2026 KYC/AML Outlook: Key Takeaways for Compliance Teams
This year, speed is set to become the deciding factor in KYC and AML. Customer risk shifts faster than periodic review cycles. Illicit finance is fragmenting into smaller, harder-to-spot flows. Sanctions continue to change quickly, and not always in sync across jurisdictions. AI is accelerating both sides of financial crime, enabling more scalable deception while raising expectations for explainable, auditable AI-powered controls.
This report breaks down the key trends that compliance teams must act on this year.
The Shift to Perpetual KYC: Keeping Customer Risk Current
Periodic KYC refresh cycles are increasingly out of step with how quickly customer risk can change. Ownership and control structures evolve, exposure to new geographies appears, and product usage shifts. If the customer risk profile does not align with that reality, monitoring decisions start from the wrong assumptions and controls become harder to defend. That is why more firms are pushing towards a dynamic customer lifecycle management (CLM) and perpetual KYC approach. In practice, that means event-led refresh triggers, tighter links between onboarding, monitoring, screening and casework, and an evidence trail that shows what changed and what the firm did about it.
This direction is reinforced by the EU Anti-Money Laundering Regulation’s ongoing monitoring requirements. It explicitly requires customer documents, data and information to be kept up to date, with the period between updates linked to risk and capped at 1 year for higher-risk customers and 5 years for all other customers. It also requires updates when circumstances change or when the firm becomes aware of a relevant new fact. By 10 July 2026, AMLA must issue guidelines on ongoing monitoring and transaction monitoring, which is likely to tighten expectations on what “effective” monitoring looks like in practice.
Firms adopting technology solutions that enable live risk management across the client lifecycle can strengthen anti-financial crime frameworks and improve customer experience by reducing redundant information requests.
Cryptocurrencies: Smaller Flows, Bigger Exposure
Cryptocurrencies and digital asset platforms remain attractive channels for moving illicit funds across fragmented systems, and the tactics are becoming more sophisticated. One pattern is the growth of “micro-laundering” routed through creator economy rails, such as tipping services, subscription platforms, and digital goods marketplaces. These ecosystems are built for high-volume, low-friction payments, so smaller flows can blend into normal user behaviour and be harder to distinguish from legitimate activity.
From a typology perspective, FATF has raised particular concern about stablecoins, noting that illicit use has increased since 2024 and that most on-chain illicit activity now involves stablecoins. It also warned of a “significant uptick” in the use of virtual assets in fraud and scams.
The practical consequence for 2026 is a sharper expectation that firms can evidence coverage across crypto-adjacent exposure points, including onboarding, transaction monitoring, and incoming travel rule compliance processes.
Staying ahead in 2026:
- Update typologies and monitoring logic for fragmentation and micro flows.
- Increase focus on stablecoin exposure and rapid fraud-to-crypto laundering pathways in risk assessments and investigations.
- Show how crypto-related alerts are detected, triaged, investigated, and closed, with clear linkage to customer risk profiles and ongoing monitoring.
Continued Enforcement Pressures
Regulators show no signs of easing up on AML enforcement, and 2025 provided multiple high-profile reminders of the consequences of poor AML controls. In the UK, the FCA fined Monzo £21m, Barclays £43m and Nationwide £44m for significant failings in AML controls.
These fines send a clear message that weak AML frameworks and governance lapses will be punished. Notably, many recent enforcement cases tied back to historical compliance gaps that have since been remediated. In 2026, regulators will expect firms to demonstrate ongoing effectiveness.
Firms should invest in compliance programme integrity, ensuring sufficient resources, independent testing, and prompt remediation of issues to avoid becoming an enforcement statistic.
Regulators are expected to increasingly test whether a programme is explainable: not just what controls exist, but why they are designed that way, who owns them, and how they work together. Continuous, data-driven oversight and strong governance are therefore key to avoiding enforcement action.
Staying ahead in 2026:
- Treat governance gaps as risk issues and ensure ownership and escalation paths are unambiguous for high-risk decisions.
- Align resourcing and testing to risk and be able to evidence why the programme is designed the way it is.
- Focus on clearly documenting outcomes with transparent audit trails of all activity.
Key Regulatory Reforms to Track in 2026
2026 brings a wave of regulatory changes that will reshape AML/CFT compliance expectations across jurisdictions. Compliance teams will need to stay agile and informed to meet new rules in different regions.
UK: Single AML Supervisor for Professional Services and Mandatory Companies House ID Verification
The UK is overhauling how it supervises AML compliance in the legal and accountancy sectors, with a sole AML/CTF supervisor to come in for professional services firms. This change aims to ensure more consistent oversight. The FCA could impose stricter expectations around AML governance, senior management accountability, and timely remediation, compared to the more varied approaches of self-regulatory bodies.
Corporate transparency is another focus in the UK. Under the Economic Crime and Corporate Transparency Act, Companies House now requires identity verification for directors and beneficial owners (PSCs) of UK companies. This became law on 18 November 2025, kicking off a 12-month transition period for all existing directors and PSCs to verify their ID. For financial institutions, this raises KYB (Know Your Business) expectations as the official company register will become a more reliable source of verified identity data.
EU: AMLA Build-Out and Digital Identity Wallets
The European Anti-Money Laundering Authority (AMLA) is ramping up operations in 2026. While AMLA’s direct supervision of certain high-risk institutions won’t begin until 2028, the framework is moving toward a single EU AML rulebook. This means that by 2027, firms operating across EU member states will follow one unified set of AML rules, rather than navigating each country’s implementation. The aim is more consistent, intelligence-driven customer screening and enforcement across Europe. 2026 will see progress in this direction, with AMLA coordinating closely with national regulators on joint risk assessments and guidance.
In parallel, the EU’s digital identity programme is on a fixed timeline. The European Digital Identity Framework entered into force in May 2024, and each Member State will be required to offer at least one EU Digital Identity Wallet by 2026, under common specifications. This is notable for compliance teams because they will need to be aware of any changes in how identity assertions are delivered and reused in onboarding and KYB processes.
Australia: “Tranche 2” AML/CTF Expansion
Australia is extending its AML/CTF regime to certain non-financial sectors, a reform often called “Tranche 2.” From 1 July 2026, lawyers, accountants, real estate agents, trust/company service providers, and dealers in precious metals and stones will become subject to AML/CTF obligations. Key requirements will include developing an AML programme, conducting customer due diligence (including identification and verification of clients), reporting suspicious matters and large transactions, and keeping records.
Staying ahead in 2026:
- Build a simple regulatory change register with owners, impacted processes, and evidence requirements for each reform area (supervision, identity, onboarding, monitoring).
- Stress-test KYB workflows for verification and exception handling (missing or inconsistent registry data, non-compliance flags, director and PSC changes).
- Review your operating model defensibility ahead of potential supervision tightening, especially governance, escalation paths, and remediation pace.
Continued Sanctions Volatility
The sanctions environment heading into 2026 remains highly fluid, with both further tightening and selective easing still plausible depending on how geopolitical events develop, and with differences between jurisdictions creating real operational complexity.
For compliance teams, the risk is often indirect exposure. Ownership and control linkages, affiliated entities, trade finance, and maritime activity can create sanctions touchpoints even when the primary counterparty looks clean. The UK National Crime Agency has issued alerts focused on sanctions evasion involving maritime “shadow fleets”, aiming to help institutions identify evasion and avoidance networks. Sanctions screening cannot be limited to name matching alone. It must include context, relationships, and rapid updates as lists and guidance evolve.
Staying ahead in 2026:
- Ensure coverage of associated parties and ownership/control linkages, not only named customers.
- Ensure lists, guidance, and risk assessments are updated quickly and consistently across systems and teams.
- Be prepared for jurisdictional divergence in the tightening and easing of sanctions.
The AI Arms Race
AI is accelerating both sides of the battle against financial crime. Firms are using machine learning to reduce false positives and surface complex patterns, while criminals are using the same technology to scale deception and probe controls. An article by KYC360 CEO & Founder Stephen Platt, “Preventing Financial Crime in 2026: Why It Matters and How to Stay Ahead”, highlights this directly. AI can be used to test onboarding, payment flows, screening and monitoring logic to find blind spots and exploit shared vulnerabilities across institutions.
The most visible pressure point is identity. Europol has warned that deepfake and synthetic media capabilities can be used for fraud, document manipulation, and impersonation, all of which raise the bar for identity proofing and onboarding assurance. The second pressure point is operational. As the use of AI models and automation expands, regulators and boards will expect firms to explain and evidence how AI-driven decisions are made and controlled.
Governance maturity remains uneven, and data and cost barriers remain material. The competitive advantage will not come from “more AI” alone. It will come from auditable AI, backed by data quality and clear accountability.
Staying ahead in 2026:
- Assume controls will be tested: strengthen onboarding and monitoring against threshold probing and “edge case” manipulation.
- Upgrade identity assurance for deepfake and synthetic identity risk, especially in higher-risk channels and segments.
- Treat explainability and model governance as core compliance controls.
Conclusion
In 2026, regulations are shifting, criminal tactics are evolving, and AI is raising the stakes on both sides. A business-as-usual approach will not suffice.
The firms that outperform will be the ones that build living risk profiles, tighten governance and evidence trails, and adopt technology in a way that stays auditable. Done well, compliance becomes more than a defensive function. It becomes an operational advantage that reduces friction, strengthens resilience, generates operational efficiency and improves customer experience.