Skip to content
← Dossiers

Hot topics · regulator priorities

What's live now — FCA, FINMA and the EU

July 2026·UK · CH · EU
RegulatoryCryptoAMLCurrent

A maintained board of the themes currently occupying the FCA, FINMA and the EU authorities — each with what is happening, why it matters, and what a well-advised firm does about it. Drawn from the primary documents, not commentary.

Three supervisors, one direction of travel.

How this board is kept honest

Reviewed quarterly against the primary sources: FCA consultation papers and priorities, FINMA Guidance and the annual Risk Monitor, and the AMLA / ESMA / EBA workplans. Every card carries its source and the date it was last verified — currently July 2026.

Each card below carries a heat tagLive now, Deadline set, or Direction — indicating how immediate the item is.

FCA — United Kingdom

The final crypto rulebook lands

Heat: Live now · Published 30 Jun 2026

The FCA published its final policy statements and guidance, completing the crypto roadmap. Highlights: a bespoke prudential sourcebook (CRYPTOPRU) with capital and annual self-designed stress tests; stablecoin standards eased after consultation — the K-SII capital coefficient cut from 2% to 1% with a £350k permanent minimum, plus backing-asset and redemption rules; a new Market Abuse Regime for Cryptoassets (MARC); Consumer Duty and Ombudsman access for retail; DeFi in scope where there is an identifiable controlling entity.

  • Trigger — Final policy statements under the FSMA (Cryptoassets) Regulations 2026. Still to come: the perimeter policy statement (Sep 2026) and consultations on DeFi guidance, DLT operational resilience and the Financial Crime Guide.
  • Who — Trading platforms (QCATPs), intermediaries, custodians, staking arrangers and stablecoin issuers serving UK clients; systemic stablecoins supervised jointly with the Bank of England.
  • When — Pre-application (PASS) meetings from Jul 2026; gateway 30 Sep 2026 – 28 Feb 2027; mandatory regime 25 Oct 2027.

So what — Gap analysis can now run against final text, not drafts — and existing AML registration does not convert, so the authorisation case must be built from scratch.

Source: FCA — final rules press release

Cryptoasset authorisation gateway

Heat: Deadline set · Gateway opens 30 Sep 2026

The application window for the new FSMA cryptoasset regime runs 30 September 2026 – 28 February 2027, ahead of commencement on 25 October 2027. CP26/13 consulted on the perimeter; the final perimeter policy statement lands in September. History sets the bar: the FCA rejected or saw withdrawn over 90% of MLR crypto registrations.

  • Trigger — FSMA 2000 (Cryptoassets) Regulations 2026 — a statutory instrument widening the regulated perimeter; CP26/13 consults on the guidance interpreting it.
  • Who — UK crypto exchanges, custodians, staking/lending providers, stablecoin issuers — including firms holding only MLR registration today.
  • When — Apply 30 Sep 2026 – 28 Feb 2027; regime live 25 Oct 2027.

So what — Application quality is existential. Pre-application file-building — BWRA, monitoring evidence, governance — is exactly a rapid-review engagement.

Source: FCA — cryptoasset regime

Market abuse comes to crypto

Heat: Direction · CP25/15 · Feb 2026

MAR-equivalent rules extend to cryptoasset markets under the new regime — wash trading, spoofing and insider dealing on crypto venues become enforceable offences on a par with equities.

  • Trigger — The same Cryptoassets Regulations, plus FCA consultation CP25/15 on market-integrity rules for crypto venues.
  • Who — Trading platforms, brokers and market-makers in cryptoassets serving UK clients.
  • When — With the new regime — Oct 2027; surveillance build must start earlier.

So what — Trading venues need surveillance capability they have never had to evidence before; expect early test cases.

Source: FCA — cryptoassets regime policy statements

Change-in-control & sanctions tightening

Heat: Live now · MLR Amendments · 2026

The Money Laundering (Amendment) Regulations 2026 strengthen scrutiny of who owns and controls registered crypto businesses (revised Schedule 6B) and stitch AML into the broader sanctions and national-security framework; some measures bite from February 2027.

  • Trigger — Money Laundering and Terrorist Financing (Amendment) Regulations 2026 — an SI amending the MLRs 2017.
  • Who — FCA-registered cryptoasset businesses, their owners, and anyone acquiring control of one.
  • When — Most provisions 2026; crypto-specific measures phased to Feb 2027.

So what — Ownership changes now attract supervisory scrutiny earlier — map your cap table before the regulator does.

Source: MLRs 2017 — the SI (as amended)

AI in AML — allowed, if explainable

Heat: Direction · Ongoing

The FCA accepts AI in transaction monitoring and customer risk assessment on one condition: the firm can explain why the model produced the outcome. Supervisors themselves are using advanced analytics to spot AML weaknesses earlier.

  • Trigger — Supervisory expectation under the existing MLRs 2017 and SYSC — no new statute; the standard arrives through supervision.
  • Who — Any firm using AI or machine scoring in monitoring, screening or customer risk assessment.
  • When — Now — applied in current supervisory reviews.

So what — Model documentation and explainability testing become part of the AML file — a reviewable, evidenceable artefact.

Source: FCA — financial crime

FINMA — Switzerland

FINIG amendment — the two new licences

Heat: Deadline set · Consultation closed 6 Feb 2026

The Federal Council's proposal creates a payment-institution licence (stablecoin issuance, FinTech cap removed) and a crypto-institution licence (custody incl. staking, trading, exchange) — moving crypto intermediaries from SRO-only oversight to direct FINMA supervision.

  • Trigger — Federal Council consultation to amend the Financial Institutions Act (FinIA/FINIG) and Art. 1b Banking Act — primary legislation, so Parliament decides.
  • Who — Swiss crypto custodians, exchanges, staking providers and stablecoin issuers currently under SRO-only AML supervision.
  • When — Consultation closed 6 Feb 2026; dispatch to Parliament next — realistically in force 2027–28.

So what — The end of the SRO era for crypto. Positioning work — gap analysis against the draft licence conditions — should start before the dispatch is published.

Source: FINMA — news

AML risk analysis judged on substance

Heat: Live now · Guidance 04/2026 · 4 Jun 2026

FINMA's re-review of banks' Art. 25(2) AMLO-FINMA risk analyses: risk tolerance must be documented and translated into limits; KRIs are not limits; systematic exceptions-to-policy read as an undeclared change of risk appetite. Explicitly extended to FinIA institutions.

  • Trigger — FINMA Guidance 04/2026, interpreting the existing duty in Art. 25(2) of the FINMA AML Ordinance — no new law, sharpened expectations.
  • Who — Banks first; explicitly also portfolio managers, trustees and other FinIA-licensed institutions.
  • When — Now — the benchmark for current audits and supervisory reviews.

So what — The risk analysis is now a supervisory benchmark for enforcement exposure. An independent substance-check of it is cheap insurance.

Source: FINMA — Guidance 04/2026 (risk analysis)

Crypto custody & digital fraud

Heat: Live now · Guidance 01/2026 + Apr 2026

Custody delegations to foreign sub-custodians only where equivalent supervision and insolvency protection exist; separately, new guidance on digital fraud risks targets online onboarding fraud and account takeover — with the laundering of fraud proceeds through bank accounts squarely in frame.

  • Trigger — FINMA Guidance 01/2026 (custody) and the April 2026 digital-fraud guidance — supervisory interpretations of existing banking and AML law.
  • Who — Crypto service providers using foreign sub-custodians; banks and Art. 1b fintechs with online onboarding.
  • When — Now — both apply immediately as supervisory expectations.

So what — Custody-chain mapping and onboarding-fraud controls are now inspectable expectations, not best practice.

Source: FINMA — digital fraud guidance

Operational resilience — the uneven middle

Heat: Live now · In force 1 Jan 2026

Guidance 05/2025 benchmarked 267 institutions against Circular 23/1: only 12–15% had integrated resilience into one framework, and 85% of the largest categories had not yet tested. Half of reported cyberattacks came through outsourcing partners.

  • Trigger — FINMA Circular 2023/1 (the binding rules) read through Guidance 05/2025 (the market-wide gap report).
  • Who — Banks, securities firms and financial-market infrastructures — pressure highest on supervisory categories 1–3.
  • When — Expectations in force since 1 Jan 2026; the 2026 supervisory cycle tests them.

So what — FINMA has told the market where the gaps are, with numbers. Institutions should assume the 2026 cycle inspects exactly those gaps.

Source: FINMA — annual media conference 2026

EU — AMLA · ESMA · EBA

AMLA is operational

Heat: Live now · Operational since 1 Jul 2025

The new authority has assumed EU-level AML/CFT responsibilities and is building toward direct supervision of the highest-risk cross-border entities. The single rulebook (AMLR) applies from 10 July 2027 — the technical standards defining it are being written now.

  • Trigger — The AMLA Regulation (EU) 2024/1620 — directly applicable EU law creating the authority.
  • Who — National FIUs and supervisors immediately; the highest-risk cross-border financial groups (including CASPs) face selection for direct supervision.
  • When — Took up operations 1 Jul 2025 (the EBA→AMLA handover of AML/CFT mandates completed 1 Jan 2026); direct supervision of selected entities from 2028.

So what — The selection criteria for direct supervision are the new strategic risk: know whether you could be on the list, and what the file would show if you were.

Source: AMLA — EBA/AMLA mandate handover (Jan 2026)

MiCA: the enforcement phase

Heat: Live now · Since 1 Jul 2026

The last transitional regimes closed on 1 July. National authorities moved from registration to enforcement — France's AMF published a blacklist of unauthorised providers and ordered orderly wind-downs, and BaFin has blocked offshore exchange domains. Passporting frictions between member states are the emerging pain point.

  • Trigger — MiCA — Regulation (EU) 2023/1114; Art. 143(3) set the grandfathering clock that has now run out.
  • Who — Every crypto-asset service provider serving EU clients, wherever incorporated — and the banks and funds exposed to them.
  • When — Transition closed 1 Jul 2026; enforcement is the current phase.

So what — Counterparty checks against the ESMA register are now table stakes; unauthorised-CASP exposure in your client base is a live regulatory liability.

Source: ESMA — Markets in Crypto-Assets Regulation (MiCA)

Travel rule with teeth

Heat: Live now · TFR in application

The Transfer of Funds Regulation applies FATF's travel rule to all CASP transfers — with EDD on third-country counterparties and verification of unhosted-wallet ownership. The rule is FATF Recommendation 16, extended to virtual assets; FATF's 2025 targeted update found most jurisdictions have laws but few have supervisory findings, and called for further work on VASP licensing and cross-border action; the EU intends to be the exception.

  • Trigger — Recast Transfer of Funds Regulation (EU) 2023/1113, implementing FATF Recommendation 16 for crypto transfers.
  • Who — All EU CASPs on every transfer — including identification duties around unhosted (self-custodied) wallets.
  • When — Applicable since 30 Dec 2024; supervisory findings now ramping.

So what — Counterparty-discovery and wallet-attribution capability is the differentiator — precisely a blockchain-analytics service line.

Source: FATF — Recommendation 16 / virtual assets

AMLR — the single rulebook countdown

Heat: Deadline set · Applies 10 Jul 2027

One directly-applicable AML regulation replacing national transpositions: harmonised CDD, beneficial-ownership at 25%, EU-wide cash cap, expanded obliged entities. Eighteen months of gap-analysis time remains.

  • Trigger — The AML Regulation (EU) 2024/1624 — a regulation, not a directive: it applies directly, with no national transposition to wait for.
  • Who — All obliged entities EU-wide — banks, CASPs, payment firms, plus newly-scoped sectors.
  • When — Applies 10 Jul 2027; AMLA technical standards land through 2026–27.

So what — Gap analyses against AMLR should run in 2026, not 2027 — remediation queues at the deadline will be long and expensive.

Source: EUR-Lex — Regulation (EU) 2024/1624 (AMLR)

The language, decoded

If you have been away for five years, start here. The cards above use the regulators' own vocabulary. Each term below is a different kind of instrument, with a different legal weight — knowing which is which tells you how seriously, and how quickly, to react.

Statute vs statutory instrument

A statute (Act of Parliament / federal act) is primary law. A statutory instrument or ordinance is secondary law made under it — faster to change, equally binding. The UK MLRs and the Swiss AMLO are secondary law.

CP — consultation paper (e.g. CP26/13)

A formal FCA proposal, numbered by year (CP26/13 = 2026, paper 13). It is not the rulebook and not law: it publishes draft rules and invites comment. The final rules arrive months later in a Policy Statement (PS) and only then enter the FCA Handbook. Its value is direction of travel — in practice final rules change little from the CP, so reading one buys 12–18 months of preparation time.

FCA Handbook · PERG

The FCA's rulebook. PERG is its perimeter guidance — the chapter that answers "is my activity regulated at all?", which is where every crypto firm's analysis starts.

MLR registration vs FSMA authorisation

MLR registration is an AML-only check. FSMA authorisation is the full regime — governance, capital, conduct, Consumer Duty. The UK is moving crypto from the first to the second.

FINMA Guidance vs Circular vs Ordinance

Three instruments, descending legal weight. An ordinance (Verordnung) is binding secondary law. A circular (Rundschreiben) is FINMA's published interpretation of law, applied in supervision. Guidance (Aufsichtsmitteilung / Communication / Comunicazione) creates no new rules: it reports findings and states expectations, which FINMA applies from publication. Originals are authoritative in DE, FR and IT; English versions are translations.

EU Regulation vs Directive

The refresher: a regulation applies directly in every member state, word for word, from its application date; a directive must first be transposed into national law, which takes years and varies by country. MiCA, the TFR, the AMLR and the AMLA founding text all take the direct form — the EU chose speed and uniformity. Why it matters at both desks: the practitioner gets one text to comply with and no national gloss to hide behind; the strategist gets hard, simultaneous dates across 27 markets — the compliance calendar is the market-entry calendar.

RTS / ITS

Regulatory / implementing technical standards: the detailed rules an EU regulation delegates to agencies (AMLA, EBA, ESMA) to draft, adopted by the Commission. The AMLR's real content is arriving this way through 2026–27.

CASP vs VASP

Same actors, two vocabularies: VASP is FATF's global term; CASP is MiCA's licensed category. ESMA has maintained the EU-wide public register of authorised CASPs since national authorisations began in 2025 — the first pan-EU list of who may lawfully serve EU clients, and since the 1 July 2026 transition cut-off, the definitive one. If a counterparty is not on it, it cannot lawfully serve EU clients.

AMLA — mind the collision

In EU usage, AMLA is the new Anti-Money Laundering Authority in Frankfurt. In Swiss usage, AMLA is the Anti-Money Laundering Act of 1997. This board uses the EU sense in the EU column and the Swiss sense on the Swiss AML page.

Where probative.io comes in

Each topic on this board maps to a skill we already field. Not commentary — working capability: secure intake, independent analysts, and analytics that produce the evidence these regimes now demand. How a review runs →

  1. Authorisation file-building — BWRA, governance and monitoring evidence assembled to gateway standard — for the FCA window and, in time, the Swiss crypto-institute licence.
  2. Independent AML risk-analysis review — a substance-check of the Art. 25(2) analysis against the Guidance 04/2026 benchmark, before the auditor or supervisor does the same.
  3. Monitoring & typology stress-testing — would your systems catch the known typologies? Tested with real scenarios, documented as evidence.
  4. Counterparty & wallet analytics — ESMA-register screening, travel-rule counterparty discovery and wallet attribution — the TFR's operational demands, run as a service.
  5. AMLR gap analysis — current controls mapped against the single rulebook and the incoming technical standards, with an evidenced remediation plan — in 2026, ahead of the queue.

Orientation, not advice · verify against the primary texts

Working on a matter this touches?

Start a conversation