Compliance Digest—March 2026

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from AML to crypto.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML

UK🇬🇧 Proposes Targeted AML Reforms and Cryptoasset Alignment under Draft 2026 Regulations

What happened?

On March 26, 2026, the UK Government published a draft statutory instrument, together with an explanatory memorandum, proposing amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).

The draft implements the Government’s response to HM Treasury’s 2024 consultation, which found that while the existing framework remains broadly effective, targeted updates are needed to improve efficiency and better reflect a risk-based approach.

The proposed amendments refine customer due diligence (CDD) and enhanced due diligence (EDD) requirements, including the treatment of unusually complex or large transactions, measures relating to high-risk jurisdictions, provisions for pooled client accounts, and onboarding scenarios following bank insolvency. Monetary thresholds would be converted from EUR to GBP in line with Financial Action Task Force (FATF) standards.

The draft also introduces important updates to the cryptoasset framework, aligning it more closely with the Financial Services and Markets Act 2000 (FSMA) regime and adjusting the change-in-control requirements for cryptoasset businesses. In addition, it clarifies the scope of trust or company service providers (TCSPs), explicitly bringing the sale of “off-the-shelf” companies within the regulatory perimeter. Overall, the reforms reflect a targeted, risk-based recalibration of the UK AML/CFT regime, with clearer integration of cryptoasset activities.

Who’s affected?

The proposed amendments apply to all “relevant persons” under the MLRs, including:

• Credit and financial institutions
• Payment and e-money institutions
• Cryptoasset businesses (including exchanges and custodians)
• Trust or company service providers (TCSPs)
• Legal and accounting professionals
• Other regulated entities subject to AML/CFT obligations

The changes will also have a direct impact on compliance, AML/CFT, and legal teams responsible for customer due diligence, transaction monitoring, onboarding, and risk assessment frameworks. In particular, cryptoasset firms will be affected by alignment with the forthcoming FSMA-based regime, while TCSPs will face an expanded scope of regulated activities.

Deadline

The draft regulations have been laid before Parliament and remain subject to approval by both Houses.

If adopted, the general provisions are expected to enter into force 21 days after the statutory instrument is made. However, certain cryptoasset-related measures will be implemented on a delayed basis, with key dates set for February 1, 2027, and October 25, 2027.

Firms should therefore prepare for near-term implementation of the general amendments, alongside a phased approach to compliance for cryptoasset-specific requirements.

Read more:

• UK Draft SI (26 March 2026) – Money Laundering and Terrorist Financing (Amendment) Regulations 2026
• Memorandum

EU🇪🇺 AMLA Advances Risk-Based Supervision and Rulemaking with Data Exercise and RTS Consultation

What happened?

On March 16, 2026, the Anti-Money Laundering Authority (AMLA) launched a data collection and testing exercise aimed at developing and calibrating its risk assessment models for the EU financial sector. The initiative is designed to support the selection of up to 40 entities for direct AMLA supervision from 2028 and to ensure a consistent approach to assessing money laundering and terrorist financing (ML/TF) risks across the EU.

To facilitate this exercise, AMLA published a comprehensive reporting package—including templates, interpretative guidance, and webinar materials—and is requiring selected entities, via their national supervisors, to submit structured data for testing purposes.

In parallel, AMLA held its first public hearing on March 24, 2026, on draft Regulatory Technical Standards (RTS) under the EU AML framework. The hearing brought together more than 1,600 stakeholders from both financial and non-financial sectors and focused on key elements of the EU Single Rulebook, particularly CDD requirements and criteria for identifying business relationships, as well as occasional and linked transactions. Feedback collected during the consultation process will inform the finalization of the RTS, with a focus on ensuring that the rules are risk-based and operationally practical.

Taken together, these developments highlight AMLA’s dual-track approach of building a data-driven supervisory model while advancing harmonized AML/CFT rulemaking across the EU.

Who’s affected?

The developments impact a broad range of stakeholders across the EU AML/CFT framework, including:

• Credit and financial institutions, particularly those selected by national competent authorities to participate in the data collection exercise
• All “obliged entities” under the EU AML framework, including financial institutions, non-financial businesses and professions (DNFBPs), and crypto-asset service providers
• National competent authorities (NCAs), which are responsible for coordinating participation and overseeing data submissions
• Compliance, AML/CFT, and data/reporting functions, which will need to prepare structured submissions, adapt to emerging EU-wide risk assessment methodologies, and anticipate harmonized CDD and transaction classification requirements

While participation in the data collection exercise is limited to selected entities, the resulting risk models and RTS will have system-wide implications for all obliged entities.

Deadline

• March 24, 2026: AMLA public hearing on draft Regulatory Technical Standards (RTS)
• April 22, 2026: Deadline for participating entities to submit data for the AMLA data collection exercise
• May 8, 2026: Deadline for stakeholders to provide written feedback on the draft RTS

Looking ahead, AMLA is expected to select entities for direct supervision in 2027, with direct supervisory activities commencing in 2028.

Read more:

• AMLA launches data collection exercise to test risk assessment models
• AMLA concludes first public hearing on draft regulatory technical standards

Turkey🇹🇷 Extends Remote Identification Framework to Crypto-Asset Service Providers

What happened?

Following its publication in the Official Gazette on February 28, 2026, Turkey amended and expanded its regulatory framework governing remote identification (non-face-to-face customer onboarding).

The Communiqué broadens the scope of application to include crypto-asset service providers, alongside intermediary institutions and portfolio management companies. It also confirms that customer identity verification may be carried out via remote methods—such as real-time video-based identification—provided that strict procedural safeguards are met.

Under the revised framework, in-scope entities must ensure that identification is conducted through secure, uninterrupted, and recorded video communication, supported by robust verification controls (including document checks and liveness detection). They are also required to retain comprehensive records and audit trails of the identification process and to establish appropriate internal policies, procedures, and control mechanisms prior to implementation. All processes must comply with risk-based AML/CFT principles.

Overall, the amendment aligns crypto-asset service providers with the same remote CDD standards applicable to traditional capital markets institutions.

Who’s affected?

The amended framework applies to:

• Intermediary institutions (investment firms and brokerages)
• Portfolio management companies
• Crypto-asset service providers, including:
  • Crypto trading platforms
  • Custody providers
  • Entities facilitating the issuance or transfer of crypto-assets

Additionally impacted:

• Compliance and AML/CFT functions responsible for customer onboarding and due diligence
• IT and security functions responsible for remote identification systems and data integrity

All in-scope entities must ensure that their remote identification systems are secure, auditable, and fully compliant with applicable AML/CFT requirements.

Deadline

The amendment entered into force on February 28, 2026, the date of its publication in the Official Gazette, unless otherwise specified in any transitional provisions.

In practice, affected entities—including crypto-asset service providers—are expected to align their onboarding processes without undue delay, while observing any applicable transitional arrangements set out in the Communiqué.

Read more: 

ARACI KURUMLAR VE PORTFÖY YÖNETİM ŞİRKETLERİ TARAFINDAN KULLANILACAK UZAKTAN KİMLİK TESPİTİ YÖNTEMLERİNE VE ELEKTRONİK ORTAMDA SÖZLEŞME İLİŞKİSİNİN KURULMASINA İLİŞKİN TEBLİĞ (III-42.1)’DE DEĞİŞİKLİK YAPILMASINA DAİR TEBLİĞ (III-42.1.a)

Australia's🇦🇺 AUSTRAC Introduces Phased AML/CTF Reforms with Transitional Relief for Virtual Asset Services

What happened?

AUSTRAC has introduced transitional rules to support the implementation of Australia’s amended Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) framework, effective from March 31, 2026.

The reforms establish a modernized, risk-based AML/CTF regime and expand the scope of regulation to cover additional designated services, including virtual asset service providers (VASPs). To ease implementation, AUSTRAC has adopted a phased approach, allowing entities time to transition to the new requirements.

In particular, existing reporting entities are granted a three-year transition period for customer due diligence (CDD), during which they may continue operating under legacy ACIP frameworks while progressively adopting the new risk-based model by March 31, 2029. For newly regulated virtual asset services, certain AML/CTF obligations—such as elements of CDD and value transfer requirements—are deferred until July 1, 2026.

The framework also introduces the “Travel Rule” for virtual asset transfers, requiring the collection and transmission of originator and beneficiary information. This requirement will apply to both existing and newly regulated VASPs once in force.

Overall, the transitional rules reflect a staged implementation of obligations, with particular focus on ensuring a smooth onboarding of crypto-related activities into the AML/CTF regime.

Who’s affected?

The transitional rules apply to a broad range of entities, including:

• Existing reporting entities under the AML/CTF Act (such as financial institutions and remittance providers)
• Newly regulated entities (“Tranche 2”), including professional service providers (e.g., legal, accounting, and real estate sectors) and virtual asset service providers (VASPs), such as exchanges, custody providers, and entities facilitating virtual asset transfers
• Compliance and AML/CTF functions responsible for customer due diligence frameworks, Travel Rule implementation, and registration and reporting obligations

These changes are particularly significant for crypto-related businesses, which will be subject to new and evolving regulatory requirements under a phased timeline.

Deadline

• March 31, 2026: Reformed AML/CTF regime enters into force; start of transition period for existing entities and opening of enrollment for newly regulated VASPs
• July 1, 2026: AML/CTF obligations begin to apply to newly regulated virtual asset services; Travel Rule becomes effective for virtual asset transfers
• July 29, 2026: Deadline for enrollment and registration of newly regulated entities, including VASPs
• March 31, 2029: End of transition period for initial customer due diligence; full implementation of the risk-based CDD framework required for all in-scope entities

Read more:

• AUSTRAC – AML/CTF Transitional Rules 2026 (including virtual asset services)

Crypto 

🌍 FATF Flags Rising AML Risks in Stablecoins and Unhosted Wallets in Targeted Report

What happened?

The Financial Action Task Force (FATF) has published a targeted report examining money laundering (ML), terrorist financing (TF), and proliferation financing (PF) risks associated with stablecoins and unhosted (self-custody) wallets.

The report highlights the rapid growth of stablecoins, noting that more than 250 are currently in circulation with a combined market capitalization exceeding USD 300 billion. It also finds that stablecoins accounted for a significant share of illicit virtual asset activity—approximately 84% in 2025.

According to FATF, certain inherent features of stablecoins—such as price stability, high liquidity, cross-border functionality, and interoperability—make them particularly attractive for illicit uses, including laundering proceeds of cybercrime and evading sanctions. At the same time, the increasing use of peer-to-peer (P2P) transactions via unhosted wallets presents a major regulatory challenge, as these transactions can occur without the involvement of regulated intermediaries and may fall outside existing AML/CFT controls.

The report also points to broader structural vulnerabilities, including limited visibility over P2P transaction flows, difficulties in tracing cross-chain activity, and uneven implementation of FATF standards across jurisdictions. Overall, it underscores the need for a more comprehensive and consistent application of AML/CFT measures across the evolving crypto ecosystem.

Suggested read: Global Stablecoin Compliance: GENIUS Act, MiCA, Hong Kong, Singapore, and More Key Rules

Who’s affected?

The findings are relevant to a wide range of stakeholders across the global AML/CFT framework, including:

• Jurisdictions and national regulators responsible for implementing FATF Recommendations, particularly those relating to virtual assets
• Crypto-asset ecosystem participants, such as Virtual Asset Service Providers (VASPs), stablecoin issuers and administrators, and other entities involved in stablecoin arrangements
• Financial institutions that interact with crypto markets
• Users engaging in unhosted wallet transactions, as these activities are identified as presenting elevated risk

Importantly, the report emphasizes that AML/CFT obligations should apply across the entire stablecoin ecosystem, rather than focusing solely on traditional intermediaries.

Deadline

The report does not introduce binding legal obligations or specific deadlines. However, it calls on jurisdictions to urgently and fully implement FATF Recommendation 15 and encourages the adoption of risk-based, proportionate regulatory frameworks that address stablecoin-specific risks.

In practice, the report serves as normative guidance and is expected to drive near-term regulatory reforms and to increase supervisory expectations for virtual asset service providers and stablecoin issuers.

Read more: 

• Targeted Report on Stablecoins and Unhosted Wallets

🇦🇪 Dubai’s DFSA Updates AML Framework to Align with UAE Federal Reforms

What happened?

The Dubai Financial Services Authority (DFSA) introduced amendments to its Anti-Money Laundering, Counter-Terrorist Financing and Sanctions (AML) Module and the Glossary Module of the DFSA Rulebook.

These amendments, which entered into force on March 2, 2026, are intended to align the DIFC regulatory framework with the updated UAE Federal AML legislation enacted in 2025. The changes primarily focus on ensuring consistency in definitions and regulatory concepts, with the Glossary Module updated to reflect revised federal terminology.

In addition, the amendments expand and clarify the scope of financial crime risks—explicitly incorporating updated concepts such as proliferation financing—and provide greater interpretative clarity on AML obligations within the DIFC framework. To support implementation, the DFSA has also issued FAQs offering practical guidance to firms.

Overall, while technical in nature, the amendments represent a meaningful step toward harmonizing DFSA rules with the UAE’s broader federal AML regime.

Who’s affected?

The amendments apply to all “Relevant Persons” under the DFSA AML Module, including:

• DFSA-authorized firms (such as banks, investment firms, and asset managers)
• Designated Non-Financial Businesses and Professions (DNFBPs)
• Authorized Market Institutions
• Registered auditors
• Compliance, AML/CFT, legal, and risk functions responsible for customer due diligence, transaction monitoring, sanctions compliance, and interpretation of updated regulatory definitions

All in-scope entities are expected to review and align their policies, procedures, and controls with the updated framework.

Deadline

• March 2, 2026: Entry into force of the amendments
• Immediate compliance expected: No general transitional period has been provided, meaning firms are required to comply from the effective date
• Additional updates: Certain related rulemaking instruments may have later effective dates (e.g., April 2026), depending on the specific module amendments

Read more: 

• DFSA AML and Glossary Modules amendments come into force; FAQs published

US🇺🇸 Treasury Highlights AI, Digital Identity, and Blockchain Analytics in AML Strategy under GENIUS Act

What happened?

On March 6, 2026, the US Department of the Treasury published a report to Congress titled “Innovative Technologies to Counter Illicit Finance Involving Digital Assets,” as mandated under the GENIUS Act.

The report explores how emerging technologies can enhance AML/CFT frameworks—particularly for digital assets—and outlines key policy directions. It identifies four core pillars: artificial intelligence (AI), digital identity solutions, blockchain analytics, and application programming interfaces (APIs).

AI is already used for transaction monitoring, SAR drafting, and deepfake detection, with Treasury planning further guidance and collaboration with NIST, while noting risks such as synthetic identity fraud. Digital identity tools, including mobile IDs and zero-knowledge proofs, are highlighted for improving customer identification, with further clarification expected under existing CIP rules.

Blockchain analytics remain central to tracing crypto transactions, with Treasury calling for stronger supervisory expertise, clearer standards, and better information sharing, alongside potential legislative developments such as safe harbor mechanisms. APIs are also emphasized as critical infrastructure, with plans for standardized guidance to support system integration.

Overall, the report signals a continued shift toward a technology-driven AML/CFT framework for digital asset markets.

Suggested read: Top Crypto-Friendly Countries in 2026

Who’s affected?

The report has implications for a wide range of stakeholders involved in AML/CFT compliance and digital asset markets, including:

• Financial institutions (such as banks, payment institutions, and broker-dealers)
• Digital asset service providers (including crypto exchanges, custodians, and blockchain-based platforms)
• Regulators and supervisory authorities, particularly U.S. federal agencies and AML examination bodies
• Technology providers, including AI vendors, digital identity solution providers, and blockchain analytics firms
• Compliance, AML/CFT, and risk functions responsible for adopting advanced monitoring tools, integrating digital identity solutions, and enhancing crypto transaction surveillance

Firms should expect increasing regulatory focus in the near to medium term, particularly around AI governance in AML, the use of digital identity tools, and the evolution of crypto transaction monitoring frameworks.

Deadline

The report does not introduce binding legal obligations or immediate compliance deadlines. 

Read more: 

• REPORT TO CONGRESS FROM THE SECRETARY OF THE TREASURY ON INNOVATIVE TECHNOLOGIES TO COUNTER ILLICIT FINANCE INVOLVING DIGITAL ASSETS

iGaming 

New Zealand🇳🇿 Advances Online Casino Gambling Bill Toward Regulated Market Framework

What happened?

New Zealand’s Online Casino Gambling Bill is progressing through the parliamentary process and is currently undergoing detailed scrutiny. The Bill aims to establish a regulated online casino market, replacing the current environment in which offshore operators provide services without domestic licensing.

It introduces a capped licensing regime (approximately 15 operators) alongside enhanced regulatory oversight. The framework includes measures on consumer protection, harm minimization, advertising restrictions, age verification, and community funding linked to gambling revenues.

Having passed earlier legislative stages, the Bill is now at the Committee of the Whole House phase, where provisions are reviewed clause by clause and may be amended—marking a critical step before final adoption.

Who’s affected?

The Bill will impact a range of stakeholders, including:

• Online casino operators, both domestic applicants and offshore operators targeting New Zealand customers
• Potential licensees subject to a competitive licensing process and ongoing regulatory supervision
• Consumers, who will benefit from enhanced protections and safeguards
• Regulatory authorities, particularly the Department of Internal Affairs (DIA), responsible for licensing and oversight
• Unlicensed offshore operators, which will need to obtain a license or exit the market once the regime is implemented

Deadline

The legislation is expected to be finalized around June 2026, subject to completion of parliamentary scrutiny and formal approval (including third reading and Royal Assent).

Following adoption, expressions of interest for licenses are anticipated around July 2026, with the regulated market and licensing regime expected to become operational by late 2026. Timing remains indicative and dependent on the legislative process.

Read more:

• Official Bill page (New Zealand Parliament)

EU🇪🇺 Advocate General Signals Broader Use of Account Preservation Orders Against Offshore Gambling Operators

What happened?

On March 5, 2026, Advocate General Norkus delivered an Opinion in Case C-716/24 (Ponner), following a preliminary reference from the Higher Regional Court in Frankfurt am Main on the scope of the European Account Preservation Order (EAPO) Regulation.

The case concerns a German player seeking to recover online gambling losses from a Curaçao-based operator, including by requesting the preservation of bank accounts allegedly held in Cyprus. The key legal question is whether insolvency proceedings opened in a non-EU country—and recognized under national law—prevent the issuance of an EAPO.

The Advocate General concluded that the EAPO framework does not exclude such orders merely because third-country insolvency proceedings exist. In his view, the relevant exclusion applies only to insolvency proceedings opened within EU Member States under the recast Insolvency Regulation. Any conflict with foreign insolvency proceedings should instead be assessed at the enforcement stage, rather than at the point of issuing the preservation order.

While not binding, the Opinion suggests a potentially stricter enforcement landscape for offshore online gambling operators targeting EU consumers. A final judgment from the Court of Justice of the European Union (CJEU) is expected later in 2026.

Who’s affected?

The Opinion has implications for several stakeholders, including:

• Offshore online gambling operators serving EU customers, particularly those with banking or payment arrangements within the EU
• EU-based claimants or players seeking to recover losses from unlicensed or offshore operators
• Banks and payment service providers in EU Member States that may be required to act on EAPO measures affecting customer accounts

If the Court follows the Advocate General’s reasoning, these groups may face increased exposure to cross-border asset preservation measures.

Deadline

The next key milestone is the final judgment of the Court of Justice of the European Union in Case C-716/24, which is expected later in 2026.

Read more:

• OPINION OF ADVOCATE GENERAL NORKUS delivered on 5 March 2026