The easy mistake to make with the forthcoming AMLR rules is to wait for perfect clarity. Waiting may feel sensible. In practice, it will leave you with no time to mobilise an effective programme, unclear ownership and a weak answer when boards or regulators ask what has been done so far.
The awkward reality is that AMLR will come into force on 10 July 2027 as planned. AMLA is expected to finalise its guidance ahead of that date, but firms will still face compressed timelines to interpret and implement that detail.
That does not mean every institution should launch a major programme today. It does mean every MLRO or Head of Financial Crime should already have a clear view on what AMLR means for their organisation. We strongly believe firms will benefit from a joined-up Policy (2LOD) and Operations (1LOD) approach. These teams together need to answer key questions such as what can already be assessed, how that impacts the current operating model, and what is being deliberately held pending further standards. That is a much more credible position than either rushing into a redesign or doing nothing at all.
Regulation waits for no one – AMLA is already pushing forward with testing its risk assessment data requirements. This work is currently directed at national supervisors (such as BaFin), which are already consulting with firms in their jurisdictions to support their obligations to AMLA.
Much of the operational detail will arrive through AMLA’s future work, with eighteen final texts due to be published in Q3 and Q4 2026 and two more in Q1 2027. That timeline is not a reason to pause. AMLR was designed as a structural change in rulemaking and supervision, with some interpretive detail around practical implementation intentionally deferred rather than omitted.
For senior leaders, the practical question is simple. Can you explain, today, how AMLR will affect your footprint, where the likely pressure points are, and what your plan is between now and July 2027? If the answer is no, the issue sits with governance rather than legal interpretation.
Several parts of AMLR are already explicit enough to assess without waiting for further technical standards. For example, there are mandatory review cycle maxima, business--day timelines, required content for business-wide risk assessments, defined internal roles and responsibilities, and minimum policy requirements already clear in the text.
That gives firms a sensible starting point. You do not need to predict every future expectation to identify obvious misalignment. If your current review cycles are longer than the AMLR text allows, that is a real issue now. If your policy set or governance model does not meet the minimum expectations already stated, that is already visible. Firms should not assume later guidance will dilute points that are already set out plainly in the regulation.
Based on our experience, the sentiment of guidance does not usually change between consultation and final text. Therefore, it would be prudent to get familiar with the twenty-two consultations being launched in 2026/7 as they are released, putting in place a plan to assess and respond as consultations are finalised, rather than waiting for final texts.
Not every firm needs the same level of activity at this stage. Firms likely to fall within AMLA’s directly supervised population should already be mobilising in a meaningful way. For them, waiting for full clarity won’t be an option. They are visible, easier to identify, and likely to feel the pressure earliest.
While final confirmation of the directly supervised population will come later, most firms can already form a working view based on footprint, cross-border activity and scale.
For firms more likely to sit outside that group, a proactive but proportionate approach still makes sense. This means active assessment, clear ownership and documented decisions. It means understanding the regulation, testing the requirements that are already clear and assessing how EU exposure affects the wider group. A good example is the risk assessment data AMLA requires. All firms in the relevant EU member state will need to produce the data to determine whether they fall inside or outside AMLA’s supervisory risk-based approach. Any changes needed to find and report this data will sit with the firm, even if it is obvious from size and scale that they would not be among the top 40.
Even where the impact is limited, every MLRO or compliance leader should reach a considered position within a timeframe that makes sense for their organisation.
Boards do not need a dramatic message. They need to know whether this is a horizon-scanning item, a readiness exercise or a more active programme, and why.
While firms may not yet need a formal strategy deck, they should already have a working position that demonstrates understanding and ownership. A short internal paper is a practical way to capture this.
For firms that are close to the threshold for AMLA direct supervision (i.e. operates across 6 EU member states; total of ≥ 20,000 customers), this should go further. They should be running a structured, iterative gap analysis with clear governance, with outputs reported through Risk Co or an equivalent forum.
For all other firms, the initial internal paper should cover four areas.
- First, your scope and footprint. Which legal entities, business lines and jurisdictions are affected, directly or indirectly, and on what basis this has been determined.
- Second, the points already clear enough to assess now, along with any material gaps identified and a clear plan for how and when testing will be carried out as further detail is finalised.
- Third, the areas where decisions are being deferred pending RTS or guidance, with named ownership and a trigger for revisiting them to enable active monitoring so they do not inadvertently slip off the radar.
- Fourth, the governance route for oversight and escalation, including how updates reach senior committees or the board and where overall responsibility and accountability sit.
This exercise is most effective when led by operations or a 1LOD advisory team, with a combined 1LOD and 2LOD structure providing oversight and challenge.
The structure of this paper might sound basic, but it gives leaders something many firms still lack on AMLR: a defensible narrative. If challenged, you can show that you have separated known requirements from open questions, assigned accountability and avoided both complacency and overreaction. That is a much stronger place to be.
From what we can see in the market today, a small group of firms are already mobilising substantially. A much larger group have barely started. There is very little middle ground.
Neither extreme is especially attractive. Over-mobilising too early can create cost, noise and redesign work that later needs to be undone. Leaving it on the shelf leads to compressed timelines, reactive decision-making and weaker answers under scrutiny. The clock keeps moving, and the eventual response becomes hurried, defensive and harder to explain.
The better route is steadier than either of those. Test what is already clear. Record what is still moving. Decide what is proportionate for your footprint. Keep the issue visible in governance. That will not remove the uncertainty around AMLR, but it will stop uncertainty turning into drift.
Most firms likely do not need a full AMLR transformation story at this stage. They need a position that can evidence what is understood, what has been tested, what is pending, and who is accountable. That is what boards and regulators are likely to focus on while the detail continues to develop.
.png)
