AMLA is coming. Is your organisation ready for 2027?
With July 2027 approaching fast and regulatory technical standards still emerging, financial institutions cannot afford to wait. Here is what you should be doing right now.
Discussion surrounding AMLA is everywhere right now and rightly so. But for all the attention it is receiving, there remains a striking amount of uncertainty, whether it be about timelines, technical standards or about what exactly will be required and when. That uncertainty is real and it is not entirely of the industry’s making.
What it cannot be, however, is an excuse to stand still. The institutions that will be in the strongest position by July 2027 are not waiting for every detail to be confirmed before they act. They are making progress now, on the things they can already see clearly, while building the flexibility to absorb what is still to come.
With July 2027 approaching fast and regulatory technical standards still emerging, financial institutions cannot afford to wait. Here is what you should be doing right now.
Discussion surrounding AMLA is everywhere right now and rightly so. But for all the attention it is receiving, there remains a striking amount of uncertainty, whether it be about timelines, technical standards or about what exactly will be required and when. That uncertainty is real and it is not entirely of the industry’s making.
What it cannot be, however, is an excuse to stand still. The institutions that will be in the strongest position by July 2027 are not waiting for every detail to be confirmed before they act. They are making progress now, on the things they can already see clearly, while building the flexibility to absorb what is still to come.
Want the broader AMLA context? Read here how AMLA and the EU AML Regulation are reshaping supervision, and why 2026 is the year to act.
The gap assessment is proving to be harder than expected
A recent PwC survey1 found that less than 30% of financial institutions have completed a detailed AMLA impact and gap assessment. That statistic deserves to sit with you for a moment because a gap assessment is only the beginning of the journey.
The challenge is partly structural. AMLA continues to publish its regulatory technical standards, consultations remain open and feedback is still being reviewed. Financial institutions are being asked to prepare for a future operating model before every requirement has been finalised. That has created a paralysis in parts of the market with multiple institutions waiting for the final texts before they act.
That is not the way forward. By the time the final texts are signed off by the European Commission, which is expected after summer 2026, the implementation window will have shrunk considerably. The 10th July 2027 is not a distant horizon. For institutions with complex group structures or legacy technology, it is already close.
The companies that will be best positioned are those that realise early on that the hardest work was never going to be interpreting the rules but changing the organisation.
By the time the final texts are signed off by the European Commission, which is expected after summer 2026, the implementation window will have shrunk considerably.
The change runs deeper than compliance
It would be a mistake to approach AMLA as a compliance update. The changes it demands go to the heart of how financial crime programmes are structured, staffed and measured.
Consider the move from periodic, static risk reviews to real dynamic, event-driven assessments. Many banks still follow an approach where a high-risk client is reviewed every twelve months. AMLA’s direction of travel is that risk should be assessed proportionately, based on what is happening in real time. If a risk event occurs, the institution should be able to detect and respond to it rather than wait for the next scheduled review cycle.
Equally significant is the move toward understanding client context rather than simply processing client information. The gap between intent and practice is wide. In too many institutions, an alert still triggers a workflow, a standard operating procedure is followed, boxes are checked and the case is closed. That is not what AMLA has in mind.
This gap between intent and practice is one of the most underappreciated challenges in AMLA preparation, as well as being one of the most human. Investigators are trained to follow a process. Teams are measured on case completion. Workflows are built around efficiency, not curiosity. Closing that gap is specifically an organisational project that starts long before any system is implemented.
Then there is the group-wide consistency challenge that will reshape governance across multinational banks.
Historically, most pan-European financial groups have organised AML compliance locally, within federated structures. What AMLA demands is something different: a shift from federated compliance structures to group-level consistency, where information is aggregated, risk decisions are aligned and reporting flows up to the group.
This is about full cross-border governance transformation.
Where the real readiness gaps lie
Ask where institutions are struggling most and customer due diligence (CDD) will often be at the top of the list. The CDD function typically involves the largest teams, the greatest complexity, the deepest local integration and the heaviest administrative burden. It is also where AMLA’s requirements will land hardest, with new rules focused on additional data collection on clients and corporate structures, stricter standards on beneficial ownership and a requirement for more rigorous ongoing monitoring.
Sourcing a single new data point, such as the country of birth of every client, sounds manageable in isolation. But tracing that seemingly straightforward requirement through the various systems of a large bank takes time, resources and cross-functional coordination to implement properly.
But before any conversation about systems or platforms, institutions need to honestly assess whether their people, structures and ways of working are ready for what AMLA demands. Legacy technology gets most of the attention but legacy thinking, as in how teams are organised, how risk decisions are made and how compliance interacts with the business, is often the deeper obstacle. Technology can be augmented, while culture and organisational design take longer.
Incorporating governance is equally demanding. Institutions with a meaningful international footprint will need to design reporting structures that aggregate compliance metrics across multiple jurisdictions and present them coherently – something that local entities have never been required to do.
AMLA’s direct supervision mandate initially covers 40 significant financial institutions. These are the highest-risk cross-border institutions in the EU, selected by AMLA for direct oversight rather than supervision through national regulators. Its approach will involve, amongst others, comparing key metrics across similar banks. Two banks with similar risk appetite statements and similar type of clients, distribution channels and products but meaningfully different AML metrics will have a lot of explaining to do. That kind of supervisory scrutiny requires governance infrastructure that takes time to build.
For institutions focused on making rapid progress, the priority order would be clear:
1. Complete the gap assessment as a cross-functional exercise with compliance, legal, data, IT and operations all at the table.
2. Begin implementation without waiting for every final text because throughput time will be longer than expected.
3. Build the reporting and governance infrastructure that group-level accountability will demand.
Before any conversation about systems or platforms, institutions need to honestly assess whether their people, structures and ways of working are ready for what AMLA demands.
Implementing AMLR doesn’t need a technology reset
Every regulatory change generates a technology debate and AMLA is no different. Questions that surface tend to focus on:
- Which systems need replacing?
- Which platforms need upgrading?
- Which vendors should be evaluated?
These are reasonable questions but there’s a more important one: How do you modernise existing systems in a way that creates lasting capability rather than another layer of complexity?
The instinct to replace legacy systems entirely is understandable but largely impractical. Financial crime technology is deeply embedded and wired into client, transaction and reporting systems. Replacing it wholesale, particularly against the AMLA timeline, is like open-heart surgery. The more realistic and more valuable approach is augmentation. Financial institutions should identify where current architecture can be enhanced, where data quality can be improved and where detection capabilities are falling short.
The transaction monitoring piece deserves particular attention. Legacy rule-based systems have consistently generated high volumes of false positives while missing genuine risk signals. The efficiency cost is enormous as investigation teams spend too much time on low-value alerts rather than legitimate cases. The effectiveness cost is higher still and this is where AI-powered tools can make a measurable impact. Systems will need to identify behavioural patterns across clients and networks rather than reacting to individual transactions in isolation, reducing false positives while surfacing real risk signals.
AMLA’s alignment with the Financial Action Task Force’s (FATF) growing emphasis on outcomes rather than activity means that institutions need to demonstrate they are finding actual money launderers, not just processing high volumes of alerts.
But the technology conversation cannot stop at capability. It has to address trust.
Explainability must be the foundation of any change
Regulators, compliance teams and investigators all share a common requirement when an AI system flags suspicious behaviour: they need to understand why. A risk score of 95% is not an explanation, it’s just a number. Without the reasoning behind it, it creates more work and it cannot be defended.
This is where the objectives of AMLA and the EU AI Act converge because they both recognise that accountability cannot be delegated to an algorithm. Human oversight, documented governance and explainability are not optional enhancements. They are foundational requirements for any AI deployment in a regulated environment because they are the conditions under which AI can be trusted and used responsibly in financial crime detection.
Governance around AI models also needs to be explicit, from their training and validation to setting the thresholds and reviewing performance over time. Regulators will expect such documentation and compliance teams will need to evolve alongside.
Indeed, the purely legal-background template is no longer sufficient. The compliance function of the future will need data skills, technical literacy, business understanding and actual curiosity about whether the systems they are using reflect reality.
Human oversight, documented governance and explainability are not optional enhancements. They are foundational requirements for any AI deployment in a regulated environment.
Want to read more on how AML teams are evolving as financial crime becomes more digital, complex and data-driven? Read the interview with Stefan Delaet, General Manager Financial Crime at KBC Group, on the changing skills, structures and mindsets required in modern AML.
The four pillars every financial business needs to get right
For institutions serious about being in a defensible position by July 2027, there are four capability areas that need to be in order.
Data quality and ingestion
Everything depends on the quality of the underlying data – detection, monitoring, reporting and investigation. Rather than rebuilding data infrastructure from scratch, this means having a solid view of what data exists, where it lives, how complete it is and where the gaps are relative to what AMLA will require.
Detection enhancement
Legacy transaction monitoring systems are not adequate for the risk-based, behaviour-aware monitoring that AMLA demands. Augmenting them with AI-powered detection built on explainable models that can be governed, monitored and defended is where the real uplift in effectiveness sits.
Alert management and investigation support
This is where the operational cost of financial crime compliance is heaviest: our research has found that over 60% of total cost of ownership in financial crime sits in operations and investigations, not technology. AI-assisted investigation tools and, in time, agentic AI capable of handling the administrative burden of case assembly, represent a significant opportunity to free investigator capacity for risk assessment.
Reporting and dashboarding
Institutions need to be able to demonstrate they are in control: tracking model performance, monitoring key metrics, identifying trends and producing the group-level reporting that AMLA’s supervisory framework will require.
Building AML capability that lasts well beyond 2027
It’s very unlikely that any institution will arrive at July 2027 fully ready. The regulatory landscape is still evolving and new requirements will continue to emerge after the deadline. But this isn’t an excuse to delay, rather it is a reason to build capability from now.
Financial crime will not stop evolving because AMLA has been implemented. Criminal networks will adapt and regulators will raise expectations. AMLR 2.0 will probably follow version 1.0 in time. The institutions that will be in the strongest position in 2027 will be those that treat this moment not as a deadline to survive but as an opportunity to build the infrastructure, governance, data quality and intelligent detection capability that modern anti-money laundering compliance requires.
The clock is ticking down. Is your institution going to be ready in time – or at all?
1 Source: Mind the Gap | EMEA AML Survey 2026 by PwC