Regulation

AMLR 2027: The compliance roadmap for banks and financial institutions

April 21, 2026

With Regulation (EU) 2024/1624 (Anti-Money Laundering Regulation, or AMLR) and Regulation (EU) 2024/1620 establishing the Anti-Money Laundering Authority (AMLA), the European Union is carrying out the biggest system shift in anti-money-laundering prevention since the first AMLD was introduced in 1991. From 10 July 2027, the directly applicable AMLR will replace large parts of the directive-based 6th AMLD (Directive (EU) 2018/1673 and its predecessors) — national room for implementation will fall away. For banks, payment service providers, crypto-asset service providers (CASPs) and other entities subject to Art. 3 AMLR, this means: the previous heterogeneity between § 1 GwG (Germany), Art. 2 GwG (Switzerland) and § 2 FM-GwG (Austria) will be replaced by an EU-wide Single Rulebook.

This article outlines the compliance roadmap: what changes in substance, which milestones are mandatory, and how screening infrastructures must be technically adapted so that 10 July 2027 does not become an audit finding.

The new AML package at a glance

The EU AML package consists of four legal acts, published in the Official Journal in June 2024 and entering into force in stages:

  • AMLR (Regulation (EU) 2024/1624): Single Rulebook with directly applicable due diligence obligations, PEP definition, UBO transparency, cash limits (EUR 10,000 EU-wide). Applies from 10 July 2027.

  • AMLA Regulation (Regulation (EU) 2024/1620): Establishment of the EU supervisory authority based in Frankfurt am Main. Operational start in 2025, direct supervision from 2028.

  • 6th AMLD revised (Directive (EU) 2024/1640): Remaining directive elements (FIU organisation, national supervision, register access). Transposition deadline 10 July 2027.

  • Transfer of Funds Regulation (Regulation (EU) 2023/1113): Travel Rule for crypto transfers. Already applicable since 30 December 2024.

What changes compared with the 6th AMLD?

The decisive paradigm shift lies in the legal form: while the 6th AMLD left room for national implementation (with the well-known result of inconsistent definitions across Member States), the AMLR applies directly in all 27 Member States. The CJEU’s case law on directive-conform interpretation (established case law since von Colson, Case 14/83) becomes obsolete for large parts of AML regulation — the provision itself is applicable.

In substance, the AMLR brings four key tightenings:

  • Harmonised PEP definition (Art. 2(1) no. 34 AMLR): The previously nationally divergent catalogues are replaced. Nationally expanded PEP lists (for example, mayors above a certain population threshold) fall away unless they are expressly maintained by Member States in a published list under Art. 33(4) AMLR.

  • Enhanced due diligence (Art. 20 et seq. AMLR): Customer Due Diligence (CDD) is split into standard, enhanced and simplified due diligence, with precise trigger points. Unlike under § 10 GwG, a purely risk-based approach is no longer enough — the catalogue of trigger cases is exhaustive.

  • UBO thresholds (Art. 52 AMLR): The 25% threshold remains the basic rule, but may be lowered to 15% by delegated act of the Commission (for example for extractive industries and real estate).

  • EU-wide cash limit (Art. 80 AMLR): EUR 10,000 for commercial transactions. Member States may be stricter — Germany has so far had no limit, while Switzerland (as a non-EU country) remains at CHF 100,000 under Art. 8(1) GwV.

The role of AMLA: from policy coordinator to direct supervisor

The AMLA, based in Frankfurt, is the institutional core of the reform. Its role is structured in three layers:

  1. Regulatory harmonisation: drafting technical regulatory standards (RTS) and implementing technical standards (ITS) with binding effect once approved by the Commission.

  2. Indirect supervision of all entities subject to the rules through peer reviews and coordination of national supervisors (BaFin, FMA Austria, CSSF Luxembourg, etc.).

  3. Direct supervision of around 40 selected cross-border financial institutions from 2028 under Art. 12 of the AMLA Regulation — with independent sanctioning powers of up to 10% of annual turnover.

For the Swiss FINMA, AMLA is not directly responsible, but in practice it will become the anchor point for equivalence decisions. Any Swiss institution maintaining correspondent banking relationships with EU banks will in practice need to mirror AMLA standards.

Timeline 2025 → 2027: the critical milestones

| Quarter | Milestone | Obligation for entities subject to the rules |
|---|---|---|
| Q4 2025 | AMLA operational in Frankfurt | Appoint an AMLA contact person within the compliance team |
| Q1 2026 | First RTS drafts on CDD and PEP | Gap analysis: existing policies vs. AMLR drafts |
| Q2 2026 | Consolidated AMLA guidelines | Adjust internal policies, training concept |
| Q4 2026 | Final RTS on access to UBO registers | Technical connection to the new UBO registers |
| Q1 2027 | Parallel operation of old law/AMLR | Dual running of internal systems, documentation |
| 10 July 2027 | AMLR directly applicable | Full operationalisation, clean-up of legacy cases |
| Q3 2027 | First AMLA peer reviews | Audit-ready documentation, SAR statistics reporting |

PEP definition: the end of national special routes

Art. 2(1) no. 34 AMLR defines politically exposed persons (PEPs) exhaustively. The definition covers heads of state, heads of government, ministers, members of national parliaments, judges of supreme courts, members of audit courts, central bank board members, ambassadors and chargés d’affaires, as well as senior military officers. It also includes board members of state-owned enterprises and heads of international organisations.

The practical effect is significant: § 1(12) GwG (Germany), Art. 2a GwG (Switzerland) and § 2 no. 6 FM-GwG (Austria) are already largely compatible, but still contain national nuances (for example, the inclusion of certain party officials in Austria). These nuances will disappear or will in future require explicit national publication under Art. 33(4) AMLR. Institutions using EU-wide screening must convert their PEP databases to a Single Source of Truth and reclassify legacy categories (national PEPs, formal PEPs).

For Family Members and Known Close Associates (Art. 2(1) no. 35 and 36 AMLR), an expanded but harmonised definition applies. The 12-month post-office period after leaving office remains in place (Art. 42 AMLR); it may be extended on a risk-based basis.

Due diligence obligations: standardised and tightened

The AMLR structures Customer Due Diligence in three tiers:

  • Standard CDD (Art. 20 AMLR): Identification, verification, UBO determination, purpose of the business relationship, ongoing monitoring. Verification must be completed before the business relationship is established.

  • Enhanced Due Diligence (Art. 28–35 AMLR): Mandatory for PEPs, high-risk third countries (Commission list under Art. 29 AMLR), complex structures, unusually large transactions and correspondent banking relationships with third countries.

  • Simplified Due Diligence (Art. 27 AMLR): Permitted only after a documented low-risk assessment and in exhaustively defined scenarios. Unlike under the 6th AMLD, the catalogue must be interpreted narrowly.

A new element is the requirement for automated ongoing monitoring (Art. 25 AMLR): the previous German practice of relying on sample checks for smaller customers will in future only be sustainable within the framework of Simplified Due Diligence.

Documentation requirements: audit-ready by design

Art. 77 AMLR requires retention of all CDD records for at least five years after the end of the business relationship, with the possibility of extension to ten years where justified by the interests of the national authorities. The records must be kept in a format that allows machine-readable evaluation — in practice, this creates a digitisation obligation for institutions with legacy paper files.

For the risk assessment document under Art. 10 AMLR, the rule is: it must be updated annually, documented in writing and made available to the competent supervisory authority within five business days upon request. Institutions using manual Excel-based risk matrices will hardly be able to meet this; migration to structured compliance tools is, in practice, unavoidable.

What applies in Switzerland, Austria and across the EU?

Germany: BaFin remains in charge, but under AMLA rules

The Money Laundering Act (GwG) and § 25c KWG remain formally in force, but from 10 July 2027 they will largely be overlaid by the directly applicable AMLR. § 25h KWG (data processing) and the sanction provisions in §§ 56 et seq. KWG remain relevant under national law. BaFin remains the competent supervisor and will be integrated into the AMLA coordination mechanism. National specifics such as BaFin’s interpretation and application notes (AuA) will lose their binding force for AMLR matters; they will be replaced by AMLA guidelines.

Austria: FMA under the Single Rulebook

The Financial Markets Anti-Money Laundering Act (FM-GwG) will — similar to the German GwG — be partly replaced by the AMLR. In its 2024 circular on preparing for AMLR implementation, the FMA already signalled that national interpretative room from 2027 onwards will be construed narrowly. Responsibility for stock exchange participants remains with the FMA under § 25 FM-GwG, while notaries and lawyers are subject to their respective chambers under § 1(1) no. 11 FM-GwG in conjunction with § 8a NO or § 8a RAO.

Switzerland: not an EU Member State, but effectively in the corridor

Switzerland is not a direct addressee of the AMLR. The relevant laws remain the Anti-Money Laundering Act (GwG, SR 955.0), the Anti-Money Laundering Ordinance (GwV, SR 955.01) and the GwV-FINMA (SR 955.033.0). FINMA Circulars 2016/7 (video and online identification) and 2023/1 (operational risks) remain applicable. In practical terms, however, every Swiss financial intermediary with EU customer relationships will have to comply with AMLR standards in order not to be excluded from EU correspondent banking relationships. The ongoing total revision of the GwG (message of 22 May 2024, BBl 2024 1483) already incorporates key AMLR elements — in particular the introduction of a transparency register for beneficial owners modelled on Art. 51 et seq. AMLR.

EU third countries and equivalence

Under Art. 29 AMLR, the Commission will establish the list of high-risk third countries in delegated acts. The existing FATF high-risk list remains the reference point, but will be interpreted autonomously by the EU. For British, Swiss and US institutions, the rule is: no automatic equivalence — banks must document their own enhanced due diligence measures for correspondent banking relationships in these jurisdictions, as long as no explicit equivalence decision exists.

Technical implementation: what needs to be adjusted now

For screening and compliance infrastructure, five concrete areas of action arise:

  1. PEP databases must be converted to the AMLR definition. Legacy categories (national PEPs, quasi-PEPs) must be migrated or removed. The database must map the harmonised attribute set under Art. 2 AMLR and algorithmically track the 12-month post-office period.

  2. UBO screening requires connection to the new transparency registers under Art. 51 et seq. AMLR. Access takes place via an EU-wide BORIS system (Beneficial Ownership Registers Interconnection System). Institutions need a technical connector.

  3. Transaction monitoring systems must reflect the expanded trigger catalogues in Arts. 24–26 AMLR. Rule trees and thresholds need to be revised, especially for crypto-asset transfers under Regulation (EU) 2023/1113.

  4. The customer risk-rating engine must be able to map the new three-tier structure (Standard/Enhanced/Simplified) and document each classification automatically — including change history under Art. 77 AMLR.

  5. Background checks for employees in compliance functions (Art. 11 AMLR — Integrity of Staff) are explicitly designed as an ongoing obligation. One-time hiring checks are no longer sufficient; recurring reviews must be established.

Harmonisation of national supervisors: BaFin, FMA, FINMA

The new supervisory model connects national supervisors through a unified Supervisory Handbook, which AMLA must publish under Art. 8 of the AMLA Regulation. BaFin and FMA will in future assess institutions using common methodologies. For institutions with branches in several EU Member States, this means a significant simplification: the previous practice of diverging review approaches (for example, different requirements for the risk assessment document between Germany and Austria) will no longer apply.

FINMA is not part of this mechanism, but cooperates through bilateral memoranda of understanding. The existing cooperation between FINMA and BaFin will be expanded to include AMLA-related information flows.

Conclusion: the compliance roadmap is not optional

The AMLR is not a regulatory fine-tuning exercise, but a system change. Anyone showing up for the first AMLA peer review in Q3 2027 without having converted their PEP database, risk analysis and documentation infrastructure to the Single Rulebook will receive findings — with a potentially existential sanctioning dimension under Art. 75 AMLR. The next eighteen months are the operational bottleneck. Institutions that start planning now, complete their gap analysis by Q2 2026 and are in dual running by Q1 2027 will make the transition cleanly. Everyone else will not.

Indicium Technologies supports banks, payment service providers and compliance teams in converting PEP and UBO screening systems to AMLR compliance. Our GDPR-compliant platform covers harmonised PEP lists, UBO verification against EU registers and automated ongoing monitoring — fully documented, audit-ready, and operated as SaaS from Frankfurt.

Book a demo and we will show the AMLR roadmap specifically for your institution.

Nabil El Berr





Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
