• Jul 01, 2026
  • 14 min read

Compliance Digest—June 2026

Learn about all the latest compliance updates from the past month.

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from AML to gambling.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML

Turkey🇹🇷 Expands Remote Customer Identification for Foreign Nationals

What happened?

Turkey amended the MASAK General Communiqué (Serial No. 19) to introduce a framework allowing remote identity verification of non-Turkish individuals using NFC-enabled passports that comply with ICAO 9303 standards. The regulation establishes detailed onboarding requirements, including video verification by trained personnel, NFC passport validation, address verification, risk-based technical checks, and enhanced monitoring. It also adds crypto-asset service providers to the list of obliged entities under certain remote identification provisions. The communiqué entered into force upon publication on June 27, 2026.

Who's affected?

  • Financial institutions and other MASAK-obliged entities conducting remote customer onboarding
  • Crypto-asset service providers (newly included in the relevant provision)
  • Foreign individuals opening accounts or establishing business relationships remotely using passports
  • Companies onboarding foreign representatives through remote identification procedures

Deadline

  • Effective date: June 27, 2026 (effective immediately upon publication).
  • Institutions adopting this onboarding method must notify MASAK within one month after commencing customer acceptance under the new framework and establish the required internal procedures and risk controls. 

Business effect

The regulation allows financial institutions to onboard foreign customers digitally without requiring their physical presence, which potentially improves customer acquisition and expands access to international markets. At the same time, it introduces a range of new compliance obligations. These include NFC-based passport verification, video-based identity verification conducted by trained personnel, verification of the customer's address within three months of onboarding, and the collection and assessment of technical data such as device and IP information. Since customers onboarded under this framework are automatically classified as high risk, institutions must also implement enhanced ongoing monitoring.

To comply with the new requirements, financial institutions will need to update their AML/KYC policies, operational procedures, and digital onboarding systems. Crypto-asset service providers should likewise review their remote onboarding processes to determine whether changes are necessary following their inclusion in the communiqué.

Read more:

Communiqué on Amendments to the General Communiqué of the Financial Crimes Investigation Board (Serial No. 19) (Serial No. 32)

EU’s🇪🇺 AMLA Launches Consultation on Guidelines for Ongoing Monitoring of Business Relationships

What happened?

The Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) has launched a public consultation on draft Guidelines for the ongoing monitoring of business relationships under Article 26(5) of the Anti-Money Laundering Regulation (AMLR). The draft Guidelines aim to harmonize ongoing customer due diligence across obliged entities. They establish practical expectations for maintaining up-to-date customer information through periodic and event-driven reviews and for implementing transaction and activity monitoring frameworks that detect unusual or suspicious activity using risk-based, proportionate controls across both financial and non-financial sectors.

Who's affected?

  • All AMLR-obliged entities, including financial institutions and designated non-financial businesses and professions (DNFBPs)
  • Newly covered sectors under the AMLR, including certain crypto-asset service providers, crowdfunding service providers, investment migration operators, football clubs and agents, credit intermediaries, non-financial mixed-activity holding companies, and high-value goods traders
  • Industry associations, supervisors, and other stakeholders wishing to provide feedback during the consultation

Deadline

  • Public hearing: July 2, 2026 (10:00–12:00 CEST)
  • Consultation closes: September 3, 2026

AMLA expects to issue the final Guidelines in Q4 2026 following consideration of stakeholder feedback. 

Business effect

Firms should review the draft Guidelines to assess whether existing ongoing monitoring, customer review cycles, and transaction monitoring frameworks align with AMLA's expectations. The Guidelines reinforce a risk-based and proportionate approach, with greater emphasis on event-driven customer reviews, maintaining up-to-date customer information, and ensuring monitoring frameworks are appropriately designed, tested, and governed. Organizations may wish to submit consultation feedback where operational challenges or sector-specific considerations warrant clarification before the Guidelines are finalized. 

Read more:

AMLA Consultation – Draft Guidelines on Ongoing Monitoring of Business Relationships

UK🇬🇧 Updates High-Risk Third Countries List and EDD Requirements Following FATF Changes

What happened?

HM Treasury updated its Money Laundering Advisory Notice following the June 2026 plenary of the Financial Action Task Force (FATF). The update reflects changes to the FATF's lists of High-Risk Jurisdictions subject to a Call for Action and Jurisdictions under Increased Monitoring, which determine the UK's High-Risk Third Countries (HRTCs) for AML purposes. The notice also confirms that amendments to the UK Money Laundering Regulations take effect on June 30, 2026, changing the date on which Enhanced Due Diligence (EDD) becomes mandatory.

Suggested read: Enhanced Due Diligence (EDD): When It Is Required and How It Works

Who's affected?

  • UK-regulated businesses subject to the Money Laundering Regulations (e.g., financial institutions, payment firms, cryptoasset businesses, legal and accounting firms, estate agents, and trust and company service providers).
  • Businesses with customers, counterparties, branches or subsidiaries in jurisdictions listed by FATF as high-risk or under increased monitoring.

Deadline

June 30, 2026: The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 come into force. From this date, mandatory EDD under Regulation 33 applies only to jurisdictions on FATF's "High-Risk Jurisdictions subject to a Call for Action" (black list). Firms must still assess jurisdictions under increased monitoring as part of their risk-based AML framework. 

Business effect

Firms should review and update AML/CTF policies, customer risk assessments and screening processes to reflect the revised FATF lists. Mandatory EDD requirements become more targeted, although firms remain responsible for applying a risk-based approach to customers linked to jurisdictions under increased monitoring where higher ML/TF risks are identified. Existing customer relationships and group-wide AML controls may need reassessment to ensure continued compliance. 

Read more:

HM Treasury – Money Laundering Advisory Notice: June 2026

Australia🇦🇺 Expands its Anti-Money Laundering and Counter-Terrorism Financing Regime

What happened?

Australia's AUSTRAC is expanding its Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime from July 1, 2026. The reforms bring a range of previously unregulated professions into scope, including legal professionals, accountants, conveyancers, real estate professionals, and dealers in precious metals, stones, and products. AUSTRAC has published guidance and support materials to help newly regulated businesses prepare for compliance.

Who's affected?

  • Lawyers and legal professionals
  • Accountants
  • Conveyancers
  • Real estate professionals
  • Trust and company service providers
  • Dealers in precious metals, stones and products
  • Certain virtual asset service providers offering newly regulated services

Deadline

  • July 1, 2026: AML/CTF obligations commence for newly regulated businesses
  • July 29, 2026: Deadline for newly regulated businesses providing designated services to enroll with AUSTRAC (enrolment opened on March 31, 2026)

Business effect

Affected businesses must enroll with AUSTRAC, implement an AML/CTF program, appoint an AML/CTF compliance officer, conduct CDD, train staff on AML/CTF obligations, and establish processes to identify and report suspicious matters.

AUSTRAC has indicated it will take a pragmatic approach during implementation but expects businesses to make genuine efforts to comply from commencement. Enforcement will focus on businesses that deliberately fail to enroll or knowingly facilitate money laundering or terrorism financing.

Read more:

AUSTRAC – Newly Regulated Businesses: Get Ready for the Reforms

Crypto

US🇺🇸 Regulators Propose Customer Identification Program Requirements for Stablecoin Issuers

What happened?

The US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), together with the Federal Reserve, FDIC, OCC, and NCUA, has issued a proposed rule requiring permitted payment stablecoin issuers (PPSIs) to establish and maintain a Customer Identification Program (CIP) under the GENIUS Act. The proposal would align stablecoin issuers with existing Bank Secrecy Act (BSA) customer identification requirements applicable to banks and credit unions, requiring issuers to verify the identity of customers opening accounts, maintain identification records, screen customers against designated government lists, and implement risk-based CIP procedures. The proposal clarifies that CIP obligations generally apply to direct customer relationships (primary market activities) rather than secondary-market holders of stablecoins. 

Who's affected?

  • Permitted payment stablecoin issuers (PPSIs) regulated under the GENIUS Act
  • Financial institutions partnering with or providing services to PPSIs
  • Stablecoin issuers operating under federal or qualifying state regulatory frameworks
  • Technology and compliance providers supporting digital identity verification, AML/KYC, and customer onboarding

Deadline

  • Comments due: August 21, 2026 (60 days after publication in the Federal Register)
  • The agencies propose that any final rule would become effective 12 months after issuance, providing implementation time for affected firms

Business effect

Stablecoin issuers will need to implement formal, written risk-based Customer Identification Programs as part of their AML/CFT compliance frameworks. Firms must collect and verify customer identification information, retain records, provide customer notices, and conduct government list screening. The proposal allows limited reliance on another federally regulated financial institution to perform CIP procedures, provided specific contractual and oversight conditions are met; however, responsibility for compliance remains with the issuer. By limiting CIP obligations primarily to direct issuer-customer relationships, the proposal avoids imposing customer identification requirements on all secondary-market holders of stablecoins, reducing operational burden while maintaining AML safeguards.

Read more:

Federal Register – Permitted Payment Stablecoin Issuer Customer Identification Program (Proposed Rule)

UK’s🇬🇧 FCA Publishes Final Policy Statement on New Cryptoasset Regulatory Regime

What happened?

The Financial Conduct Authority (FCA) has published its Policy Statement on the UK cryptoasset regulatory regime, setting out the final rules for firms carrying out regulated cryptoasset activities under the new framework. The regime introduces a comprehensive prudential, conduct, governance and consumer protection framework for cryptoasset firms, applying the FCA's principle of "same risk, same regulatory outcome." The final rules cover crypto trading platforms, intermediaries, custodians, staking services and stablecoin issuers, with amendments made following industry consultation, including proportionate changes to capital and disclosure requirements.

Who's affected?

  • Cryptoasset trading platforms
  • Cryptoasset intermediaries (including brokers and lending/borrowing firms)
  • Cryptoasset custodians
  • Stablecoin issuers
  • Firms providing staking and certain other regulated cryptoasset services
  • Overseas firms providing regulated cryptoasset services into the UK where applicable

Deadline

  • Application window opens: September 30, 2026
  • Application window closes: February 28, 2027
  • New regime commences: October 25, 2027. Firms intending to continue regulated cryptoasset activities should prepare for FCA authorization before commencing such activities

Business effect

Crypto firms will need to obtain FCA authorization and comply with new prudential, governance, operational resilience, and consumer protection requirements. Stablecoin issuers will be subject to dedicated prudential requirements, including a 1% capital requirement (reduced from the originally proposed 2%), as well as reserve, redemption, and safeguarding obligations. Firms should review governance frameworks, capital planning, risk management, custody arrangements and compliance programs to ensure readiness for authorization and implementation. The FCA has also tailored certain requirements, such as capital treatment, disclosures and trading rules, to better reflect the operational characteristics of crypto markets and maintain consumer protection.

Read more:

FCA: Overview of our cryptoassets regime policy statements

Azerbaijan🇦🇿 Finalizes Draft Crypto Law to Introduce Licensing and an AML/KYC Framework

What happened?

The Central Bank of Azerbaijan (CBA) finalized a draft law on virtual assets and crypto markets and submitted it to the relevant state authorities for consideration. The proposed legislation would establish Azerbaijan's first comprehensive legal framework for crypto-assets, including a licensing regime for crypto service providers and regulatory requirements aligned with international standards. According to the CBA, the law is expected to be adopted by the end of 2026. 

Who's affected?

  • Crypto exchanges and other virtual asset service providers (VASPs) operating or seeking to operate in Azerbaijan
  • Financial institutions partnering with crypto businesses
  • Fintech companies offering crypto-related products or services
  • Individuals and businesses participating in the domestic crypto market

Deadline

  • The draft law is under governmental consideration
  • The CBA expects the legislation to be adopted by the end of 2026

Business effect

Crypto firms should prepare for a licensing and supervisory regime that is expected to include AML/CFT, KYC, customer due diligence, and ongoing compliance obligations consistent with FATF standards.

The legislation is expected to provide long-awaited regulatory certainty, facilitating the development of Azerbaijan's digital asset market while strengthening consumer protection and financial crime controls.

Firms planning to enter the Azerbaijani market should monitor the legislative process and assess future licensing and compliance requirements. 

Read more:

Azerbaijan Central Bank announcement (reported by AzerNews)

iGaming

Sumsub Releases iGaming Fraud Report 2026: AI-Driven Fraud Is Now Cheaper and More Sophisticated

What happened?

Sumsub has released its iGaming Fraud Report 2026, highlighting the growing sophistication of fraud in the iGaming sector. According to the Report, fraud rates increased from 1.10% in 2024 to 1.53% in Q1 2026—a nearly 40% rise over two years. The findings show that fraud is now largely driven by AI-generated identities, deepfakes, synthetic documents, and organized fraud networks. They also point to a shift in attack patterns, with fraudsters moving beyond player onboarding to target the deposit stage and other parts of the customer journey.

Who's affected?

  • Online gambling and betting operators
  • iGaming platforms and affiliates
  • AML, KYC, fraud, and compliance teams
  • Payment providers supporting iGaming
  • Risk professionals responsible for customer onboarding, transaction monitoring, and fraud prevention

Deadline: N/A

Business effect

iGaming operators should strengthen fraud prevention controls beyond customer onboarding, as fraudsters increasingly target the deposit stage and other points throughout the player lifecycle. Identity verification, transaction monitoring, behavioral analytics, and AI-powered fraud detection should work together to detect increasingly sophisticated threats, including deepfakes, synthetic identities, and forged documents. Firms should also regularly review and update their fraud detection strategies to address the growing use of AI-enabled fraud and evolving attack patterns.

Read more:

iGaming Fraud Report 2026

Curaçao’s🇨🇼 Gaming Authority Issues Crypto Policy Guideline for Online Gaming Operators

What happened?

The Curaçao Gaming Authority (CGA) has published a Crypto Policy Guideline for Online Gaming Operators, setting out minimum expectations for B2C licensees that accept, hold, or pay out crypto-assets. The guidance introduces governance, AML/CFT, wallet management, blockchain analytics, transaction monitoring, FATF Travel Rule compliance, and incident reporting requirements. It also prohibits certain high-risk crypto activities, including transactions involving sanctioned wallets, crypto mixers, and operators acting as VASPs. 

Who's affected?

  • Curaçao-licensed B2C online gaming operators accepting crypto-assets
  • Group entities supporting licensed gaming operations
  • Crypto payment providers and VASPs used by licensed operators
  • Compliance, AML, risk, and operational teams responsible for crypto payment processes

Deadline

The guideline introduces a phased implementation:

  • Immediate effect: Prohibitions on sanctioned wallets, crypto mixers, prohibited crypto-assets, personal/UBO-linked wallets, and operators acting as exchanges, payment providers, or VASPs.
  • By September 2026 (within 3 months): Upload a compliant Crypto Policy to the CGA Portal, including an implementation roadmap.
  • By December 2026 (within 6 months): Complete crypto risk assessments, VASP due diligence, wallet ownership verification controls, transaction monitoring procedures, and staff training.
  • By June 2027 (within 12 months): Fully implement wallet segregation, blockchain analytics capabilities, reconciliation processes, withdrawal whitelisting (or equivalent controls), and audit-ready record-keeping. 

Business effect

Operators accepting crypto must significantly strengthen AML/CFT controls through blockchain analytics, wallet screening, transaction monitoring, and source-of-funds verification. Firms should update governance frameworks, crypto acceptance policies, wallet management procedures, and third-party VASP due diligence processes. The guidance encourages the use of regulated fiat-backed stablecoins where appropriate and requires a risk-based approach to higher-risk assets such as privacy coins, meme coins, wrapped tokens, and unhosted wallets. Gaming operators will need to invest in staff training, technical controls, and documented compliance processes to meet the phased implementation requirements.

Read more:

Curaçao Gaming Authority – Crypto Policy Guideline for Online Gaming Operators (June 2026)

Prediction markets

US🇺🇸 CFTC Proposes Framework for Assessing Event Contracts Against Public Interest Standard

What happened?

The US Commodity Futures Trading Commission (CFTC) has issued a Notice of Proposed Rulemaking (NPRM) to amend CFTC Regulation 40.11 and introduce a new Appendix F establishing a structured framework for evaluating certain event contracts. The proposed framework clarifies how the CFTC will determine whether an event contract involves activities listed under the Commodity Exchange Act—such as terrorism, assassination, war, gaming, or unlawful conduct—and whether it is contrary to the public interest. It also defines key statutory terms, including "involve" and "gaming," and introduces a formal review process for affected contracts.

Suggested read: What Are Prediction Markets and How Do They Work in 2026?

Who's affected?

  • Designated Contract Markets (DCMs) listing event or prediction contracts
  • Operators of prediction markets and event contract platforms
  • Market participants trading event contracts
  • Legal and compliance teams responsible for contract listings and regulatory submissions

Deadline

  • The public comment period for the NPRM will close on July 27, 2026
  • The proposed framework would be implemented following completion of the rulemaking process and publication of a final rule

Business effect

Operators listing event contracts should review whether existing or proposed contracts could fall within the statutory categories subject to heightened CFTC scrutiny. The proposal introduces a more transparent and predictable review process, including a 90-day review period and public interest assessment criteria. Firms involved in prediction markets may wish to participate in the consultation to help shape the CFTC's interpretation and application of concepts such as gaming and the public interest, which could materially affect future product offerings.

Read more:

CFTC Seeks Public Comment on Notice of Proposed Rulemaking Concerning Event Contracts Involving Enumerated Activities