This Week in Compliance: Crypto AML Rules 2026 Tighten Worldwide

The comfortable read on crypto supervision is that regulators move slowly, act unilaterally, and leave months of silence between announcements. The last ten days disproved all three. Between 7 and 17 April 2026, FinCEN proposed a sweeping AML programme overhaul, FinCEN and OFAC jointly published a stablecoin AML and sanctions rule with secondary-market reach under the GENIUS Act, the FCA opened its final cryptoasset framework consultation, and the European Central Bank publicly backed expanding ESMA's direct supervisory remit over systemically important crypto-asset service providers. The crypto AML rules 2026 landscape these four items sketch out shifted sharply in a single week.

The shape of the week is worth naming up front. FinCEN proposed a programme overhaul on 7 April (1). The US Treasury announced a joint FinCEN/OFAC stablecoin NPRM on 8 April, published in the Federal Register on 10 April (4)(6). The FCA opened CP26/13 on 15 April (9). The ECB published Opinion CON/2026/13 on 9 April backing direct ESMA supervision of large CASPs, with AMLA's customer due diligence consultation already running into an 8 May 2026 close (13)(14). One rulebook per jurisdiction, four jurisdictions in ten days.

The thesis of this recap is simple. FinCEN, the FCA, the ECB, and AMLA each tightened the crypto AML perimeter along the same vector — outcome-based supervision, enforced custody, secondary-market reach, and centrally-supervised customer due diligence. The "we are outside the scope" argument is running out of jurisdictions to hide in.

United States: FinCEN's outcome-based AML programme overhaul

On 7 April 2026 FinCEN issued a Notice of Proposed Rulemaking to "fundamentally reform" the AML/CFT programme requirements under the Bank Secrecy Act and the Anti-Money Laundering Act of 2020 (1). The FDIC, OCC, and NCUA issued concurrent rulemakings mirroring the change for their supervised institutions. Public comment closes 9 June 2026. One absence is worth flagging: Covington's client alert surfaced that the Federal Reserve Board did not join the OCC, FDIC, and NCUA in the concurrent rulemaking — a non-participation Covington read as possibly signalling disagreement with FinCEN's new oversight role over supervisory action (3).

The structural shift is a move from documentation tidiness to programme effectiveness. Gibson Dunn's client alert describes the proposal as a "two-pronged framework" that evaluates whether a financial institution both establishes and maintains its AML/CFT programme — a split that is meant to stop examiners from conflating programme design criticisms with day-to-day implementation criticisms (2). The result is an effectiveness-based evaluation. Filing suspicious activity reports on time is not the same as running an AML programme that catches the pattern those reports were meant to flag.

Risk assessment and the codified Priorities

Two other changes carry weight. The National AML/CFT Priorities move from advisory add-ons into programme inputs, so a financial institution's risk assessment must treat them as design parameters, not as items to reference later. Programmes are expected to allocate resources toward higher-risk customers and higher-risk areas in a way examiners can evidence from the risk assessment itself. The AML/CFT Officer must also be located in the United States under Gibson Dunn's read of the proposal (2). None of this is radical in isolation. Taken together, it redraws where programme-design responsibility sits and how it is evidenced.

Enforcement action versus supervisory action

The proposal draws a sharper line between enforcement action and supervisory action. FinCEN's fact sheet confirms that "only significant or systemic failures" warrant enforcement or significant supervisory action, and federal banking regulators must consult FinCEN at least 30 days before taking significant BSA-related supervisory action (1). The 12-month post-finalisation implementation window means firms that want to be ready will be drafting their response now rather than in Q4.

Topic 1 here is a snapshot, not the full argument. We walked through how the NPRM rewrites the mechanics of monitoring — and why the effectiveness pivot changes what "adequate" transaction monitoring looks like — in our deeper analysis of how the 2026 NPRM rewrites AML transaction monitoring. This recap focuses on the programme-level signal; the Monday piece carries the deeper read.

Stablecoin AML rules reach into secondary markets under the GENIUS Act

On 8 April 2026, Treasury announced that FinCEN and OFAC had jointly proposed a rule to implement the GENIUS Act's AML and sanctions compliance programme requirements for Permitted Payment Stablecoin Issuers (PPSIs) (6). The joint FinCEN/OFAC NPRM was placed on public inspection the following day and published in the Federal Register on 10 April 2026 (FR Doc. 2026-06963), with comments due by 9 June 2026 (4)(5). Three features of the proposal matter most: PPSIs are treated as financial institutions under the Bank Secrecy Act, the rule requires issuers to maintain sanctions compliance programmes, and freeze/block/reject obligations extend into secondary markets.

The secondary-market language is the paragraph practitioners are reading twice. CoinDesk's 8 April coverage captures the operative wording cleanly: the proposal requires stablecoin issuers to have controls to "block, freeze and reject" transactions, and OFAC would require issuers to "run risk-based safeguards for stablecoin activity on primary or secondary markets," with policies that spot and reject transactions "that may violate or would violate U.S. sanctions" (7). That language pushes freeze and sanctions obligations past the issuer's direct customer relationship and into downstream wallets, exchanges, and venues — a design constraint the industry has spent two years arguing was technically impossible.

Why "impossible" just became "required"

The operational question is no longer whether secondary-market enforcement is enforceable. It is what the architecture looks like in production. Elliptic's regulatory-affairs read calls the NPRM's secondary-market sanctions obligation "the first clear regulatory answer" to how a bank-like programme applies to stablecoin issuers, and names the three pieces of the answer: chain analytics to trace downstream flows, issuer-side block lists baked into the token contract, and cooperation from exchanges to honour freeze orders on wallets the issuer never onboarded (8). None of those three are clean, single-tier solutions. Together, they make issuer-level transaction monitoring and sanctions compliance operational rather than theoretical.

Treating a PPSI as a financial institution under the BSA is the load-bearing legal change. That designation carries the full weight of BSA programme requirements — suspicious activity reporting, recordkeeping, customer identification obligations — and lands the issuer inside a compliance regime that was previously reserved for banks and money service businesses. The Treasury announcement framed the proposal as implementing the GENIUS Act's counter-illicit-finance requirements (6). The practical effect is a bank-shaped obligation on a token-issuing entity.

Travel Rule, identity, and the issuer–platform split

A bank-shaped programme on an open network forces the Travel Rule conversation that the stablecoin industry has largely avoided. If an issuer is accountable for sanctions and suspicious activity on secondary-market transfers, the identity metadata those transfers carry has to be usable — and that pushes compliance signals into the infrastructure, not just the issuer. For platforms integrating stablecoins into their rails, the question is no longer only "did we KYC this user?" but "can we present a verifiable compliance status the issuer can rely on when the token moves?" Compliance signals have to travel with the user, not only with the issuer's direct customer relationship.

One alignment is worth flagging. The FinCEN programme NPRM and the PPSI NPRM both close their comment periods on 9 June 2026. That is not a coincidence. Treasury is asking the market to respond to the programme regime and the stablecoin regime in the same window, and the responses to one will shape the other.

United Kingdom: the FCA closes the "decentralisation defence"

The FCA opened consultation CP26/13 on 15 April 2026, consulting on perimeter guidance for seven regulated cryptoasset activities under the UK's future crypto regime (9). The new regime covers issuing qualifying stablecoins in the UK, safeguarding qualifying cryptoassets, operating qualifying cryptoasset trading platforms, dealing as principal or agent, arranging deals, and arranging qualifying cryptoasset staking. The consultation closes 3 June 2026. The FCA crypto rules now on the table will shape how cryptoasset firms operate across the authorisation gateway into full regime commencement.

The 24-hour custody trigger

The sharpest single rule in CP26/13 is the 24-hour custody trigger. Firms that hold client cryptoassets for more than 24 hours, or that can override client authority over those assets, are treated as regulated custodians requiring full safeguarding authorisation (10). Cryptoasset custody that sat in a "we are just infrastructure" grey zone no longer sits there. The rule collapses the ambiguity custodians relied on when they moved client assets between hot and cold storage, or when a platform held user balances in an internal omnibus structure. The 24-hour custody trigger treats the duration and the degree of control as the relevant facts, not the architecture of the back end.

UK-only stablecoin issuance

The second rule with extraterritorial bite is the UK-only stablecoin issuance lifecycle. Qualifying stablecoin issuance is lawful only where the issuer is established in the UK and manages the full lifecycle — issuance, reserve management, redemption. Non-UK issuers lose the ability to serve UK users at scale through a qualifying stablecoin. The implication for foreign issuers is cold: a UK establishment with lifecycle control, or no qualifying-stablecoin access to UK users at all.

The decentralisation defence closed

The third rule is the intellectual centre of the section. The FCA's perimeter guidance states explicitly that smart contracts, public blockchains, or "elements of decentralisation" do not by themselves place an arrangement outside the regulatory perimeter (10). Firms that spent 2024 and 2025 arguing they were "infrastructure, not intermediaries" now face a perimeter guidance that treats technical architecture as a factor in the assessment, not a defence against it. The decentralisation defence has not been outlawed; it has been subordinated. The FCA crypto rules in CP26/13 read the architecture, weigh the degree of human discretion and control, and then decide whether the arrangement sits inside the perimeter. The answer for a lot of cryptoasset activities will be yes.

For platforms operating in the UK, the question the FCA asks is less "does the architecture look decentralised?" and more "can you evidence compliance on every user?" That is the question Zero-Knowledge KYC is built to answer — a verified attestation is portable, auditable, and does not depend on which side of a technical boundary the platform thinks it sits on.

Timeline: gateway to commencement

The FCA's press release confirms the timeline that runs alongside the consultation (11). CP26/13 closes on 3 June 2026. The authorisation gateway opens on 30 September 2026 and closes on 28 February 2027. Full regime commencement is 25 October 2027. Cryptoasset firms that want to serve UK users under the new regime have a defined window to secure authorisation; firms that miss it have to exit the UK market or operate without the regulated-activity permissions the new regime requires. CoinDesk's 16 April analysis read CP26/13 as a perimeter guidance designed to close the specific technical traps practitioners had built their UK presence around — the 24-hour custody gap, the non-UK issuer routing, and the decentralisation defence (12).

The week's second piece of "outside the scope is dying" evidence is this: the UK has defined the edge of its cryptoasset perimeter in enough detail that the architectural arguments no longer survive contact with it.

European Union: direct supervision arrives via ECB, ESMA, and AMLA

The EU leg of the week sits less in a single April news item than in the shape it gives the other three. In Opinion CON/2026/13, adopted 9 April 2026, the European Central Bank (ECB) fully supported the European Commission's proposal to transfer authorisation, monitoring, and enforcement powers over systemically important crypto-asset service providers from national competent authorities to the European Securities and Markets Authority (ESMA). The opinion argued that the transfer would "ensure supervisory convergence, reduce fragmentation and mitigate cross-border risks in crypto-asset markets," and cited the concrete data: of 94 CASPs authorised as of November 2025, 62 intended to operate in seven or more Member States and 47 planned EU-wide activities (13).

The second piece of the ECB opinion is less headline-friendly and more consequential for euro stablecoin scale. The ECB flagged its intent to cap the use of e-money tokens as settlement assets where no central-bank-money alternative exists (13). That is a direct prudential constraint on euro-denominated stablecoin volume — an attempt to prevent e-money tokens from becoming the default settlement layer for euro-denominated markets before the digital euro arrives. It closes a route the market had assumed was open.

AMLA's operational arrival

The EU Anti-Money Laundering Authority (AMLA) ran its first public hearing on 24 March 2026, convening over 1,600 stakeholders to discuss two draft Regulatory Technical Standards — one on customer due diligence under Article 28(1) of the AMLR, one on the criteria for identifying business relationships and occasional and linked transactions under Article 19(9) (14). Written submissions on both RTS remain open until 8 May 2026. From 2028, AMLA directly supervises approximately 40 of the highest-risk EU institutions under the Single Rulebook.

AMLA's CDD consultation is where the technical baseline for identity verification in the EU's next regulatory decade is being drafted. Whether the final RTS leaves room for reusable, selective-disclosure verification — or assumes a single full-PII check per institution — is a question Zero-Knowledge KYC platforms, Verifyo included, are reading carefully. The RTS will travel into national supervisors by 2028, which means the shape of the next decade's customer due diligence practice is being decided in the submissions arriving at AMLA this spring.

The EU is closing the same loopholes as the US and UK, but from a different direction. Direct supervision at the ESMA level replaces the fragmented Member State supervisory tourism that large CASPs had relied on. The ECB's settlement-asset cap closes the euro-bypass route for e-money tokens. AMLA's CDD and business-relationship RTS write the identity baseline for the Single Rulebook. Four instruments, one direction of travel.

Four rulebooks, one direction: the perimeter is being enforced

Step back from the four items and the pattern compresses cleanly. The crypto AML rules 2026 landscape these four items sketch out shares a design pattern. The perimeter is being enforced on three axes at once. First, outcome-based supervision is replacing documentation checks — explicit in the FinCEN NPRM, implicit in AMLA's CDD direction. Second, custody and issuance are being scoped prudentially regardless of technical architecture — the FCA's 24-hour custody trigger and the PPSI-as-financial-institution designation are two expressions of the same move. Third, compliance obligations are reaching past the direct customer relationship into secondary markets and downstream venues — explicit in the stablecoin NPRM, operationalised in the FCA's perimeter guidance, embedded in direct ESMA supervision under MiCA.

The pattern makes specific demands of compliance architecture. Outcome-based supervision rewards programmes that can prove they worked. Prudential scoping rewards architectures that carry compliance signals with the user or the transaction, not with the documents stored in a vendor's data centre. Secondary-market reach rewards portable, verifiable attestations over one-time document checks. Privacy-preserving identity architectures — the category Verifyo sits in — are unusually well-placed for the direction of travel, because a reusable Zero-Knowledge KYC attestation carries proof of compliance without carrying documents, which is exactly what secondary-market and outcome-based regimes demand. What remains to solve is interoperability at scale — Travel Rule data exchange across issuer, wallet, and platform, and ongoing monitoring integrations that connect the attestation layer to transaction-level supervision, neither of which Verifyo offers today.

The near-term calendar is dense. Three of this week's four items cluster their comment periods in a six-day window: the FCA's CP26/13 closes on 3 June 2026, and both the FinCEN programme NPRM and the PPSI NPRM close on 9 June 2026. AMLA's CDD RTS closes slightly earlier on 8 May 2026. Practitioners writing responses now are shaping the rules that will govern the next decade of crypto compliance.

What to watch next

The week's verdict has three parts. First, the comment windows cluster: 8 May for AMLA's CDD RTS, 3 June for the FCA, 9 June for both US NPRMs. A firm that waits for one rule to settle before responding to the others will find the drafting has already happened without it. Second, the direction of travel on crypto AML rules 2026 is no longer ambiguous — outcome-based supervision, enforced custody, secondary-market reach, and centralised customer due diligence are all being pushed at once, and they reinforce each other rather than offering a cheaper alternative to any one of them. Third, the compliance architecture decisions platforms make in Q2 2026 will define which of them survive the 2027–2028 enforcement window.

We cover the compliance architecture questions this week's rulemakings raise across the Verifyo Insights catalogue. The deeper read on what FinCEN's NPRM means for AML transaction monitoring sits alongside this recap; more pieces on the FCA perimeter, the stablecoin NPRM's secondary-market architecture, and AMLA's CDD baseline follow in the weeks ahead.

Sources

1. FinCEN. "Fact Sheet: Proposed Rule to Fundamentally Reform Financial Institution AML/CFT Programs." 7 April 2026. https://www.fincen.gov/system/files/2026-04/Program-NPRM-FactSheet.pdf
2. Gibson Dunn. "FinCEN Proposes Rule to Fundamentally Reform Financial Institution Programs Designed to Fight Illicit Finance." April 2026. https://www.gibsondunn.com/fincen-proposes-rule-to-fundamentally-reform-financial-institution-programs-designed-to-fight-illicit-finance/
3. Covington & Burling. "FinCEN Proposes Reform of AML/CFT Program Requirements." April 2026. https://www.cov.com/en/news-and-insights/insights/2026/04/fincen-proposes-reform-of-aml-cft-program-requirements
4. Federal Register. "Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements." Vol. 91, No. 69, 10 April 2026. FR Doc. 2026-06963. https://www.federalregister.gov/documents/2026/04/10/2026-06963/permitted-payment-stablecoin-issuer-anti-money-launderingcountering-the-financing-of-terrorism
5. govinfo.gov. "Federal Register / Vol. 91, No. 69 / Friday, April 10, 2026 — PPSI AML/CFT Program and Sanctions Compliance Program Requirements." 10 April 2026. https://www.govinfo.gov/content/pkg/FR-2026-04-10/pdf/2026-06963.pdf
6. U.S. Department of the Treasury. "Treasury Proposes Rule to Implement the GENIUS Act's Requirements to Counter Illicit Finance." Press release SB0435. 8 April 2026. https://home.treasury.gov/news/press-releases/sb0435
7. CoinDesk. "U.S. Treasury to propose demands that stablecoin firms be set to police bad transactions." 8 April 2026. https://www.coindesk.com/policy/2026/04/08/u-s-treasury-to-propose-demands-that-stablecoin-firms-be-set-to-police-bad-transactions
8. Elliptic. "Crypto regulatory affairs: US Treasury proposes secondary market sanctions compliance for stablecoin issuers." April 2026. https://www.elliptic.co/blog/crypto-regulatory-affairs-us-secondary-market-sanctions-compliance
9. FCA. "CP26/13: Cryptoasset perimeter guidance." 15 April 2026. https://www.fca.org.uk/publications/consultation-papers/cp26-13-cryptoasset-perimeter-guidance
10. FCA. "Consultation Paper CP26/13: Cryptoasset Perimeter Guidance." April 2026. https://www.fca.org.uk/publication/consultation/cp26-13.pdf
11. FCA. "FCA consults on guidance on UK's future crypto regime." Press release. 15 April 2026. https://www.fca.org.uk/news/press-releases/fca-consults-guidance-uk-future-crypto-regime
12. CoinDesk. "UK's Financial Watchdog Releases Sweeping Crypto Asset Framework for Final Consultation." 16 April 2026. https://www.coindesk.com/policy/2026/04/16/uk-s-financial-watchdog-releases-sweeping-crypto-asset-framework-for-final-consultation
13. European Central Bank. "ECB Opinion CON/2026/13 on supervisory reforms for EU capital-market integration." 9 April 2026. Cited by opinion number (canonical ECB URL not retrievable at source time); confirmed via Reuters summary (The Block): https://www.theblock.co/post/397121/ecb-backs-eu-plan-to-centralize-crypto-supervision-under-paris-based-esma-watchdog-reuters
14. AMLA (Authority for Anti-Money Laundering and Countering the Financing of Terrorism). "AMLA Successfully Concludes First Public Hearing on Draft Regulatory Technical Standards." 24 March 2026. https://www.amla.europa.eu/amla-concludes-first-public-hearing-draft-regulatory-technical-standards_en