AML 2026: Navigating the New Compliance Landscape

ERM Pilot | Compliance Risk Management Series, Part 1 of 3 by William Hord - Chief Strategy Officer

The Anti-Money Laundering Act of 2020 (AMLA) initiated the most significant modernization of the U.S. anti-money laundering and countering the financing of terrorism (AML/CFT) framework in decades. While many institutions initially viewed AMLA as a future compliance challenge, examination expectations have already shifted. Regulators increasingly expect financial institutions to demonstrate not only awareness of regulatory changes, but also a disciplined process for assessing, implementing, and governing those changes.

Today, AML compliance is no longer evaluated solely through the effectiveness of transaction monitoring systems, Suspicious Activity Report (SAR) filings, or sanctions screening programs. Examiners are also assessing an institution's ability to adapt to a rapidly evolving regulatory environment.

AML Modernization Continues to Reshape Compliance Programs

The AML Act amended the Bank Secrecy Act in several significant ways, including expanded information-sharing authorities, a renewed focus on national AML/CFT priorities, and efforts to modernize beneficial ownership reporting requirements.

One of the most widely discussed components of AMLA was the Corporate Transparency Act (CTA), which established a beneficial ownership information reporting framework administered by FinCEN. However, litigation, regulatory revisions, and Treasury policy changes have substantially altered the scope and applicability of CTA reporting requirements since the law's original enactment. As a result, financial institutions continue to monitor developments closely while evaluating the potential operational implications for customer due diligence, beneficial ownership verification, and overall AML program governance.

At the same time, FinCEN's broader modernization agenda continues through ongoing rulemaking, guidance updates, and implementation of the national AML/CFT priorities framework. Financial institutions should expect continued regulatory evolution in areas such as beneficial ownership, information sharing, digital assets, and other emerging AML/CFT risks.

For institutions, the challenge is no longer simply understanding regulatory change. The challenge is building an organizational process capable of identifying, assessing, and implementing change in a timely and effective manner.

The Risk-Based Approach Is Receiving Increased Supervisory Attention

Federal regulators continue to emphasize that AML compliance programs must be risk-based and tailored to an institution's unique risk profile.

For credit unions, the NCUA's 2026 Supervisory Priorities identify BSA/AML/CFT compliance as a key examination focus area. Examiners are evaluating whether institutions have appropriately identified and assessed their specific risks and whether monitoring, due diligence, and control activities are proportionate to those risks.

This expectation is not new. What has evolved is the level of scrutiny surrounding implementation.

Institutions should expect examiners to closely evaluate how higher-risk customer categories, products, services, and geographic exposures are identified, assessed, and monitored. This may include digital asset-related businesses, high-cash-volume industries, foreign transactions, and customers operating in elevated-risk jurisdictions.

Programs that apply largely uniform monitoring and due diligence practices across all customer relationships may face increased scrutiny if they cannot demonstrate a clear connection between identified risks and implemented controls.

Examiners increasingly want to see evidence that institutions understand their unique risk environment and have allocated resources accordingly.

Sanctions Compliance in a More Complex Environment

Sanctions compliance remains a critical component of AML/CFT risk management.

The geopolitical environment has become significantly more complex over the past several years, driven by developments involving Russia, Iran, North Korea, cybercrime organizations, and digital asset-related sanctions programs. As sanctions regimes continue to evolve, institutions face increasing pressure to maintain effective screening, monitoring, and escalation processes.

Regulators are not simply evaluating whether sanctions screening systems exist. Examiners are focused on the effectiveness of those controls, including the quality of alert management processes, the timeliness of sanctions list updates, escalation procedures, and documentation supporting sanctions-related decisions.

For smaller institutions, including many credit unions, maintaining effective sanctions compliance programs can be particularly challenging as regulatory complexity grows while compliance resources remain limited.

Change Management Has Become an Examination Topic

One of the clearest themes emerging from recent supervisory guidance is the growing importance of regulatory change management.

Regulators increasingly expect institutions to demonstrate that they have a structured process for identifying regulatory developments, assessing operational impacts, updating policies and procedures, training personnel, and validating implementation.

In many respects, change management itself has become a compliance control.

As AML/CFT requirements continue to evolve, examiners are evaluating whether institutions possess the organizational infrastructure necessary to respond effectively to regulatory change. Institutions that rely on informal processes or ad hoc implementation efforts may find it increasingly difficult to demonstrate compliance readiness.

A sound AML change management program should include:

A formal process for monitoring FinCEN, OCC, NCUA, and other regulatory guidance;
Documented impact assessments for significant regulatory developments;
Defined ownership and accountability for implementation activities;
Policy and procedure updates aligned with regulatory changes;
Training programs tied to new requirements; and
Validation activities confirming that changes have been effectively implemented and operationalized.

Looking Ahead

The AML compliance environment into 2026 is defined by continuous change, evolving threats, and increasing supervisory expectations.

While transaction monitoring, SAR reporting, and sanctions compliance remain foundational, regulators are placing greater emphasis on governance, risk-based decision-making, and an institution's ability to adapt to regulatory change.

Organizations that establish strong change management processes, maintain truly risk-based AML programs, and demonstrate effective governance over evolving AML/CFT requirements will be better positioned to meet examiner expectations and manage emerging risks in the years ahead.

ERM Pilot's Compliance module includes a Regulations register, Obligations tracking, and Fig — our AI assistant — to help map regulatory changes to your compliance program efficiently. Start your free trial at ermpilot.com.

Article References —

1. Office of the Comptroller of the Currency. Fiscal Year 2025 Bank Supervision Operating Plan. Washington, D.C.: OCC, October 2024. Available at: https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf

2. National Credit Union Administration. NCUA's 2026 Supervisory Priorities. Letter to Credit Unions, January 14, 2026. Available at: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ncuas-2026-supervisory-priorities

3. National Credit Union Administration. 'NCUA Issues 2026 Supervisory Priorities Letter to Credit Unions.' Press Release, January 14, 2026. Alexandria, VA: NCUA. Available at: https://ncua.gov/newsroom/press-release/2026/ncua-issues-2026-supervisory-priorities-letter-credit-unions

4. Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2025. Washington, D.C.: OCC. Available at: https://www.occ.gov/publications-and-resources/publications/semiannual-risk-perspective/files/pub-semiannual-risk-perspective-spring-2025.pdf