The Anti-Money Laundering Regulation (AMLR) will take effect in July 2027, and for AML professionals, one of the main challenges is knowing where to begin.
The shift to a single EU rulebook changes how AML frameworks are expected to operate. Requirements that were previously interpreted at a national level will now be applied consistently across the EU.
At the same time, most organisations are not starting from zero. Existing frameworks are already in place, often shaped by years of regulatory expectations, internal processes, and system limitations.
So, the real question is:how can you align what you already have with what AMLR demands, without losing control of your operations?
AMLR readiness: what does the market say?
When speaking with customers, one question comes up consistently: “Where do we even begin?”
Our customer research shows that 67% of institutions have conducted an initial analysis, while 17% plan to start soon. Only 8% have begun a structured implementation, and another 8% have not started at all.
Despite the July 2027 deadline, AMLR is already an active challenge for most organisations.
Confidence levels reflect this uncertainty. 33% say they feel confident, while another 33% are actively working towards readiness, but are not yet confident. 26% report low confidence, and only 8% feel fully prepared.
When looking at the main challenges:
- 33% point to timeline and implementation, driven by limited time, competing priorities, and dependency risks.
- 24% highlight data quality issues, including unclear definitions and fragmented data.
- 24% identify resource constraints, with small teams managing increasing demands.
- 19% struggle with interpretation, where uncertainty around requirements slows progress.
AMLR timeline: where are we, what is happening, and where are we going?
At our latest breakfast seminar, Jonas Karlsson, Managing Director and Head of Financial Crime Prevention at Advisense, focused on answering the questions around timelines, priorities, and how institutions can move forward with confidence.
The AMLA Single Programming Document (SPD) is the central planning tool for AMLR implementation, showcased by Jonas.
It outlines all Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and guidelines under the EU AML Package.
As Jonas noted:
"The SPD is the single most important planning document for AMLR implementation. If you haven't read it, you're planning blind.”
Several RTS are currently in consultation, as well as planned on the timeline, including:
- AMLR 16.4: Group-wide policies
- AMLR 19.9: High-risk sectors
- AMLR 23: Risk variables
- AMLR 26.5: Ongoing monitoring
- AMLR 28.1: Customer due diligence information
This staggered release requires institutions to plan iteratively rather than wait for the full regulatory package.
The real timeline: less time than it looks
While the timeline may appear manageable on paper, it's significantly shorter in practice.
Jonas highlighted that:
"While 17 months to July 2027 sounds like a lot…there are maybe 12 effective working months."
Budget cycles, competing priorities, resource constraints, as well as holidays reduce the actual time available for implementation.
The timeline reinforces the need for early prioritisation and structured execution across the company.
How to get started - from policy to practical assessment
As mentioned from our customer research, many institutions have already begun with a gap analysis.
Jonas’ advice is to first understand where your current position through two lenses: maturity and capability.
To conduct an effective maturity assessment, ask yourself these questions:
- How strong is your current AML/CTF framework?
- Is there AMLR awareness at the board and management level?
- Do first-line teams understand the operational impact?
- What is the quality of existing policies and frameworks?
- How effective are current controls and processes?
- Is there a shared understanding across compliance, operations, and technology?
To conduct an effective capability assessment, ask yourself these questions:
- Can your organisation deliver on AMLR requirements?
- Do you have sufficient resources across compliance, business, and technology?
- What competing priorities exist (e.g., the Digital Operational Resilience Act, the Markets in Crypto-Assets regulation)?
- Do you have project governance and execution capacity?
- Is your technology stack ready for change?
- Is there budget authority and investment appetite?
Another step institutions focus on is, of course, understanding the law and identifying which articles to comply with. This often leads to a checkbox approach.
Instead, AMLR requires organisations to build operational capabilities. As Jonas puts it:
“Don't ask 'which articles do we need to comply with?' Ask 'what capabilities do we need to build?’”
These capabilities include:
- Risk assessment: ability to assess, score, and communicate risk
- Customer due diligence:efficient onboarding, verification, and maintenance of customer data
- Monitoring: detection of suspicious behaviour with acceptable accuracy
- Reporting: reliable production of regulatory reports
- Data management: collection, storage, and retrieval of quality data
- Governance: active board ownership and oversight
How Trapets supports AMLR readiness
AMLR increases expectations on consistency, traceability, and control. Institutions must be able to demonstrate how risk decisions are made across the full AML lifecycle.
From regulation to execution, Trapets helps institutions through:
- Structured workflows across customer due diligence, screening, and transaction monitoring
- Consistent risk scoring logic across the customer lifecycle
- Documented decision-making and full audit trails
- Full traceability of model and threshold changes
- Clear alert prioritisation and risk rationale
Curious to learn more about how Trapets can help you in your AMLR efforts? Our experts are here to help you.