RegRally Insights: Your Guide to AML/CTF Compliance, June 2026

This month’s AML RegRally – Baltic FIU Intelligence Edition highlights a significant shift in how regulators across the region are assessing financial crime risks in the rapidly evolving FinTech and payments ecosystem. A landmark joint study by the Financial Intelligence Units of Lithuania, Latvia, and Estonia, together with the Bank of Lithuania, signals increased supervisory scrutiny of Lithuania’s role as a regional FinTech hub, particularly regarding non-resident clients, vIBAN structures, Banking-as-a-Service models, and crypto-related payment flows.

Alongside this, EU and international developments continue to reshape the AML/CFT landscape — from AMLA’s preparations for its 2027 direct supervision regime and new harmonised risk assessment standards, to FATF findings on Singapore and updated supervisory insights from Estonia’s FIU. Across jurisdictions, the direction is consistent: a stronger focus on cross-border transparency, governance of complex payment infrastructures, and the effectiveness of transaction monitoring and reporting.

Together, these developments confirm that AML supervision is entering a more centralised and data-driven phase, where FinTech growth must be matched by demonstrable control maturity across products, clients, and jurisdictions.

Baltic FIUs Highlight Elevated AML Risks in Regional FinTech Payment Sector

The three Baltic Financial Intelligence Units — Financial Crime Investigation Service (FNTT), Estonian Financial Intelligence Unit, and Financial Intelligence Unit of Latvia, together with the Bank of Lithuania, have published a landmark joint study, “Evolving Payment Landscapes and AML Challenges in the Baltic States”, examining developments across the region between 2021 and mid-2024.

The report identifies Lithuania as a significant regional FinTech payment hub with comparatively elevated exposure to foreign clients and associated AML risks. According to the study, suspicious transaction reports (STRs) filed in Estonia and Latvia frequently reference accounts held with Lithuanian FinTech payment institutions and electronic money institutions, suggesting that traditional bank de-risking has often shifted higher-risk customers toward digital payment providers rather than removing the underlying risk.

The study highlights several structural vulnerabilities within the regional payments ecosystem, including:

• virtual IBAN (vIBAN) arrangements
• Banking-as-a-Service (BaaS) models
• crypto on-ramp and off-ramp structures
• complex cross-border payment flows involving non-resident clients

The authorities also identify recurring money laundering and financial crime typologies involving:

• fraud schemes
• tax evasion structures
• sanctions circumvention activities
• misuse of digital payment infrastructure for cross-border fund movements

For Lithuanian EMIs, PIs, crypto-asset service providers, and FinTech firms, the report serves as a clear supervisory signal. Institutions should expect continued regulatory focus on customer onboarding, beneficial ownership verification, transaction monitoring, sanctions screening, vIBAN controls, BaaS governance, and crypto-related risk management.

Key considerations for firms include:

• reassessing foreign customer risk exposure
• reviewing vIBAN and BaaS control frameworks
• strengthening sanctions and fraud monitoring systems
• enhancing transaction monitoring scenarios for complex payment flows
• ensuring AML risk assessments accurately reflect current business models

The report reinforces a broader regulatory trend: Baltic supervisors increasingly expect FinTech institutions to demonstrate that innovation and growth are matched by robust AML/CFT controls and effective risk governance.

Our recommendation:

Lithuanian PIs and EMIs: conduct targeted enhanced due diligence reviews of non-resident client portfolios; re-assess risk scores for clients from jurisdictions overrepresented in Baltic STRs.

Implement specific vIBAN and BaaS opacity controls; apply transaction monitoring calibrated to the pass-through payment patterns and crypto on-ramp typologies identified in the joint study.

Enhance cross-Baltic information-sharing protocols by assigning correspondent relationship managers to Lithuanian PSP accounts flagged in Estonian and Latvian FIU STRs.

AMLA Launches 2027 Selection Process for Direct Supervision of High-Risk Financial Institutions

The Anti-Money Laundering Authority published a reporting package on 12 May 2026 to support the identification of obliged entities that may fall within AMLA’s direct supervisory remit from 2028.

The package includes:

• a standardised reporting template (version 1.1)
• an interpretative note explaining the eligibility criteria for the 2027 selection exercise
• guidance on the information national supervisors must collect from obliged entities

National competent authorities, including the Bank of Lithuania, Latvijas Banka, and Finantsinspektsioon, must gather the required data from obliged entities by 15 August 2026.

From 2028, AMLA will directly supervise 40 high-risk cross-border financial institutions across the EU, marking a significant shift towards centralised AML/CFT supervision at European level.

Financial institutions with cross-border operations, particularly EMIs, payment institutions, banks, crypto-asset service providers, and other regulated entities operating in multiple Member States, should assess whether they could fall within AMLA’s future supervisory scope and prepare for upcoming reporting requests from their national regulators.

Key actions include:

• reviewing AMLA’s eligibility criteria and reporting requirements
• ensuring data collection and reporting capabilities are in place
• assessing cross-border activities and group structures
• evaluating whether the institution could qualify for AMLA direct supervision from 2028
• engaging early with national supervisors regarding reporting expectations

AMLA will host a public webinar on 10 June 2026 to provide further guidance on the selection exercise and reporting process.

For Baltic fintechs and financial institutions, this development is an important reminder that EU-level AML supervision is rapidly becoming a reality and may significantly influence future compliance expectations and supervisory engagement.

Assess whether your institution meets the criteria for provisional eligibility for AMLA direct supervision; engage your national supervisor before the 15 August 2026 data collection deadline.

Begin updating AML/CFT governance frameworks to align with AMLA’s risk assessment methodology; register for the AMLA webinar on 10 June 2026 to ensure accurate reporting template completion.

AMLA Advances EU AML/CFT Harmonisation with Group-Wide and Risk Assessment Standards

The Anti-Money Laundering Authority held two public hearings in May 2026, marking a key step in implementing the EU’s harmonised AML/CFT framework under Regulation (EU) 2024/1624 (AMLR).

On 20 May 2026 (with over 650 participants), AMLA presented draft Regulatory Technical Standards (RTS) on group-wide AML/CFT requirements under Articles 16(4) and 17(3) AMLR. These RTS establish binding requirements for financial groups, including:

• group-wide AML/CFT policies, procedures and internal controls
• consolidated group-wide ML/TF risk assessments
• intra-group information sharing mechanisms
• governance arrangements for AML/CFT compliance at the group level across cross-border structures

On 28 May 2026, AMLA presented draft Guidelines on Business-Wide Risk Assessment (BWRA), setting the foundation for how obliged entities identify, assess, document and manage ML/TF risks. The BWRA Guidelines harmonise the risk-based approach across the EU and directly underpin future AMLA Customer Due Diligence (CDD) RTS requirements, shaping:

• customer risk profiling methodologies
• transaction monitoring thresholds
• enhanced due diligence (EDD) triggers
• risk scoring and control calibration frameworks

Practical recommendations for obliged entities

• Conduct a gap analysis between existing group AML/CFT governance and the draft RTS, covering all subsidiaries and branches in scope
• Align parent and subsidiary compliance functions, with particular focus on intra-group information sharing and escalation protocols
• Review and update business-wide risk assessment methodologies in line with the BWRA Guidelines
• Treat BWRA implementation as a strategic priority, as it will be central to supervisory convergence and AMLA’s future selection process for direct supervision

These developments signal a shift toward a fully standardised EU AML framework, where consistency of governance, documentation, and risk methodology will become a core supervisory expectation rather than a best practice.

FATF/APG Mutual Evaluation Highlights Targeted AML/CFT Gaps in Singapore

The Financial Action Task Force (FATF) and the Asia/Pacific Group on Money Laundering (APG) published the Mutual Evaluation Report on Singapore on 6 May 2026, based on an on-site assessment conducted in July 2025.

The report concludes that Singapore maintains a generally competent and well-coordinated AML/CFT framework. However, it identifies the need for more effective risk-based outcomes in several areas. Importantly, Singapore remains in the regular follow-up category and is not subject to grey-listing.

Key findings

The assessment highlights several structural and supervisory challenges:

• supervisory gaps in designated non-financial businesses and professions (DNFBPs) and casinos
• uneven enforcement consistency across sectors
• cross-border ML/TF exposure linked to Singapore’s role as a fintech, payment, and digital asset hub

The FATF/APG also notes Singapore’s ongoing commitment to strengthening implementation of FATF standards and addressing identified deficiencies.

Implications for financial institutions

For banks, EMIs, payment institutions, and crypto-asset service providers with exposure to Singapore, the report is relevant from a risk-based compliance perspective:

• reassess correspondent banking and payment relationships involving Singapore-based entities
• apply enhanced, risk-proportionate due diligence to fintech, payments, and digital asset counterparties
• review exposure to cross-border transaction flows routed through Singapore infrastructure
• ensure ongoing monitoring reflects identified supervisory gaps in higher-risk sectors

Institutions should also closely monitor Singapore’s follow-up reporting under the FATF process, as any deterioration in status or escalation of follow-up measures could materially affect internal country risk ratings and correspondent banking policies, particularly in crypto-asset and cross-border payment channels.

Estonian FIU Yearbook 2025 Highlights Sharp VASP Market Contraction and Shift in AML Priorities

The Estonian Financial Intelligence Unit (FIU) published its Yearbook 2025, providing an updated assessment of AML/CFT risks, supervisory trends, and typologies in Estonia. The report is available in English.

Key findings

• Significant reduction in VASP sector risk exposure
  The number of active virtual asset service provider (VASP) licences has dropped from 846 at the beginning of 2021 to 36 by the end of 2025, reflecting a heavily consolidated and de-risked market.
• Persistent fraud and online scams
  Online fraud schemes remain a major source of illicit proceeds, continuing to generate large-scale financial crime exposure.
• Ongoing crypto-sector vulnerabilities
  The FIU highlights continued risks in the crypto ecosystem, particularly nested service models, where smaller operators rely on infrastructure provided by larger exchanges, creating opacity and dependency risks.
• Shift in supervisory focus: SAR quality over volume
  The FIU emphasises that the effectiveness of suspicious activity reports (SARs) depends on quality and analytical value, not submission volume.
• Institutional resilience and independence
  The report underscores the importance of FIUs maintaining operational autonomy and strong tools to counter increasingly complex cross-border financial crime schemes.

Practical implications for obliged entities

• reassess exposure to the now highly consolidated Estonian VASP market
  • review reliance on nested crypto service structures and upstream/downstream dependencies
  • strengthen due diligence on VASP counterparties, particularly those providing infrastructure services
  • improve SAR processes with a focus on analytical quality, relevance, and actionable intelligence
  • align internal AML frameworks with FIU expectations on typology detection and reporting standards

Institutions operating in Estonia or engaging with Estonian VASPs should treat the findings as a signal that the market has moved from expansion to concentration, with supervisory focus shifting toward service quality, transparency of crypto flows, and intelligence value of reporting rather than formal compliance output volume.