The new EU Anti-Money Laundering Regulation (AMLR) is both highly detailed and more prescriptive than previous AML Directives. As a result, many firms are performing gap analyses and assessing resource needs to achieve compliance with the AMLR in time for 10 July 2027. Rather than providing article-by-article recaps, this article aims to raise questions on the AMLR and wider AML Package that warrant further exploration as implementation is ongoing across member states, and to close with some thoughts on AMLR preparation.
Supervisory convergence under AMLR: the impact of AMLA’s enforcement actions
Alongside the AMLR, the new Anti-Money Laundering Authority (AMLA) will drive EU AML/CFT harmonization through its Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines, its common AML/CFT supervisory methodology, supervisory peer reviews and other supplementary tools at its disposal, including targeted supervision and enforcement. Focusing on the latter, AMLA will directly supervise a small, dynamically selected cohort (around 40) of high-risk and cross-border credit and financial institutions and can impose administrative measures and pecuniary sanctions on those institutions. For all other obliged entities, national competent authorities (NCAs) remain the primary supervisors and enforcers under the EU AML/CFT framework.
While AMLA’s enforcement decisions bind only their addressees, published outcomes and reasoning, to the extent that they are made fully public, will likely serve as influential benchmarks for how financial and credit institutions in particular interpret and operationalize the AMLR and related technical standards and Guidelines.
A central question is how AMLA’s enforcement actions will interact with established national practice that has matured under NCAs’ enforcement actions. Even where national practice is not in conflict with the AMLR, it may diverge from AMLA’s expectations on topics such as the design and execution of the business-wide risk assessment, procedures for AML/CFT model risk management or the application of a risk-based approach more broadly. In the near term, some friction seems plausible: NCAs may maintain stricter or looser interpretations of AML/CFT obligations while AMLA signals different AML/CFT baselines for the roughly 40 institutions under its direct supervision. AMLA’s tools for AML/CFT harmonization are designed to compress durable gaps in interpretation and practice, but firms should plan for a transitional period of compliance complexity as supervisory approaches converge.
Unpacking the ‘risk management framework’
AMLR Article 9(2)(a)(ii) requires that an obliged entity’s policies, procedures and controls encompass its ‘risk management framework’. The scope of this framework is not elaborated on in the AMLR, and, unlike the other areas in scope of Article 9(2)(a), the ‘risk management framework’ is not referenced in the fourth AML Directive (4AMLD). In the absence of clearer guidance in the AMLR, roles and responsibilities across the three lines of defense and the management body should probably be codified as part of the ‘risk management framework’. It should arguably also include how risks are managed, from risk appetite statements to ongoing KPI/KRI monitoring and management information systems as well as procedures for handling breaches of risk appetites.
More broadly, firms should consider codifying how they manage AML/CFT within a holistic risk management framework rather than a check-box exercise across, e.g., the business-wide risk assessment, customer due diligence (CDD) and ongoing monitoring as siloed processes.
Model risk management
Additionally, there is no explicit mention of Model Risk Management (MRM) in the AMLR, in contrast to 4AMLD. While AMLR mentions the use of automated processes, machine learning technologies and AI, it does so in specific contexts such as information exchange within partnerships and personal data processing. However, the application of such technologies arguably presupposes an MRM framework. The upcoming AMLA Guideline required by Article 9(4) may provide more clarity on this topic, but for the time being the MRM framework is also a candidate for inclusion within the ‘risk management framework’.
The AML Package’s implications for data
There are plenty of indications across the AMLR and the broader “AML Package” that data will be a focal point for supervisors and obliged entities going forward. For example, extensive and minimum-mandatory information and datapoints are stipulated in relation to the business-wide risk assessment, identification and verification of the identity of customers and beneficial owners, and CDD more broadly.
Furthermore, the AMLR requires obliged entities to respond fully and quickly to information requests from the Financial Intelligence Unit (FIU) or other competent authorities regarding business relationships. Last but not least, the Draft RTS under Article 40(2) of the new AML Directive includes a comprehensive list of data points for supervisors to use in assessing and classifying risk profiles of obliged entities. While the list is not final, it is clear that obliged entities will need to provide substantial data to supervisors on an ongoing basis, some of which will not be readily available today.
Are entities prepared or preparing for the implications of these data demands for their AML/CFT frameworks, ranging from relatively ‘smaller-scale’ measures such as revamping KYC forms to collect additional customer information, to larger undertakings such as the application, maintenance, storage and timely reporting of that data?
What practitioners can do next
While this article is intended to be exploratory and we won’t know all of the answers to the questions raised above in the near term, an article delving into the AML Package and AMLR wouldn’t be complete without listing a few key steps practitioners can take when preparing for AMLR implementation, specifically:
- Conduct gap assessments:
A thorough gap assessment of existing AML/CFT measures against the AMLR requirements is a good starting point. This also includes estimating resource and capacity needs across the first and second lines of defense. This should include reviewing system and data architectures now, as implementing AMLR-compliant changes should be expected to have potentially long lead times. One component of this review is assessing data availability, lineage and quality, as well as capabilities to provide data on request to FIUs and other competent authorities. If not already established, an AML/CFT data strategy and data quality standards may need to be implemented accordingly.
- Establish interpretation councils:
More broadly, practitioners that EY is working with are taking additional proactive steps such as setting up so-called interpretation councils. These councils typically combine first and second line expertise to review and advise on AMLR interpretation and implementation strategies. This can help in establishing a sound basis for risk-based compliance with the AMLR that can be supplemented with additional requirements that come through RTS/ITS and Guidelines.
- Assign responsibility:
Assigning one person with overall responsibility for implementing the AMLR is key for structuring and focusing efforts as well as priorities, including through the development of a roadmap. Besides facilitating the necessary preparatory assessments and initiating change initiatives now, assigning responsibility and ownership helps establish a solid foundation before the anticipated publication of numerous RTS and Guidelines from mid-2026. Ultimately, setting the scene and asking the right questions now could mean avoiding costly missteps as we approach 10 July 2027.