Perspectives
IntroductionRegulation

The EU's new AML controls: what it means for your firm.

The AMLR, AMLD6 and the EU central registers all enter into force on the same day. A practitioner's view on the work that should already be under way.

By Everett MorganSummer 20268 min read
Frankfurt European financial district at dusk
Executive summary

Most firms I meet have heard of the AMLR. Fewer have sat down and mapped what it will actually require them to change before July 2027. That gap is narrowing fast.

Three things go live in July 2027: the Anti Money Laundering Regulation, the Sixth Anti Money Laundering Directive, and the EU's central beneficial ownership and bank account registers. Each creates a concrete obligation. Together, they represent the most significant structural change to EU financial crime compliance in a generation. This article sets out what changes, what it means for your firm, and why the firms that act now will be better placed than those waiting for final standards.

What is changing

A single rulebook

EU AML obligations were previously issued as Directives, requiring each member state to transpose them into national law. That transposition step introduced meaningful variation: different definitions, different thresholds, and different supervisory expectations depending on where a firm was based.

Some national implementations were stricter, others more permissive. Firms operating across borders maintained parallel controls and managed conflicting requirements. Consistent enforcement was structurally impossible when regulators did not work from the same baseline.

The AMLR removes those variations.

It takes the form of a Regulation, not a Directive, so it applies uniformly across all 27 member states without transposition or national interpretation. The text that applies in Frankfurt applies in Dublin, Madrid and Bucharest in exactly the same way. The strategy of finding the most permissive jurisdiction to operate from is no longer available.

The Anti Money Laundering Authority (AMLA)

AMLA matters to your firm whether you fall under its direct supervision or not.

AMLA becomes fully operational in 2028 and will directly supervise 40 of the EU's highest-risk financial institutions, selected on the basis of cross-border footprint and risk profile. The selection process starts in mid-2027. The number is fixed for the initial period, but the framework is designed to grow. Firms outside the initial scope should not read that as a permanent exemption.

AMLA holds binding powers over directly supervised entities and will coordinate national regulators and Financial Intelligence Units across the EU. The supervisory baseline rises for everyone, not only the 40 firms under direct oversight.

National regulators remain the principal supervisor for most firms, but they now operate within a framework AMLA sets and monitors. If I were sitting in your Board meeting and your firm is not in the initial 40, the question I would put is this: has your national regulator told you what it will now expect of you that it did not expect eighteen months ago? Most Boards I meet cannot answer that.

AMLA has been explicit about governance expectations. It expects genuine board-level oversight and independent challenge, and national regulators will apply the same standard. Governance that cannot demonstrate real engagement with financial crime risk, rather than simply reporting on it, needs to change before an inspector arrives.

For smaller firms outside direct AMLA scope, the commercial pressure may arrive before the regulatory one. Larger banks and payment partners are already raising the standards they expect from firms they work with. Access to banking infrastructure, payment networks and correspondent relationships now depends on demonstrable compliance with the new framework, not just the old one.

Beneficial ownership registers

EU-wide beneficial ownership and bank account registers go live in 2027. When they do, regulators can check your due diligence against independent data in real time.

Firms have relied for years on a straightforward defence: they asked the right questions, documented the answers, and had no reason to doubt the client. That defence becomes very difficult to run when the underlying data is independently accessible. Gaps between what a client told you and what the register shows become visible to a regulator immediately, and to you only when you are being asked about them.

Your systems need to connect to these registers before they go live. Your beneficial ownership verification methodology needs to be built around independent corroboration, not client declarations alone. I have found that this is one of the areas where firms most consistently overestimate the adequacy of their current approach. The question is not whether you asked, but whether you checked.

Crypto and payment transparency

The Transfer of Funds Regulation is already in force. The rules requiring full traceability for crypto assets and payment transactions are live now. If your institution handles crypto or payments and is not meeting ToFR standards today, it is already in breach, and July 2027 is a separate problem from the one already in front of you.

For CASPs, the regulatory direction has been consistent for several years. Firms that treated crypto asset compliance as something to monitor rather than act on are carrying a gap that only grows. The AMLR does not soften the ToFR requirements; it builds on them.

Timeline

  1. 2025

    The EBA's AML mandate transferred to AMLA on 31 December 2025. Before that handover, the EBA launched a public consultation in March 2025 on four draft Regulatory Technical Standards: risk profile assessment of obliged entities, selection criteria for direct AMLA supervision, customer due diligence requirements, and the framework for financial penalties and administrative sanctions. The EBA submitted its response to the European Commission's Call for Advice on 30 October 2025.

  2. 2026

    AMLA is consulting on most standards through the first half of 2026, with consultation periods closing by May. Firms can submit responses directly through the AMLA website, which remains the most practical way to track where requirements are heading before they are finalised. AMLA will submit its detailed rules, reporting standards and guidelines to the European Commission by 10 July 2026. The Commission is expected to adopt those standards before 10 July 2027, when the AMLR enters into force.

  3. July 2027

    Everything goes live: the AMLR, AMLD6, and the central beneficial ownership and bank account registers. Being compliant at that date means four things in practice: policies that reflect the new standards, systems that connect to the required infrastructure, staff trained against the new rules, and documentary evidence that a regulator can inspect on arrival.

  4. 2028

    AMLA takes on direct supervisory responsibility, and inspections will be more rigorous and consistent across the EU than anything firms have experienced under the previous regime. AMLA has been explicit that its inspection method is evidence-based. Inspectors will want to see that controls work in practice, not simply that they exist in a policy document.

What firms should do now

Waiting for final standards before acting is the mistake I see most often. The core obligations are already set out in the AMLR text with enough specificity to act on: CDD requirements, beneficial ownership verification standards, transaction monitoring governance. Starting the gap analysis in late 2026 leaves fewer than twelve months to fix what you find, procure what you need, and train the people responsible for delivery.

Three things need to be on your agenda now.

Gap analysis

A structured comparison between your current framework and what the AMLR requires, covering CDD standards, transaction monitoring governance, beneficial ownership verification methodology, SAR quality and decision-making, and your firm-wide risk assessment approach. I have found that firms consistently underestimate the gap in beneficial ownership verification, where client declarations have been treated as sufficient for too long.

Technology

Can your systems connect to the EU beneficial ownership and bank account registers? Can they handle real-time screening at volume? Can they produce audit-ready records without weeks of manual preparation? If the honest answer to any of these is uncertain, that uncertainty needs to be on the Board's agenda before the end of this year.

Governance

AMLA expects board-level oversight and independent challenge, and national regulators will apply the same standard. One pattern I see repeatedly: governance frameworks that look adequate on paper but cannot demonstrate that the Board has ever changed a decision on the basis of financial crime risk information. That is the test AMLA will apply.

The window is closing

The firms that are in good shape completed their gap analyses in 2025. They are upgrading systems now, building governance structures this year, and treating July 2027 as a fixed and non-negotiable point.

Other firms are waiting for final standards to be published, assuming their current practices are close enough, or planning to begin work in late 2026. Those firms will be managing a remediation programme under time pressure, with limited capacity to address what they find.

The core obligations are clear enough in the existing AMLR text to act on now. The firms that start first will have the time to fix what they find. The ones that start late will be presenting their gap analysis to a Board that is already asking why it was not done earlier.

If you want to understand where your framework stands today, I am happy to talk.

About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation