Key Implications of the Anti-Money Laundering Regulation (AMLR) for Financial Institutions' AML policies
Published on 24th April 2026
Introduction
This memorandum outlines the key implications of the new Anti-Money Laundering Regulation (the AMLR) for obliged entities, with a particular focus on the adjustments required to their internal AML-related policies, procedures and controls.
Dutch financial institutions currently derive their Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) obligations primarily from the Wet ter voorkoming van witwassen en financieren van terrorisme (the Wwft), which implements the Fourth and Fifth Anti-Money Laundering Directives (AMLD4/AMLD5) into Dutch law. From 10 July 2027, the AMLR will apply directly across the European Union as a regulation, causing the Wwft to be revoked. The AMLR introduces a single, directly applicable set of rules, which requires obliged entities under Article 3 AMLR (obliged entities) to update and refine their existing AML documentation, internal governance arrangements and operational processes to ensure alignment with the new harmonised EU standards.
Below, we set out the key areas in which the AMLR introduces new or more prescriptive requirements compared to the current Wwft framework, and the corresponding adjustments that obliged entities must make to their internal AML policies, procedures and governance arrangements.
Implications
1. Legal framework
The most obvious change concerns the legal basis underpinning AML policies and procedures. Most obliged entities currently reference the Wwft (and, where applicable, AMLD4) as the legal framework in their internal AML documentation. These references must be updated to reflect the AMLR as the primary legal basis. Obliged entities must conduct a comprehensive review of all AML-related documentation to ensure that statutory references, definitions and cross-references are aligned with the AMLR.
2. Content of policies and procedures
The AMLR is significantly more prescriptive than the Wwft regarding the minimum content of AML policies. Whereas the Wwft requires entities to have policies, procedures and measures that are proportionate to the nature and size of the institution, the AMLR sets out a detailed minimum list of subjects that must be covered by an obliged entity's internal policies, procedures and controls. Specifically, the AMLR requires that these cover, at a minimum:
- the business-wide risk assessment and updates;
- the risk management framework;
- customer due diligence (CDD) procedures, including enhanced due diligence (EDD) and the determination of politically exposed person (PEP), family member and close associate status;
- suspicious transaction reporting;
- outsourcing and reliance arrangements;
- record retention and personal data processing policies;
- compliance monitoring, remediation and deficiency management;
- fit-and-proper/good repute checks for staff and for agents/distributors;
- internal communication of AML policies to agents, distributors and service providers;
- training policies; and
- internal controls plus independent audit testing.[1]
This list is considerably more detailed than the current Wwft requirements. Obliged entities must therefore review their existing AML documentation to ensure that each of the above subjects is adequately addressed in their policies, procedures and controls.
3. Compliance functions
Under the AMLR, obliged entities are required to establish robust internal compliance functions to ensure adherence to their AML/CFT obligations. Each obliged entity must appoint a compliance manager from within its management body, who bears overall responsibility for ensuring that internal policies, procedures and controls are consistent with the entity's risk exposure and are effectively implemented, and who must report regularly and at least annually to the management body on their implementation.
Separately, obliged entities must appoint a compliance officer, who holds a sufficiently senior position within the organization and is responsible for the day-to-day operation of AML/CFT requirements, including the implementation of targeted financial sanctions, and who serves as the primary contact point for competent authorities and is responsible for reporting suspicious transactions to the Financial Intelligence Unit (FIU). The compliance officer benefits from specific protections against retaliation, discrimination and undue commercial influence, and may only be removed following prior notification to the management body, with the supervisor also to be notified of any such removal. The compliance officer must have the ability to report directly and independently to the management body and, where one exists, to the supervisory body.
Obliged entities are required to provide these compliance functions with adequate resources including staff and technology proportionate to the size, nature and risks of the entity, and must ensure that those responsible for these functions are empowered to propose any measures necessary to maintain the effectiveness of internal controls. Where the size and risk profile of the entity justify it, the roles of compliance manager and compliance officer may be combined and held by a single individual.[2]
It is recommended that entities review whether their current internal governance arrangements are aligned with these AMLR requirements.
4. Employee integrity
The AMLR also introduces specific requirements regarding the integrity of employees and the management of conflicts of interest that go beyond the current Wwft framework. Any employee or person in a comparable position who directly participates in the institution's AML/CFT compliance must undergo a risk-proportionate assessment of their individual skills, knowledge, expertise, good repute, honesty and integrity, both prior to taking up their role and on a recurring basis thereafter.
Critically, the AMLR requires that employees who have a close private or professional relationship with a customer or prospective customer must inform the compliance officer of that relationship and must be prevented from performing any AML/CFT compliance tasks in relation to that customer.[3] Entities must have in place formal procedures to prevent and manage such conflicts of interest.
5. Suspicious and unusual transactions
A key change under the AMLR is the shift from reporting "unusual" transactions (as currently required under the Wwft) to reporting "suspicious" transactions. In practice, this means that entities must report to the Financial Intelligence Unit (FIU) where they know, suspect or have reasonable grounds to suspect that funds or activities, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing. The reporting obligation extends to attempted transactions and to suspicions arising from the inability to conduct CDD.
Under the AMLR, a suspicion must be based on the characteristics of the customer and their counterparts, the size and nature of the transaction or activity, the methods and patterns thereof, the link between several transactions or activities, the origin, destination or use of funds, or any other circumstance known to the institution, including the consistency of the transaction or activity with the information obtained through the CDD process and the risk profile of the customer.
In addition, the AMLR introduces a concrete maximum deadline of 5 working days for entities to respond to requests for information from the FIU, with the possibility of even shorter deadlines, including under 24 hours, in urgent cases. Under the Wwft, entities are currently required to respond "promptly" to FIU requests, but no hard timeline is imposed.[4]
6. UBO definition
The AMLR significantly expands the beneficial ownership (UBO) framework compared to the Wwft by directly codifying detailed rules on beneficial ownership identification at the EU level, rather than delegating these to national implementing legislation. Key changes include:
- explicit parallel testing for both ownership interest and control;[5]
- specific rules for complex multi-layered ownership structures;[6]
- nominee transparency obligations.[7]
In addition, the AMLR introduces stricter procedural requirements, including a 28-day deadline for registering and updating beneficial ownership information,[8] and a 14-day deadline for reporting discrepancies to central registers.[9]
Notably, the AMLR adjusts the UBO identification threshold from "more than 25%" (as currently applied under the Wwft) to "25% or more",[10] meaning that a 25% ownership interest or voting right now also triggers beneficial ownership status. Entities must update their CDD procedures and systems accordingly.
7. PEP definition
The AMLR expands the definition of "politically exposed person" (PEP) compared to the current framework by explicitly including: heads of regional and local authorities (in jurisdictions with at least 50,000 inhabitants); members of governing bodies of political parties at regional and local level; members of supervisory and management bodies of mid-sized and large government-controlled companies at regional and local level; and siblings of persons holding the highest state functions.[11]
Entities must update their PEP screening procedures and lists to reflect this broader definition.
8. Training
Similar to the Wwft, the AMLR requires that employees are familiar with the applicable AML/CFT legal framework. However, the AMLR expands the scope of mandatory training to include awareness of the Regulation on information accompanying transfers of funds and certain crypto-assets (TFR), the institution's business-wide risk assessment, and the internal policies, procedures and controls in place, including those relating to the processing of personal data for AML/CFT purposes.[12]
Entities must review and update their existing training programmes to ensure that these additional subjects are adequately covered.
9. Business-Wide Risk Assessment (BWRA)
Under the AMLR, entities must conduct a documented and regularly updated business-wide risk assessment (BWRA) covering money laundering, terrorist financing and targeted financial sanctions (TFS) evasion risks. The BWRA must take into account the risk variables and risk factors set out in the Annexes to the AMLR, EU-level and national risk assessments, and other relevant publications and information from competent authorities. This is more prescriptive than the current Wwft requirement, which requires entities to take measures to identify and assess their ML/TF risks proportionate to the nature and size of the institution, to document the results, keep them current, and make them available to the supervisory authority on request.
In addition, before launching new products, services or business practices, including new delivery channels or technologies, or entering new customer segments or geographies, entities must assess the associated ML/TF risks and implement appropriate mitigating measures prior to launch.
The BWRA must be drawn up by the compliance officer and approved by the management body in its management function. Where a supervisory function exists, the BWRA must also be communicated to that function.[13]
10. Due Diligence (CDD, SDD, EDD)
The AMLR lowers the threshold for applying CDD to occasional transactions from EUR 15,000 (under the Wwft) to EUR 10,000. For crypto-asset service providers (CASPs), the threshold is set at EUR 1,000, below which minimum identification and verification requirements still apply.[14]
The AMLR integrates targeted financial sanctions (TFS) screening as an integral component of the CDD process, rather than treating it as a separate, stand-alone obligation. Obliged entities must update their CDD procedures to reflect this integrated approach.[15]
For payment initiation services,[16] the AMLR clarifies that the merchant, rather than the end-user payer, is to be treated as the "customer" for AML/CFT purposes. The payment service provider's CDD and ongoing monitoring obligations therefore apply in respect of the merchant. This clarification should be explicitly reflected in the AML policies of payment service providers.[17]
The AMLR introduces mandatory maximum intervals for updating customer information: 1 year for higher-risk customers and 5 years for all other customers. Within these caps, entities must determine appropriate refresh intervals on a risk-sensitive basis.[18]
Under the AMLR, simplified due diligence (SDD) measures are articulated more specifically than under the Wwft. Permissible SDD measures include:
- post-establishment identity verification (within 60 days, where the specific lower risk identified justifies such postponement);
- reduced frequency of identification updates;
- reduced information collection;
- reduced frequency of ongoing monitoring; and
- no requirement to establish the source of funds or wealth as a default measure.
Where an entity applies the SDD measure of verifying the identity of the customer and the beneficial owner after the establishment of the business relationship, it must adopt risk management procedures governing the conditions under which it may provide services or perform transactions for the customer prior to verification taking place. Such procedures must include limitations on the amount, number or types of transactions that may be performed, and monitoring to ensure that transactions are consistent with the expected norms for the business relationship.[19]
A key novelty under the AMLR is the introduction of a 5 working-day deadline for the relied-upon entity to provide CDD information and supporting documents to the relying entity. In addition, the AMLR requires that the conditions for such transmission be set out in a written agreement or, in the case of group entities, in an internal group procedure.[20]
The AMLR expressly extends and codifies correspondent relationship EDD obligations for credit institutions, obliged entities and CASPs, requirements that are not yet explicitly provided for under the Wwft. Credit institutions and obliged entities entering into cross-border correspondent relationships with third-country respondent entities must, in addition to standard CDD measures:
- gather sufficient information to understand the nature of the respondent's business and assess its reputation and the quality of its supervision;
- assess the respondent institution's AML/CFT controls;
- obtain senior management approval before establishing new correspondent relationships;
- document the respective responsibilities of each institution; and
- in respect of payable-through accounts, satisfy themselves that the respondent has verified the identity of, and performed ongoing due diligence on, customers with direct access to the correspondent's accounts.[21]
Credit institutions and obliged entities must incorporate these requirements into their AML policies.
CASPs must additionally incorporate correspondent crypto-asset relationship EDD procedures into their AML policies.[22]
11. Outsourcing
The AMLR imposes considerably more prescriptive requirements on the outsourcing of AML-related activities than the Wwft, including prior supervisor notification obligations and categories of decisions that may not be outsourced. The following tasks may never be outsourced: the proposal and approval of the business-wide risk assessment; the approval of internal policies, procedures and controls; the decision on the risk profile to be attributed to a customer; the decision to enter into a business relationship or carry out an occasional transaction; FIU reporting of suspicious activities or threshold-based reports (except where outsourced to another obliged entity within the same group established in the same Member State); and the approval of the criteria for the detection of suspicious or unusual transactions and activities. Transaction monitoring is not included in this list of non-outsourceable tasks and may therefore in principle be outsourced, subject to compliance with the general outsourcing conditions under Article 18 AMLR. Obliged entities that use group utility functions or vendor-operated AML tools must review their existing outsourcing arrangements against the AMLR framework.
Entities must develop a dedicated outsourcing policy that, at a minimum:
- establishes a prior notification procedure towards the competent supervisory authority before any outsourcing arrangement commences;
- clearly identifies which core AML decisions may never be delegated to a third party (such as risk profiling, customer acceptance and FIU reporting decisions);
- sets requirements for pre-outsourcing due diligence on prospective service providers;
- requires written agreements for all outsourcing arrangements;
- imposes controls on sub-outsourcing;
- mandates regular oversight and monitoring of service providers; and
- prohibits outsourcing to providers established in high-risk third countries.[23]
12. Record-keeping
While the base 5-year retention period for AML-related records remains unchanged, the AMLR introduces the possibility of a case-by-case extension of up to a further 5 years upon request of the competent authority under specific circumstances. In addition, the AMLR clarifies that this retention period also applies to records regarding a decision to refuse to onboard a customer.[24]
13. Automated Decision-Making and Artificial Intelligence
The AMLR introduces specific requirements governing the use of automated decision-making tools and AI in AML/CFT processes, a subject not addressed under the Wwft. Where entities use automated systems or AI to make or support decisions on customer onboarding, termination of business relationships, transaction refusal or changes in CDD intensity, the data processed by such systems must be limited to data obtained through the CDD process. In addition, such decisions must be subject to meaningful human review and intervention to ensure their accuracy and appropriateness. Customers have the right to receive an explanation of any decision made through automated means and to challenge such decisions. This right does not, however, extend to decisions relating to suspicious transaction reports submitted to the FIU.[25]
Entities must update their AML policies to set out the governance framework for the deployment of automated decision-making and AI tools, including the allocation of responsibilities for human oversight and the mechanisms for handling customer challenges.
14. Group Policies
The AMLR introduces significantly more prescriptive requirements for group-wide AML/CFT policies than the current Wwft framework. Parent undertakings of groups that include obliged entities must establish and maintain group-wide AML/CFT policies, procedures and controls. These group-wide policies must mirror the minimum content requirements applicable to individual entities (as set out in section 2 above) and must be applied consistently across all branches and subsidiaries within the group, including those established in third countries.
In addition, the AMLR introduces the following specific group-level requirements that must be reflected in group AML policies:
- the parent undertaking must conduct a group-wide risk assessment, which must take into account the risk factors pertaining to all group entities, including branches and subsidiaries in third countries;[26]
- the parent undertaking must appoint a group compliance manager, who is responsible for overseeing the implementation of the group-wide AML/CFT framework and for reporting to the management body of the parent undertaking on the adequacy and effectiveness of the group's AML arrangements;[27]
- the AMLR introduces a mandatory framework for the sharing of suspicious transaction report information within the group, subject to appropriate safeguards. Group entities must share relevant information where such sharing is necessary for the purposes of AML/CFT risk management, unless otherwise instructed by the FIU;[28]
- notably, the AMLR extends the scope of group-wide AML/CFT obligations beyond traditional corporate groups to include networks and partnerships of obliged entities that share common ownership, management or compliance controls, even where these do not constitute a corporate group in the traditional sense. Entities participating in such arrangements must assess whether they fall within the scope of the AMLR's group-wide requirements and, if so, implement the necessary policies and procedures accordingly.[29]
Obliged entities that are part of a group, network or partnership must review their existing group-wide AML documentation to ensure alignment with these expanded requirements.
15. Targeted Financial Sanctions
The AMLR elevates TFS compliance from a largely separate regulatory obligation to an integrated component of the AML/CFT framework. Under the current Wwft, sanctions screening is primarily governed by the Sanctiewet 1977 and associated regulations, and is not explicitly embedded in the AML/CFT policy framework. As noted in section 10 above, the AMLR changes this by requiring entities to incorporate TFS screening into their CDD processes,[30] their BWRA[31] and their ongoing monitoring arrangements.[32]
Obliged entities must update their AML policies to reflect this integrated approach and ensure that TFS compliance is no longer treated as a separate obligation but is embedded throughout their AML/CFT framework.
Forthcoming Guidance
The Anti-Money Laundering Authority (AMLA) is mandated under the AMLR to develop regulatory technical standards (RTS) and guidelines to further specify a number of the requirements discussed in this memorandum. By 10 July 2026, AMLA is expected to publish, among others, RTS on the minimum content of the BWRA and guidelines on the elements that obliged entities should take into account, based on the nature of their business and their size, when deciding on the extent of their internal policies, procedures and controls, including as regards the staff allocated to compliance functions. By 10 July 2027, further guidelines are expected on, among others, outsourcing of AML/CFT-related tasks and on indicators of suspicious activity or behaviours. These RTS and guidelines will provide essential detail on the practical implementation of the AMLR requirements and may necessitate further adjustments to internal AML policies, procedures and controls beyond those identified in this memorandum.
.............................................................................................................................................
[1] Article 9 AMLR.
[2] Article 11 AMLR.
[3] Article 13 AMLR.
[4] Article 69 AMLR.
[5] Articles 52 and 53 AMLR.
[6] Article 54 AMLR.
[7] Article 66 AMLR.
[8] Article 63 AMLR.
[9] Article 24 AMLR.
[10] Recital 107 of the preamble to the AMLR.
[11] Article 2(1)(34) AMLR.
[12] Article 12 AMLR.
[13] Article 10 AMLR.
[14] Article 19 AMLR.
[15] Article 20 AMLR.
[16] Service 7 from the PSD2 Annex I payment services, Article 4(15) PSD2.
[17] Article 19(6)(d) AMLR.
[18] Article 26 AMLR.
[19] Article 33 AMLR.
[20] Article 49 AMLR.
[21] Article 36 AMLR.