At the request of the European Commission, the EBA has developed four Regulatory Technical Standards (RTS) and two technical opinions pave the way for the effective introduction of supervision by the new Anti-Money Laundering Authority (AMLA) and implementing both the Anti-Money Laundering Regulation (AMLR) and the Sixth Anti-Money Laundering Directive (AMLD6). EBA’s recommendations concern institutions subject to AMLR (gatekeepers) in both financial and non-financial sectors.
Taking a proportional, risk-based stance, The EBA draws from existing standards to streamline regulatory frameworks, with the ultimate aim of maximum harmonisation among supervisors, Member States, and sectors. This AMLR alert presents a compact overview of the RTS ‘s scope and highlights their main elements.
Four regulatory technical standards
-
#1 Risk assessment methodologies for obliged entities
The first RTS establishes harmonised methodologies for national supervisors to assess both inherent and residual money laundering and terrorist financing risks faced by obliged entities, in line with Article 40(2) of AMLD6. A uniform risk classification system, low, medium, substantial and high, ensures consistency across both financial and non-financial sectors, with tailored data collection requirements to maintain proportionality and accuracy.
-
#2 Direct supervision criteria for AMLA
The second RTS sets out the methodology for identifying financial institutions subject to AMLA’s direct supervision under Article 12(7) AMLR. This involves a two-stage process: first, determining whether an institution operates in six or more Member States; and second, assessing its residual risk profile, considering inherent risks and the robustness of AML/CFT controls. Institutions that meet at least one materiality threshold, either serving more than 20,000 clients or conducting annual transactions exceeding €50 million in any given Member State, are considered for inclusion. Residual risk is classified into four categories: Low, medium, substantial, or high, based on defined scoring rules.
-
#3 Customer due diligence requirements
The third RTS addresses Customer Due Diligence (CDD) requirements under Article 28(1) AMLR, detailing the information needed for standard, simplified (SDD), and enhanced due diligence (EDD). It underpins the importance of a proportionate, risk-based approach for compliance, specifying the data required to accurately identify and verify customers, such as name, place and date of birth, nationalities and beneficial ownership., This bolsters the integrity of both onboarding and ongoing monitoring processes.
-
#4 Breach classification and pecuniary sanctions
The fourth RTS addresses the classification of breach severity and the determination of financial penalties, as outlined in Article 53(10) AMLD6. By introducing clear criteria for assessing the seriousness of infringements and calculation appropriate fines, the RTS promotes harmonised enforcement and proportionality in supervisory actions across the EU.
Technical opinions
Group-wide information exchange
The initial technical opinion explains how your group should exchange information, under Article 16(4) AMLR. It establishes clear standards for you to follow when sharing data within your business group and specifies what information you need to provide, including:
- Identifying customers and beneficial owners
- Explaining the nature and purpose of your business relationships
- Providing details about suspicious transactions
By following these rules, you will promote transparency and stronger collaboration within corporate structures, making it easier to share vital information while staying compliant with data protection laws.
Base amounts for pecuniary fines
As you consider your organisation's compliance with the latest regulatory requirements, it is important to understand how base amounts for pecuniary fines are determined. The second technical opinion offers you guidance on setting base amounts for financial penalties, as outlined in Article 53(11) AMLD6. The guidelines are designed to calibrate base amounts according to the type of infringement, the nature of your institution, and its turnover. Importantly, the base amount is applied as a range rather than a fixed figure, which means you benefit from flexibility whilst maintaining proportionality in enforcement.
Timeline and next steps
The EBA has taken a proportional, risk-based approach to ensure practical, effective outcomes, drawing on existing standards to streamline regulation and harmonise rules across Member States. This is designed to benefit organisations by creating a more consistent supervisory environment.
Looking ahead, AMLA is responsible for reviewing and adopting the new technical standards. Once AMLA has done so, the European Commission will endorse them before the AMLR comes into force in July 2027. This timeline is crucial for your planning: Be prepared for AMLA’s operations to begin in 2026, and for the new rules to apply from July 2027.
More information
For further information or tailored guidance on how these developments affect your business, please contact our Corporate Crime & Business Integrity team.
