
What Is Most Likely the Fastest Way to Implement the New EU AML Regulation?
After more than 15 years of implementing the risk-based approach under the 3rd, 4th and 5th EU AML Directives, one lesson is clear:
The AML framework only works if risk comes first, decisions follow, and execution comes last.
The new EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) does not change this logic. It reinforces it.
The fastest way to implement AMLR is therefore not to start with policies, procedures or IT tooling, but to follow the same proven sequence that has worked since AMLD III.
The Risk-Based Approach Is the Starting Point, Not the End
A risk-based approach does not mean “having a risk section in a policy”. It means being able to assess inherent risk and calculate residual risk in a transparent and reproducible way.
Only once that is done can an institution make informed decisions about controls, policies and execution.
Step 1: Assess Inherent Risk and Calculate Residual Risk
The first step is the Business-Wide Risk Assessment (BWRA).
This is where the institution determines:
- the inherent ML/TF risk of its business model, and
- the residual risk, based on the effectiveness of existing AML/CFT controls.
This step answers two fundamental questions:
- What risks does our business create?
- How much of that risk remains after mitigation?
At this stage, no new policies are designed. The objective is risk transparency, not remediation.
Step 2: Residual Risk Acceptance by Management
Once residual risk is calculated, the management body, and more specifically the compliance manager, must decide:
Which residual risk level is acceptable and which is not?
This decision is the strategic pivot point of AML implementation.
Without an explicit residual-risk acceptance decision:
- policies have no anchor,
- procedures lack proportionality,
- and supervisory expectations cannot be met consistently.
This is not a technical exercise. It is a risk-acceptance decision at management level.
Step 3: Design Policies and Procedures (2nd Line of Defence)
Only after residual risk acceptance does it make sense for compliance officers to:
- design AML/CFT policies,
- define procedures,
- calibrate controls,
- and set escalation thresholds.
At this stage, policies are no longer generic. They are:
- risk-specific,
- proportionate,
- and aligned with the accepted residual risk.
This is where AMLR policies should be written, not before.
Step 4: Implement and Execute in the First Line of Defence
Once policies and procedures are approved, the 1st Line of Defence (1LoD) can implement and execute them.
The key operational implementation in the 1LoD is Customer Due Diligence (CDD).
CDD is where:
- risk assessments become operational,
- policies become executable,
- and AMLR compliance becomes testable.
Without correct and complete CDD data, no AML framework can function reliably.
Step 5: Build on CDD Data to Implement the Rest of AMLR
Once CDD data is available and reliable:
- transaction monitoring can be calibrated,
- suspicious transaction reporting can be tested,
- ongoing monitoring can be stabilised,
- outsourcing, reliance and group controls can be verified,
- record retention and reporting processes can be validated.
At this point, AMLR implementation shifts from design to testing and fine-tuning.
Only then does a controlled “go-live” make sense.
Why This Is the Fastest Way
This approach is not theoretical.
It reflects:
- 15 years of AMLD implementation practice,
- supervisory inspection logic,
- and the practical realities of the Three Lines of Defence.
It avoids:
- rewriting policies multiple times,
- rebuilding IT systems after go-live,
- and retrofitting controls once data problems emerge.
In short: Risk 1st. Decisions 2nd. Execution 3rd.
Bottom Line
The fastest way to implement the new EU AML Regulation is to follow the same proven logic that has governed AML implementation since the 3rd AMLD:
- Assess inherent risk and calculate residual risk
- Decide which residual risk is acceptable
- Design policies and procedures accordingly
- Implement CDD in the 1st Line of Defence (1LoD)
- Build, test and fine-tune the remaining AMLR obligations before go-live
AMLR raises the bar, but it does not reinvent the risk-based approach.