This Week in Compliance: Trump's Executive Order on BSA CDD Reform
Verifyo Editorial Team, May 29, 2026


The Trump executive order on BSA CDD reform signed on 19 May and published in the Federal Register on 22 May 2026 sets a 90-day clock running on a federally-named red-flag taxonomy, and that clock is the editorial spine of this week. Around it, AMLA convened three public hearings inside the same five days, OFAC removed 76 outdated entries from the Specially Designated Nationals List as the first tranche of its Sanctions Modernization Effort, and a MiCA-authorised stablecoin issuer in Malta lost roughly $13.5M to a multisig key compromise. AU10TIX's Q1 2026 Global Identity Fraud Benchmark Report supplies the architectural why-now — AI-generated identity fraud has overtaken physical document forgery as the dominant attack class for the first time on record.

Trump's EO 14406 puts a 90-day clock on a federally-named CDD red-flag taxonomy

President Trump signed Executive Order 14406 on 19 May 2026; the Federal Register published it on 22 May at 91 FR 30479–30481 (1). The order directs Treasury and federal financial regulators to propose changes to Bank Secrecy Act regulations strengthening customer due diligence — FinCEN has 90 days to publish a proposed rule codifying a red-flag taxonomy, and Treasury has 60 days to issue an interim advisory (3). The clock is the change, not the political framing.

The EO names three red-flag categories the proposed rule must address: ITIN use to obtain credit products or open depository accounts where the applicant lacks verified lawful immigration status; foreign consular identification documents presented as primary identity evidence; and shell companies and "complex funnel structures designed to obfuscate the identity of the ultimate beneficial owners" (4). The verbatim title — "Restoring Integrity to America's Financial System" — frames red flags that have lived inside FFIEC examination guidance for two decades, but moves them into formal rule text on a federally-named timeline (1)(2). Federal banking regulators (OCC, Fed, FDIC, NCUA, CFPB) sit alongside Treasury on the consultation track, and the EO's beneficial-owners framing rhymes directly with the FinCEN BOI rule already in force.

The architectural problem runs deeper than the red-flag list. A customer identification programme built around document copies and database checks was designed to produce SAR filings after the fact — its evidence flow runs from onboarding capture to back-office review. It was not designed to produce per-red-flag evidence on demand against a federally-named taxonomy, which is what enhanced due diligence on the EO's three named categories will require.

This is where reusable verifier-private attestations earn their keep. A platform can prove a customer's verified status against each named red-flag category — lawful immigration status, foreign consular ID risk, shell-company conduit exposure — without re-keying document copies into every compliance model. The 90-day window closes mid-August; UK banks with US operations (HSBC, Barclays, Standard Chartered) run the same clock.

[Figure: horizontal six-event W22 timeline — Trump EO Federal Register publication, StablR multisig attack, CoinDesk disclosure, AMLA hearings with AU10TIX report, AMLA Day 2 with OFAC removals, and the 15 July BWRA consultation close date.]

AMLA's spring cascade: three hearings, one editorial week

AMLA — the EU Anti-Money Laundering Authority, based in Frankfurt — held three public hearings inside the W22 window. On 27 May the authority ran two sessions on three draft Implementing Technical Standards establishing common formats for cooperation between Financial Intelligence Units and reporting mechanisms to the EPPO (7). On 28 May AMLA convened a hearing on the draft Regulatory Technical Standards on Home-Host Supervisory Cooperation under Article 46(4) of Directive (EU) 2024/1640 (8), and a parallel hearing on the draft Guidelines on business-wide risk assessment under Article 10(4) of Regulation (EU) 2024/1624 (9). The BWRA consultation closes on 15 July 2026, with the cumulative cascade running through to September (10).

Three AMLA consultations landing in one editorial week is a tempo signal. Read together, they describe a single direction of travel — EU AML/CFT architecture is shifting from process attestation (did the obliged entity follow the procedure?) toward evidence portability (can the obliged entity produce machine-readable proof that travels with the customer across institutions?). The three drafts sit on the same architectural axis: regulators want the underlying evidence in a shape that travels.

Verifier-private customer attestations slot directly into the customer-risk arm of every consultation simultaneously. For obliged entities and credit institutions pricing their customer-risk evidence architecture against AMLA's direct supervision methodology, the cumulative close window of 60 to 120 days matters more than any individual consultation. Track all four standards together.

OFAC removes 76 outdated SDN entries in first modernisation tranche

On 28 May 2026 OFAC removed 76 entries from its Specially Designated Nationals and Blocked Persons List as the first tranche of Treasury's stated Sanctions Modernization Effort (11). The cohort includes deceased individuals, decommissioned vessels, persons designated as part of illicit financial networks that no longer exist, and individuals designated more than ten years ago who lack sufficient identifiers for continued screening. MLex carried independent corroboration the same day (12). The operational read is straightforward — list-side modernisation cuts the false positives generated by sanctions screening against entries with insufficient identifiers, reducing alert fatigue without altering the screening architecture that consumes the list.

The deeper read is the trans-Atlantic pattern. On 28 January 2026 the OFSI Consolidated List of Asset Freeze Targets closed and the UK Sanctions List became the only source for UK sanctions designations (13)(14). Two major sanctions regimes have pruned low-identifier entries inside four months of each other, with the same operational rationale. List discipline, not list growth, is the 2026 motif — Treasury has signalled subsequent tranches across H2 2026.

StablR's multisig compromise: the live test of MiCA's operational-resilience gap

On 24 May 2026 an attacker compromised a single key in StablR's 1-of-3 multisig token-minting wallet, added themselves as administrator, removed the legitimate signers, and minted approximately 8.35 million USDR and 4.5 million EURR — about $13.5M in unbacked crypto-assets — before StablR froze both tokens (15). CoinDesk disclosed the incident on 26 May. StablR notified the Malta Financial Services Authority, the EMT issuer's NCA, under MiCA Article 30 and Article 19 of the Digital Operational Resilience Act (DORA) (15). Root-cause analyses from Blockaid and GoPlus Security identified the compromise as a key-management failure rather than a smart-contract flaw (16). StablR holds MiCA authorisation as an e-money token issuer.

A MiCA-authorised EMT issuer running a 1-of-3 multisig on the token-minting key is the live operational-resilience case study for the AMLA / EBA RTS package now under consultation. MiCA's reserves-and-disclosures perimeter regulates what the issuer must publish in its white paper and how reserve backing must be structured; it does not currently mandate signer thresholds, HSM isolation, or cryptographic key-management practices for the minting infrastructure that creates tokens against those reserves. The StablR incident is exhibit A for why the next operational-resilience RTS round needs cryptographic key-management requirements rather than disclosure obligations alone.
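A minimal policy model of the failure mode described above, added here as an illustration and not StablR's code: an M-of-N wallet in which enrolling a signer, evicting a signer and minting must each clear the same threshold. The signer names, the `ThresholdWallet` wrapper and the replay harness are constructed; the 8.35M USDR figure is the one the article cites.

```python
"""Threshold-policy model of a multisig minting wallet (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class ThresholdWallet:
    signers: set
    threshold: int            # M in an M-of-N scheme
    supply: int = 0
    log: list = field(default_factory=list)   # (action, valid approvers, passed)

    def _authorised(self, action, approvals):
        # Only currently enrolled signers count toward the threshold.
        valid = approvals & self.signers
        passed = len(valid) >= self.threshold
        self.log.append((action, sorted(valid), passed))
        return passed

    def add_signer(self, new, approvals):
        if not self._authorised("add_signer", approvals):
            return False
        self.signers.add(new)
        return True

    def remove_signer(self, old, approvals):
        # Eviction must clear the threshold and must not leave fewer
        # signers than the threshold needs.
        if not self._authorised("remove_signer", approvals):
            return False
        if len(self.signers) - 1 < self.threshold:
            return False
        self.signers.discard(old)
        return True

    def mint(self, amount, approvals):
        if not self._authorised("mint", approvals):
            return False
        self.supply += amount
        return True


def replay_compromise(threshold):
    """Replay the article's sequence (one stolen key, self-enrol, evict the
    legitimate signers, mint) against an M-of-3 wallet.
    Returns (actions that passed, resulting supply, denied actions)."""
    w = ThresholdWallet({"k1", "k2", "k3"}, threshold)
    stolen = {"k1"}                      # the single compromised key
    w.add_signer("attacker", stolen)
    for legit in ("k2", "k3", "k1"):
        w.remove_signer(legit, {"attacker"})
    w.mint(8_350_000, {"attacker"})      # USDR figure from the article
    passed = sum(1 for _, _, ok in w.log if ok)
    denied = [action for action, _, ok in w.log if not ok]
    return passed, w.supply, denied
```

With a 1-of-3 threshold every step passes and the supply inflates; at 2-of-3 the same stolen key is denied at the first step, and the denied log entries are the events a defender would alert on.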

The shape of the exposed gap is worth naming. Disclosure without specified cryptographic mechanism is what MiCA Article 30 currently is — the issuer must report ICT incidents under DORA Article 19, but the perimeter does not specify the key-management architecture that would have prevented the incident. The same shape exists in document-centric KYC: a perimeter that names the obligation without specifying the cryptographic mechanism that meets it. AMLA / EBA RTS consultations on operational resilience for crypto-asset service providers continue through Q3 2026.

AU10TIX Q1 2026: when the threat model shifts from forgery to generation

On 27 May 2026 AU10TIX published its Q1 2026 Global Identity Fraud Benchmark Report. The dataset covers more than 9 million identity verification transactions processed between 1 January and 31 March 2026, and the headline finding is structural — AI-generated identity fraud has surpassed physical document forgery for the first time on record as the dominant attack class against identity-verification stacks (17). The report identifies three coordinated attack sub-classes: synthetic faces, AI-rendered document layouts, and synthetic-identity stacks assembled from generated artefacts that pass document and biometric checks.

Document-centric verification was designed against a physical-forgery threat model. The optical and tactile features of a physical ID — substrate fingerprint, printing artefacts, embedded security feature — were the integrity surface, and document verification was the discipline of detecting their alteration. AI-generated documents do not have those features to attack. When the threat model shifts from forgery to generation, the integrity surface moves from the document itself to the issuer that stands behind it. Issuer-bound verification answers the substituted question — not "does this document look genuine" but "can the holder produce a verifiable attestation against an authoritative issuer".

This is the substitution Zero-Knowledge KYC was architected for — a reusable issuer-bound attestation that proves the holder's verified status against KYC checks and sanctions screening without re-circulating the underlying document copy, and without the receiving platform ever holding the raw personal data the AI-generated fraud class is built to spoof. The eIDAS 2.0 EUDI wallet is the public-sector instance of the same architectural answer; our earlier coverage of the December 2026 EUDI deadline traces how the public-sector and private-sector tracks converge on the same shape.

[Figure: side-by-side comparison — document-bound verification (ID scan, OCR, database lookup) bypassed by AI-generated fraud, next to issuer-bound attestation (authoritative issuer, signed attestation, verifier-private proof) producing verified status.]

Five news items, one architectural diagnosis

Five news items, one shared architectural diagnosis. The US is naming red-flag categories on a 90-day clock without specifying how covered institutions produce per-category evidence. The EU is convening three RTS hearings without specifying the cryptographic mechanism that meets the obligation. Treasury is pruning a sanctions list without altering the screening architecture. A MiCA-authorised stablecoin issuer just demonstrated what happens when a perimeter names the obligation without specifying the mechanism. AU10TIX's benchmark explains the why-now — the threat model has shifted, and the architectures that were good enough for the previous one are not good enough for this one.

On the calendar: FinCEN's 90-day clock runs to mid-August; the BWRA consultation closes 15 July with the cascade carrying through to September; OFAC's subsequent tranches arrive across H2 2026. Track the proposed-rule and consultation-close dates, not the press cycles.

Sources

(1) Federal Register. "Restoring Integrity to America's Financial System (Executive Order 14406)." 22 May 2026. https://www.federalregister.gov/documents/2026/05/22/2026-10400/restoring-integrity-to-americas-financial-system

(2) The White House. "Restoring Integrity to America's Financial System (Presidential Action)." 19 May 2026. https://www.whitehouse.gov/presidential-actions/2026/05/restoring-integrity-to-americas-financial-system/

(3) Cooley LLP (Finsights). "White House Issues Executive Orders Targeting Financial System Integrity, Fintech Innovation." 22 May 2026. https://finsights.cooley.com/white-house-issues-executive-orders-targeting-financial-system-integrity-fintech-innovation/

(4) Ogletree Deakins. "New Executive Order Calls for Stricter Vetting by Financial Institutions." 28 May 2026. https://ogletree.com/insights-resources/blog-posts/new-executive-order-calls-for-stricter-vetting-by-financial-institutions/

(7) AMLA. "AMLA holds public hearings to consult on draft ITS for FIU cooperation." 13 May 2026 (news page); hearing 27 May 2026. https://www.amla.europa.eu/amla-holds-public-hearings-consult-draft-its-fiu-cooperation_en

(8) AMLA. "AMLA holds public hearing to consult on Draft RTS for Home-Host Supervisory Cooperation." 11 May 2026 (news page); hearing 28 May 2026. https://www.amla.europa.eu/amla-holds-public-hearing-consult-draft-rts-home-host-supervisory-cooperation_en

(9) AMLA. "Public Hearing on the draft Guidelines on business-wide risk assessment." Hearing 28 May 2026. https://www.amla.europa.eu/events/public-hearing-draft-guidelines-business-wide-risk-assessment-2026-05-28_en

(10) AMLA. "Consultation on the draft Guidelines on business-wide risk assessment." Consultation period to 15 July 2026. https://www.amla.europa.eu/policy/public-consultations/consultation-draft-guidelines-business-wide-risk-assessment_en

(11) US Treasury. "Treasury Begins Sanctions Modernization Effort by Removing Outdated Entries (Press Release SB0509)." 28 May 2026. https://home.treasury.gov/news/press-releases/sb0509

(12) MLex. "US removes sanctions on 76 targets in 'modernization' effort." 28 May 2026. https://www.mlex.com/mlex/financial-crime/articles/2483090

(13) UK Government (GOV.UK). "The UK Sanctions List." Effective 28 January 2026. https://www.gov.uk/government/publications/the-uk-sanctions-list

(14) Skadden Arps. "UK Moving to a Single List for UK Sanctions Designations." 20 January 2026. https://www.skadden.com/insights/publications/2026/01/uk-moving-to-a-single-list-for-uk-sanctions-designations

(15) CoinDesk. "StablR freezes USDR and EURR after attacker mints $13.5 million in unbacked tokens." 26 May 2026. https://www.coindesk.com/markets/2026/05/26/stablr-freezes-usdr-and-eurr-after-attacker-mints-usd13-5-million-in-unbacked-tokens

(16) The Block. "StablR's EURR and USDR depeg after attacker mints $13.5 million in unbacked tokens through multisig exploit." 26 May 2026. https://www.theblock.co/post/402429/stablrs-eurr-and-usdr-depeg-after-attacker-mints-13-5-million-in-unbacked-tokens-through-multisig-exploit

(17) AU10TIX (via PR Newswire). "Identity Fraud Has Industrialized: AU10TIX Finds AI-Generated Fraud Surpassed Physical Forgery for the First Time." 27 May 2026. https://www.prnewswire.com/news-releases/identity-fraud-has-industrialized-au10tix-finds-ai-generated-fraud-surpassed-physical-forgery-for-the-first-time-302782723.html

