Financial Services

Adoption of EU AML/CFT Package – key requirements and impact on financial services firms

Written by

Dr. Michael Huertas

RegCORE Client Alert | Banking Union | Capital Markets Union | Insurance Union 

QuickTake

After long and intense negotiations, the EU’s co-legislators, the European Parliament and the Council agreed details, along with some last-minute surprises, on 18 January 2024 on the EU’s new anti-money laundering (AML) and countering financing of terrorism (CFT) Package.

It should be noted that the AML/CFT Package has been long in the making. It was first proposed by the European Commission on 20 July 2021 and built upon the European Commission’s May 2020 AML and CFT “Action Plan” that followed as a response to several very public AML/CFT scandals. A lot has changed since then. So too has the efficacy and the degree of fragmentation of the EU’s existing AML/CFT financial crime, supervision and enforcement framework which this Package is set to comprehensively overhaul.

The AML/CFT Package not only strengthens existing laws but replaces EU Directives, and thus fragmentation, with an EU Regulation and maximum harmonisation Directive. (Footnote: Importantly, the AML/CFT Package does not propose an absolute maximum harmonisation approach, as this is incompatible with the risk-based nature of the AML and CFT regime, but it does close conceptual gaps and divergences by raising the current standard to a much tougher level of uniformity of rules, their interpretation and application in respect of “obliged entities”. This means that Member States, where not prohibited in the respective components of the Package, will be able to introduce rules going beyond the legislation, but only where specific national risks justify this on a risk-based approach.) It also creates a new EU-level Anti-Money Laundering Authority (AMLA) which is expected to become operational during 2025 and begin direct supervision in 2026. The AML/CFT Package aims to achieve all of this through three complementary legislative instruments, comprised of the:

  1. AML Regulation (AMLR), which, as an EU Regulation, is directly applicable in the EU-27 and replaces the EU’s existing 4th and 5th AML Directives (AMLD). (Footnote: A correlation table in Annex IV to the AMLR identifies which AMLD4 provisions are being moved into the AMLR and where they can be found. The same approach is also used in the Annex to AMLD 6 which sets out which AMLD 4 provisions are moved to AMLD 6 and where these can be found.) AMLR focuses on streamlining rules concerning customer/client/counterparty due diligence (CDD), reporting and transparency on beneficial owners, the use of anonymous instruments, including crypto-assets;
  2. AMLD 6, which complements the AMLR, contains those reforms that have to be transposed i.e., implemented into national law and thus use an EU Directive to do so. Such rules relate to penalties as well as powers and administrative measures relevant to national competent authorities (NCAs) and financial intelligence units (FIUs) in Member States; and 
  3. AMLA Regulation (AMLA-R), which contains directly applicable provisions that create and enable AMLA’s operation. AMLA will have direct supervisory and enforcement powers as well as a mandate to be a central authority coordinating all national AML/CFT supervisors (not just those in the financial services sector), with a view to improving the effectiveness and consistency of AML and CFT supervision and enforcement. Although the AMLA will not replace national AML and CFT supervisors, it will have some direct supervisory powers over certain high-risk financial institutions and will be able to directly impose fines and penalties on persons who fail to comply with the AMLR.

Each of the AMLR, AMLD 6 and AMLA-R will now be finalised and presented to Member States’ representatives in the Committee of Permanent Representatives and the European Parliament for approval. If approved, the Council and the Parliament will have to formally adopt the texts before they are published in the EU’s Official Journal and enter into force.

Following the entry into force, further technical rulemaking will follow. These will take the form of Implementing Technical Standards (ITS) and Regulatory Technical Standards (RTS). Further details on this further rulemaking and requirements on obliged entities (including beyond the financial services sector) will be available from standalone coverage from our EU RegCORE. (Footnote: Traders of luxury goods such as precious metals, precious stones, jewellers, horologists and goldsmiths will become subject to stricter CDD and reporting obligations. Traders of luxury cars, airplanes and yachts as well as cultural goods (like artworks) will also become obliged entities. Professional football clubs and agents will become obliged entities. However, as the sector and its risk is subject to wide variations, member states will have the flexibility to remove them from the list if they represent a low risk. The rules will apply after a longer transition period, kicking in 5 years after entry into force, as opposed to 3 years for the other obliged entities.)

Equally, the European Commission is expected to conduct a supranational AML/CFT risk assessment and communicate recommendations to EU Member States on measures they should follow. Member States will also carry out national risk assessments and commit to effectively mitigating the AML/CFT risks identified in the national risk assessment. Considerations expressed therein are also very relevant to the obligations and expectations set in respect of financial services firms and obliged entities enumerated in the legislative and regulatory rulemaking instruments.

This Client Alert assesses the key features of the AML/CFT Package, the key considerations for financial services firms (but also for other types of persons that are “obliged entities”) in terms of their internal policies and procedures as well as systems and controls and what impacts this has, specifically in relation to legal considerations and client-facing documentation.

The analysis in this Client Alert should be read in conjunction with coverage from our EU RegCORE on the revised Wire Transfer Regulation (WTR II also known as the Wire and Crypto-asset Transfer Regulation – WTCR), which also extends the so-called “travel rule” from fiat to crypto-asset transfers.

This Client Alert should also be read in conjunction with jurisdiction specific as well as thematic coverage on related considerations, including those beyond the law, from our PwC colleagues. 

Key features of the AML/CFT Package

The AMLR introduces a number of reforms to principles that were previously set out in the AMLDs 4 and 5, which it replaces, as well as specific new measures that the AMLR introduces. These include:

  • Expanding the scope of the existing definition of “obliged entities” to include (i) all types of crypto-asset service providers (CASPs) (see our coverage on the WTCR on the extension of the travel rule and the EUR 1,000 threshold for monitoring), (ii) crowdfunding service providers that fall outside the scope of the EU’s Crowdfunding Regulation and are already obliged entities and to (iii) mortgage lenders and consumer credit providers as well as intermediaries that are not credit institutions or financial institutions who are already “obliged entities”;
  • Clarifying requirements on:

o    Allocating a member of the board or senior management to the role of compliance manager for AMLR compliance; 

o    Application of conduct of business standards for groups (which will be subject to further rulemaking under relevant RTS) and group-wide measures;

o    Role of parent entities that are themselves not obliged entities;

o    Conditions under which other structures (such as networks and partnerships) should apply group-wide measures; 

  • Introducing de-risking criteria in AML/CFT procedures as well as clarifying the definition and categorisation of politically exposed persons (PEPs);
  • Clarifying CDD requirements, which are more granular, including: 

o    The purpose of CDD and what mitigating measures should be applied;

o    Clearer and more detailed provisions on identifying persons in CDD and verifying their identity; 

o    The conditions for using electronic identification means including as in the EU’s eIDAS Regulation, which the European Commission hopes will facilitate easier use of digital identity solutions and allow for greater cross-border cooperation in line with the EU’s Digital Finance Strategy; 

o    The standard datasets for identifying natural and legal persons. AMLA will produce RTS including specific simplified CDD measures (SDD) that obliged entities may implement in lower risk situations identified in the European Commission’s AML/CFT supranational risk assessment. The RTS will also further specify detailed identification and authentication elements for onboarding;

o    The conditions on which obliged entities can rely on CDD performed by another obliged entity and can outsource functions to other entities or service providers. As in the existing framework, a risk-based approach must be applied. Providers based in high-risk third countries, countries with compliance weaknesses, and any other country that poses a threat to the EU must not be relied on for performing CDD or used for outsourcing purposes; 

  • Creating a new category of “high risk profile customers” which include high-net worth individuals (HNWIs), offshore financial centres and those persons subject to sanctions; 
  • Streamlining (ultimate) beneficial ownership requirements but equally lowering the threshold of participation i.e., when someone is to be categorised as an (ultimate) beneficial owner for CDD purposes (i.e., 5% for HNWIs and 15% for others as opposed to the current level of 25%) as well as increasing transparency (register reporting) and identification requirements; 
  • Providing for a registration requirement on the beneficial ownership of all foreign entities that own real estate with retroactivity until 1 January 2014;
  • Deepening of simplified CDD processes to be used for “low-risk” customers with indications and contradictions; 
  • Adding guidance on suspicious activity/transaction reports (collectively herein, SARs) by clarifying red flags that raise suspicion;  
  • Clarifying the cap on large cash payments by introducing a provision preventing traders in goods or services from accepting cash payments of over EUR 10,000 for a single purchase. This upper limit will not apply to private arrangements between individuals. Member States will be able to maintain lower limits at the national level. The European Commission is required to assess the benefits and impacts of lowering the threshold within three years of the AMLR’s application; 
  • Formalising the requirement that obliged entities need to conduct CDD on any person who carries out an occasional transaction in cash between EUR 3,000 and 10,000;

AMLD 6, in support of the reforms in the AMLR, also:

  • Responds to the changing threat landscape by broadening the previous AMLDs’ scope (expanded application, including to new types of threat actors, facilitators, criminals and accomplices) as well as offences such as self-laundering as well as more generally aiding and abetting;
  • Facilitates the prosecution of legal persons by extending the criminal liability of natural persons (employees) linked to legal entities both for corporations and partnerships; 
  • Improves and strengthens interstate cooperation by resolving the issue of dual criminality through the introduction of specific requirements relating to the exchange of information between jurisdictions;
  • Sets stricter penalties (imprisonment as well as financial penalties for AML/CFT breaches).

AMLA-R, aside from creating and setting out the operation of this new EU-level supervisory authority, also creates an integrated and Europeanised system of operation with AMLA at the helm of the NCAs with an AML/CFT supervisory mandate.  

Remedying and rolling out access to (new) registers

The AML/CFT Package also seeks to remedy the restrictions that followed the Court of Justice of the European Union’s (ECJ) ruling in the Sovim case, whereby a number of (ultimate) beneficial ownership registers suspended access to the public. Pursuant to the AML/CFT Package in addition to supervisory and public authorities as well as obliged entities, persons of the public with “legitimate interest” (details of which will have to be defined to further anchor this point, which was contested in the Sovim case) including press and civil society (equally to be defined) may access the registers. Entities in charge of the registers are also granted powers to carry out inspections at the premises of legal entities registered, in case of doubts regarding the accuracy of the information in their possession.

Moreover, in order to facilitate investigations into criminal schemes involving real estate, real estate registers are to be accessible to NCAs through a single access point, making available for example information on price, property type, history and encumbrances like mortgages, judicial restrictions and property rights. 

While it is certainly welcome, at least from a practical CDD aspect, that (ultimate) beneficial ownership registers will be made accessible again more freely, such a move may not be free from legal challenge or certain pre-conditions (possibly differing between Member States). Equally welcome, at least from the perspective of perhaps a more transparent real estate market, will be the concept of greater information on real estate transactions – for now, however, such real estate register will not be accessible to future purchasers nor estate agents or the general public. Again here, legal challenges could ensue so it is expected that operators of registers will want to tread carefully in ensuring that data recorded and access thereto reflects the principles set out in EU data protection laws as well as the overarching EU Charter of Fundamental Rights.

AMLA’s mandate and scope of operations

The European Commission characterises AMLA as the central component of the AML/CFT Package, which is to also take over existing AML/CFT roles and work entrusted to date to the European Banking Authority (EBA). The cross-border nature of financial crime necessitates further efforts at the EU level to promote stronger collaboration amongst NCAs.

The primary function of AMLA is to provide oversight and monitoring of AML/CFT prevention, supervision and enforcement in the private sector, ensuring adherence by all obliged entities and not just financial services firms to the EU’s rules. The objective is to create a unified AML and CFT supervisory system that encompasses both the financial and non-financial sectors. 

This new “Europeanised” system will be built on shared supervisory approaches and the alignment of rigorous supervisory criteria. AMLA will also run a number of shared resources, such as an AML/CFT database of supervisory information. Such databases also aim to support the work of FIUs who, pursuant to the AML/CFT Package, will have immediate and direct access to financial, administrative and law enforcement information, including, but not limited to, tax information, information on funds and other assets frozen pursuant to targeted financial sanctions, information on transfers of funds and crypto-transfers, national motor vehicles, aircraft and watercraft registers, customs data, and national weapons and arms registers.

AMLA’s supervisory roles

AMLA will not fully supplant the roles and priorities of national AML/CFT NCAs, as the European Commission deems them crucial components of the EU’s enforcement framework. Instead, AMLA will serve as the central element of this new supervisory system, which will include both AMLA and NCAs – drawing some lessons perhaps from the Banking Union and the Single Supervisory Mechanism (SSM). Accordingly, as discussed below, AMLA will also substitute NCAs and directly supervise specific high-risk financial firms, coordinate supervision for both the financial and non-financial sector, supervise sanctions compliance and, in addition to having rulemaking powers, also have the power to settle disagreements with a binding effect in the context of financial sector supervisory colleges and, in any other case, upon the request of a financial supervisor.

AMLA will equally need to collaborate closely with pertinent EU and national entities, such as the European Supervisory Authorities (ESAs) – namely, the EBA, ESMA, and EIOPA – as well as the SSM. AMLA will also have the authority to establish agreements with regulatory or supervisory bodies in third countries. NCAs will also get advantages from this new system in instances where they have had particular difficulties, such as a scarcity of resources, as reciprocal aid will be accessible upon request. This may entail the interchange of staff, temporary assignments, training, or the sharing of best practices. 

Within the non-financial sector, AMLA will provide only indirect supervision by overseeing and coordinating NCAs or self-regulatory bodies (SRBs). NCAs will also be able to voluntarily set up a supervisory college for a non-financial sector entity operating across borders if it is deemed needed. It is conceivable, however, that, in keeping with the experience of the SSM, AMLA will take an interest in certain firms, in particular in certain sectors such as gaming and gambling, and compel NCAs to designate such non-financial entities as “high-priority indirect supervised firms”, in particular where they operate across borders.

In the financial sector, it will provide indirect supervision of some financial institutions by monitoring and coordinating NCAs but will have powers of direct supervision for a smaller number of financial services firms. AMLA-R also entrusts AMLA with operating a reinforced whistleblowing mechanism; however, AMLA will only deal with reports coming from the financial sector or reports from NCAs. For the non-financial sector, whistleblowing channels will remain with the NCAs.

The firms that will be under direct supervision, as defined in the AMLA-R, are those that are deemed the most high-risk financial institutions. These are generally understood as being comprised of those financial firms operating across borders that have been assessed as posing a high AML/CFT risk. RTS will standardise the methods and benchmarks used by NCAs to categorise the risk and categorisation criteria of such financial institutions. AMLA and NCAs should not have any discretion in determining the list of financial institutions that are subject to direct supervision. The list will undergo a comprehensive evaluation every three years. (Footnote: The European Commission had deliberated the possibility of subjecting all significant or transnational financial institutions to EU-level supervision for AML/CFT measures. However, it dismissed this approach as being excessive in relation to the desired outcome and it should be noted that the SSM also in part focuses on AML/CFT risks in its own supervisory mandate.) Ahead of such RTS, these firms are generally considered to be those that are active in a considerable number of Member States and, in rare situations, require prompt emergency measures to address the imminent threats of AML/CFT breaches. The selection process which will be set out in full in the RTS will rely on objective criteria related to risk categorisation and cross-border activity, in order to achieve equitable and unbiased selection.

In order to ensure openness and clarity for the appropriate financial institutions, the European Commission had suggested that AMLA could commence the initial selection procedure on 1 January 2025 and then release a list of the chosen financial institutions within one month of that date. The initial group of chosen financial institutions is expected to be transferred to supervision at the EU level beginning in 2026, which may be up to 40 groups and entities in the first selection process. Regardless of whether a selected financial institution fails to meet the selection criteria throughout the three-year period, it will still be subject to direct supervision by AMLA.

AMLA will also have the authority to request the European Commission to make a decision to subject a financial institution to its direct oversight, regardless of the aforementioned requirements. This situation might arise when there are signs of AML/CFT violations that are not being effectively and appropriately addressed by the appropriate NCA. The transition to direct supervision would occur only if a procedural process concludes with a European Commission ruling affirming it. Prior to this, AMLA would be expected to have instructed the NCA to take a specific action to address the shortcomings. However, if the supervisor failed to take this action within a specified timeframe, AMLA may present the matter to the European Commission, seeking a decision to transfer supervisory authority. The European Commission has a one-month timeframe to finalise and implement its judgement. Within this framework, the duration of direct oversight should align with the timeframe required by the AMLA to address the risks associated with the particular financial institution, with a cap of three years.

Financial services firms that consider they are at risk of being included in such direct supervision category may want to consider what improvements they may wish to make between now and the start of AMLA direct supervision to improve compliance and remedy any deficiencies or perceived weaknesses so as to mitigate any adverse consequences of direct supervision by AMLA.

AMLA will have rulemaking powers to draft and implement both implementing technical standards (ITS) and regulatory technical standards where this is provided for under the AMLA-R, the AMLR and AMLD6. Moreover, AMLA will have powers to adopt guidelines and recommendations addressed to all or any sub-sector of obliged entities as well as NCAs and/or to provide advice and input to the European Commission, the European Parliament and the European Council on aspects of AML/CFT policy, including the risks linked to third countries. In order to prevent redundancy, inconsistencies, and legal ambiguity, AMLA must collaborate closely with the European Data Protection Board (EDPB) when formulating guidelines and recommendations that have a substantial effect on personal data.

The European Commission had originally intended for AMLA to be constituted on 1 January 2023 and commence the majority of its operations on 1 January 2024. With the AMLA-R now near the finish line, AMLA, once its location has been agreed, is expected to achieve full staffing during 2025 at the earliest and commence direct supervision of specific financial institutions by 2026. Supervision can commence only after the completion and implementation of the AML/CFT Single Rulebook, and thus after both AMLR and AMLD 6 are published in the Official Journal of the EU.

AMLA’s governance and operational capabilities 

AMLA will consist of a Chairperson and an Executive Director. The Executive Director will supervise the operational aspects of the AMLA, including budget execution, resource allocation, personnel management, and procurement. The Chairperson will serve as the representative of the AMLA and will oversee the operations of the following boards:

  • Executive Board. This will serve as the governing body of AMLA. AMLA will have authority over decisions about individual obliged entities (i.e., firms subject to the AMLR and AMLD regime) and NCAs. It will also make decisions regarding its draft budget and other items pertaining to the operation and functioning of AMLA.
  • General Board. There will be two alternative compositions, one including the heads of NCAs, and the other involving AMLA's FIU activities. The General Board will implement all regulatory instruments. AMLA may also offer its perspective on any decision concerning financial institutions under direct supervision, which is formulated by a joint supervisory team (JST), prior to the Executive Board's final decision.

The European Commission has determined that AMLA’s entire annual expenditure, once it is fully operating, will amount to EUR 45.6 million. Once AMLA has expanded its workforce to around 250 employees, projected to occur no earlier than the end of 2025, its funding will be allocated as follows: 25% from the EU budget and 75% from financial contributions made by specific obliged entities. The process for establishing the roster of obliged entities that are required to make financial contributions, as well as deciding the specific amount of these contributions, will be specified in a Commission Delegated Act.

Approximately 100 out of the AMLA's total workforce of 250 will be dedicated to directly overseeing financial institutions. They will be employed in JSTs together with the staff of the corresponding NCAs. Similar to the operational practice of the SSM, every JST shall be headed by an AMLA JST Coordinator but in contrast to the SSM will be situated in the Member State where the corresponding financial institution has its main office. 

AMLA’s JSTs will conduct comprehensive evaluations and appraisals for directly supervised high-risk financial institutions at both the individual-entity and group-wide levels, actively engage in overseeing the entire group, and establish and update a robust system to evaluate the risks and weaknesses of the designated institutions. AMLA will be empowered to:

  • impose specific measures or procedures for particular customers or categories of customer who pose high risks;
  • require financial institutions to take actions, including reinforcing internal procedures or changing governance structure;
  • remove members of a financial institution's management; and
  • adopt binding decisions, administrative measures and proportionate and dissuasive pecuniary sanctions (up to a maximum 10% of total annual turnover or EUR 10 million, whichever is higher), in line with AMLD 6.

For indirect supervision of other financial institutions, AMLA will conduct regular peer and thematic reviews to ensure all NCAs have adequate powers and resources to conduct their tasks. AMLA will enhance the operation of supervisory colleges and promote the alignment of supervisory practices and the advancement of rigorous supervisory standards. AMLA will facilitate the coordination of personnel and information transfers among NCAs and offer them support. AMLA will be authorised to provide requests and orders pertaining to the exercise of NCAs’ powers. Additionally, it will have the authority to issue guidelines, opinions, and recommendations to NCAs.

For indirect supervision of non-financial institutions, AMLA will oversee and organise evaluations of supervisory standards and methods in national non-financial sector NCAs or SRBs, if needed. Additionally, AMLA will have powers to compel non-financial supervisors to examine potential violations of regulations that apply to non-financial entities and contemplate implementing penalties or corrective measures. It will conduct regular evaluations and provide support to these supervisors. AMLA will be authorised to give requests and directions regarding the use of non-financial supervisors’ powers. Additionally, it will have the authority to provide guidelines, opinions, and suggestions to non-financial NCAs and SRBs.

Lastly, AMLA has powers to monitor and support the implementation of asset freezes as they apply under EU “restrictive measures” specifically the enforcement of financial sanctions across the EU-27. 

AMLA’s future home

The European Commission submitted its assessment of the nine applications to host AMLA on 10 January 2024. The European Parliament and the Council will organise joint public hearings of all applicants. These hearings are planned for 30 January 2024.

The final decision on the location of AMLA’s seat will be made by the co-legislators in the context of interinstitutional negotiations, where the Parliament’s and the Council’s representatives will vote together at the same time with the same number of votes attributed to each co-legislator. The location of the seat resulting from the process will be included in the AMLA-R and formally adopted as part of the text. Following that AMLA will begin its search for senior executives and staff. 

Key considerations for financial services firms

The AML/CFT Package has long been in the works. Now that the details on contents and timelines for the transition to this new legislative, regulatory and supervisory reality are clear, financial services firms (as well as those other “obliged entities”) may want to, both on an individual and group-wide basis, consider:

  1. Ensuring they have a member of the board or senior management assigned to meet the obligations expected in the AML/CFT Package and to set the tone from the top as well as to reflect AML/CFT matters in a firm’s strategic steering; 
  2. Updating their existing or preparing new AML/CFT relevant information in CDD information packs to speed up the processes when they are being requested to provide information for others to complete CDD as part of onboarding and on a periodic basis thereafter; 
  3. Reviewing and revising their AML/CFT risk assessments as well as outsourcing risk assessments, as well as updating any reliance agreements with other obliged entities and/or service providers; 
  4. Reviewing their AML/CFT and financial crime prevention policies, procedures, training materials as well as internal systems and controls along with counterparty and client-facing documentation as well as regulatory reporting to meet the new requirements introduced by the AML/CFT Package, notably in respect of de-risking and mitigating measures. Firms will need to update their overall AML/CFT risk assessments both to meet EU supranational and national risk assessments and the new AMLA framework;
  5. Planning for how to deal with the increased CDD and (ultimate) beneficial ownership verification exercises, including reassessing existing as well as entering into new reliance arrangements with other obliged entities and/or new outsourcing of managed services agreements;  
  6. Implementing and managing new tools and resources to conduct CDD, including enhanced CDD and transaction monitoring as well as on-going screening as it applies to a potentially increased amount of clients that are categorised as “high-risk”; 
  7. Considering and reassessing new (ultimate) beneficial owner monitoring and carrying out new CDD for a range of new types of persons who, as a result of the lowering of the 25% threshold to 15% (or even 5% for HNWIs), are now under stricter scrutiny;
  8. Assessing whether they are likely to become, or what factors (not just shortcomings) would increase the likelihood of their becoming, subject to AMLA’s direct supervision; and
  9. Ensuring appropriate numbers of suitably qualified staff are available (employed or sourced) to deal with the above compliance but equally the legal documentation priorities that will arise in respect of actioning the above. 

The AML/CFT Package as well as the operationalisation of AMLA, acting pursuant to its own mandate as well as together with NCAs, will require obliged entities generally as well as financial services firms specifically, to make a lot of changes to existing policies and procedures. 

Such change may for some include a need to perform gap analysis of compliance with existing requirements but also the degree of change required to be able to meet new measures both in rules and supervisory expectations. The same consideration applies to revisiting, revising and re-engaging on counterparty and client facing documentation directly as well as in situations when acting through an intermediary. 

Lastly, all obliged entities and in particular financial services firms will want to not only conduct such assessments in respect of reviewing their own arrangements but also reviewing the arrangements of others and what that means for one’s own AML/CFT compliance and risk exposure. 

Outlook 

The AML/CFT Package marks a paradigm shift in regulating and supervising financial crime prevention, and in combatting financial crime, in respect of all obliged entities and specifically financial services firms based in or otherwise doing business in the EU-27. As AMLA moves into operational action, NCAs and SRBs are also likely to sharpen their supervisory focus both in terms of activity in the EU-27 as well as exposures to third countries. Ultimately, the EU’s move in this space may well be followed by a number of similar efforts to strengthen AML/CFT compliance by other third countries that are members of FATF. 

All of this is likely to impact not just internal operations and compliance efforts for both existing and new business relationships but equally will require changes across counterparty, client and customer-facing documentation and processes along the entirety of the relationship lifecycle. 

It is also to be anticipated that a number of technological solutions and tools, including those that are already active in the European market (including those headquartered outside the EU), will need to adapt some of their offerings to meet the AML/CFT Package’s reforms (in addition to other changes such as DORA – see our standalone coverage on that development). Such change at service providers may also act as a catalyst for greater consolidation of offerings and services that financial services firms as well as obliged entities use across the EU-27.

In summary, while the effort to meet this legislative, regulatory and supervisory environment may mean heightened costs on the path to 2026, there may also be a number of longer-term benefits for those early preparers actively moving to build a more streamlined operational approach to compliance with this newest revised chapter of the Single Rulebook for the EU-27. 

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as to proactively engage with their market stakeholders and regulators.  

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.  

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.   

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.