
The 2026 KYC/AML regulatory landscape: what changed

Across FinCEN, FCA, and FATF, the past twelve months brought the most material guidance updates since the original BSA. Here is what compliance teams need to operationalise now.

Compliance Apr 12, 2026

The twelve months ending in Q1 2026 produced more substantive KYC/AML rule updates than any single year since the Bank Secrecy Act was enacted. Across three regulators (FinCEN, the FCA, and the FATF) the through-line is the same: beneficial ownership transparency, continuous monitoring, and the expectation that verification is no longer a one-time event.

This post is a field guide: what changed, what compliance teams need to operationalise, and where the CredFlare platform already speaks to each requirement.

FinCEN: beneficial ownership goes from form to workflow

The Corporate Transparency Act's BOI rule, fully enforced as of Q4 2025, closed the loophole that allowed opaque shell structures to open accounts without naming their real owners. Reporting companies now file BOI directly with FinCEN, and financial institutions are expected to reconcile that database against the ownership information they collect at onboarding.

What this means in practice: UBO verification is no longer an optional enhanced-due-diligence step for higher-risk customers. It is baseline for any legal entity, and the reconciliation with FinCEN's BOI registry has to be continuous, not one-and-done. If ownership changes after onboarding and you don't detect it, you own the miss.

CredFlare's Compliance Profiles already model this as a first-class concept. UBO collection runs alongside identity verification in the same workflow, and ongoing monitoring re-runs the watchlist and BOI check every 30 days by default.

FCA: perpetual KYC is now the expectation

The FCA's Financial Crime Thematic Review 2025 made the regulator's position explicit: periodic refresh cycles, the 1/3/5-year review cadence that most banks operated on for a decade, are no longer adequate. The expectation now is perpetual KYC: a posture where risk scoring continuously recalculates from live data, and customer re-verification is triggered by signal, not by calendar.

Signals that should trigger a refresh, per the review:

  • A change in beneficial ownership, control, or corporate structure
  • A change in PEP status, adverse media hit, or sanctions screening flag
  • Transaction pattern deviations that exceed customer-specific thresholds
  • Expiry of any identity document on file

The operational challenge is that most legacy KYC stacks cannot react to signals. They were designed around batch jobs and form submissions. Moving to perpetual KYC is less a policy change than an architectural one.

FATF: Travel Rule finally has teeth

FATF Recommendation 16, the Travel Rule, has existed since 2019. Through 2025, its enforcement was uneven. Most jurisdictions allowed self-attestation and accepted counterparty gaps as the cost of an immature VASP ecosystem. That window has closed.

The 2026 FATF Plenary update raised the threshold: any virtual asset transfer above $1,000 USD equivalent must carry originator and beneficiary information verified against identity documents, not customer-supplied KYC alone. For exchanges and custodial wallets, this means the verification layer that was historically a compliance checkbox is now on the critical path for every transaction.

The biggest tell that a compliance stack is behind: the same customer is asked to upload their passport once at signup, then again at a $10,000 transaction, then again at account recovery. Three separate verifications, three separate records, zero re-use.

Universal Verification Numbers solve exactly this: a document verified once against its authenticity, expiry, and the FATF-aligned data fields receives a UVN that any downstream partner can verify instantly without re-collecting the document. The Travel Rule requirement maps one-to-one onto UVN metadata.

What compliance teams should operationalise in 2026

  1. Treat KYC as a service, not a form. If your verification workflow lives in a different stack than your monitoring and reporting, you will miss signals. Centralise.
  2. Instrument signal-based re-verification. Wire ownership, PEP status, and document-expiry events into the same queue that triggers customer outreach.
  3. Audit your UBO coverage. The gap between what you collected in 2022 and what BOI now expects is usually where the examiner starts.
  4. Pre-build your exam artefacts. SAR narratives, audit trails, and watchlist hit histories should be exportable to regulator-friendly formats on demand, not reconstructed under pressure.

The compliance teams that will come out of 2026 looking good are the ones that stop thinking of KYC as a point-in-time form and start thinking of it as a continuous system. The regulators already have.
