Financial institutions operate inside one of the densest regulatory environments of any industry. The rules span financial crime, data privacy, consumer protection, capital adequacy, operational resilience, and reporting, and they keep multiplying. Keeping track of which regulations apply to you is the first step toward managing them.
This is a structured list of compliance regulations financial institutions need to know, organised by category. For each, you'll find who it applies to, what it requires in brief, and the body that governs it. Use it as a map rather than legal advice. Specifics vary by jurisdiction and business model, and the rules themselves change.
Financial crime: AML, KYC, and sanctions
Anti-financial-crime rules sit at the top of most institutions' compliance agenda, because the penalties and reputational stakes are among the highest.
EU Anti-Money Laundering Package (AMLR / AMLD6 / AMLA). The EU's overhauled anti-money laundering regime introduces a single rulebook (the AML Regulation), a sixth AML Directive, and a new central supervisor. In January 2026, all anti-money laundering and counter-terrorism financing mandates and functions were transferred from the European Banking Authority to AMLA, the new EU Anti-Money Laundering Authority based in Frankfurt. The AML Regulation applies from mid-2027, and from January 2028 AMLA will directly supervise 40 large, high-risk financial institutions EU-wide. Applies to banks, payment firms, crypto-asset service providers, and other obliged entities in the EU.
UK Money Laundering Regulations and the Proceeds of Crime Act. The UK's AML framework requires firms to conduct customer due diligence, monitor transactions, and report suspicious activity. Governed by the FCA for most financial firms.
US Bank Secrecy Act and the AML Act. The foundational US anti-money laundering framework, requiring suspicious activity reporting, currency transaction reporting, and customer identification programmes. Administered by FinCEN.
Sanctions regimes. Institutions must screen customers, counterparties, and transactions against the sanctions lists maintained by OFAC (US), OFSI (UK), and the EU consolidated financial sanctions list. Sanctions compliance is continuous, not periodic: the lists change frequently, so existing customers and pending payments must be rescreened whenever a list is updated, and breaches carry severe penalties.
Underpinning all of these are the recommendations of the Financial Action Task Force (FATF), the global standard-setter whose guidance shapes national AML regimes worldwide.
Data privacy and protection
Financial institutions handle vast amounts of sensitive personal data, putting privacy regulations squarely on the compliance agenda.
GDPR (General Data Protection Regulation). The EU's data protection regime governs how personal data is collected, processed, stored, and transferred. It applies to any organisation handling the personal data of individuals in the EU, regardless of where the organisation is based, and carries fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. The UK operates an equivalent regime under UK GDPR and the Data Protection Act 2018.
PCI DSS (Payment Card Industry Data Security Standard). A security standard for any organisation that stores, processes, or transmits cardholder data. While not government legislation, it's contractually mandatory for card-handling firms and effectively unavoidable for payments businesses.
Sector-specific privacy rules. In the US, the Gramm-Leach-Bliley Act governs how financial institutions handle consumer financial information, while state-level rules such as the CCPA add further obligations (the CCPA exempts data already collected under the GLBA, but not everything a financial institution holds falls within that exemption).
Prudential and capital requirements
Prudential regulation ensures institutions hold enough capital and liquidity to absorb shocks. These rules are technical, high-stakes, and currently in a period of significant change.
Basel III / Basel 3.1 (the "Basel III Endgame" or "Basel IV"). The global framework for bank capital adequacy, liquidity, and risk management, set by the Basel Committee. Implementation is now staggered across jurisdictions. In the EU, the CRR3/CRD6 package completed implementation of Basel 3.1 with effect from 1 January 2025, with the exception of the market risk requirements (the Fundamental Review of the Trading Book). In the UK, the Prudential Regulation Authority confirmed a general start date of January 1, 2027 in its final policy statement published in January 2026. In the US, regulators released a proposal to implement the final Basel reforms in March 2026. Applies to banks and, in modified form, to other deposit-taking institutions.
CRR / CRD (Capital Requirements Regulation and Directive). The EU legislative vehicles implementing Basel standards, covering capital, liquidity, leverage, and large exposures for banks and investment firms.
Operational resilience
A newer category, operational resilience regulation reflects how dependent financial services have become on technology and third parties.
DORA (Digital Operational Resilience Act). The EU's comprehensive framework for managing ICT risk in financial services. DORA became fully applicable on 17 January 2025, and centres on ICT risk governance, incident reporting, third-party risk management, resilience testing, and information sharing. It applies to approximately 22,000 financial entities across the EU, and notably extends to critical ICT third-party providers, meaning even cloud and technology vendors outside the EU can fall within scope.
UK operational resilience rules. The FCA, PRA, and Bank of England have their own operational resilience framework: firms had until 31 March 2025 to show they can remain within impact tolerances for their important business services, and rules on critical third parties took effect on 1 January 2025, broadly parallel to DORA's third-party provisions.
Consumer protection and conduct
Conduct regulation governs how institutions treat their customers and behave in markets.
FCA Consumer Duty (UK). Requires firms to deliver good outcomes for retail customers, raising the bar from treating customers fairly to actively demonstrating good outcomes across products, pricing, support, and communications.
MiFID II (EU/UK). Governs investment services and trading, covering transparency, investor protection, and transaction reporting. Applies to investment firms, trading venues, and related entities.
US consumer financial protection. The CFPB enforces a range of consumer protection rules covering lending, disclosures, and fair treatment across consumer financial products.
Payments and open banking
Payments-specific regulation has expanded rapidly alongside fintech growth.
PSD2 (Payment Services Directive 2). The EU framework governing payment services, strong customer authentication, and third-party access to payment account data. It's the regulatory foundation of open banking. A successor framework (PSD3 and the Payment Services Regulation) is in development.
E-money regulations. Govern the issuance of electronic money and the safeguarding of customer funds, applying to e-money institutions and many fintechs.
MiCA (Markets in Crypto-Assets Regulation). The EU's framework for crypto-asset service providers and issuers, bringing much of the crypto sector into formal regulation. Its stablecoin provisions applied from 30 June 2024 and the remaining provisions from 30 December 2024.
How to keep track of it all
This list is a snapshot, and an incomplete one by necessity. The full obligation set for any given institution depends on its jurisdictions, products, and structure. What's consistent is the direction of travel: more regulations, more frequently, with steeper consequences for falling short.
Tracking all of this manually doesn't scale. A large institution can receive hundreds of regulatory alerts a day across these categories. The practical answer is a structured approach: maintain a single library of the obligations that apply to you, map each to the controls that satisfy it, and monitor for changes continuously rather than scrambling when a deadline approaches.
That structured approach is exactly what a governance, risk and compliance framework provides, and what regulatory compliance software operationalises. The institutions that handle this well don't track regulations in spreadsheets. They build the obligation set into a working system that flags change, maps impact, and keeps evidence audit-ready.
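The obligation library, control mapping, and change monitoring described above can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not Finnulate's code, and every regulation name, obligation text and control identifier in it is constructed for the example rather than taken from a regulator or product. The regulation "texts" are placeholders, not actual legal wording.

```python
"""Obligation library with control mapping and regulatory change detection.

Added illustration, not Finnulate's code or any regulator's artefact.
All regulation excerpts, obligation texts and control names below are
constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obligation:
    """One requirement extracted from a regulation."""
    obligation_id: str
    regulation: str        # key into the regulation snapshot
    text: str


@dataclass
class ObligationLibrary:
    obligations: list[Obligation]
    # obligation_id -> set of control identifiers that satisfy it
    control_map: dict[str, set[str]] = field(default_factory=dict)

    def unmapped(self) -> list[str]:
        """Obligations with no control assigned: a compliance gap to raise."""
        return sorted(o.obligation_id for o in self.obligations
                      if not self.control_map.get(o.obligation_id))

    def controls_for_regulation(self, regulation: str) -> set[str]:
        """All controls whose evidence depends on a given regulation."""
        found: set[str] = set()
        for o in self.obligations:
            if o.regulation == regulation:
                found |= self.control_map.get(o.obligation_id, set())
        return found


def fingerprint(text: str) -> str:
    """Stable digest of a regulatory text, so a change is detected without diffing."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def snapshot(sources: dict[str, str]) -> dict[str, str]:
    """regulation name -> fingerprint of its current text."""
    return {name: fingerprint(text) for name, text in sources.items()}


def changed_regulations(previous: dict[str, str], current: dict[str, str]) -> list[str]:
    """Regulations whose text changed, was added, or was withdrawn since the last poll."""
    names = set(previous) | set(current)
    return sorted(n for n in names if previous.get(n) != current.get(n))


def impact_report(lib: ObligationLibrary, previous: dict[str, str],
                  current: dict[str, str]) -> dict[str, set[str]]:
    """Changed regulation -> controls whose evidence must be re-reviewed."""
    return {name: lib.controls_for_regulation(name)
            for name in changed_regulations(previous, current)}


# Constructed sample data: placeholder excerpts, not real regulatory wording.
SOURCES_V1 = {
    "AMLR": "Verify the identity of the customer before establishing a business relationship.",
    "DORA": "Report major ICT-related incidents to the competent authority.",
    "PSD2": "Apply strong customer authentication when the payer accesses its account online.",
}
# Second poll: only the DORA text has changed.
SOURCES_V2 = dict(SOURCES_V1,
                  DORA="Report major ICT-related incidents to the competent authority "
                       "within the initial notification deadline.")

LIBRARY = ObligationLibrary(
    obligations=[
        Obligation("OB-001", "AMLR", "Verify customer identity before onboarding"),
        Obligation("OB-002", "DORA", "Report major ICT incidents to the competent authority"),
        Obligation("OB-003", "DORA", "Maintain a register of ICT third-party contracts"),
        Obligation("OB-004", "PSD2", "Enforce strong customer authentication for account access"),
    ],
    control_map={
        "OB-001": {"CTL-KYC-01"},
        "OB-002": {"CTL-IR-03", "CTL-IR-07"},
        "OB-004": {"CTL-AUTH-02"},
        # OB-003 deliberately left unmapped to show gap detection
    },
)


def demo() -> dict:
    """Run one monitoring cycle: detect changes, map impact, list gaps."""
    prev, cur = snapshot(SOURCES_V1), snapshot(SOURCES_V2)
    return {
        "changed": changed_regulations(prev, cur),
        "impact": impact_report(LIBRARY, prev, cur),
        "gaps": LIBRARY.unmapped(),
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint lets a poller store one hash per regulation between runs instead of the full text; a real system would also version the obligations themselves and record who reviewed each impacted control, which is the audit trail the next section refers to.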
How Finnulate helps you stay on top of compliance regulations
Finnulate is an AI-native compliance platform that turns a sprawling, shifting set of compliance regulations into a structured, monitored, and audit-ready system.
- Regulatory ingestion and requirement extraction: updates across AML, data privacy, prudential, operational resilience, and conduct rules are ingested and converted into structured obligations and tasks
- Lineage across regulatory change: amendments, clarifications, and supersessions are linked so you can trace what changed and what it affects
- Obligation and control mapping: each regulation is mapped to the controls that satisfy it, giving you a single library rather than scattered spreadsheets
- Continuous monitoring and alerts: the Autonomous Compliance Module surfaces relevant changes and control gaps as they arise
- Audit readiness by design: evidence and change history are maintained throughout
The list of compliance regulations facing financial institutions keeps growing, and tracking it manually doesn't scale. The institutions that handle this well build their obligation set into a working system that maps each regulation to controls, monitors for change continuously, and keeps evidence audit-ready. That structured approach is what turns a daunting regulatory landscape into something manageable.
This article is a general reference, not legal advice. Confirm the specific regulations that apply to your institution with a qualified professional.
