
EBA’s new AML technical standards: What you need to know

EBA’s new AML standards redefine compliance for financial institutions. Learn key changes in risk assessment, due diligence & enforcement—act now to stay ahead.

The European Banking Authority (EBA) released a consultation paper on March 6, 2025 setting out four draft regulatory technical standards (RTS). The drafts respond to the European Commission’s call for advice on the mandates of the new Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA).

Covering risk assessment, direct supervision, customer due diligence (CDD) and enforcement, these standards mark a significant shift in how financial institutions must manage AML compliance. With the first elements of the new framework taking effect this summer, firms should act now to future-proof their compliance strategies.

AMLA’s new regulatory framework takes effect in phases. From July 10, 2027, financial institutions must apply the new CDD requirements, prioritising high-risk customers under a risk-based approach, and will have a five-year transition period to bring CDD for all existing customers up to the new standard.

The other RTS, on risk assessments, direct supervision and enforcement measures, will be phased in progressively. Firms are nonetheless expected to take immediate steps to align their compliance programmes with these evolving supervisory expectations.

Regulatory technical standards

  • Risk assessment: Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the sixth Anti-Money Laundering Directive (AMLD6).
  • Direct supervision: Draft RTS on the risk assessment for the purpose of selection of credit institutions, financial institutions and groups of credit and financial institutions for direct supervision under Article 12(7) of the Anti-Money Laundering Authority Regulation (AMLAR).
  • Customer due diligence: Draft RTS under Article 28(1) of the Anti-Money Laundering Regulation (AMLR) on customer due diligence (CDD).
  • Enforcement: Draft RTS under Article 53(10) of the AMLD6 on pecuniary sanctions, administrative measures and periodic penalty payments.

Understand the key elements of the four draft RTS

In its draft RTS on Risk Assessment of Obliged Entities (Article 40(2) AMLD6), the EBA proposes a harmonised methodology for assessing obliged entities’ inherent risk, control effectiveness, and residual risk, ensuring consistent AML/CFT supervision across the EU.

Key points include:

  • A three-step assessment:
    1. Inherent risk classification;
    2. AML/CFT controls evaluation; and,
    3. Residual risk determination.
  • Harmonised risk indicators and scoring system for uniform supervisory assessments; and,
  • Annual risk reviews, with ad-hoc reassessments for significant business changes.

The draft RTS on Risk Assessment for Direct Supervision Selection (Article 12(7) AMLAR) introduces a standardised risk assessment methodology to evaluate credit and financial institutions’ risk profiles, ensuring consistent and risk-based selection for AMLA’s direct supervision across the EU. 

Key points include:

  • A two-stage process:
    • first, identifying institutions operating in at least six Member States; and
    • second, selecting those with a high residual ML/TF risk for direct AMLA supervision.
  • Minimum customer and transaction volume thresholds that an institution must meet in a Member State where it operates under the ‘freedom to provide services’ rule; and,
  • Calculation of group-wide risk profiles using a weighted average that gives greater weight to high-risk entities.

The EBA’s draft RTS on Customer Due Diligence (Article 28(1) AMLR) introduces a standardised approach to CDD, including a framework for verifying customers, beneficial owners and politically exposed persons (PEPs) across the EU. 

Key points include:

  • Enhanced due diligence (EDD) for high-risk customers and simplified due diligence (SDD) for low-risk cases to ensure proportionate compliance;
  • Uniform data collection for individuals and entities to maintain consistency across member states;
  • A requirement for obliged entities to consult central registers and verify information using independent and reliable sources;
  • A stipulation that, if beneficial owners cannot be identified, senior managing officials (SMOs) must be verified with the same level of scrutiny; and,
  • Recognition of non-standard identity documents for asylum seekers and other legitimate cases to prevent unnecessary de-risking.

Other important points are:

  • Transaction monitoring—understanding and documenting the purpose of business relationships and transactional behaviour;
  • Sector-specific SDD measures—special provisions for pooled accounts, investment funds and regulated intermediaries, allowing reliance on trusted third-party verification;
  • Verification of the source of funds, wealth and legitimacy of business activities for high-risk clients;
  • Mandatory screening of customers and beneficial owners against EU sanctions lists; and,
  • A requirement for digital identity verification to align with risk profiles and ensure secure authentication for remote onboarding.

New CDD requirements apply to all new customers from July 2027. Obliged entities must ensure compliance for their existing customer base within five years, following a risk-based approach.

With its draft RTS on Pecuniary Sanctions, Administrative Measures and Periodic Penalty Payments (Article 53(10) AMLD6), the EBA establishes a structured approach to classifying AML breaches, determining sanctions, and enforcing compliance—ensuring consistency across the EU. 

Key points include:

  • Classifying breaches into four severity levels based on:
    • Duration;
    • Repetition;
    • Intent; and,
    • Impact on financial integrity.
  • Applying pecuniary sanctions proportionate to financial strength, cooperation and past violations;
  • Imposing administrative measures, including business restrictions, license withdrawals and governance changes for serious breaches;
  • Enforcing periodic penalty payments to ensure compliance with supervisory measures; and,
  • Granting the right to be heard before imposing penalties to ensure procedural fairness.

Strategic implications for financial institutions

In the evolving AML regulatory landscape, financial institutions (FIs) must rethink and ultimately strengthen their compliance strategies. The new RTS bring significant shifts in enforcement, due diligence and supervisory expectations, and firms need to act decisively.

Certain practices that firms may have treated as industry expectations will now become binding regulatory requirements. Firms must focus on:

1. Operational adjustments

FIs must proactively enhance AML compliance frameworks, ensuring alignment with risk-based supervision and evolving due diligence requirements. This means stronger governance, more robust internal controls, and structured remediation plans for identified breaches.

2. Technology investments

Automated transaction monitoring, automated risk scoring and real-time data analytics, increasingly AI-driven, will be central to meeting the new expectations at scale. Firms should use in-house or third-party regtech solutions to streamline compliance, improve risk detection and reduce the burden of manual oversight.

3. Cross-border compliance challenges

Multinational firms must navigate the balance between harmonised EU-wide AML requirements and country-specific regulatory nuances. A centralised but flexible compliance model will be key to maintaining efficiency while adhering to diverse supervisory expectations.

The bottom line? AML compliance is no longer just about ticking boxes—it’s about embedding proactive regulatory resilience into business operations. Firms that invest early in scalable, data-driven compliance strategies will gain a competitive edge in an increasingly scrutinised regulatory environment.

Sustainable compliance: Roadmap for the next five years

Financial institutions should take a phased approach to achieving AMLA compliance, ensuring they stay ahead of regulatory expectations rather than scrambling to catch up.

  1. In the short term, firms should prioritise a comprehensive compliance health check, identifying regulatory gaps, and engaging key stakeholders to align with evolving standards. 
  2. By 2026–2027, their focus should shift to embedding risk-based controls, making the most of AI-driven transaction monitoring and strengthening governance and reporting frameworks. 
  3. Beyond 2028, compliance should no longer be just a regulatory requirement but a core component of corporate governance—driven by continuous improvement, training, automation, and AI-driven efficiencies.

Act early, embrace technology and reinforce governance to navigate AMLA’s regulatory landscape confidently.

How can Grant Thornton help?

At Grant Thornton, we continue to monitor developments in the AML/CFT regulatory landscape and their implications for businesses. Stay tuned for more insights on this critical EBA consultation package. 

If you would like to understand how these changes impact your organisation or need guidance on preparing for AMLA compliance, our experts are ready to assist you.

We offer a comprehensive range of AML/CFT services to support your compliance journey, including:

  • AML/KYC managed service support;
  • Framework and policy development and reviews;
  • Risk assessments;
  • Central Bank of Ireland/EBA-mandated independent reviews;
  • Risk mitigation programme remediation;
  • AML/CFT compliance assurance testing;
  • Operating model building;
  • Systems requirements;
  • Training; and,
  • Horizon scanning.

Discover how we can tailor a solution for your business today—reach out to our team of financial crime experts. 
