Regulation
April 9, 2026 · Mohan Paranthaman & Karthik Iyengar
An article-by-article compliance map for the chain that runs from the business-wide risk assessment through to ongoing transaction monitoring.
The European Anti-Money Laundering Regulation (Regulation (EU) 2024/1624, commonly referred to as AMLR) is the most significant overhaul of the European AML/CFT framework in two decades. It is one component of a four-part legislative package that also includes the Sixth Anti-Money Laundering Directive (AMLD6), the AMLA Regulation (AMLAR) which establishes the new Anti-Money Laundering Authority in Frankfurt, and the Revised Transfer of Funds Regulation. The package was adopted on 31 May 2024 and entered into force on 10 July 2024. The substantive obligations on obliged entities under the AMLR become applicable on 10 July 2027.
For methodology, the AMLR creates a chain of obligations that a single article does not capture. Article 10 requires every obliged entity to draw up a documented business-wide risk assessment, approved by the management body. Article 20 requires customer due diligence measures to be commensurate with the risks identified in that assessment. Article 22 calibrates the depth of identification and beneficial-owner verification to the resulting customer rating. Article 26 requires ongoing monitoring of the relationship and of transactions to be conducted on a risk-sensitive basis, with review cadence and monitoring intensity differentiated by rating. Each link in the chain is individually a regulatory requirement; collectively they constitute the operational expression of the risk-based approach.
The remainder of the paper begins with the package timeline, sets out what each of the four AMLR articles requires with the evidence an examiner will ask for and what compliant and non-compliant institutions look like in practice, maps what BaFin is already enforcing under the February 2025 update to the Auslegungs- und Anwendungshinweise to the AMLR articles that codify the same expectations from July 2027, and concludes with a practical sequence of steps for the fifteen months that remain.
What's inside
| Section | Chapter |
|---|---|
| Section 1 | The Package, the Timeline and Where Things Stand Today AMLR + AMLD6 + AMLAR + revised Transfer of Funds Regulation. What's in force, what AMLA is drafting now, what takes effect in July 2027. |
| Section 2 | The Four Articles, as a Chain Articles 10, 20, 22 and 26. Each box a defensible checkpoint; each arrow a documented link that must hold under examination. |
| Section 3 | The Article-by-Article Compliance Map What each article requires, what an examiner asks for, and what compliant and non-compliant institutions look like in practice. |
| Section 4 | Article 10 — The Business-Wide Risk Assessment The four minimum requirements AMLA's draft guidelines set out, the proportionality provision, and the trigger conditions that catch most mid-tier institutions. |
| Section 5 | Article 20 — Customer Due Diligence Measures Why the explicit calibration requirement and the explicit record-keeping requirement together change the substantive standard. |
| Section 6 | Article 22 — Identification and Verification Beneficial-ownership verification and the 14-day register-discrepancy reporting window. |
| Section 7 | Article 26 — Ongoing Monitoring Why uniform annual review across the customer base is not, on a strict reading, risk-sensitive monitoring. |
| Section 8 | From the BaFin AuA to the AMLR The expectations BaFin is already examining against today, and the AMLR articles that codify them from July 2027. |
| Section 9 | The Fifteen Months That Remain Six phases, the governance calendar, and the practical sequence we recommend for institutions starting in Q2 2026. |
Before the article-by-article analysis, it is worth orienting on the legislative package as a whole. The AMLR does not stand alone. It is one of four instruments adopted together on 31 May 2024 as a comprehensive overhaul of the EU AML/CFT framework, and the substantive standard institutions will face from 10 July 2027 is the product of all four working together.
AMLR
The single rulebook for obliged entities. Applies directly across all 27 member states without national transposition, eliminating the divergence in implementation that has historically characterised the AML directives.
AMLD6
The institutional and supervisory framework: how supervisors operate, how FIUs are structured, how beneficial-ownership registers function, and how cross-border cooperation works. Member States transpose by 10 July 2027.
AMLAR
Establishes AMLA, the new EU-level Anti-Money Laundering Authority headquartered in Frankfurt. Operational since 1 July 2025; took over AML responsibilities from the EBA on 1 January 2026.
ToFR
The revised Transfer of Funds Regulation. Adopted separately in 2023 and already in force. Extends payment-information requirements to crypto-asset transfers.
The EU AML Package Timeline
Key milestones for AMLR, AMLD6 and AMLA implementation.
31 May 2024
AMLR, AMLD6, AMLAR adopted by EU legislature
10 July 2024
AMLR and AMLD6 entered into force
Legally binding, not yet applicable to obliged entities.
1 July 2025
AMLA became operational
Frankfurt headquarters.
31 December 2025
EBA handed over AML functions to AMLA
9 February 2026
AMLA launched first public consultations
Draft RTS on CDD, sanctions and business relationships.
24 March 2026
AMLA held first public hearings on draft RTS
16 April 2026 — now
AMLA opened consultation on Article 10(4) BWRA guidelines
8 May 2026
Public consultation on the first batch of RTS closes
10 July 2026
AMLD6 partial transposition deadline
BO registers (Articles 11–13, 15). AMLA's deadline for ~23 technical standards.
15 July 2026
Article 10(4) BWRA consultation closes
Q3 2026
Revised RTS submitted to European Commission
Q4 2026
Final Article 10(4) BWRA guidelines expected
1 July 2027
AMLA begins first selection process for direct supervision
10 July 2027
AMLR fully applies. AMLD6 full transposition deadline. AMLD4/AMLD5 repealed.
2028
AMLA begins direct supervision of selected entities
10 July 2029
Football clubs and agents come into scope
The timeline above shows where the package stands as of April 2026. Three observations are worth drawing out.
The first is that the AMLR has been in force, in the technical legal sense, since 10 July 2024. It is legally binding today; what changes on 10 July 2027 is that the substantive obligations on obliged entities become applicable. This distinction matters because national supervisors have already begun to align their examination expectations with the AMLR’s substantive standard, even though the AMLR itself is not yet directly enforceable against obliged entities. BaFin’s February 2025 update to the AuA is the clearest example of this; Section 8 of this paper sets out the equivalences.
The second observation concerns what AMLA is producing now. The regulation itself is, as is typical of EU regulations, drafted at a relatively high level of generality. The detail is to be supplied through Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines, of which AMLA is required to publish approximately twenty-three by 10 July 2026. Several of these are now in active consultation. On 9 February 2026, AMLA launched its first three public consultations on draft RTS, covering customer due diligence under Article 28 AMLR, criteria for identifying business relationships and linked transactions under Article 19 AMLR, and pecuniary sanctions under Article 53 of AMLD6. AMLA held public hearings on these draft RTS on 24 March 2026, and the consultation period closed on 8 May 2026. On 16 April 2026, AMLA opened a further consultation on draft guidelines under Article 10(4) AMLR, the article that governs the business-wide risk assessment; that consultation closes on 15 July 2026, with final guidelines expected in the fourth quarter of 2026. Revised RTS will be submitted to the European Commission in the third quarter of 2026, and the final RTS will apply from 10 July 2027 alongside the AMLR itself.
The third observation concerns AMLA’s own supervisory mandate. From 1 July 2027, AMLA begins the first selection process for direct supervision; from 2028, AMLA will directly supervise up to forty selected cross-border institutions identified as the highest-risk in the EU. The remaining obliged entities will continue to be supervised by national authorities, but with AMLA coordinating supervisory practices and standards across the union. The selection criteria favour institutions that operate in six or more member states and exhibit high residual risk under the methodology that AMLA itself has developed. For mid-tier institutions in a single jurisdiction, AMLA direct supervision is unlikely; for the largest cross-border banks and financial groups, it is now expected, and the readiness work that the AMLR window allows for is correspondingly more consequential.
The AMLR places the four articles examined in this paper in two adjacent chapters of the regulation. Chapter II of the AMLR concerns the internal policies, procedures and controls of obliged entities, and includes Article 9 (which sets out the ten internal policies every obliged entity must have, of which the BWRA is the first) and Article 10 (the BWRA itself). Chapter III concerns customer due diligence, and includes Article 20 (CDD measures), Article 22 (identification and verification of customer and beneficial owner), and Article 26 (ongoing monitoring of business relationship and monitoring of transactions). The chapter division is structurally important. Article 10 establishes the institution’s view of its own risk; Articles 20, 22 and 26 are the operational consequences of that view.
The AMLR Compliance Chain
Each box is a defensible regulatory checkpoint in its own right; each arrow is a documented link that must hold under examination.
Article 10
Business-wide risk assessment
ML, TF and TFS risks identified across customers, products, channels and geographies.
Article 20
Customer due diligence
CDD intensity calibrated to the risk identified in the Article 10 BWRA.
Article 22
Identification and verification
Customer and beneficial-owner identity verified to risk-appropriate depth.
Article 26
Ongoing monitoring
Transaction monitoring and review cadence tied to the customer rating.
Where the chain typically breaks in current practice
10 → 20
BWRA disconnected from CDD
CDD calibrated by template, not by the institution's own BWRA. EDD applied to PEPs because the law requires it, not because the BWRA identified the exposure as material.
20 → 22
Verification not differentiated
Identification depth not differentiated by customer risk classification. Standard documents collected for every customer regardless of rating.
22 → 26
Rating doesn't drive monitoring
Customer rating produced at onboarding does not drive monitoring intensity. TM scenarios run uniformly; review cadence is annual for all customers.
All four
No documented chain
The chain exists in operational practice but cannot be explained on demand. This is the gap that converts a supervisory finding into an AMLR breach.
The breakage between Articles 10 and 20 is the most consequential because everything downstream depends on it: if CDD is calibrated by template rather than by the institution’s own risk assessment, the rest of the chain inherits the disconnect. Enhanced Due Diligence applied to PEPs because the law requires it for PEPs, rather than because the BWRA identified PEP exposure as a material risk in this specific business, does not satisfy the AMLR. The Article 20 standard requires not only that EDD be applied to defined categories but that the institution be able to demonstrate the link between its own risk assessment and its CDD calibration.
The map below sets out, for each of the four articles, the substantive requirement, the evidence an examiner will ask for, and what compliant and non-compliant institutions look like in practice.
| Article | Requirement | Evidence the examiner asks for | Non-compliant institution | Compliant institution |
|---|---|---|---|---|
| Article 10 Business-wide risk assessment | Identify and assess ML, TF and targeted financial sanctions risks, considering risk variables (Annex I) and risk factors (Annex II, III). Documented, kept up to date, drawn up by Compliance Officer and approved by management body in its management function. | The BWRA document with version history. Mapping to Annex II/III factors. Management Board minutes approving the assessment. Trigger log for re-assessment (new product, new market, internal or external event). Evidence of input from Article 7 EU and Article 8 national risk assessments. | Generic, template-based document last updated when the institution was much smaller. No mapping to Annex factors. No documented Management Board approval. No re-assessment triggered by recent product launch. | Institution-specific BWRA tracing every identified risk to a specific Annex factor. Board-approved with date and resolution number. Trigger log showing re-assessments after each product launch and after the February 2025 AuA update. |
| Article 20 Customer due diligence measures | Apply CDD measures commensurate with the risks identified. Standard, simplified or enhanced measures triggered by the customer risk classification, which itself derives from the BWRA. Records of decisions taken, supporting documents and justifications kept. | Customer risk model with documented factor weights traceable to BWRA. CDD playbook mapping each rating tier to a defined intensity. EDD decision records with rationale. Override audit trail. Sample of customer files showing that applied CDD matches assigned rating. | CDD intensity is uniform across the customer base. EDD applied only because the law requires it for PEPs, not because the BWRA identified the exposure. Customer risk ratings exist but do not change what the front office actually does. | Three-tier CDD playbook with documented thresholds. Each factor weight cross-referenced to a BWRA finding. Override approvals captured with date and approver. Sample customer files show alignment end-to-end. |
| Article 22 Identification and verification of customer and beneficial owner | Identify the customer and any beneficial owner; verify identity on the basis of documents, data or information from a reliable and independent source. Depth and method of verification calibrated to the customer’s risk classification under Article 20. | Identification policy with risk-tiered evidence requirements. Beneficial ownership determination methodology with documented logic for control and ownership tests. Records of source verification decisions for higher-risk customers. Discrepancy reporting register. | One identification standard for all customers regardless of rating. Beneficial owner recorded as supplied by the customer with no independent verification. Discrepancies with central registers identified by audit, not by routine reporting. | Risk-tiered verification matrix. Beneficial owner determined through documented application of ownership and control tests. Independent source verification for higher-risk customers. Discrepancies routinely reported to central registers within 14 days. |
| Article 26 Ongoing monitoring of business relationship and transactions | Monitor the business relationship on a risk-sensitive basis. Scrutinise transactions to ensure consistency with the customer’s profile. Update CDD information when triggered, and at intervals calibrated to customer rating. | Transaction monitoring scenario library with each scenario tied to a risk identified in the BWRA. Documented exclusion rationale for typologies not covered. Review-cadence schedule by rating. Sample alerts showing escalation pathway and timing. | Fifty monitoring scenarios run because the vendor shipped them. No mapping to BWRA risks. No documented exclusion rationale. Review cadence is annual for every customer regardless of rating. Customer data decays until the next anniversary. | Each scenario mapped to a BWRA risk; each BWRA risk mapped to at least one scenario or compensating control. Excluded scenarios documented with rationale. Review cadence differentiated: 12 months Low, 6 months Medium, 3 months High. |
Two observations are worth drawing out from the map before the article-by-article narrative.
The first concerns the asymmetry between the Requirement column and the Evidence column. The substantive requirements in Articles 10, 20, 22 and 26 are stated at a relatively high level of generality; the evidence an examiner asks for is correspondingly specific. An institution can be substantively compliant with Article 10, in the sense that it has identified its risks and taken measures, and still fail at examination because it cannot produce the documented BWRA, the management board approval minutes, the trigger log, or the mapping to the Annex II and III risk factors. AMLR compliance is, in operational terms, a documentation discipline as much as it is a methodological one.
Article 10 of the AMLR requires obliged entities to take appropriate measures, proportionate to the nature, risks, complexity and size of their business, to identify and assess the money laundering and terrorist financing risks to which they are exposed, together with the risks of non-implementation and evasion of targeted financial sanctions. The risk assessment is to take account at minimum of the risk variables in Annex I, the risk factors in Annexes II and III, the findings of the EU-level risk assessment under Article 7 of Directive 2024/1640, the findings of national risk assessments, and information published by international standard setters or by the Commission and AMLA. The assessment is to be documented, kept up to date, regularly reviewed, drawn up by the compliance officer, and approved by the management body in its management function.
On 16 April 2026, AMLA opened a public consultation on draft guidelines under Article 10(4), running until 15 July 2026, with final guidelines expected in the fourth quarter of 2026. The draft sets out four minimum requirements that all obliged entities, across both the financial and non-financial sectors, are to apply when carrying out the BWRA.
01
Legal and operational set-up, customer base, products and services, delivery channels, geographical exposure, and use of new or emerging technologies.
02
Apply the Annex II and III factors to the institution's specific exposure. Document each factor's relevance and the rationale for its weighting.
03
Evaluate the design and operating effectiveness of the controls in place. Identify gaps between control intent and control performance.
04
Combine inherent risk with control quality to produce residual risk. The four-part structure is common to all entities, with proportionality applied to depth and detail.
The proportionality provision in Article 10(4) is important for smaller institutions but is not, as is sometimes assumed, a basis for not producing the BWRA at all. It provides that supervisors may decide, with the exception of credit institutions, financial institutions, crowdfunding service providers and crowdfunding intermediaries, that an individual documented BWRA is not required where the specific risks inherent in the sector are clear and well understood. For all the institutions in scope of this paper, that exception does not apply. A small payment institution with a single product and a domestic customer base will produce a shorter BWRA than a universal bank with global correspondent banking relationships, but it must produce one, and the proportionality test is applied to the depth of the assessment rather than to its existence.
The trigger conditions for review are also worth flagging. The BWRA must be reviewed when internal or external events significantly affect the institution’s risk exposure, and a separate assessment is required prior to the launch of new products, services or business practices, the use of new delivery channels or technologies, or the offering of an existing product to a new customer segment or in a new geographical area.
Article 20 of the AMLR specifies the customer due diligence measures that obliged entities must apply, with two requirements that change the operational standard relative to the position under AMLD5. The first is the explicit calibration requirement: the extent of CDD measures must be commensurate with the risks identified in the Article 10 BWRA, and the institution must be able to demonstrate the link. The second is the explicit record-keeping requirement: institutions must keep records of the actions taken to comply with CDD obligations, including records of the decisions taken and the relevant supporting documents and justifications.
The combination of the two requirements is what changes the substantive standard. Under AMLD5, CDD calibration to risk was an inferred requirement derived from the risk-based approach principle; the institution would be expected to demonstrate it but the regulation did not state it directly. Under Article 20, the demonstration is the requirement. An institution that applies Enhanced Due Diligence to all PEPs because the law requires it for PEPs has not, on a strict reading, satisfied Article 20: it has applied a legal floor without demonstrating that the floor reflects its own risk assessment. The line between these two positions is fine but consequential, and BaFin’s February 2025 AuA already operates on the stricter reading.
In practice, the Article 20 standard is met by three documents that together form the CDD operating layer.
01
Assigns each customer a rating. Factor weights and thresholds traceable to BWRA findings. Without this traceability, the model classifies but does not calibrate.
02
Maps each rating tier to a defined intensity of due-diligence procedures. The operational expression of the calibration requirement, and the document the front office actually uses.
03
Records each instance in which a model rating is overridden, with the original score, the overridden score, the reason, the approver and the date.
The three documents together address the calibration requirement and the record-keeping requirement. Either alone is insufficient.
Article 22 of the AMLR requires obliged entities to identify the customer and any beneficial owner, and to verify the identity of each on the basis of documents, data or information from a reliable and independent source. The substantive requirement has been part of the AML framework for two decades; the AMLR’s contribution is to integrate Article 22 explicitly with Articles 10 and 20, so that the depth and method of identification and verification are calibrated to the customer’s risk classification rather than applied uniformly across the customer base.
The beneficial ownership component of Article 22 is the part that most commonly produces examination findings, and the part on which the AMLR makes the most substantial change relative to the directive that preceded it. The institution must apply the ownership and control tests set out in the AMLR (Articles 51 to 67) to determine the beneficial owner, and must verify that determination through independent sources rather than accept the customer’s self-declaration. Article 24 requires the institution to report to the central beneficial-ownership registers any discrepancy between the information held in the register and the information collected through the institution’s own due diligence. The reporting must be made without undue delay and in any event within fourteen calendar days of detection.
Article 26 of the AMLR is the article that, in operational terms, does the most. It requires obliged entities to monitor the business relationship on a risk-sensitive basis, including by scrutinising transactions undertaken throughout the course of the relationship to ensure that they are consistent with the institution’s knowledge of the customer, the customer’s business and the customer’s risk profile. It requires the documents, data and information held by the institution about the customer to be kept up to date, and it requires the frequency of customer-information review to be calibrated to the customer’s risk classification.
The transaction monitoring component is the operationally largest part of Article 26, and the part on which the connection back to Article 10 is most often broken. The expectation is that the monitoring scenario library is derived from the BWRA: each scenario the institution runs must be tied to a money-laundering or terrorist-financing risk that has been identified in the BWRA, and each risk identified in the BWRA must be addressed by at least one scenario or by an explicitly documented compensating control. Where the institution has chosen not to implement a scenario for a risk it has identified, the exclusion rationale must be documented. An institution that runs fifty scenarios because the vendor shipped them, none of which it can map back to a BWRA finding, is non-compliant with Article 26 read together with Article 10.
The review cadence component is the part most commonly cited in BaFin §44 findings against mid-tier institutions. The expectation is that the cadence is differentiated: a typical compliant practice operates on a 12-month cycle for Low-rated customers, a 6-month cycle for Medium-rated customers, and a 3-month cycle for High-rated customers, with event-driven triggers superimposed on the schedule. An institution that operates a uniform annual review across the entire customer base is not, on a strict reading, applying a risk-sensitive monitoring approach, and is therefore not compliant with Article 26. The current state of practice in the German market is that uniform annual review is the norm rather than the exception, and that the AMLR will require a substantive operational change for most institutions.
The relationship between what BaFin is already enforcing under the February 2025 update to the Auslegungs- und Anwendungshinweise and what the AMLR will codify on 10 July 2027 is closer than the public discourse on AMLR readiness generally acknowledges. The substantive expectations are, in most respects, already in place in German supervisory practice; the AMLR makes them directly applicable across all member states and adds a layer of central enforcement through AMLA.
| BaFin AuA expectation today | AMLR article from July 2027 | If you are not compliant today |
|---|---|---|
| Documented BWRA Institution-specific risk assessment, not a consultancy template; documented and reviewed at material change. | Article 10(1) and (2) Business-wide risk assessment, documented, kept up to date and reviewed on internal or external trigger. | Live BaFin §44 finding; becomes a regulatory breach on 1 July 2027. |
| Separate TF risk assessment Standalone TF analysis distinct from ML; required by the February 2025 AuA update; already cited in current examinations. | Article 10(1) read with Annex III TF and ML risk factors addressed separately; TF cannot be a sub-section of an ML assessment under AMLR. | Already non-compliant with current BaFin expectations; cumulative exposure on AMLR. |
| Scenario rationale documented Each TM scenario justified at inclusion; excluded scenarios documented with rationale; calibration logged. | Article 26 read with Article 10 Ongoing monitoring on risk-sensitive basis; scenarios traceable to BWRA findings or compensating controls. | Common §44 finding pattern across mid-tier institutions; enforced under AMLR centrally. |
| Customer risk model explainability Factor weights justified, thresholds documented, override audit trail; cited in recent BaFin findings against neobanks. | Article 20 read with Article 10 CDD measures commensurate with risks; records of decisions, supporting documents and justifications. | Active enforcement pattern at FCA, BaFin and DNB; codified at EU level by AMLR. |
| Beneficial ownership verification Documented application of ownership and control tests; discrepancies flagged. | Article 22 and Article 24 Identification and verification of beneficial owners; discrepancy reporting. | Frequently inadequate at licensed FinTechs and CASPs. |
The implication of the bridge is twofold. The first is positive: an institution that is currently compliant with the February 2025 AuA is meaningfully ahead of the AMLR transition, and the residual work to reach AMLR compliance is incremental rather than fundamental. The second is more sobering: an institution that is not currently compliant with the AuA is facing not one regulatory deadline but two, because it is already non-compliant under existing supervision and will be additionally exposed under the AMLR from July 2027. The cumulative exposure is not academic. BaFin has shown a consistent pattern through 2024 and 2025 of escalating findings against institutions that fail to remediate within the supervisory cycle, and a finding that is unaddressed when the AMLR takes effect becomes, at that point, a regulatory breach in its own right.
As of the date of this paper, fifteen months remain until 10 July 2027. The window is shorter than it appears once the institutional governance cycle is taken into account. A complete AMLR readiness programme typically has six phases, each of which has its own minimum duration.
01
Against the four articles. One to two months.
02
BWRA, customer risk model and CDD playbook. Two to four months.
03
Bound to the quarterly governance calendar. One to three months.
04
Of the redesigned methodology in the operating systems. Two to four months.
05
Against the new design. One to two months.
06
For supervisory engagement. Two to three months.
The arithmetic is tight even when every phase proceeds without delay.
Two factors compress the timeline further in practice. The first is that institutions that are currently undergoing concurrent supervisory engagement, whether a BaFin §44 examination, an ECB Single Supervisory Mechanism review, or a national competent authority inspection, will need to address those findings before the AMLR work, and the immediate findings consume months of capacity that the AMLR programme cannot recover. The second is the governance calendar: an institution whose management board approves AML methodology changes quarterly will lose, on average, a month and a half of slack relative to the calendar timeline. A two-month delay in the gap analysis can translate to a five-month delay in approval if the next two governance windows are missed.
The practical sequence we recommend, for an institution beginning the work in the second quarter of 2026, is to start with the BWRA because everything else inherits from it; to redesign the customer risk model and CDD playbook in parallel with the BWRA so that the dependencies are visible and the technology integration can begin early; to schedule management board approval against the next available governance window after the BWRA and risk model are drafted, rather than waiting for the full programme to complete; and to engage with the supervisor early on the substantive direction of the methodology rather than presenting a finished product at the eleventh hour.
Mohan Paranthaman and Karthik Iyengar are co-authors at WBP RegTech.
