RegRally Insights: AML/CFT Compliance Updates, July 2026

RegRally Insights: AML/CFT Compliance Updates July 2026

RegRally Insights: AML/CFT Compliance Updates – Ongoing Monitoring, MiCAR Transition Risks and Supervisory Expectations (July 2026)

The July edition of AML/CFT Insights highlights key regulatory developments shaping the future of anti-money laundering compliance, with an increased focus on ongoing monitoring, risk-based controls, and the effective implementation of AML frameworks.

AMLA continues to strengthen the EU AML/CFT framework by emphasising continuous customer risk assessment, transaction monitoring and practical effectiveness of compliance measures. Meanwhile, the end of the MiCAR transitional period introduces new challenges for crypto-asset service providers, including customer migration risks and increased supervisory expectations.

Recent enforcement actions and international developments, including FATF updates and crypto-related financial crime cases, demonstrate that regulators are placing greater emphasis on whether organisations can, in practice, identify, assess and manage evolving ML/TF risks.

 

AMLA Consults on Guidelines for Ongoing Monitoring of Business Relationships

Source: AMLA | Date: 2026-06-03
Link

The Anti-Money Laundering Authority (AMLA) launched a public consultation on draft Guidelines on the ongoing monitoring of business relationships under Article 26(5) of the Anti-Money Laundering Regulation (AMLR).

The draft Guidelines establish risk-based and proportionate principles for maintaining up-to-date customer information and monitoring customer activity throughout the entire business relationship lifecycle.

The Guidelines address how obliged entities should identify changes in customers’ circumstances, review customers’ risk profiles, and ensure that transaction monitoring processes remain effective at detecting unusual or suspicious activity.

The consultation applies across financial and non-financial sectors and is particularly relevant for newly covered entities, including certain crypto-asset service providers (CASPs), crowdfunding providers and traders in high-value goods.

The consultation period remains open until 3 September 2026.

Why does it matter?

The initiative reflects a broader regulatory shift: AML compliance is increasingly moving away from a one-time onboarding exercise towards continuous risk management.

Supervisors are placing greater emphasis on whether companies can demonstrate that their customer monitoring processes operate effectively in practice, rather than merely having documented AML procedures.

For financial institutions and CASPs, this means that ongoing monitoring, customer risk reassessment and transaction-monitoring calibration are becoming key elements of supervisory scrutiny.

Recommended actions

Businesses should:

  • Review existing ongoing monitoring procedures against AMLA’s draft expectations.
  • Identify gaps in customer review triggers and transaction-monitoring calibration.
  • Ensure customer risk assessments are updated throughout the relationship lifecycle.
  • Prepare internal AML documentation for alignment with the final Guidelines once adopted.
  • Consider submitting feedback to AMLA before the consultation deadline, particularly where practical implementation challenges exist.

AMLA Highlights ML/TF Risks Following the End of the MiCAR Transitional Period

Source: AMLA | Date: 2026-06-29
Link

AMLA issued an Advisory Note addressing money laundering and terrorism financing risks arising from the end of the MiCAR transitional period, which concluded across the EU on 1 July 2026.

The Advisory Note identifies several potential risks connected with the transition, including:

  • the exit of unauthorised virtual asset service providers (VASPs);
  • migration or termination of large volumes of customer relationships;
  • increased concentration of customers among authorised crypto-asset service providers (CASPs).

AMLA emphasised that CASPs onboarding customers from former VASPs should conduct individual risk assessments and avoid automatic de-risking based solely on the customer’s previous service provider.

The Authority also highlighted the need for CASPs to ensure that transaction-monitoring systems, onboarding procedures, and compliance resources can handle increased operational pressure.

The end of the MiCAR transitional period represents a significant restructuring point for the European crypto market. While market consolidation may improve regulatory certainty, it also creates new AML risks related to customer migration, increased transaction volumes and potentially incomplete historical customer information. CASPs will be expected to demonstrate that growth and customer onboarding are supported by appropriate AML controls.

Recommended actions

CASP clients receiving migrating customers should document individualised risk assessments rather than uniform treatment, and evidence why de-risking decisions are proportionate.

Stress-test transaction-monitoring and staffing capacity against projected inflows following the 1 July 2026 deadline.

Retain up-to-date CDD and suspicious-activity reporting throughout any wind-down phase.


Lietuvos bankas Identifies AML Control Weaknesses During EMI Inspections

Source: Lietuvos bankas | Date: 2026-06-04
Link

Following targeted AML/CFT inspections, Lietuvos bankas concluded administrative settlements with two electronic money institutions: UAB “Nuvei” and UAB “TeslaPay”.

The supervisory findings related to deficiencies in several areas of AML governance and control frameworks.

In the case of UAB “Nuvei”, Lietuvos bankas identified shortcomings related to:

  • enhanced customer identification;
  • monitoring of business relationships and transactions;
  • conflict-of-interest management;
  • internal controls for safeguarding client funds.

A €90,000 sanction was imposed for AML-related breaches, alongside additional supervisory measures.

In the case of UAB “TeslaPay”, Lietuvos bankas identified deficiencies in transaction-monitoring procedures, including insufficient calibration to ML/TF risks and inconsistent application of monitoring measures. A €19,000 sanction was imposed.

The enforcement actions demonstrate that Lithuanian supervisors continue focusing on the practical effectiveness of AML frameworks.

The existence of AML policies and procedures alone is insufficient. Supervisors expect institutions to demonstrate that controls are appropriately designed, risk-based, consistently applied and independently tested.

Transaction monitoring remains a key area of regulatory attention, particularly regarding calibration and alignment with actual business risks.

Recommended actions

  • Strengthen AML/CFT transaction monitoring by ensuring monitoring scenarios are risk-based, properly calibrated, periodically reviewed, and consistently applied across all customers.
  • Enhance customer due diligence and ongoing monitoring by ensuring enhanced due diligence measures are applied to higher-risk customers and business relationships are reviewed throughout the customer lifecycle.
  • Strengthen governance and conflict-of-interest management by implementing clear conflict-of-interest controls, maintaining declarations, and ensuring independent oversight of key decisions.
  • Review client-funds safeguarding controls by ensuring robust reconciliation, segregation, oversight, and documented internal controls to protect client funds.
  • Perform independent effectiveness testing of AML/CFT and safeguarding frameworks to identify weaknesses before regulatory inspections and ensure timely remediation.

FATF Updates Jurisdictions Under Increased Monitoring

Source: FATF | Date: 2026-06-19
Link

The Financial Action Task Force (FATF) updated its list of jurisdictions under increased monitoring (“grey list”) on 19 June 2026.

The updated list includes jurisdictions subject to increased FATF monitoring due to identified strategic deficiencies in their AML/CFT frameworks.

The list includes:
Angola, Bolivia, Bosnia and Herzegovina, Bulgaria, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, Haiti, Iraq, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK) and Yemen.

Why does it matter?

FATF grey-listing remains an important factor in assessing geographic AML/CFT risk exposure.

Financial institutions are expected to consider updated jurisdictional risks when assessing customers, transactions and business relationships.

The update may affect customer risk classifications, enhanced due diligence procedures and internal risk models.

Recommended actions

Refresh country-risk models and enhanced-due-diligence triggers against the current grey list; the specific jurisdictions should be verified directly against the FATF statement.


FATF Publishes Follow-Up Report on Indonesia’s AML/CFT Progress

Source: FATF | Date: 2026-06-03
Link

FATF published a follow-up report assessing Indonesia’s progress in strengthening its AML/CFT framework.

The report provides an updated assessment of Indonesia’s technical compliance with FATF standards and the progress achieved since the previous evaluation.

Why does it matter?

Businesses with customers, counterparties or operations connected to Indonesia should ensure that their AML risk assessments reflect the latest FATF assessment.

Regulatory expectations require institutions to maintain current geographic risk assessments rather than relying on outdated country-risk assumptions.

Recommended actions

Firms with Indonesia exposure should reflect the updated technical-compliance position in country-risk assessments.


Europol Highlights Crypto-Related Terrorism Financing Risks

Source: Europol | Date: 2026-06-10
Link

Europol supported Belgian authorities in concluding a counter-terrorism investigation into an international network involved in financing the so-called Islamic State.

Seven individuals were convicted and received prison sentences ranging from five to fifteen years.

The investigation identified the use of terrorism financing structures, cryptocurrency-based money laundering and facilitation networks connected with financing activities involving Foreign Terrorist Fighters detained in conflict zones.

Why does it matter?

The case highlights the continued focus of authorities on crypto-related financial crime risks.

Crypto transactions remain an area of increased regulatory attention, particularly when they involve complex structures, high-risk jurisdictions, or links to terrorism-financing indicators.

Recommended actions

Note the crypto-based TF/ML typology; reinforce monitoring for small-value crypto flows linked to foreign-terrorist-fighter facilitation and conflict-zone nexus.

Ensure sanctions and terrorism-financing screening covers facilitation networks, not only designated principals.


Need assistance?

Our AML/CTF specialists assist financial institutions, FinTech companies, EMIs, payment institutions and crypto-asset service providers in navigating evolving regulatory expectations and strengthening compliance frameworks.

We can assist with:

  • AML/CFT gap assessments and compliance maturity reviews
  • Independent reviews of AML policies, procedures and internal controls
  • Transaction monitoring and risk assessment framework reviews
  • AML/CFT policy updates and implementation support
  • Regulatory inspections, investigations and remediation projects
  • CASP, EMI and payment services licensing and supervisory matters
  • Preparation for changing EU AML/CFT requirements, including AMLA and MiCAR-related developments
About the Author:


Inga Karulaitytė is an attorney-at-law, Partner, and Head of Banking, Finance & FinTech at ECOVIS ProventusLaw — a recognised expert in FinTech and digital finance regulation in Lithuania and the Baltics. She is consistently ranked in FinTech Legal by Chambers and Partners and recognised as a Highly Regarded lawyer in Banking and Finance by IFLR1000, Chambers and Partners, and The Legal 500.

She is a Certified Anti-Money Laundering Specialist (CAMS), a Certified Global Sanctions Risk Management Specialist, a certified board member (Corporate Governance Certificate by BICG), and a Certified Internal Auditor.

Connect on LinkedIn →

Newsletter SubscriptionGet in touch