Speed is emerging as the defining challenge for KYC and AML in 2026. Customer risk now changes faster than traditional review cycles can keep up with, while illicit finance is increasingly fragmented into smaller, harder-to-detect flows.
According to KYC360, at the same time, sanctions regimes remain volatile and inconsistent across jurisdictions, and AI is accelerating both criminal innovation and regulatory expectations. For compliance teams, this combination is forcing a rethink of how risk is identified, updated and evidenced across the customer lifecycle.
One of the most significant shifts is the move away from periodic KYC refreshes towards perpetual KYC. Static review intervals struggle to reflect real-world changes such as evolving ownership structures, new geographic exposure or shifts in product usage. When customer profiles are outdated, downstream monitoring and investigations start from flawed assumptions, weakening the overall control framework. As a result, firms are increasingly adopting dynamic customer lifecycle management models, using event-driven triggers and closer integration between onboarding, monitoring, screening and case management. The objective is not only to keep risk profiles current, but also to maintain a clear evidence trail showing what changed and how the firm responded.
This shift is being reinforced by regulation. The EU Anti-Money Laundering Regulation requires customer data and documentation to be kept up to date, with refresh intervals explicitly linked to risk and capped at one year for higher-risk customers and five years for others. Updates are also mandated when material circumstances change or when new relevant information emerges. By 10 July 2026, AMLA must issue guidance on ongoing and transaction monitoring, a move expected to raise the bar on what regulators consider effective, continuous oversight. Firms investing in technology that enables live risk management across the client lifecycle are better positioned to strengthen financial crime controls while reducing unnecessary customer friction.
Crypto-related risk remains another pressure point heading into 2026. Digital assets continue to provide attractive channels for illicit activity, but the typologies are evolving. A notable trend is the rise of micro-laundering through creator-economy rails such as tipping services, subscription platforms and digital marketplaces. These environments are designed for high-volume, low-value transactions, allowing illicit flows to blend more easily into legitimate behaviour. From a typology perspective, FATF has highlighted a growing concentration of illicit activity involving stablecoins since 2024, alongside a “significant uptick” in the use of virtual assets in fraud and scam activity.
The practical implication for compliance teams is a heightened expectation that crypto-adjacent exposure is fully covered across onboarding, transaction monitoring and travel rule compliance. Firms will need to demonstrate how crypto-related alerts are detected, triaged, investigated and resolved, with clear links back to customer risk profiles and ongoing monitoring decisions. Updating typologies to reflect fragmented flows and focusing risk assessments on rapid fraud-to-crypto pathways will be essential to staying ahead.
Regulatory enforcement shows no sign of easing. In 2025, several high-profile UK fines underlined the consequences of weak AML frameworks, including penalties of £21m for Monzo, £43m for Barclays and £44m for Nationwide. While many of these cases related to historical failings, regulators are now increasingly focused on whether firms can demonstrate ongoing effectiveness rather than one-off remediation. Explainability is becoming central, with supervisors asking not just what controls exist, but why they are designed in a particular way, who owns them and how they work together. Continuous, data-driven oversight and robust governance are therefore critical to avoiding enforcement action.
A wave of regulatory reform will further reshape AML and CFT obligations in 2026. In the UK, plans for a single AML supervisor for professional services aim to bring more consistent oversight to legal and accountancy sectors, while mandatory Companies House identity verification for directors and beneficial owners is set to strengthen corporate transparency. For financial institutions, this raises expectations around KYB processes as official registries become more reliable sources of verified data.
At EU level, AMLA is building towards a single AML rulebook, reducing fragmentation across member states. Although direct supervision of high-risk institutions will not begin until 2028, 2026 will see closer coordination between AMLA and national regulators on joint risk assessments and guidance. In parallel, the rollout of EU Digital Identity Wallets by 2026 may alter how identity assertions are delivered and reused in onboarding and KYB workflows, requiring compliance teams to adapt processes accordingly.
Australia’s “Tranche 2” reforms add further complexity. From 1 July 2026, a range of non-financial professions, including lawyers, accountants and real estate agents, will fall within the AML/CTF regime. These entities will be required to implement AML programmes, conduct customer due diligence, report suspicious activity and maintain records, significantly expanding the regulated perimeter.
Sanctions volatility remains another defining feature of the landscape. Exposure is often indirect, arising through ownership structures, affiliates, trade finance or maritime activity rather than named counterparties. Alerts from the UK National Crime Agency on maritime “shadow fleets” highlight the need for contextual screening that goes beyond simple name matching. Firms must be prepared for rapid updates and divergence between jurisdictions as sanctions tighten or ease.
Finally, AI is intensifying the arms race in financial crime. While machine learning is helping firms reduce false positives and detect complex patterns, criminals are using the same tools to probe controls and scale deception. Identity remains the most visible battleground, with Europol warning of the growing use of deepfakes and synthetic media for impersonation and document fraud. As automation expands, regulators and boards are demanding greater explainability and accountability around AI-driven decisions. The competitive advantage in 2026 will come not from deploying more AI, but from deploying auditable AI supported by strong data governance and clear ownership.
In this environment, a business-as-usual approach to compliance is no longer viable. Firms that succeed will be those that build living risk profiles, strengthen governance and evidence trails, and adopt technology in a way that remains transparent and defensible. Done well, compliance can move beyond a defensive obligation and become a source of operational efficiency, resilience and improved customer experience.
Find more on RegTech Analyst.
Copyright © 2026 FinTech Global
