The EU AML Reform Package: Redefining AML Compliance Architecture
AMLR, AMLD6 and the Draft RTS under Articles 19 and 28
The EU AML reform marks a structural redesign of the anti-money laundering framework across Europe.
With the introduction of Regulation (EU) 2024/1624 (AMLR), alongside AMLD6 and the Draft RTS under Articles 19 and 28, the EU is moving away from fragmented national implementation toward a single, directly applicable supervisory model.
This reform should not be viewed as an incremental tightening of requirements. It represents a redesign of the AML operating model itself, where compliance is increasingly defined through data architecture, system capability and continuous risk interpretation rather than procedural adherence.
By 10 July 2027, Obliged Entities will be operating under a framework that is more harmonised in law, more prescriptive in execution, and materially more dependent on the quality and structure of underlying data.
At its core, the reform redefines how risk is detected, how Customer Due Diligence is executed, and how ongoing monitoring is operationalised.
A Shift in What “AML Compliance” Means
The AMLR replaces a fragmented model shaped by national interpretation with a single EU rulebook that applies directly to obliged entities.
The practical consequence is a change in how compliance effectiveness is assessed. The focus shifts away from whether controls exist, and toward whether institutions can demonstrate continuous, data-driven decisioning across the customer lifecycle.
This is the key structural change introduced by the reform: AML compliance becomes a function of system capability, not documentation completeness.
Articles 19 and 28 sit at the centre of this shift, effectively replacing a staged compliance model with a continuous operating loop.
Article 19 AMLR: Risk Detection Moves Forward in the Lifecycle
Article 19 redefines when AML obligations are triggered by broadening the concept of a “business relationship” and anchoring it in economic substance rather than formal structure.
The effect is a shift from event-driven triggers to behaviour-driven signals. Firms are expected to identify patterns such as repeated activity, transactional clustering and behavioural consistency as part of determining whether CDD obligations arise.
Transactions connected through timing, purpose or structure are no longer assessed in isolation. They must be evaluated as part of a broader behavioural pattern.
This materially shifts the point of risk detection. AML controls are no longer activated at discrete onboarding or threshold events but increasingly emerge from ongoing transaction analysis.
The implication is straightforward: firms are expected to detect risk earlier, and closer to the point of economic activity.
Article 28 AMLR: Compliance Becomes a Data Integrity Function
Article 28 formalises a more demanding evidential standard for Customer Due Diligence.
The emphasis moves decisively away from document possession and toward demonstrable data integrity. Firms must be able to evidence that customer information is accurate, verified, structured, and continuously maintained in a way that supports ongoing monitoring.
This creates a structural change in how CDD is operationalised. It is no longer a file-based process supported by systems, but a data governance process embedded within those systems.
Institutions reliant on static KYC repositories or fragmented data sources will face increasing misalignment with regulatory expectations, particularly where auditability of decision-making is limited.
Beneficial Ownership: From Identification to Structural Mapping
The reform significantly deepens expectations around beneficial ownership analysis.
The focus shifts from identifying a declared ultimate beneficial owner to understanding the full control architecture of a customer relationship, including indirect ownership chains, layered entities, and non-ownership control mechanisms.
Beneficial ownership therefore becomes a structural mapping exercise rather than a threshold identification task.
This increases reliance on external data sources and raises the analytical burden for complex corporate structures, particularly in cross-border contexts.
Continuous Monitoring as the Default Operating State
The AMLR embeds continuous monitoring as the baseline expectation for AML control frameworks.
Customer activity must be continuously assessed against expected behaviour, risk classification, and the stated purpose of the relationship. Deviations are no longer primarily addressed at fixed review points but through ongoing behavioural calibration.
This effectively dissolves the traditional boundary between onboarding, monitoring, and periodic review. AML becomes a continuous control loop rather than a set of discrete processes.
Static review cycles and threshold-based systems remain relevant but are no longer sufficient in isolation.
AML as a System and Data Architecture Problem
A defining feature of the reform is the implicit redefinition of AML as an infrastructure issue.
Firms are expected to maintain integrated systems capable of linking customer data, transactional flows and behavioural indicators into a coherent analytical environment. This includes identifying relationships between transactions, detecting anomalies and ensuring full traceability of decisions.
The regulatory trajectory is aligned with automation, structured data environments and real-time analytical capability.
In practical terms, AML is shifting from a compliance function supported by technology to a technology capability governed by compliance requirements.
AMLD6: Convergence Drives Higher Enforcement Baselines
AMLD6 strengthens supervisory convergence across Member States, reducing interpretative divergence and increasing consistency in enforcement outcomes.
As supervisory alignment improves, compliance gaps become more visible, more comparable and more consistently enforceable across jurisdictions.
The result is a higher and more uniform enforcement baseline. AML deficiencies are more likely to be escalated where they reflect systemic weaknesses in governance, data quality or control design.
This also elevates senior management accountability, as regulators increasingly assess whether AML frameworks are effectively embedded within organisational governance structures rather than operating as standalone compliance functions.
Operating Model Implications
The combined effect of AMLR and AMLD6 is a shift from procedural compliance models toward integrated risk intelligence frameworks.
Three structural adjustments emerge.
First, detection models must evolve from static rule-based thresholds to behavioural and pattern-driven analytics. Second, data architecture must support continuous validation, traceability and integration across systems. Third, governance frameworks must reflect real-time accountability for AML decisioning and escalation.
This is not a refinement of existing AML frameworks. It is a redesign of how AML capability is constructed, deployed and governed.
Conclusion
The EU AML reform establishes a fundamentally different compliance paradigm.
AML is becoming unified in structure, continuous in operation and data-driven in execution. Risk identification, due diligence and monitoring are no longer separate functions but interconnected components of a single operating system.
For Obliged Entities, the challenge is no longer regulatory interpretation. It is organisational readiness, i.e., the ability to build AML frameworks that operate effectively within a continuous, data-intensive supervisory environment.
In this environment, competitive positioning will increasingly depend on the maturity of AML infrastructure, not the completeness of compliance documentation.