AML & KYC Compliance Software for European Businesses
The EU's Anti-Money Laundering Regulation (AMLR) is the most significant overhaul of EU AML rules in a decade. It creates direct obligations for thousands of businesses across financial services, legal, accounting, and real estate. ComplyOne makes compliance manageable — without a dedicated compliance officer.
Core AML & KYC Requirements
Customer Due Diligence (CDD)
Verify customer identity, understand the nature of the business relationship, and assess risk. Ongoing monitoring is required, not just at onboarding.
Know Your Customer (KYC)
Identify beneficial owners (individuals owning >25%), screen against sanctions lists, and assess PEP (Politically Exposed Person) status for every customer.
Suspicious Activity Reporting
Document and report suspicious transactions or activity to your national Financial Intelligence Unit. No tipping off permitted once a report is filed.
AML policies & procedures
Maintain a written AML policy covering risk assessment, CDD procedures, employee training, record-keeping, and escalation processes. The policy must be regularly reviewed.
Ongoing monitoring
Customer due diligence doesn't end at onboarding. You must monitor transactions and update customer risk profiles when circumstances change.
Record-keeping
Retain CDD documents and transaction records for at least 5 years after the business relationship ends. Records must be accessible to regulators on request.
Which Businesses Are Obliged Entities
If your business appears above, AML obligations apply regardless of company size.
The Risk-Based Approach
AML compliance is not one-size-fits-all. The level of due diligence required depends on the risk each customer presents.
Low risk
Simplified CDD
Basic identity verification. Permitted for low-risk customers such as listed companies or certain public bodies.
Normal risk
Standard CDD
Full identity verification, beneficial ownership check, understanding of business relationship. Required for most customers.
High risk
Enhanced CDD
Additional checks required for PEPs, customers from high-risk countries, complex structures, or unusual transactions.
How to Approach AML Compliance: First Steps
AML compliance is built on a few well-documented processes. Most obliged entities can establish a solid baseline in 8–12 weeks.
Confirm you are an obliged entity
AML obligations apply to a specific list of business types — financial institutions, lawyers, accountants, real estate agents, crypto-asset providers, and more. Review the full list carefully against all your business activities. Size does not exempt you — even small firms in these categories face the same obligations as large institutions.
Conduct a business-wide risk assessment
Assess your exposure to money laundering and terrorist financing risk based on your customer base, products, delivery channels, and geographies. This risk assessment is the foundation of your AML programme — it determines the intensity of due diligence required and must be reviewed regularly and after significant changes to your business.
Build your KYC and CDD procedures
Document your process for identifying and verifying customers, screening against sanctions lists, assessing PEP status, and understanding the purpose of the business relationship. Define clear triggers for Simplified CDD (low risk), Standard CDD (most customers), and Enhanced CDD (PEPs, high-risk countries, complex ownership structures).
Set up ongoing transaction monitoring
Customer due diligence doesn't end at onboarding. Implement monitoring to detect unusual transaction patterns — including unexpected volumes, geographies, or transaction types inconsistent with the stated business purpose. Document your monitoring approach and staff escalation procedures.
Establish SAR filing and record-keeping
Create a documented process for filing Suspicious Activity Reports (SARs) with your national Financial Intelligence Unit. Ensure all CDD documents and transaction records are retained for at least 5 years after the business relationship ends — and that they are accessible to regulators on demand.
Know your AML gap in 5 minutes
Free compliance check. Covers AMLR, GDPR, DORA, and every other EU regulation that applies to your business.
AML & KYC FAQ
What is the EU Anti-Money Laundering Regulation (AMLR)?
The EU Anti-Money Laundering Regulation (AMLR) is the EU's updated AML framework, replacing the previous AMLD directives with a directly applicable regulation. It entered into force in 2024 and will apply fully from 2027, establishing harmonised KYC, customer due diligence, and suspicious activity reporting requirements across all EU member states.
Which businesses are subject to AML obligations?
AML obligations apply to 'obliged entities' — a broad category including banks, payment institutions, e-money firms, crypto-asset service providers, accountants, lawyers, notaries, real estate agents, tax advisors, auditors, and trust/company service providers. If your business handles significant financial flows or provides financial services, you're likely in scope.
What is Customer Due Diligence (CDD)?
CDD is the process of identifying and verifying your customers' identity and assessing the risk they pose. Standard CDD applies to most customers. Enhanced Due Diligence (EDD) is required for high-risk customers — including Politically Exposed Persons (PEPs), customers from high-risk countries, and complex ownership structures. Simplified CDD applies to low-risk customers.
What are the penalties for AML non-compliance?
Fines vary by member state but can be severe. For credit and financial institutions, penalties of up to €5 million or 10% of annual turnover are typical. The AMLR introduces harmonised minimum penalties across the EU. In addition to financial penalties, businesses can face licence revocations and public naming.
We're a small business — do AML rules really apply to us?
If your business falls in an obliged entity category (accountants, lawyers, estate agents, crypto providers, etc.), yes — regardless of size. The AMLR does not have a small business exemption. However, a risk-based approach means lower-risk businesses with lower-risk customers can apply proportionate measures.
What is a Suspicious Activity Report (SAR)?
A SAR is a report filed with your national Financial Intelligence Unit (FIU) when you suspect a customer or transaction involves money laundering or terrorist financing. Filing is a legal obligation — and tipping off the customer that you've filed is a criminal offence. ComplyOne provides SAR documentation templates and filing logs.
What is a Politically Exposed Person (PEP) and how does it affect compliance?
A Politically Exposed Person is someone who holds or has recently held a prominent public position — including politicians, senior government officials, judges, senior military officers, and state enterprise executives — along with their close family members and known associates. AML regulations require Enhanced Due Diligence for PEPs due to heightened corruption risk. You must screen for PEP status at onboarding and maintain monitoring throughout the business relationship.
How does the new AMLR differ from the AMLD6 directive?
The Anti-Money Laundering Regulation (AMLR) is a directly applicable EU regulation — unlike AMLD6, which was a directive requiring national implementation and created variation across member states. The AMLR creates uniform rules across all EU member states and establishes a new EU Anti-Money Laundering Authority (AMLA) with direct supervisory powers over high-risk obliged entities. Full application is expected from 2027.