If you run AML compliance in a financial institution operating in the EU, July 2027

needs to be at the top of your priorities. That is when the EU's Anti-Money

Laundering Regulation (AMLR), the Sixth Anti-Money Laundering Directive, and the

EU's central beneficial ownership and bank account registers all go live. This article

sets out what is changing, why it matters, and what your compliance team needs to be

doing right now.

What Is Changing

A Single Rulebook

Previously, EU AML obligations were set out in Directives. Each member state had to

transpose those Directives into national law. That step introduced variation, resulting

in different definitions, thresholds, and supervisory expectations. Some national

implementations were stricter. Some were more permissive. For firms operating

across borders, that meant maintaining parallel compliance frameworks and

navigating conflicting requirements. The standard applied to your firm depended

heavily on where you were supervised. Regulators across the EU were not working

from the same baseline, making consistent enforcement impossible.

The AMLR removes those variations. It takes the form of a Regulation, not a Directive, so it applies uniformly across all 27 member states. No transposition subject to national interpretation. The text that applies in Frankfurt applies in Dublin, Madrid, and Bucharest in exactly the same way. Finding the easiest jurisdiction to operate in is no longer an option.

Your current compliance framework needs to be benchmarked against the AMLR text

itself, not against the national rules your policies were built around. Where those

national implementations fell short of what the Regulation now requires, the gap is

yours to close.

The Anti-Money Laundering Authority (AMLA)

AMLA matters to your firm whether or not you fall under its direct supervision. It will

become fully operational in 2028 and will directly supervise 40 of the EU's highest-

risk financial institutions, based on cross-border footprint and risk profile. The

selection process starts in mid-2027. That number is fixed for now, but the framework

is designed to grow. Firms outside the initial scope should not treat that as a

permanent position.

Additonally, AMLA will hold binding powers over directly supervised entities and will

coordinate and oversee national regulators and Financial Intelligence Units across the

EU. Supervision will be more consistent across member states than anything firms

have experienced under the previous regime.

National regulators will remain the principal supervisor for the vast majority of firms,

but they will be operating within a framework that AMLA sets and monitors. AMLA

has been explicit that it expects board-level oversight and independent challenge from

the firms it supervises, and national regulators will be applying the same standard. If

your governance structure cannot demonstrate that today, it needs to change.

For smaller firms outside AMLA's direct scope, supervision is unlikely to change

immediately. The more pressing issue is commercial. Larger banks and payment

partners are already raising the standards they expect from the firms they work with,

and access to banking infrastructure, payment networks, and partnerships will

depend on demonstrable compliance with the new framework.

Beneficial Ownership Registers

EU-wide beneficial ownership and bank account registers go live in 2027. When they

do, regulators will be able to check your due diligence in real time. The defence firms

have historically relied on, that they asked the right questions, documented the

answers, and had no reason to doubt the client, becomes much harder to run when the

underlying data is independently accessible. Gaps between what a client told you and

what the register shows will be visible immediately.

Your systems need to connect to these registers before they go live, and your beneficial

ownership verification methodology needs to be built around independent

corroboration. Client declarations alone will not be sufficient. Firms unable to

demonstrate independent verification will find it very difficult to defend their due

diligence to a regulator who has access to the data in real time.

Crypto and Payment Transparency: Already in Effect

The Transfer of Funds Regulation is already in force. The rules requiring full

traceability for crypto-assets and payment transactions are live now, not something

firms are working toward. If your institution handles either and is not meeting ToFR

standards today, your firm is already afoul of the rules.

For CASPs, the regulatory direction has been consistent for several years. Firms that

treated crypto-asset regulation as something to monitor rather than act on are now

operating with a real gap to close.

Timeline

2025

The EBA's AML mandate transferred to AMLA on 31 December 2025. Before that

transfer, the EBA launched a public consultation in March 2025 on four draft

Regulatory Technical Standards: risk profile assessment of obliged entities, selection

criteria for direct AMLA supervision, customer due diligence requirements, and

financial penalties and administrative sanctions. The EBA submitted its response to

the European Commission's Call for Advice on 30 October 2025.

2026: The Position Now

AMLA is consulting on most standards through the first half of 2026, with

consultation periods closing by May 2026. Firms can submit responses to open

consultations directly via the AMLA website, and doing so is a practical way to track

where standards are heading before they are finalised. AMLA will then submit its

detailed rules, reporting standards, and guidelines to the European Commission by 10

July 2026, and the Commission is expected to adopt and endorse those standards

before 10 July 2027, when the AMLR enters into force.

Waiting for final standards before acting is a mistake. The core obligations are already

in the AMLR text. CDD requirements, beneficial ownership verification standards,

and transaction monitoring governance are set out in enough detail to act on now.

Waiting for final standards before starting a gap analysis leaves less than 12 months to

fix what you find.

Three things need to be on your agenda now.

Gap analysis. A structured comparison between your current framework and what the

AMLR requires, covering CDD standards, transaction monitoring governance,

beneficial ownership verification methodology, suspicious activity report quality and

decision-making, and your risk assessment approach.

Technology. Can your systems connect to the EU beneficial ownership and bank

account registers? Can they handle real-time screening at volume? Can they produce

audit-ready records without weeks of manual work?

Governance. AMLA expects board-level oversight and independent challenge. If your

current governance structure cannot demonstrate that, it needs to change before an

inspector asks about it.

July 2027

Everything goes live: the AMLR, AMLD6, and the central registers. Being compliant at

that point means policies that reflect the new standards, systems that connect to the

required infrastructure, trained staff, and documentary evidence to show a regulator.

2028

AMLA will take on direct supervisory responsibility, and inspections will become

more rigorous and consistent across the EU. AMLA has signalled that its inspection

method will be evidence-based, so inspectors will want to see that controls work in

practice, not just that they exist in policy.

The Window Is Closing

The firms that are ahead completed their gap analyses in 2025. They are upgrading

their technology now, building governance frameworks this year, and treating July

2027 as a fixed point.

The firms waiting for final standards, assuming their current practices are close

enough, or planning to act in late 2026 will be racing against the clock with very little

room for error. The core obligations are clear enough to act on now. The firms that

move first will have the time to fix what they find.

If you want to understand where your framework stands today, I am happy to talk.

Everett Morgan | Independent Financial Crime Advisory |morgan@claritasrisk.com

| Former VP, Anti-Financial Crime, Deutsche Bank | ICA Dip(AML) | Dip(FinCrime)

| 20 years Tier 1 bank AML experience