Under pressure: the race to meet EU AML rules
August 2026 | FEATURE | BANKING & FINANCE
Financier Worldwide Magazine
Financial institutions across Europe are bracing for substantial impacts from strengthening anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements.
In May 2024, the European Union (EU) adopted a comprehensive AML/CFT reform package. This legislation imposes stronger obligations on all ‘obliged entities’, including accountants, auditors and tax advisers. It will significantly affect daily operations and compliance responsibilities in areas such as customer due diligence, beneficial ownership transparency, targeted financial sanctions, suspicious activity reporting and record retention.
Due to apply from July 2027, compliance with this landmark package represents a major undertaking, and one that many firms do not yet appear ready to meet. According to PwC’s ‘EMEA AML Survey 2026’, preparations are off track, with only around one third of institutions expecting to be ready by the deadline. The findings point to a sector under sustained pressure, with rising costs, uneven preparedness and increasing regulatory divergence shaping the next phase of AML transformation.
“The biggest blind spot we see is the assumption that existing compliance structures are fit for purpose with minor adjustment needed – in most cases, they are not,” argues Miroslav Ðuric, a senior associate at Taylor Wessing. “Even in some EU member states where national requirements on AML were in some respects even stricter than the EU standard, the existing framework cannot be deemed as 1-1 equivalent to the new AML rulebook that will start to apply with the AML Regulation (AMLR) and Sixth Money Laundering Directive (AMLD6) going live.”
He adds that the new AML rulebook introduces a far more granular and prescriptive set of obligations covering areas such as beneficial ownership, risk assessments, enhanced due diligence and senior management accountability. These changes should not be treated as a modest upgrade to existing frameworks, but instead require detailed analysis and benchmarking against current compliance systems as part of a comprehensive gap assessment.
For Anna Kostus, a senior managing director at FTI Consulting, the EU AML package represents a step change from a fragmented, directive-based regime to a Single Rulebook with directly applicable, harmonised obligations. Ensuring compliance therefore demands enterprise-wide transformation rather than a straightforward policy update. Many firms are underestimating the extent of operational change required, including the need to standardise data, establish consistent governance across business units and modernise legacy know your customer (KYC) systems.
“Unfortunately, uncertainty over final standards has encouraged delay, but the key risk for firms is not running out of time, it is misallocation of effort,” believes Ms Kostus. “Firms are focusing on documented frameworks instead of operationalisation. As timelines compress, those that fail to embed changes into processes, systems and controls may end up with misaligned, ineffective frameworks.”
The shift toward a more unified and harmonised regulatory framework is also reshaping how institutions approach governance and compliance across the EU. “The real significance of the EU AML package is that, for the first time, the European financial sector is moving toward a common supervisory language across all member states,” explains Kyriaki Stinga, a partner at Elias Neocleous & Co. “The Single Rulebook is not simply introducing stricter requirements; it is fundamentally changing how institutions are expected to govern, evidence and operationalise financial crime controls across jurisdictions.
“Many firms still approach readiness as a series of compliance workstreams rather than a broader governance and cultural transformation,” he continues. “The greatest challenge is creating integrated operating models built on consistent data, harmonised controls and clear accountability. Institutions that recognise this early will be better positioned to manage regulatory scrutiny, operational resilience and long-term trust.”
A new centre of gravity in EU AML supervision
In addition to the Single Rulebook, the EU’s AML framework is evolving through the creation of a new supervisory authority. The Anti-Money Laundering Authority (AMLA) represents a significant shift in oversight across the bloc. Responsibility for key EU-level AML/CFT functions has been transferred from the European Banking Authority (EBA) to the AMLA, reflecting a move toward a more centralised and assertive regime for tackling financial crime.
“In my view, the shift from an EBA coordination framework to a direct AMLA supervisory framework of selected obliged entities is genuinely transformative for cross-border groups, but not necessarily in the way firms expect,” says Mr Ðuric. “The practical difference is not primarily about the volume of supervisory expectations, since these will be anchored in the statute. It is far more about consistency in supervision and enforcement through elimination of the existing fertile ground for supervisory arbitrage.
“For institutions that have historically structured their operations partly with an eye on which national competent authority applies the softest – or, depending on the risk appetite of the institution, the hardest – touch, the need for such calculation will soon disappear entirely,” he continues. “On the flip side, firms operating across different EU member states will be able to operate with greater legal and regulatory certainty without the risk of gold-plating at the enforcement level, which has been observed in the past. From an operational perspective, this will require greater centralisation of internal compliance work, capable of keeping pace with developments at a pan-European level rather than at individual member state level.”
“For many firms, customer due diligence remains the most resource-intensive and operationally challenging aspect of AML compliance.”
According to Ms Kostus, the AMLA’s expanded role aligns with a broader shift toward data-driven supervision. “Institutions, especially cross-border groups, should expect more granular, continuous monitoring driven by harmonised data reporting and analytics, enabling earlier identification and escalation of risks,” she says. “Direct supervision reduces interpretive divergence, replacing fragmented national approaches with a single supervisory lens and consistent expectations.
“The practical impact is less opportunity for regulatory arbitrage and more coordinated, risk-based interventions, including joint inspections and group-wide assessments. Firms will need to invest in robust, standardised data architectures, as supervisory scrutiny will increasingly hinge on the quality, comparability and timeliness of information rather than periodic, document-led reviews,” she adds.
Raising the bar for customer verification
For many firms, customer due diligence remains the most resource-intensive and operationally challenging aspect of AML compliance. As organisations prepare for implementation of the EU’s evolving framework, pressure is mounting to ensure that KYC, client onboarding and ongoing monitoring processes are not only compliant but also scalable and efficient.
Against a backdrop of growing regulatory expectations, increasingly complex ownership structures and rising customer volumes, institutions are reassessing long-established procedures, investing in technology and improving data quality to avoid compliance gaps and costly remediation.
According to Dorina Mastora, deputy compliance officer at Elias Neocleous & Co., the transition to a harmonised EU AML regime is redefining customer due diligence as a core institutional capability rather than a procedural requirement. “Under the Single Rulebook, supervisory expectations will increasingly be shaped by an institution’s ability to demonstrate consistent, reliable and scalable customer risk management across jurisdictions and business lines,” she points out. “The institutions likely to lead in this environment are those repositioning KYC from a reactive control function into a strategic governance capability embedded across the customer lifecycle.
“This requires leadership-driven investment in integrated data frameworks, continuous risk-based monitoring, and stronger operational alignment between compliance, technology and business functions. Firms that move early will be better positioned to strengthen resilience, accelerate onboarding efficiency and build long-term supervisory credibility,” she adds.
As Mr Ðuric observes, most institutions built their KYC onboarding architecture around national regulatory requirements and commercial practicality, leading to significant variation in identity verification approaches across jurisdictions. This divergence has largely been driven by differences in national rules governing permitted verification methods.
For example, photo identification has been fully accepted in some EU member states, while regulators elsewhere, including in Germany, have gone further by questioning whether video identification providers can subcontract elements of their process, a stance that arguably extends beyond their supervisory remit into the realm of lawmaking.
The AMLR and the emerging regulatory technical standards from the AMLA on customer due diligence are expected to bring a significantly higher degree of harmonisation and legal certainty, particularly for cross-border organisations. However, in practical terms the planned shift toward identity verification compliant with electronic identification, authentication and trust services, or eIDAS, as the default approach may push some established methods, such as video identification, into a secondary or fallback role.
“This certainly puts institutions in front of significant operational challenges, since many have built their entire onboarding systems and processes around a handful of verification methods, with video identification and account verification being the most common examples, and this looming change is raising concern across the industry,” adds Mr Ðuric.
For Ms Kostus, firms need to move from periodic, front-loaded checks to continuous, risk-based customer management aligned with clearer regulatory expectations. The new regime reduces ambiguity by introducing defined ownership thresholds, minimum review frequencies and clearly identified high-risk customer categories requiring enhanced due diligence, thereby increasing both the scale and intensity of reviews.
“To avoid bottlenecks, firms should adopt dynamic risk scoring, trigger-based reviews and real-time data integration across KYC, transactions and adverse media monitoring,” she notes. “Standardising data and building reusable KYC utilities will be key. Critically, updating and enriching legacy data now is essential to avoid poor data quality constraining onboarding capacity and ongoing monitoring later.”
For organisations to remain compliant, enhanced due diligence must form part of broader frameworks designed to adapt to regulatory change without repeated system overhauls.
As Ms Kostus emphasises, frameworks must be designed for regulatory fluidity. “That means prioritising configurable rule engines, modular architectures and application programming interface-based integrations over hard-coded processes, so requirements can be adjusted as AMLA technical standards crystallise through 2026,” she says. “Equally important is embedding joint ownership between first and second lines in both design and regulatory interpretation. This reduces the risk of overly theoretical or overly operational bias and avoids rework later.
“Firms should anchor common data models, centralised control libraries and version-controlled policies to ensure consistency as rules evolve. Sandboxing and scenario testing will help simulate changes before deployment,” she adds.
From obligation to opportunity
While much of the discussion around AML reform has focused on compliance, a growing number of organisations are taking a broader strategic view. Firms that move early to modernise governance, enhance data capabilities and embed effective risk management processes may strengthen stakeholder trust, improve operational resilience and differentiate themselves over time. As regulatory expectations evolve, the challenge shifts from achieving compliance to using AML investment as a source of long-term advantage.
“The strongest institutions are no longer viewing AML through a narrow compliance lens,” says Ms Stinga. “They are using it to strengthen governance, improve transparency and reinforce institutional credibility at a time when trust has become a defining competitive asset. The leaders in this space are those embedding financial crime oversight into strategic decision making, supported by accountable leadership, robust data governance, intelligent technology and a culture of integrity across the organisation.
“In a more volatile global environment, these capabilities are becoming essential not only for managing risk, but also for sustaining confidence, resilience and long-term growth,” she adds.
As the implementation deadline approaches, organisations face a narrowing window in which to prepare. Those best positioned for success will treat compliance as part of a wider transformation agenda spanning governance, technology, data and risk management. While challenges remain significant, careful planning can support the development of more resilient and adaptable businesses.
© Financier Worldwide
BY
Richard Summerfield