EU-AML Regulation 2027: Why all obliged entities should prepare now

July 7, 2025


From July 10, 2027, the Anti-Money Laundering Regulation (AMLR), due to its legal character as directly applicable EU law, will replace existing national laws such as the German Money Laundering Act (GwG). This means that identification, risk assessment, and monitoring obligations will apply EU-wide according to the same wording – without any leeway for individual countries in implementation.

The regulation is implemented by Regulatory Technical Standards (RTS). These RTS, which AMLA is developing by 2026/27, specify in detail which data points must be collected for customer due diligence, pKYC frequencies, risk scores, or UBO determination.[1] Those who align their KYC and monitoring setup with these drafts now will save on expensive ad-hoc adjustments later and reduce liability risks.

What this article delivers – your benefits at a glance

  • A quick overview of the EU AML package and the key milestones until 2027
  • The Roadmap – key milestones from 2025 to 2027
  • The central RTS innovations and their influence on the KYC process
  • Insights into KYCnow: how we are already adapting our platform to upcoming EU standards

This will give you clear guidance through the regulatory jungle and concrete steps to ensure your compliance setup is future-proof in good time.

AMLR, AMLD6 and AMLA at a glance

The EU adopted the Anti-Money Laundering Package (AML Package) on 31 May 2024. It comprises three closely interlinked legal acts – a regulation, a directive and the establishment of a new supervisory authority – thus creating for the first time a virtually fully harmonized legal framework against money laundering and terrorist financing in all Member States.

| Pillar | Key message | Important for obliged entities |
| --- | --- | --- |
| AMLR – Regulation (EU) 2024/1624 | Establishes immediately applicable, detailed obligations for customer due diligence, pKYC frequencies, beneficial ownership transparency and the handling of anonymous instruments. | No national implementation is needed; processes must be uniform across the EU by 10 July 2027.[2] |
| AMLD6 – Directive (EU) 2024/1640 | Harmonizes supervision, FIU cooperation, sanctions and the national implementation of supervisory and penal frameworks. | To be transposed into national law by mid-2027; it will primarily affect governance, reporting, and sanctioning practices.[3] |
| AMLA – Authority (Regulation (EU) 2024/1620) | Establishes the Anti-Money Laundering Authority, headquartered in Frankfurt; 400-500 employees, start of operations mid-2025. It will have direct oversight of high-risk cross-border institutions and coordinating powers over all other supervisors.[4][5] | Consistent enforcement of the "Single Rulebook" is expected, including on-site inspections and fines of up to 10% of annual turnover or at least twice the profit from the violation if higher. |

Timetable until AMLR go-live (2024 – 2027)

Overview of the introduction of AMLR

Following the official adoption of the AML package on 31 May 2024,[6] the EBA conducted its consultation on the four key Regulatory Technical Standards (RTS) in March 2025; a public hearing took place on April 10, 2025, and comments could be submitted until June 6, 2025. The EBA will then send its final recommendation to the EU Commission – deadline: 31 October 2025 – and thus pave the way for the technical elaboration by the new regulatory authority AMLA, which must complete the crucial CDD-RTS by July 10, 2026 at the latest. From July 10, 2027, the AMLR ultimately replaces all national money laundering laws and applies directly to all obliged entities in the EU.

The Regulatory Technical Standards (RTS)

The AMLR and AMLD6 refer to a total of four RTS packages, which were initially developed by the EBA (European Banking Authority), as the AMLA only became operational on July 1, 2025. Having commenced its work, the AMLA has now assumed responsibility for all AML/CTF-related regulatory technical standards (RTS) and guidelines and will independently finalize or further develop them. The drafts address, among other things:

  • Methodology for Entity Risk Assessments (Art. 40 AMLD6)
  • Selection criteria for AMLA direct supervision (Art. 12 AMLR)
  • Mandatory data sets & eID requirements in the CDD (Art. 28 AMLR)
  • Fines grid & Periodic Penalty Payments (Art. 53 AMLD6)[7]

Five points are particularly crucial for the KYC process:

Unified Entity Risk Assessment

National supervisory authorities must assess the inherent and residual risk of each obliged entity using an EU-wide identical methodology, taking into account sectoral and national risks, record it, and reassess it at least annually. Only institutions with very low risk are permitted to switch to a three-year cycle. This establishes, for the first time, a comparable risk taxonomy and clearly defined review frequencies.[8]

Clear thresholds for AMLA direct supervision

The new EU authority will only assume direct supervision of a narrowly defined group of cross-border financial institutions. The Level 1 Rulebook (AMLA Regulation) currently specifies two basic criteria:

  • Geographical footprint – the institution (or group) is operationally active in at least six member states, whether through branches or via the freedom to provide services.
  • Residual risk “high” – The national supervisory authority classifies the remaining ML/TF risk as high. However, a fixed euro or points threshold has not yet been established.

The Level 1 rulebook (AMLA Regulation) deliberately does not yet set a fixed points or euro threshold. AMLA will define the exact risk methodology in supplementary technical standards.[9]

Beneficial Ownership Transparency & CDD Mandatory Data Set

  • Definition & Threshold: The beneficial owner is any natural person who ultimately owns or controls a business, express trust, or similar legal arrangement. A direct or indirect share of ≥ 25% of the voting or capital rights is sufficient.[10]
  • Mandatory data records: The CDD-RTS determines which data points must be recorded for natural and legal persons – including structured UBO information, legal entity identifier, proof type and eIDAS-compliant means of identification.[11]

EU-wide framework for sanctions & Periodic Penalty Payments (PePP)

A harmonized set of indicators assigns severity levels to violations and defines a method for how daily accumulating PePPs are calculated if conditions are not met on time. This is intended to ensure that fines and measures are comparable and effective across all member states.[12]

Review cycles & pKYC triggers

In the future, obliged entities will be required to update customer and UBO data at least every five years; in the case of higher risks or trigger events (e.g., change of address or shareholding), significantly earlier. The RTS specify reportable events and minimum workflow steps – a basic requirement for automated perpetual KYC models.

Impact on the KYC process — from initial identification to offboarding

Onboarding: standardized data set & digital identities
Upon initial customer contact, the CDD-RTS will require a standardized minimum data set across Europe. For natural persons, this includes, among other things, name, date of birth, nationality, current address, and (if applicable) a Legal Entity Identifier. For companies, master data, UBO data, and registration IDs are also required. Identity verification should primarily be carried out via eIDAS-compliant electronic identity means, which brings video- or wallet-based methods into the mainstream.

Risk Assessment & Classification
Immediately upon enrollment, each customer must be classified into one of four ML/TF risk categories. The underlying scoring scheme is defined by the RTS; it is identical in all member states and forms the basis for audit intervals, monitoring intensity, and reporting obligations.

Ongoing screening & event monitoring
Name, media, and sanctions list screenings remain mandatory but will be supplemented by continuous data monitoring. KYCnow already monitors 37 data points (including company status, UBO structure, functionaries, register and financial data) and triggers a workflow with every relevant change – a concept that meets the future RTS requirements for “event-driven reviews”.

Mandatory reviews: new intervals from 2027 onwards
Instead of the previous 2–15-year AML cycles, the AMLR prescribes significantly shorter maximum intervals:

  • High risk: annual full inspection
  • Medium risk: every 5 years
  • Simplified due diligence: risk-based, no fixed framework

In the event of significant events (e.g., change of beneficial ownership), an ad-hoc review is required immediately.

Beneficial Owner Updates & Transparency Register Matching
The 25% threshold will apply in the future to shares, voting rights and other control. Companies must therefore track every structural change – including accumulation chains across multiple levels – and reconcile it with the registers.

EU-AML 2027 — Conclusion & 5 concrete to-dos for obliged entities

The new EU AMLR brings an unprecedented level of harmonization, shorter audit intervals, and granularly defined data sets. All financial and non-financial service providers must align their KYC, screening, and reporting processes with it by July 10, 2027, at the latest. Those who only begin the transition shortly before the deadline risk high costs, operational bottlenecks, and fines.

  • Gap analysis against the RTS drafts – checking where data fields, workflows or documentation do not yet meet future requirements in order to plan budget and resources in a timely manner.
  • Ensure data inventory & API capability – capture all sources of master, transaction and UBO data and ensure that a standardized, machine-readable exchange via API is possible.
  • Launch pKYC pilots – test event-based monitoring in high-risk segments to refine trigger logics and review workflows by 2026.
  • Establish UBO graph & register matching – model shareholding chains including “other ownership interests ≥ 25%” and automatically integrate transparency registers.
  • Sharpen governance and awareness – more closely integrate compliance, IT and specialist departments; prepare employees for new review cycles, reporting obligations and penalty mechanisms.

The technical details of the RTS make quick ad-hoc solutions virtually impossible. Those who start now with structured pilot projects, a solid data foundation, and clear responsibilities will not only be compliant by 2027, but will also be able to demonstrate more efficient KYC processes and a robust risk profile.

With KYCnow, you'll remain on the safe side from a regulatory perspective in the future. We're already working on implementing the new requirements in our platform.

Sources

[1] EBA Consultation Paper on draft RTS under the new EU-AML framework, March 2025
[2] Regulation (EU) 2024/1624, OJ L 2024/1624 of June 19, 2024
[3] Directive (EU) 2024/1640, OJ L 2024/1640 of June 19, 2024
[4] Regulation (EU) 2024/1620, OJ L 2024/1620 of June 19, 2024
[5] WSJ report on the Frankfurt location decision wsj.com
[6] Regulation (EU) 2024/1624 of May 31, 2024, OJ L 2024/1624, June 19, 2024
[7] EBA public hearing presentation, April 10, 2025
[8] EBA Consultation Paper, Executive Summary – Risk Assessment Methodology & Review Frequency (Art. 40 AMLD6)
[9] Regulation Tomorrow Blog, “EBA consults on draft RTS for AMLA operations”, 06/03/2025
[10] Regulation (EU) 2024/1624, Art. 52 para. 1 – 25% threshold for beneficial owners
[11] EBA Consultation Paper, Draft RTS – Customer Due Diligence (Art. 28 AMLR), p. 33 ff.
[12] Regulation Tomorrow Blog, ibid., section “Sanctions and administrative measures (Art. 53(10) AMLD6)”

Photo by Marco: https://www.pexels.com/de-de/foto/fahnen-verwaltung-fahnenmasten-europaische-kommission-13153479/

Roczniewski