Speed is becoming the defining factor in KYC and AML as firms move into 2026. Customer risk now evolves far more quickly than traditional review cycles can accommodate, while illicit finance continues to fragment into smaller, harder-to-detect flows.
At the same time, sanctions regimes remain volatile and misaligned across jurisdictions, and AI is accelerating activity on both sides of financial crime, said KYC360.
Criminals are using automation to scale deception, while regulators are raising expectations for explainable, auditable, AI-enabled controls. Against this backdrop, compliance teams face mounting pressure to modernise operating models without sacrificing defensibility.
One of the clearest shifts is the move away from periodic KYC refreshes towards perpetual KYC. Static review cycles struggle to keep pace with changes in ownership structures, geographic exposure, or product usage. When customer risk profiles lag reality, downstream monitoring and alerting decisions are built on flawed assumptions.
As a result, many firms are adopting dynamic customer lifecycle management, supported by event-driven refresh triggers and closer integration between onboarding, monitoring, screening and case management. A clear evidence trail showing what changed and how the firm responded is becoming just as important as the control itself.
This approach is reinforced by regulatory reform. Under the EU Anti-Money Laundering Regulation, firms must keep customer data and documentation up to date, with review periods capped at one year for higher-risk customers and five years for others. Updates are also required whenever circumstances change or new relevant information emerges. By 10 July 2026, AMLA is due to issue guidelines on ongoing and transaction monitoring, which is expected to tighten supervisory expectations around what “effective” monitoring looks like in practice. Technology that supports live risk management across the client lifecycle can help firms meet these standards while reducing unnecessary customer friction.
Crypto-related risk remains another priority heading into 2026. While cryptocurrencies continue to attract illicit activity, the pattern is shifting towards smaller, fragmented flows routed through creator-economy platforms such as tipping services, subscription tools and digital goods marketplaces. These channels are designed for high-volume, low-value transactions, allowing illicit activity to blend into normal user behaviour. FATF has highlighted growing concerns around stablecoins, noting increased illicit use since 2024 and warning of a significant uptick in fraud and scam activity involving virtual assets. For firms, this translates into a sharper expectation that crypto-adjacent exposure points are properly covered across onboarding, monitoring and travel rule compliance.
Enforcement pressure also shows no sign of easing. In the UK alone, the FCA fined Monzo £21m, Barclays £43m and Nationwide £44m in 2025 for serious AML control failings. Many of these cases related to historical weaknesses that had already been addressed, underscoring that regulators are increasingly focused on ongoing effectiveness rather than point-in-time remediation. Supervisors are also probing whether programmes are explainable, testing not just what controls exist, but why they were designed that way, who owns them, and how they operate together. Strong governance, clear accountability and data-driven oversight are now central to enforcement resilience.
Regulatory reform will add further complexity in 2026. In the UK, a single AML supervisor for professional services firms and mandatory Companies House ID verification for directors and PSCs will reshape AML and KYB expectations. In the EU, AMLA’s build-out and progress towards a single rulebook will drive greater consistency across member states, while EU Digital Identity Wallets are set to change how identity assertions are reused in onboarding. Australia’s “Tranche 2” reforms will extend AML/CTF obligations to lawyers, accountants, real estate agents and other non-financial sectors from 1 July 2026, significantly broadening the compliance perimeter.
Sanctions volatility remains a further challenge, with indirect exposure through ownership links, trade finance and maritime activity posing growing risk. Authorities, including the UK National Crime Agency, have highlighted the use of maritime “shadow fleets” to evade sanctions, reinforcing the need for contextual screening that goes beyond simple name matching.
AI sits at the centre of these developments. While firms are using machine learning to reduce false positives and surface complex patterns, criminals are using the same tools to probe controls and exploit weaknesses. Identity assurance is a particular pressure point, as deepfakes and synthetic media raise the bar for onboarding. As AI adoption expands, regulators and boards will increasingly expect firms to evidence how AI-driven decisions are governed, explained and controlled. Competitive advantage will come not from deploying more AI, but from deploying auditable AI built on strong data foundations and clear accountability.
In 2026, business-as-usual compliance will not be enough. Firms that succeed will be those that build living risk profiles, tighten governance and evidence trails, and adopt technology in a way that remains transparent and defensible. Done well, compliance becomes an operational advantage, reducing friction, strengthening resilience and improving the customer experience.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
