If you run financial crime, compliance, or onboarding at a bank, payments firm, insurer, or fintech, the EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) applies from 10 July 2027 — and unlike a directive, it lands as directly applicable law on that date with no national transposition to soften the edges. That is the point of the single rulebook: one harmonised set of customer-due-diligence, beneficial-ownership, and cash-handling rules across all Member States, supervised by a new EU authority, AMLA, seated in Frankfurt. The firms that struggle in 2027 will be the ones that treated it as a 2027 problem. The work that determines whether you are ready — re-baselining your beneficial-ownership data, recutting your enhanced-due-diligence triggers, rewriting your business-wide risk assessment to the new Article 10 template — is gap-analysis work, and the window to run it without disruption is now, in Q2/Q3 2026. This checklist walks the obligation areas you should gap-assess first, and frames each as a run-it-now readiness action rather than a 2027 scramble. The adjacent angle for AI teams: AMLR is an AML regulation, not an AI one — but if you are deploying AML agents to triage alerts, clear hits, or assess ownership at machine speed, those agents are the things that will have to enforce these controls, and they need to be governed accordingly.
Why a regulation, not a directive, changes your timeline
The EU AML package replaces a regime that has been built on directives — most recently the Fourth and Fifth Money Laundering Directives — with a hybrid: a directly-applicable Regulation (the AMLR) for the substantive rules every obliged entity must follow, plus a directive (AMLD6, Directive (EU) 2024/1640) for the institutional and supervisory plumbing that Member States transpose into national law.
The distinction matters for your planning. A directive gives Member States latitude in how they implement, which historically produced the fragmentation the single rulebook is meant to end — different ownership thresholds, different cash limits, different EDD expectations from one jurisdiction to the next. A regulation removes that latitude: the AMLR text is the rule, the same in Dublin, Frankfurt, and Milan, from the day it applies. There is no national implementing act to wait for and no margin of appreciation to lean on.
Practically, that means your gap analysis is against the regulation text itself, not against an as-yet-unwritten national statute. The text is published and stable. What is still in motion are the technical standards AMLA is drafting underneath it — but the obligations they refine are already on the page. You can start today.
AMLA's role: the supervisor and the standard-setter you are gap-assessing toward
The Anti-Money Laundering Authority (AMLA), established by Regulation (EU) 2024/1620, began operations on 1 July 2025 in Frankfurt. It does two things that shape your readiness work.
First, it is a direct supervisor. After a selection process expected in 2027, AMLA will take on direct supervision of a first wave of the highest-risk cross-border financial entities — a group the legislation frames in the order of roughly forty firms in that first cohort — from 2028. Even if your institution is not in that first wave, AMLA sets the supervisory tone and coordinates the national supervisors who examine everyone else. The bar it sets in 2028 is the bar your national regulator inherits.
Second, and more immediately useful, AMLA is the standard-setter. It develops draft regulatory technical standards (RTS) and implementing technical standards (ITS) that fill in the operational detail of the AMLR — for example, the specifics of customer-due-diligence information and the risk factors that drive enhanced due diligence. A critical nuance for your gap analysis: these draft standards are binding only once the European Commission formally adopts them. Until then they are draft, and AMLA's guidelines operate on a comply-or-explain basis. Track them, model against them, but anchor your hard requirements to the regulation text and treat the standards as the detail layer that will tighten — not loosen — what the articles already demand.
The obligation areas to gap-assess first
A full AMLR readiness programme touches dozens of articles. But a small number of obligation areas carry most of the gap risk because they change the data, triggers, or documents you operate on — not just the wording of a policy. These are the ones to assess in your Q2/Q3 2026 window, before remediation timelines compress against the 10 July 2027 date.
The table below is the spine of this checklist. For each obligation area it states what changes under the AMLR and the readiness action to run now. Use it to scope your gap analysis; the sections that follow expand the highest-stakes rows. You can run a structured version of this assessment with our AMLR 2027 readiness gap tool.
| Obligation area | What changes under the AMLR | Readiness action now |
|---|---|---|
| Beneficial-ownership (UBO) identification | Harmonised 25%-or-more ownership/voting-rights threshold for identifying beneficial owners, applied uniformly across the Union, with tightened rules on multi-layered and nominee structures | Re-baseline your existing UBO records against the 25% threshold; flag customers where prior national thresholds or interpretations diverged; identify structures you cannot currently resolve to a natural person |
| Enhanced due diligence (EDD) triggers | A directly-applicable set of EDD situations and risk factors — high-risk third countries, complex/unusual transactions, certain cross-border correspondent relationships — that supersede national variation, with AMLA RTS refining the factor list | Map your current EDD trigger logic against the AMLR's situations; find triggers you apply that the AMLR does not require, and AMLR triggers your rules miss; document the gap per customer segment |
| Article 10 business-wide risk assessment | An explicit, documented business-wide (enterprise-wide) risk assessment obligation: identify and assess the ML/TF risks you are exposed to, keep it up to date, and make it available to supervisors | Pull your most recent enterprise-wide risk assessment and gap it against Article 10's required dimensions; close gaps in coverage, evidencing, and refresh cadence before it becomes an exam artefact |
| EUR 10,000 cash-payment limit | A Union-wide EUR 10,000 ceiling on large cash payments (Article 80); Member States may set lower national limits but not higher | Inventory where your business accepts or facilitates large cash payments; build the control and reporting path to the limit, parameterised so a lower national limit can be applied per jurisdiction |
| Customer due diligence (CDD) baseline | Harmonised CDD identification, verification, and ongoing-monitoring requirements replacing national variants, with AMLA technical standards specifying the data to collect | Re-confirm your CDD data model and verification standards meet the AMLR baseline; remediate thin records before they become onboarding-reject or remediation backlogs in 2027 |
| AMLA technical standards (RTS/ITS) | The operational detail under the articles — CDD data, EDD risk factors, reporting formats — is being drafted by AMLA and becomes binding only on Commission adoption | Assign an owner to track AMLA consultations and adopted standards; model against drafts but commit hard build only as standards are adopted, to avoid rework |
Beneficial ownership: re-baseline your UBO data against the 25% threshold
The single rulebook's harmonised beneficial-ownership rules are, for many firms, the largest hidden data-quality gap. The AMLR fixes a 25%-or-more ownership-or-voting-rights threshold for identifying the beneficial owners of corporate entities, applied uniformly — replacing the situation where the same threshold was read and applied differently across Member States, and where some firms layered their own conservative cuts on top.
The readiness problem is not the rule; it is your back book. If you onboarded customers under a divergent national interpretation, or your records resolve ownership to an intermediate holding company rather than a natural person, those records may not survive an AMLR-grade review. Multi-layered ownership chains and nominee arrangements are exactly where the regulation tightens, and exactly where legacy data is thinnest.
Run the re-baseline now, while you have runway. Pull your UBO population, re-test it against the 25% threshold, and triage into three buckets: records that already resolve cleanly to a natural person at or above 25%; records that need refresh or re-verification; and structures you cannot currently resolve at all. The third bucket is your real 2027 risk, and it takes the longest to clear because it depends on the customer responding. Starting that outreach in 2026 is the difference between a managed remediation and a 2027 onboarding-and-review backlog.
EDD triggers and the Article 10 risk assessment: the documents an examiner will open first
Enhanced due diligence. The AMLR specifies the situations that require EDD — relationships and transactions involving high-risk third countries, complex or unusually large transactions, and certain correspondent relationships, among others — as directly-applicable rules, with AMLA technical standards refining the underlying risk-factor list. Your gap analysis here is a two-way map: trigger logic you currently run that the AMLR does not require (candidates to retire), and AMLR-required triggers your rules do not yet fire on (gaps to close). Do this per customer segment, because the impact concentrates in correspondent banking, high-value private clients, and cross-border flows.
The Article 10 business-wide risk assessment. Article 10 of the AMLR requires obliged entities to identify and assess the money-laundering and terrorist-financing risks they are exposed to at the level of the business as a whole, to document that assessment, keep it current, and make it available to supervisors. For firms that have treated the enterprise-wide risk assessment as a periodic paper exercise, this is a step-change in expectation: it becomes a living, evidenced artefact that an AMLA-tier examiner will open first to understand whether your controls actually match your risk.
Gap-assess your most recent enterprise-wide assessment against Article 10's dimensions now: does it cover your products, customers, geographies, and delivery channels; is the methodology defensible; is the refresh cadence real; and can you evidence that its conclusions actually drove control decisions? You can structure that against the new requirements with our AML enterprise-wide risk assessment tool. Closing these gaps in 2026 is cheap; closing them under examination in 2027 is not.
The EUR 10,000 cash limit and the AMLA standards layer
The cash limit. Article 80 of the AMLR introduces a Union-wide EUR 10,000 limit on large cash payments in the course of a business activity. Member States retain the ability to set lower national limits, but not higher ones, so the practical design requirement is a control that defaults to EUR 10,000 and can be parameterised down per jurisdiction. If any part of your business accepts or facilitates large cash payments, inventory those flows now and build the control and reporting path against the limit, with the per-Member-State lower-limit dimension designed in from the start rather than retrofitted.
The standards layer. Much of the operational specificity of the AMLR — the exact CDD data fields, the detailed EDD risk factors, reporting formats — lands through AMLA's regulatory and implementing technical standards. The discipline for your programme is to separate the stable layer (the regulation articles, which you can build against today) from the tightening layer (the AMLA standards, which become binding only on Commission adoption). Assign an owner to track AMLA consultations and adopted standards, model your design against the drafts so you are not surprised, but commit hard engineering only as standards are adopted. That sequencing avoids the most expensive failure mode in regulatory readiness: building twice.
The AI hook: AMLR sets the controls, your AML agents have to enforce them
AMLR is an anti-money-laundering regulation. It says nothing about AI, and you should not let an AI-governance conversation distract from the CDD, UBO, EDD, and cash-limit gap work above — that work stands on its own. But the two intersect at one precise point: if you are deploying AML agents — to triage transaction-monitoring alerts, adjudicate sanctions and PEP hits, untangle beneficial ownership, or draft suspicious-activity narratives — then those agents are the things that will enforce the AMLR controls at machine speed.
That raises a governance question the AMLR readiness work surfaces but does not answer: when an agent auto-closes an alert, clears a hit, or concludes a UBO determination, can you reconstruct exactly what it did and why, to an examiner's standard? Article 69 of the AMLR already presumes that level of reconstructability — it requires obliged entities to answer a financial intelligence unit's request within five working days, compressible to under 24 hours in urgent cases. A five-working-day clock is a test of whether your agents' decisions were captured at the moment they happened, not reconstructed afterward.
This is where KLA's thesis — govern by execution, not paperwork — meets your AMLR programme. The control and the evidence have to sit inside the agent's execution path. In practice that means policy-as-code gates that decide what an agent may do autonomously versus what requires a named human (Policy Builder, with decisions of allow, warn, require approval, or block); a maker-checker approval step for consequential actions like filing a SAR or clearing a high-confidence sanctions hit (Decision Desk); and a sealed, tamper-evident lineage record of every decision, autonomous or human-approved (Evidence Room). We map this end to end for financial-crime workflows in the companion AML Agent Control & Evidence Map. The AMLR tells you which controls must exist; governing your agents by execution is how you make sure they actually run — and that you can prove it.
Run your gap analysis now: the Q2/Q3 2026 window
The reason to start in mid-2026 rather than mid-2027 is not box-ticking; it is remediation lead time. The two heaviest readiness items — re-baselining UBO data and rewriting the Article 10 risk assessment — both depend on inputs you do not fully control. UBO re-verification depends on customers responding to outreach. A defensible enterprise-wide risk assessment depends on pulling data from across products and geographies and getting sign-off. Both take quarters, not weeks, and both compress badly against a hard date.
Sequence your readiness work so the long-lead items start first: scope the gap analysis across the six obligation areas, then immediately kick off the UBO re-baseline outreach and the Article 10 rewrite while the faster items (CDD data model, cash-limit controls, EDD trigger remap) run in parallel. Reserve the back half of the window for the AMLA standards layer as drafts firm up.
You can run a structured version of this assessment — obligation area by obligation area, with the readiness actions from the table above — using our AMLR 2027 readiness gap tool. It is the fastest way to turn this checklist into a scoped, owned remediation plan while the window is still open.
Frequently Asked Questions
When does the AMLR apply?
The EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) applies from 10 July 2027, with a later date of 10 July 2029 for the football sector. Because it is a regulation rather than a directive, it is directly applicable across all Member States on that date with no national transposition — the single rulebook text is the rule everywhere from day one. The accompanying AMLD6 (Directive (EU) 2024/1640) carries the same general 10 July 2027 transposition deadline for the institutional and supervisory provisions Member States implement in national law.
What is the beneficial-ownership threshold under the AMLR?
The AMLR sets a harmonised 25%-or-more ownership or voting-rights threshold for identifying the beneficial owners of corporate entities, applied uniformly across the Union and replacing the divergent national interpretations that existed under the prior directive-based regime. It also tightens the treatment of multi-layered and nominee ownership structures. The main readiness task is re-baselining existing UBO records against the 25% threshold and resolving structures that cannot currently be traced to a natural person.
What is the EUR 10,000 cash limit?
Article 80 of the AMLR introduces a Union-wide EUR 10,000 ceiling on large cash payments made in the course of a business activity. Member States may set lower national limits but cannot set higher ones. Firms that accept or facilitate large cash payments should design a control that defaults to EUR 10,000 and can be parameterised down per Member State, rather than retrofitting jurisdiction-specific limits later.
What does AMLA do, and are its technical standards binding now?
AMLA, the EU Anti-Money Laundering Authority established by Regulation (EU) 2024/1620, began operating on 1 July 2025 in Frankfurt. It is both a direct supervisor — taking on a first wave of high-risk cross-border firms from 2028 after a 2027 selection — and the standard-setter that drafts the regulatory and implementing technical standards under the AMLR. Those draft standards become binding only once the European Commission formally adopts them; until then they are draft and AMLA guidelines operate on a comply-or-explain basis. Anchor hard requirements to the regulation articles and track the standards as the detail layer.
What is the Article 10 business-wide risk assessment?
Article 10 of the AMLR requires obliged entities to identify and assess the money-laundering and terrorist-financing risks to which they are exposed at the level of the business as a whole, to document that assessment, keep it up to date, and make it available to supervisors. It elevates the enterprise-wide risk assessment from a periodic paper exercise to a living, evidenced artefact that an examiner is likely to review first to judge whether your controls match your risk. Gap-assess your most recent assessment against Article 10's dimensions — products, customers, geographies, channels, methodology, and refresh cadence — in 2026.
Does the AMLR regulate AI or AML agents?
No. The AMLR is an anti-money-laundering regulation and does not address AI. The intersection is operational: if you deploy AML agents to triage alerts, adjudicate sanctions hits, or assess beneficial ownership, those agents must enforce the AMLR controls at machine speed, and Article 69's five-working-day FIU response clock (compressible to under 24 hours) presumes you can reconstruct exactly what they did and why. Governing those agents by execution — with policy-as-code gates, maker-checker approval for consequential actions, and sealed lineage evidence — is how you make the controls provably run. AI governance is adjacent to AMLR readiness, not a substitute for the CDD, UBO, and EDD gap work.
Why start the AMLR gap analysis in 2026 rather than 2027?
Because the heaviest readiness items have long lead times you do not fully control. Re-baselining UBO data depends on customers responding to re-verification outreach, and rewriting the Article 10 enterprise-wide risk assessment depends on pulling and validating data across products and geographies — both take quarters, not weeks. Starting in the Q2/Q3 2026 window lets these run as managed remediation rather than a compressed 2027 scramble against a hard application date.
Key Takeaways
The AMLR's 10 July 2027 application date is hard, and the single rulebook gives you no national-transposition cushion to wait behind: the regulation text is the rule, the same in every Member State, from that day. The areas that carry the real gap risk — beneficial ownership re-baselined to the 25% threshold, enhanced-due-diligence triggers recut to the harmonised situations, the Article 10 business-wide risk assessment turned into a living evidenced artefact, the EUR 10,000 cash limit operationalised, and the AMLA standards layer tracked to adoption — are all gap-analysis work whose remediation depends on inputs you do not control and timelines measured in quarters. That is why the window to run it cleanly is now, in Q2/Q3 2026, not in 2027 under examination pressure. Run the gap analysis, sequence the long-lead items first, and turn this checklist into an owned remediation plan with our AMLR 2027 readiness gap tool. And if AML agents are part of your 2027 operating model, remember the adjacent discipline: the AMLR sets the controls, but it is governing those agents by execution — controls and evidence in the execution path, not in a policy PDF — that proves the controls actually run when an examiner asks.