What the New AMLA CDD Requirements Mean for Your Business
On 24 March 2026, the EU Anti-Money Laundering Authority (AMLA) held its first ever public hearing. Over 1,600 stakeholders joined, from banks and fintechs to real estate firms and legal professionals. The focus? Two sets of draft Regulatory Technical Standards (RTS) that will reshape how businesses across Europe perform customer due diligence (CDD). If your firm operates in or serves clients in the EU, the new AMLA CDD requirements for 2026 and beyond deserve your attention.
These draft standards mark a turning point. For the first time, a central EU authority is playing a leading role in setting harmonized rules on what information to collect, how to verify customer identities and when to apply simplified or enhanced checks. Fragmented, country-by-country CDD frameworks are expected to reduce over time under the new regime.
Why AMLA Changes the Game for Customer Due Diligence
Until January 2026, anti-money laundering supervision sat with the European Banking Authority (EBA). That changed when AMLA introduced centralized supervision and rulemaking, while the EBA continues to play a supporting role in AML/CFT oversight. Based in Frankfurt, AMLA now plays a central role in building the EU’s single AML/CFT rulebook for financial crime prevention.
This transfer matters because the EBA’s guidelines were just that: guidelines. National regulators could interpret them differently and they often did. The result was a patchwork of CDD expectations that made cross-border compliance expensive and confusing. AMLA’s regulatory technical standards, by contrast, are expected to become binding across all EU member states once adopted by the European Commission as delegated or implementing acts.
For compliance teams, this shift moves the EU closer to a harmonized rulebook, although some national supervisory differences will remain. That sounds simpler on paper, but the transition itself will require careful planning and potentially significant changes to existing processes.
Inside the Draft RTS: What AMLA Expects on CDD
AMLA published its draft RTS on 9 February 2026 and opened a public consultation running until 8 May 2026. The standards cover three core areas that every obliged entity needs to understand.
Standard Customer Due Diligence
The draft RTS specifies the minimum information and documents that firms must collect when onboarding customers and verifying the identity of beneficial owners. Notably, AMLA’s draft RTS appears to take a more proportionate approach to mandatory data collection than some earlier EBA draft guidelines, though firms should review the specific provisions directly to assess the impact on their onboarding procedures. The goal is a proportionate, risk-based approach that avoids burdening low-risk customers with excessive documentation demands.
One significant development is the recognition of eIDAS-compliant digital identity for remote onboarding. Firms that adopt eIDAS Regulation-compliant electronic identification may streamline their verification processes, subject to a risk-based approach and additional controls where required. This opens the door for faster, more efficient digital onboarding across the EU.
Simplified Due Diligence
For lower-risk scenarios, the RTS outlines when firms can apply simplified due diligence (SDD). The conditions are clearly defined, giving compliance teams a practical framework rather than vague guidance. Firms will need to document their risk assessments carefully and demonstrate that the reduced measures are appropriate for each customer category.
Enhanced Due Diligence
On the other end of the spectrum, the draft further formalizes the use of dynamic triggers for enhanced due diligence (EDD). Rather than relying on static risk categories alone, the RTS encourages firms to use ongoing monitoring data and behavioral indicators to determine when a customer relationship requires deeper scrutiny. This is a meaningful shift toward continuous, risk-responsive compliance rather than a tick-box exercise performed only at onboarding.
Business Relationships vs. Occasional Transactions: Why the Distinction Matters
The second set of draft RTS tackles a question that has caused headaches for compliance professionals for years. When does a series of transactions become a business relationship? And how should firms handle linked transactions that might be structured to avoid CDD thresholds?
AMLA’s morning session at the public hearing focused specifically on these definitions. The standards set out criteria for distinguishing business relationships from occasional transactions, a classification that determines when full CDD must be performed. Getting this wrong can expose firms to regulatory action, so clarity here is welcome.
The RTS also addresses linked transactions. Criminals sometimes split large transactions into smaller amounts to stay below reporting thresholds, known as structuring or smurfing. The new standards provide guidance on identifying and aggregating linked transactions to close this gap.
For money service businesses, payment providers and firms handling high volumes of one-off transactions, these definitions will have a direct operational impact. Compliance teams should review their current transaction monitoring rules and assess whether their systems can accurately classify relationships and detect linked activity under the new framework.
AMLA CDD Requirements 2026: Key Dates and Deadlines
Understanding the timeline is critical for planning your compliance response. Here are the milestones that matter.
The public consultation on the CDD and business relationship RTS remains open until 8 May 2026. AMLA has encouraged all stakeholders, particularly those in the non-financial sector, to submit written feedback. This is your opportunity to influence the final standards.
AMLA is expected to submit its final draft RTS to the European Commission by 10 July 2026. After that, the Commission will review and adopt the standards, potentially with modifications.
The underlying requirements in the Anti-Money Laundering Regulation (AMLR) are expected to apply from 10 July 2027. This is expected to give obliged entities roughly one year from the finalization of the RTS to update their AML policies, procedures, systems and controls.
By 2028, AMLA is expected to begin directly supervising around 40 high-risk financial institutions across the EU. The selection process will start in 2027 based on a risk assessment methodology that AMLA is currently finalizing.
Who Needs to Act and What Should They Do Now?
The AMLA CDD requirements apply to all obliged entities under the EU AML framework. That includes banks, investment firms, insurance companies, payment service providers, crypto asset service providers and designated non-financial businesses and professions (DNFBPs) such as real estate agents, lawyers, accountants and dealers in precious metals.
If your firm falls into any of these categories, here are five steps to take now.
First, read the draft RTS documents. They are publicly available on AMLA’s website and provide the most authoritative view of what will be expected. Do not rely solely on third-party summaries.
Second, conduct a gap analysis. Compare your current CDD procedures against the draft requirements. Identify areas where your processes fall short or where your data collection practices need to change.
Third, assess your technology. The move toward eIDAS-compliant digital identity and dynamic EDD triggers will require capable systems. If your onboarding platform cannot support electronic identity verification or risk-based trigger mechanisms, start evaluating solutions now.
Fourth, consider submitting feedback to the consultation before 8 May 2026. If the draft standards create practical challenges for your sector, this is the time to raise those concerns.
Fifth, engage qualified compliance professionals to guide your transition. The shift to harmonized EU standards is significant and getting the implementation right from the start will save time, cost and regulatory risk down the line. Compliance7 supports firms in navigating these types of regulatory transitions.
The Bigger Picture: AMLA’s 2026 to 2028 Roadmap
The CDD standards are just one piece of AMLA’s ambitious agenda. On 4 February 2026, the authority published its first multi-year plan, the Single Programming Document (SPD), covering 2026 to 2028. The SPD outlines three strategic priorities: completing the AML single rulebook, advancing supervisory convergence across EU member states and strengthening enforcement capabilities.
AMLA also published a separate draft RTS on pecuniary sanctions, administrative measures and periodic penalty payments. The consultation on this set of standards closed on 9 March 2026. By 10 July 2026, the European Commission may publish supplementary delegated acts that further specify the requirements for sanctions.
Looking further ahead, AMLA’s direct supervision of high-risk entities from 2028 is expected to create a more centralized regulatory environment. Firms selected for direct supervision will deal with AMLA examiners rather than their national regulator, bringing a more centralized and potentially more rigorous oversight approach.
For compliance teams, the message is clear. The EU is building a more unified, more demanding AML framework and the building blocks are being laid right now. Firms that start preparing early will be better positioned than those that wait for the final rules to land.
Preparing Your Compliance Program for AMLA
The transition to AMLA’s harmonized framework is not something to tackle in the final months before the 2027 deadline. A proactive approach will reduce operational disruption for larger organizations and demonstrate good faith to regulators.
Start by designating a project lead or working group responsible for tracking AMLA developments. Assign someone to monitor the consultations, read the final RTS when published and coordinate the necessary changes across your organization.
Review your risk assessment methodology. AMLA’s emphasis on dynamic, risk-responsive CDD means that static risk models may no longer be sufficient. Consider whether your firm uses ongoing monitoring data effectively to adjust customer risk ratings over time.
Train your staff. Front-line employees who handle onboarding and transaction monitoring need to understand the new expectations. Invest in training programs that explain the practical implications of the AMLA CDD requirements, not just the legal text.
Finally, document everything. Regulators expect to see evidence that your firm has assessed the new standards, identified gaps and taken steps to address them. A clear audit trail of your preparation process will serve you well during future supervisory reviews.
At Compliance7, we work with financial institutions, fintechs, VASPs and DNFBPs to build and strengthen their AML compliance programs. If you need help strengthening your AML compliance program, book a free consultation with our team.
This article is for informational purposes only and does not constitute legal or regulatory advice. For guidance specific to your business, consult a qualified compliance professional.
