.png)
2025 was Reform, 2026 is Execution
- 1 day ago
- 4 min read
In 2025, compliance felt like a project. Policies were updated, risk assessments refreshed, board packs referenced reform milestones, vendors were onboarded and systems configured. For many organisations, it was a year of visible progress, activity that could be tracked, reported and measured.
In 2026, however, progress becomes proof. Reform activity may be quantifiable, but execution discipline must be demonstrated, and demonstration requires evidence.
The Quiet Test
Late last year, an independent review was conducted for a mid-sized reporting entity. On paper, its AML framework had been recently modernised. Policies were current. A risk assessment had been signed off. Monitoring technology was in place.
The review did not focus on documentation. It focused on behaviour.
Over a three-month sample period, the findings were subtle:
Alerts were cleared within SLA, but rationale was inconsistent.
Enhanced due diligence had been triggered in policy, but not always in practice.
Risk ratings were applied correctly, but rarely revisited.
Escalations occurred, but documentation did not always reflect the reasoning behind them.
Nothing suggested deliberate neglect. Nothing suggested absence of framework. But together, the gaps formed a pattern. The framework existed. Operational discipline was uneven. This is the distinction 2026 will increasingly expose.
The Implementation Gap
Reform years prioritise structure:
Do you have an AML program?
Is your risk assessment documented? Have you defined monitoring parameters?
Execution years ask different questions:
How often are those parameters recalibrated?
Who owns the decision to change them?
When a high-risk client profile shifts, how quickly is it reassessed?
If an alert is dismissed, can the rationale withstand scrutiny?
These questions do not test awareness. They test control.
The Risk of Overconfidence
Organisations that invested significantly in reform during 2025 may assume the hardest work is complete.
In reality, the difficult phase is quieter and more sustained.
Execution requires:
Consistent case documentation.
Clear ownership.
Parameter testing.
Independent oversight.
Board-level understanding beyond summary metrics.
It requires endurance, not just implementation.
Global Financial Crime Roundup
2026 So Far
It’s February. The fraudsters clearly didn’t take a holiday break.
We’re barely eight weeks into 2026, and already the enforcement headlines are stacking up.
If Q1 was meant to ease us in gently, regulators didn’t get the memo.
So far this year, we’ve seen:
Sanctions breaches tied to weak screening controls
Monitoring failures where suspicious activity was identified, but not escalated
Inadequate customer due diligence on high-risk entities
Politically exposed persons missed entirely
Third-party payment flows with no documented rationale
Risk assessments that haven’t been updated in years
AML programs that exist on paper, but not in practice
Governance breakdowns where boards were “unaware” of systemic gaps
None of this is new. That’s the point.
The patterns are familiar. The consequences are not.
What’s emerging early in 2026 isn’t creative new criminal typologies, it’s regulators doubling down on fundamentals:
Documentation.
Evidence.
Escalation discipline.
Independent oversight.
The message is consistent across jurisdictions: “Almost compliant” is no longer defensible. And while the year is still young, the enforcement tone is already clear , scrutiny is tightening, and expectations haven’t softened.
The message is consistent across jurisdictions: “Almost compliant” is no longer defensible. And while the year is still young, the enforcement tone is already clear, scrutiny is tightening, and expectations haven’t softened.
If January and February are any indication, 2026 won’t be a year for passive frameworks or half-reviewed programs. It will be a year where controls are tested.
More to come.
WhiteLight Insight
The Most Expensive Word in Compliance: “Later”
Hesitation.
“We’ll review our options later.”
“We’ll bring in support later.”
“We’ll strengthen the framework later.”
Later has a way of becoming pressure. In this market, the difference isn’t awareness. It’s action. Strong frameworks don’t come from good intentions. They come from clear decisions about structure, oversight and the people responsible for delivering it. Waiting doesn’t simplify compliance. It compounds it. Regulators don’t assess intention. They assess action. In 2026, “we were planning to” won’t carry weight.
When it comes to your AML framework and the team behind it, the critical move is the decision to act. Because “later” has a habit of becoming costly.
AUSTRAC Updates:
Visibility Changes Behaviour
When registration opens for newly captured Tranche 2 entities, it will be viewed by many as administrative.
In reality, it’s structural.Registration creates visibility.
From that point, AUSTRAC holds formalised data about who you are, the services you provide, your size and scale, and where you sit within the broader risk landscape of your sector. That information enables segmentation, comparison and supervisory prioritisation.
In short, registration moves you from unknown to observable. And visibility changes behaviour, on both sides.
For regulators, it sharpens focus.
For businesses, it raises the standard.
The conversation shifts from “we are preparing” to “show us the framework.” Risk assessments, governance oversight, training records and documented decision-making are no longer theoretical. They are accountable.
The first key milestone in a new regime isn’t enforcement. It’s identification. And identification changes the tone. Once you register, AUSTRAC doesn’t just know your name.
It knows:
• Your industry
• The services you provide
• Your size and scale
• Your customer exposure
• Your declared risk profile
That data allows patterns to emerge and outliers to stand out. You move from operating in relative obscurity to operating within a structured regulatory view.
From invisible to observable.
And visibility changes behaviour.
Comments