Building an AML & KYC Operating Model That Survives Bank and PSP Due Diligence in 2026

AML and KYC requirements for payment companies are entering a new phase. Banks, acquirers and upstream PSPs are applying stricter due diligence standards than ever before, driven by global regulatory reform, increasing fraud risks, and growing scrutiny of digital payment flows. In 2026, the question is no longer whether a PSP or merchant has an AML/KYC framework but whether it can prove that the framework works. For PSPs, PayFacs, BaaS platforms and high-risk merchants, this shift makes a due diligence-ready AML operating model essential for securing banking relationships and expanding into new markets.

The 2026 AML & KYC Landscape: Why Banks and PSPs Are Raising the Bar

The AML landscape for payments businesses is changing quickly. Regulators worldwide are tightening expectations, and banks are applying those expectations throughout their downstream relationships. This means PSPs and high-risk merchants are now held to standards that more closely resemble those applied to financial institutions. The increased focus on fraud, instant-payment risks and cross-border flows has pushed banks to reassess how they evaluate partners, leading to more rigorous onboarding and ongoing due diligence requirements.

FATF, global enforcement and the shift to risk-based, demonstrable compliance

FATF remains the global reference point for AML standards, but what has changed is how regulators expect payment companies to demonstrate compliance. Banks no longer accept high-level policy frameworks without evidence that controls operate consistently. Instead, they look for clear links between risk assessments, due diligence decisions and transaction-monitoring outcomes. For a PSP, this means being able to explain not only what the policy says, but how it is applied in real scenarios and showing documentation that supports those decisions.

EU AML Single Rulebook, AMLA and their impact on PSP onboarding expectations

In Europe, the introduction of the Single Rulebook and the creation of AMLA mark a shift toward more standardised AML requirements across member states. Although full implementation extends beyond 2026, European banks have already raised their onboarding expectations.

Payment companies must provide deeper visibility into customer profiles, beneficial-ownership structures and transaction patterns.

Banks increasingly request enterprise-wide risk assessments and more detailed explanations of business models before opening accounts or providing acquiring services. This means PSPs operating in the EU must maintain a high level of documentation, auditability and control maturity.

The UK’s tightened AML expectations for payment firms and the FCA’s 2026 pressures

The UK continues to intensify its oversight of payments and e-money firms. The FCA has emphasised the need for stronger governance, clearer AML accountability and improved data quality for screening and monitoring. With fraud rising rapidly in the UK, especially across instant-payment channels, banks expect PSPs to adopt more sophisticated monitoring methods and to demonstrate prompt, accurate suspicious-activity reporting. Weak governance or poor-quality KYC files often result in delayed onboarding or outright rejection.

High-risk verticals and instant payments: why Mule risk, APP fraud and synthetic identities reshape KYC requirements

Instant payment systems have changed the risk profile of the entire payments ecosystem. Funds can move across multiple platforms within seconds, giving financial criminals new opportunities to scale mule networks and synthetic identities. PSPs serving high-risk sectors such as gaming, forex, digital goods or crypto-linked platforms face even more scrutiny. Banks expect deeper KYC procedures, closer monitoring of behavioural patterns, and more frequent reviews of customer activity. A static approach to verification is no longer acceptable; ongoing, risk-aligned monitoring is now the standard.

What Banks and PSPs Actually Look For in Due Diligence

Banks and PSPs use due diligence to understand how well a payment company identifies, manages and documents financial crime risk. The process is far more detailed in 2026 than in previous years. A bank’s primary concern is liability: if a PSP or merchant has weak AML controls, the bank becomes exposed. This is why modern onboarding assessments focus heavily on governance, documentation quality, risk segmentation and operational effectiveness.

Governance and ownership transparency: proving accountability from the top

A strong AML programme begins with clear accountability. Banks look closely at who owns the business, how decisions are made, and how AML responsibilities are assigned. They expect transparent beneficial-ownership structures and documented governance processes that involve senior leadership. The MLRO’s role receives particular attention, including their authority, independence and reporting lines. If a PSP cannot show strong senior-level oversight, onboarding becomes difficult.

Customer and merchant risk assessment models aligned with FATF/Wolfsberg

Banks also examine how a PSP assesses risk across customers, geographies and products. A mature risk-assessment model helps determine what level of due diligence is required for each profile. For example, a small domestic merchant may require a basic KYC package, while a cross-border high-risk marketplace may require enhanced due diligence and closer monitoring. Banks want to see a clear connection between risk scores and the controls applied.

KYC/KYB and EDD standards tailored to business type and geography

KYC quality is one of the most common reasons PSPs fail onboarding. Banks assess whether identity information is accurate, complete and verified, and whether beneficial owners are identified correctly. They also review how PSPs adapt their KYC standards based on geography, business sector and ownership complexity. Enhanced due diligence plays a critical role in reviewing high-risk or offshore customers, and banks expect PSPs to provide clear documentation showing how EDD decisions were made.

Screening, monitoring and reporting: demonstrating real operational effectiveness

Monitoring and screening practices are essential indicators of AML maturity. Banks look for systems that operate continuously rather than intermittently, and they expect PSPs to maintain clear investigative logs, escalation procedures and SAR reporting processes. The ability to link monitoring outcomes to specific behaviours such as unusual transaction spikes or geographic anomalies reassures banks that the PSP can detect and respond to suspicious activity promptly.

Independent testing, QA, training and audit trails as evidence of maturity

Finally, banks evaluate how well a PSP maintains quality and oversight across its AML functions. Regular QA reviews, internal audits and third-party assessments provide evidence that controls operate correctly. Training records help demonstrate that operational teams understand AML obligations and apply them consistently.

A PSP that maintains good documentation, testing reports and remediation logs sends a strong signal that it takes AML responsibilities seriously.

Core Components of a Due-Diligence-Ready AML & KYC Operating Model

A payment company entering a new banking relationship in 2026 needs an AML operating model that is not only compliant but convincing. Banks expect PSPs and merchants to maintain a clear, structured approach to managing financial-crime risk, supported by documentation and operational evidence. A strong model gives banks confidence that the PSP will not expose them to regulatory or reputational risk.

Governance framework, risk appetite and policy architecture

A robust AML framework begins with clear governance. Banks expect PSPs to maintain an AML policy that is updated regularly and approved at a senior level, along with well-defined procedures that translate policy into day-to-day action. The MLRO must hold sufficient authority to escalate issues and enforce requirements across the organisation. A documented risk-appetite statement also plays an important role, as it explains which types of customers, sectors and jurisdictions the business is willing to support. This gives banks a clearer picture of how the PSP positions itself within the broader risk landscape.

Enterprise-wide risk assessment (EWRA) and customer segmentation

The EWRA is one of the most important documents a PSP can share during due diligence. It outlines the inherent risks associated with customers, products, delivery channels and geographical exposure, and it explains how controls mitigate those risks. Banks look for evidence that the risk assessment is reviewed regularly and that it informs real operational decisions.

For example:
High-risk merchants should be subject to more detailed verification and closer monitoring. When a PSP can demonstrate how risk scores impact downstream processes, it strengthens its position significantly.

KYC/KYB lifecycle: onboarding, review and ongoing monitoring

Banks pay close attention to how PSPs manage the entire lifecycle of customer relationships. Onboarding is the foundation, but it is only the first step. The PSP must show how it refreshes KYC at appropriate intervals, especially for high-risk customers. Event-driven reviews also matter; these occur when customer behaviour changes significantly, such as during sudden volume spikes or unusual transaction patterns. A clear, well-documented lifecycle demonstrates that the PSP takes a proactive approach to managing financial-crime risk, rather than relying solely on initial verification.

Screening and transaction monitoring capabilities that banks expect in 2026

Screening and monitoring systems are central to AML effectiveness. Banks look for solutions that provide real-time sanctions and PEP screening, along with behaviour-based monitoring that can detect anomalies. PSPs must be able to explain how their monitoring rules are calibrated, how alerts are investigated, and how decisions are documented. In instant-payment environments, banks expect PSPs to detect mule activity and synthetic identities more quickly. Strong monitoring capabilities are often the deciding factor when a bank evaluates whether a PSP can safely handle high-risk flows.

Documentation, auditability and evidence management

Documentation is one of the strongest indicators of AML maturity. During due diligence, banks review sample KYC files, monitoring logs, SAR case notes and governance materials to assess consistency and quality. Good documentation shows that a PSP can reproduce decisions, justify escalations and demonstrate control effectiveness. Banks also appreciate well-maintained audit trails, independent testing reports and remediation records. These materials offer assurance that the AML programme is active, accountable and continuously improving qualities that banks prioritise when selecting partners.

Oversight of Merchants, Sub-Merchants, Agents and BaaS Partners

Banks increasingly expect PSPs to demonstrate strong oversight of every party operating within their payments ecosystem. This includes merchants, sub-merchants, agents, and any embedded partners using the PSP’s infrastructure. In 2026, the rise of platform-based commerce, PayFac models and Banking-as-a-Service arrangements has expanded the scope of AML responsibility. Banks now treat PSPs not simply as processors, but as risk distributors, meaning they must understand and control risks introduced by every downstream participant. Strong oversight is therefore a critical factor in passing due diligence.

Regulator and card-scheme expectations for PayFac and marketplace oversight

Payment facilitators and marketplaces sit at the centre of rapidly expanding merchant ecosystems. Card schemes and regulators have made it clear that PayFacs are responsible for knowing who their sub-merchants are, how they operate and how they manage financial crime risks. Banks expect PayFacs to conduct detailed onboarding on merchants, verify ownership information and understand how each business generates revenue. Ongoing monitoring must also be more proactive, particularly across high-risk categories such as gaming, forex or digital services.

In practice, this means maintaining a complete and accurate merchant portfolio, updating information as businesses evolve, and intervening quickly when transaction patterns deviate from expected behaviour. Banks want confidence that PayFacs can manage the scale and diversity of their sub-merchant base without exposing the banking relationship to unnecessary risk.

BaaS partner risk: what sponsor banks now expect as minimum AML standards

Banking-as-a-Service has grown significantly, but it has also created new layers of AML responsibility. Sponsor banks increasingly review BaaS partners through the same lens used for regulated institutions, emphasizing how well the partner understands and monitors its own end-customers. Banks expect PSPs using BaaS infrastructure to demonstrate clear boundaries of responsibility: who performs KYC, who monitors transactions, who files suspicious activity reports, and who manages investigations.

A lack of clarity in these roles can lead to supervisory issues or regulatory findings for the sponsor bank. As a result, banks now demand that BaaS partners present detailed AML documentation, lifecycle procedures, escalation paths and evidence of past investigations.

Those who cannot demonstrate consistent oversight face onboarding delays or restrictions on the types of flows they are permitted to process.

Merchant monitoring, lifecycle reviews and early warning indicators

Oversight does not stop at onboarding. Banks want partners who actively monitor merchants and users throughout the entire relationship. This includes reviewing transaction trends, identifying sudden spikes or unusual flows, and detecting patterns that indicate higher exposure to fraud or money laundering. High-risk merchants in particular must be subject to scheduled reviews, including updates to beneficial-ownership information and assessments of whether their business activity still aligns with their declared model.

Early warning indicators carry significant weight in due diligence. PSPs should be able to demonstrate how they identify concerning behaviours, such as a surge in chargebacks, rapid growth in unfamiliar regions, or unusual payment velocity and how these triggers initiate internal review or escalation processes. Banks regard a strong early-warning framework as proof that the PSP can detect and address risk before it escalates.

Training, certification and enforceable partner obligations

Clear expectations must also be communicated to partners. Banks look favourably on PSPs that require merchants, agents or BaaS clients to acknowledge AML responsibilities and comply with documented standards. Regular training, guidance materials and clear contractual obligations help reinforce this requirement. Where partners fail to meet expectations, PSPs must show that they take corrective action, whether through remediation, enhanced monitoring or termination of the relationship.

This structured approach to partner oversight signals maturity. It shows banks that the PSP does not simply provide access to payment services but actively governs the ecosystem it supports. In 2026, this level of oversight is essential for maintaining trust and securing stable banking relationships.

How to Prepare for Bank or PSP Due Diligence in 2026

Preparing for bank or PSP due diligence is no longer a matter of assembling documents at the last minute. In 2026, payment companies are expected to show that their AML and KYC processes are organised, tested and ready to be shared. Banks rely on these materials to assess not only the PSP’s risk exposure but also its operational maturity. A well-prepared due diligence approach significantly improves onboarding speed and reduces the likelihood of extended reviews or additional information requests.

Building a ready-to-share AML/KYC Due Diligence Pack

A due diligence pack provides banks with a clear view of the PSP’s AML framework. It typically includes policy documents, governance charts, risk assessments, KYC procedures, monitoring explanations and anonymised examples of investigations. The goal is to demonstrate that controls are consistent, documented and embedded into daily operations. By preparing this pack in advance, a PSP signals readiness and reduces friction during onboarding.

Common red flags that delay, block or terminate onboarding

Banks often pause or decline PSP applications when they encounter unclear ownership structures, weak KYC files, vague business models or gaps in monitoring capabilities. Incomplete documentation, outdated risk assessments and inconsistent decision-making can also raise concerns. Identifying and addressing these gaps early makes a meaningful difference in the outcome.

How to demonstrate control effectiveness, not just control existence

Banks want evidence that AML controls work in practice. This includes examples of escalations, SAR filings, monitoring alerts and remediation activity. Demonstrating how risk scores influence decisions and how alerts are resolved shows that the PSP’s controls operate as intended.

Designing a scalable model that supports new products, new geographies and higher-risk flows

Finally, scalability plays a major role in onboarding decisions. Banks look for AML frameworks that can grow with the business, supporting new customer types, new markets and higher transaction volumes without compromising oversight. A scalable AML model reassures partners that future expansion will not create unexpected risk.

Conclusion

A strong AML and KYC operating model is now essential for payment companies navigating stricter banking and PSP expectations. By demonstrating clear governance, effective controls and consistent oversight, PSPs can build trust, accelerate onboarding and position themselves for sustainable growth in 2026 and beyond.

---

FAQs