
      On May 30, 2024, the European Union adopted a far-reaching reform of the regulations for preventing money laundering and terrorist financing. The new requirements will apply as of July 10, 2027.

      With less than two years of the transition period remaining, it is time to take stock of what has been achieved to date and look ahead to what is yet to come.

      Niclas-Andreas Mueller

      Director, KPMG AMLA Office

      KPMG in Ireland


      The new AML/CFT regulatory landscape

      The regulatory landscape for anti-money laundering (AML) and countering the financing of terrorism (CFT) is currently undergoing its most significant change since the enactment of the First AML Directive in 1990. In the past, EU legislation was based on directives, which required transposition and resulted in a mosaic of (partially) diverging national legislation across the 27 Member States.

      With the enactment of the AML Regulation, the European Union has committed to harmonising legal requirements by submitting obliged entities to a Single European Rulebook. As a result of this ambition, the EU regulatory landscape is becoming more comprehensive and complex.

      Besides three regulations and a directive (collectively referred to as level 1 regulations), almost 40 standards and guidelines will be issued in the next four years. This puts obliged entities into a challenging position. To ensure that they comply with the new requirements, they must start their preparations now – particularly where changes to IT systems and data models are involved.

      However, the ongoing detailing of the rulebook means that they need to retain flexibility to adjust to the evolving requirements. Institutions should remain close to their peers, conduct regular benchmarking over the period and adopt an iterative transformation approach to ensure full compliance with the new rules by July 10, 2027.


      Level 1 regulations: 2024 legislative package 


      The EU AML/CFT legislative package, adopted on May 30, 2024, consists of four acts: the AML Regulation, the Sixth AML Directive, the AMLA Regulation, and the revised Fund Transfer Regulation, already adopted on May 31, 2023, and in application since December 30, 2024.

      The AML Regulation forms the core of the legislative package. It contains the substantive legal provisions (e.g., on risk management, and customer due diligence) and is directed at the obliged entities. The Regulation will – with limited exceptions (e.g., the new obligations for professional football clubs and agents) – directly apply in all Member States as of July 10, 2027, and will largely replace the current system of (partially diverging) national AML acts; in Ireland the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.

      The Sixth AML Directive is primarily directed at the Member States and includes, among others, national measures for high-risk sectors, requirements for the establishment of various national registers (e.g., containing information on ultimate beneficial owners or real estate ownership), and standards for the supervision of obliged entities. Member States must transpose the Directive – again with limited exceptions – into national legislative acts by July 10, 2027.

      As of today, the government of Ireland has not proposed a draft bill to transpose the Directive. The European Commission has previously called out the State for incorrectly transposing the Fourth and Fifth AML Directives. Therefore, we expect heightened focus on the transposition of the Sixth AML Directive by all parties and consequently timely action by the Irish government.

      In addition to the general date of application, the acts contain nearly 100 relevant due dates, including Member State notifications, Commission delegated acts, and AMLA guidelines.

      The AMLA Regulation deals with the creation of a new EU agency, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). The Authority, headquartered in Frankfurt, Germany, will directly supervise selected obliged entities in the financial sector, including crypto-asset service providers, coordinate the work of national competent authorities and financial intelligence units, and further clarify the requirements under the Single European Rulebook. AMLA, under its first chair Ms Bruna Szego, commenced operations on July 1, 2025, and is expected to reach full scale in 2028, when it is also due to take on direct supervision.


      Level 2 and 3 regulations: AMLA’s regulatory mandate


      The acts task the newly established AMLA with contributing to the harmonisation of practices of obliged entities and the convergence of supervision mandates of Member State authorities across the Union by issuing specifying regulatory standards.

      To achieve this objective, AMLA will draft 13 regulatory technical standards (RTS) and six implementing technical standards (ITS) and submit these to the Commission for adoption as delegated acts. Regulatory technical standards are a means to complete the Single European Rulebook.

      They must be technical in nature and may not imply strategic decisions or policy choices. Implementing technical standards are a means to ensure uniform conditions for the implementation of the rulebook. Before submitting draft standards to the Commission, AMLA is obliged to conduct open public consultations and to analyse the potential related costs and benefits. Collectively, these standards are referred to as level 2 regulations.

      Further, AMLA will issue 20 guidelines, which aim to specify conditions, criteria and elements for the application of obligations or exceptions under the acts. These guidelines are also called level 3 regulations.

      The ITS and RTS will continue to be drafted until July 2026 and should therefore be adopted by the Commission ahead of the general date of application, although the regulatory simplification agenda may postpone the enactment of some of these standards. In contrast, many guidelines will only be published on or after July 10, 2027. This puts obliged entities in a difficult position. They must prepare for the upcoming changes without knowing the full picture. Obliged entities must therefore find a way to take the required preparatory steps without completely removing their flexibility to adapt to the upcoming specifying level 2 and 3 regulations.

      Organisations are advised to analyse the level 1 regulations, assess their current capabilities (i.e., with respect to technology and data), and determine whether they are sufficient to facilitate the required changes. If significant gaps are identified, the organisation should initiate the necessary steps to set itself up for success. The initial analysis should then be repeated whenever further specifying regulations are adopted.


      Recent EBA response to the Commission’s call for advice


      Until now, the European Banking Authority (EBA) has been the main AML/CFT regulator in the European Union. The EBA continues to support AMLA during its startup phase and aims to ensure the continuity of AML prevention efforts in the Union. On March 12, 2024, the EBA received a call for advice from the Commission on four draft RTS under the future AML framework. These draft RTS have since undergone public consultation and are expected to be submitted to the Commission in October 2025.

      Of particular interest to obliged entities is the draft RTS under Article 28 (1) of the AMLR on customer due diligence. The draft consists of eight sections and aims to provide additional information on the fulfilment of the requirements under customer due diligence as well as simplified and enhanced due diligence. However, the draft remains vague in multiple areas, often referring to “necessary information”, “risk-sensitive measures” and “additional information”, without specifying a clear minimum standard for compliance with these regulations.

      Most importantly, the EBA acknowledges that obliged entities may not be able to uplift their entire customer base to comply with the new requirements by July 10, 2027, and instead proposes a risk-based approach. Obliged entities should prioritise higher risk customers and may complete the uplift of other customers later, if they do not exceed a five-year transition period. The wording suggests that higher risk customers must be uplifted by July 10, 2027; however, this remains open to interpretation.

      Once adopted, the delegated act will apply to already existing customers and new customers onboarded after its entry into force. The transitional period appears to start with the entry into force of the draft RTS, which does not match the general date of application of the AML Regulation and thereby creates further uncertainty for organisations.


      Selected new requirements

      The AML Regulation sets out a number of new and amended requirements, affecting some or all obliged entities. The below provides an overview of selected, material changes for financial institutions:


      • Targeted financial sanctions

        Compliance with EU targeted financial sanctions (TFS) is in the extended scope of the Regulation. This means that the business-wide risk assessment and internal policies, procedures and controls should cover the risks of non-implementation and evasion of TFS. AMLA and national competent authorities will also become responsible for supervising compliance with TFS obligations.

      • Outsourcing

        The Regulation introduces restrictions to the outsourcing of certain activities, e.g. proposal and approval of the business-wide risk assessment, decision on risk profile of customers, and reporting to the FIU of suspicious activities. In addition, it imposes restrictions regarding outsourcing to third-party service providers established in high-risk countries.

      • Beneficial ownership

        The Regulation introduces more detailed and harmonised rules for UBO identification and clarifies the application of these rules in the case of multi-layered structures. It sets the threshold for beneficial ownership through ownership interest at 25% or more (instead of ‘more than 25%’ under AMLD5). The Commission is, however, permitted to set lower thresholds (at max. 15%) for higher-risk categories of entities and/or sectors. Pursuant to the Regulation, additional information needs to be obtained for the identification and verification of beneficial owners, including all names and surnames, place and full date of birth, residential address (incl. country), all nationalities, number of formal identity document (e.g. passport), and, where it exists, unique personal identification number including general description of the source.

      • Politically exposed persons (PEPs)

        Siblings of certain PEPs will be classified as relatives and close associates and be subject to EDD. Heads of local and regional authorities with at least 50,000 inhabitants will qualify as PEPs, with a Member State option to lower this threshold. Senior executives of medium-sized or large enterprises controlled by regional or local authorities are also to be considered PEPs. AMLA has been tasked with issuing guidelines by July 10, 2027 to facilitate a more risk-based approach in the application of EDD measures on PEPs.

      • High net worth individuals

        Additional specific enhanced due diligence measures must be applied in case of higher risk business relationships with high-net-worth individuals when providing wealth management services to them and involving an amount of EUR 5m or more. The threshold for ‘high-net-worth’ is agreed to be at least EUR 50m of value in financial or investable wealth and/or real estate, excluding the customer’s private residence. AMLA has been tasked with issuing guidelines on the measures to be taken to establish whether a customer holds total assets with a value of at least EUR 50m and how to determine that value.

      • Periodic customer review

        The Regulation stipulates requirements for the frequency of updating customer information. The frequency shall be based on the risk posed by the business relationship. In any case the frequency shall not exceed: for higher risk customers, one year; for all other customers, five years. At these specified intervals, obliged entities shall ensure that the relevant documents, data or information of the customer are up to date, which may require accessing public or commercial registers or conducting customer outreach.


      Firm readiness

      More than a year has passed since the publication of the EU AML/CFT legislative package. While this still leaves obliged entities with almost two years until the general date of application, the new requirements are so substantial that organisations are well advised to start preparing for the upcoming changes early.

      The starting point of the change process should be an analysis of the legislative acts to identify the regulatory changes relevant to the obliged entity’s business model. Entities should then create a plan to direct their transformation. This should at a minimum include the relevant requirements, the affected processes, systems, and controls, their desired target state, the responsible owners, and timelines for achieving the respective uplifts from current to target state.

      Among others, obliged entities should consider the following components when designing their transformation plans:


      Gap and impact assessment

      • Obliged entities should review their existing (group-wide) AML framework and assess the impact of the new requirements to determine the organisation’s areas of greatest concern.
      • The structure of the assessment should be created by the group compliance function but consider information provided by the subordinated entities’ first-line risk owners and compliance departments.
      • The output of this assessment should list the relevant regulatory changes, describe their impact on the organisation (i.e., which processes, systems or controls are affected to what degree) and ultimately inform their transformation plan with regards to prioritisation, timeline and resource allocation.
      • Organisations should consider regular benchmarking against peers to ensure their interpretation of legal requirements is in line with the industry. This can help avoid regulatory findings and additional remediation efforts.

      Policies and procedures

      • Obliged entities should update their policy framework across all three lines of defence. This includes the level 1 policy documents (e.g., the organisation’s AML policy) as well as subordinated procedures and operational guidelines.
      • To facilitate this review, a policy impact assessment should be conducted, based on the organisation’s wider gap and impact assessment. The material changes identified should then drive remediation efforts and be included in role-specific training plans.
      • Organisations should include the relevant stakeholders in the process and ensure that policies are regularly reviewed and kept up to date.

      Data management

      • Obliged entities should review their existing data management practices and implement a robust framework that enables seamless collection, consolidation, management, and distribution of data.
      • Data quality is critical to enable processes and controls to operate effectively. The completeness, accuracy and timeliness of data must be continuously assured by implementing appropriate preventative and detective controls.
      • AMLA’s central database of information collected from national competent authorities will likely create a trickle-down effect, where regulators request more structured data from supervised entities. Obliged entities should prepare for these increased information demands by enhancing their internal databases.
      • These efforts should be aligned to the organisation’s risk-based approach. If done right, they can support the obliged entity’s cost agenda by identifying and removing redundancies and inefficient (manual) processes.

      IT infrastructure

      • AMLA will operate a data-driven supervisory approach. This will also impact the way national competent authorities supervise their subjects. The Central Bank of Ireland’s sector-specific risk evaluation questionnaires (REQs) are an early example of this relationship.
      • Firms can expect their supervisors to request more data points at more frequent intervals. This necessitates that organisations review their data models and the IT infrastructure that supports them. In this context, obliged entities should also consider leveraging new technologies such as artificial intelligence to expand their existing IT capabilities.
      • The implementation of the new regulatory requirements creates momentum for change and therefore an opportunity to go beyond what is legally required to enable the organisation to become more effective, efficient and sustainable.
      • Organisations may, for example, focus on increased automation to reduce headcount and risk of manual error, better detection through improved data mining and pattern recognition or improved customer satisfaction through reduction of touchpoints and the creation of a more seamless experience.

      Resourcing

      • Obliged entities should ensure that their teams are adequately staffed and equipped to implement and operate the new requirements.
      • Additionally, organisations should review if they have the required expertise and experience to fulfil the expanded catalogue of requirements (e.g., concerning the mitigation of the risk of non-implementation or evasion of TFS).
      • If required, additional training should be performed or resources with the needed expertise hired to close any gaps.

      Compliance culture

      • Obliged entities should promote a positive compliance culture. This starts with an adequate board involvement (tone-at-the-top) and must be embedded at all levels of the organisation. Leaders should foster a culture of trust and open communication, where issues can be brought up without fear of repercussions.
      • Organisations should also implement and maintain appropriate channels to allow employees to anonymously report unethical or illegal conduct.
      • Organisations should enable customers, distributors, suppliers, and business partners to comply with their respective obligations, and provide them with information and training to assure risk is managed along the entire value chain.

      The current progress of a firm may indicate whether its regulatory monitoring process is operating effectively. More than one year into the transition period, obliged entities should have completed an initial gap and impact assessment and have drafted a high-level transformation plan.

      With most of the level 2 regulations expected to be issued by July 2026, organisations should start designing and implementing regulatory changes in a modular approach as more detailed information becomes available, with the full-scale transformation starting by the middle of next year at the latest.


      How can KPMG help?


      • AMLA Readiness Assessment

        KPMG can assess the readiness of your organisation for the upcoming regulatory changes and compare it to your domestic and international peers (“AMLA Readiness Assessment”).

      • Impact assessments

        We have experience conducting regulatory gap and impact assessments and can support you by using our out-of-the-box solutions to get a quick understanding of your organisation’s exposure and need for action.

      • Business risk assessment

        KPMG can help update your business risk assessment to ensure adequate consideration of risks related to the non-implementation or evasion of targeted financial sanctions.

      • Policies, procedures & controls

        KPMG can support you in uplifting your AML risk management program by designing and implementing the required changes to policies, procedures, systems, and controls.

      • Remediation

        We can accelerate the remediation program to uplift your existing customer portfolio to comply with new data requirements by leveraging our fit-for-purpose solutions and augment your resource capacity with our specialised staff.

      • Resources & training

        KPMG can provide interim resources for successfully managing your transformation and provide training and support to your organisation’s staff, e.g., concerning compliance with targeted financial sanctions.

      • Compliance assurance

        We can provide assurance on your firm’s compliance with the new requirements under the AML Regulation, which may include ongoing reviews to accompany your change program to give you the comfort that your implementation is on track.


      The KPMG AMLA Office

      Established in response to the new Authority headquartered in Frankfurt, Germany, KPMG’s AMLA Office is the leading centre of expertise on AMLA supervisory policy and practice.

      The KPMG AMLA Office is a dedicated team of experts committed to supporting financial institutions and corporate clients in navigating the evolving landscape of AML regulations and practices. Our team brings together the collective knowledge and experience of KPMG’s international network of professionals.

      Under the AMLA framework, financial institutions face new challenges and obligations aimed at combating illicit financial activities, money laundering, and terrorism financing across the EU. The KPMG AMLA Office provides tailored solutions and guidance to help organisations understand and comply with AMLA supervisory standards.

      Stay informed with our repository of articles, publications, and resources by subscribing to our AMLA Office insights.


      Get in touch

      Ian Nelson

      Head of Regulatory, Head of Financial Services

      KPMG in Ireland

      Patrick Farrell

      Partner, Head of Advisory Markets

      KPMG in Ireland

      Niamh Lambe

      Managing Director, Risk and Regulatory Consulting

      KPMG in Ireland

      Niclas-Andreas Mueller

      Director, KPMG AMLA Office

      KPMG in Ireland
