AMLA – Iterative gap analysis is key to implementation

The compliance effort required by the new AML/CFT framework varies widely between markets and institutions. Tailored, iterative gap analysis is key to effective prioritisation. Firms can take a range of actions to ensure compliance and optimise the efficiency of their AML/CFT activities.

The EU’s anti-money laundering (AML) reforms are a gamechanger for European companies with a duty to enforce AML, combat terrorist finance (CFT), and implement targeted financial sanctions.

Harmonisation is a fundamental goal of the new AML/CFT framework. Variations in current national approaches mean that complying with the new regime will require very different levels of effort between member states. The impact on individual obliged entities (OEs) will also vary according to size, geographic footprint, and business model.

As a result, it’s critically important for every OE to map the gaps between national AML rules and the new regulations, and between their existing compliance frameworks and the capabilities they will need in future. In our experience, a three-step gap analysis is key to accurately assessing the impact of the new framework and prioritising effectively. Firms should ask themselves:

Financial institutions comparing the new regulations with existing legislation — such as Germany’s AML Act - are already identifying potentially significant challenges, such as the need for material technology changes to meet revised standards for customer due diligence or data aggregation. The need for co-ordinated action across all three lines of defence, not just within Compliance functions, is another common feature.

The picture is further complicated by uncertainty over the final shape of the AML/CFT Single Rulebook. AMLA’s recently published Single Programming Document anticipates the finalisation of more than 20 Level 2 standards and Level 3 guidelines during 2026, with more to follow before the new framework’s application date of July 2027 (see Single Rulebook article). This uncertainty is making some OEs reluctant to implement changes before the final regulatory picture is clear.

In our view, however, the tight timelines and the scale of changes facing many institutions mean that OEs should begin assessing and addressing the impacts of the new AML landscape now, if they have not already done so. If they wait for perfect clarity before acting, it will be too late. Early identification and prioritisation are critical to achieving compliance efficiently and effectively.

This means that gap analysis needs to be an iterative process, not a one-off exercise. That’s true for multinational institutions with large compliance functions, for smaller financial firms, and for non-financial companies with limited regulatory expertise (see Non-FS article).

OEs can also take advantage of support from external experts with the ability to provide supervisory insights and validate internal impact assessments. Professional advisors can also provide benchmarking comparisons and share insights into industry best practice.

Finally, OEs should ensure they’re identifying the opportunities of change as well as the challenges. There is significant scope for more centralised, streamlined AML/CFT processes to enhance their efficiency, flexibility and scalability. We believe that OEs should:

• Establish a robust governance framework to monitor evolving requirements and manage the transition to the new regime.
• Engage with all functions and business units as soon as possible, fostering cross-organisation alignment and momentum.
• Use an iterative gap analysis methodology to identify and prioritise the changes needed to be ready for application of new framework by July 2027.
• Take advantage of opportunities to align implementation plans with technology releases and updates, including those provided by external partners.