EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can Help
Proportional, risk‑based customer due diligence in practice
Under AMLR and the draft standards on CDD, firms must verify information that reflects the risk level of each relationship. In lower‑risk situations, simplified due diligence can reduce the amount of information collected. In higher‑risk situations, Enhanced Due Diligence (EDD) requires a deeper review of source of funds, source of wealth, transaction patterns and exposure to politically exposed persons.
Remote onboarding is now a mainstream expectation. The introduction of the European Digital Identity Framework, including eIDAS 2.0 and the European Digital Identity Wallet, will raise the level of assurance for digital identification. Firms will need to accept these identification methods when customers choose to present them. A practical workflow is to confirm identity and beneficial ownership first and then collect information on purpose and intended nature. Additional EDD can be applied if indicators of elevated risk appear.
A harmonized approach to risk assessment
The draft technical standards introduce a single structure for assessing inherent risk, control quality and residual risk. Inherent risk is determined by customer, product, channel and geography. Control effectiveness is determined by governance, monitoring and escalation arrangements. Residual risk determines the level of supervisory attention and internal resourcing. Automation is encouraged but supported by manual override so that expert judgment remains part of the process. Annual risk re-assessments will be expected for most firms. Low‑risk firms may follow longer cycles. AMLR also clarifies the timing for periodic know your customer (KYC) reviews, which will drive adoption of perpetual and event‑driven KYC processes.
Direct AMLA supervision: are you in scope?
From 2028, AMLA will directly supervise up to 40 selected obliged entities. Eligibility hinges on operating in six or more Member States and exhibiting high residual risk. While the final selection criteria are set by the RTS and AMLA, it has been said that there will most probably be at least one directly supervised entity from each EU member country, ensuring broad geographic representation and oversight. Draft RTS proposes materiality thresholds per Member State (e.g., greater than 20,000 customers or greater than €50m transactions) to count cross-border activity. Firms near these thresholds should assess footprint, data readiness, and supervision readiness now. AMLA will also coordinate national supervisors and support FIUs (e.g., FIU.net and joint analyses), creating a more cohesive supervisory culture even for entities not directly supervised.
Direct AMLA supervision
From 2028, AMLA will directly supervise up to 40 firms that meet the criteria for high residual risk and cross‑border presence. Draft criteria include operating in at least six Member States and meeting thresholds such as customer numbers or transaction volume. Firms close to these thresholds should evaluate their operational footprint, data readiness and supervisory preparedness. AMLA will also coordinate national authorities and support Financial Intelligence Units to promote more consistent supervisory cultures across the European Union.