From rulebook to reality: Preparing for AMLA and the 2027 AMLR reforms

Europe is entering one of the most consequential periods of anti-money laundering (AML) reform in recent memory. The Anti-Money Laundering Authority (AMLA) assumed its rule-setting mandate in 2026, and from July 10, 2027, the Single Rulebook, the AML Regulation (AMLR), applies directly across EU member states, with the Sixth AML Directive (AMLD6) transposed around the same time. For firms that built their programs around national transpositions and the interpretive leeway those allowed, this is a structural change to how obligations are defined and enforced.

This was the focus of the opening session of The Future of Compliance Europe, where our Executive Director of Financial Crime Compliance Strategy, Iain Armstrong, was joined by Gwenael Bouleau, Head of Compliance at Edenred Payment Solutions, and Marcel Kroitblat, Director of Compliance and MLRO at Moss. 

Drawing on that discussion, this article sets out where existing programs are most exposed, how to run a gap analysis while the technical standards are still being finalized, and why effectiveness under the new regime comes down to data.

Where existing programs are most exposed

The end of national discretion is more fundamental than it first appears. For years, firms operating across multiple EU jurisdictions have juggled distinct national frameworks, each with its own interpretation, supervisory tone, and threshold for best practice. Under the AMLR, the same rules apply directly in every member state. 

Five areas stand out as most likely to expose gaps: customer due diligence (CDD), enhanced due diligence (EDD), the EU-wide €10,000 cash payment ceiling, beneficial ownership, and the treatment of politically exposed persons (PEPs), alongside an expanded scope that now covers crypto-asset service providers.

Beneficial ownership is the deepest near-term gap. The definition shifts away from most national frameworks, and approaches that currently rely on a match against a national transparency register will no longer be sufficient on their own.

“The new calculation method will mean that, in most cases, there will be more beneficial owners we need to identify. We need to store more data points, and overall, the onboarding process will become more complex.”

Marcel Kroitblat, Director of Compliance and MLRO at Moss 

Beyond onboarding, the near term will bring a surge in discrepancy reports as registers and customer declarations fall out of step, and a period of educating corporate customers on what has changed and why. The longer-term picture is more encouraging: harmonization removes interpretation risk. A single five-year retention period, for example, replaces divergent national rules such as Belgium’s 10-year requirement and reduces the legal exposure tied to personal data retention. Sustained attention will be needed on applying consistent CDD and EDD triggers, where gaps are easiest to introduce by accident.

Running a gap analysis against a moving target

With level two and level three standards still being finalized in phases, no firm can be fully ready yet. That is not a reason to wait. The more useful response is a gap analysis that starts from the firm’s current state rather than from the regulation.

In practice, that means confirming that existing policies and procedures map cleanly to the current national baseline, then working line by line against the AMLR and flagging anything still dependent on draft standards so it can be revisited once finalized. The discipline matters because effectiveness will be judged on evidence. When an internal or external auditor asks how a conclusion was reached, documented reasoning is the strongest defense against a significant finding. Because guidance is arriving in waves, with the business-wide risk assessment expected first, the work can be sequenced by what supervisors are expected to see soonest, and it must stay anchored to the firm’s risk appetite rather than the letter of the rulebook alone.

One assumption is worth retiring early. Direct supervision by AMLA or continued oversight by a national regulator changes the supervisor, not the standard. Smaller, lower-risk institutions will have fewer areas to map, but the expectations are the same.

“It may change who comes knocking at your door, but it doesn’t change what they expect to find when they do.”

Iain Armstrong, Executive Director of Financial Crime Compliance Strategy at ComplyAdvantage

Effectiveness is now a data problem

AMLA has been explicit that it will focus on outcomes and demonstrable effectiveness, in line with the direction set by the Financial Action Task Force (FATF). It will operate a central database and its own risk-scoring model, benchmarking firms against one another across the union. For compliance teams, that reframes effectiveness as a question of data.

Two priorities follow. The first is data reporting. Institutions face well over 100 data points to report, some of them new and some not yet held in a structured format, which means building reporting into the data model rather than bolting it on later. 

The second is risk assessment, where AMLA’s expectation of quantified rather than qualitative analysis will change how programs are built and evidenced. A unified, future-ready data architecture is the foundation for both. A program designed to produce structured, auditable data on demand is far better placed to demonstrate effectiveness, and it gives compliance leaders a single, defensible source of truth when supervisors come to benchmark them.

“Building a future-ready data model is the best way forward to be able to demonstrate effectiveness in compliance.”

Gwenael Bouleau, Head of Compliance at Edenred Payment Solutions 

The constraint is lead time, not the rulebook

The hardest part of the transition is not interpreting the rulebook but finding the time to prepare for it. Tighter deadlines put real pressure on legacy systems. Financial intelligence units may allow only five days, and sometimes 24 hours, to respond to a request, which batch-based systems can struggle to meet, and firms will need clear service-level agreements from vendors and internal teams to keep pace. The operational reach is wide. Onboarding funnels, core banking systems, and name-screening tools all have to change, and people need to be trained on new processes before any of it goes live.

“The core challenge here isn’t necessarily the rulebook itself. It’s the lead time, and what you need to get done during that interim period. The things that take longest are the things you want to be starting now.”

Iain Armstrong, Executive Director of Financial Crime Compliance Strategy at ComplyAdvantage

None of these dates are expected to move. AMLA is set to publish its first list of institutions selected for direct supervision around July 2027, with direct supervision beginning January 1, 2028, and extended deadlines for higher-risk sectors such as professional football clubs and their agents. Some expect it could be 2030 before the picture fully settles.