Executive Summary
May 26: The FCDO designated 18 crypto entities as part of the Kremlin-backed A7 network, including Huobi Global S.A. (HTX), EXMO, Rapira, Bitpapa, Aifory, and Nueva Cryptologia. The network processed an estimated $90 billion in 2025.
May 28: The FCA published its sanctions systems and controls review covering 150-plus firms. The sequencing was deliberate. The review is the audit template for what comes next.
The gap: Adding the names to your screening list is the floor, not the ceiling. A7's routing methodology was specifically designed to operate through entities not yet named. Name-screening alone does not catch it.
This week: At a live working session with government agencies, crime-fighting organisations, and major banks, we ran a bank's own transaction data against known A7-connected intermediaries. The bank's assessment was that the dataset had no crypto exposure. What we found was not just crypto exposure. The bank was actively being used as part of the A7 routing structure without knowing it.
The deadline: EU AI Act high-risk obligations apply from 2 August 2026. AMLA directly applicable from 10 July 2027. OFAC, EU, VARA, ADGM, and Asia Pacific regulators will follow the FCDO in sequence. The look-back window to complete before any of them acts is now.
The A7 Network: What Was Sanctioned and Why It Matters Beyond the Names.
The FCDO's May 26 package was broader than a list of exchange names. The designation described a functioning payments and procurement network built to route funds outside Western sanctions architecture. The UK's public assessment: A7 processed an estimated $90 billion in 2025, financing military procurement and routing proceeds from Russian oil sales.
The named entities span three jurisdictions already on most internal risk registers: Kyrgyzstan (Eurasian Savings Bank), the UAE (Bitpapa IC FZC LLC), and Mexico (Nueva Cryptologia). These wrapper structures had been the private assessment of investigators for 18 months. The FCDO list made that assessment public. Public assessments carry a different burden. They change what a compliance officer can claim they did not know.
The UK stated that one exchange in the cluster channelled over USD 1.5 billion back into Kremlin-linked hands. Not an allegation in a court filing. A formal government designation. The designation also bars UK firms from processing payments or maintaining correspondent banking ties with the named entities, widening the effect from "block the named account" to "screen every service relationship that touches the named cluster."
HTX has publicly claimed that the sanctioned entity, Huobi Global S.A., is legally distinct from the HTX exchange. The February 2026 legal record says otherwise: in a filing dated February 2, 2026, Huobi Global S.A. described itself as the entity that "owns and operates HTX" and developed the Huobi Eco Chain. Huobi Global S.A. also holds the HTX trademark in the United States.
This is the FCA's "complex ownership chain" failure reproduced in real time, by the sanctioned entity itself, in a court document.
On June 2, the UK updated its sanctions FAQ with additional operational clarification on the Huobi Global S.A. designation. The UK is not treating this as a closed designation. It is actively defining its scope.
What the FCA Review Actually Said.
£37 billion in assets frozen in the UK as of last year. The FCA reviewed more than 150 firms over three years and found recurring structural failures at the controls level. Not one-off human errors. Structural failures.
The identified root causes map precisely onto crypto-adjacent compliance:
Weaknesses in due diligence. KYC completed at onboarding, file treated as closed. The counterparty you onboarded in 2022 does not have the same risk profile today.
Alert management failures. The system fired. The investigation did not go far enough, or the alert was suppressed before it reached a decision-maker.
Transaction and name screening gaps. High volumes, asynchronous screening, match logic not updated to reflect new entity typologies.
Frozen asset handling. The asset was frozen. The downstream relationship was not. The firm continued processing adjacent transactions.
Licence compliance gaps. OFSI licences obtained for specific transactions, applied more broadly.
The FCA's high-risk exposure indicators: transfers shortly after designation, complex ownership chains, intermediaries, cryptoasset or e-money wallets, cash movement to high-risk jurisdictions, false or incomplete trade documentation. Read that list and then read the A7 network description again. Every item appears somewhere in A7's documented methodology. The indicators are empirical.
One additional detail on sequencing: the FCA commenced legal proceedings against Huobi Global S.A. in the Chancery Division of the High Court in October 2025, months before the May 26 sanctions. The High Court granted permission to serve proceedings out of jurisdiction in February 2026.
The FCDO designation was not the first move. It was the next phase after legal action was already underway. Firms that treated the May 26 list as the opening of this story missed the first chapter.
The Counterparty You Did Not Know You Had.
A firm can have zero direct transactions with Huobi Global S.A. and still have material exposure. The FCA is explicit: third parties, intermediaries, correspondent banks, and cryptoasset wallets are all vectors.
OTC desks and shared counterparties. If your market-maker has Huobi relationships in their counterparty stack, your settlement exposure traces back through their books.
Payment processors and fiat rails. A7's methodology included routing through Georgian and Kyrgyz banking structures. If your payment processor used correspondent relationships that touched those structures, the fiat pathway is the exposure vector.
Custody and wallet attribution. If your custody infrastructure has interaction history with wallet clusters associated with the named entities, the question is whether you can reconstruct that history on demand.
UAE and LatAm wrappers now confirmed as A7 routing structures. Firms that transacted with entities in these geographies with A7 ownership chains need to trace backward to the point of relationship establishment and document what they knew, when, and what they did.
The minimum compliance response: a 24-month look-back across all direct and indirect counterparty activity, covering on-chain transfers, off-chain payment flows, settlement instructions, fiat rails, UBO chains, and internal referrals. For anything linked, the file needs the screening result, investigator decision, rationale, and remediation action.
That is not an aspirational standard. That is the minimum that holds up.
The Methodology Problem: Why Knowing the Name Is Not Enough.
The A7 network's operational advantage is not that its entities are unknown. It is that its routing nodes are unnamed until after the routing is complete. The Kyrgyz bank, the UAE wrapper, the Mexican entity were operationally useful precisely because they were not yet on a designations list. The FCDO naming them now is retrospective validation. The network reconstitutes.
Name-based screening is necessary. It is not sufficient.
This is not theoretical. Richard Sanders, one of the analysts whose foundational attribution work made the May 26 designations possible, documented this week that Huobi has been cycling its hot wallets daily. The wallets last less than 24 hours in some cases. The cycling is deliberate: a wallet that turns over faster than a labelling provider can update its database generates transactions that clear screening tools as clean. The second layer of the problem: Tether will not freeze wallets linked to these entities without being compelled to do so by legal process. A court order in a 24-hour window is not a realistic instrument. The network does not need the labels to be wrong. It only needs them to be slow.
The FCA review's emphasis on complex ownership chains, intermediaries, and wallet clusters is a description of typological exposure: the risk that emerges from how money moves, not only from who it belongs to.
The architecture that closes this gap is Transaction Foundation Models, the three-layer framework we have been developing with institutional clients. A foundation model trained on a bank's own transaction history learns the behavioral patterns of money movement: how value accelerates through intermediary nodes, how layering creates temporal signatures, how geographic routing through specific jurisdictions correlates with specific risk typologies. The A7 network would generate detectable behavioral signatures long before any entity in its routing chain appeared on a designations list.
That layer does not exist as a plug-and-play product today. It is an architecture being assembled from established AI components in a specific sequence, with the regulatory explainability layer built in from the start rather than retrofitted. The institutions that begin that build now are the ones whose systems will survive the August 2026 and July 2027 regulatory deadlines.
Published production results from comparable deployments: 130 per cent improvement in fraud recall at Revolut. Fraud detection on card-testing attacks moving from 59 per cent to 97 per cent at Stripe. Pattern-based detection finds what name-based screening misses.
What Happened When We Ran the Test Live.
This week, Cointegrity participated in a working session with government agencies, private-sector crime-fighting and compliance organisations, and several major banks. One of the banks provided a sample transaction dataset. The operating assumption in the room: no crypto exposure in the data. The bank's own assessment was that it was clean for known crypto counterparties.
We ran the dataset against the A7-connected intermediary network: the known wrapper structures, the confirmed routing entities, the documented counterparty cluster from the designations and the typology work that preceded them.
The results did not confirm the hypothesis.
The dataset contained material crypto exposure running through known A7-linked intermediaries. Not direct transactions with named entities. The bank was not a passive bystander with incidental crypto connections. It was actively being used as part of the A7 routing structure, through intermediaries sitting inside its existing counterparty relationships, without any flag in its own systems.
The banks present had not been expecting that result. Several had been operating on the assumption that clean name-screening meant clean data.
That assumption did not survive the demonstration.
This is the gap the FCA review describes structurally. A bank with no flagged direct exposure, a compliance team that believed it had full visibility, and a set of connections that intermediary-level matching found in their own data, in a live setting, in front of the people responsible for the controls that missed it.
The full architecture, behavioral pattern detection against A7-style routing typology rather than intermediary name-matching, is the next layer. The three-step Transaction Foundation Models framework is the road map for how institutions get there. What the demonstration showed is that even the intermediary matching step, which requires no new AI infrastructure, already finds what name-screening alone does not.
Detection Is Not Defensibility.
The FCA's root cause list includes alert management failures specifically. Not systems that failed to detect. Systems where the alert fired, the investigation was conducted, and the record is inadequate.
The system worked. The documentation did not. In an enforcement action, those two outcomes are not distinguishable.
The EU AI Act's high-risk obligations take effect on 2 August 2026. AML risk profiling is classified as high-risk under Annex III. A system without a decision tracing layer cannot meet the explainability requirement. It cannot be deployed for high-stakes decisions from August onward. That is the text of the regulation.
The decision tracing layer, the third layer of the architecture, does not make the detection decision. It explains it: in terms a compliance officer can read, a regulator can audit, and a court can challenge. When an AML alert fires, it surfaces the network-level reasoning rather than a score no one can interrogate. When a counterparty is cleared, it records the basis.
This Is Not a UK Story. The Sequencing Is Global.
The FCDO acted first. Every major sanctions jurisdiction that has moved in lockstep with UK designations since February 2022 now has the same predicate on its desk. That list includes OFAC, the EU framework under Council Regulation (EU) 833/2014, VARA, ADGM, Japan's FSA, the MAS, and Hong Kong's SFC.
The A7 network's confirmed geography runs through all of their jurisdictions. The UAE is not a passive observer: Bitpapa IC FZC LLC is a UAE-incorporated entity, and VARA and ADGM have consistently moved against designations that threaten the UAE's regulatory positioning. The EU has AMLA arriving on 10 July 2027 with explicit scrutiny of opaque transaction monitoring systems, and AMLA's direct enforcement powers now cover CASP licence holders under MiCA, meaning an exchange or custody provider with A7 exposure faces AMLA enforcement directly, not via national NCAs alone. OFAC has the flow figure, the exchange brand, and the coordination history to act.
The question is not whether these regulators follow. It is which one your next supervisory examination comes from.
The 24-month look-back is the same exercise regardless of which jurisdiction asks for it first. Do it once, document it properly, and it is defensible everywhere.
The MoU Nobody Has Priced.
One line in the May 28 FCA review received almost no coverage: the FCA signed a new Memorandum of Understanding with OTSI (the Office of Trade Sanctions Implementation) on intelligence sharing. OTSI became operational in October 2024.
The practical implication: a compliance failure surfacing in FCA supervision can now be cross-referenced against OTSI's trade sanctions data. Firms treating financial and trade sanctions compliance as separate tracks should now treat them as a shared evidence base. The A7 network's documented activity includes both financial flows and procurement support. The MoU means both regulators are working from the same dataset.
The Operational To-Do List.
The FCA review is a findings document. Findings documents with this specificity are, in effect, audit templates for what the next examination will cover. Here is what that audit will look for.
- Look-back scope. 24 months, all counterparties connected to named entities or confirmed associated structures. On-chain and off-chain.
- Alert quality review. Not just whether alerts fired. Whether investigations are adequately documented and the reasoning is recoverable.
- Correspondent banking and payment processor audit. Map fiat rails to upstream correspondent relationships. Identify any that touched Georgian, Kyrgyz, or Emirati banking structures in the A7 cluster.
- Wallet attribution. Establish whether wallet cluster attribution can be reconstructed independently of a single vendor.
- UBO chain refresh. If UBO records for counterparties in the A7 geographic cluster were last updated before May 26, they need refreshing.
- Licence compliance documentation. Any OFSI, EU, ADGM, or VARA licence or supervisory exemption obtained during the look-back period reviewed for scope and documented as applied.
The A7 and A7A5 entity typology, wallet cluster identification methodology, and confirmed LatAm and Gulf wrapper structures are documented in the glossary at cointegrity.io. That reference was built before the FCDO designations confirmed what the typology assessment had already mapped.
Two Types of Banks.
The first type has added the 18 names to its screening list, sent a note to the board, and is moving on. The compliance team did the correct thing. The box is checked. Someone is feeling reasonably satisfied.
The second type looked at the A7 network's documented methodology, understood that the routing structures worked precisely because they were not yet named, and started asking a different question: what does this modus look like in our transaction data before the next designations list drops. That question leads to a different architecture. Not name-screening with a longer list. Behavioral pattern detection against the typology, decision tracing that makes every result auditable, and a control layer that finds the exposure while there is still time to remediate rather than explain.
The second type is who we work with. If that is your institution, the architecture is at cointegrity.io and the team is reachable.
To the first type: good luck with the next supervisory review. Whichever jurisdiction gets there first.
The Work Behind the Headlines.
Designations like this do not emerge from a government database. They are built on years of wallet labeling, on-chain tracing, and investigative work done by a small number of analysts who were doing it before it was institutionally fashionable. Richard Sanders, ChainArgos, Chainalysis, and others whose names never appear in a press release contributed foundational attribution work that makes enforcement actions like May 26 possible. That work deserves acknowledgment.
The ChainArgos case study on TRM Labs' Iran analysis, published September 2025, is also worth reading alongside this piece. Its central argument maps directly onto the A7 problem: measuring only the largest known node and calling it the ecosystem is confirmation bias. Smaller entities grow unobserved in the gap. The Iranian crypto market is not declining. It is decentralising. That pattern, an ecosystem under pressure fragmenting into harder-to-hit smaller targets, is the A7 playbook as well.
The infrastructure layer gets built by people doing unglamorous work. This piece stands on their shoulders.
The Crypto Circuit is a weekly intelligence briefing from Cointegrity. This deep-dive special was published separately from the regular weekly issue.
Torstein, Cointegrity | June 2026
Related internal resources: A7 Network, Huobi, Sanctions Screening, AML.