What is changing
A single rulebook
EU AML obligations were previously issued as Directives, requiring each member state to transpose them into national law. That transposition step introduced meaningful variation: different definitions, different thresholds, and different supervisory expectations depending on where a firm was based.
Some national implementations were stricter, others more permissive. Firms operating across borders maintained parallel controls and managed conflicting requirements. Consistent enforcement was structurally impossible when regulators did not work from the same baseline.
The AMLR removes those variations.
It takes the form of a Regulation, not a Directive, so it applies uniformly across all 27 member states without transposition or national interpretation. The text that applies in Frankfurt applies in Dublin, Madrid and Bucharest in exactly the same way. The strategy of finding the most permissive jurisdiction to operate from is no longer available.
The Anti Money Laundering Authority (AMLA)
AMLA matters to your firm whether you fall under its direct supervision or not.
AMLA becomes fully operational in 2028 and will directly supervise 40 of the EU's highest-risk financial institutions, selected on the basis of cross-border footprint and risk profile. The selection process starts in mid-2027. The number is fixed for the initial period, but the framework is designed to grow. Firms outside the initial scope should not read that as a permanent exemption.
AMLA holds binding powers over directly supervised entities and will coordinate national regulators and Financial Intelligence Units across the EU. The supervisory baseline rises for everyone, not only the 40 firms under direct oversight.
National regulators remain the principal supervisor for most firms, but they now operate within a framework AMLA sets and monitors. If I were sitting in your Board meeting and your firm is not in the initial 40, the question I would put is this: has your national regulator told you what it will now expect of you that it did not expect eighteen months ago? Most Boards I meet cannot answer that.
AMLA has been explicit about governance expectations. It expects genuine board-level oversight and independent challenge, and national regulators will apply the same standard. Governance that cannot demonstrate real engagement with financial crime risk, rather than simply reporting on it, needs to change before an inspector arrives.
For smaller firms outside direct AMLA scope, the commercial pressure may arrive before the regulatory one. Larger banks and payment partners are already raising the standards they expect from firms they work with. Access to banking infrastructure, payment networks and correspondent relationships now depends on demonstrable compliance with the new framework, not just the old one.
Beneficial ownership registers
EU-wide beneficial ownership and bank account registers go live in 2027. When they do, regulators can check your due diligence against independent data in real time.
Firms have relied for years on a straightforward defence: they asked the right questions, documented the answers, and had no reason to doubt the client. That defence becomes very difficult to run when the underlying data is independently accessible. Gaps between what a client told you and what the register shows become visible to a regulator immediately, and to you only when you are being asked about them.
Your systems need to connect to these registers before they go live. Your beneficial ownership verification methodology needs to be built around independent corroboration, not client declarations alone. I have found that this is one of the areas where firms most consistently overestimate the adequacy of their current approach. The question is not whether you asked, but whether you checked.
Crypto and payment transparency
The Transfer of Funds Regulation is already in force. The rules requiring full traceability for crypto assets and payment transactions are live now. If your institution handles crypto or payments and is not meeting ToFR standards today, it is already in breach, and July 2027 is a separate problem from the one already in front of you.
For CASPs, the regulatory direction has been consistent for several years. Firms that treated crypto asset compliance as something to monitor rather than act on are carrying a gap that only grows. The AMLR does not soften the ToFR requirements; it builds on them.
Timeline
- 2025
The EBA's AML mandate transferred to AMLA on 31 December 2025. Before that handover, the EBA launched a public consultation in March 2025 on four draft Regulatory Technical Standards: risk profile assessment of obliged entities, selection criteria for direct AMLA supervision, customer due diligence requirements, and the framework for financial penalties and administrative sanctions. The EBA submitted its response to the European Commission's Call for Advice on 30 October 2025.
- 2026
AMLA is consulting on most standards through the first half of 2026, with consultation periods closing by May. Firms can submit responses directly through the AMLA website, which remains the most practical way to track where requirements are heading before they are finalised. AMLA will submit its detailed rules, reporting standards and guidelines to the European Commission by 10 July 2026. The Commission is expected to adopt those standards before 10 July 2027, when the AMLR enters into force.
- July 2027
Everything goes live: the AMLR, AMLD6, and the central beneficial ownership and bank account registers. Being compliant at that date means four things in practice: policies that reflect the new standards, systems that connect to the required infrastructure, staff trained against the new rules, and documentary evidence that a regulator can inspect on arrival.
- 2028
AMLA takes on direct supervisory responsibility, and inspections will be more rigorous and consistent across the EU than anything firms have experienced under the previous regime. AMLA has been explicit that its inspection method is evidence-based. Inspectors will want to see that controls work in practice, not simply that they exist in a policy document.
What firms should do now
Waiting for final standards before acting is the mistake I see most often. The core obligations are already set out in the AMLR text with enough specificity to act on: CDD requirements, beneficial ownership verification standards, transaction monitoring governance. Starting the gap analysis in late 2026 leaves fewer than twelve months to fix what you find, procure what you need, and train the people responsible for delivery.
Three things need to be on your agenda now.
A structured comparison between your current framework and what the AMLR requires, covering CDD standards, transaction monitoring governance, beneficial ownership verification methodology, SAR quality and decision-making, and your firm-wide risk assessment approach. I have found that firms consistently underestimate the gap in beneficial ownership verification, where client declarations have been treated as sufficient for too long.
Can your systems connect to the EU beneficial ownership and bank account registers? Can they handle real-time screening at volume? Can they produce audit-ready records without weeks of manual preparation? If the honest answer to any of these is uncertain, that uncertainty needs to be on the Board's agenda before the end of this year.
AMLA expects board-level oversight and independent challenge, and national regulators will apply the same standard. One pattern I see repeatedly: governance frameworks that look adequate on paper but cannot demonstrate that the Board has ever changed a decision on the basis of financial crime risk information. That is the test AMLA will apply.
The window is closing
The firms that are in good shape completed their gap analyses in 2025. They are upgrading systems now, building governance structures this year, and treating July 2027 as a fixed and non-negotiable point.
Other firms are waiting for final standards to be published, assuming their current practices are close enough, or planning to begin work in late 2026. Those firms will be managing a remediation programme under time pressure, with limited capacity to address what they find.
The core obligations are clear enough in the existing AMLR text to act on now. The firms that start first will have the time to fix what they find. The ones that start late will be presenting their gap analysis to a Board that is already asking why it was not done earlier.
If you want to understand where your framework stands today, I am happy to talk.



