As we close out 2025, and look forward to 2026, Moody’s industry practice leads from the US, Europe, Asia-Pacific, and the Middle East take a look at the priorities and themes which could set the tone for the year ahead.
“What became evident in 2025 was how quickly risks have become interconnected and concentrated, reflecting criminal innovation. Traditionally, focus has been about decentralization of anti-money laundering (AML), but today, the acceleration of Organized Crime Groups (OCGs) and Transborder Crime Organizations (TCOs), is diversifying economic and financial crime portfolios. This creates a need for anti-financial crime compliance to double down on data interoperability across typologies like fraud, sanctions, obscured ownership, money laundering, corruption, tax crimes, smuggling, and human trafficking,” says Francis Marinier, Moody’s banking industry practice lead. “We’re seeing a shift towards organizations seeking an orchestrated, unified view of risk. The market is signaling a need for continued engagement between operations, compliance, and data officers, with data providers delivering models that support connected technology architectures, powered by AI and interoperable, grade-A data.”
The world of compliance and third-party risk management looks as though it stands at a crossroads. While the past year brought AI to the fore, news of cyber threats, shifts in sanctions, and other unexpected challenges, it seems the dominant theme emerging for the year ahead may be one of simplification.
“I think 2026 is shaping up to be the year of simplification,” says Ted Datta, Moody’s head of financial crime industry practice. “We’re seeing regulators from the EU to the UK pushing for streamlined regulatory frameworks — enter the Digital Omnibus — and a single rulebook — enter AMLA. Enter the UK anti-money laundering and counter-terrorism financing supervision announced by the FCA. But simplification isn’t just about making things easier; it’s about making complexity manageable. With so many overlapping regulations, banks and other organizations need to focus on what really matters: reducing third-party complexity, unifying data, and getting back to the core of their business. 2026 could be the year to step back, cut through the noise, and adjust compliance programs so they are robust and efficient,” he concludes.
This value-add for organizations able to reduce complexity goes beyond operational efficiency and moves firmly into the realms of competitive advantage. After all, know your customers (KYC) and know your business (KYB) compliance activity isn’t just about weeding out bad actors; it is more often about onboarding and screening legitimate individuals and entities so businesses can thrive and grow.
“I would argue that customer experience and compliance should not be separate priorities. The ability to onboard or screen an individual or entity efficiently, securely, and seamlessly can offer a competitive advantage across banking, insurance, and asset management. The organizations who do this successfully are more likely to win and retain business,” says Marisol Lopez Mellado, Moody’s banking industry practice lead.
While simplification may be a goal, there are, and will always remain, areas of risk that are moving targets.
“Simplification is an important goal, but there will always be risks that move faster than frameworks can adapt. The real concern for risk and compliance leaders often isn’t the threats they are able to quantify and manage; it’s the ones that emerge from nowhere. Whether it’s the next fraud scam, a new kind of cyberattack, deepfakes we haven’t seen before, or a geopolitical event that catches everyone off guard, these are the challenges that can keep teams up at night. Our recent study into unified risk management in fact bears out that leaders are increasingly focused on these “unknowns” that can damage a business,” concludes Chor Teh, Moody’s industry practice lead.
The drive for simplification is also inseparable from the push toward digitalization, much needed to carve a workable route through difficult waters.
Hera Smith, Moody's industry practice lead, says, “Sanctions are a great example of how and why digitalization and automation are so important to third-party risk management, across sectors. The shifting regulatory landscape coupled with the sheer volume and intricacy of ownership networks, thresholds, and subsidiary entities who can be sanctioned by extension, underscores how digital transformation can be important in supporting effective execution of necessary compliance activities, not just for banks, but for insurers, asset managers, and corporates too.”
“Compliance officers of the future, regardless of which sector they work in, will more and more need to anticipate new scenarios, translate them into actionable procedures, and work hand-in-hand with data scientists to embed policies into smart systems and AI agents. It’s not just about compliance or legal acumen anymore, but developing the ability to recalibrate AI tools and communicate effectively with authorities will be essential as the role evolves,” says Nicola Passariello, Moody’s industry practice lead.
“To echo Nicola, our study into AI in risk-related compliance shows just how rapidly the compliance function is evolving. More than 68% of Compliance officers now expect to be hands-on in designing and operating AI-driven compliance programs. This shift isn’t just about adopting new technology—it’s about compliance teams taking an active role in shaping how AI is embedded into risk management processes,” added Lopez Mellado.
The rise of AI-driven scams and deepfakes in financial crime is a stark reminder that technology is a double-edged sword. “For less than $1.00, someone could go on the dark web and buy a deepfake to open a bank account,” says Lopez Mellado.
“For Europe, and everywhere else, fraud was a theme in 2025 and will continue to persist in 2026.” Passariello adds. “The role of transnational and organized crime will remain significant in fraud activities across multiple jurisdictions and all sectors. It’s increasingly intertwined with money laundering, cyber risks, sanctions evasion, and the list goes on.”
“What are the expectations for 2026 relating to fraud prevention? Greater regulatory scrutiny. I also expect we will see the first self-reporting under the UK’s failure to prevent fraud offense, and a continued arms race between criminals, compliance, and anti-financial crime teams,” concludes Datta.
As we look ahead to 2026, risk and compliance leaders in the US and Canada face a landscape shaped by persistent fraud and the need to address bribery and corruption, as well as evolving regulatory expectations and the transformative potential of data and AI.
On the rise of fraud, Rich Graham, Moody’s KYC industry practice lead, highlights that, “Fraud continues to impact both customers, banks, and large corporations. Massive scam centers show no sign of stopping, and romance scams alone have become a multi-billion-dollar problem. Moody’s data and stats from ACAMS in its report into anti-financial crime underscore the scale and sophistication of transnational crime, with organized scam networks driving losses and regulatory scrutiny to new heights."
The use of shell companies and challenges around transparency over beneficial ownership are also potentially fueling issues like fraud, as well as bribery and corruption. Graham notes, “The private sector’s role in providing shell company data is more important than ever. FATF has called shells the ‘getaway vehicle’ for financial crime, and this is a challenge not just in the US, but also in Europe and beyond.”
The need for robust third-party due diligence is echoed by Maurice L. Crescenzi, Jr., Moody’s corporates industry practice lead, who adds, “Corporates need to continue conducting due diligence on their third parties to make sure those third parties are not cartels, TCOs, or shell companies used for nefarious purposes—and also that their business isn’t working with any of these entities indirectly.”
Data interoperability and use of AI are key tools in addressing financial crime, risk management, and compliance challenges. Crescenzi adds, “Chief compliance officers need to continue to take a unified, holistic view of risk as so many types of third-party risks are interrelated—whether it’s fraud, bribery, corruption, human rights violations, financial instability. Data and analytics can help organizations see the bigger picture and manage these risks more proactively, which is going to be a significant area of focus across the corporate world in 2026.”
As the race to adopt AI in risk-related compliance is accelerating, Graham points out, “An AI strategy is only as good as its data strategy. AI is no longer theoretical for US businesses and financial institutions — it’s being deployed to transform fraud detection, transaction monitoring, and risk identification. AI can help teams move from a reactive to a proactive stance, flagging suspicious activity in near real-time and strengthening prevention efforts before significant losses occur.”
On regulatory expectations in the U.S., Alex Feldman, Moody’s industry practice lead, observes that “2026 could be a watershed moment for financial institutions. In 2025, government agencies updated supervisory guidance, encouraged innovation, and aimed to reduce regulatory burdens. In 2026, regulated entities will begin to operationalize these changes. Examiners, policy makers, and private sector compliance professionals are likely to collectively develop a revised framework for what more effective, risk-based anti-financial crime compliance looks like while also trying to incorporate new technologies. With so many stakeholders looking at a rapidly growing number of compliance programs, there is potential for instances of contradictory supervision and enforcement policy. It has never been more important for compliance managers to be involved in dialogues with their regulators and to build a strong understanding of the risks and controls surrounding the tools they use.”
According to our industry practice leads in the APAC and ME regions, organizations will continue navigating a complex risk landscape shaped by regulatory scrutiny, technology shifts, and scam syndicates in 2026.
The following themes highlight the priorities that could define risk and compliance strategies in the year ahead with sharper focus on UBO transparency, embedding operational resilience into organizations’ supply chains, and work to dismantle organized crime networks.
“We’re taking stock of how screening requirements are changing. Although not a new development in 2025, the shift from name-based to ownership-based screening in sanctions and compliance regimes gained momentum through the year.” says Mohamed Daoud, industry practice lead for financial crime and third-party supply chain compliance in Middle East and South Asia. “Looking ahead to 2026, the focus is likely to be on better understanding and mitigating risk associated with ownership structures and UBO—crucial for both financial institutions and corporations. Organizations could look into going beyond the usual sanctions or entity lists in screening to uncover hidden risk through UBO analysis and entity verification.”
To prepare for this shift, organizations could consider investing in investigation tools and data for potentially greater insight on complex ownership structures. Enhancing due diligence processes to support ongoing monitoring or perpetual know your customer (pKYC) checks—moving away from time-based, periodic reviews—could also help compliance teams.
Another area that has made headlines in 2025 and could continue to stay on the radar in APAC/ME for next year are financial scams run by organized crime and scam syndicates.
“Financial scams, and their links to organized crime, remained a high money laundering risk this year,” observes Pamela Chua, industry practice lead for APAC. “Given the region’s proximity to scam hubs, we are seeing increased interest in understanding corporate ownership structures to unravel individuals or entities who are potentially linked to organized crime networks. Third-party due diligence and UBO clarity are essential for banks and corporates to mitigate risk exposure to scam-linked entities.”
“Zooming out on global developments,” adds Chua, “the Prince Group Transnational Criminal Organization (Prince Group TCO) was in the sanctions spotlight in October 2025. The United States’ Office of Foreign Assets Control (OFAC) and the United Kingdom’s Foreign, Commonwealth & Development Office (FCDO) announced sweeping sanctions targets within Prince Group TCO. In 2026, we may see more countries cracking down on entities related to Prince Group TCO in the global fight against scams.”
It would be remiss not to mention tariffs and supply chain disruptions that partially defined the supplier risk landscape in 2025 and how third-party risk management (TPRM) practices adapted to rapid changes.
Choon Hong Chua, head of financial crime and TPRM practice group for the region, highlights, “Third-party risk management (TPRM) remains challenging, especially against the backdrop of increasing geopolitical tensions, tariffs, and export bans. In response to changing tariff policies, institutions in APAC are adopting a ‘wait and see’ approach while they look at beefing up TPRM capabilities. Manufacturers are also researching alternative sourcing to try to insulate themselves from further disruptions.”
“Looking ahead to 2026,” adds Choon, “some pressing priorities organizations have shared with me include: understanding the licenses needed for export; capabilities to recommend alternative suppliers to mitigate supply chain disruptions; and being able to assess risk exposure with N-tier suppliers. We expect trade to remain dynamic next year—in turn, organizations will need to be agile and adaptable.”
In addition to the growing importance of TPRM, cyber risk emerged as a key concern—as evidenced by the spate of cyberattacks on global supply chains and the speed of cloud adoption, particularly in ME.
“As cloud computing and adoption accelerate across ME, cyber risk remains a paramount concern,” explains Daoud.
A recent PwC publication on secure cloud adoption in the region’s financial sector highlighted that nearly 70% of ME organizations plan to migrate most operations to the cloud in the next two years. This trend is shaped by the region’s data residency and data privacy requirements, which mandate local hosting of data on ME cloud zones or private infrastructure.
“Consequently, sovereign clouds are on the rise, and cybersecurity is increasingly becoming a cornerstone for safeguarding national security and cyber resilience,” adds Daoud.
As for the global fight against financial crime, our team will be following the Financial Action Task Force’s (FATF) evaluation of the United Arab Emirates (UAE) and tracing the surge in digital transactions in APAC/ME closely.
“Digital payments and use of cryptocurrency continue to be on the rise in APAC/ME, which means demand for electronic identity verification (eIDV) and fraud detection capabilities has also increased,” notes Xiao Chen, industry practice lead for APAC. “Some regulators in the region are placing more controls on banks to detect fraudulent profiles or transactions in response to the growing number of fraud and scam cases. In the next year, we expect that banks will sharpen their focus on monitoring crypto-related risk as transaction volumes and complexity grow. In addition, as the typology of fraudulent payments evolves, transaction monitoring engines may move from a traditional rules-based approach—one that flags potentially suspicious transactions based on preset rules, such as a minimum transaction amount or payment frequency—to a behavioral-based approach, supplemented by artificial intelligence (AI).”
Daoud concludes by saying “2026 will be an important year for the UAE. After its removal from the FATF grey list in February 2024, the country will chair next year’s Middle East and North Africa FATF (MENAFATF) presidency and possibly go through an onsite assessment in June 2026. In the July 2023 follow-up report for the country’s technical ratings, the UAE was assessed to be largely compliant or compliant across most FATF Recommendations, and only partially compliant for Recommendation 15 on virtual assets (VAs) and virtual assets service providers (VASPs). Regulation of VAs and VASPs has remained central to UAE’s regulatory framework, with the Dubai Virtual Asset Regulatory Authority updating its activity-based Rulebooks for regulation of VAs and VASPs this year. Although the UAE is no longer on the grey list, there is an opportunity for the country to strengthen awareness and compliance in non-regulated sectors as part of a holistic approach to anti-money laundering and counter-terrorism financing (AML/CTF).”
For more information on any of the topics covered in this article, please get in touch with the team here at Moody’s — we would love to hear from you.