This Week in Compliance: FCA Financial Crime Becomes National Security

When the FCA's Chief Executive opened the regulator's Financial Crime Conference with the line “separating financial services from national security is outdated and dangerous,” he framed the week's supervisory direction more cleanly than any other Tier-A announcement that followed. Three Tier-A regulators and one cross-firm investigator synthesis bent the AML perimeter the same way — towards evidence-based supervision and architectural answers to insider attacks.

This recap covers Rathi's speech, AMLA's first systematic diagnostic across all 27 EU Member States, the Senate Banking Committee advancing the CLARITY Act 15-9, the Bank of England's retreat on its sterling stablecoin caps, and the cross-firm synthesis showing DPRK-linked actors moved from external exploitation to embedded-insider access in 2025. Verdict: stop measuring compliance by process artefacts produced, and start measuring by what the evidence can actually defend.

Rathi: separating finance from national security is “outdated and dangerous”

At the FCA Financial Crime Conference on 14 May 2026, Chief Executive Nikhil Rathi announced that from June 2026 the FCA will share more than 5,000 intelligence records with law-enforcement agencies via the Police National Database (1)(2). He paired the integration with a network-analytics programme tested in the payments sector for earlier money-laundering detection, a 17-regulator, 14-country coordination action against finfluencer fraud that has produced guilty pleas, nearly 40 warnings and over 100 account takedowns, and a challenge to Big-Tech platforms that they “cannot sit on the sidelines” against an online investment-fraud surge where the average victim loses around £25,000 (1)(3). The issue, on Rathi's framing, is “a question of fundamental economic and national security”; the FCA's intelligence infrastructure now processes over 52 million records (4).

Network analytics is not a tool announcement. It is the FCA moving from rule-based AML monitoring — did the bank file the SAR within 30 days? did the checklist get completed? — to outcome-based programme assessment, the same direction the FATF Mutual Evaluation methodology has pulled national regulators since 2024. We covered the regulated-entity side of this shift last week.

Rathi's “cannot sit on the sidelines” line tells platforms hosting investment-fraud advertisements they sit inside the supervised compliance perimeter even when they are not the regulated entity (3) — evidence-based supervision rewards programme outcomes, and control-system evidence must be portable and inspectable on a regulator's timeline.

AMLA's Roadshow report maps supervisory fragmentation across 27 Member States

On 11 May 2026 the Anti-Money Laundering Authority published Chair Bruna Szego's 2025 EU-wide Roadshow report — AMLA's first systematic mapping of the AML/CFT supervisory landscape across all 27 Member States, conducted March–December 2025 (5). A paired 2025 survey of non-financial-sector supervisory authorities is the diagnostic the 2027 direct-supervision selection methodology rests on.

AMLA flagged AI-enabled fraud and deepfakes, crypto-assets, instant payments, and sanctions circumvention as major threat vectors across Member States (6) — fraud is now among the fastest-growing predicate offences for money laundering, crypto-assets remain high-risk on anonymity and beneficial-ownership opacity grounds, and sanctions-evasion focus has tightened across Eastern and Northern Europe since 2022. What ties these vectors together is operational shape: the gap between point-in-time KYC artefacts and the dynamic risk surface that emerges between verifications.

Real-estate agents, accountants, notaries, and high-value-goods traders show the lowest AML/CFT maturity in AMLA's Member-State sweep (6)(7). AMLA was direct: “Financial crime risks are evolving faster than many institutions and supervisory structures were designed to handle,” with practices diverging widely on enforcement, FIU capability, and methodology (7). The 2027 selection methodology will widen the perimeter toward jurisdictions where national supervision has been weakest and toward sectors documented as low-maturity — the criteria reward obliged entities that can produce evidence at consistent quality.

CLARITY Act clears Senate Banking Committee in 15-9 vote — risk-based examination standards advance

On 14 May 2026 the Senate Banking Committee voted 15-9 to advance the Digital Asset Market Clarity Act of 2025 (8)(10)(11). Chairman Tim Scott (R-SC) led the markup; Ranking Member Elizabeth Warren (D-MA) voted against. Senators Angela Alsobrooks (D-MD) and Ruben Gallego (D-AZ) crossed to join the panel's 13 Republicans (10)(11) — a market-structure bill clearing Banking with two Democratic votes carries weight into floor-vote arithmetic (13).

What survived is the substantive read. The Tillis-Alsobrooks amendment bars yield on passive stablecoin holdings while permitting rewards on non-passive activities (11). Risk-based AML examination standards for digital-asset brokers, dealers, and exchanges (9). Expanded Treasury special-measure authority, mandatory annual reports on foreign jurisdictions' AML compliance, recurring Treasury reports on offshore stablecoins, and a federal floor for crypto-kiosk regulation (9). A Democratic proposal granting Treasury sanctions authority over DeFi services drew unified Democratic support but Republican members blocked it (11) — signalling where floor-vote politics will land on the DeFi-mixer question. Six banking trade groups including BPI and the ABA endorsed the committee passage (12).

The supervisory direction is the link to the rest of the week — risk-based examination standards mean a covered crypto venue's compliance programme will be assessed on what it can actually defend against, not on whether the box-checking SAR cadence was met. Same direction as Rathi, same direction as AMLA. The FinCEN AML/CFT NPRM that landed in April 2026 is the US-side architectural read on the same shift — we covered it in detail when it dropped. To be clear about scope: transaction monitoring is a flow-side discipline handled by RegTech tools like Chainalysis, Elliptic, or ComplyAdvantage — Verifyo does not perform transaction monitoring. On the identity side, we issue point-in-time Zero-Knowledge KYC attestations that integrating platforms refresh on a documented cadence, anchoring the natural-person layer the BSA-defined “customer” lives at.

Bank of England signals retreat on sterling stablecoin caps

On 14 May 2026, Bank of England Deputy Governor Sarah Breeden told the Financial Times the Bank's earlier proposal — limiting individuals to £20,000 per sterling stablecoin, businesses to £10 million, and requiring at least 40% of stablecoin reserves to sit non-interest-bearing at the central bank — was likely “overly conservative” and was being reconsidered ahead of systemic-issuer applications opening by year-end (15)(16). Breeden signalled openness to allowing systemic issuers to hold up to 60% of reserves in short-term UK government debt and earn a return on part of their backing assets (17). The November 2025 consultation paper is the artefact under reconsideration (14).

At the original numbers, UK sterling-systemic-issuer economics sat well outside MiCA's e-money-token framework and outside the US stablecoin track — Decrypt noted UK issuers could earn yield on only 60% of reserves versus 88% on Circle's USDC backing (16). Pulling those numbers back is the BoE responding to issuer-application optics; holding limits remain on the table, just at less punishing levels.

As the prudential constraint relaxes, the AML/KYC perimeter around sterling-systemic-issuer applicants tightens by relative weight. Transaction-monitoring tools handle the flow side; point-in-time verifiable Zero-Knowledge KYC attestations anchor the natural-person side. Applicants filing by year-end will find more supervisory attention on whether their identity-verification architecture can produce evidence-grade attestations.

DPRK-linked theft accounted for 60% of 2025's $3.4B in crypto theft — and the attack vector changed

On 12 May 2026 crypto.news synthesised year-end estimates from CertiK, Chainalysis, and Elliptic: roughly $3.4B in cryptocurrency stolen during 2025, with DPRK-linked operations accounting for approximately 60% of the total (18). Chainalysis pegged the DPRK 2025 haul at $2.02B, up 51% year-on-year, with cumulative DPRK theft now around $6.75B (18)(19). The February 2025 Bybit compromise alone accounted for $1.5B, confirmed by the FBI's IC3 under the “TraderTraitor” designation (21). North Korean hackers achieved these results with 74% fewer confirmed incidents than in 2024 (19).

The operational shift is the more important story. The regime has moved from external exploitation — phishing, smart-contract exploits, bridge compromises — to embedded-insider access. DPRK operatives are hired into centralised exchanges, custodians, and Web3 firms under false identities, through fake-recruiter social engineering and malware-laden “coding tests” that harvest credentials, SSH keys, browser cookies, and cloud tokens (20). Once inside they hold legitimate credentials and legitimate access patterns — the defensive posture against external exploitation is not the defensive posture against a threat actor with valid credentials. TRM Labs traced the laundering to the “Chinese Laundromat” network of OTC brokers (20).

When the attack vector is the embedded insider, the perimeter is not the firewall — it is the data the firm chooses to retain. A custodian that holds millions of customer-document scans is a target. A custodian that holds proof-of-compliance attestations and no raw documents is not. The architectural problem reduces to one question: can the data the insider could exfiltrate be made not to exist at the host in the first place? That is the wedge we built Verifyo around. Verifyo issues Zero-Knowledge KYC attestations to integrating platforms — platforms receive proof of compliance status, not document images. The customer's identity documents never reach the platform's data stores, so an insider with full access to those stores has nothing of identity-document value to exfiltrate.

When the attack is an embedded insider rather than an external exploit, the architectural answer is that data never collected cannot be the data the insider exfiltrates — evidence-based supervision and data-minimised architecture are the same conversation viewed from two sides of the desk.

What the week meant

Three Tier-A regulators and one investigator-cohort synthesis bent in the same direction. The FCA's Police National Database integration is the supervisor saying “evidence, not artefacts.” AMLA's Roadshow knows where the gaps are and will select accordingly when the 2027 perimeter opens. CLARITY's risk-based examination standards say BSA compliance for digital-asset venues is moving the same way. The Bank of England's stablecoin-cap retreat says the prudential perimeter loosens but the identity-side perimeter does not. The DPRK synthesis says the firewall is not the perimeter — the data retained at the host is.

On the calendar: MAS Singapore's P009-2026 cryptoasset prudential consultation closes Monday 18 May; FCA CP26/13 closes 3 June, reinforcing what Rathi codifies; FinCEN's AML/CFT NPRM plus the GENIUS Act PPSI comment period closes 9 June — the bigger architectural watch item for Q2. Verdict restated: compliance teams that can produce evidence on a supervisor's timeline are the ones the next eighteen months were designed for.

Sources

(1) FCA. “Working together against financial crime — speech by Nikhil Rathi, Chief Executive.” 14 May 2026. https://www.fca.org.uk/news/speeches/working-together-against-financial-crime

(2) Mortgage Solutions UK. “FCA chief warns financial crime is threat to national security.” 14 May 2026. https://www.mortgagesolutions.co.uk/mortgage-news/2026/05/14/fca-chief-warns-financial-crime-is-threat-to-national-security/

(3) AML Intelligence. “FCA boss warns Big Tech cannot 'sit on the sidelines' amid fraud surge.” 14 May 2026. https://www.amlintelligence.com/2026/05/latest-fca-boss-warns-big-tech-cannot-sit-on-the-sidelines-amid-fraud-surge/

(4) The Intermediary. “Financial crime is now a national security issue, says FCA chief executive.” 14 May 2026. https://theintermediary.co.uk/2026/05/financial-crime-is-now-a-national-security-issue-says-fca-chief-executive/

(5) AMLA. “AMLA publishes findings of Chair's 2025 EU-wide Roadshow.” 11 May 2026. https://www.amla.europa.eu/amla-publishes-findings-chairs-2025-eu-wide-roadshow_en

(6) INSIGHT EU MONITORING. “AMLA warns of widening AML gaps as fraud, crypto and sanctions risks intensify.” 11 May 2026. https://ieu-monitoring.com/editorial/amla-warns-of-widening-aml-gaps-as-fraud-crypto-and-sanctions-risks-intensify/1214196

(7) GRC Report. “AMLA's first tour of Europe's financial crime frontline reveals cracks in the system.” 11 May 2026. https://www.grcreport.com/post/amlas-first-tour-of-europes-financial-crime-frontline-reveals-cracks-in-the-system-2

(8) Senate Banking Committee. “Chairman Scott, Senate Banking Committee advance CLARITY Act in historic bipartisan vote.” 14 May 2026. https://www.banking.senate.gov/newsroom/majority/chairman-scott-senate-banking-committee-advance-clarity-act-in-historic-bipartisan-vote

(9) Senate Banking Committee. “CLARITY Act — Fraud and AML factsheet.” May 2026. https://www.banking.senate.gov/imo/media/doc/clarity_act_-_fraud_and_aml.pdf

(10) ABA Banking Journal. “Senate Banking Committee advances CLARITY Act.” 14 May 2026. https://bankingjournal.aba.com/2026/05/senate-banking-committee-advances-clarity-act/

(11) Elliptic. “Crypto regulatory affairs: CLARITY Act passes Senate Banking Committee.” 14 May 2026. https://www.elliptic.co/blog/crypto-regulatory-affairs-clarity-act-passes-senate-banking-committee

(12) Bank Policy Institute. “Banking Trades statement on Senate Banking Committee vote to advance CLARITY Act.” 14 May 2026. https://bpi.com/banking-trades-statement-on-senate-banking-committee-vote-to-advance-clarity-act/

(13) Bloomberg. “Long-stalled crypto market bill wins key Senate committee vote.” 14 May 2026. https://www.bloomberg.com/news/articles/2026-05-14/long-stalled-crypto-market-bill-wins-key-senate-committee-vote

(14) Bank of England. “Proposed regulatory regime for sterling-denominated systemic stablecoins (consultation paper).” November 2025. https://www.bankofengland.co.uk/paper/2025/cp/proposed-regulatory-regime-for-sterling-denominated-systemic-stablecoins

(15) Crypto Times. “Bank of England relooks stablecoin caps as UK mulls easing crypto rules.” 14 May 2026. https://www.cryptotimes.io/2026/05/14/bank-of-england-relooks-stablecoin-caps-as-uk-mulls-easing-crypto-rules/

(16) Decrypt. “Bank of England softens 'overly conservative' stablecoin plans amid industry pressure.” 14 May 2026. https://decrypt.co/367831/bank-of-england-softens-overly-conservative-stablecoin-plans-amid-industry-pressure

(17) Bankless Times. “Bank of England rethinks strict stablecoin limits following crypto pushback.” 14 May 2026. https://www.banklesstimes.com/articles/2026/05/14/bank-of-england-rethinks-strict-stablecoin-limits-following-crypto-pushback/

(18) crypto.news. “North Korean hackers now dominate crypto theft and compliance is racing to catch up.” 12 May 2026. https://crypto.news/north-korean-hackers-now-dominate-crypto-theft-and-compliance-is-racing-to-catch-up/

(19) Chainalysis. “2025 Crypto Hacking Report — Stolen Funds Analysis.” 18 December 2025. https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/

(20) TRM Labs. “North Korea and the industrialization of cryptocurrency theft.” 18 December 2025. https://www.trmlabs.com/resources/blog/north-korea-and-the-industrialization-of-cryptocurrency-theft

(21) FBI IC3. “PSA — North Korea Responsible for $1.5 Billion Bybit Hack (TraderTraitor).” 26 February 2025. https://www.ic3.gov/psa/2025/psa250226