The EU's new Anti-Money Laundering Regulation takes effect in July 2027. For the first time, there will be a single AML rulebook applicable across all EU member states — replacing the patchwork of national implementations that created inconsistency and gaps across the bloc.
For businesses already subject to AML obligations, this means reviewing existing programmes against a harmonised standard. For businesses newly in scope, it means building a programme from scratch. Either way, the obligations are substantive. Here is what you need to have in place.
1. Define your customer risk appetite in writing
Before you can build an AML programme, you need to define who you are willing to onboard and under what conditions. What customer types, geographies, business sectors, and transaction profiles are acceptable? Where are your limits?
This document — your risk appetite statement — is the foundation of your entire AML programme. It informs your due diligence procedures, your risk scoring model, your monitoring triggers, and your escalation thresholds. Without it, the rest of your programme lacks a coherent basis.
2. Build a Customer Due Diligence procedure
Customer Due Diligence (CDD) is the process of identifying, verifying, and understanding your customers before and during the business relationship. Your CDD procedure must document:
- What information you collect at onboarding (name, address, date of birth, document type for individuals; registered name, registration number, registered address, business purpose for entities)
- How you verify that information (document checks, electronic verification, registry searches)
- How you assess the purpose and nature of the business relationship
The procedure must be written down, applied consistently, and kept current as regulatory requirements evolve.
3. Identify beneficial ownership on every entity customer
When your customer is a company, a trust, or another legal structure, you must identify who ultimately owns or controls it. The threshold under EU AML law is 25% ownership or control. If no individual meets this threshold, you must identify the senior management official.
This is not optional and there are no exceptions. Beneficial ownership information must be collected at onboarding, verified against available sources (including EU beneficial ownership registers), and kept current throughout the relationship. Shell structures and complex ownership chains must be traced through to the natural person at the top.
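As an added illustration (not part of the article), the following Python traces ownership chains through intermediate legal entities to the natural persons at the top and applies the 25% threshold from the text, falling back to the senior management official when nobody meets it. The ownership graph and names are constructed sample data, and multiplying fractions along each chain to obtain indirect ownership is an assumed method.

```python
# Constructed ownership graph (sample data, not real entities).
# Each legal entity maps to (owner, fraction of shares held) pairs;
# owners that never appear as keys are treated as natural persons.
OWNERSHIP = {
    "CustomerCo": [("HoldCo A", 0.60), ("HoldCo B", 0.30), ("Dana", 0.10)],
    "HoldCo A": [("Alice", 0.50), ("Bob", 0.50)],
    "HoldCo B": [("Carol", 1.00)],
    "WidelyHeld": [(f"Investor{i}", 0.20) for i in range(1, 6)],
}
# Constructed fallback: senior management official per entity.
SENIOR_MANAGER = {"CustomerCo": "Erin (CEO)", "WidelyHeld": "Frank (MD)"}
THRESHOLD = 0.25  # 25% ownership-or-control threshold stated in the article


def effective_ownership(entity, graph, _seen=frozenset()):
    """Return {natural_person: effective fraction} for `entity`,
    multiplying fractions along each chain (assumed indirect-ownership method)."""
    if entity in _seen:
        raise ValueError(f"circular ownership chain via {entity}")
    result = {}
    for owner, fraction in graph.get(entity, []):
        if owner in graph:  # intermediate legal entity: keep tracing upwards
            for person, sub in effective_ownership(owner, graph, _seen | {entity}).items():
                result[person] = result.get(person, 0.0) + fraction * sub
        else:  # natural person at the top of this chain
            result[owner] = result.get(owner, 0.0) + fraction
    return result


def beneficial_owners(entity, graph, senior_managers, threshold=THRESHOLD):
    """Natural persons at or above the threshold; otherwise the senior
    management official, which the article names as the required fallback."""
    shares = effective_ownership(entity, graph)
    ubos = {p: round(f, 4) for p, f in shares.items() if f >= threshold}
    if ubos:
        return {"basis": "ownership", "owners": ubos}
    return {"basis": "senior_management", "owners": {senior_managers[entity]: None}}


if __name__ == "__main__":
    for name in ("CustomerCo", "WidelyHeld"):
        print(name, beneficial_owners(name, OWNERSHIP, SENIOR_MANAGER))
```

Dana's direct 10% stake is below the threshold and is correctly left out, while Alice, Bob and Carol each reach 30% only through the holding companies.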
4. Screen against EU and UN sanctions lists — at onboarding and ongoing
Every customer must be screened against relevant sanctions lists before onboarding. This includes EU consolidated sanctions lists, UN Security Council sanctions lists, and any national lists applicable to your business.
Screening at onboarding is the minimum. Sanctions lists change — new designations are added, existing ones are modified. A customer who was clean at onboarding may be sanctioned six months later. Your screening programme must run on an ongoing basis, with a process for handling positive matches and a clear escalation path.
5. Screen for Politically Exposed Persons
Politically Exposed Persons (PEPs) are individuals who hold or have held prominent public functions — heads of state, senior politicians, senior government officials, senior judicial officials, central bank governors, senior military officers, and directors of state-owned enterprises. Their immediate family members and known close associates are also treated as PEPs.
PEPs require Enhanced Due Diligence: more detailed information collection, senior management approval before establishing the relationship, more frequent ongoing monitoring, and a higher level of scrutiny on the source of funds and wealth.
Your onboarding process must include PEP screening, and your ongoing monitoring must flag customers who become PEPs after onboarding.
6. Document your customer risk scoring model
AML regulations require a risk-based approach — which means applying more scrutiny to higher-risk customers and relationships. But a risk-based approach only holds up if your risk scoring methodology is documented, consistently applied, and defensible to a regulator.
Your risk scoring model should cover: customer type and sector, geographic risk (country of incorporation, country of operation, country of residence), product and service risk, delivery channel risk, and transaction patterns. The factors, weightings, and resulting risk categories (low, medium, high) must be documented. A regulator will want to see your methodology, not just your decisions.
7. Implement ongoing transaction monitoring
AML compliance doesn't end at onboarding. Your business relationship with a customer must be monitored on an ongoing basis. Transaction monitoring means reviewing customer activity for patterns that are inconsistent with the expected profile of the relationship — unusual volumes, unusual counterparties, structuring (breaking transactions into smaller amounts to avoid thresholds), transactions inconsistent with stated business purpose.
This doesn't necessarily require sophisticated software for smaller businesses. What it does require is a documented approach, clear triggers for investigation, and a process for escalating suspicious activity.
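The two monitoring triggers the text names, structuring below a threshold and volumes inconsistent with the expected profile, can be expressed as simple documented rules over a transaction list. This is an added example, not the article's own material; the threshold amount, window, minimum count, expected monthly volumes and the transactions themselves are constructed assumptions to be set from your own risk appetite.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000          # assumed reporting threshold (EUR); set per your jurisdiction
WINDOW = timedelta(days=7)  # assumed rolling window for the structuring rule
MIN_COUNT = 3               # assumed minimum number of sub-threshold transactions

# Constructed sample transactions: (customer_id, ISO timestamp, amount in EUR)
SAMPLE_TXNS = [
    ("C1", "2027-07-01T10:00", 9_500), ("C1", "2027-07-02T11:30", 9_800),
    ("C1", "2027-07-03T09:15", 9_700), ("C2", "2027-07-01T12:00", 500),
    ("C2", "2027-07-15T12:00", 700),   ("C3", "2027-07-04T08:00", 25_000),
]
# Constructed expected monthly volume per customer, as recorded at onboarding.
EXPECTED_MONTHLY = {"C1": 30_000, "C2": 2_000, "C3": 5_000}


def structuring_alerts(txns, threshold=THRESHOLD, window=WINDOW, min_count=MIN_COUNT):
    """Flag customers whose sub-threshold transactions inside a rolling window
    add up past the threshold: the 'breaking up amounts' pattern in the text."""
    by_customer = defaultdict(list)
    for cust, ts, amount in txns:
        if amount < threshold:  # single large transactions are covered by other rules
            by_customer[cust].append((datetime.fromisoformat(ts), amount))
    alerts = []
    for cust, events in by_customer.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            total = sum(a for _, a in chunk)
            if len(chunk) >= min_count and total >= threshold:
                alerts.append({"customer": cust, "count": len(chunk), "total": total})
                break  # one alert per customer is enough to open a review
    return alerts


def profile_alerts(txns, expected, factor=3.0):
    """Flag customers whose total volume exceeds `factor` times the expected
    monthly volume stated at onboarding (factor is an assumed setting)."""
    totals = defaultdict(int)
    for cust, _, amount in txns:
        totals[cust] += amount
    return [{"customer": c, "total": t, "expected": expected[c]}
            for c, t in totals.items() if t > factor * expected[c]]
```

Each alert records the evidence (count, total, expected profile) so the escalation decision and any later SAR can point back to the documented trigger.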
8. Establish a Suspicious Activity Reporting process
When staff identify activity they suspect may be related to money laundering or terrorist financing, there must be a clear process for what happens next. Who receives the internal report? Who makes the decision whether to file an external Suspicious Activity Report (SAR) with the Financial Intelligence Unit? Who actually submits the SAR?
This process must be documented before you need it. Filing a SAR under time pressure without a pre-established process increases the risk of errors, missed filings, and tipping off the customer — which is itself a criminal offence.
9. Appoint a Money Laundering Reporting Officer
Your AML programme must have a named owner: a Money Laundering Reporting Officer (MLRO). The MLRO receives internal suspicious activity reports, makes the decision to file or not file with the Financial Intelligence Unit, and serves as the primary point of contact for regulatory inquiries.
The MLRO must have sufficient seniority, independence, and access to information to fulfil the role effectively. They must be registered with your competent authority where required. For smaller businesses, this may be a senior individual with multiple responsibilities — but the role and the person must be clearly named.
10. Train every customer-facing employee annually
Everyone on your team who has contact with customers — onboarding, relationship management, customer service, sales — must understand what money laundering is, how to recognise red flags in their specific role, what their internal reporting obligations are, and how to use your internal SAR process.
This must be a recurring programme — not a slide deck shown once at onboarding. Training must be logged: who attended, when, what was covered. Annual completion is the standard regulatory expectation. In an investigation, you will be asked for evidence.
The EU's new Anti-Money Laundering Regulation takes effect July 2027. One unified rulebook across all member states. The transition period is shorter than it looks.
Knowing the 10 steps and having them documented, monitored, and auditable are two different things.
Check your AML/KYC readiness
Find out where your customer due diligence and monitoring programme has gaps before the new regulation takes effect.
This article is for informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a qualified attorney licensed in your jurisdiction.
