
FinCrime Intelligence Weekly

Issue №1 · May 25 – 31, 2026

OFAC tightens on Iran and extends a Lukoil window, AMLA and a new EU anti-corruption directive advance, and an Australian court shows ignoring a regulator only raises the bill.

FinCrime Intelligence Weekly - Issue 1: Sanctions tighten, supervision converges

Marco’s Take

Marco Beranzoni

Welcome to Issue 1 of FinCrime Intelligence Weekly. This is your weekly, high-signal briefing: facts sourced, actions named, no filler. It is built for working financial crime professionals who need to know what changed and what to do about it.

This week’s pattern is convergence. OFAC tightened pressure on Iran’s shipping networks while extending a conditional window for Lukoil divestment negotiations. The EU Anti-Money Laundering Authority (AMLA) opened consultation on its business-wide risk assessment guidelines, and a new anti-corruption directive entered into force. Australia’s courts confirmed what we already know: ignoring a regulator’s infringement notice does not make it go away. It makes the bill bigger.

The observation worth carrying into next week is this. Supervisors in different jurisdictions are no longer moving on separate timelines. AMLA’s 2028 direct-supervision clock, OFAC’s 28 June negotiation deadline, and the Financial Action Task Force’s June plenary are all pulling toward the same point. Compliance functions that still treat this as a series of separate national obligations will find the seams uncomfortable very soon. So here is the one slightly uncomfortable thing to do this week: open your sanctions programme and confirm who owns the Lukoil GL 131F tracking task, because that window closes on 28 June and “we did not know” will not land well with OFAC.

See you next Monday.

Marco

The 5 stories that matter

Regulatory Radar

What changed this week, why it matters, and what to do about it.

US

On 19 May 2026, President Trump signed an executive order directing banks to consider customers' immigration status in risk decisions. Treasury must issue red-flag guidance within 60 days, federal regulators must issue credit-risk guidance within 60 days, Treasury must propose Bank Secrecy Act (BSA) amendments within 90 days, and a joint customer-identification reform proposal is due within 180 days.

Why it matters: This reframes know-your-customer (KYC) and customer due diligence (CDD) risk models in a way that has little direct precedent in existing BSA guidance. Institutions caught between the executive order and existing fair-lending obligations face genuine legal tension until Treasury and the prudential regulators publish the promised guidance.

Action: Log the 60-day and 90-day deadlines from 19 May 2026. Assign someone to track the Treasury red-flag guidance, do not rebuild your CDD risk-scoring model before that guidance lands, and flag the tension to your legal function now.

US

FinCEN (US Financial Crimes Enforcement Network) and OFAC published a joint proposed rule under the GENIUS Act that would classify permitted payment stablecoin issuers as financial institutions under the BSA, requiring anti-money laundering (AML) and countering the financing of terrorism (CFT) programs plus sanctions compliance programs. The public comment period closes 9 June 2026.

Why it matters: This brings a significant segment of crypto payments infrastructure inside the formal BSA perimeter for the first time. Stablecoin issuers without BSA programs will need to build them, and banks that service those issuers will need to reassess their exposure to any compliance gaps in their customers' programs.

Action: Submit or read public comments by 9 June 2026. If you bank stablecoin issuers, begin a gap assessment of their current AML and sanctions controls against BSA requirements before the rule finalises.

EU

AMLA held a public hearing on 28 May 2026 on draft Guidelines on business-wide risk assessment (BWRA) under Article 10(4) of Regulation (EU) 2024/1624. The draft sets four minimum requirements for how obliged entities must conduct an enterprise-wide money laundering and terrorist financing risk assessment, feeding the unified EU AML rulebook ahead of AMLA's direct supervision of 40 institutions from 2028.

Why it matters: The BWRA guidelines will become binding minimum standards across EU member states. Institutions using internally developed methodologies that do not map to the four minimum requirements will need to rebuild or re-document before AMLA's supervisory scrutiny begins.

Action: Obtain the AMLA draft and map your current BWRA methodology against the four minimum requirements. Identify gaps now. A 2027 remediation is far less painful than a 2028 supervisory finding.

Global

The FATF (Financial Action Task Force) June 2026 plenary is the final session under the Mexican presidency. Giles Thomson assumes the FATF presidency on 1 July 2026. Namibia is among the jurisdictions being assessed for possible exit from the FATF grey list at this plenary.

Why it matters: Grey-list changes alter correspondent banking risk assessments and require updates to country-risk matrices. A Namibia exit, if confirmed, removes a current enhanced due diligence (EDD) trigger for many institutions. The presidential handover may also signal a shift in FATF workplan priorities.

Action: Confirm the plenary outcome dates and monitor FATF's public statements. If Namibia exits the grey list, update your country-risk ratings and review any accounts placed under EDD solely on the basis of that listing. Brief your front office before they ask.

Typology of the week

Pig-butchering scam proceeds laundered through cryptocurrency

How it works

Fraudsters operating from organised compounds, primarily across Southeast Asia, recruit victims through social media and dating platforms, cultivate a relationship over weeks or months, then introduce the victim to a fraudulent investment platform. The platform shows fabricated profits to encourage larger deposits. When the victim attempts to withdraw, the funds are blocked or fees are demanded until the account is drained. Proceeds flow immediately into cryptocurrency wallets, typically through chains of self-hosted wallets, cross-chain bridges, and mixing services, before converting to fiat through over-the-counter (OTC) brokers or exchanges with weaker controls. The fraud is inherently transnational: the compound, the crypto infrastructure, and the victim's bank account may each sit in different jurisdictions. On 29 April 2026, a Department of Justice-led international operation involving the FBI, Dubai Police, and other agencies resulted in at least 276 arrests, dismantled at least nine scam centres, restrained more than US$701 million in cryptocurrency, and seized 503 fake investment websites. That operation also documented the use of forced-labour recruitment to staff the compounds.

Red flags

  • A retail customer transfers funds repeatedly to the same beneficiary, often described as an investment platform, with amounts escalating over a short period of weeks.
  • The customer cannot explain the business purpose of the platform, or names a platform that does not match public information for any registered investment firm.
  • Funds land at a crypto exchange, or are converted to cryptocurrency, shortly after leaving the bank account.
  • A customer reports difficulty withdrawing funds and pays additional tax or fee transfers to the same or related beneficiaries.
  • The customer is in a demographic associated with romance-fraud targeting (mid-life, recently divorced or bereaved, isolated) and the account shows no prior crypto activity.
  • Rapid velocity: large transfers over a compressed window followed by account dormancy.

Sectors exposed

  • Retail banks and credit unions (wire and ACH origination)
  • Money service businesses and payment processors (customer-to-customer transfers)
  • Cryptocurrency exchanges and custodians (deposit and rapid withdrawal or swap activity)
  • OTC crypto brokers (conversion to fiat at the far end of the chain)

Controls to review

  • Outbound transfer rules: do your typology-based rules include an “investment platform, escalating amounts” pattern for retail customers with no prior investment account history?
  • Beneficiary screening: are you screening beneficiary account names and descriptions against known scam-compound indicators, not just sanctions lists?
  • Crypto counterparty risk: if you bank crypto exchanges, are you reviewing their AML programs for pig-butchering detection and suspicious activity report (SAR) filing rates?
  • Victim identification protocol: do front-line staff have a written process for a customer who says they cannot withdraw funds from an investment account? That call is a SAR trigger, not a service escalation.
  • Chain analytics coverage: for institutions touching the crypto leg, are your tools configured to flag rapid cross-chain bridging after deposit, especially from known scam-compound wallet clusters?

Example

A customer aged 58 with a standard retail current account begins receiving messages on a social media platform from a new contact who eventually introduces her to a cryptocurrency investment platform showing consistent monthly returns. Over eleven weeks she makes seven outbound transfers to an account held at a payment processor in a Southeast Asian jurisdiction, each described as “investment transfer”. She then begins sending smaller transfers described as “withdrawal tax”. None are flagged because each individual transaction falls below the manual review threshold and no single transfer matches a sanctions list. A retrospective review after she reports the fraud would show the beneficiary account was connected to a cluster of accounts receiving identical descriptions from dozens of other retail customers at the same bank. This is illustrative of a real documented pattern, not a single specific case.
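The gap in this example is that every rule looked at one transaction at a time. The sketch below is an added illustration, not a rule from any vendor or from this newsletter's sources: it aggregates per customer and beneficiary to catch escalating sub-threshold transfers followed by "fee" payments, and separately finds beneficiaries receiving identical descriptions from several customers. The threshold, keywords, field layout and sample transfers are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

REVIEW_THRESHOLD = 10_000     # assumed per-transaction manual review limit
FEE_WORDS = ("tax", "fee")    # assumed markers of "pay to withdraw" transfers

# Constructed sample data: (customer, beneficiary, date, amount, description)
TRANSFERS = [
    ("C1", "B9", date(2026, 1, 5), 500, "investment transfer"),
    ("C1", "B9", date(2026, 1, 19), 1500, "investment transfer"),
    ("C1", "B9", date(2026, 2, 9), 4000, "investment transfer"),
    ("C1", "B9", date(2026, 3, 2), 9000, "investment transfer"),
    ("C1", "B9", date(2026, 3, 16), 800, "withdrawal tax"),
    ("C2", "B9", date(2026, 2, 1), 2000, "investment transfer"),
    ("C3", "B9", date(2026, 2, 20), 3000, "investment transfer"),
    ("C4", "B2", date(2026, 1, 10), 1200, "rent"),
    ("C4", "B2", date(2026, 2, 10), 1200, "rent"),
    ("C4", "B2", date(2026, 3, 10), 1200, "rent"),
]

def is_fee(desc):
    return any(word in desc.lower() for word in FEE_WORDS)

def flag_pairs(transfers, min_count=3, window_days=90):
    """Return {(customer, beneficiary): [reasons]} for sub-threshold patterns."""
    by_pair = defaultdict(list)
    for cust, ben, day, amount, desc in transfers:
        by_pair[(cust, ben)].append((day, amount, desc))
    alerts = {}
    for pair, rows in by_pair.items():
        rows.sort()  # chronological order
        main = [r for r in rows if not is_fee(r[2])]
        fees = [r for r in rows if is_fee(r[2])]
        amounts = [a for _, a, _ in main]
        in_window = main and (main[-1][0] - main[0][0]).days <= window_days
        rising = all(b > a for a, b in zip(amounts, amounts[1:]))
        reasons = []
        if len(main) >= min_count and in_window and rising:
            reasons.append("escalating_amounts")
        # Fee-style payments after the last deposit: the "cannot withdraw" stage.
        if main and any(f[0] > main[-1][0] for f in fees):
            reasons.append("fee_after_deposits")
        # Record that no single transfer would have reached manual review.
        if reasons and all(a < REVIEW_THRESHOLD for _, a, _ in rows):
            reasons.append("all_below_review_threshold")
        if reasons:
            alerts[pair] = reasons
    return alerts

def shared_beneficiaries(transfers, min_customers=3):
    """Beneficiaries receiving the same description from many customers."""
    senders = defaultdict(set)
    for cust, ben, _, _, desc in transfers:
        senders[(ben, desc.lower())].add(cust)
    return {k: sorted(v) for k, v in senders.items() if len(v) >= min_customers}
```

On the constructed data, only customer C1's transfers to beneficiary B9 alert, while the flat monthly rent payments do not; B9 also surfaces as a shared beneficiary across three customers.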

Enforcement Watch

Recent actions and the control lessons behind them.

  • Ignored AUSTRAC infringement notices produce larger bills, not smaller problems

    AU$50,000 plus AU$15,000 costs; AU$45,000 plus AU$5,000 costs

    AUSTRAC / Castra Licensee and Princeton Securities (NSW)

    Control failure: Both firms missed mandatory AML and CFT reporting obligations under Australian AML/CTF legislation, then failed to respond to AUSTRAC infringement notices. The failures were not exotic: mandatory reports were not filed, and when the regulator formally notified the firms, neither took corrective action within the notice period. The Federal Court imposed civil penalties on 26 May 2026.

    Lesson: An infringement notice is not a negotiation opener. It is a record that the regulator has already identified the failure and offered a chance to remedy it. Ignoring it removes any credit for cooperation and adds costs. For smaller reporting entities with thin compliance functions, the lesson is structural: mandatory reporting must have a named owner, a deadline calendar, and a failsafe review, not a process document that assumes everything will work.

  • OCC consent order exposes sponsor-bank AML blind spots

    No penalty figure stated in the consent order

    Community Federal Savings Bank (Office of the Comptroller of the Currency)

    Control failure: The OCC's consent order, announced 21 May 2026, cited BSA program deficiencies including failures in suspicious activity reporting and violations of the USA PATRIOT Act information-sharing requirements. The bank operates in a banking-as-a-service and sponsor-bank context, so its BSA program must cover not just its own direct customers but end-user activity flowing through its fintech partners.

    Lesson: Sponsor banks cannot treat their fintech partners' AML programs as a black box. The OCC expects the sponsor to see through the partnership to the underlying customer activity and to file SARs based on what that activity shows. If you provide banking-as-a-service, review whether your contractual access to partner transaction data is sufficient to discharge your own BSA obligations. Access rights on paper are not the same as a working data feed and a live rule set.

  • SFO Ultra Electronics DPA sets a floor for failure-to-prevent-bribery penalties

    GBP 10 million plus GBP 4.8 million SFO costs

    Ultra Electronics Holdings Ltd (UK Serious Fraud Office DPA)

    Control failure: The UK Serious Fraud Office (SFO) approved a deferred prosecution agreement (DPA) on 1 May 2026 for failure to prevent bribery under section 7 of the Bribery Act 2010, relating to conduct in Algeria and Oman. The legal test under section 7 is whether the organisation had adequate procedures to prevent bribery, and the DPA record indicates those procedures were inadequate.

    Lesson: Section 7 is, in practice, a strict-liability offence. The only full defence is demonstrating adequate procedures. In a week when an EU anti-corruption directive entered into force, the Ultra Electronics outcome is a timely prompt to test your anti-bribery procedures against the standard of adequacy, not just existence. A policy nobody trained on and nobody tested is not a procedure.

Crypto, Fraud & AI

Deepfake voice and video cloning drives a new generation of APP fraud

Generative AI tools have cut the cost and skill needed to produce convincing voice and video clones of executives, finance directors, and customers. Fraudsters use these clones to impersonate a known individual in a call or video session and instruct a payment, approve an account change, or confirm a beneficiary. Because the instruction appears to come from a trusted source, authorised push payment (APP) fraud carried out this way often bypasses transaction-monitoring rules built around anomalous sender behaviour. The control response has three parts. First, out-of-band confirmation: any payment instruction arriving by phone, video, or email above a defined threshold must be confirmed by calling back on a number held in the firm's own records, not a number provided in the instruction. Second, liveness checks: for customer channels where identity is being re-verified, passive liveness detection or hard-to-spoof challenge-response tests reduce synthetic-media risk. Third, payee verification: confirming the legal name registered to the destination account, as under the UK's Confirmation of Payee scheme, catches cases where the account behind the claimed identity does not match. Review whether your callback procedures are documented, tested, and known by staff, not just listed in a policy.

Stablecoin issuers entering the BSA perimeter: what to prepare now

The FinCEN and OFAC joint proposed rule under the GENIUS Act, with a comment deadline of 9 June 2026, would treat permitted payment stablecoin issuers as financial institutions under the BSA. For compliance teams at issuers and at the banks that service them, the implications are material. At issuance and redemption, sanctions screening must cover the wallet address, the beneficial owner of that address to the extent identifiable, and the counterparty jurisdiction. Wallet-level controls need defining: which wallets the issuer will transact with, how it handles a wallet that appears on the SDN list after issuance, and the freeze-and-block procedure for a wallet linked to a sanctioned party. For banks already banking issuers, a customer previously treated as a money service business now carries a full financial-institution designation, which raises the due diligence standard. Read the proposed rule, separate genuinely new obligations from those already required under state money transmitter licences, and file or track comments by 9 June 2026.

Career & Skills Corner

How to write and defend a business-wide risk assessment that survives scrutiny

The AMLA BWRA consultation this week is a signal, not a surprise. Supervisors across jurisdictions have been moving toward structured, documented, auditable enterprise risk assessments for years. The question is whether your methodology is ready to be put in front of a supervisor and held against a set of minimum requirements. Start with structure before content. A BWRA is not a collection of departmental risk registers stapled together. It is a documented, reasoned analysis of the institution's overall exposure to money laundering and terrorist financing risk, taking into account the customer base, the products, the channels, the geographies, and the third-party relationships. Each dimension needs to be assessed, scored, and aggregated, and the aggregation methodology needs to be written down and defensible. The four minimum requirements in AMLA's draft are worth reading even if your institution is not directly in AMLA's scope. They represent the current European consensus on a minimum-standard BWRA and are likely to inform UK and other supervisory expectations too. The skill to develop is not writing the BWRA. It is defending it. Supervisors will ask why a risk was scored the way it was, who approved the methodology, and what changed since the last assessment. Practise walking a sceptical audience through your scoring logic for your highest-risk product or segment. A BWRA you can defend out loud, from memory, on the material decisions, is one that will survive scrutiny. One you can only point at is not.

What I’m watching next week

Next week I am tracking two things closely. The FATF June 2026 plenary is the meeting I am most focused on: grey-list decisions will force immediate updates to country-risk matrices for institutions with Namibian or other newly-listed exposure, and the presidential handover to Giles Thomson on 1 July 2026 is worth watching for signals about the incoming workplan, particularly on virtual assets and beneficial ownership. The second item is the 9 June 2026 comment deadline on the FinCEN and OFAC GENIUS Act stablecoin proposed rule. I will be reading the industry submissions to understand where the practical friction sits, because the gap between what the rule requires and what issuers can deliver today is where the next enforcement cycle will begin.
