Compliance Digest—November 2025

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from crypto and digital ID to AI.

If you want to get the latest news every month in one place, subscribe to our newsletter.

Crypto 

UAE 🇦🇪

1. UAE Publishes 2025 AML/CFT/CPF Decree-Law, Setting Fresh Standards for VASPs

What happened? The United Arab Emirates (UAE) published the 2025 Federal Decree-Law on AML/CFT/CPF, establishing new regulatory requirements for Virtual Asset Service Providers (VASPs). As part of compliance, VASPs must conduct a mandatory GAP assessment of their current AML/CFT/CPF policies, procedures, systems, and controls against the provisions of the 2025 Decree-Law.

Who's affected?

• VASPs operating in or from the UAE
• Boards and compliance teams responsible for AML/CFT/CPF adherence

Deadline: 60 calendar days from the issuance of the circular to submit a completed GAP Assessment with clause-by-clause mapping, a board-approved Remediation Plan that includes owners, milestones, and target dates, and evidence of immediate risk-based mitigations for any high-risk gaps identified.

Read more: UAE Federal Decree-Law on AML/CFT/CPF (2025) and related circulars for VASPs

2. Dubai’s VARA Issues New Circular on Risk Assessments for VASPs

What happened? On November 7, 2025, the Virtual Assets Regulatory Authority (VARA) issued a circular providing guidance to regulated Virtual Asset Service Providers (VASPs) on Rule III.D (Risk Assessments) in the compliance/risk rulebook. The circular follows VARA’s May 2025 Risk Management Rulebook and the June 2025 national risk assessment circular. It mandates data-driven, quarterly-maintained BRAs for all VASPs and addresses significant deficiencies identified during 2024–2025 inspections, including:

• Lack of documented business risk assessment (BRA) methodologies
• Unrealistic residual risk ratings
• Failure to consider emerging risks such as proliferation financing (PF), targeted financial sanctions (TFS), and the use of AI

Who's affected?

• All regulated Virtual Asset Service Providers (VASPs) under VARA supervision
• Compliance and risk teams responsible for AML/CFT/PF risk assessments

Deadline:

The circular is effective immediately from November 7, 2025. VASPs must complete their first quarterly BRA reassessment by November 30, 2025. Those that fail to maintain credible BRAs may face enforcement action, and assessments must be re-performed within 30 days if deficiencies are identified. VARA will also conduct a thematic review of BRA frameworks in Q2 2026.

Read more: D. Risk Assessments

Suggested read: A Lighthouse in the Crypto Storm: How Dubai’s VARA Combines Market Resilience and Travel Rule Excellence

Kenya 🇰🇪

Kenya Implements New VASP Act Establishing Full Regulatory Framework

What happened? The Central Bank of Kenya and the Capital Markets Authority have announced the commencement of the Virtual Assets Service Providers Act, 2025 (Act No. 20 of 2025). Gazetted on October 21, 2025, and effective from November 4, 2025, the Act establishes a comprehensive regulatory and supervisory framework for Virtual Asset Service Providers (VASPs). It introduces obligations related to anti-money laundering (AML), counter-terrorism financing (CTF), and counter-proliferation financing (CPF), bringing the sector under formal oversight for the first time.

Who's affected?

• Virtual Asset Service Providers (VASPs) operating in Kenya
• Compliance teams and management of VASPs
• Regulatory authorities, including the Central Bank of Kenya and Capital Markets Authority

Deadline: Effective immediately from November 4, 2025 for all VASPs to comply with obligations under the Act.

Read more: Virtual Assets Service Providers Act, 2025 (Act No. 20 of 2025), Kenya Gazette

Brazil 🇧🇷

Brazil Introduces Comprehensive Regulatory Framework for Virtual Asset Service Providers

What happened? On November 10, 2025, the Central Bank of Brazil (BCB) issued Resolutions 519, 520, and 521, establishing the country’s first comprehensive rules for the authorization and provision of virtual asset services and formally creating Virtual Asset Service Provider Companies (VASPs).

Resolution 520, Provision of Virtual Asset Services, outlines the standards for providing virtual asset services, including requirements for client protection, transparency, AML/CFT controls, governance, security, internal controls, and information disclosure. It allows these services to be offered either by eligible financial institutions or by VASPs classified as intermediaries, custodians, or brokers.

Resolution 519, Authorization, sets the rules for authorizing VASP operations and updates authorization procedures for entities already regulated in related segments, such as foreign exchange brokers, securities brokers, and securities distribution firms. It also details the processes and deadlines that existing service providers must follow to achieve compliance.

Resolution 521, Foreign Exchange and International Capital, clarifies which virtual asset activities fall under Brazil’s foreign exchange market and international capital regulations, aligning the virtual asset sector with the broader financial regulatory framework.

Who's affected?

• Virtual Asset Service Providers (VASPs) in Brazil
• Financial institutions offering virtual asset services
• Compliance, governance, and reporting teams within affected institutions
• Participants in foreign exchange and international capital operations involving virtual assets

Deadline: Resolutions take effect on February 2, 2026, with mandatory reporting on foreign exchange and foreign capital operations starting May 4, 2026.

Read more: Banco Central regulamenta o uso de ativos virtuais e o funcionamento e a autorização das instituições que atuam nesse mercado

Suggested read: Global Stablecoin Compliance: GENIUS Act, MiCA, Hong Kong, Singapore, and More Key Rules

AML 

Peru 🇵🇪

Peru’s Financial Regulator Releases Draft AML and CTF Regulations

What happened? The Superintendencia de Banca, Seguros y AFP (SBS) in Peru published a draft regulation on anti-money laundering and counter-terrorism financing (AML/CTF) for casino and slot machine operators under Resolution 04033-2025. The draft outlines requirements, including:

• Customer due diligence training for directors, employees, and suppliers.
• Mandatory AML/CTF prevention training for all employees, based on the official prevention manual and code.
• Transaction logs and an annual compliance officer report.
• Repeal of SBS Resolution No. 1695-2016, the previous AML/CTF regulation for casino and slot machine operators.

Who's affected?

• Casino and slot machine operators in Peru
• Directors, employees, and suppliers involved with these operators
• Compliance officers responsible for AML/CTF adherence
• Stakeholders interested in providing feedback on AML/CTF regulations

Deadline: Comments on the draft regulations must be submitted within 15 days, by November 29, 2025.

Read more: Proyecto de resolución que aprueba la Norma para la prevención del lavado de activos y del financiamiento del terrorismo aplicable a las personas jurídicas que explotan juegos de casino y/o máquinas tragamonedas

UK 🇬🇧

UKFIU Issues New Guidance for SAR Submissions, Replacing Previous Documents

What happened?
The United Kingdom Financial Intelligence Unit (UKFIU), part of the National Crime Agency (NCA), published updated best practice guidance for submitting Suspicious Activity Reports (SARs). The new documents cover portal use, SAR submission procedures, and understanding Defence Against Money Laundering (DAML) and Defence Against Terrorist Financing (DATF) requests. All previous guidance has been withdrawn and should no longer be used.

Who's affected?

• All Gambling Commission operating licensees
• Compliance, AML, and reporting teams responsible for SAR submissions
• Anyone using the SAR Portal to file DAML/DATF-related reports

Deadline: No explicit deadline mentioned, but operators are expected to review and transition to the new guidance immediately, as older versions are now invalid.

Read more:

• Chapter 1: Using the SAR Portal
• Chapter 2: Submitting a SAR
• Chapter 3: Understanding DAMLs and DATFs

Gambling 

Argentina 🇦🇷

Argentina Updates Online Betting Tax Rules with New ARCA Resolution 5791/2025

What happened?
Argentina’s Customs Collection and Control Agency (ARCA) issued new regulations (General Resolution 5791/2025) modifying procedures for registration, monitoring, and collection within the indirect tax regime on online betting. The resolution updates deadlines, oversight mechanisms, communication requirements, and the publication of operator information, while also formalizing processes for appeals and deregistration. 

Who's affected?

• National and foreign online gambling operators offering services in Argentina
• Payment intermediaries handling transactions with foreign gambling platforms
• Applicants to the Online Control Registry of Betting Systems
• Operators subject to ARCA’s monitoring and compliance requirements

Deadline: ARCA must resolve operator applications within 60 days. Appeals or deregistration requests must be resolved within 15 days of filing. New withholding rates take effect on the first day of the two-week period following the issuance of the approval and tax-rate certificate.

Read more: AGENCIA DE RECAUDACIÓN Y CONTROL ADUANERO. Resolución General 5791/2025

Brazil 🇧🇷

Brazil Tightens Responsible Gambling Rules with New Self-Exclusion Regulations

What happened? Brazil’s Secretariat of Prizes and Bets (SPA-MF) under the Ministry of Finance published regulations to strengthen self-exclusion measures for gambling operators:

Normative Instruction No. 31 establishes systems to prevent self-excluded individuals from placing bets, including mandatory checks against the Betting Management Platform (SIGAP) during login/registration and every 15 days. Operators must block accounts, notify users, return funds, and maintain records for five years.

Ordinance No. 2,579/2025 updates self-exclusion rules and requires additional responsible gambling tools and user data collection (e.g., gender, address, ID, betting limits). Unreturned funds must go to social benefit programs. Operators cannot notify users directly about removal from self-exclusion.

Who's affected?

• Licensed gambling operators in Brazil
• Self-excluded users
• Compliance and responsible gambling teams within operators
• Social benefit programs (potential recipients of unreturned funds)

Deadline: Both regulations take immediate effect. Operators have 30 days to implement the required changes under Normative Instruction No. 31, and 90 days to implement the changes mandated by Ordinance No. 2,579/2025.

Read more: 

• Normative Instruction No. 31
• SPA/MF Ordinance No. 2,579

South Africa 🇿🇦

South Africa Proposes 20% National Tax on Online Gambling Revenue

What happened?
South Africa’s National Treasury released a discussion paper proposing a 20% national tax on gross gambling revenue (GGR) from online gambling, including interactive betting. The measure aims primarily to curb problem gambling while also generating an estimated R10bn in additional revenue. The proposal would operate alongside existing provincial taxes, increase effective rates, streamline regulatory oversight, and apply even to operators offering online casino games—despite their illegality under current national law.

Who's affected?

• Online betting and gambling operators active in South Africa
• Operators licensed in provinces such as the Western Cape and Mpumalanga
• Provincial gambling boards and regulatory authorities
• South African Revenue Service (SARS)
• Stakeholders engaged in the national debate on gambling regulation
• Consumers who gamble online (through potential behaviour-modifying tax impacts)

Deadline: Public comments on the draft national online gambling tax discussion paper are open until January 30.

Read more: South Africa National Treasury – Discussion Paper (November 25)

EU 🇪🇺

EU Regulators Join Forces Against Illegal Online Gambling

What happened? Gambling authorities from Germany, Austria, France, the United Kingdom, Italy, Portugal, and Spain reached a joint agreement to share information and coordinate enforcement actions against illegal online gambling. The agreement—finalized during a meeting at Spain’s Directorate General for Gambling Regulation (DGOJ) on November 12—focuses on combating unlicensed operators, reducing illicit online advertising, and improving cross-border regulatory cooperation. It coincided with the First International Gaming Congress in Madrid, where European regulators discussed sector challenges and consumer-protection strategies. Recent developments, such as GambleAware’s call for stricter rules and the EGBA-supported European standard on markers of harm, also underscore the broader EU push toward stronger consumer safeguards.

Who's affected?

• National gambling regulators across the seven participating countries
• Illegal/unlicensed online gambling operators
• Social media platforms, video platforms, and affiliate networks targeted for coordinated complaints
• Consumers, particularly vulnerable groups such as minors
• Regulators and operators preparing for the upcoming voluntary European harm-markers standard (expected early 2026)

Deadline: No formal deadlines are included in the agreement. The new European standard on markers of harm is expected to be published in early 2026.

Read more: EGBA welcomes approval of European standard on markers of harm

Sweden 🇸🇪

Swedish Gambling Authority Seeks Feedback on Proposed AML Regulation Changes

What happened?
The Swedish Gambling Authority (Spelinspektionen) has invited public comments on proposed amendments to its regulations on measures against money laundering and terrorist financing (SIFS 2019:2). The proposal seeks to remove land-based casino games, licensed under Chapter 9 of the Gambling Act, from the list of gambling activities exempt from the Money Laundering and Terrorist Financing (Prevention) Act (2017:630). This change reflects the authority’s assessment that commercial land-based casinos are no longer low-risk for money laundering, particularly following the removal of state-run casinos from licensing categories.

Who's affected?

• Land-based commercial casino operators in Sweden
• Gambling agents and operators subject to AML and terrorist financing regulations
• Compliance and regulatory teams within affected casinos
• Interested parties wishing to comment on the proposal

Deadline: Responses to the proposed changes must be submitted by December 12, 2025

Read more: Spelinspektionens föreskrifter och allmänna råd om åtgärder mot penningtvätt och finansiering av terrorism

UK 🇬🇧

UK Sets New Gambling Tax Measures in Latest Economic and Fiscal Outlook

What happened? The UK Government announced major changes to gambling taxation in the Economic and Fiscal Outlook, published by the Office for Budget Responsibility (OBR) in November 2025. Key measures taking effect:

April 2026:

• Remote Gaming Duty (RGD) will rise sharply from 21% to 40% of profits.
• The 10% bingo duty will be abolished.

April 2027:

• A new 25% General Betting Duty (GBD) rate for remote betting will apply (excluding self-service betting terminals, spread betting, pool bets, and horse racing).
• The duty on remote horse racing remains 15%.

The government will freeze casino gaming duty bands in 2026–27.

These changes are expected to raise £1.1bn by 2029–30. Industry observers warn that the 40% RGD will likely push more players to the black market, while operators may respond with budget cuts, reduced promotions, operational adjustments, and restructuring.

Who's affected?

• UK-licensed online casino and remote betting operators
• Consumers (due to reduced promotions/offers and potential black-market risks)
• The Gambling Commission (set to receive £26m over three years to combat illicit markets)
• Land-based casinos (through duty band freezes)
• Bingo operators (benefiting from the abolition of bingo duty)
• Remote betting operators (subject to new GBD rate from 2027)

Deadline: Tax changes take effect:

• April 2026 (RGD increase; bingo duty abolished)
• April 2027 (new remote GBD rate)

No additional consultation deadlines mentioned in the supplied text.

Read more: The Tax Treatment of Remote Gambling. Summary of Responses and Government Response

Digital ID 

EU 🇪🇺

EU Proposes European Business Wallets for Secure Digital Identification and Data Exchange

What happened? The European Commission proposed a regulation to establish European Business Wallets (EBWs), a digital solution enabling companies to securely identify, authenticate, and exchange data with legal effect across the EU. EBWs aim to simplify business operations, reduce paperwork, and enhance competitiveness by allowing businesses to:

• Digitally identify and authenticate with a unique persistent identifier
• Sign, timestamp, or seal documents
• Create, store, and exchange verified digital documents (licenses, certificates, permits)
• Communicate securely with customers, suppliers, business partners, and public administrations

EBWs are based on the architecture of EU Digital Identity Wallets, providing interoperable, cloud-based identity solutions for economic operators of all sizes and supporting compliance automation.

Who's affected?

• Companies operating within the EU, including SMEs and large enterprises
• Public administrations interacting digitally with businesses
• Economic operators needing to demonstrate compliance with multiple EU rules

Deadline: No specific implementation or consultation deadline mentioned in the proposal summary.

Read more: Proposal for a Regulation of the European Parliament and of the Council on European Business Wallets (EU Commission)

Suggested read: Breaking News, Explained: Global Digital ID Regulations and Shifts (2026)

Artificial Intelligence

EU 🇪🇺

1. EBA Publishes AI Act Mapping for Banking and Payments Sector

What happened? On November 20, 2025, the European Banking Authority (EBA) sent a letter to the European Commission (EC) presenting the results of its AI Act mapping exercise for the banking and payments sector. Key points include:

• No significant contradictions were found between the AI Act and existing EU banking and payments law.
• While the AI Act acknowledges overlaps for some high-risk AI system requirements (human oversight, data governance, cybersecurity), EU financial law already includes comprehensive rules in these areas.
• The letter includes an annex identifying relevant EU banking and payments obligations mapped against AI Act requirements, highlighting where AI Act does or does not envisage derogations or synergies.
• EBA considers the findings a useful tool to guide future alignment between the AI Act and sectoral legislation.

Who's affected?

• Banks and payment service providers operating in the EU
• National competent authorities supervising the banking and payments sector
• EBA and the EU AI Office, for coordination and implementation guidance
• Developers and deployers of high-risk AI systems in financial services

Deadline: There are no immediate regulatory deadlines. Looking ahead, in 2026–2027, the EBA will undertake activities to support the implementation of the AI Act, including promoting a common supervisory approach and participating in the AI Board Subgroup on Financial Services.

Read more: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of European Business Wallets

2. European Parliament Highlights AI Opportunities and Risks in the Financial Sector

What happened? The European Parliament released a report examining the impact of artificial intelligence (AI) on the financial sector, emphasizing both its potential benefits and associated risks. The report identifies key opportunities, including fostering innovation, improving fraud detection, and enhancing compliance processes. At the same time, it flags risks related to data quality, algorithmic bias, and the explainability of AI systems.

To address these challenges, the report calls for clear guidance on regulatory overlaps, proportionate supervision to avoid stifling innovation, and increased investment in AI and digital skills. It also encourages the use of regulatory sandboxes and supervisory technology (SupTech) to balance innovation with consumer protection and financial stability.

Who's affected?

• Financial institutions across the EU adopting or developing AI systems
• Regulators and supervisors in the EU financial sector
• Consumers of financial services
• Developers of AI solutions for financial services

Deadline: No specific deadlines set. The report provides guidance and recommendations for ongoing and future AI deployment in finance.

Read more: REPORT on the impact of artificial intelligence on the financial sector (2025/2056(INI))

Fintech

Thailand 🇹🇭

BOT Introduces Framework for Safe and Standardized Financial Data Transfers

What happened? On October 30, 2025, the Bank of Thailand (BOT) issued regulations allowing citizens and businesses to exercise their rights to share financial data held by financial institutions with other service providers through digital channels. This initiative is part of the “Your Data for Financial Services That Meet User Needs” project and covers financial information such as account status, spending patterns, and debt repayment behavior.

Under the new regulations, financial service providers are required to implement secure, standardized, and user-friendly mechanisms for data transfer. Service providers must also ensure data security, protect consumers, and comply with established terms and fees, supporting greater transparency and accessibility in financial services.

Who's affected?

• Financial service providers supervised by the Bank of Thailand
• Consumers and businesses submitting their financial data
• Other service providers receiving the transferred data

Deadline: The regulations take effect on October 31, 2025. Users can access deposit data transfers starting late 2026, with expansion to other data types during 2027–2028.

Read more: ธปท. ออกหลักเกณฑ์ภายใต้โครงการ Your Data เพื่อให้ประชาชนและผู้ประกอบการสามารถใช้สิทธิส่งข้อมูลในภาคสถาบันการเงิน เพื่อให้ได้รับบริการทางการเงินที่ตอบโจทย์