AMLR implementation in practice
The most important KYC adjustments for obligated parties until 10.07.2027
The EU-AMLR is for Money laundering entities One of the most comprehensive changes of recent years. Not just a "pure compliance issue", but with direct implications for KYC processes, data requirements, and daily work in onboarding and support.
The AMLR regulations will apply from July 10, 2027. as a directly applicable Single Rulebook for all obliged entities; the new methodologies for customer and goods receipt identification must then be implemented in a binding manner.
This makes it clear: The clock doesn't start ticking in 2027; preparations must begin beforehand so that teams can consistently implement the new requirements. In this article, we provide a practical overview of what exactly you can expect and where early action is particularly worthwhile.
Article 20 as a "script" for onboarding: more structure, more data points
Article 20 reads as familiar in principle, but a few things shift significantly along the process chain. In conjunction with Article 22 of the AMLR, identification is conceived more broadly: In addition to traditional authentication methods, electronic identification means according to eIDAS or qualified trust services will also be used in the future.
In practical terms, this means that the authentication procedure must be clearly documented as a separate, auditable field in the KYC data record, including traceable storage (e.g. document copy/authentication data), so that it can withstand later reviews and audits.
More data points for natural and legal persons
AMLR and RTS significantly refine the KYC data set:
For natural persons, this includes, among other things, country of birth in addition to place of birth, all nationalities, detailed identification data, and unique identifiers. For legal entities, this includes, among other things, registration and tax identifiers (e.g., commercial register number, LEI, tax ID), date and country of incorporation, industry/sector, and information on governing bodies and powers of representation.
The purpose and intended nature of the business relationship must be recorded in accordance with AMLR and the RTS in such a way that they are technically comprehensible and analyzable. In practice, this leads away from purely free text to clearly structured fields (e.g., products/use case, expected transaction volumes, participating countries/counterparties) with defined mandatory fields and standardized questions during onboarding.
Beneficial owner: new investigation logic, new practical questions
With AMLR, UBO identification becomes the core of KYC because it directly determines whether screening (sanctions/PEP), risk assessment and ongoing monitoring are based on the "right" people.
Crucially, this is not just about additional data fields, but about a systematized methodology with three approaches to beneficial ownership: ownership interest (Art. 52), control (Art. 53), and the coexistence of ownership and control in complex structures (Art. 54). These components must each be examined independently and in parallel. In practice, this tends to lead to more identified beneficial owners, including the "needle in the haystack."
“Adding strands” is not a detail, but a game changer.
In the case of ownership, indirect ownership is first calculated for each chain of participation and then added across parallel chains. For example: two 15% holdings across two chains result in 30% and thus a UBO (indirect ownership interest) above the 25% threshold.
This seems trivial, but is operationally important because this addition is explicitly required and must be modeled in a system-wide way (otherwise results are difficult to verify and explain).
Control is more than ">50%" and coexistence catches mixed cases.
Control is the principle of domination with an expanded concept of control: Not only formal majorities count, but also "control in other ways" – such as acting in concert, appointment/removal rights, veto rights or influence on profit distributions.
This is precisely where the practical question becomes relevant: Where do we draw the line to ensure consistency? During onboarding, a standardized questionnaire and checklist (instead of relying on gut feeling in individual cases) and a clear explanation are helpful, because many customers cannot immediately categorize these situations.
Coexistence then serves as a safety net for multi-tiered structures in which ownership and control interact; the sequence ownership → control → mixed cases → consolidation has proven effective in maintaining internal consistency.
Sanctions, PEP and reviews: from "adjacent" to core KYC operation
Article 20(d) Sanctions review An explicit KYC component. The check not only verifies whether customers or beneficial owners are themselves listed, but also, in accordance with EU sanctions guidelines, whether listed persons control the customer or have a majority stake (in practice, usually 50% or more ownership or control).
The practical effect: The screening pool becomes broader (including legal representatives) and structures must be collected in such a way that intermediate companies are also eligible for screening; otherwise, the review remains incomplete or poorly justified.
PEP becomes dynamic; events beat lists.
The mandatory scope of PEP screening includes customers, UBOs, and potentially other persons acting on their behalf, including family members and close associates. An expansion of the scope of screening is also expected, resulting in more PEP scenarios and thus more instances requiring enhanced due diligence.
Event-based triggers are particularly relevant from an operational perspective: changes in roles, new public offices, or cabinet reshuffles should be promptly incorporated into a renewed PEP screening. Ideally, this should not only occur after all lists have been formally updated, but also be risk-based and event-driven.
Reviews as a production system: Tight schedule plus triggers "in between"
AMLR sets clear guidelines for reviews: updates must be made at least every five years, and at most annually for customers with elevated risk. For low-risk customers, updates can be less frequent on a risk-based basis, provided ongoing monitoring reveals no changes. In practice, this can be supported, for example, by customer confirmation that the information remains unchanged.
In addition, event-driven updates are triggered by specific events, such as changes to the UBO (Understanding Balance Sheet), business structure, or transaction patterns, and also PEP (Potentially Expected Persons) incidents. For institutions that have previously operated with very long cycles (10-15 years) in the low-risk sector, this is a crucial issue: standardization, automation, and structured data are becoming essential to ensure that the volume remains manageable with the existing staff.
Existing customer migration: plannable, but only with program control
AMLR isn't solely a new customer issue. It applies to existing customers whenever an update or relevant customer interaction is already planned. The question, therefore, isn't "if," but "how" to migrate without disrupting daily operations.
For business relationships existing before July 10, 2027, the draft EBA-RTS on Article 28 AMLR provides for a risk-based transition window of up to five years, in practice until July 2032 at the latest.
A two-step approach is helpful in practice: first data acquisition, then data collection. First, the new fields in the KYC/CRM system must actually exist and be verifiable; only then does the question arise of how to populate them efficiently (customer contact, data provider, register, documents).
Migration also introduces new structural data that many databases currently do not have available for screening, e.g., intermediate beneficial owners for sanctions screening.
Roczniewski