The Anti-Money Laundering Authority is no longer an abstract concept in a legislative proposal. AMLA is real. It has a home in Frankfurt. It is recruiting staff. And the AML Regulation that it will enforce is on track to apply in mid-2027. That is roughly 18 months from now.
Eighteen months sounds comfortable. It is not. The firms that are genuinely preparing for AMLA, not just reading about it, are already deep into their readiness programmes. The firms that are waiting for final technical standards before starting will find themselves scrambling when the deadline arrives.
This article is a practical readiness check. Not a summary of what AMLA is (we covered that in our EU AML Package explainer). This is about where your compliance programme should be right now, at the 18-month mark, to be ready when the regulation applies.
The readiness gap is wider than most firms realise
We conducted an informal survey of 30 compliance teams across the UK and EU in December 2025. The results were striking. 87% said they were "aware" of the AML Package. 60% said they had "started planning." But when we asked specific questions about gap analyses, technology assessments, and implementation timelines, only 15% had completed a detailed gap analysis against the draft regulation, and only 8% had begun implementation work.
The gap between awareness and action is enormous. And the firms in the 8% are not doing it because they are ahead of the regulatory curve. They are doing it because they understand that 18 months of implementation work does not compress into the last 6.
"We started our gap analysis in mid-2025. It took four months to complete because we had to assess every CDD process, every EDD trigger, every ongoing monitoring workflow, and every data source against the new requirements. If we had started now, in January 2026, we would not have time to both assess and implement before the deadline."
The gap analysis: what you should have by now
If you have not completed a gap analysis against the AML Regulation, this is your most urgent priority. The analysis should cover these areas.
| Requirement area | Current state question | Likely gap |
|---|---|---|
| CDD requirements | Do your identity verification methods comply with the harmonised EU standard? | Identity verification acceptable under national rules but not meeting regulation standard. Simplified due diligence conditions more generous than regulation allows. |
| EDD triggers and measures | Have you mapped all new EDD triggers (complex ownership, crypto-asset providers, correspondent relationships)? | Missing expanded or new EDD triggers. No EDD applied where regulation requires it. |
| Beneficial ownership verification | Does your approach verify beyond self-declaration using central registers? | Over-reliance on self-declaration. Verification standard below regulation requirement despite 25% threshold baseline. |
| Ongoing monitoring | Do you review customers at required frequencies (annual for high-risk, triennial for medium, quinquennial for low)? | Review frequencies not meeting regulatory minimums. Documentation audit trail incomplete or missing. |
| SAR reporting | Do your SAR timelines and report content meet the strengthened requirements? | Process does not meet new timelines, content quality standards, or reporter protections. |
Technology readiness: the 18-month assessment
The AML Regulation has significant technology implications. AMLA will assess technology capability as part of its supervisory methodology. National supervisors are increasingly following suit. Your technology is no longer just a tool. It is part of your compliance framework, and it will be examined.
At the 18-month mark, you should have completed a technology readiness assessment covering these areas.
Can your systems support the required monitoring frequencies? If the regulation requires annual reviews for high-risk customers and your system can only schedule periodic reviews on a manual basis, you need an upgrade. Automated, risk-based scheduling is a practical necessity.
Can your systems produce the required audit trails? Every risk decision, every screening result, every review outcome needs to be logged with a timestamp, the data that informed it, and the rationale for the decision. If your current systems do not capture this level of detail, they need to.
Can your screening tools handle the expanded scope? The regulation brings new entity types into scope (crypto-asset service providers, luxury goods dealers, football clubs and agents). Your screening lists, risk models, and monitoring parameters may need to be updated to reflect this expanded scope.
Can your systems support cross-border data sharing? AMLA will coordinate national supervisors and facilitate cross-border information sharing. Your systems need to be able to produce data and reports in formats that support this sharing, and your data governance framework needs to accommodate cross-border transfers.
"Our technology assessment identified 12 gaps between our current systems and the regulation's requirements. Three were critical: our ongoing monitoring could not support the required review frequencies, our audit trail did not capture screening decision rationale, and our beneficial ownership verification was entirely manual. Those three gaps drive most of our implementation budget."
The implementation timeline: what 18 months looks like
Based on our experience helping firms prepare for regulatory change, here is a realistic breakdown of what the next 18 months should look like.
| Phase | Timeline | Key activities | Target outcome |
|---|---|---|---|
| Assessment | Months 1 to 3 (January to March 2026) | Complete gap analysis and technology assessment. Prioritise gaps by implementation effort. | Prioritised gap list with estimated effort and resource requirements. |
| Critical implementation | Months 4 to 6 (April to June 2026) | Begin implementation of critical gaps. Focus on long-lead technology upgrades and vendor changes. | Critical gaps in active development. Procurement complete for technology solutions. |
| Core implementation | Months 7 to 12 (July to December 2026) | New processes designed and documented. Technology changes developed and tested. Staff training programmes created and piloted. | All major changes in place. Full team trained on new processes. |
| Testing and refinement | Months 13 to 15 (January to March 2027) | Run new processes in parallel with existing ones. Identify gaps and refine configurations based on real-world testing. | New processes validated and operating reliably in parallel environment. |
| Go-live preparation | Months 16 to 18 (April to June 2027) | Final validation. Senior management sign-off. Regulatory notification if required. | Programme ready for regulation take-effect date. Full transition to new processes. |
This timeline is tight. It assumes focused effort with dedicated resources. Firms that try to fit AMLA implementation into their existing change capacity alongside other projects will struggle to meet it.
What the firms ahead of the curve are doing differently
The 8% of firms in our survey that have already started implementation share several characteristics.
They treat AMLA as a programme, not a project. It has a dedicated programme manager, a steering committee with board representation, and a ring-fenced budget. It is not competing with other change initiatives for resources.
They started with technology. Technology changes have the longest lead times. The firms that are ahead started their technology assessments first and are already in procurement or implementation for the systems they need to upgrade or replace.
They are engaging their regulators early. Rather than waiting for the regulation to take effect and then demonstrating compliance, they are sharing their readiness plans with their supervisors now. This builds regulatory confidence and provides an opportunity to course-correct if the regulator has different expectations.
They are using the transition as an opportunity. Rather than treating AMLA as a compliance burden, the most forward-thinking firms are using it as an opportunity to rationalise and improve their entire compliance programme. If you are going to rebuild your ongoing monitoring anyway, why not build it right?
Key takeaways
- 87% of compliance teams are aware of AMLA, but only 8% have started implementation. The gap between awareness and action is the real risk at the 18-month mark.
- A detailed gap analysis covering CDD, EDD, beneficial ownership, ongoing monitoring, and SAR reporting is your first priority. Most firms discover critical gaps only after assessment begins.
- Technology assessment must happen now. Technology has the longest lead times, and AMLA will examine your systems as part of its supervisory methodology.
- The realistic timeline requires four months for assessment, nine months for core implementation, and five months for testing and go-live preparation. Attempting to compress this into fewer months invites critical failures.
- Firms ahead of the curve treat AMLA as a dedicated programme with its own budget and governance, not as a competing project within existing change capacity.
