Anti Money Laundering Compliance Is Now A Single Rulebook Problem: By Victor Mendez

The stack most firms still run was built for a regime that no longer exists

Directive-era muscle memory

Most MLROs still talk about AMLD6 readiness as if the directive were the destination. It is not. AMLD6 has been transposed, AMLA is operational, the AML Regulation lands in July 2027, and the UK has quietly stopped copying EU text across. The anti money
laundering compliance stack most firms built during the 4AMLD and 5AMLD years was shaped by directive-level discretion — every Member State bent the text to its own supervisor, and firms calibrated around that bend. Discretion is the thing the new regime is
removing, and the stack was not written with that in mind.

What changed while the industry wasn’t watching

The argument in one line: the anti money laundering stack is not wrong, it is built on the wrong assumption about where the rules come from. Three things moved at once. AMLA in Frankfurt became the direct supervisor of selected high-risk obliged entities.
The AML Regulation (EU) 2024/1624 became a directly applicable single rulebook on CDD, beneficial ownership and internal controls, set to apply from 10 July 2027. And the UK declined to mirror any of it, leaving the Money Laundering Regulations 2017 as the
operative baseline on this side of the Channel. For firms, the money laundering regulations they lived under yesterday are not the ones they will be audited against tomorrow, and the risk assessment they wrote last year was scoped to neither.

The single rulebook is not a rebrand of AMLD6

AMLA and the shift to direct supervision

Regulation (EU) 2024/1620 creates a Union-level supervisor with a specific remit: direct supervisory and enforcement powers over a selected population of high-risk obliged entities, and a coordinating role over national AML supervisors from mid-2025. AMLA
does not supervise every EU firm, and that precision matters — most financial institutions will still deal with their national regulator day to day. The operating shift is narrower and sharper than the press releases suggest. For the slice of the market inside
AMLA’s direct perimeter, money laundering supervision has stopped being purely national. For everyone else, the tone of national supervision is now being set by a Union-level body reading from a Union-level text.

AMLR replaces discretion with obligation

The AML Regulation (2024/1624) is the instrument that does the real work. Customer due diligence, beneficial ownership, internal controls, PEP and EDD rules — all of them now live in a directly applicable Regulation rather than a money laundering directive
filtered through twenty-seven transpositions. Apply date: 10 July 2027, with a limited carve-out to 10 July 2029 for certain obliged entities in Article 3(3)(n) and (o). AMLR is not an update to the directives. It is the end of directive-level discretion.
Firms that built their policies, controls and procedures around national flavour — UK reg 18 weightings, a German interpretation of beneficial owners, a French ongoing monitoring cadence — will find those choices reconciled back to a single text they did not
draft.

AMLD6 is now the thin layer, not the thick one

Directive (EU) 2024/1640 is narrower than the industry shorthand implies. It sits over FIUs, beneficial ownership registers, bank account registers, real estate data access and the Member State architecture around supervisors and cooperation duties, with
transposition due by 10 July 2027. That is real work, but it is plumbing. The obligations that bind an obliged entity — the anti money laundering (AML) requirements a firm actually performs against customers — sit in the Regulation, not the directive. A compliance
stack that still treats AMLD6 as the primary axis for preventing money laundering or terrorist financing has its weights upside down.

The risk assessment is where the old stack fails first

FATF Recommendation 1 still anchors the logic

The risk-based approach has not changed. FATF Recommendation 1, updated in November 2023, still requires countries and financial institutions to identify, assess and mitigate their ML and TF risks, and to apply controls commensurate with those risks. The
firm-wide risk assessment is the load-bearing wall of every anti money laundering programme, the place where money laundering risk and terrorist financing risk factors are named and weighted. The new EU rules do not soften that foundation. They harden it —
by removing the national wiggle room that once let firms frame their risks around a friendly supervisor’s taxonomy.

Firm-wide risk assessments written for the wrong regime

Most firm-wide risk assessment documents in circulation today were drafted against MLR 2017 regulation 18, reviewed annually against UK typologies, and quietly reused. Under the AML Regulation, the threshold moves from "reasonable in your jurisdiction" to
"consistent with the single rulebook". That breaks two things at once: inherited mitigants that quietly leaned on national carve-outs, and matter-level risk assessments that used UK or Member State taxonomies rather than the AMLR classification. The gap is not
cosmetic — it is the difference between a control the supervisor can trace and one they cannot.

The operator move is to treat the next firm-wide review not as a refresh but as a gap analysis against the AMLR articles on CDD, EDD and internal controls. A senior MLRO should start where the old stack is most opinionated: customer segmentation logic, geographic
risk drivers, product risk weightings. Those are the places where directive-era discretion got encoded into business-as-usual, and they are the first places a single rulebook supervisor will read.

Customer due diligence under a directly applicable rulebook

CDD stops being a local design choice

Under the directives, customer due diligence requirements reached firms through national transposition — each Member State wrote its own verbs over the top. Under AMLR, the customer due diligence requirements apply as written. Identification, verification,
understanding of the intended nature of the business relationship, ongoing monitoring of customer information — the words are the same, the discretion is not. Firms that localised their CDD playbooks to match each national regulator’s expectation on a new
account now have to reconcile those playbooks back to a single text. Every diligence measure that used to say "where national law requires" needs a new home, or it needs to go.

Enhanced due diligence and PEPs: the EDD perimeter is widening

FATF Recommendations 12 and 22 still set the PEP baseline — senior management approval, source-of-wealth and source-of-funds checks, enhanced ongoing monitoring, and extension to DNFBPs. The EBA’s ML/TF Risk Factors Guidelines (EBA/GL/2021/02, as amended
in 2023 and 2024) translate that baseline into the EU cut and now explicitly cover crypto-asset service providers. Enhanced due diligence is no longer a UK-flavoured list of triggers bolted onto a national rulebook. It is a harmonised weighting exercise a
supervisor can score against a known set of risk factors, and high-risk customers, politically exposed persons and the rest of the EDD perimeter sit inside that scoring rather than alongside it.

Policies, controls and procedures: the document most firms underwrite badly

What the rulebook actually asks for

Both the AML Regulation and MLR 2017 require written policies, controls and procedures proportionate to risk, with an accountable money laundering reporting officer and defined responsibilities for relevant employees. The FCA’s Financial Crime Guide (FCG
3), updated via Policy Statement PS24/17 in late 2024, sets the UK expectation on top of that baseline — internal controls proportionate to money-laundering risk, proliferation financing added to the remit, and the MLRO at the centre of the firm’s compliance
architecture. FCG is guidance, not law, but it is the expectation the FCA will read a firm’s AML policies against, and any AML compliance programme or anti money laundering policies document written without it in mind will read as incomplete.

Where the document quietly drifts from the control

Policy documents get reviewed annually. Controls get tuned quarterly. Procedures get rewritten whenever a product team ships something new. Over a couple of years, the three drift apart, and the MLRO attestation starts covering a document that no longer
describes the operation. Under a single-rulebook regime, that drift is the first thing a supervisor notices, because the reference text is public and fixed — non-compliance with the rulebook is easier to prove when everyone is reading the same article numbers.
The fix is mechanical: anchor the annual review to the rulebook article numbers rather than to internal headings, and make the regulatory obligations and legal obligations the chapter structure of the document.

Suspicious activity reporting is still a UK statutory spine

POCA section 330 sets the threshold, not the form

For UK firms, the SAR regime is not a procedure. It is a criminal statute. Under section 330 of the Proceeds of Crime Act 2002, a person in the regulated sector who has reasonable grounds to suspect money laundering and fails to disclose to the nominated
officer or the National Crime Agency commits a criminal offence carrying up to five years' imprisonment. Keep the phrase "reasonable grounds to suspect" verbatim, because any softer wording misstates a statutory threshold that an MLRO cannot
afford to blur. Suspicious activity reporting is a Proceeds of Crime Act obligation before it is a compliance obligation, and the two are not the same conversation.

The SAR numbers the MLRO needs to know

The UKFIU received 872,048 suspicious activity reports in 2023-24, a modest 1.5% rise on the previous year, while Defence Against Money Laundering requests fell 23% to 57,081 and DAML refusals rose 44% to 2,881 — £190.3m of assets denied to suspected criminals.
The story is not volume. It is sharper use of the DAML mechanism by the National Crime Agency against money laundering activity linked to serious and organised crime and other criminal activity. Firms that calibrate their suspicion thresholds to raw SAR volume
are reading the wrong signal; the one worth watching is the refusal rate.

Ongoing monitoring, MLROs and the scope of the regulated population

Monitoring stops being a quarterly review

Ongoing monitoring under AMLR and the EBA guidelines is continuous, risk-calibrated and reactive to trigger events — not a batch process run on a schedule. The EBA Risk Factors Guidelines give the weighting logic; the rulebook gives the obligation. The practical
consequence for risk management is that monitoring owned by a quarterly committee will underperform against a supervisor reading the same guideline, because the supervisor’s yardstick is event-driven and the committee’s is calendar-driven. A programme designed
to prevent money laundering at the transaction layer has to move at transaction speed, not at governance speed.

Who supervises whom is not obvious anymore

In the UK, the FCA covers the regulated financial perimeter, but HMRC still supervises money service businesses, high value dealers, trust or company service providers and the rest of the non-FCA population under the Money Laundering Regulations 2017, using
a risk-based inspection model. In the EU, selected obliged entities will move under AMLA direct supervision from mid-2025 onward. Sole practitioners and small firms that assumed their supervisor would never change are the population most likely to be caught
flat-footed — not because they missed a rule, but because the business they thought they understood now answers to a different reader.

What a credible 2026–27 readiness programme looks like

The UK baseline is still MLR 2017, and it is not standing still

UK firms should stop treating MLR 2017 as a transitional artefact. In its 2022 follow-up, FATF rated the UK compliant or largely compliant on 39 of 40 Recommendations and kept the country in regular follow-up — a credible baseline, not a gold-standard ceiling.
Regulations 18, 19, 27, 33 and 40 still anchor UK money laundering compliance and AML compliance practice, and the FCG sits on top of them. The divergence from AMLR is a feature to plan around, not a gap to paper over, and the regulatory obligations on UK
firms are now distinct enough that "we follow the EU text" is no longer a defensible shortcut.

The operator move for firms touching both regimes

For firms with EU and UK footprints, the readiness work is not two programmes. It is one mapping exercise. Anchor controls to AMLR article numbers where the EU rulebook bites, anchor the UK side to MLR 2017 and the FCG, and write the firm-wide risk assessment
so that a supervisor in either jurisdiction can trace a control back to a source text without an interpreter. The output is a single document with two reading orders, and the test is whether a regulator can find the control they are looking for inside a minute.
That is the test the directive-era stack fails and the new one has to pass.

The firms that will struggle in 2027 are not the ones that missed AMLD6. They are the ones that treated AMLD6 as the finish line. Anti money laundering compliance stopped being a directive problem the day the AML Regulation was signed, and the firms that
have already rewritten their risk assessment against the rulebook will be the ones a supervisor reads quickly. Everyone else will be read slowly, which is the part of the new regime nobody advertises and every MLRO should plan for.

By Victor Mendez, Co-Founder & CMO, Verifyo
