EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can Help
From rules to structured data
AMLA’s supervisory model and the draft technical standards shift expectations toward structured data, consistent risk scoring and coordinated cross‑border reviews. The combined framework of AMLR, the Sixth Anti Money Laundering Directive (AMLD6), the AMLA Regulation and associated technical standards creates a predictable baseline for both regulators and firms. Supervisory engagement will increasingly depend on the quality, structure and traceability of the information firms provide.
Proportional, risk‑based customer due diligence in practice
Under AMLR and the draft standards on CDD, firms must verify information that reflects the risk level of each relationship. In lower‑risk situations, simplified due diligence can reduce the amount of information collected. In higher‑risk situations, Enhanced Due Diligence (EDD) requires a deeper review of source of funds, source of wealth, transaction patterns and exposure to politically exposed persons.
Remote onboarding is now a mainstream expectation. The introduction of the European Digital Identity Framework, including eIDAS 2.0 and the European Digital Identity Wallet, will raise the level of assurance for digital identification. Firms will need to accept these identification methods when customers choose to present them. A practical workflow is to confirm identity and beneficial ownership first and then collect information on purpose and intended nature. Additional EDD can be applied if indicators of elevated risk appear.
A harmonized approach to risk assessment
The draft technical standards introduce a single structure for assessing inherent risk, control quality and residual risk. Inherent risk is determined by customer, product, channel and geography. Control effectiveness is determined by governance, monitoring and escalation arrangements. Residual risk determines the level of supervisory attention and internal resourcing. Automation is encouraged but supported by manual override so that expert judgement remains part of the process. Annual risk re-assessments will be expected for most firms. Low‑risk firms may follow longer cycles. AMLR also clarifies the timing for periodic Know Your Customer (KYC) reviews, which will drive adoption of perpetual and event‑driven KYC processes.
Direct AMLA supervision: are you in scope?
From 2028, AMLA will directly supervise up to 40 selected obliged entities. Eligibility hinges on operating in ≥6 Member States and exhibiting high residual risk. While the final selection criteria are set by the RTS and AMLA, it has been said that there will most probably be at least one directly supervised entity from each EU member country, ensuring broad geographic representation and oversight. Draft RTS propose materiality thresholds per Member State (e.g., >20,000 customers or >€50m transactions) to count cross-border activity. Firms near these thresholds should assess footprint, data readiness, and supervision readiness now. AMLA will also coordinate national supervisors and support FIUs (e.g., FIU.net and joint analyses), creating a more cohesive supervisory culture even for entities not directly supervised.