What FATF, FCA and EBA Expectations Mean for Banks
As financial crime risks grow more complex, geopolitical instability reshapes exposure profiles, and enforcement actions continue to make headlines, 2026 is emerging as a defining year for Know Your Customer (KYC) and customer due diligence (CDD). Banks are operating in an environment characterised by volatile sanctions regimes, increasingly complex ownership structures, heightened fraud risk, and sustained regulatory pressure to evidence effectiveness rather than intent.
Across jurisdictions, regulators are no longer asking whether firms have KYC policies, procedures, and systems in place. Instead, they are asking whether those controls work in practice, whether they are proportionate to risk, and whether senior management can demonstrate clear oversight and accountability. In this context, KYC is no longer viewed as a static onboarding exercise, but as a continuous risk management discipline that spans the entire customer lifecycle.
Signals from the Financial Action Task Force (FATF), the UK Financial Conduct Authority (FCA), and the European Banking Authority (EBA) all point in the same direction: deeper scrutiny of onboarding quality, beneficial ownership identification, governance, management information, and the controlled use of technology. For banks, the implication is clear, KYC is becoming a core supervisory priority and a board‑level issue, not merely a compliance function.
From policy to proof: FATF’s effectiveness agenda shapes 2026
The FATF’s October 2025 update to its Recommendations did not radically rewrite global AML and KYC standards. Instead, it reinforced a theme that has been building for several years: the gap between formal compliance and real‑world effectiveness. FATF has been explicit that technical adherence to requirements is insufficient if it does not result in meaningful risk mitigation.
This emphasis is reflected in the fifth round of FATF mutual evaluations (2024–2027), which place heavy weight on outcomes and effectiveness. Countries and by extension the firms operating within them are assessed on whether KYC frameworks genuinely enable institutions to identify, assess, and manage financial crime risk. Throughout 2026, banks can expect national regulators to intensify supervisory engagement as they prepare for or respond to evaluation findings.
For financial institutions, FATF’s direction of travel means supervisors will increasingly test:
- Whether beneficial ownership determinations are supported by corroborated evidence rather than unsupported declarations
- Whether customer risk assessments meaningfully influence the depth, frequency, and intensity of CDD measures
- Whether ongoing customer understanding is refreshed dynamically when risk indicators change
- Whether documentation is sufficiently clear, consistent, and auditable to support supervisory review
KYC programmes that rely heavily on static checklists, templated narratives, or infrequent periodic reviews are increasingly misaligned with FATF’s expectation of continuous, risk‑based customer due diligence.
FCA supervision in 2026: data, outcomes and accountability
In the UK, financial crime remains one of the FCA’s most prominent supervisory priorities, and the regulator has been clear about its ambition to become more assertive, more interventionist, and more data‑led. This philosophy is already shaping how banks’ KYC frameworks are assessed and will become even more pronounced in 2026.
From 1 January 2026, the FCA takes on an expanded role as the sole AML supervisor for certain professional services sectors, reflecting government concern over inconsistent AML standards and weak supervisory outcomes. While banks have long been subject to FCA oversight, this broader reform underscores a regulatory mood of reduced tolerance for weak evidence and slow remediation.
For banks, the practical implications in 2026 include:
- Increased use of thematic reviews focused on onboarding, enhanced due diligence, and high‑risk customer segments
- More granular requests for management information covering customer risk distribution, onboarding outcomes, and control effectiveness
- Greater challenge of subjective judgement where decisions cannot be clearly evidenced or justified
KYC frameworks will increasingly be assessed through:
- The quality, consistency, and usefulness of management information (MI)
- Clear end‑to‑end audit trails for onboarding, refresh, escalation, and exit decisions
- Evidence that sanctions exposure, geographic risk, ownership complexity, and adverse information are fully embedded into customer risk assessments
The FCA’s message is unambiguous: policies and process maps are no substitute for data, metrics, and demonstrable outcomes.
EU AML reform and AMLA: convergence becomes unavoidable
Across the European Union, 2026 represents a pivotal transition year as the EU’s comprehensive AML reform package moves from legislation toward implementation. Central to this shift is the creation of the Anti‑Money Laundering Authority (AMLA), designed to drive greater consistency and supervisory convergence across Member States.
Although AMLA’s direct supervision of selected institutions will follow in later phases, 2026 is critical for setting the technical foundations. By 10 July 2026, AMLA must deliver draft Regulatory Technical Standards (RTS) that will directly shape how KYC is implemented across the EU.
These RTS will cover:
- Customer due diligence information requirements and minimum data standards
- Group‑wide AML/CFT policies, procedures, and internal controls
- Expectations for ongoing monitoring and lifecycle risk management
For banks operating across multiple EU jurisdictions, these developments signal a clear move away from nationally interpreted KYC approaches toward harmonised, group‑level frameworks. Divergent onboarding thresholds, inconsistent documentation standards, and locally customised risk methodologies will become increasingly difficult to justify.
Many institutions will therefore use 2026 as a preparation year to rationalise KYC frameworks, align data standards, and strengthen group‑wide governance in anticipation of closer supervisory convergence.
EBA priorities: embedding KYC into governance and risk frameworks
The EBA’s 2026 Work Programme, published on 1 October 2025, reinforces the expectation that AML and KYC controls are embedded within firms’ broader governance and risk management frameworks. While the EBA does not directly supervise individual banks, its guidance strongly influences how national competent authorities conduct supervision.
Key themes relevant to KYC in 2026 include:
- Clear alignment between business‑wide risk assessments and customer‑level KYC controls
- Defined governance structures that allocate accountability for AML and KYC decision‑making
- Strong oversight of outsourcing arrangements and reliance on third‑party data providers
The EBA’s direction reinforces the view that KYC is not a standalone compliance task, but a core enterprise risk control that intersects with operational risk, conduct risk, and reputational risk.
Beneficial ownership: an enduring and unresolved challenge
Despite years of regulatory attention, beneficial ownership transparency remains one of the most persistent weaknesses in KYC frameworks. Complex corporate structures, nominee arrangements, trusts, and cross‑border ownership chains continue to challenge traditional onboarding processes.
In 2026, supervisors are likely to intensify scrutiny of:
- How banks identify and evidence indirect ownership and control
- The extent to which ownership conclusions rely on corroborated sources rather than customer assertions
- Whether changes in ownership or control are captured promptly and reflected in risk assessments
- Whether ownership risk triggers enhanced due diligence, senior management review, or escalation
This focus reinforces the broader regulatory shift toward living customer profiles, where ownership understanding evolves continuously rather than being refreshed only at fixed review points.
Technology and intelligent KYC under supervisory scrutiny
By 2026, the use of automation, AI, and advanced analytics in KYC is no longer novel. Regulators broadly accept that technology can enhance coverage and consistency, but supervisory expectations have moved firmly toward governance, explainability, and control.
Regulators across the UK and EU are increasingly focused on:
- Transparency and explainability of automated or model‑assisted KYC decisions
- Model governance, validation, testing, and performance monitoring
- Clear change‑management processes for updates to logic, thresholds, and data sources
- Evidence that technology improves risk identification and decision quality, not merely efficiency
Banks deploying intelligent KYC capabilities in 2026 must be prepared to explain how decisions are made, demonstrate appropriate oversight, and evidence alignment with regulatory expectations.
What 2026 means for banks in practice
Taken together, the regulatory signals for 2026 are consistent and reinforcing.
KYC is evolving:
- From static, periodic reviews to continuous customer understanding
- From policy‑led compliance to evidence‑driven supervision
- From fragmented national approaches to greater international convergence
Banks that treat 2026 as a preparation year strengthening their governance, improving data quality, and embedding KYC more deeply into risk management will be better positioned to reduce remediation risk and withstand supervisory challenge.
Credibility, accountability and board‑level ownership
The year ahead is less about new rulebooks and more about credibility. FATF mutual evaluations, FCA data‑led supervision, and EU convergence under AMLA are all converging on the same outcome: regulators expect banks to prove that KYC works in practice.
For banks, 2026 is the year KYC firmly belongs in the boardroom, not as a box‑ticking exercise, but as a strategic control central to trust, resilience, and long‑term value.
