By Tatiana Rassokha, Compliance Officer, CAMS
The first time I analyzed the regulation of a country I had never visited, I realized: compliance preparations are similar to getting ready for travel. You study the map, check entry requirements, learn how things actually work on the ground. The terrain’s unfamiliar, the rules local, and getting lost? Expensive.
Understanding a regulatory environment isn’t one-time-event—it’s continuous. Like any worthwhile journey taking, it needs a well-planned route.
First Impressions: What the Locals Say
The first thing you do before any trip, you ask people who’s been there for recommendations, advice and examine the destination on the map. In AML, that means checking peer intelligence and assessing a country’s international standing.
FATF mutual evaluations serve as the entry point for understanding financial services stability and a country´s position on the AML/CFT map. The mutual evaluations assess both technical compliance with the 40 Recommendations and the practical effectiveness of a country’s AML/CFT regime. The gap between what the law says and what institutions do, can sometimes differ significantly. A jurisdiction may have a robust legal framework while lagging on enforcement, supervision, or reporting culture.
FATF maintains two public watchlists — «Jurisdictions under Increased Monitoring» (grey list) and «High-Risk Jurisdictions Subject to a Call for Action» (black list) — updated after each Plenary. A country’s position on these lists directly impacts correspondent banking access, the level of Enhanced Due Diligence foreign partners must apply, and the overall jurisdictional scrutiny.
These lists aren’t static. They reflect country’s implementation efforts and highlight areas needing improvement. South Africa was removed from the grey list in October 2025 after 32 months, having addressed all 22 items in its FATF action plan. The Philippines – in February 2025 after nearly four years, having tightened casino supervision and expanded AML requirements for remittance services.
Reading the Terrain: The Law of the Land
You don’t study a language before a holiday — you just make sure you can read the critical signs. In AML, primary laws are your traveller’s essential signals which cannot be ignored: what the jurisdiction demands, where the boundaries are, what triggers consequences. You don’t need fluency — but you must understand the warning signs before walking past them. Most importantly – you need current – up to date – information.
In 2025 alone, multiple countries overhauled their AML regulations:
Mexico lowered its beneficial ownership threshold from 50% to 25% in July 2025. The LFPIORPI reform added real estate development to the list of vulnerable activities and granted the Financial Intelligence Unit direct standing in criminal investigations.
In the UAE, Federal Decree-Law No. 10/2025 replaced the 2018 legislation entirely in mid-October. It expanded the definition of predicate offences to include tax evasion and digital crime, brought VASPs under full AML/CFT oversight, and raised corporate fines to AED 100 million. The legal landscape was fundamentally redrawn.
Following the Trail Markers: Secondary Regulation and Supervisory Guidance
Knowing the law is step one. Following the trail markers regulators leave behind — that’s what keeps you on course.
In Mexico, the CNBV publishes fraud prevention management requirements and mandates specific monitoring behaviors for institutions. In the UAE, the Central Bank issued over AED 370 million in fines in 2025, including a single AED 200 million penalty against an exchange house for AML framework failures.
Missing these primary and secondary legislative steps means your “journey” can go really wrong.
The cost? Consider N26 example. In March 2021, Italy’s Banca d’Italia fined the German neobank €3.6 million and ordered it to cease onboarding Italian customers entirely. The issue wasn’t scale—it was ignoring local requirements. N26 failed to report suspicious transactions to Italy’s Financial Intelligence Unit for over a year, inadequately verified customer identities, and lacked procedures to assess ML/TF risks. The regulator’s message was blunt: N26 treated Italy like an extension of its German operation, not a distinct regulatory jurisdiction. By May 2022, N26 withdrew from Italy completely. The cost wasn’t just the fine—it was the entire market.
Choose Your Accommodation— Sector-Specific Rules
Just as the place you stay shapes your travel experience, the sector you operate in determines which rules apply. Requirements across banking, fintech, insurance, real estate, and virtual assets are rarely identical and assuming that they are – can be costly.
In Mexico, traditional banks face different CDD thresholds and biometric verification requirements than fintechs authorized under the Ley Fintech. Real estate developers weren’t even classified as «vulnerable activities» until the July 2025 reform a gap that left transactions worth billions outside regulatory scope for years.
In the UAE, the 2025 AML Law now subjects VASPs — crypto exchanges, wallet providers, and DeFi platforms — to the full regulatory regime: licensing, control frameworks and oversight equivalent to banks. Article 30 goes further, prohibiting anonymity-enhanced virtual assets that prevent transaction traceability. If your platform allows privacy coins or unmonitored peer-to-peer transfers, you’re non-compliant by design.
In the Philippines, casinos and offshore gaming operators sat at the heart of the country’s grey-listing. The 2026–2030 strategy zeroes in on gaming and cash-intensive businesses, forcing operators to prove—not promise—that surveillance systems work. The country’s regulatory shift raises a harder question: how many other jurisdictions are one problem away from reclassifying an entire sector as high-risk?
Weather Check: What’s on the Horizon
A traveler checks the weather before packing. In AML, the FATF sets the forecast and ignoring it means walking into a potential storm unprepared.
At its February 2026 plenary in Mexico City, the FATF elevated cyber-enabled fraud to a strategic priority, approving guidance on how criminals exploit instant payments, digital platforms, and social engineering. A Companion targeted report on Stablecoins and Unhosted Wallets targets – Peer-to-Peer Transactions that bypass institutional controls.
The FATF’s 5th Round methodology—now being applied in Mexico, the UAE, and South Africa—places greater weight on demonstrated effectiveness. Countries face a six-year evaluation cycle with three years to close gaps before public escalation. For institutions, that means monitoring systems that “detect patterns”, identity verification that “prevents fraud”, and reporting that “contributes to intelligence”.
No Room for Improvisation
Some travelers swear their best trip was the one they didn’t plan. That romantic notion has no place in anti-money laundering compliance. Here, you must be prepared. Your timing must be precise. Your documents must be ready. Your defenses must anticipate threats you haven’t seen yet.
That’s where the analogy breaks down. A missed flight means rebooking and irritation. A missed regulatory requirement means fines, license reviews or suspension, or public enforcement action, consequences that can end businesses, not just inconvenience them.
We have recent examples. In July 2025, the FCA fined Monzo Bank £21 million. Onboarding systems failed to flag implausible addresses, thousands of high-risk customers enrolled even after specific prohibition from the supervising authority. The bank’s defense that systems were «being improved»—collapsed under evidence that alerts were ignored for months. The lesson: good intentions without operational discipline are legally worthless.
Whether you’re entering a new market, onboarding customers from an unfamiliar jurisdiction, or bracing for regulatory scrutiny, success significantly depends on reading every layer of a country’s regulatory terrain. Full preparation still won’t protect you from complexity of legislative reforms, fresh enforcement actions, or shifting supervisory priorities. But similar to mandatory travel insurance, you know your options better.
What You Bring Back
Staying compliant is the journey that never actually ends. You can study every map, memorize every rule, and pack for every scenario — but compliance, like travel, teaches you most when you’re already on the ground.
The difference is that in AML what you bring back isn’t a souvenir, it’s institutional memory: the systems that held, the gaps you found before regulators did, and the discipline to treat every jurisdiction as if your license depends on it. Because it does.