
AMLA’s Draft Guidelines on Ongoing Monitoring of a Business Relationship under Article 26(5) AMLR
The Draft Guidelines on ongoing monitoring of a business relationship under Article 26(5) of Regulation (EU) 2024/1624 mark one of the most important implementation steps under the new EU Anti-Money Laundering Regulation (AMLR).
Article 26 AMLR requires obliged entities to conduct ongoing monitoring of business relationships and transactions performed by customers. At first sight, this may sound like a continuation of traditional transaction monitoring and periodic KYC refresh. However, AMLA’s Draft Guidelines go much further.
The Guidelines transform ongoing monitoring into a comprehensive customer lifecycle framework. This framework connects customer due diligence, customer risk classification, periodic reviews, event-driven reviews, transaction monitoring, activity monitoring, sanctions-related risk indicators, alert handling, escalation, technology governance and effectiveness testing.
For banks, payment institutions, crypto-asset service providers, investment firms, insurers, real estate professionals, lawyers, notaries, accountants and other obliged entities, the message is clear: ongoing monitoring under AMLR is no longer a standalone transaction-monitoring process. It is the operating system of the entire AML/CFT customer relationship.
What Is Article 26 AMLR About?
Article 26 AMLR deals with ongoing monitoring of the business relationship and monitoring of transactions performed by customers.
Obliged entities must monitor business relationships to ensure that transactions are consistent with:
- the obliged entity’s knowledge of the customer;
- the customer’s business activity;
- the customer’s risk profile;
- where necessary, information about the origin and destination of funds.
They must also detect transactions that require more thorough assessment under Article 69(2) AMLR.
In addition, customer documents, data and information must be kept up to date. The maximum review period is one year for higher-risk customers and five years for all other customers.
Article 26 also requires event-driven reviews where there is a change in relevant customer circumstances, where the obliged entity has a legal obligation to contact the customer, or where the obliged entity becomes aware of a relevant fact pertaining to the customer.
Finally, Article 26 introduces regular verification of targeted financial sanctions exposure. For credit institutions and financial institutions, this verification must also take place upon any new designation in relation to targeted financial sanctions.
Why AMLA’s Draft Guidelines Matter
The Draft Guidelines matter because they clarify how obliged entities should implement Article 26 AMLR in practice.
AMLA’s approach is based on four core principles:
- risk-based application;
- proportionality;
- horizontal applicability across financial and non-financial sectors;
- technological neutrality.
This means that AMLA does not impose one single technical solution. Manual, semi-automated and automated monitoring frameworks may all be acceptable, provided that they are effective, documented, proportionate and capable of identifying and escalating relevant money laundering and terrorist financing risks.
The Guidelines are especially important because they broaden the traditional understanding of monitoring. AMLA does not refer only to transaction monitoring; it introduces the concept of transaction and activity monitoring.
This is a major development. Many obliged entities do not directly process payments or transactions. For them, relevant risks may arise from customer instructions, mandates, assets, ownership changes, business activities, behavioural anomalies or other relationship events. AMLA’s terminology therefore makes the framework applicable across the entire AMLR population.
AMLA Guideline 1: Keeping Customer Documents, Data and Information Up to Date
The first main part of the Draft Guidelines focuses on keeping customer information up to date.
This covers both periodic reviews and event-driven reviews.
The underlying supervisory expectation is that customer information must not become static after onboarding. Customer due diligence must remain accurate and risk-relevant throughout the business relationship.
Sources for Updating Customer Information
Obliged entities may use several sources to update customer information, including:
- official registers;
- government databases;
- competent authority databases;
- reputable commercial data providers;
- reliable open sources;
- information provided directly by the customer;
- information provided by other obliged entities;
- combinations of these sources.
The reliability and independence of the source must be assessed on a risk-sensitive basis.
Customer confirmations may be used, but they are not automatically sufficient in all cases. Depending on the risk, the obliged entity may need to verify customer-provided information against independent and reliable sources.
Where a representative provides information on behalf of the customer, the obliged entity must assess whether that person has the necessary knowledge and authority to provide or confirm the information.
Periodic Customer Information Reviews
Periodic reviews remain a central element of Article 26 AMLR.
The maximum update periods are:
| Customer category | Maximum update period |
|---|---|
| Higher-risk customers | 1 year |
| All other customers | 5 years |
However, AMLA emphasises that these are maximum periods. More frequent updates may be necessary depending on the customer’s risk profile.
The depth and intensity of a periodic review should be risk-based. Not every review must automatically result in a full re-KYC exercise.
For example, where a low-risk business relationship exists but no new activity has occurred and no new product or service has been provided, the review may be adjusted. A proportionate review could include checking business registers, performing PEP and adverse media screening, and reviewing internally whether the nature or purpose of the relationship has changed.
The important point is that the review must still be meaningful. It must assess whether the customer information remains accurate and whether the customer risk profile remains appropriate.
What Must Be Assessed During Periodic Reviews?
AMLA identifies several key areas that should be assessed during periodic customer information reviews:
- customer identification information;
- beneficial ownership information;
- legal status of legal entities;
- valid statutory representation;
- purpose and intended nature of the business relationship;
- source of funds where applicable;
- whether the customer, beneficial owner or relevant person has become a politically exposed person, family member or close associate.
The transaction or activity history may also be used to assess whether the source of funds remains consistent with the expected customer profile.
Where existing customer due diligence information does not sufficiently explain the source of funds, additional information must be obtained.
Event-Driven Reviews
Event-driven reviews are one of the most important elements of the Draft Guidelines.
Obliged entities must have policies, procedures, processes and controls to define and detect trigger events. These events may arise from customer behaviour, monitoring outputs, other internal controls or external information.
AMLA gives several examples of trigger events.
Changes in Identity, Legal Status or Ownership
These include:
- changes in identity details;
- changes in nationality;
- changes in residency;
- changes in legal form;
- changes in ownership structure;
- changes in directors;
- changes in authorised signatories;
- changes in representatives.
Behavioural, Activity-Based or Transactional Anomalies
These include:
- unusual transaction patterns;
- inconsistent behaviour;
- unexplained changes of professional service providers;
- unusual changes in IP address or device location where relevant;
- activity that deviates from the expected customer profile;
- activity inconsistent with the purpose and intended nature of the relationship.
Risk-Relevant Information or Adverse Findings
These include:
- new adverse media;
- new PEP status;
- legal proceedings related to potential ML/TF violations;
- regulatory notices;
- internal intelligence;
- warnings issued by competent authorities.
Changes in Financial Situation, Source of Funds or Business Activity
These include:
- significant changes in financial standing;
- changes in financing structures;
- changes in asset composition;
- changes in control;
- use of new products or services;
- engagement with higher-risk jurisdictions;
- engagement with higher-risk counterparties.
The key message is that customer reviews are not only calendar-based. They must also be triggered by relevant risk events.
Expired Identity Documents: No Automatic Re-Collection
One of the most practical points in the Draft Guidelines concerns expired identity documents, passports or equivalent documents.
AMLA does not require automatic re-collection of all expired identity documents.
Instead, obliged entities must apply a risk-based assessment. Relevant factors include:
- the risk associated with the customer;
- the risk associated with the business relationship;
- the risk associated with the issuing country;
- how long the document has been expired;
- whether the document has up-to-date security features;
- whether a new document would provide updated or additional identity information;
- whether there are doubts about the accuracy, authenticity or adequacy of previously obtained identification data.
Where updating is necessary, the obliged entity must decide whether the document must be updated without delay or whether it can be updated during the next scheduled review or next customer interaction.
This is a major simplification compared with purely mechanical document-refresh practices. It allows resources to be directed to situations where the updated document has real risk-mitigation value.
Suspension or Restriction Measures Where Information Is Missing
The Draft Guidelines also address what should happen where the customer does not provide updated information.
Where an obliged entity is unable to keep customer information up to date, it must refrain from carrying out transactions and must terminate the business relationship if it cannot comply with its obligations.
Before termination, however, the obliged entity may temporarily suspend or restrict transactions, activities or services if this allows the ML/TF risks to be effectively managed.
This may be relevant where:
- the customer does not respond;
- updated documents are missing;
- customer confirmation is outstanding;
- the institution has made repeated reasonable efforts to obtain the information.
AMLA emphasises that suspension or restriction is only a temporary measure. If the obliged entity ultimately cannot comply with its customer due diligence obligations, termination must follow.
AMLA Guideline 2: Transaction and Activity Monitoring
The second main part of the Draft Guidelines is the transaction and activity monitoring framework.
This is the real operational core of the AMLA document.
The framework must be based on the obliged entity’s business-wide risk assessment and must cover all products and services in order to support a holistic understanding of customer behaviour.
The framework must be capable of identifying transactions and activities that materially deviate from expected behaviour and may be unusual or suspicious.
It must also be capable of identifying patterns, behaviours or linkages that may indicate risks related to the non-implementation or evasion of targeted financial sanctions, where such risks are identifiable through ongoing monitoring.
Beyond Traditional Transaction Monitoring
The most important conceptual shift is that AMLA moves beyond narrow transaction monitoring.
Ongoing monitoring must also capture activities, behaviours, events and changes in circumstances.
This is particularly important for non-financial sectors or business models where the obliged entity does not execute or control transactions.
For example, monitoring may involve:
- review of customer documentation;
- review of instructions;
- review of mandates;
- review of assets involved;
- review of source of funds;
- review of counterparties;
- review of funding arrangements;
- event-driven reviews;
- escalation of unusual behaviour identified by staff.
This makes Article 26 AMLR relevant not only for banks and payment institutions, but also for a wide range of non-financial obliged entities.
Manual, Automated and Semi-Automated Monitoring
AMLA recognises three types of monitoring frameworks:
- manual monitoring;
- semi-automated monitoring;
- automated monitoring.
The appropriate model depends on:
- the size of the obliged entity;
- the nature of the business;
- transaction and activity volumes;
- frequency of activity;
- complexity;
- overall ML/TF risk exposure.
Manual monitoring may be appropriate for smaller entities or entities with limited transaction data. Automated or semi-automated systems may be necessary where the volume, speed or complexity of transactions and activities justifies them.
The key supervisory test is not whether an entity uses advanced technology. The test is whether the monitoring framework is effective.
Automated and Semi-Automated Systems
Where automated or semi-automated systems are used, obliged entities must ensure that rules, scenarios, thresholds, models and behavioural baselines are clearly defined and capable of detecting relevant ML/TF risks.
Detection logic and configuration must be documented, tested and recorded.
Where an obliged entity uses a pre-configured or externally developed monitoring tool, default settings must not be accepted blindly. They must be reviewed, assessed and calibrated to the institution’s specific risk profile, business model, size, nature and complexity.
This is highly relevant for institutions relying on vendor systems. Supervisors will expect institutions to understand how the tool works and why its configuration is appropriate.
Link Between CDD and Ongoing Monitoring
One of the most important sections of the Draft Guidelines is the link between customer due diligence and ongoing monitoring.
AMLA expects CDD processes, sanctions screening processes and the monitoring framework to operate in an integrated and coordinated manner.
Monitoring outputs must be used to inform:
- customer due diligence updates;
- customer risk classification;
- risk-mitigating measures;
- enhanced due diligence;
- potentially the business-wide risk assessment.
This creates a closed-loop model.
Customer Profiles and Expected Behaviour
The monitoring system must not operate separately from KYC. Alerts and monitoring outputs must feed back into the customer profile.
Obliged entities must use customer profiles for monitoring. These profiles must be based on verified CDD information.
Customer profiles should include:
- the purpose of the business relationship;
- the intended nature of the relationship;
- expected transactions where relevant;
- envisaged activities;
- expected behavioural profile.
Monitoring must be calibrated to this baseline so that deviations from expected behaviour can be identified reliably and without undue delay.
This is a key practical point. Without a meaningful customer profile, the institution cannot properly determine whether behaviour is unusual.
Peer Groups and Reference Groups
AMLA allows the use of reference groups or peer groups, but only as a supporting tool.
Peer groups must not replace the institution’s understanding of the individual customer.
A transaction or activity that does not deviate from the peer group may still be suspicious when viewed against the individual customer’s profile.
The absence of deviation at peer-group level must not be used on its own to dismiss risk indicators identified at individual customer level.
Pre-Transaction, Real-Time and Post-Transaction Monitoring
The Draft Guidelines distinguish between different forms of monitoring.
Pre-Transaction and Pre-Activity Monitoring
This involves assessing transactions or activities before they are carried out or completed.
Where the obliged entity can assess or intervene before execution, it should apply pre-transaction or pre-activity monitoring.
This may include review of:
- mandates;
- instructions;
- contractual arrangements;
- assets involved;
- customer due diligence information.
Real-Time Monitoring
Where the obliged entity can assess or intervene at the point of execution, real-time monitoring should form part of the framework where relevant.
This is particularly important for payment services, instant payments, crypto transfers and other high-speed financial services.
Post-Transaction and Post-Activity Monitoring
Post-transaction monitoring involves assessing transactions and activities after they have been carried out.
This is essential for identifying:
- patterns;
- linkages;
- cumulative risk indicators;
- behavioural anomalies;
- suspicious activity over time.
AMLA explicitly recognises that some risks only become visible when transactions and activities are considered together over time.
Handling Monitoring Outputs
Monitoring outputs must be assessed without undue delay, prioritised based on risk and escalated where further analysis is required.
Obliged entities must be able to explain how outputs were assessed, escalated and acted upon.
They must also monitor and manage backlogs of pending monitoring outputs.
This is a critical supervisory point. A system that generates alerts but does not resolve them in a timely and risk-based manner is not effective.
Automated Closure of Alerts
AMLA permits automated closure of monitoring outputs only in limited circumstances.
Automated closure should only be used where automated analysis does not indicate suspicious or unusual activity or other material ML/TF risk indicators.
It should not be used for higher-risk customers or situations requiring enhanced scrutiny.
The decision logic must be understandable and documented. Effectiveness must be subject to human oversight, including validation through sampling and review of potential missed cases.
Internal Controls and Effectiveness Testing
The monitoring framework must be periodically reviewed and tested.
The purpose is to ensure that it remains effective and aligned with the business-wide risk assessment.
Effectiveness should not be assessed solely by:
- number of alerts;
- number of suspicious activity reports;
- breadth of typology coverage.
Instead, obliged entities should assess:
- relevance of outcomes;
- risk-based nature of outcomes;
- ability to identify ML/TF risks;
- timeliness of escalation;
- appropriateness of decisions;
- recurring deficiencies;
- ability to address emerging risks.
This is a major shift from quantitative alert metrics to outcome-based effectiveness assessment.
Data Quality
Data quality is central to the Draft Guidelines.
Obliged entities must implement:
- data quality controls;
- data validation processes;
- regular data cleansing.
Data used in the monitoring framework must be complete, accurate, timely and properly attributed to customers, counterparties, assets or activities.
Where data deficiencies may affect monitoring outcomes, they must be documented together with the assessment and mitigating measures.
Poor data quality will therefore become a direct AML monitoring weakness.
Use of Technology, AI and Advanced Analytics
AMLA’s approach to technology is balanced.
The Draft Guidelines do not mandate artificial intelligence, machine learning or advanced analytics. However, obliged entities should assess whether such tools would enhance the identification and escalation of ML/TF risks.
The use of technology is not, by itself, evidence of effectiveness.
Effectiveness depends on whether the tool helps detect and escalate relevant risks without undue delay.
Where advanced analytical tools are used, obliged entities must ensure:
- governance;
- safeguards;
- explainability;
- oversight;
- challenge;
- documentation;
- responsibility for monitoring decisions;
- performance monitoring;
- detection of model drift or performance degradation.
Where third-party providers are used, the obliged entity must ensure that sufficient information is available to meet these requirements. If not, the tool should not be used for monitoring functions that materially influence outcomes or decisions.
Targeted Financial Sanctions and Ongoing Monitoring
Although sanctions compliance is not fully operationalised in the Draft Guidelines, AMLA clearly connects ongoing monitoring with risks of non-implementation or evasion of targeted financial sanctions.
Monitoring frameworks should be capable of identifying patterns, behaviours or linkages that may indicate sanctions evasion risks, including through:
- intermediaries;
- ownership or control structures;
- counterparties;
- assets;
- transaction patterns.
This connects Article 26 AMLR with the broader EU sanctions compliance agenda.
Practical Impact for Obliged Entities
The Draft Guidelines will have significant practical consequences.
Obliged entities should assess whether they can demonstrate:
- scheduled periodic reviews;
- annual reviews for higher-risk customers;
- five-year maximum review cycles for other customers;
- documented event-driven review triggers;
- integration between CDD and monitoring;
- customer profiles based on verified information;
- monitoring across all products and services;
- documented rationale for manual, automated or semi-automated monitoring;
- calibrated vendor systems;
- documented alert handling;
- risk-based prioritisation of monitoring outputs;
- management of alert backlogs;
- data quality controls;
- effectiveness testing;
- technology governance;
- human oversight of advanced tools;
- documentation of limitations and mitigating measures.
The Strategic Message
The strategic message of the Draft Guidelines is simple but far-reaching.
AMLA is turning ongoing monitoring into the core mechanism of customer lifecycle supervision.
The old model was often:
KYC onboarding, periodic refresh, transaction monitoring alerts.
The new model is:
CDD, customer profile, periodic review, event-driven review, transaction and activity monitoring, alert assessment, risk reassessment, enhanced due diligence, suspicious activity reporting and business-wide risk feedback.
This is a closed-loop AML/CFT operating model.
Key Takeaways
The Draft Guidelines on ongoing monitoring of a business relationship under Article 26(5) of Regulation (EU) 2024/1624 represent a major step in the implementation of the EU AML Single Rulebook.
They clarify that ongoing monitoring is not limited to transaction monitoring. It includes customer information management, periodic reviews, event-driven reviews, transaction and activity monitoring, behavioural analysis, sanctions-related risk indicators, alert handling, data quality, internal controls, technology governance and effectiveness testing.
For obliged entities, the challenge is clear. AML compliance can no longer be organised as disconnected silos. KYC, screening, transaction monitoring, risk assessment, sanctions detection, escalation and suspicious activity reporting must operate as one integrated customer lifecycle framework.
The future supervisory question will not be whether an institution has a transaction monitoring system.
The question will be whether the institution can demonstrate that it understands the customer throughout the relationship, detects relevant changes without undue delay, escalates unusual or suspicious behaviour effectively and keeps its monitoring framework aligned with its real ML/TF risk exposure.
That is the real meaning of ongoing monitoring under Article 26 AMLR.