The director and AML liability: personal risks in 2026

I founded COREDO when it became clear: global expansion of companies is not constrained by the speed of registration or the cost of a license, but by management’s ability to manage AML and sanctions-compliance risks systematically and demonstrably. Over ten years the COREDO team has completed dozens of projects in the EU, the UK, Singapore and Dubai, helping clients register legal entities, obtain financial licenses (crypto, forex, payment services, fintech) and build viable AML programs. In this article I have compiled the practical experience and tools I use myself and that we implement for clients. It will address the personal liability of a director, the requirements for 2026, and how to turn compliance into a strategic advantage rather than a set of punitive risks.

Why the director is in the crosshairs

The director is not only the “tone from the top”, but also the primary recipient of claims from regulators and banks. A director’s AML liability has ceased to be an abstraction: in EU and UK practice the approach of corporate and personal accountability is actively applied, combining corporate liability for money laundering with the director’s criminal and civil liability. Courts increasingly apply the doctrine of piercing the corporate veil when they see personal involvement or negligence of management, as well as ineffective internal controls.

Fiduciary duties and the standard of care for directors imply duty of care and duty of loyalty: a director must reasonably organize the AML internal control system, provide resources, appoint a qualified MLRO/AML officer and document oversight. Delegation of AML functions reduces the operational burden, but does not remove residual responsibility. Our experience at COREDO has shown: it is timely oversight by the board of directors and the reporting line, supported by minutes and metrics, that becomes key exculpatory evidence when claims arise.

Frameworks 2020–2026: what is changing

Between 2020 and 2026 regulators accelerated the “compliance revolution.” AMLD5 strengthened beneficial ownership registers, expanded requirements for VASP/virtual asset service providers and enhanced EDD for high-risk jurisdictions. AMLD6 (EU Sixth Anti-Money Laundering Directive) established corporate liability, expanded the list of predicate offences and introduced liability for aiding and abetting and incitement. At the same time, FATF recommendations for management and national practices of FIU, FCA, EBA, MAS and HKMA came into effect, strengthening the emphasis on a risk-based approach (RBA) and the role of the director.

The “European AML directive 2026” is not a single document but a final configuration: a single AML rule (AMLR), the institutionalization of supranational supervision and clarification of management’s responsibilities. In 2026 companies operate in an environment where directors are expected to provide active oversight, set a risk appetite, approve threshold indicators and demonstrate the effectiveness of monitoring systems. COREDO’s practice confirms: regulators and banks check not only the existence of policies but also their implementation, KYC/KYB data, the speed of investigations and the quality of SARs.

At the same time the overlap between AML and privacy is growing: GDPR and AML data sharing require lawful bases, transparent notices and a well-considered data retention policy. These are supported by data minimization, the appointment of a DPO and clear retention periods that align with AML data retention requirements.

The director’s role in AML policy

The director is responsible for the full viability of the AML policy, not its PDF version. This includes setting the risk appetite, appointing and overseeing the MLRO, approving RBA matrices, transaction monitoring protocols for management and an independent channel for hotlines and internal reporting of breaches. The COREDO team builds reporting lines so that the MLRO has direct access to the board and can escalate incidents without delays.

A separate topic is UBO disclosure and the director’s responsibility. In complex holding structures (including offshore links) the director must ensure transparency, verify beneficial owners and record in the minutes the grounds for relying on counterparties’ documentation. Otherwise the risks of criminal liability for AML increase, especially in schemes to conceal beneficiaries and in nominee arrangements, where the risks for nominee directors are many times higher.

Delegating CSP without losing control

Many companies rely on corporate service providers (CSPs) and external corporate services. This is rational but requires governance: SLAs with KPIs for KYC/KYB, checks of the provider’s compliance culture, regular audits and an incident playbook. The responsibility of corporate service providers does not replace the director’s personal responsibility, so contracts include disclaimers of liability and indemnification, but the director documents oversight and effectiveness testing.

How a director can reduce AML risks by 2026

I assemble a five-layer program: counterparties, transactions, sanctions/PEP, investigations and evidentiary base. This structure provides a quick overview for the board and a clear architecture for auditors.

Onboarding: KYC, KYB and EDD as a pipeline

  • KYC customer screening for companies and KYB for corporate counterparties are built on risk stratification: jurisdiction, industry, product, channels. Enhanced due diligence (EDD) obligations are activated by red flags: complex trusts, politically exposed persons (PEP), links to high-risk countries, and cross-border transactions with atypical transaction economics.
  • Sanctions compliance and the director’s personal risks require sanctions screening across multiple sanctions lists, PEP checks and conflict-of-interest management. To reduce false positives through data enrichment we connect external data and transaction context, which increases scoring accuracy.

Transaction monitoring and alerts

  • Real-time transaction analytics and alerts are important, but their value is determined by the process: a closed loop from detection to investigation and SAR. The COREDO team implements a risk-based approach (RBA) in rules, configures threshold indicators and key AML metrics: investigation speed, FP rate, SAR rate and the share of cases with confirmed economic substance.
  • For digital assets, AML requirements for directors include blockchain analytics and transfer tracing, accounting for the travel rule for virtual asset providers and risk management of crypto conversion services. AML specifics in DeFi and smart contracts require scenarios for self-hosted wallets, mixer risks and chains with bridges.

Documentation as protection for the director

  • A director’s evidence of good faith (exculpatory evidence) is built on keeping compliance logs and proofs of good faith: board minutes, MLRO reports, a refusal-to-serve log, EDD checklists and the rationale for decisions on non-standard cases.
  • The SAR filing process and MLRO duties are important not only legally but also reputationally. The director ensures resources for timely reporting of suspicious activities (SAR), as well as legal privilege and information sharing during investigations through agreed channels with external lawyers.

Incident management and investigations

  • A playbook for internal AML investigations includes triggers, team composition, timelines, evidence retention rules and a communication plan with banks and the FIU. Incident management for suspicious activities should complement, not replace, the SAR process.
  • Remediation programs and appointing an independent monitor can be mitigating factors. COREDO’s practice confirms: a transparent remediation roadmap and checkpoints at 30/60/90 days help reduce regulatory risks.

Training for staff resilience

  • A director’s AML duties in 2026 include personal training: training programs for top management and proof of AML training are recorded in HR systems and board minutes. This is critical as evidence in an AML investigation against the director.
  • D&O insurance and AML risk coverage reduce financial consequences, but it’s important to understand exclusions in the D&O policy for AML breaches. I recommend an annual gap analysis: what is covered, what is excluded, and what limits are needed for cross-border claims.

Cooperation with banks and regulators

Interaction with regulators and investigations is an area where the director sets the tone. Regulators (EBA, FIU, FCA, MAS, HKMA) expect a mature dialogue: a clear reporting structure, readiness for thematic reviews and regulator inspections, and documented risk governance. In cross-border cases mutual legal assistance and international cooperation come into play, which requires consistency of data and a coherent legal strategy.

Interaction with banks and the director’s role in KYC processes go beyond the onboarding package. Correspondent banking and enhanced monitoring require advance preparation: a description of the business model, sources of funds, sanctions policy and an SAR playbook. The solution developed at COREDO includes a “dossier for the bank” with compliance metrics, which reduces the number of follow-up queries and speeds up onboarding at international banks.

AML Economics: CAPEX vs OPEX ROI Metrics

A strong compliance program pays off if you measure it. The choice between CAPEX and OPEX when implementing AML systems should rely on TCO and clear KPIs: reduction of FP rate, speed of escalations, conversion of alerts into SARs and time to close investigations. The technology stack for an AML office (monitoring and screening) includes sanctions and PEP lists, case management, graph-based link searches, blockchain analytics and BI.

Cost optimization of an AML program for holdings is achieved through centers of competence, unified standards and local adaptations. Regulatory sandboxes for crypto companies (for example, in Singapore or certain EU jurisdictions) help test monitoring without the risk of a “production outage”. At COREDO we built pilots where reductions in false positives reached double-digit percentages thanks to data enrichment and dynamic thresholds.

COREDO case studies: licenses, registration, AML

  • EU and payment services. The COREDO team supported company registrations and obtaining EMI/PI licenses in the EU, building a sanctions screening policy, EDD protocols for high-risk clients and board oversight through quarterly MLRO reports. The correspondent bank approved the account after presentation of the “director’s dossier” with exculpatory documentation.
  • Forex and investment services in Cyprus. For a multi-jurisdictional group we implemented AML procedures for holding structures, developed a risk appetite with threshold indicators, conducted an AML audit and formalized management’s responsibilities as an annual calendar. As a result, the company passed the regulator’s thematic review without sanctions.
  • Crypto and digital assets in Estonia, the UK and Dubai. Our experience at COREDO showed that the travel rule and blockchain tracing require leadership attention. We built monitoring protocols, implemented a hot/cold wallets policy, addressed risks of crypto conversion services and established cooperation with the FIU on SARs. In Dubai the project was based on the local regulator’s requirements and international FATF standards.
  • Asia and payment licenses. In Singapore the project included third-party risk management and vendor management, the intersection of GDPR-like rules with AML, as well as interaction with banks on KYC. The client obtained a license, and the board received clear performance metrics.

In all cases we took into account risk-based due diligence in M&A and the risk of personal liability, especially when acquiring portfolios inherited from regulated entities. In two projects the board approved defensive strategies: exculpatory documentation and protocols for closing historical “tails”.

Board risk management

Compliance culture and board accountability are evident in three situations: during scaling, in a liquidity crisis, and when winding down the company’s operations, with the attendant risks to former directors. In the wind-down phase the director documents client exits, notifications to regulators, data retention and the end of monitoring; otherwise civil-law sanctions and disqualification from managing a company are possible.

In cross-border transactions the risks of facilitation and the commission of crimes through corporate channels increase, especially in correspondent payments and agency schemes. I recommend limitation-of-liability and indemnification clauses in agreements with partners, but always with confirmed oversight. Where there are sanctions or secondary sanctions, the director personally assesses the risk of refusing to proceed with the transaction.

Transfer and Transitional Provisions 2026

The requirements that the 2026 “compliance revolution” places on executives strengthen the director’s role in demonstrable risk management. The transfer and transitional provisions of the AML reforms provide adaptation periods, but regulators expect interim results: system pilots, training, initial metrics. At COREDO we prepare clients in advance for thematic inspections: forensic accounting expertise in investigations, asset confiscation and recovery, as well as international legal assistance require a coordinated strategy and a playbook for internal AML investigations.

Director’s daily plan: concrete steps

  1. Week 1–2: update the risk map, approve the risk appetite and AML threshold indicators. Re-check UBO disclosures and beneficiary registers, close documentation gaps.
  2. Week 3–4: conduct a sanctions screening stress test, review PEP and EDD protocols for high-risk clients. Approve onboarding workflows and red-flag indicators.
  3. Week 5–6: launch an audit of transaction monitoring, evaluate real-time alerts, implement reduction of false positives through data enrichment. Configure key AML metrics and board reports.
  4. Week 7–8: conduct training for the board, MLRO and senior executives; record evidence of training. Update the D&O policy and verify exclusions related to AML violations.
  5. Week 9–10: sign SLAs with the CSP and critical vendors, strengthen supplier risk management and the board’s accountability. Re-check the SAR filing process and legal privilege.
  6. Week 11–12: conduct a thematic review of readiness for a regulatory visit, prepare exculpatory evidence: minutes, reports, decision log, remediation plan.

What the director gets: managed risk

When a director runs the program as described above, they don’t get “tick-boxes” but protection: evidence of due diligence, clear control over residual risks, and stable relationships with banks. At COREDO we measure compliance ROI not in words but in numbers: investigation speed increases, the share of false positives decreases, SARs are filed on time, and onboarding at banks is faster.

The solution developed by COREDO combines strategies for the EU, the UK, Singapore, Dubai and CIS countries. We take into account FATF recommendations and their implementation, AMLD5/AMLD6 requirements, the specifics of licenses (crypto, forex, payment services), as well as the reality of cross-border operations. This approach builds trust and gives management the freedom to act.

Conclusions

I believe in compliance as a growth strategy. A director who invests in AML governance gains a sustainable business model and demonstrable integrity. The COREDO team helps to move from policy on paper to a living system: from company registration and obtaining financial licenses to building AML procedures for holding structures, digital assets and complex cross-border models.

If you are preparing your business for the 2026 requirements, start with manageable steps: risk appetite, board oversight, monitoring technologies, documented SAR practice and management training. COREDO’s practice confirms: this order of actions reduces directors’ personal AML-related risks and strengthens the company’s position in the international market.
