Nov 03, 2025
14 min read

Compliance Digest—October 2025

Learn about all the latest compliance updates from the past month.

Every month, Sumsub’s Compliance Team prepares a digest with all the latest updates in the world of AML and beyond. We cover multiple industries, from AML to gambling.

If you want to get the latest news every month in one place, subscribe to our newsletter.

AML

Global 🌎

1. FATF Issues Updated Call for Action on High-Risk Jurisdictions

What happened?
The Financial Action Task Force (FATF) published its updated “Call for Action” statement, identifying jurisdictions with significant strategic deficiencies in their regimes to counter money laundering, terrorist financing, and proliferation financing. The jurisdictions listed face increased obligations, including enhanced due diligence and, in the most serious cases, full countermeasures.

Who’s affected?

The jurisdictions specifically named:

Democratic People’s Republic of Korea (DPRK): all members urged to apply full counter-measures.
Iran: remains on the list due to failure to fully implement its action plan.
Myanmar: designated for enhanced due diligence, with potential escalation to counter-measures if progress isn’t made.

All jurisdictions globally (including FATF members, observers, and financial institutions) are affected, since they are required to apply the measures accordingly (e.g., enhanced due diligence (EDD), termination of correspondent banking relationships, etc.).

Deadline:

For Myanmar: If no further progress is made by February 2026, the FATF will consider moving from enhanced due diligence measures to full counter-measures.
For DPRK and Iran: The call is effective immediately as of October 24, 2025. There’s no later “deadline” set in the document beyond the expectation of urgent action.

2. FATF Updates Grey List: Jurisdictions Under Increased Monitoring

What happened?
The Financial Action Task Force (FATF) also published an updated list of jurisdictions under “increased monitoring” (commonly referred to as the “grey list”) as of October 24, 2025. The list reflects countries that have committed to work with FATF and FATF‐style regional bodies (FSRBs) to address strategic deficiencies in their anti-money laundering / counter‑terrorist financing (AML/CFT) regimes.

Additionally, the FATF announced that four jurisdictions—Burkina Faso, Mozambique, Nigeria, and South Africa—are no longer subject to increased monitoring.

Who’s affected?

All jurisdictions listed under increased monitoring—Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, Haiti, Kenya, Lao PDR, Lebanon, Monaco, Namibia, Nepal, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), Yemen—are impacted.

The four jurisdictions removed from this monitoring list (Burkina  Faso, Mozambique, Nigeria, South Africa) are also affected by the change in status.

Financial institutions, compliance practitioners, and other international counterparties dealing with entities or transactions linked to the listed jurisdictions will also be impacted, as they may need to reassess risk profiles, due diligence measures, and monitoring obligations.

Deadline:

The statement is effective as of October 24, 2025 (publication date). There is no single uniform deadline for the listed jurisdictions to complete reforms. Rather, each country committed to an action plan with agreed-upon timeframes; the FATF will continue to monitor progress and expects the work to be completed “expeditiously and within the agreed timeframes”. For some jurisdictions, stated deadlines have already expired, and the FATF “encourages” continued implementation.

3. FATF Releases Updated Recommendations with New AML/CFT Clarifications and Improvements

What happened?
The FATF published the updated “Recommendations,” the global standard for combating money laundering, terrorist financing, and proliferation financing. The June 2025 update includes clarifications, procedural improvements, and new guidance for countries and financial institutions.

Key changes:

Recommendation 16 (Payment Transparency):

Clarified responsibilities for cross‑border payment information.
Standardized originator/beneficiary data (e.g., name, address, date of birth).
Introduced safeguards against fraud/errors in the payment chain.
Full compliance expected by the end of 2030.

Risk‑based approach & financial inclusion:

Strengthened guidance for proportional AML/CFT/CPF measures.
Encourages financial inclusion while managing risk.
Updated Interpretive Notes reinforce this approach.

Assessment methodology & procedural improvements:

Updated mutual evaluation procedures to mitigate unintended consequences.
Ensures legitimate NPOs and humanitarian flows are not unduly hindered.

Proliferation financing & virtual assets:

Highlighted gaps in sanctions implementation for proliferation financing.
Focused on oversight and regulation of virtual asset service providers (VASPs).

Who’s affected?

The updated FATF Recommendations apply broadly across the global financial system. All FATF members and affiliated jurisdictions—more than 200 in total—are expected to implement the standards. National authorities and regulators are responsible for embedding the revised AML/CFT/PF requirements into their supervisory frameworks, while financial institutions and DNFBPs must incorporate the updates into their internal compliance programs. In addition, observers, assessors, and international counterparties will continue to monitor adherence to ensure consistent application worldwide.

Deadline:

The updated Recommendations took effect in June 2025. For Recommendation 16 on payment transparency, FATF expects full global compliance by the end of 2030. All other Recommendations follow national implementation timelines and mutual evaluation schedules, rather than a single universal deadline.

Australia 🇦🇺

AUSTRAC Releases Updated Guidance to Support AML/CTF Compliance

What happened?
The Australian government passed the Anti‑Money Laundering and Counter‑Terrorism Financing Amendment Act 2024 on November 29, 2024, significantly reforming the AML/CTF regime under the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006. In response, AUSTRAC released draft versions of new AML/CTF Rules for consultation (including the second exposure draft in May 2025), which propose major changes to obligations for reporting entities. Additionally, AUSTRAC has published its “Regulatory expectations for the implementation of the AML/CTF reforms,” describing its oversight focus and preparatory guidance for entities.

Who’s affected?

Current reporting entities under the AML/CTF Act (e.g., banks, financial institutions) are affected by the updated obligations and implementation timelines.
Newly regulated businesses—often in ‘Tranche 2’ sectors (real estate professionals, lawyers, accountants, dealers in precious metals & stones, trust and company service providers)—will become subject to the regime under the reforms.
All entities in scope for AML/CTF obligations will need to prepare for changes in enrolment/registration, customer due diligence, reporting obligations, and program documentation.

Deadline:

The reform commencement dates are: March 31, 2026, for businesses already regulated, and July 1, 2026 for businesses newly entering regulation (Tranche 2). The finalized new AML/CTF Rules are expected to be published in August 2025.

UAE 🇦🇪

UAE Enacts New Banking Law

What happened?
Late  September 2025, the UAE enacted Federal Decree-Law No. 6 of 2025, the “New Banking Law,” which repeals Federal Law No. 14 of 2018 (the 2018 Law) and consolidates regulatory changes since then. The new Law also expands the scope of licensed financial activities under the Central Bank of the UAE (CBUAE) framework.

The Law also introduces two new regulated activities:

Providing open finance services
Providing payment services using Virtual Assets

Article 62 confirms that any person carrying out, offering, issuing, or facilitating a licensed financial activity, regardless of technology or form, is subject to CBUAE licensing, regulation, and oversight. Platforms, decentralized applications (dApps), protocols, and technology infrastructure that enable financial services (payments, credit, deposits, money exchange, remittances, investment) are now included within the regulatory perimeter.

Who’s affected?

Financial institutions and payment service providers offering licensed services in the UAE.
Virtual Asset service providers (VASPs), including those using virtual asset payment tokens.
Open finance providers.
Technology platforms and infrastructure providers that facilitate payments, credit, deposits, money exchange, remittances, or investment services—including dApps and protocols.
Any entity offering services without a license is now subject to CBUAE oversight and potential regulatory action.

Deadline:

The law came into effect on September 16, 2025. All affected entities must obtain CBUAE authorization before carrying out any regulated activity, including Virtual Asset payment services and open finance services.

Turkey 🇹🇷

MASAK Updates AML/CFT Guidance with Enhanced Due Diligence and Crypto Rules

What happened?
Turkey’s Financial Crimes Investigation Board (MASAK) published an updated version of its Guidance on Tightened / Enhanced Measures (the “Rehber”) for obliged entities under Turkey’s AML/CFT regime. The update reflects clarified obligations around enhanced due diligence, risk‑based monitoring, crypto‑asset service providers, and related entities.

Who’s affected?

Financial institutions and other obliged entities (banks, non‑bank financial institutions) operating in Turkey.
Crypto asset service providers (CASPs), which are now subject to tightened withdrawal/transfer restrictions, source‑identification and monitoring obligations.
Entities performing transactions with high‑risk customers, high‑risk jurisdictions, politically exposed persons (PEPs), and via remote onboarding or e‑services. The revised guidance also clarifies these categories.

Deadline:

The updated Guidance is in force as of its publication (September 2025). Obliged entities should review and align their systems, risk assessments, CDD/EDD procedures, and monitoring frameworks without delay (i.e., immediate compliance expected). For specific crypto asset‑related measures (via MASAK Communiqué No. 29/2025), the effective provisions (e.g., time‑delay withdrawals, limits on stablecoin transfers) were introduced in June 2025 as per the Official Gazette.

Crypto

EU 🇪🇺

ESMA Issues Q&A to Help CASPs Navigate MiCA Service Types

What happened?

The European Securities and Markets Authority (ESMA) published a Q&A number 2653 dated October 14, 2025, that clarifies how crypto asset service providers (CASPs) should distinguish between three types of services under MiCA:

Execution of orders for crypto‑assets on behalf of clients (agent/broker model)
Reception and transmission of orders for crypto‑assets on behalf of clients (RTO) (pure intermediary)
Exchange of crypto‑assets for funds or other crypto‑assets (principal/counterparty model)
ESMA emphasizes that classification depends on the actual operational reality (order‑fulfilment flow, use of proprietary capital, how client orders are handled), not merely how the CASP labels its service agreement or marketing materials.
In cases of doubt, especially with retail clients, ESMA recommends a presumption that the CASP acts as an agent (thus execution services), which triggers best execution obligations.

Who’s affected?

All CASPs operating under MiCA in the EU that provide crypto asset services, such as exchanges, broker‑type services, or reception/transmission of orders.
National competent authorities (NCAs) responsible for authorizing and supervising CASPs (because they must assess service type based on operational facts, not just contractual labels).
Clients of CASPs (especially retail clients), since different service categories carry different obligations (e.g., best execution for agent services).
Legal/compliance teams within firms offering crypto‑asset services, who must review service documentation, process flows, marketing, and client contracts to ensure alignment with the service type under MiCA.

Deadline:

The guidance is published and effective as of October 14, 2025. There is no separate fixed “compliance deadline” specified in the Q&A beyond the fact that CASPs should ensure their service classification and related compliance frameworks align now with MiCA and this guidance. CASPs should therefore act promptly to review and adjust their categorization, service documentation, and contractual arrangements to avoid regulatory misclassification.

Suggested read: EU Crypto Regulations 2025

Turkey 🇹🇷

Turkey’s MASAK Releases Revised Guide for Crypto Asset Service Providers

What happened?
On September 30, 2025, MASAK announced the publication of an updated version of its “Kripto Varlık Hizmet Sağlayıcılar Rehberi” (the Crypto Asset Service Providers Guide).
Key points in the updated guide include:

Strengthened customer due diligence and identity verification processes (including remote methods).
Implementation of the “Travel Rule” for crypto asset transfers requiring sender and recipient information to accompany transfers.
Specific obligations regarding crypto‑asset transfers, such as limits, time delays, monitoring of high‑risk clients, and jurisdictions.
Clarification of obligations for platforms, wallet services, and other infrastructure intermediaries in the crypto ecosystem.

Who’s affected?

All entities operating as crypto asset service providers (CASPs) in Turkey, e.g., exchanges, wallet providers, custody services, and transfer platforms.
Financial institutions and obliged parties that interact with CASPs (for example, via transfers or correspondent relationships).
Compliance, AML/CFT units within CASPs that need to revise their KYC, monitoring, and suspicious transaction reporting frameworks.
End‑users of CASPs, as new identity‑verification and transfer‑information rules will affect onboarding and transaction flows.

Deadline:

The guide was published on September 30, 2025. The update is in effect immediately. Entities are expected to review and align their systems and processes promptly, with no separate fixed extension deadline publicly specified. Entities should act without undue delay to ensure compliance with the new standards (given the heightened regulatory emphasis).

Gambling

Curaçao 🇨🇼

Curaçao Gaming Authority Introduces Framework to Reclassify NOOGH Licenses Under LOK Regime

What happened?
The Curaçao Gaming Authority (CGA) announced a framework to reclassify licenses issued under the NOOGH regime into the new LOK regime, specifically to ensure the business model (B2C vs B2B) on the license certificate matches the actual operations. Key aspects of the new framework include the expiration of the “Orange Seal” Certificate of Operations under the NOOGH regime on October 15, 2025, which officially ends the sublicense system. Operators whose NOOGH license certificate does not match their actual business model must apply to convert to the correct category, such as B2C (business to consumer) and B2B (business to business) or vice versa.

The framework outlines four main scenarios:

A B2C license under NOOGH, but operating as B2B, must transition to a LOK B2B license.
A B2B license under NOOGH, with the certificate showing B2C, must also convert to LOK B2B.
A change in business model from B2C to B2B requires revocation of the NOOGH B2C license and a new application under LOK B2B.
Conversely, a change from B2B to B2C requires revocation and re-application under LOK B2C.

The document also emphasizes that a single company can’t hold both a B2C and a B2B license simultaneously.

Who’s affected?

All license‑holders under the NOOGH regime whose license classification (B2C/B2B) does not match their actual operations.
Operators in the gaming sector offering services under Curaçao licensing: both B2C and B2B operators.
Entities considering a change of business model (e.g., shifting from B2C to B2B or vice versa) under Curaçao’s jurisdiction.
Compliance, legal, and operational teams within licensed gaming companies needing to review license classification and transition processes.

Deadline:

The reclassification framework is effective as of October 15, 2025 (expiry of the Orange Seal sublicense system).
For business‑model change scenarios (B2C → B2B or B2B → B2C) there is a transition provision: in scenario 3, the document states that until December 24, 2026, a B2B license is not mandatory for entities providing services to Curaçao‑licensed B2C operators (giving some transitional relief).
Operators must submit the required documentation and initiate the appropriate application or revocation process promptly (i.e., without undue delay) to ensure their license accurately reflects operations under the new LOK regime.

Croatia 🇭🇷

Croatia Adopts Responsible Gambling Reform

What happened?
The Republic of Croatia’s government approved a comprehensive reform of the country’s gambling legislation, focusing on socially responsible organization of games of chance, reducing excessive advertising, strengthening player protection measures (including self‑exclusion, mandatory player identification), and enforcing stricter location and operational rules for gambling venues.

Who’s affected?

All gambling operators in Croatia (land‑based and online).
Players (especially vulnerable groups, youth) who will be subject to new protections.
Advertisers, media, and venues hosting self‑service betting terminals (which face bans in certain contexts).
Public health & regulatory authorities tasked with implementation of the self‑exclusion register and oversight.

Deadline:

The amendments to the Law on Games of Chance were passed by Parliament in April 2025 and entered into force on May 1, 2025. Key responsible gambling measures (e.g., self‑exclusion register) must be implemented by June 30, 2026. Certain venue and terminal changes (e.g., removal of self‑service betting machines in cafes) are targeted by early 2026.

Brazil 🇧🇷

Brazil Extends Compliance Deadline for Beneficiary Program Betting Controls

What happened?
On October 30, 2025, the Prizes and Bets Secretariat (SPA-MF) under the Ministry of Finance announced an extension of the compliance deadline for operators to implement systems preventing recipients of Brazil’s social-benefit programs from placing bets. Originally, operators had 30 days from the publication of the normative instruction, setting the deadline at November 1, 2025. The new extended deadline is December 1, 2025, providing operators additional time to implement the required control systems. The extension is intended to help operators fully comply with Brazilian betting regulations.

Who’s affected?

All licensed betting operators in Brazil subject to SPA-MF regulations.
Compliance, IT, and operational teams within betting companies who must implement systems to prevent prohibited recipients from betting.
Social-benefit program recipients indirectly affected, as the systems will restrict their ability to participate in betting activities.

Deadline: Operators must have systems in place to prevent beneficiaries from participating in betting by December 1, 2025.

Share this article

AML Crypto Digest Gaming Global Intermediate News