correctly linked to the operator’s official licence certificate through the CGA regulatory portal, ensuring that the domain and licence information match accurately. 

❗Failure to comply with these requirements may result in regulatory breaches, misrepresentation of licensing status, increased regulatory scrutiny, and, in serious cases, suspension or enforcement action. To meet these obligations, operators’ website and technical teams must update existing seal integrations, whether implemented via iframe or direct image display.

Deadline:

Immediate. The CGA states that old seals are no longer valid. They must be removed immediately. Until a formal license is issued, no seal or certificate may be displayed

Read more:

CGA Publishes Updated Portal Documentation Suite. 20th January 2026

🇬🇧 UK Gambling Commission Bans Mixed-Product Promotions and Caps Bonus Wagering at 10x

What happened?

The UK Gambling Commission implemented changes to the Licence Conditions and Codes of Practice (LCCP), specifically Social Responsibility Code Provision 5.1.1 (Rewards and Bonuses). Two key new requirements came into force on January 19, 2026:

A) Mixed product promotion ban

Licensees are now prohibited from offering incentives that include more than one type of gambling product within a single promotion. Under SR Code 5.1.1(3b), an incentive must not include more than one of the following:

• Betting
• Casino
• Bingo
• Lottery

Examples now prohibited:

• “Bet £10 on sports to unlock casino free spins”
• “Place a bet to receive a bingo bonus.”

The Gambling Commission confirmed that mixed-product incentives are considered higher risk and more confusing for consumers.

B) Bonus wagering requirements capped at 10x

Licensees must now limit wagering (play-through) requirements to a maximum of 10 times the bonus amount before winnings become withdrawable.

This applies to:

• Welcome bonuses
• Reload bonuses
• Promotional free-funds offers

The main purpose of the change is to reduce complexity, improve transparency, and lower risk of gambling-related harm.

Who’s affected?

• All UK Gambling Commission-licensed operators, including remote betting operators, online casino operators, bingo operators, and lottery operators
• Affiliates and marketing partners
• Product, CRM, marketing, and compliance teams designing promotions

This applies to all licenses, except:

• Gaming machine technical licences
• Gambling software licenses

Business effect:

• Gambling operators must redesign all incentives to be single-product only, remove cross-product unlock mechanics, and cap wagering requirements at 10x.
• Marketing, CRM, and bonus engines must also be updated. Legacy promotions and templates must be withdrawn.
• Affiliates & marketing must remove or update landing pages advertising mixed-product offers, and adjust tracking and campaign structures.

❗Non-compliance may result in:

• Regulatory findings
• License reviews
• Financial penalties
• Enforcement action by the Gambling Commission.

Deadline:

January 19, 2026: Rules came into force and are now enforceable

Read more:

UK Gambling Commission — Upcoming LCCP changes

🇫🇮 Finland Enacts New Gambling Act, Introducing a License-Based System

What happened?

Finland has published Statute Book 10/2026 (Rahapelilaki), forming part of a new Gambling Act package formally approved by Parliament and signed by the President in January 2026. The legislation implements a structural reform of Finland’s gambling system, transitioning from a full state monopoly to a partially liberalized, license-based regime.

The new Gambling Act introduces several key structural changes. Most notably, it replaces Veikkaus’ exclusive control with a dual system that combines monopoly and competitive licensing. Exclusive licenses are retained for certain products, including lotteries, scratch cards, land-based casino operations, and physical slot machines. At the same time, competitive licenses are introduced for online casino games, online slots, sports betting, and online money bingo, allowing private operators to enter these segments under regulatory supervision.

In addition, the law establishes a formal licensing framework for private operators and provides for the creation of a new supervisory and licensing authority, which will assume responsibility for overseeing licensed gambling activities from 2027.

Statute Book 10/2026 forms part of a broader reform package adopted on December 16, 2025, and formally confirmed by the President on January 16, 2026, marking a significant shift in Finland’s approach to gambling regulation.

Who’s affected?

• Private gambling operators seeking to enter the Finnish market
• Online betting and casino operators
• Gambling software (B2B) providers
• Veikkaus Oy (state operator, monopoly reduced)
• Affiliates, marketing partners, and suppliers
• Payment service providers and AML/KYC vendors
• Compliance and regulatory teams

Business effect:

For gambling operators

Under the new framework, operators will be able to apply for Finnish gambling licences covering specific online gambling activities. Licenses may be issued for:

• Online casino
• Sports betting
• Online slots
• Online bingo

Licenses will be valid for up to five years and will be granted subject to strict suitability assessments, AML obligations, and responsible gambling controls.

Once licensed, operators must comply with key regulatory requirements, including:

• The Finnish AML Act
• Player identification and verification rules
• Participation in central self-exclusion systems
• Ongoing responsible gambling monitoring

For Veikkaus

Veikkaus will retain its monopoly only over certain products, namely:

• Lottery products
• Scratch cards
• Land-based casinos and physical slot machines

It will lose exclusivity over online betting and online casino operations under the reformed regime.

For software suppliers (B2B)

The reforms also introduce mandatory gambling software licensing for B2B providers. From 2028, B2C gambling operators will only be permitted to use software supplied by licensed B2B providers, further strengthening oversight and supply-chain accountability.

Deadline (key dates under the new law):

• January 16, 2026: New Gambling Act signed by the President
• March 1, 2026: Gambling license applications open
• July 1, 2027: Licensed operators may begin offering services
• From 2028: Mandatory use of licensed B2B software providers

During the transition Veikkaus retains monopoly until June 30, 2027.

Read more:

Finland Ministry of the Interior—Reform of the gambling system

Other 

🇹🇭 Thailand Proposes Mandatory User and Advertiser Identity Verification for Social Media Platforms

What happened?

On January 16, 2026, Thailand’s Electronic Transactions Committee (ETC) released a draft notification for public consultation, “Notification on Measures to Prevent Technological Crimes for Social Media Service Providers”. The draft was issued under the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes (as amended). The proposal would introduce mandatory identity verification obligations for all user accounts and all advertisers on social media platforms operating in Thailand.

The consultation is published via Thailand’s official legislative consultation portal (law.go.th) and is part of Thailand’s broader effort to combat online fraud, scams, impersonation, and technology-enabled crime. If finalized, the notification would become a binding regulatory obligation for in-scope platforms.

Who’s affected?

The draft applies to “social media service providers” operating in or targeting Thailand, including:

• Global and regional social media platforms
• Messaging and communication platforms
• Content-sharing platforms
• Community forums and similar user-generated content platforms

Indirectly affected are:

• Advertisers using social media platforms
• Ad networks and intermediaries
• Digital platforms with advertising functionality
• Vendors providing identity verification and digital ID services

The rules apply extraterritorially to platforms with Thai users, regardless of where the operator is incorporated.

Business effect:

A) Mandatory user identity verification

Platforms will be required to:

• Implement user identification and verification measures for every account
• Verify contact channels, such as telephone numbers (e.g., via OTP)
• Ensure each account can be linked to an identifiable natural person

This goes beyond current voluntary trust & safety practices and creates a formal regulatory obligation.

B) Mandatory advertiser KYC

Before publishing advertisements, platforms must:

• Verify advertiser identity using a government-issued ID or an eligible digital identity verification/authentication provider
  
• Collect and retain:
  • Name (individual or juristic person)
  • Government ID or corporate registration details
  • Contact information
    
• Where a third party pays for ads, platforms must also collect and retain payer identity data

C) Enhanced verification for high-risk ads

Stricter verification applies where ads involve:

• Finance, investment, or loans
• Sensitive personal data
• Content linked to technology crime risks
• Ads targeting vulnerable groups

In such cases, platforms may be required to verify documents directly with the issuing authorities and apply re-verification based on complaints, violations, or suspicious behavior.

D) New regulated KYC market outside financial services

This effectively creates a new regulated KYC perimeter for:

• Social media platforms
• Ad tech platforms
• Online marketplaces with ads

Many platforms will need to build or procure KYC infrastructure for the first time.

Deadline:

• The draft notification is currently under public consultation
• If adopted, it will take effect 180 days after publication in the Royal Gazette

Based on current timelines, this implies a likely late-2026 effective date, depending on when the final version is gazetted. Public comment period reported as open until early February 2026.

Read more:

Tilleke & Gibbins—Thailand seeks feedback on requiring social media platforms to verify users and advertisers

🇦🇪 UAE Introduces Comprehensive Child Digital Safety Law Effective 2026

What happened?

The United Arab Emirates enacted Federal Decree-Law No. 26 of 2025 on Child Digital Safety, establishing a comprehensive legal framework aimed at protecting children in the digital environment. The law came into force on January 1, 2026, and consists of 20 articles that set out binding obligations for digital platforms, internet service providers, and caregivers.

Under the new regime, regulated entities are required to implement enhanced content moderation, age verification, and child protection standards. The law also establishes a dedicated Child Digital Safety Council to oversee implementation, coordination, and policy development in this area. Overall, the legislation forms part of the UAE’s broader regulatory push to strengthen online safety, privacy, and digital governance in response to the growing risks faced by children online.

Who’s affected?

A) Digital platforms & ISPs (including extraterritorial reach)

Any platforms operating in the UAE or directed at UAE users, including:

• Websites and search engines
• Mobile applications & messaging platforms
• Online gaming platforms
• Social media platforms
• Live streaming & podcast platforms
• Streaming / video-on-demand services
• E-commerce platforms
• Licensed Internet Service Providers (e.g., du, Etisalat/e&)

B) Children’s caregivers

Parents, guardians, and others responsible for children, who have defined duties regarding monitoring children’s digital activity, using parental control tools, reporting harmful content, and avoiding harmful “sharenting” or online exploitation.

A “child” is defined as any person under 18 years old.

Business effect:

Platforms are required to implement enhanced child protection measures, supported by robust governance and oversight arrangements. These obligations apply across platform design, content management, and data handling.

Core platform obligations include privacy-by-default settings for children’s accounts, age-verification mechanisms proportionate to the platform’s risk profile, and age-rating systems supported by tools that effectively enforce age restrictions. Platforms must also deploy blocking and filtering controls to limit excessive use and restrict access to inappropriate content.

To support caregivers, platforms must provide parental control tools, including:

• Usage-time limits and mandatory breaks
• Easy and accessible reporting channels for harmful content

Platforms are also expected to take a proactive approach to content risks, which includes the detection, removal, and reporting of:

• Harmful content
• Child sexual exploitation material (CSEM)

Children’s access to certain high-risk services is explicitly prohibited. In particular, platforms must prevent access to online games involving gambling or betting through effective age-gating and blocking measures.

From a governance and oversight perspective, the framework establishes a Child Digital Safety Council and introduces a risk-based platform classification system. Depending on the level of risk and non-compliance, enforcement measures may include:

• Platform blocking
• Service closure
• Administrative penalties, to be set out in future Cabinet decisions

Finally, the law imposes strict data protection and privacy requirements. These include limits on the processing of children’s personal data—especially for users under the age of 13—mandatory parental consent mechanisms, and clear restrictions on targeted advertising to children.

Deadline:

In force from January 1, 2026. Compliance grace period:

• Up to 1 year to implement operational changes
• Full compliance expected by January 2027, unless extended by Cabinet decision

Read more:

UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety

🇹🇷 Turkey's MASAK Introduces Mandatory Verification Transfers for Customer Onboarding

What happened?

MASAK issued Communiqué No. 31, amending General Communiqué No. 5, published in the Official Gazette on January 7, 2026 (No. 33130).

The amendment introduces a new identity-verification mechanism during customer onboarding, requiring a verification fund transfer before customer acceptance and service provision in certain sectors. Key change: ➡️ For specified obliged parties, customer onboarding cannot be completed unless a fund transfer is made from an account matching the customer’s identity to a designated verification account.

This is designed to strengthen customer identity assurance and prevent impersonation, mule accounts, and misuse of third-party payment instruments.

Who’s affected?

A) Gambling and betting operators, including

• Licensed gaming and betting companies
• Operators accepting customers remotely

B) Electronic commerce intermediary service providers

• Online marketplaces
• Intermediary platforms facilitating payments between buyers and sellers

These sectors were singled out due to higher fraud and impersonation risks in remote onboarding environments.

Other obliged parties are not automatically subject to this specific verification-transfer mechanism unless separately designated.

Business effect:

Before a customer can be accepted or any services are provided, a verification transfer must be completed. This involves a fund transfer made from a bank account or credit card that matches the customer’s identity information to a verification account established by the obliged party.

From an operational standpoint, onboarding must remain blocked until the verification transfer has been successfully completed. Systems are expected to:

• Match the payer’s identity with the onboarding identity data
• Log and retain evidence of the verification transfer

This requirement is designed to prevent:

• Use of third-party payment accounts
• Onboarding using fake or stolen identities
• Mismatches between customers and their payment instruments

❗Failure to apply this mechanism can lead to:

• Administrative fines under Law No. 5549
• Findings in MASAK inspections
• Potential suspension of simplified onboarding procedures

Deadline:

The verification-account transfer requirement will become mandatory on February 1, 2026 for gambling and betting operators as well as electronic commerce intermediary service providers. While other amendments introduced under Communiqué No. 31 took effect upon publication, this specific obligation was explicitly deferred, giving affected entities additional time to prepare for implementation.

Read more:

Turkish Law Blog—Amendment to MASAK General Communiqué No. 5 (No. 31)