
Regulatory Updates Newsletter: January 2026

Welcome to the January 2026 edition of our Regulatory Newsletter. The year has opened with regulators moving quickly on familiar pressure points, particularly financial crime, operational resilience, and technology governance.


This month’s updates include the UK Prudential Regulation Authority setting out its 2026 supervisory priorities for international banks, alongside U.S. action to strengthen AML tools to prevent large-scale fraud in public benefit programs and the FCA’s continued efforts to recover assets in a major peer-to-peer lending fraud case. In Europe, regulators advanced long-planned cybersecurity reforms and completed the transfer of AML oversight to the EU’s new Anti-Money Laundering Authority. There were also developments in cross-border coordination under DORA and new guidance from Singapore on managing risks posed by autonomous AI systems.


Dive in for official updates and actionable insights from leading jurisdictions.


UK PRA Sets 2026 Supervisory Priorities for International Banks


Source- BOE

The UK’s Prudential Regulation Authority issued a Dear CEO letter outlining its 2026 supervisory priorities for international banks and designated investment firms operating in the UK. The PRA highlighted heightened geopolitical risk, fragmented global trade, and pressure on sovereign debt markets, and stressed the need for firms to maintain strong governance, risk management, and resilience.


Key focus areas include counterparty credit risk, particularly growing exposures to non-bank financial institutions and private markets, as well as weaknesses in risk data aggregation and intraday exposure monitoring. The PRA also flagged risks linked to increased use of artificial intelligence, reliance on third-party providers, and cyber threats. Firms were reminded to prepare for the implementation of Basel 3.1 and the 2026 rebasing of Pillar 2 capital requirements.


Implications

  1. Signals continued PRA scrutiny of NBFI exposures, private markets, and data quality in risk management frameworks. 

  2. Pressures firms to strengthen cyber resilience and oversight of critical third-party providers as technology use expands.

  3. Reinforces expectations for early preparation for Basel 3.1 and Pillar 2 capital changes.

  4. Indicates a more streamlined supervisory approach, including reduced frequency of Periodic Summary Meetings.

FinCEN Launches AML Measures to Tackle Fraud in Minnesota


Source- FCEN

Treasury Secretary Scott Bessent announced a suite of AML initiatives targeting fraud in Minnesota’s government nutrition programs. FinCEN issued a Geographic Targeting Order requiring banks in Hennepin and Ramsey Counties (Minneapolis) to report detailed information on U.S. dollar transfers, and a FinCEN Alert urging institutions to detect and report fraud in child nutrition benefits. 

FinCEN also issued four information subpoenas to Minnesota money services businesses and provided law enforcement training on using financial data (e.g., SARs) in fraud cases. These actions build on prior enforcement against a major fraud ring that stole billions from school lunch programs, shifting the emphasis from prosecution to prevention and data-driven detection.


Implications


  • Signals U.S. focus on using financial data (BSA filings, GTOs) to prevent welfare fraud.

  • Pressures banks/MSBs to bolster AML controls (e.g., enhanced monitoring of benefit payments).

  • Demonstrates FinCEN’s role in cross‐sector coordination (GTOs, alerts, law enforcement training).

  • May lead to broader AML guidance for pandemic‐related or public-benefit programs nationwide.

FCA Obtains a Confiscation Order in a Major P2P Lending Fraud Case


Source- FCA

The FCA secured a £265,523.96 confiscation order against Andrew Currie, who defrauded investors via the now-collapsed Collateral peer-to-peer lending platform. Currie was previously jailed (2023) for fraud and money-laundering; the confiscation order (imposed Jan 9, 2026) represents the value of assets still recoverable for victims. 


FCA enforcement director Steve Smart said the action “is a clear warning to fraudsters” that ill-gotten gains will be seized. The order requires repayment or up to 3 years’ imprisonment for non-payment, with proceeds earmarked for victim compensation.


Implications

  • Reinforces FCA’s commitment to pursuing financial crime and returning funds to victims.

  • Highlights risks of high‐return P2P schemes and the FCA’s enhanced powers under the new public offers regime.

  • Signals that FCA will leverage criminal and civil tools (CofF authorities) to dismantle fraud networks.

  • May prompt other regulators to pursue similar confiscations in crypto or fintech fraud cases.

EU Commission Proposes Strengthened Cybersecurity Package (Digital Rulebook)


On 20 January 2026, the European Commission launched a “digital cybersecurity package” to bolster EU resilience. The proposal amends the NIS2 Directive and revises the EU Cybersecurity Act. Key elements include stricter ICT supply-chain security requirements and streamlined certification for digital products (making cybersecurity “secure by design”). 


It also simplifies compliance (e.g., harmonised reporting of ransomware attacks) and strengthens ENISA’s coordination role. The goal is to reduce the compliance burden for ~28,700 firms (including ~6,200 SMEs) while tightening controls on critical infrastructure operators.


Implications

  • Accelerates digital operational resilience in finance, aligning with broader DORA objectives.

  • May lead to new EU cybersecurity standards that financial firms and third-party ICT providers must follow.

  • Highlights EU's emphasis on reducing fragmentation and easing cross-border supervision under ENISA.

  • Sets the stage for future directives affecting financial services (e.g. tighter software certification, mandatory breach reporting).

EBA and New AML Authority Complete Handover of AML/CFT Oversight

As of 1 January 2026, the EBA has formally transferred all its AML/CFT mandates and functions to the new Authority for Anti-Money Laundering (AMLA). AMLA now sits at the center of the EU’s AML/CFT system, supervising 40 of the largest cross-border firms. The handover “marks a milestone in the EU’s fight against financial crime”, concluding the EBA’s standalone AML remit. 


EBA’s AML guidelines, databases (e.g., EuReCa), and risk assessments have been ported to AMLA to ensure continuity. Under the new regime, AMLA will finalize the EU “single rulebook” on AML, drive supervisory convergence, and coordinate FIU information exchange.


Implications

  • Centralizes EU anti-money laundering oversight to achieve more consistent enforcement across member states.

  • Industry should prepare for direct AMLA supervision (40 large institutions) and revised standards when issued.

  • Continues EBA’s prudential role in AML (capital/regulatory requirements) but shifts compliance supervision to AMLA.

  • Likely to accelerate EU adoption of the 6th AML Directive and related technical standards via AMLA.

    (Source- AMLA)

RBI Fines Co-Operative Banks for Prudential Violations


Source- RBI

The RBI imposed penalties on two cooperative banks in January 2026 for breaches of lending norms. On 22 Jan, Shri Kanyaka Nagari Sahakari Bank (Pune) was fined ₹8 lakh for violating RBI directions on advances to housing developers. 

A week earlier, Nandura Urban Co-op Bank (Maharashtra) was fined ₹1 lakh for exceeding prescribed loan exposure limits to certain members. The penalties under the Banking Regulation Act stemmed from supervisory inspections. The RBI noted that these actions are for “deficiencies in regulatory compliance” and do not invalidate the underlying transactions.


Implications

  • Emphasizes RBI’s scrutiny of risk management and lending practices in the cooperative sector.

  • Warns other banks to comply strictly with exposure ceilings and priority sector norms.

  • Underlines the RBI’s intent to use penalties as a deterrent for governance lapses.

  • May prompt further AML/KYC inspections of small banks and NBFCs as well.

ESAs and UK Regulators Sign DORA MoU on Third-Party ICT Oversight


Source- EBA

On 14 January 2026, the European Supervisory Authorities (EBA, EIOPA, ESMA) and the UK’s BoE, PRA, and FCA signed a Memorandum of Understanding under DORA. The MoU establishes a cooperation framework for supervising “critical ICT third-party providers” (CTPPs) across the EU and UK. 

It sets out principles for joint oversight, information-sharing, and coordinated examinations of ICT vendors serving financial institutions. This cross-border MoU reflects the equivalence assessment of confidentiality laws and aims to strengthen operational resilience by ensuring consistent treatment of cloud/SaaS providers used by banks and insurers in both jurisdictions.


Implications

  • Formalizes EU–UK post-Brexit regulatory cooperation on ICT risk to ease oversight of major tech vendors (e.g., cloud providers).

  • Firms using third-party ICT must expect aligned EU/UK supervision under DORA, reducing dual-regulator conflicts.

  • Enhances systemic resilience by coordinating on cyber incidents and vendor management across borders.

  • Signals priority on operational resilience and may lead to joint supervisory exercises under DORA Articles 36/44.

Singapore Launches Model AI Governance Framework for Agentic AI


Source - IMDA

Singapore’s IMDA released a new Model AI Governance Framework for Agentic AI, providing guidance for the safe deployment of autonomous AI “agents” capable of initiating actions, accessing systems, and interacting with other agents without continuous human input. The framework builds on Singapore’s earlier AI governance principles but addresses novel risk vectors associated with agentic systems, including unauthorized actions, unintended privilege escalation, opaque decision-making, and expanded data-access risks.

The framework sets out both technical and organisational measures, emphasising clear accountability, pre-deployment risk assessments, ongoing monitoring, and the preservation of meaningful human oversight for high-impact or sensitive use cases. IMDA positions the framework as voluntary but expects it to inform enterprise governance practices and future regulatory approaches, particularly as the adoption of agentic AI accelerates across financial services and other regulated sectors.


Implications

  • Firms deploying agentic AI systems should reassess governance structures to ensure clear accountability, human-in-the-loop controls, and defined escalation pathways for autonomous actions.

  • Risk and compliance teams will need to expand AI risk frameworks beyond model accuracy and bias to include agent autonomy, system access rights, and interaction risks across multiple AI agents.

  • Technology teams should implement stronger monitoring, logging, and kill-switch mechanisms to detect and intervene in unintended or unauthorized agent behaviour.

  • The framework signals Singapore’s intent to shape global norms for advanced AI governance; multinational firms should anticipate similar expectations emerging in other jurisdictions.

Summary of Other Notable Updates

| Jurisdiction | Regulator | Update | Source |
| --- | --- | --- | --- |
| UK | FCA | On 19 January 2026, the UK’s Public Offers and Admissions to Trading regime came into force, imposing stricter rules on public securities offerings. This new regime covers both transferable securities and high-risk debt instruments (e.g., mini-bonds). The FCA warns retail investors to be cautious of unregulated high-risk schemes. | |
| U.S. | U.S. Treasury | On 16 Jan 2026, Treasury’s Office of Foreign Assets Control (OFAC) designated 21 entities and individuals (plus one vessel) involved in transferring oil and other resources to Iran-backed Houthis. The sanctions target financial facilitators and front companies (primarily UAE- and Yemen-based) that fund Houthi terrorism via illicit oil sales. The move is part of a broader U.S. effort to disrupt Iran-Houthi revenue streams. | |
| EBA | European Banking Authority | On 26 Jan 2026, the EBA released a report on its “Interest Rate Risk in the Banking Book” (IRRBB) heatmap for the medium-to-long term. The analysis finds banks gradually adjusting to the higher-rate environment (fewer outliers in shock tests) and recommends adherence to the ECB’s 5-year interest-rate cap benchmark. It also highlights best practices in modelling deposit behavior and hedging interest-risk. The report offers observations for supervisors but introduces no new regulations. | |
| UK | Bank of England/PRA | On 14 Jan 2026, the PRA published its final rules implementing Basel 3.1 (Basel IV) capital standards. The PRA confirmed that the effective date of these rules will be 1 January 2027, one year later than initially planned. The delay was chosen to align UK implementation with international counterparts and account for cross-border firms. The new standards include increased risk sensitivity and an output floor, aiming to strengthen UK banks’ capital adequacy. | |



Stay informed with our regulatory updates and join us next month for the latest developments in risk management and compliance!

For any feedback or requests for coverage in future issues (e.g., additional countries or topics), please contact us at info@riskinfo.ai. We hope you found this newsletter insightful.


Best regards,

The RiskInfo.ai Team

