
Preparing for AMLR & AMLA: our callouts

Introduction & executive summary

The EU’s Anti-Money Laundering Regulation (AMLR)1 and the creation of the new Anti-Money Laundering Authority (AMLA) mark the largest overhaul of Europe’s financial crime compliance regime in two decades. For executives in banks, payment institutions and crypto-asset service providers (CASPs), the shift is not to be underestimated. It changes customer due diligence (CDD), transaction monitoring, sanctions processes, and even the way institutions interact with EU Financial Intelligence Units (FIUs), with a goal of harmonization across the EU (currently mostly driven by EBA standards2 and FI peer pressure – example humble bragging here).

In this article, we highlight our AMLR and AMLA callouts which detail where the EU AML regulation changes are material and which have been under-reported by the myriad other writers on this topic. The common threads are a transfer of responsibility, from regulators and FIUs to private institutions, as well as a stricter codified requirement when it comes to certain timelines and definitions.

AMLR and AMLA callouts timeline

FIU remit

Today4, FIUs act as intelligence centres and conduits. In the Netherlands, FIU-Nederland receives vast numbers of reports5, analyses them, and forwards cases to prosecutors or law enforcement. Freezing an account or wallet is not in the FIU’s remit, which requires a judicial order or prosecutorial warrant. The EU AML rulebook changes this, which is one of our key AMLR and AMLA callouts.

Under Article 21 of AMLD6 (complementing the AMLR), FIUs gain the direct power to suspend transactions, accounts or wallets for up to five working days: no need to wait for a prosecutor to sign paperwork. The intent is to stop suspicious funds before they vanish in the hours it takes for a freeze-order to be drafted.

For institutions, this means a new class of regulatory orders. Alongside court warrants, FIs will now receive direct FIU suspension requests. Execution must be immediate, and systems will need to distinguish suspension orders (short-lived, auto-lift after expiry) from longer freezes.

This power is particularly relevant when viewed against PSD2 and the Instant Payments Regulation (IPR). Instant SEPA transfers settle in seconds, not days. If FIUs cannot act without prosecutorial delay, the funds are gone. With suspension powers, FIUs can at least put a temporary hold while deciding if escalation is justified. Technically, this will demand very tight integration between compliance case management and payment systems. The regulatory framework and payment requirement are now aligned, but execution risk is high if institutions cannot react in real-time.

The NL case: suspicious vs unusual

The Netherlands has long taken a different approach to reporting. Under the Wwft, obliged entities report “ongebruikelijke transacties” (unusual transactions). The FIU then applies its intelligence and law enforcement database access to filter the dataset.

Conversely, the AMLR harmonizes reporting obligations across the EU. The standard is “suspicious transactions” — those where there are reasonable grounds to suspect ML/TF. This aligns with FATF requirements and is the model in most other Member States. For the Netherlands, the impact is significant:

  • Lower report volumes: No more mass filings of objectively unusual activity. FIU NL will see fewer but more targeted reports. No more automated reporting by certain
  • Higher burden on compliance teams: Suspicion requires judgement. Analysts must apply typologies, red flags, and escalation governance before deciding to file.
  • Shift of filtering responsibility: The task of distinguishing useful from noise moves from FIU to the private sector.

The question arises: how can banks and PSPs apply a suspicion test without the prosecutorial and intelligence resources that government prosecutors hold? Practically, this demands a mature compliance setup:

  • Data enrichment from KYC, transaction history, watchlists and adverse media. Leveraging certain AI methods may help find real value here.
  • Typology-driven monitoring scenarios aligned to FATF, EBA and FIU guidance.
  • A formalized suspicion decision tree, ensuring analysts escalate reports consistently, continuously updated by;
  • Stronger feedback loops with the FIU, who will be required under AMLR to provide sharper (and hopefully more timely) feedback on reporting usefulness.

ID&V timeliness

Here is an interesting one: under AMLR Article 33.1(a) institutions must ensure customers and beneficial owners are identified and verified within 60 days of onboarding, without exception. This removes EU member state flexibility and forces stricter timelines for corporate onboarding. This section also removes the ability of FIs to employ a broad-strokes risk-based approach to prioritizing the Identification and Verification (ID&V) of customers or Ultimate Beneficial Owners (UBOs – for whom the definitions also broaden in AMLR chapter IV). For many FIs, this the of our AMLR and AMLA callouts.

While this may seem immaterial given innovation in customer onboarding systems (e.g. using third-party service providers), the reality is that generally a significant percentage of customers still require manual follow-up to finalize ID&V. Under AMLR, ID&V backlogs are no longer acceptable and reliance on earlier guidelines (e.g. ‘occasional transactions rules’) or ‘reasonable timeframes’6 will no longer be warranted.

While UBO registry harmonization is also a facet of the AMLR bringing some respite to Article 33.1, current status indicates that there is a long way to go before FIs can rely on these across the EU, and individual member-state privacy issues can make for an unclear way forward.

Virtual IBAN information sharing

Article 22.3 of the AMLR discusses new requirements on transparency in virtual IBANs. In response, the EBA has included in its draft RTS7 the following requirement:

The above is in line with earlier EBA notes on the use of Virtual IBANs8, and the potential to share information to meet AML/CTF requirements. The AMLR, however, combined with the EBA’s new (draft) RTS, seems to enforce the information sharing requirement. Combined with a world where instant payments and account suspensions will exist (see above), the “time period that enables …” in the above quote is likely to mean ‘instantly’. This would constitute a significant change to virtual IBAN use, and requires careful implementation in payment and AML processes in order not to upset normal payment flows.

Specifically refined high-risk markers

Among the many changes, we call out two high-risk customer markers which could have a wide impact on FIs: PEPs and Complex structures. The reason being that for both, the group which will require additional (enhanced) due diligence (EDD) will grow substantially.

  • PEP definitions and requirements: The categories of PEPs are now set at EU level, reducing national discretion and increasing scope. This includes domestic as well as foreign roles, senior executives of state-owned enterprises, and members of central bank boards. Unlike before, domestic PEPs cannot be subject to lighter obligations, as EDD now always applies. Notably, the outcome of the EDD can be anything, ranging from low to unacceptable customer risk.9
  • Complex structure definitions: Under current legislation, a complex structure requires EDD given the potential of such structures to facilitate money laundering. What a complex structure is, however, is undefined. In the EBA’s interpretation of the AMLR10, it is now fully defined along the primary indicator of 2 organization layers, combined with one of four other markers. In our experience, this new definition is much broader than current market practice, nominating many other structures as complex.

Other relevant topics

Beyond the above changes, the AMLR introduces myriad other obligations that executives should not overlook. We highlight a selection of our interpretation of big ticket items below:

  • Back to objective indicators: In a blast from the past, the AMLR requires the reporting of all transactions of a certain type above a threshold (e.g. Watches and clocks above EUR 10.000). Notably, transactions involving high-value goods of various values will always be required to be reported. We are sceptical as to the value of these reports11, but it appears to nonetheless be a regulatory requirement warranting management attention and procedural implementation.
  • Third-party reliance: Tighter rules on relying on third parties for CDD will limit outsourcing models and demand stronger contractual controls. The AMLR specifically states an FI will remain liable for outsourced processes, bringing with it an agency problem. This becomes particularly relevant e.g. in the area of timely (outsourced) sanctions list management.
  • Group-wide policies: The AMLR requires consistent AML/CFT policies across groups, including in third-country branches and subsidiaries, unless host-country law prohibits alignment.
  • Sanctions and asset freezes: Closer integration of AML and restrictive measures (sanctions) frameworks will blur the lines between traditional AML monitoring and EU foreign policy enforcement.
  • AMLA oversight: The new EU-wide AMLA regulatory body will oversee an initial 50 Financial Institutions, and operate alongside national regulators. As of writing, the list of Obliged Entities under AMLA supervision remains a mystery, but it is likely to include some of the largest EU institutions12.

Each of the above is individually material. Taken together, they close gaps and inconsistencies that regulators previously managed through national discretion and lawmaking.

The take-away

The AMLR is not another incremental directive. It is a directly applicable rule-set, with no national wiggle room. Its companion, the AMLA, is a new supervisor that will enforce it consistently across borders. The direction of travel is clear: a level playing field. For executives, preparation means:

  • Review reporting frameworks: If you operate in the Netherlands, prepare for the shift from unusual to suspicious transactions. This will require new staff training, process governance and activity monitoring design.
  • Upgrade case management: Ensure systems can differentiate between FIU suspensions, prosecutorial freezes, and instant-payment escalations, and apply appropriate technical measures.
  • Invest in real-time monitoring: Instant payments and immediate regulatory enforcement are around the corner: compliance cannot be batch-based.
  • Engage with FIUs: Push for (timely) typology feedback and guidance. The AMLR obliges FIUs to provide it to strengthen AML frameworks, but dialogue will be key in shaping useful practice.
  • Tighten onboarding: Ensure processes can deliver UBO verification, revised red flag analysis, and full customer due diligence within the new timelines.

The AMLR is an opportunity as well as a challenge. Institutions that adapt early can not only avoid regulatory friction but also build trust with customers and supervisors. Those that delay will find themselves caught between faster payment rails and stricter compliance rails.



Footnotes

  1. Hidden away in the depths of the EU archive here ↩︎
  2. The European Banking Authority has traditionally provided various interpretations of EU laws and international (e.g. FATF) guidance to harmonize the EU FI landscape. ↩︎
  3. Note: since the publication of this post (August 2025), the EU has amended its ambition and vision to publish various supporting documents (“level 2 acts”) which may drastically change the timeline displayed here. Please see the EU announcement here for all details ↩︎
  4. Midway 2025, for future readers ↩︎
  5. Over 2 million per year ↩︎
  6. As per the Fourth and Fifth EU AML Directives, where reasonable could mean ‘indefinite’ in low risk cases ↩︎
  7. Specifically, in article 8 here ↩︎
  8. Specifically in the EBA’s 2024 report here, in section 3.3.52 ↩︎
  9. We request FIs don’t overburden the farmer turned machiavellian politician with massive conflicts of interest ↩︎
  10. Specifically, in article 11.1 ↩︎
  11. Don’t just take it from us: To quote the NL FIU (annual report 2024 – p8): “Therefore, in themselves they [objective indicator reports] usually give no cause to initiate or direct a further analysis” ↩︎
  12. All entities operating in at least six EU Member States and whose residual risk profile is “high” (likely based on the EBA RTS data elements annex drafted in 2025) are eligible for direct AMLA supervision ↩︎