This Week in Compliance: UK Wholesale Tokenisation and AMLA RTS

This was not a news week. It was an infrastructure week. Three Tier-A jurisdictions and one private-sector vendor move pulled in the same direction — supervisors are no longer accepting process-artefact compliance. They are defining the rails on which cross-border compliance programmes will be assessed. When the FCA and the Bank of England published their joint discussion paper on UK wholesale tokenisation on Monday, they did not simply announce a consultation — they sketched the rail every UK CASP will eventually authorise into. AMLA opened its public hearing on group-wide AML/CFT standards. Treasury OFAC designated the conversion point itself in the Iran sanctions stack. The CFTC rewrote the cooperation framework to gate declination on auditable evidence. And Sumsub answered the regulator-heavy week by widening the bundled-PII envelope.

The thread running through all five items is architectural. Compliance programmes built on point-in-time artefacts will struggle with all four regime moves at once. The architectural alternative is portable, verifiable customer-identity evidence that travels with the customer across rails, jurisdictions, and timelines — designed in alongside the rail, not bolted on after the supervisor arrives.

What the FCA-BoE joint paper actually proposes for UK wholesale tokenisation

On 18 May 2026 the Financial Conduct Authority and the Bank of England, working with the PRA, published a joint discussion paper covering the prudential treatment of tokenised assets, the design of tokenised collateral frameworks, settlement-instrument standards, and near-24/7 infrastructure for UK wholesale financial markets (1)(2). Simon Walls (FCA executive director for markets) and Sarah Breeden (Bank of England deputy governor for financial stability) framed the publication. The Digital Securities Sandbox, now hosting 16 active firms, was cited as the live proof point that the regulatory framework rests on. Feedback closes 3 July 2026; a feedback statement is targeted for summer 2026 (1)(3).

Linklaters' analysis flagged the distinctive structural feature: this is the first cross-authority roadmap on tokenisation in UK wholesale markets that the FCA and BoE have published in lockstep in 2026. The authorities committed to publish a full cross-authority roadmap for the digitalisation of wholesale markets later in 2026 (2). The implication for compliance teams is direct — the prudential treatment of tokenised exposures and the tokenised-collateral framework are being designed alongside the AML perimeter rather than after it. Distributed ledger technology (DLT) is treated as infrastructure, not as a theoretical category; tokenised securities such as bonds, equities, and fund units sit explicitly inside the scope.

Every UK CASP scoping authorisation under FCA CP26/13 will eventually align its customer-identification evidence to the wholesale-tokenisation rail the FCA and BoE are now defining together. Settlement instruments and tokenised collateral move on a different cadence than legacy market plumbing, and customer-identity evidence has to keep up. The compliance perimeter for UK CASPs authorising onto this rail will need customer-identity evidence that travels with the user across the rail — not document copies that have to be re-collected per integration. That is what “portable” means when you write it in supervisory architecture rather than marketing copy.

The 3 July 2026 feedback deadline is the next operative date. The summer 2026 feedback statement is the bigger watch item for any firm modelling UK wholesale tokenisation against its own product roadmap.

Draft RTS reshapes group-wide AML/CFT for cross-border groups

On 20 May 2026 the Anti-Money Laundering Authority held a public hearing on the draft Regulatory Technical Standards under Articles 16(4) and 17(3) of Regulation (EU) 2024/1624 — the AMLR (4)(5). The RTS sets out the design and implementation requirements for group-wide AML/CFT frameworks across cross-border structures. Three substantive provisions sit at its centre: information-sharing among group entities, criteria for identifying the EU parent undertaking where multiple obliged entities connect to a head office in a third country, and additional measures for branches and subsidiaries operating in third countries outside the EU AML perimeter (4)(6). A&O Shearman's analysis confirms the consultation closes 15 June 2026 and AMLA's statutory delivery to the European Commission is targeted for 30 September 2026, inside the 12-month statutory window the AMLR specifies from its entry into force (6).

The architectural read: multinational obliged entities will have to demonstrate that the EU parent and every subsidiary — including third-country branches — apply a coherent set of customer-identification measures across jurisdictions where document standards, supervisory authorities, and FIU capabilities vary widely. Re-collection at every entry point does not scale. The RTS codifies information-sharing duties across the group as a regulatory expectation, not a commercial choice. This is the same UBO evidence architecture the EU is rebuilding on a wider front — a portability problem in compliance dress.

Consultation closes 15 June 2026; AMLA's statutory submission to the European Commission lands 30 September 2026. From 2027 onwards, the RTS is the framework against which group-wide AML/CFT design will be assessed for multinational obliged entities. On the natural-person side of that harmonisation, portable customer-identity attestations remove the re-collection problem when a customer is onboarded across multiple subsidiaries. The business-side harmonisation the RTS also covers — group structures, parent-undertaking criteria, third-country branches — sits in counterparty-verification and entity-level tooling that an obliged entity sources separately. The natural-person attestation layer and that business-side layer are different evidence stacks; an honest reading separates the two.

OFAC moves sanctions screening up to the conversion point

On 19 May 2026 Treasury OFAC designated Iran-based foreign exchange house Amin Exchange — Ebrahimi and Associates Partnership Company — together with its front-company network across UAE, Türkiye, and Hong Kong and 19 vessels involved in petroleum and petrochemical transport (7)(8)(10). The action was framed under the “Economic Fury” campaign with Executive Order 13902 as the statutory hook. Treasury Secretary Scott Bessent and the State Department co-announced (9). Across more than 50 designated companies, individuals, and vessels, the tranche reads as the most consequential US sanctions action of the quarter (10).

Treasury described Amin Exchange as facilitating hundreds of millions in transactions for sanctioned Iranian banks, the National Iranian Oil Company (NIOC), and the Persian Gulf Petrochemical Industry Commercial Company (8). The exchange house was the conversion point between commodity revenues and usable financial channels — the place where the proceeds of Iranian oil sales crossed from real-economy revenue into Iran's shadow banking system. Designating the exchange house AND the front-company network in the same action lifts sanctions screening from “downstream typology” — catch the suspicious wire after it has moved — to “the conversion point itself,” where the exchange house is the designated entity. Bessent put it plainly: “Iran's shadow banking system facilitates the illicit transfer of funding for terrorist purposes” (8).

For any payment provider, fintech, or DASP with USD-corridor exposure to commercial accounts in the UAE, Türkiye, or Hong Kong, the front-company network is now mapped. Secondary-sanctions exposure for non-US institutions extends to anyone that processed value through this network. The geographic specificity matters — front companies in those three jurisdictions is not generic, it is the compliance map. The IRGC nexus runs through the named individuals: Amin Exchange's CEO is identified as a former IRGC officer (8). The shadow fleet of 19 vessels closes the petrochemical loop.

The architectural take is narrow and important. The conversion-point designations sit at the entity and transaction-flow layer; the natural-person KYC side handles whether the customer behind the wallet is on the sanctioned-persons list. Both layers are needed, and they sit in different tools. At verification time, Verifyo screens the natural-person customer against the sanctioned-persons list — that is the sanctioned boolean in the attestation. Transaction-monitoring platforms and entity-screening tools handle the conversion-point and front-company-network layer that an OFAC tranche like this one operates against. Verifyo does not run transaction monitoring or business-entity verification.

CFTC Enforcement rewrites the cooperation-credit framework

On 19 May 2026 CFTC Director of Enforcement David I. Miller issued staff advisory CFTC Letter No. 26-15 establishing the Division's new cooperation policy, effective immediately and superseding all prior advisories on the subject (11)(12). Under the framework, respondents who voluntarily self-report, fully cooperate, effect timely and appropriate remediation, and provide full restitution or disgorgement secure a path to case declination — absent aggravating circumstances. Sullivan & Cromwell's analysis identifies three tiers: full declination for parties meeting all eligibility criteria; penalty reductions of 25–75% for ineligible self-reporters or those with aggravating factors; and up to 25% residual cooperation credit for non-self-reporters (12). The advisory aims to “incentivize cooperation, simplify our approach to cooperation credit, and operate more fairly with parties before the division” (11).

The architectural read is what links this to the rest of the week. The declination path is gated on evidence. The firm has to demonstrate consistent CIP/KYC across the cooperation timeline — the issue-detection moment, the remediation period, the restitution calculation, the root-cause analysis Sullivan & Cromwell flags as part of the “remediation” definition (12). Firms holding reusable, verifier-private customer attestations can demonstrate that consistency without re-running document collection on incumbent customers when the evidence trail is being assembled for a Division of Enforcement sub-investigation. The cooperation narrative is then supported by an evidence trail the firm already holds, not by a forensic reconstruction.

The CFTC cooperation framework joins the FCA, AMLA, and Treasury direction — auditable, evidence-based programme assessment is becoming the supervisory default. A compliance programme is being assessed on what it can actually defend on a supervisor's timeline, not on what artefacts were filed at the front of the timeline.

Sumsub launches a Marketplaces vertical — the bundled-PII envelope widens

On 21 May 2026 Sumsub announced an AI-powered “Sumsub for Marketplaces” platform packaging merchant, seller, and buyer identity verification, behavioural analytics, transaction monitoring, real-time fraud detection and risk scoring, promotion-abuse prevention, and chargeback protection for two-sided platforms in a single vertical SKU (13). Sumsub's chief product officer framed the launch around balancing growth and fraud prevention for marketplaces and e-commerce platforms. Sumsub was named in our crypto KYC providers cohort split earlier this week; the Marketplaces launch is the same vendor's vertical-suite extension. It reads as the private-sector cohort response to a regulator-heavy week — bundle more workflows under one vendor envelope.

The architectural contrast is the more important story. When a vendor packages onboarding, transaction monitoring, and risk scoring into a single vertical, it concentrates more stored customer PII under one vendor's data store than the per-check architecture did. Two-sided marketplaces are particularly exposed because the platform holds identity documents for both sides of every transaction — merchant and buyer. The compliance benefit is operational (fewer integration points, one supplier relationship); the architectural cost is that the honeypot grows.

Bundling more PII workflows under one vendor envelope is one architectural answer to compliance complexity. The other architectural answer is to remove the PII from the receiving platform's data store entirely. This is the architecture we built Verifyo around — integrating platforms receive proof of compliance status (the JSON attestation: kyc_status: verified, the document-country code, the age_over_18 boolean, and the six AML screening booleans for sanctions, PEP, criminal, barred, military, and adverse-media), not document images. The customer's identity documents never reach the platform's data store, so the honeypot a vendor consolidation creates is not the honeypot Zero-Knowledge KYC produces. The honest scope: Sumsub offers transaction monitoring and risk scoring as part of the Marketplaces vertical; Verifyo does not offer transaction monitoring today. For the identity-verification side both providers cover, the architectures diverge on whether the platform holds raw PII.

Tie the five items together: the four regulator moves all reward compliance designs where the customer-identity evidence is portable, verifiable, and consistent across rails and timelines. Bundled vendor envelopes concentrate the evidence in one data store; Zero-Knowledge KYC removes the document copies from the receiving platform entirely. Two architectural directions, one supervisory-architecture week.

What the week meant

Four Tier-A regulators and one vendor-cohort move bent in the same direction. The FCA + BoE joint paper is the supervisor saying “this is the rail every UK CASP will eventually authorise into, and the AML perimeter is being designed alongside it.” AMLA's group-wide RTS is the supervisor saying “cross-border group-wide AML/CFT is being codified into a portability problem.” OFAC's Amin Exchange tranche is the supervisor saying “sanctions screening is moving up to the conversion point itself, and the front-company network is mapped.” The CFTC's cooperation advisory is the enforcement architecture saying “auditable evidence of consistent CIP/KYC across the cooperation timeline is the gate to declination.” Sumsub's Marketplaces vertical is the vendor-cohort response — widen the bundled-PII envelope. The architectural alternative is data-minimisation: remove the PII from the receiving platform entirely, and let proof-of-compliance attestations travel with the customer.

On the calendar: FCA CP26/13 cryptoasset perimeter closes 3 June 2026, directly tied to the UK tokenisation thread; AMLA's group-wide RTS consultation closes 15 June 2026; the FCA-BoE wholesale tokenisation feedback deadline lands 3 July 2026 with the feedback statement targeted for summer. The supervisory question for the next quarter is no longer whether your compliance programme completed the checklist. It is whether your control system can produce coherent evidence across rails, jurisdictions, and timelines on demand.

Sources

(1) Financial Conduct Authority. “FCA and Bank of England set out shared vision for tokenisation in UK wholesale markets.” 18 May 2026. https://www.fca.org.uk/news/press-releases/fca-and-bank-england-set-out-shared-vision-tokenisation-uk-wholesale-markets

(2) Financial Conduct Authority. “Call for input: tokenisation joint vision for UK wholesale markets.” 18 May 2026. https://www.fca.org.uk/publications/calls-input/future-tokenisation-joint-vision-authorities-uk-wholesale-markets

(3) Bank of England. “FCA and Bank of England set out shared vision for tokenisation in UK wholesale markets.” 18 May 2026. https://www.bankofengland.co.uk/news/2026/may/fca-and-boe-set-out-shared-vision-for-tokenisation-in-uk-wholesale-markets

(4) AMLA. “Public Hearing on the draft RTS on group-wide minimum requirements and additional measures for subsidiaries and branches in third countries.” 20 May 2026. https://www.amla.europa.eu/events/public-hearing-draft-rts-group-wide-minimum-requirements-and-additional-measures-subsidiaries-and-2026-05-20_en

(5) AMLA. “Consultation on the draft RTS on group-wide minimum requirements and additional measures for subsidiaries and branches in third countries.” 9 April 2026. https://www.amla.europa.eu/policy/public-consultations/consultation-draft-rts-group-wide-minimum-requirements-and-additional-measures-subsidiaries-and_en

(6) A&O Shearman. “AMLA consults on group-wide requirements and guidelines for BWRAs.” 16 April 2026. https://finreg.aoshearman.com/amla-consults-on-group-wide-requirements-and-guidelines-for-bwras

(7) US Department of the Treasury. “Economic Fury Targets Networks Generating Billions for Iran's Terrorist Regime.” 19 May 2026. https://home.treasury.gov/news/press-releases/sb0502

(8) GlobalSecurity.org (republication of US Treasury press release). “Economic Fury Targets Networks Generating Billions for Iran's Terrorist Regime.” 19 May 2026. https://www.globalsecurity.org/wmd/library/news/iran/2026/05/iran-260519-treasury01.htm

(9) US Department of State, Office of the Spokesperson. “United States Sanctions Iranian Financial and Shipping Networks.” 19 May 2026. https://www.state.gov/releases/office-of-the-spokesperson/2026/05/united-states-sanctions-iranian-financial-and-shipping-networks

(10) Business Standard. “US imposes fresh sanctions on Iran-linked exchange firms, oil vessels.” 19 May 2026. https://www.business-standard.com/world-news/us-imposes-fresh-sanctions-on-iran-linked-exchange-firms-oil-vessels-126051901940_1.html

(11) US Commodity Futures Trading Commission. “CFTC Staff Issues Advisory on Cooperation in Enforcement Matters” (press release 9234-26). 19 May 2026. https://www.cftc.gov/PressRoom/PressReleases/9234-26

(12) Sullivan & Cromwell LLP. “CFTC Division of Enforcement Issues New Cooperation Policy Advisory.” 20 May 2026. https://www.sullcrom.com/insights/memo/2026/May/CFTC-Issues-New-Cooperation-Self-Reporting-Policy

(13) PR Newswire (Sumsub corporate press release). “Sumsub Introduces AI-powered Platform for Marketplaces.” 21 May 2026. https://www.prnewswire.com/news-releases/sumsub-introduces-ai-powered-platform-for-marketplaces-302778821.html