Less than one year to go.
This is what's on most compliance officers' mind. From July 10, 2027, Regulation (EU) 2024/1624, the EU's Anti-Money Laundering Regulation (AMLR), will apply directly across all 27 Member States.
But the effective deadline isn't 2027. It's now.
The regulatory technical standards that define how to comply are being published throughout 2026.
The Anti-Money Laundering Authority (AMLA) is already operational, already running consultation processes, and already signalling its expectations to national supervisors.
In Luxembourg, the Administration de l'Enregistrement, des Domaines et de la TVA (AED) has reportedly rejected nearly 90% of submitted AML questionnaires. This is a signal that regulators aren't waiting for 2027 to apply scrutiny.
12 months is enough time to prepare. But not enough time to waste.
This article is for compliance teams that want to understand what the EU AMLR actually requires – and what to do about it in the next 12 months.
Key takeaways
- The EU AMLR applies from July 10, 2027 – but the effective preparation window is already open
- AMLA is already operational, writing binding technical standards, and coordinating with national supervisors
- The AMLR introduces a Single Rulebook that applies directly in all 27 Member States – no national transposition, no room for interpretation
- The five biggest compliance program changes: harmonised customer due diligence (CDD) triggers, a unified PEP definition, revised ultimate beneficial owner (UBO) thresholds, harmonised transaction monitoring and suspicious transaction reporting (STR) formats, and mandatory group-wide controls
What the EU AML Package actually is
The AMLR doesn't stand alone. It's the centrepiece of a four-instrument EU AML Package – the most significant overhaul of EU anti-money laundering (AML) prevention since the first directive was introduced in 1991.

The AMLR: the Single Rulebook
Regulation (EU) 2024/1624 establishes a directly applicable Single Rulebook for preventing money laundering and terrorist financing (ML/TF) across all EU Member States.
Directly applicable means what it says: unlike the previous AML Directives, the AMLR does not require national transposition. It applies, uniformly and simultaneously, in every Member State from July 10, 2027.
The previous directive-based model – AMLD4, AMLD5, AMLD6, and their predecessors – left substantial room for national interpretation. The result was fragmentation: slightly different CDD requirements in Germany, different PEP definitions in France, different thresholds in the Netherlands…
The AMLR ends that.
For obliged entities operating across borders, this harmonisation is significant. The rules are the same everywhere. So is the liability.
AMLA: the authority that enforces it
Regulation (EU) 2024/1620 establishes the Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt. AMLA became operational on July 1, 2025. From January 1, 2028, it will directly supervise approximately 40 large, high-risk financial institutions across the EU – the list of directly supervised entities will be published by end of 2027.
For institutions not selected for direct supervision, AMLA still matters:
it coordinates national supervisors, writes the binding regulatory and implementing technical standards (RTS and ITS) that define how the AMLR works in practice, and facilitates joint analysis of cross-border cases by national Financial Intelligence Units (FIUs).
Why this is different from every previous AMLD
The paradigm shift is the legal form.
The AMLR is a regulation, not a directive. It doesn't leave room for national interpretation.
For compliance teams operating across borders, that harmonisation removes years of accumulated complexity – but it also removes the flexibility that national implementation provided. This is the adjustment that requires the most fundamental rethink: there is no longer a "local" version of the rulebook to calibrate to. There is one rulebook. And AMLA enforces it.
Who the EU AMLR applies to
Existing obliged entities: what changes
The AMLR applies to all entities already subject to AMLD4 and AMLD5 – credit institutions, payment service providers, investment firms, insurance companies, and other financial sector participants. For these institutions, the AMLR expands and harmonises existing obligations rather than creating entirely new frameworks from scratch.
What changes is the specificity.
Where AMLD-based national law allowed for a degree of risk-based judgement on CDD triggers, the AMLR introduces an exhaustive catalogue. Where PEP definitions varied by Member State, the AMLR unifies them. Where UBO thresholds were interpreted differently, the AMLR sets a single standard.
More precision means less discretion – and more detailed documentation requirements to prove compliance.
Newly in-scope entities: what you need to know
The AMLR significantly expands the scope of obliged entities. New additions include:
- Crypto-asset service providers (CASPs) – all CASPs authorised under MiCAR (Markets in Crypto-Assets Regulation – also called MiCA) are now fully within AML scope, closing the gap where some crypto businesses operated under national exemptions
- Crowdfunding platforms and intermediaries – platforms authorised under the EU Crowdfunding Regulation
- Consumer credit providers that are not credit institutions
- Mortgage credit intermediaries and creditors not regulated as banks
- Professional football clubs and their agents – for transfers involving significant funds (with a transition period applying until July 2029)
- Traders of high-value goods – including luxury goods, precious metals, gemstones, and works of art where payments exceed €10,000
If your entity type falls into any of these categories, your AML/CFT compliance obligations begin on July 10, 2027 – requiring significant preparation efforts.
What the EU AMLR requires: the five key obligations that will change your program
1. Harmonised CDD and enhanced due diligence triggers
The AMLR introduces a precise, exhaustive catalogue of enhanced due diligence (EDD) trigger cases. Unlike the previous framework, where a purely risk-based approach was sufficient, the new model specifies mandatory trigger points.
CDD is split into
- standard,
- enhanced, and
- simplified categories
each with defined entry conditions. For compliance teams, this means reviewing every CDD workflow against the new trigger catalogue and documenting not just what was done, but why a particular level of due diligence was applied – and how that conclusion was reached consistently.
2. A new, unified PEP definition
The harmonised politically exposed person (PEP) definition under Article 2(1) no. 34 AMLR replaces the previously divergent national catalogues. Nationally expanded PEP lists – for example, mayors above certain population thresholds – fall away unless Member States expressly maintain them in a published list under Article 33(4) AMLR.
The practical implication: your PEP screening configuration needs to be reviewed against the new definition. Rules calibrated to the national PEP catalogue of a specific Member State may no longer be correct after July 10, 2027.
3. UBO transparency at 25% – with a 15% floor in high-risk sectors
The 25% UBO (ultimate beneficial owner) threshold remains the basic rule. But the European Commission may lower it to 15% by delegated act for high-risk sectors – including extractive industries and real estate. Exceeding the 25% threshold will no longer be required. Anyone with at least 25% ownership, voting rights, or other ownership interests is in scope.
More significantly, the AMLR clarifies the calculation logic for multi-tier structures, closing interpretation gaps that have been exploited to obscure beneficial ownership in complex corporate chains.
4. Harmonised transaction monitoring and STR reporting formats
The AMLR requires obliged entities to update their transaction monitoring rules to new harmonised standards, and to implement harmonised suspicious transaction report (STR) formats per AMLA's implementing technical standards. AMLA’s ITS on reporting formats are expected to be published in 2026 – which means institutions need to be monitoring those publications now, not waiting until they appear.
For compliance teams running manual or semi-manual suspicious activity report (SAR) or STR processes, this is the obligation most likely to require material technology investment.
5. Group-wide controls and third-country equivalence
Parent undertakings that are obliged entities must adopt group-wide AML/CFT measures and policies. This includes subsidiaries operating in third-party states, with limited exceptions. Details will be set out in the regulatory technical standards published by AMLA.
Third-country equivalence also requires a fresh review. The updated high-risk third-country list under the AMLR may differ from the lists your current program relies on. Relationships with entities in third countries need to be reassessed against the new framework.
The preparation gap: why July 2027 is closer than it looks
The technical standards are already being published
Between now and July 2027, AMLA must publish 23 Level 2 and Level 3 measures – RTS, ITS, and guidelines.
The direction is clear. But the detail is still being set – which means institutions that aren't monitoring AMLA's consultation pipeline risk being caught out by final standards that differ from the drafts they were tracking.
Regulators are already signalling their expectations
AMLA's influence is being felt through national supervisors before any formal AMLA enforcement begins.
The CSSF (Luxembourg's financial sector supervisory authority) has already aligned its supervisory questionnaire with AMLA's expectations. In its January 2026 newsletter, Luxembourg's AED – the supervisory authority for unregulated investment funds – reported that almost 90% of AML/CFT questionnaires submitted for the 2024 exercise had been rejected, primarily due to missing or incorrect data.
This signals two important things. One: the bar is higher than most institutions currently clear. Two: regulators are not waiting for 2027 to apply it.
The real deadline is earlier than the legal one
The legal deadline is July 10, 2027. But financial institutions cannot treat it as the start of preparation. Rather, it is the finish line for which you must be ready.
"Although 2027 dominates industry planning calendars, the effective timeline is more compressed. By the time the AMLR applies, firms are expected to have redesigned policies, systems and governance."
The operational deadline – the point by which your gap analysis must be complete, your workflows redesigned, your systems updated, and your team trained – is earlier.
EU AMLR compliance checklist: what to do in the next 12 months

1. Confirm your scope
Verify whether your entity type falls within the AMLR's expanded list of obliged entities – particularly for CASPs, crowdfunding platforms, consumer lenders, and mortgage credit intermediaries. If you're newly in scope, the full framework applies from day one.
2. Run a gap analysis against published RTS
Review your existing AML policies, procedures, and compliance framework against the RTS and ITS already published by EBA and AMLA. Identify gaps in CDD procedures, PEP and UBO identification, STR reporting formats, and group-wide controls. This analysis is the foundation for everything that follows.
3. Redesign your CDD and EDD procedures
Map your current CDD workflows against the AMLR's exhaustive trigger catalogue. Document the basis for every due diligence decision. Update onboarding procedures for eIDAS-compliant identity verification where relevant. Standard, enhanced, and simplified CDD categories each need defined entry conditions and documented decision logic.
4. Update your PEP and UBO identification processes
Review your PEP screening configuration against the new unified AMLR definition. Update UBO identification procedures to capture all beneficial owners at the 25% threshold – including those in complex multi-tier structures. Monitor AMLA publications for any delegated act lowering the threshold to 15% in your sector.
5. Review your transaction monitoring rules against harmonised standards
Assess whether your current transaction monitoring rules can accommodate the harmonised STR reporting formats AMLA's ITS will require. Register for AMLA consultation notifications to track publishing dates. Update monitoring thresholds and escalation procedures to align with the new framework.
6. Assess your audit trail and reporting infrastructure
The AMLR requires obliged entities to respond fully and quickly to information requests from FIUs and other competent authorities. The data points required will not all be readily available in most institutions today. Assess whether your audit trail captures everything AMLA supervisors will expect – and whether it can be retrieved and presented without manual reconstruction.
7. Monitor AMLA consultations through 2026
AMLA's consultation papers are the clearest signal of supervisory expectations available before formal enforcement begins. Register for consultation notifications. Review published RTS and ITS as they appear. Assign ownership of the monitoring process to a named individual – EY recommends assigning one person with overall responsibility for implementing the AMLR to ensure preparatory assessments are initiated and change initiatives are prioritised.
How Marble is built for AMLR readiness
The AMLR doesn't just raise the bar. It resets the specifications entirely.
Compliance programs built around AMLD4 and AMLD5 – with rules calibrated to national interpretations, PEP lists maintained for specific Member States, and audit trails assembled manually – need to be rebuilt against a new, harmonised standard.
Marble is built to make that rebuild precise and auditable. Every component maps to a specific AMLR requirement.
CDD and EDD: configurable rules that match the new trigger-point catalogue
Marble's no-code rule builder lets compliance teams define CDD and EDD workflows against the AMLR's exhaustive trigger catalogue – by customer type, transaction type, jurisdiction, and risk score. Rules that were calibrated to national frameworks can be updated without IT dependency, without downtime, and without a new implementation project. The logic fits the new standard. The record proves it.
PEP and sanctions screening: harmonised lists, real-time and scheduled
Marble screens against the full range of lists required under the AMLR – including OFAC (Office of Foreign Assets Control) SDN, EU Consolidated, HM Treasury (OFSI), and UN Security Council Resolutions (UNSCR) – with automated list updates and configurable match thresholds. PEP screening applies the unified AMLR definition, not a national variant. Real-time screening at the point of onboarding and transaction, plus scheduled re-screening across the full portfolio.
Transaction monitoring: rules calibrated to harmonised STR reporting formats
Marble's transaction monitoring engine supports harmonised suspicious transaction reporting formats – configurable to AMLA's ITS as they are published, without requiring a platform migration. A/B testing lets you validate rule changes against live data before promoting to production. Alert-to-case conversion rates are tracked, so you can demonstrate rule performance – not just rule presence – to supervisors.
Audit trail: the unalterable record AMLA will ask for
Every action in Marble is logged, timestamped, and unalterable. The audit trail is built in real time as cases unfold – not reconstructed after the fact. When AMLA or a national supervisor requests documentation of how a decision was reached, the record is already ordered, searchable, and complete. No reconstruction. No gaps.
Data sovereignty: keeping your compliance data where EU law requires it
Marble supports both SaaS and on-premise deployment, with the ability to switch as requirements change.
For EU institutions with data residency obligations – or for non-EU institutions processing EU data under GDPR (General Data Protection Regulation) and AMLR data retention rules – this means your compliance data stays where your legal obligations require it, without compromising the platform's capability.
Everything falls into place. Precisely.
July 2027 is the deadline. The preparation window is now.
The AMLR doesn't leave room for late starts. The standards are being set now. The supervisors are watching.
The gap between where most compliance program currently sit and where the AMLR requires them to be is real.
12 months is enough time to close it, but not enough time to waste.
Map the gap. Set the rules. Build the record that proves your program works.
See how Marble is built for AMLR readiness →
Frequently asked questions about the EU AMLR
What is the EU AMLR?
The EU AMLR – formally Regulation (EU) 2024/1624 – is the EU's directly applicable Single Rulebook for preventing money laundering and terrorist financing. It replaces the previous patchwork of AML Directives with a uniform framework that applies in all 27 EU Member States simultaneously from July 10, 2027, without national transposition. It covers CDD obligations, PEP and UBO identification, transaction monitoring, STR reporting, and group-wide controls for all obliged entities.
When does the EU AMLR apply?
The AMLR applies from July 10, 2027 for most obliged entities. Some sector-specific obligations – particularly for professional football clubs – have a transition period extending to July 10, 2029. However, the regulatory technical standards published by AMLA throughout 2026 define the detailed compliance requirements, meaning institutions need to be reviewing and implementing those standards now, well in advance of the formal application date.
Who does the EU AMLR apply to?
The AMLR applies to all entities already subject to AMLD4 and AMLD5 – including credit institutions, payment service providers, investment firms, and insurance companies – as well as a significantly expanded list of newly obliged entities: CASPs, crowdfunding platforms, consumer credit providers, mortgage credit intermediaries, professional football clubs, and traders of high-value goods above €10,000.
What is the difference between AMLR and AMLD6?
The AMLR (Regulation EU 2024/1624) is directly applicable in all Member States – it does not require national transposition. AMLD6 (Directive EU 2024/1640) is a directive, meaning each Member State must transpose it into national law by July 10, 2027. The AMLR governs private-sector obligations (what obliged entities must do); AMLD6 governs national supervisory mechanisms and institutional frameworks (how Member States must organise AML supervision). Both apply from July 10, 2027.
What does the EU AMLR require for transaction monitoring?
The AMLR requires obliged entities to conduct transaction monitoring using harmonised standards defined in AMLA's implementing technical standards. This includes updated STR reporting formats, harmonised risk factor criteria, and documented decision logic for monitoring rule thresholds. Institutions should review whether their current transaction monitoring systems can accommodate these harmonised formats and update accordingly before July 10, 2027.
Reference list
- DLA Piper, New EU anti-money laundering rules: What to know (December 2024): https://www.dlapiper.com/en-us/insights/publications/global-anti-corruption-perspective/new-eu-anti-money-laundering-rules-what-to-know
- Norton Rose Fulbright, Harmonisation of European money laundering prevention (2025): https://www.nortonrosefulbright.com/en/knowledge/publications/32bd49d3/harmonisation-of-european-money-laundering-prevention
- webID Solutions, AMLR Compliance Guide: Implementing EU Anti-Money Laundering Regulation (March 2026): https://webid-solutions.com/en/resources/blog/achieving-amlr-compliance/
- A&O Shearman, EU's New AML Package: Authority, Regulations and Directives (November 2024): https://www.aoshearman.com/en/insights/what-does-the-eu-aml-package-mean-for-business
- A&L Goodbody, The EU's new Anti-Money Laundering Authority – FAQ (July 2025): https://www.algoodbody.com/insights-publications/the-eus-new-anti-money-laundering-authority-alg-faqs
- Grant Thornton, Update on EU money laundering legislation (November 2025): https://www.grantthornton.ch/en/insights/eu-aml/
- Deloitte Legal, The New EU AML Package (July 2025): https://www.deloittelegal.de/dl/en/services/legal/perspectives/eu-aml-paket-wendepunkt-geldwaeschepraevention.html
- PwC Ireland, The EU's new Anti-Money Laundering Authority: What it means for your business (June 2025): https://www.pwc.ie/services/audit-assurance/insights/eu-new-anti-money-laundering-authority.html
- Indicium Technologies, AMLR 2027: The compliance roadmap for banks and financial institutions (May 2026): https://www.indicium.ag/en/resources/amlr-2027-compliance-roadmap-banks-financial-institutions
- Fourthline, How to Prepare for AMLA Compliance: What Financial Institutions Must Do Before 2027 (2026): https://www.fourthline.com/blog/how-to-prepare-for-amla-compliance-what-financial-institutions-must-do-before-2027
- EY, How firms can prepare for EU AML uncertainty with proactive measures (December 2025): https://www.ey.com/en_no/insights/financial-services/how-firms-can-prepare-for-eu-aml-uncertainty-with-proactive-measures
- EY Luxembourg, The EU AML package is transforming compliance (March 2026): https://www.ey.com/en_lu/insights/financial-services/how-the-eu-aml-package-is-transforming-compliance-for-financial-firms
- EY Luxembourg, AMLA's approach takes shape: what the new EU AML standards mean for financial institutions (April 2026): https://www.ey.com/en_lu/insights/financial-services/amla-approach-takes-shape-what-the-new-eu-aml-standards-mean-for-financial-institutions
- Moody's, EU AML Framework Update: AMLA and AMLR Explained (March 2026): https://www.moodys.com/web/en/us/kyc/resources/insights/a-review-of-amla-and-amlr-2026.html
- Financial Regulations EU, EU AML Package Guide 2026: AMLR Applies 10 July 2027 (March 2026): https://financialregulations.eu/blog/eu-aml-package-amla-amlr-guide

