AML compliance for payment institutions is in a period of structural change. The EU Anti-Money Laundering Authority is becoming operational. Perpetual KYC is replacing periodic review cycles. AI-generated synthetic identities are defeating onboarding controls that were built for a different threat environment. And regulators are shifting from assessing whether controls exist to measuring whether they demonstrably work.

The regulatory landscape: AMLA and the EU AML single rulebook

The European Anti-Money Laundering Authority assumed operational authority in July 2025, taking direct supervisory responsibility for high-risk financial entities including certain crypto firms. AMLA's broader framework is moving toward a single EU AML rulebook — by 2027, firms operating across EU member states will follow one unified set of rules rather than navigating each country's national implementation of the EU AML directives. For payment institutions operating cross-border in the EU, this is operationally significant: compliance frameworks designed for the most demanding national implementation will largely transfer, but inconsistencies in transaction monitoring calibration and PEP screening thresholds that were acceptable under the directive regime will need to be resolved.

In the GCC, the CBUAE issued updated AML/CFT/CPF guidance in April 2026, covering proliferation financing risk, enhanced correspondent banking due diligence, trade finance monitoring expectations and dynamic ongoing monitoring replacing static periodic screening. SAMA's AML framework has been progressively tightened through 2024–2026, with particular focus on cross-border remittance corridors and virtual asset service providers. QCB maintains requirements broadly aligned with FATF recommendations, with enhanced expectations for cross-border payment monitoring given Qatar's significant expatriate remittance flows.

Know Your Customer: from periodic review to perpetual KYC

Traditional KYC operates on a scheduled cycle — low-risk customers reviewed every three to five years, high-risk customers annually. In practice, this means a customer whose risk profile changes materially — a politically exposed person status change, a sanctions addition, adverse media — may not be caught until the next scheduled review. Perpetual KYC (pKYC) replaces this with continuous, event-driven monitoring: when a trigger occurs, the system detects it and initiates a review immediately.

Deloitte estimates that institutions using pKYC achieve 60% better early risk detection compared to periodic review cycles. PwC analysis suggests KYC maintenance costs fall by up to 40% through automation of the review cycle. The business case is driven by reduced regulatory exposure and operational efficiency: manual periodic review at scale is expensive and error-prone.

The practical implementation requires integration between identity data stores, sanctions and PEP databases, adverse media monitoring, and case management systems. Many payment institutions carry this data across multiple disconnected platforms, which makes event-driven monitoring difficult. The institutions best positioned for pKYC are those that have already invested in unified compliance data platforms.
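The sketch below is an added example, not code from the article or from any vendor platform. It shows the event-driven pattern described above: each trigger opens a review case immediately, and the case records how many days the change would have gone unseen under the periodic cycle. The field names, the five-year low-risk interval, the escalation to high risk and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review intervals per tier (assumed: upper bound of the 3-5 year range for low risk).
REVIEW_INTERVAL_DAYS = {"low": 5 * 365, "high": 365}
TRIGGERS = {"pep_status_change", "sanctions_addition", "adverse_media"}

@dataclass
class Customer:
    customer_id: str
    risk_tier: str
    last_review: date
    def next_scheduled_review(self) -> date:
        return self.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[self.risk_tier])

def process_events(customers, events):
    """Open one review case per trigger event; return (cases, audit_log)."""
    cases, audit_log, open_keys = [], [], set()
    for ev in sorted(events, key=lambda e: e["date"]):
        cust = customers.get(ev["customer_id"])
        if cust is None or ev["type"] not in TRIGGERS:
            audit_log.append((ev["date"], ev["customer_id"], ev["type"], "ignored"))
            continue
        key = (cust.customer_id, ev["type"])
        if key in open_keys:  # feed delivered the same trigger again: no second case
            audit_log.append((ev["date"], cust.customer_id, ev["type"], "duplicate"))
            continue
        open_keys.add(key)
        # Days the change would have sat undetected under the periodic cycle.
        exposure = max((cust.next_scheduled_review() - ev["date"]).days, 0)
        cases.append({"customer_id": cust.customer_id, "trigger": ev["type"],
                      "opened": ev["date"], "source": ev["source"],
                      "days_ahead_of_periodic_review": exposure})
        cust.risk_tier = "high"  # assumed policy: escalate pending analyst decision
        audit_log.append((ev["date"], cust.customer_id, ev["type"], "case_opened"))
    return cases, audit_log

def demo():
    # Constructed sample data, not real customers or list entries.
    customers = {"C-001": Customer("C-001", "low", date(2024, 3, 1)),
                 "C-002": Customer("C-002", "high", date(2025, 9, 15))}
    events = [
        {"customer_id": "C-001", "type": "sanctions_addition", "date": date(2025, 6, 10), "source": "sanctions-feed"},
        {"customer_id": "C-001", "type": "sanctions_addition", "date": date(2025, 6, 11), "source": "sanctions-feed"},
        {"customer_id": "C-002", "type": "adverse_media", "date": date(2025, 11, 2), "source": "media-monitor"},
        {"customer_id": "C-999", "type": "pep_status_change", "date": date(2025, 7, 1), "source": "pep-feed"},
    ]
    return process_events(customers, events)
```

Every event, including ignored and duplicate ones, lands in the audit log, so the record shows why a feed item did or did not produce a case.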

PEP identification and sanctions screening

Politically Exposed Person identification is a foundational KYC obligation that is becoming increasingly complex. PEP databases have expanded significantly, and the definition of a PEP now encompasses not just the individual in public office but their immediate family members and known close associates. Identifying PEP status across a large customer base requires continuous screening against maintained databases — not a one-time check at onboarding.

The sanctions landscape has become substantially more complex. Sanctioned vessel profiles more than doubled between 2023 and 2025, driven by shadow fleet activity linked to Russia, Iran and Venezuela. Alternative payment channels, cryptocurrency, and complex corporate structures are being used to obfuscate sanctions exposure. AML screening that covers traditional account holders but not digital asset counterparties creates a regulatory gap that examiners are increasingly identifying. Global regulators imposed $3.8 billion in AML, KYC, sanctions and CDD penalties in 2025 — with fintechs, neobanks and crypto platforms absorbing some of the largest enforcement actions.

Fenergo's Global AML Fines Report shows approximately $4.6 billion in enforcement actions against financial institutions in 2024, reinforcing that PEP and sanctions screening failures remain among the most consistently penalised compliance gaps. The OKX enforcement ($504 million) and BitMEX ($100 million) in 2025 illustrate the scale of exposure for payment firms with inadequate controls.

AI in AML: the false positive problem and the adversarial threat

Rules-based transaction monitoring systems generate alert volumes that compliance teams cannot meaningfully review. False positive rates of 95–99% are common — meaning that for every genuine suspicious activity report, compliance teams review 20–100 alerts that lead nowhere. Machine learning models that incorporate customer risk profiles, transaction context and network analysis can substantially reduce false positive volumes while improving detection rates for genuine suspicious activity.

The 2026 regulatory direction is toward explainable AI in AML: regulators and boards expect firms to document how AI-driven decisions are made and to keep those decisions auditable. A model that produces a risk score without a traceable reasoning path is increasingly unacceptable to examiners. This requirement aligns with the EU AI Act's transparency obligations for high-risk AI systems and is being adopted as best practice by regulators globally.

The adversarial dimension is serious. AI can be used to systematically probe AML controls — testing transaction patterns to identify monitoring thresholds and blind spots across institutions. AI-generated deepfakes are actively defeating biometric liveness detection at onboarding. Payment institutions need to treat their compliance controls as systems under active attack and test them accordingly.

What payment institutions should be doing now

The most important structural question for compliance leaders in 2026 is whether onboarding, screening, transaction monitoring and case management are connected in a unified environment or operated as disconnected systems. Fragmented compliance architecture creates coverage gaps, makes investigation slow and expensive, and cannot deliver the audit trail that regulators increasingly require. Institutions that have not yet assessed their architecture against the AMLA single rulebook expectations should do so before 2027.