Regulatory Roundup - May 2026: Risk-Based Compliance Takes Center Stage
- FinScan
- 21 hours ago
- 6 min read
Global regulators are raising expectations around AML, sanctions, and financial crime compliance programs, with growing emphasis on effectiveness, operational resilience, and risk-based oversight. Recent developments across the US, Canada, the UK, the EU, Australia, and Asia highlight increased scrutiny around sanctions evasion, digital assets, AI governance, and cross-border financial crime risks.
At the same time, recent enforcement actions and regulatory reforms reinforce that technical compliance alone is no longer sufficient. Regulators increasingly expect firms to maintain risk-based controls supported by effective monitoring, timely sanctions screening, strong governance, and adequate staffing and operational oversight. Here are the latest regulatory updates.
ANTI-MONEY LAUNDERING
FinCEN Proposes Reforms to FinCrime Programs
FinCEN’s proposed AML/CFT program reforms reinforce the shift toward truly risk-based, effectiveness-focused compliance programs. Financial institutions would be expected to align controls with FinCEN priorities, continuously adapt programs as risks and business models evolve, and demonstrate that their AML efforts are effective in practice, not just documented on paper. For banks, the proposal also raises the bar for enforcement actions, focusing on material deficiencies and increasing FinCEN oversight of significant regulatory actions. Comments must be received by June 9, 2026.
US Treasury to Implement GENIUS Act Requirements
The Treasury’s proposed rules to implement the GENIUS Act would bring stablecoin issuers firmly into the US AML and sanctions compliance framework. Permitted payment stablecoin issuers (PPSIs) would be treated as financial institutions under the Bank Secrecy Act, requiring risk-based AML programs, sanctions controls, and ongoing compliance oversight comparable to traditional financial institutions. The proposal signals that as stablecoins move further into the financial mainstream, regulators expect the same level of transparency, screening, and illicit finance controls applied across traditional payment ecosystems.
Canada Expands Financial Crime Enforcement with New Federal Agency
Bill C-29 establishes a dedicated Canadian Financial Crimes Agency focused on investigating complex money laundering, fraud, and proceeds of crime cases — including those involving digital assets and crypto-enabled financial crime. The legislation signals a more coordinated and aggressive enforcement approach tied to cross-border efforts between Canada and the US to combat organized crime, fentanyl trafficking, and sophisticated money laundering networks.
FCA Sets Out Changes to Payment Safeguarding Rules
New FCA rules came into effect on May 7, 2026 requiring payment and e-money firms to better protect customer funds. Key changes include annual audits by qualified auditors, with a carve-out removing the audit requirement for firms holding less than £100,000 in customer funds. Firms must now conduct daily reconciliations of safeguarded funds, maintain resolution packs to ensure timely return of client funds in insolvency, and submit monthly FCA returns confirming safeguarding practices.
Australia’s Tranche 2 AML Reforms Dramatically Expand Regulatory Scope
Australia’s Tranche 2 AML/CTF reforms are set to bring an estimated 80,000-90,000 new entities under AUSTRAC oversight, including virtual asset service providers, lawyers, accountants, real estate professionals, and precious metals dealers. The reforms signal a major expansion of Australia’s financial crime framework and reinforce growing global expectations for risk-based AML controls across both traditional and emerging sectors exposed to money laundering and sanctions risks.
SANCTIONS
OFAC Targets Iranian Shadow Banking Networks
OFAC’s latest sanctions targeting Iran’s shadow banking networks highlight the growing complexity of sanctions evasion through exchange houses, intermediaries, and hidden financial networks tied to oil and petrochemical trade. The action reinforces the need for risk-based AML and sanctions programs capable of identifying indirect exposure, hidden counterparties, and increasingly sophisticated cross-border payment activity.
Executive Order 14404 Tightens Cuba-Related Sanctions Risks
US Executive Order 14404 expands sanctions pressure on individuals and entities supporting key sectors of the Cuban government, including energy, defense, and financial services, while carving out support for activities benefiting the Cuban people directly. The action also increases focus on corruption and human rights-related sanctions exposure, reinforcing the need for enhanced due diligence and risk-based screening tied to Cuba-related transactions and counterparties.
Canaccord Case Signals Heightened AML Expectations for Broker-Dealers
The coordinated and historical $80 million enforcement action against Canaccord Genuity by FINRA, FinCEN, and the SEC underscores growing regulatory intolerance for under-resourced AML programs and ineffective surveillance controls. Regulators cited failures in risk-based customer due diligence, inadequate monitoring of suspicious trading activity, unreviewed AML alerts, and missed SAR filings tied to potentially manipulative activity and sanctioned Russian oligarch exposure. The case reinforces a clear message from regulators: firms are expected to align AML staffing, technology, and oversight capabilities with the scale and risk profile of their business.
UK Strengthens Sanctions Enforcement Framework and Expands Iran Controls
The UK published a new cross-government enforcement strategy for sanctions, setting out the division of civil and criminal enforcement responsibilities across OFSI, the NCA, OTSI, the FCA, the SRA, and other regulators — and confirming OFSI's intent to double its statutory maximum penalty to the higher of £2 million or 100% of the breach value, pending legislative change. Simultaneously, the UK Sanctions List was updated on May 11, 2026 with twelve new designations under the Iran sanctions regime, and the new sanctions end-use controls regime came into force.
UK Introduces New Sanctions End-Use Controls
The UK government has implemented new sanctions end-use controls targeting situations where goods, technology, or related activities could indirectly undermine UK sanctions through their ultimate end use or end user. The guidance places greater emphasis on risk-based due diligence around dual-use goods, supply chains, counterparties, and transaction purpose — reinforcing expectations that organizations look beyond direct sanctions matches to identify broader sanctions evasion risks.
EU Expands Russia Sanctions to Crypto and Decentralized Platforms
The EU’s 20th sanctions package against Russia significantly expands anti-circumvention measures, including new restrictions targeting Russian and Belarusian crypto-asset service providers and decentralized crypto platforms. The move reinforces growing regulatory concern around the use of digital assets to evade sanctions and highlights increasing expectations for financial institutions and crypto firms to strengthen risk-based screening, transaction monitoring, and exposure management across digital asset ecosystems.
France Fines MoneyGram Over AML Monitoring and Due Diligence Failures
France’s ACPR fined MoneyGram International €1.3 million following findings of systemic AML/CFT weaknesses in customer due diligence, transaction monitoring, and suspicious activity reporting. Regulators specifically cited the company’s inability to identify networks of fund collectors and understand relationships between senders and recipients — reinforcing growing scrutiny on remittance providers and expectations for stronger risk-based monitoring of complex payment flows.
Malaysia Enforcement Action Highlights Expectations for Real-Time Sanctions Controls
Zurich General Insurance Malaysia Berhad and Zurich General Takaful Malaysia Berhad were fined by Bank Negara Malaysia over failures tied to sanctions screening, delayed watchlist updates, and inadequate escalation and reporting procedures after identifying sanctioned entities. Regulators pointed to weaknesses in screening systems, staff awareness, and operational oversight — reinforcing growing global expectations for timely sanctions updates, effective match resolution processes, and immediate action when confirmed sanctions exposure is identified.
AI & CRYPTO
EU AI Act Update Delays High-Risk AI Compliance Timelines
The EU’s new AI Act omnibus agreement introduces implementation simplifications and delays compliance deadlines for high-risk AI systems until 2027 or 2028 through a new “Stop-the-Clock” mechanism. The move gives regulators and industry more time to finalize technical standards, while reinforcing that governance, transparency, and risk management expectations for AI — including within financial crime and compliance operations — remain a long-term regulatory priority.
EU Advances AI Transparency and Disclosure Requirements
The European Commission has opened consultation on new AI transparency guidelines under the EU AI Act, reinforcing requirements for organizations to disclose when users are interacting with AI-generated content or systems. The proposed guidance increases expectations around labeling deep fakes, AI-generated public-interest content, and biometric or emotion-recognition technologies — highlighting the growing regulatory focus on explainability, transparency, and governance for AI deployment.
EU Expands Sanctions Pressure on Russian and Belarusian Crypto Networks
The EU’s latest sanctions measures effectively ban transactions involving Russia- and Belarus-based crypto-asset service providers and related platforms, marking a major escalation in efforts to combat sanctions circumvention through digital assets. The move, taking effect May 24, 2026, reinforces growing expectations for financial institutions and crypto firms to strengthen screening, monitoring, and exposure management across decentralized and cross-border crypto ecosystems.
Canada Proposes Ban on Crypto ATMs Amid Financial Crime Concerns
Canada’s proposed ban on crypto ATMs reflects increasing regulatory concern around the use of digital assets in fraud, scams, and money laundering activity. The proposal forms part of a broader financial crime agenda that includes enhanced enforcement powers, tighter oversight of money services businesses, and the planned creation of a dedicated Financial Crimes Agency.
Canada Moves Toward Prohibiting Crypto Political Donations
Canada’s proposed Bill C-25 would prohibit cryptocurrency donations across the federal political system, citing challenges around contributor transparency and identity verification. The proposal highlights growing regulatory scrutiny of pseudo-anonymous digital asset transactions and broader concerns around transparency, illicit finance, and election-related financial controls.
