One question I hear from clients, including the conversation that prompted this article, is: “Can you give me all the AML updates to add to my policy since January 2025?”
It is a reasonable question, especially as I run a tech company with AI, and people assume much can be done automatically. The honest answer is: the list is longer than you might expect, more consequential than most firms have acted on, and 2026 has already added several chapters of its own. In this regard, with or without AI you are not likely to have a simple job, so no, I can’t.
We are not in a period of regulatory consolidation, but rather a period of structural redesign, whether in the UK, the EU, or the US. Rules are being rewritten, and supervisory pressures are changing. The compliance frameworks that firms built for a pre-covid, pre-populist political era are, in many cases, no longer fit for the one they are operating in now.
This article is a map I have written to be as specific and source-based as possible. I like sources; they allow corroboration and limit errors. You can use it as a base to review things further in the way they may affect your own regulatory permissions and processes.
If you read nothing else this month on AML, read this.
UK: Three Things That Already Changed and One That Is About to
1. Domestic PEPs: The Rules Shifted, and So Did the Risk of Over-Compliance
The FCA’s July 2025 guidance (FG25/3) settled a debate that compliance professionals have been having for years. UK domestic PEPs should generally be treated as lower risk than foreign PEPs. Non-executive board members of government departments no longer qualify as PEPs at all. Automatic MLRO sign-off on every PEP relationship is no longer required as a ‘blanket’ rule.
This is helpful proportionality; however, if your internal policy still requires enhanced scrutiny across all UK PEPs regardless of actual assessed risk, you have to change the policy. You would be over-compliant and might as well reduce the burden.
My suggestion is that if your policy was written before July 2025, it almost certainly needs updating.
Source: FCA, FG25/3 — Guidance on Politically Exposed Persons (July 2025)
2. The National Risk Assessment Named Two Threats
The fourth UK National Risk Assessment (NRA), published in July 2025, formalised that AML and sanctions evasion were converging. Some regulated firms might still be looking at these workflows as separate workstreams. The NRA further formally identified cryptoassets and AI as active tools of financial crime. That means those risks will form part of supervisory examinations and thematic reviews. If your monitoring controls or policies do not specifically address AI-enabled fraud typologies and cryptoasset layering, they need to.
Source: HM Treasury / Home Office, UK National Risk Assessment of Money Laundering and Terrorist Financing 2025
3. The MLR Amendments: Coming Into Force Mid-2026
The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 have been laid before Parliament. The majority of those provisions are expected to come into force in late June or early July 2026, with the remainder following in 2027.
The substantive changes firms need to prepare for right now are:
- EDD trigger narrowed: Enhanced Due Diligence under Regulation 33(b) will only be triggered by jurisdictions subject to a FATF Call to Action, for example, currently Iran, North Korea, and Myanmar. The FATF increased monitoring list remains a relevant risk factor, but it will no longer automatically trigger EDD. If your policy uses the grey list as an automatic EDD trigger, it must be updated, and this is to your benefit.
- Complex transaction EDD refined: EDD for complex or large transactions is now calibrated to what is “unusually complex or unusually large relative to what is typical for the sector.” A catch-all that applies to any large transaction will need to be narrowed as a benefit of the proportionality approach.
- Sterling thresholds: All CDD, reporting, and transaction thresholds are being converted from euros to sterling. This is a ‘benefit’ of Brexit, a bit administrative, but every threshold reference in your policy and systems should be updated.
- Shell company sales regulated: Selling off-the-shelf companies is now a regulated activity for Trust and Company Service Providers. If your TCSPs are involved in company formation or shelf company distribution, CDD requirements now apply. This is an extra burden on a part of the industry that is not directly related to financial services. From my point of view, it is adding layers of ‘policing’ when there are many already, but so be it. So much for ‘deregulation’ …
- Cryptoasset firms: Fit-and-proper and change-in-control requirements tightened to align with FSMA standards. This is not directly AML but linked and is worth noting for firms operating in that area.
4. One Supervisor for Professional Services in Due Course
The FCA will become the single AML/CTF supervisor for professional services firms, replacing a patchwork of more than twenty professional body supervisors covering law firms, accountants, and trust and company service providers. The legislation is not yet in place, and the implementation timeline depends on parliamentary time.
The FCA’s supervisory model is data-driven and enforcement-oriented. It is not the relationship-based oversight that many professional body supervisors have provided. Law firms in particular should be treating this as a near-term compliance transformation project, not a distant concern.
Source: HM Treasury, Reform of the AML/CTF Supervision Regime — Consultation Response (October 2025)
FATF: Two Important Updates
The Risk-Based Approach Now Works in Both Directions
In February 2025, the FATF Plenary approved changes to Recommendation 1 and its Interpretive Note, with corresponding amendments to Recommendations 10 and 15. The amendments include an explicit requirement for countries to allow and encourage simplified measures in lower-risk scenarios. Just as importantly, supervisors are now required to review whether firms are applying proportionate controls, including over-compliance that causes financial exclusion.
The practical consequence: your risk appetite statement and CDD tiering should explicitly address how your firm calibrates controls across the full risk spectrum, not just the high end. If your policy only articulates what triggers enhanced measures and is silent on when standard or simplified measures apply, it is now incomplete against FATF standards. This is another part of policies that needs to be reviewed.
Source: FATF, Update to Standards to Promote Financial Inclusion, February 2025
The Travel Rule Was Revised
On 18 June 2025, FATF revised the Travel Rule under Recommendation 16. The revisions expand coverage from wire transfers to all “payments or value transfers and related messages,” and require payment information to be structured in accordance with established standards, including ISO 20022 where applicable.
Note that the 2025 revisions do not apply the Travel Rule directly to Virtual Asset Service Providers (VASPs). VASPs are being addressed through a separate tailored framework being developed by FATF’s Virtual Asset Contact Group. If your AML policy currently states that Recommendation 16 applies to crypto transfers, it is wrong and needs correcting.
Source: FATF, Revisions to Recommendation 16 and Interpretive Note, June 2025
Europe: AMLA Is Operational
AMLA became operational on 1 July 2025. The Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) and Sixth AML Directive (AMLD6, Directive (EU) 2024/1640) fully apply from 10 July 2027. The period between now and 2027 is when AMLA publishes 23 Level 2 and Level 3 measures — technical standards and guidelines that will define what compliance actually looks like. Most of those are due by July 2026.
AMLA can impose sanctions of up to €10 million or 10% of annual group turnover for the most serious violations. It will directly supervise up to 40 of the highest-risk cross-border financial institutions from 2028 onward.
For UK firms: AMLA does not apply directly post-Brexit, but the FCA is likely to wish to align with the EU, and dual-regulated groups with EU operations still have to manage the regulatory divergence. Probably best to use the ‘highest common denominator’.
Sources: Regulation (EU) 2024/1620 (AMLA); Regulation (EU) 2024/1624 (AMLR); Directive (EU) 2024/1640 (AMLD6)
US: Delay To the Biggest AML Overhaul in Twenty Years
FinCEN’s rule requiring registered investment advisers to implement AML/CFT programmes under the Bank Secrecy Act (BSA) was delayed to 1 January 2028 by a final rule issued 31 December 2025. The delay was widely reported as deregulation as one would expect under the current administration.
What was less widely reported and is in opposition to deregulation is that on 7 April 2026, FinCEN issued a new Notice of Proposed Rulemaking (NPRM) representing what some say is the most substantial overhaul of BSA AML programme requirements since the USA PATRIOT Act. Key structural changes include a formal distinction between programme “establishment” (design) and “maintenance” (ongoing implementation), and a requirement for financial institutions to incorporate government-wide AML/CFT national priorities into their programmes. The OCC, FDIC, and NCUA issued a coordinated joint NPRM the same day, so more comments to come.
UK and EU compliance professionals will recognise the architecture immediately: it mirrors the systems-and-controls framework that has been standard in the FCA environment for years. The US is not retreating from AML compliance therefore it seems to be actually enhancing it through a restructuring.
Separately, FinCEN and OFAC have jointly proposed AML and sanctions rules for stablecoin issuers under the GENIUS Act, the first federal regulatory framework for US payment stablecoins, which was enacted in 2025. If you have clients or counterparties in the stablecoin space, these rules will affect your own due diligence obligations.
Sources: FinCEN Final Rule — IA AML Delay, Federal Register (January 2026); FinCEN NPRM — BSA Programme Reform (April 2026)
Beneficial Ownership: The Expectations Have Tightened Globally
Both the EU and FATF have strengthened expectations on Ultimate Beneficial Ownership verification. The standard threshold under the AMLR remains 25%, though the European Commission is considering lowering this to 15% for high-risk sectors. Some jurisdictions go further still for example, Cayman or Barbados apply a 10% threshold for certain regulated activities (Cayman has various caveats for trusts or foreign companies) however, this would matter for firms operating in the region.
Under FATF Recommendation 24, the global standard now requires verified, current UBO data to be accessible to law enforcement across jurisdictions. For firms with international client structures such as trusts, holding companies, nominee arrangements, etc., there will be potential policy gaps to review.
Sources: FATF, Recommendation 24; Regulation (EU) 2024/1624
AI in AML
Many clients or industry operators have also asked me if AI can be incorporated in solutions like Leo RegTech for client onboarding and whilst of course it is used by more and more RegTech and regulators across the UK, EU, and US are actively encouraging the use of AI in transaction monitoring and risk assessment, it remains a risk in itself (it is deemed to be wrong 25% of the time according to recent studies). The consistent message from FATF guidance, FCA supervisory statements, and the EBA’s draft technical standards under the AMLR is also that this must be explained.
A system that produces an alert must produce a traceable trail showing why. If you cannot explain to a supervisor how your AI reached a particular decision, you cannot rely on it as the basis for a compliance judgment.
Two practical consequences to consider, first, for technology procurement, you need to understand how your systems make decisions, not just what decisions they make. Second, many firms are using AI tools in parts of their compliance process without any written policy governing their use. If that describes your organisation, this is a gap that supervisors will increasingly ask about, and you are notably in default when things go wrong.
Why Generic AI Searches Are the Wrong Tool for This Job
Back to the question that started this article: “Can you give me all the AML updates to add to my policy since January 2025?”
The problem with running that query through a generic AI assistant, or a standard Google search, is that the results tend to surface blog posts citing other blog posts, not actual regulatory instruments. I have tested and reviewed AI outputs that misstate the FATF Travel Rule, present delayed US rules as active obligations, and omit material UK changes entirely. Some of those outputs came from tools being used by compliance professionals to update client-facing policies.
Generic tools are not built for regulatory compliance work. They are built for information retrieval, and regulatory compliance requires something different, for instance, mapping updates to your specific policy framework, identifying what is relevant to your jurisdiction and business type, and presenting changes with citations that a human reviewer can actually verify.
That is what Eva, Leo RegTech’s compliance AI, is designed to do. Not to automate compliance away, which, however appealing to some, would be the wrong goal, but to do it more accurately and efficiently, with the right controls in place.
If you would like a gap analysis of your AML framework or to discuss the use of AI or RegTech in your processes, get in touch here or visit leo.tech.
Jerome Lussan is the CEO of Leo RegTech and Chairman of Laven Advisors. Leo RegTech provides automated compliance technology for financial services firms, law firms, and regulated professional services businesses across the UK, EU, and US.
Note: The article was written by Jerome with the help of OpenAI, Claude and Eva AI.
