Merchant Onboarding: Global Regulatory Update May 2026

Merchant onboarding regulatory updates for May 2026 highlight growing global scrutiny around onboarding governance, safeguarding oversight, beneficial ownership verification, stablecoin relationships, and the operational effectiveness of risk-based onboarding controls across regulated payment environments. 

May 2026 is a month of convergence: regulators across every major region moved simultaneously, and the through-line was the same. Compliance programs that exist only on paper, onboarding controls that cannot be traced back to documented risk frameworks, and poorly governed partner relationships are all coming under heavier scrutiny. The goalposts for what "good" looks like have moved, and they have moved everywhere at once. Verification alone is no longer enough. Supervisors increasingly expect firms to show that the full onboarding decision is risk-based, governed, and supportable under review.  

‍

In this update (for merchant onboarding and compliance teams):

What changed: Risk frameworks elevated globally; stronger safeguarding enforcement; new stablecoin AML obligations; expanded supervisory scrutiny across the EU, UK, Asia, and Australia.

Why it matters: Supervisors are no longer waiting for firms to identify their own weaknesses. Licenses are being revoked, findings published, and programs examined. Weak onboarding now creates direct regulatory and reputational exposure.

Regulatory signals: Risk-based onboarding is becoming the foundation of modern merchant onboarding, with regulators expecting onboarding decisions and customer risk assessments to be clearly tied to documented risk frameworks. Verification confirms that individual checks have passed. What supervisors increasingly want to see is whether the full onboarding decision is supported by a documented, risk-based framework. 

What to do next:

• Trace your onboarding risk logic back to a documented business-wide risk assessment
• Build safeguarding oversight into payment partner onboarding and ongoing risk governance processes. 
• Begin treating stablecoin issuer partners as regulated financial institution counterparties
• Review document verification controls for any cross-border investment account onboarding

‍

United States

FinCEN/OFAC Joint Proposed Rule: AML/CFT and Sanctions Compliance Requirements for Payment Stablecoin Issuers

Deadline: 9 June 2026

Issued By: Financial Crimes Enforcement Network and Office of Foreign Assets Control, US Department of the Treasury

Applies To: All permitted payment stablecoin issuers (PPSIs) operating in the US, and any PSP, bank, or fintech that processes, hosts, or partners with stablecoin-based payment products. Broadly relevant to any institution whose merchants or partners use stablecoins for payments or settlement.

Summary:

• What: FinCEN and OFAC have jointly proposed a rule that brings payment stablecoin issuers inside the Bank Secrecy Act (BSA) for the first time, treating them as financial institutions with full AML/CFT and sanctions compliance obligations.
• Why: Treasury identified stablecoin payments as creating increasing illicit finance and sanctions risk due to their scale, speed, and cross-border reach, requiring stablecoin issuers to operate under financial institution-level compliance standards.  
• What's Next: Comments are due 9 June 2026. The proposal signals Treasury’s direction on AML/CFT and sanctions expectations for stablecoin issuers, and firms involved in stablecoin activity should begin assessing onboarding and monitoring readiness now 

Key Changes Proposed:

• PPSIs will be formally defined as financial institutions under the BSA, bringing them inside the full AML/CFT regulatory framework for the first time.
• Risk-based AML/CFT programs, ongoing customer due diligence (OCDD), and beneficial ownership monitoring would become mandatory.
• Suspicious activity reporting, Travel Rule, and recordkeeping obligations would apply to qualifying transactions.
• Sanctions compliance programs would need controls for risk assessments, monitoring, testing, training, and sanctions enforcement.
• Firms would need the technical capability to block, freeze, or reject prohibited or sanctioned transactions.

What This Means for Merchant Onboarding Teams: 

If merchants or partners use stablecoins for payments or settlement, onboarding teams will increasingly need to assess those relationships through a stronger AML/CFT and sanctions lens. That includes understanding which stablecoins are being used, which issuers are involved, and whether those issuers operate under appropriate compliance controls.

The proposal also increases the importance of ongoing due diligence, beneficial ownership monitoring, and sanctions screening for stablecoin-related relationships. Static onboarding reviews will become harder to defend where customer risk, transaction activity, or sanctions exposure can change over time.

Recommended Actions:

• Identify merchants and partners involved in stablecoin activity and classify them as higher-scrutiny onboarding relationships where appropriate.
• Expand KYB processes to assess AML/CFT controls, sanctions programs, and governance frameworks alongside commercial due diligence.
• Strengthen beneficial ownership capture and ongoing monitoring to ensure customer information remains accurate and current.
• Review onboarding workflows to ensure stablecoin-related relationships can be risk-rated, escalated, and monitored dynamically.
• Ensure onboarding data supports sanctions screening, Travel Rule compliance, and traceable onboarding decisions.

How OnBoard Helps: 

OnBoard helps firms strengthen risk-based merchant onboarding in the US for stablecoin-related merchant and partner relationships under evolving AML/CFT and sanctions requirements.

• Integrated KYB, KYC, AML, and sanctions screening helps verify stablecoin-related merchants, beneficial owners, and counterparties against sanctions lists and regulatory data sources, supporting the proposed requirements for ongoing due diligence, suspicious activity monitoring, and sanctions controls.
• Portfolio OCDD continuously monitors merchant and ownership changes, enabling earlier detection of evolving stablecoin and sanctions risk after onboarding. 
• Risk-based workflows automatically fast-track lower-risk merchants while escalating stablecoin-related, high-risk, or sanctions-exposed cases for additional review, helping teams adapt to tighter AML/CFT expectations without rebuilding the entire onboarding process.
• Audit-ready reporting maintains clear records of onboarding data, screening results, risk assessments, and compliance decisions for regulatory review.
• White-label onboarding allows payment providers to apply consistent AML/CFT, sanctions, and risk-based onboarding controls across partner programs while enabling partner-led onboarding journeys under centrally governed risk, compliance, and approval controls. 

Source: Financial Crimes Enforcement Network

‍

United Kingdom

PS25/12 Supplementary Safeguarding Regime for Payment Institutions and E-Money Institutions

Effective Date: 7 May 2026

Issued By: Financial Conduct Authority

Applies To: All FCA-authorized and registered payment institutions and e-money institutions operating in the UK, including PayFacs, PSPs, digital wallets, and any firm that holds customer funds in the course of providing payment or e-money services.

Summary:

• What: The FCA's new Supplementary Safeguarding Regime came into force on 7 May 2026, replacing the previous safeguarding rules under the Payment Services Regulations 2017.
• Why: The FCA identified weaknesses in safeguarding practices across payment and e-money firms, increasing the risk of customer fund shortfalls and delays in returning funds if firms fail. The new regime is designed to strengthen safeguarding controls and improve FCA oversight.
• What's Next: Firms must now comply with the new rules across CASS 10A, CASS 15, SUP 3A, and SUP 16.14A.

Key Changes:

• Customer funds must now be safeguarded under rules that closely mirror the FCA's CASS regime, a significantly higher bar than the previous safeguarding requirements.
• Firms must maintain resolution packs, which are documented records of how their safeguarding arrangements work, to allow faster resolution if the firm fails.
• Monthly safeguarding reporting and mandatory annual audits will increase regulatory scrutiny of payment firms and their safeguarding controls.
• Firms using third parties within safeguarding arrangements must apply stronger due diligence and oversight controls.

What This Means for Merchant Onboarding Teams: 

While the new safeguarding regime does not directly regulate merchant onboarding, it clearly signals the FCA’s broader push toward stronger safeguarding controls, oversight, and accountability across payment providers.

For firms still relying heavily on manual onboarding and review processes, this increases exposure to manual errors, inconsistent due diligence, weak audit traceability, and evolving partner compliance risks. Structured, risk-based onboarding and ongoing oversight will become increasingly important as regulatory expectations around safeguarding controls continue to rise.

Recommended Actions:

• Review whether current onboarding processes provide sufficient oversight, consistency, and documentation when assessing payment institutions and EMI partners.
• Reduce reliance on manual onboarding and review processes where safeguarding, compliance, and fraud risks may be harder to detect consistently.
• Build structured safeguarding and regulatory due diligence checks into payment partner onboarding workflows.
• Maintain clear records of onboarding decisions, compliance reviews, and supporting evidence for payment partners handling customer funds.
• Establish ongoing monitoring processes for regulatory, audit, or safeguarding-related changes affecting payment institutions and EMI partners.

How OnBoard Helps: 

OnBoard helps firms strengthen safeguarding oversight and reduce onboarding risk for payment and e-money firm partners under the FCA’s new safeguarding regime.

• Audit-ready monitoring maintains clear, traceable records of onboarding decisions, compliance checks, and supporting evidence, strengthening safeguarding oversight and regulatory readiness.
• Portfolio OCDD continuously monitors partners for changes in risk profiles, ownership structures, regulatory standing, and compliance exposure, helping teams identify safeguarding risks before customer fund exposure grows.
• Management-by-exception workflows automatically route higher-risk payment partners for review while allowing lower-risk cases to move through onboarding faster and more consistently. 
• OnBoard AIQ™ extracts, collects, and validates  information from structured and unstructured documents, reducing manual errors and strengthening onboarding controls against evolving fraud and compliance threats.
• White-label onboarding allows providers to maintain centralized safeguarding and compliance controls across partner ecosystems while enabling branded partner-led onboarding journeys under consistent governance. 

Source: Financial Conduct Authority

‍

European Union

AMLA Draft Regulatory Technical Standards on Group-Wide AML Requirements

Effective Date: Public hearing 28 May 2026; final RTS expected later in 2026

Issued By: EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA)

Applies To: All EU-regulated financial groups, including banks, PSPs, EMIs, and payment institutions operating through subsidiaries or branches, particularly those with entities in multiple EU member states or with subsidiaries and branches outside the EU.

Summary:

• What: AMLA has published draft guidelines setting minimum requirements for how financial institutions conduct business-wide AML risk assessments across customers, products, services, transactions, delivery channels, and geographic exposure. 
• Why: AMLA is seeking to strengthen how firms identify, assess, and manage AML risk across the organization, supporting more informed and risk-based decisions around customer, product, geographic, and operational risk exposure. 
• What's Next: Written submissions are still open. Once finalized, these RTS will be binding across all EU member states and will form a core part of AMLA's supervisory expectations.

Key Changes Proposed:

• Parent companies and group-level compliance functions will be directly responsible for ensuring all subsidiaries and branches, including those in third countries, meet EU AML standards.
• New criteria would determine which EU parent entity is responsible for AML oversight where multiple EU entities are owned by a non-EU head office.
• Group-wide AML/CFT requirements would also apply to certain organizational structures beyond traditional financial groups.

What This Means for Merchant Onboarding Teams: 

The draft RTS increases the importance of maintaining consistent onboarding governance and AML oversight across subsidiaries, branches, and jurisdictions while still adapting onboarding controls to local regulatory and risk requirements. 

For onboarding teams, this places greater focus on localized onboarding workflows, stronger beneficial ownership verification across cross-border entities, and consistent documentation of customer and geographic risk exposure across the group. Firms relying heavily on manual onboarding processes may face greater exposure to inconsistent ownership checks, jurisdictional compliance gaps, and weak audit traceability across different entities and regions.

Recommended Actions:

• Review whether onboarding controls can adapt to local jurisdictional requirements while still maintaining consistent group-wide AML oversight.
• Maintain structured audit trails showing how customer, ownership, and geographic risks are assessed across entities and jurisdictions.
• Review whether onboarding workflows can account for local compliance requirements across different jurisdictions while still maintaining consistent group-wide AML oversight, particularly for multi-regional providers operating through subsidiaries, branches, or partner entities.

How OnBoard Helps: 

OnBoard helps multi-regional providers maintain consistent AML oversight across jurisdictions while still adapting onboarding controls to local compliance requirements.

• Jurisdiction-specific workflow configuration allows firms to localize their onboarding, KYB, KYC, AML checks, and documentation requirements across different entities, regions, and regulatory environments from a single platform.
• Audit-ready monitoring maintains structured records of onboarding decisions, ownership verification, jurisdictional risk assessments, and AML reviews across subsidiaries and branches.
• Ongoing customer due diligence monitors customers and partners for changes in ownership structures, jurisdictional exposure, regulatory standing, and risk profiles after onboarding.
• White-label onboarding allows financial groups to maintain centralized AML governance and onboarding standards while supporting localized onboarding journeys across subsidiaries, partner entities, or regional operating models under consistent group-level control. 

Source: Anti-Money Laundering Authority 

‍

Australia

AUSTRAC Supervisory Campaigns & AML/CTF Transitional Rules

Effective Date: Launched 8 May 2026

Issued By: AUSTRAC

Applies To: All virtual asset service providers (VASPs) operating in Australia, including crypto exchanges, OTC crypto-to-cash operators, custodians, and brokers. Also relevant to any PSP, bank, or fintech that onboards VASPs as merchants or partners, or processes payments for the virtual assets sector.

Summary:

• What: AUSTRAC launched two targeted supervisory campaigns on 8 May 2026 to examine how Australia's virtual asset sector is managing AML/CTF risk under the landmark reforms that took effect on 31 March 2026.
• Why: AUSTRAC considers the virtual assets sector to present elevated money laundering risk and is increasing supervisory oversight as Australia expands AML/CTF obligations across custody, brokerage, exchange, and other virtual asset services. The transitional rules are intended to help existing reporting entities move from legacy applicable customer identification procedures (ACIP) to the new risk-based initial CDD framework in a controlled way. 
• What's Next: Existing reporting entities may continue using current ACIP onboarding procedures until March 30, 2029 while transitioning to the new risk-based initial CDD framework. Ongoing CDD obligations still apply from March 31, 2026, and firms using ACIP must maintain documented transition policies by July 1, 2026.

Key Changes:

• AUSTRAC is engaging directly with 36 OTC crypto businesses under its “Ramps and Rails” campaign, assessing business models, service channels, transaction scale, and AML/CTF risk management controls.
• AUSTRAC is also reviewing 27 local crypto exchanges, with supervisory focus on reform readiness and governance arrangements.
• Australia is replacing the narrower “digital currency exchange” (DCE) classification with the broader “virtual asset service provider” (VASP) framework, expanding AML/CTF obligations across more virtual asset services.
• Existing reporting entities may continue using current ACIP onboarding procedures until March 30, 2029 while transitioning to the new risk-based initial CDD framework. Firms using ACIP must maintain documented transition policies identifying affected customer groups and planned transition timelines.
• Newly regulated tranche two businesses and VASPs will have until July 29, 2026 to notify AUSTRAC of their AML/CTF compliance officer.

What This Means for Payment Providers and Onboarding Teams: 

For payment providers onboarding VASPs and crypto-related businesses, the transitional rules increase the importance of clearly managing how different customer groups are onboarded and monitored during the move from legacy ACIP procedures to the new risk-based customer due diligence (CDD) framework.

From July 1, 2026, firms using ACIP must maintain documented transition policies while still applying ongoing CDD obligations across all customers. This increases the need for stronger onboarding controls, documentation, and defensible audit records  throughout the transition period.

Recommended Actions:

• Add AUSTRAC VASP register verification to your KYB checklist for any crypto or virtual asset business you onboard. The register is publicly searchable.
• Review your risk classification for VASP customers in Australia. The new regulatory framework changes their risk profile and your CDD obligations.
• If you're a VASP, make sure your AML/CTF programme is fully documented and functional under the post-31-March framework.
• Ensure onboarding records and audit trails clearly document customer risk assessments, escalation decisions, and AML/CTF reviews. 
• Brief your onboarding and compliance teams on the difference between the old DCE regime and the new VASP framework.

How OnBoard Helps: 

OnBoard helps payment providers strengthen merchant onboarding in Australia for VASPs and crypto-related businesses transitioning from legacy ACIP procedures to the new risk-based CDD framework under AUSTRAC’s AML/CTF reforms.

• Smart Forms allow providers to adapt onboarding flows in real time to support AUSTRAC’s new risk-based CDD requirements, ensuring only the most relevant customer and risk information is captured without rebuilding the entire onboarding journey from scratch. 
• Audit-ready monitoring maintains structured records of onboarding decisions, AML/CTF reviews, customer risk assessments, and transition controls throughout the ACIP transition period.
• Integrated KYB, KYC, and AML screening helps providers verify VASP customers, beneficial owners, sanctions exposure, and regulatory standing throughout onboarding.
• OnBoard AIQ™ extracts, validates, and collects key information from structured and unstructured documents, supporting stronger verification of customer and ownership information under the new CDD framework. 
• White-label onboarding allows payment providers to maintain centralized governance, onboarding standards, and compliance controls across partners, agents, or specialist channels  onboarding crypto-related merchants and VASP customers.

Source: AUSTRAC & Department of Home Affairs 

‍

Singapore

FATF/APG Mutual Evaluation Report: Singapore 2026

Effective Date: Published 6 May 2026

Issued By: Financial Action Task Force (FATF) and Asia/Pacific Group on Money Laundering (APG)

Applies To: Any financial institution, PSP, or bank with operations in Singapore, correspondent banking relationships with Singapore-based institutions, or merchants and customers based in Singapore.

Summary:

• What: FATF and APG published Singapore's full mutual evaluation report on 6 May 2026, assessing the effectiveness of its AML/CFT framework following an on-site visit in July 2025.
• Why: FATF mutual evaluations are designed to assess whether countries are effectively applying global AML/CFT standards in practice. While Singapore received strong overall results, FATF identified areas where risk-based controls, beneficial ownership transparency, and AML/CFT outcomes need to be more consistent and demonstrable.
• What's Next: Singapore has been placed in FATF regular follow-up and will report back to FATF and APG on its progress against a three-year roadmap of recommended actions. Key focus areas include improving transparency for complex arrangements and Unregistered Foreign Companies, prioritizing complex high-value money laundering investigations, and implementing more targeted proliferation financing risk mitigation measures. 

Key Findings:

• Singapore’s AML/CFT framework was assessed as competent, coordinated, and generally effective in addressing financial crime risks.
• FATF identified fraud, particularly scams and cyber-enabled fraud, as Singapore’s most significant money laundering threat.
• Singapore’s public-private coordination and cross-agency collaboration were highlighted as key strengths supporting AML/CFT risk management.
• Singapore was recognized as having a robust licensing framework designed to prevent criminals and their associates from owning or controlling financial institutions and VASPs.
• Singapore has implemented a beneficial ownership registry for legal entities, but FATF identified limited mechanisms to ensure the accuracy of the information held within the registry, particularly for complex arrangements and certain foreign company structures

What This Means for Merchant Onboarding Teams: 

Singapore remains a well-regulated jurisdiction, but FATF’s findings make clear that firms are now expected to demonstrate that onboarding controls operate effectively in practice, not just exist within documented compliance frameworks. 

For payment providers onboarding Singapore-linked merchants and partners, this increases the importance of stronger beneficial ownership verification, defensible customer risk assessments, and clear audit trails showing how fraud, jurisdictional, and ownership risks are identified and escalated. Firms relying heavily on fragmented or manual onboarding processes may face greater exposure to inconsistent reviews and weak risk documentation.

Recommended Actions:

• Review CDD and onboarding controls for Singapore-linked merchants and partners to ensure risk assessments are genuinely risk-based and consistently applied.
• Strengthen beneficial ownership verification processes for Singapore-based entities, particularly where ownership or control structures are complex.
• Ensure onboarding records clearly document customer risk assessments, escalation decisions, and AML/CFT review outcomes.
• Review fraud and cyber-enabled fraud controls for Singapore-linked onboarding relationships, given FATF’s identification of fraud as Singapore’s most significant money laundering threat.
• Update internal country risk assessments and onboarding policies to reflect the May 2026 FATF/APG mutual evaluation findings

How OnBoard Helps: 

OnBoard helps firms demonstrate stronger risk-based onboarding, beneficial ownership verification, and AML/CFT oversight in practice under FATF’s heightened focus on effective and demonstrable AML controls.

• Integrated decisioning and management-by-exception workflows automatically escalate higher-risk customers, ownership structures, fraud indicators, or jurisdictional exposures while lower-risk cases move through onboarding more efficiently.
• Audit-ready monitoring maintains a full traceable record of onboarding decisions, AML/CFT reviews, beneficial ownership checks, and risk escalations, helping firms evidence that onboarding controls are operating effectively in practice.
• Integrated KYB, KYC, and AML screening automatically validates key customer and beneficial ownership information against trusted global data sources, helping firms strengthen verification controls where FATF identified limitations in the accuracy mechanisms supporting Singapore’s beneficial ownership registry, particularly for Variable Capital Companies and Unregistered Foreign Companies.
• OnBoard AIQ™ extracts, validates, and collects key information from structured and unstructured documents, strengthening beneficial ownership verification and improving consistency across higher-risk onboarding reviews. 
• Smart Forms dynamically collect the most relevant customer, ownership, fraud, and jurisdictional risk information from the very first onboarding touchpoint without rebuilding onboarding workflows from scratch.

Source: FATF

‍‍

Hong Kong

HKMA/SFC Joint Circular on Investment Account Opening Controls and AML for Registered Institutions

Effective Date: 22 May 2026

Issued By: Hong Kong Monetary Authority (HKMA) and Securities and Futures Commission (SFC)

Applies To: All HKMA banks and registered institutions carrying out regulated securities activities in Hong Kong, particularly those onboarding Mainland China investors or managing investment accounts. Relevant to any institution with Hong Kong operations or a Hong Kong-based banking partner.

Summary:

• What: The HKMA and SFC have issued a joint circular requiring banks to audit their investment account opening processes for forged or questionable identity documents and to close any affected accounts.
• Why: Regulators identified material risks from fraudulent documents being accepted during account opening, particularly for investment accounts serving cross-border customers.
• What's Next: Banks must carry out an internal review as soon as practicable, with a clear expectation of immediate action where document authenticity concerns are identified. 

Key Changes:

• Registered institutions must immediately review recent investment account openings to identify any cases where document authenticity is in question.
• Accounts opened using fraudulent documents must be closed.
• HKMA reiterated that institutions must apply a risk-based AML/CFT approach when providing both investment and non-investment account services to Mainland China customers.
• HKMA emphasized that staff must receive proper training and institutions must maintain sufficient controls and resources to identify document fraud and comply with AML/CFT obligations.

What This Means for Payment Providers: 

For payment providers, the message is hard to ignore. Regulators are raising the bar on what “acceptable onboarding” looks like, especially for higher-risk and cross-border customers.

If your onboarding process still relies heavily on manual document reviews, inconsistent checks, or fragmented controls, the risk exposure is growing fast. A single forged document slipping through can quickly become a regulatory issue, a fraud loss, or a reputational problem that is difficult to defend. Risk-based onboarding, automated document verification, and stronger ongoing monitoring are rapidly becoming the expected standard across customer and merchant onboarding environments.

Recommended Actions:

• Review where manual reviews or fragmented onboarding controls may be exposing your merchant onboarding process to forged documents, inconsistent verification, or AML/CFT risk.
• Strengthen document authenticity checks and identity verification for higher-risk and cross-border merchants, especially where ownership structures or customer activity are harder to verify.
• Make sure merchant onboarding decisions, escalation actions, and AML/CFT reviews are clearly documented and easy to defend during regulatory reviews or fraud investigations.
• Monitor whether merchant activity remains consistent with the stated purpose and expected behavior of the account after onboarding.

How OnBoard Helps: 

OnBoard helps payment providers strengthen risk-based onboarding and ongoing monitoring for higher-risk and cross-border merchant relationships where document fraud, identity verification failures, and weak auditability create growing AML/CFT and reputational exposure.

• Integrated KYB, KYC, and AML screening automatically validates customer and identity information against trusted global data sources, helping payment providers reduce exposure to forged documents, onboarding fraud, and inconsistent verification decisions.
• OnBoard AIQ™ helps teams extract, validate, and verify key information from structured and unstructured identity documents, reducing operational pressure on manual review teams while improving the speed and consistency of higher-risk onboarding reviews.
• Audit-ready monitoring maintains a full traceable record of onboarding decisions, document verification checks, AML/CFT reviews, and escalation actions, giving providers stronger evidence during internal reviews, regulatory examinations, and fraud investigations.
• Portfolio OCDD continuously monitors customer activity and risk indicators after onboarding, helping institutions identify behavior that may be inconsistent with the stated purpose of the account before issues escalate into larger AML/CFT or reputational risks.

Source: Hong Kong Monetary Authority

‍

United Arab Emirates 

ADGM FSRA Finalized Enhancements to AML/CFT Framework

Effective Date: 21 May 2026

Issued By: Financial Services Regulatory Authority (FSRA), Abu Dhabi Global Market (ADGM)

Applies To: All financial institutions, PSPs, virtual asset service providers, and designated non-financial businesses and persons licensed within the Abu Dhabi Global Market. Also relevant to any firm considering ADGM as a jurisdiction for licensing or expansion.

Summary:

• What: The FSRA finalized and published enhancements to its AML/CFT framework on 21 May 2026, following industry consultation, with amendments to both the Financial Services and Markets Regulations 2015 and the Anti-Money Laundering and Sanctions Rulebook.
• Why: The updates align ADGM's framework with developments in UAE federal legislation and evolving international standards, including the latest FATF recommendations, as the UAE prepares for its next FATF mutual evaluation in June 2026.
• What's Next: The FSRA has indicated minimal operational impact for most firms, but the changes should be used as a prompt to future-proof compliance frameworks and ensure internal AML documentation is consistent across both federal and ADGM rules.

Key Requirements:

• The AML Rulebook reinforces that firms must apply a clear risk-based approach to AML/TFS compliance. Risk assessments must be objective, proportionate to the risks identified, based on reasonable grounds, properly documented, and regularly reviewed and updated.
• Firms are required to maintain documented business risk assessments covering customer types, products, services, delivery channels, and geographic exposure.
• Customer risk assessments must consider factors such as beneficial ownership, ownership structures, geographic exposure, products and services used, and the purpose of the business relationship to determine the appropriate level of customer due diligence.
• Customer due diligence requirements have been strengthened around beneficial ownership identification, ongoing monitoring, and maintaining up-to-date customer information.
• The Rulebook introduces clearer requirements for firms relying on third parties to perform customer due diligence, including assessing the adequacy and reliability of those arrangements.

What This Means for Merchant Onboarding Teams: 

The updated AML Rulebook raises the pressure on payment providers to prove their onboarding controls are genuinely risk-based, not just policy-driven. Regulators now expect firms to clearly document how customer risk is assessed, how beneficial owners are verified, and how higher-risk customers are escalated and monitored over time.

For providers working with cross-border customers, complex ownership structures, or third-party onboarding partners, weak documentation or inconsistent risk decisions can quickly become a regulatory and reputational risk.

Recommended Actions:

• Review whether your onboarding workflows clearly document how customer and business risk decisions are assessed and approved.
• Strengthen beneficial ownership verification controls for higher-risk or complex ownership structures.
• Reassess any third-party onboarding or verification providers to ensure their controls, screening processes, and audit trails meet ADGM AML expectations.
• Make sure onboarding decisions, AML reviews, and escalation outcomes are easy to trace, review, and defend during regulatory examinations.

How OnBoard Helps: 

OnBoard helps payment providers operationalize risk-based merchant onboarding through governed verification, consistent escalation, and auditable ongoing compliance controls. 

• Integrated KYB, KYC, and AML screening helps validate customer, business, and beneficial ownership information against trusted global data sources, improving the accuracy and consistency of customer risk assessments.
• Configurable onboarding workflows allow providers to apply different risk rules, escalation paths, and due diligence requirements based on customer risk, jurisdiction, or ownership structure.
• OnBoard AIQ™ helps teams collect, verify, and assess onboarding information faster, reducing manual reviews while improving customer due diligence quality.
• Audit-ready monitoring and OCDD help firms maintain a clear record of onboarding decisions, risk assessments, and AML reviews while continuously monitoring for emerging risk changes after onboarding.

Source: ADGM & Anti-Money Laundering and Sanctions Rulebook (AML) 

‍

Cross-market signals for onboarding and compliance teams

May 2026 makes one thing increasingly clear: regulators are no longer assessing onboarding as a standalone compliance process. They are assessing whether onboarding decisions are risk-based, governed, traceable, and capable of operating effectively across increasingly complex payment ecosystems, not just whether isolated checks have been completed. 

• Risk-based onboarding is becoming a supervisory expectation, not just a compliance best practice
• Stablecoin relationships are attracting the same scrutiny traditionally applied to regulated financial institution counterparties
• Safeguarding oversight is becoming a material onboarding and partner governance consideration
• Regulators are focusing more heavily on whether onboarding controls operate effectively in practice, not simply whether policies exist
• Beneficial ownership verification and ongoing due diligence expectations continue to tighten across jurisdictions
• Fragmented onboarding processes and weak auditability are becoming increasingly difficult to defend under regulatory scrutiny
• Cross-border onboarding governance is becoming more important as firms manage subsidiaries, branches, and jurisdiction-specific obligations
• Payment providers are expected to maintain clearer escalation pathways, defensible onboarding decisions, and stronger documentation standards

This is no longer just an onboarding efficiency challenge. It is an operational governance challenge that begins at the point of entry.

OnBoard by MVSI supports that shift by bringing digital onboarding, KYB, AML screening, underwriting, and ongoing customer due diligence (OCDD) into a single controlled architecture for regulated payment environments.

We work with payment providers, acquirers, PayFacs, lenders, and banks to operationalize risk-based onboarding, automate decisioning, and maintain ongoing  visibility over merchant risk, ensuring onboarding remains consistent, auditable, and aligned with evolving regulatory expectations.

If your onboarding model still depends on fragmented workflows, manual escalation handling, or disconnected oversight processes, May’s regulatory updates show why those operational gaps are becoming increasingly difficult to justify under supervisory review.

‍

This content is provided for general information only and does not constitute legal or regulatory advice.