New Ongoing Monitoring Requirements under Art. 26 (1) AMLR

Article 26(1) of Regulation (EU) 2024/1624 (AMLR) marks a decisive shift in the EU AML/CFT framework. What was previously treated as a combination of transaction monitoring rules and periodic reviews is now elevated to a single, integrated legal obligation: ongoing monitoring of the business relationship as a whole.

This provision does not merely refine existing practices. It eliminates siloed AML architectures and establishes a relationship-centric, risk-calibrated monitoring standard that supervisors will expect institutions to evidence from day one of AMLR application.


Ongoing Monitoring Targets the Business Relationship – Not Just Transactions

Article 26(1) AMLR requires obliged entities to conduct ongoing monitoring of business relationships, explicitly including transactions undertaken by the customer throughout the course of that relationship.

The legal object of monitoring is therefore not the transaction in isolation, but the customer relationship over its entire lifecycle.

Practical implication

Transaction monitoring systems that operate independently from customer due diligence (CDD), risk profiling, or purpose and intended nature assessments are no longer sufficient. Monitoring must be embedded into the CDD framework itself.


The core test under Article 26(1) AMLR is consistency. Transactions must be consistent with:

  • the obliged entity’s knowledge of the customer,
  • the customer’s actual business activity,
  • the customer’s risk profile, and
  • where necessary, information on the origin and destination of funds.

This consistency assessment is cumulative, not optional.

What “knowledge of the customer” means under AMLR

“Knowledge” refers to documented, validated and retained CDD information, including beneficial ownership, control structures, business purpose, and expected behaviour. It is not limited to customer declarations.

Risk profile as an active monitoring parameter

The customer risk profile is no longer a static classification used only to determine CDD depth. Under Article 26(1), it becomes a live calibration factor for monitoring logic, tolerance thresholds, and escalation decisions.


Origin and Destination of Funds: Risk-Triggered, Not Blanket Analysis

Article 26(1) AMLR introduces a proportionality-driven approach to source and destination of funds:

  • Analysis is mandatory where necessary, based on risk and inconsistency indicators.
  • It is neither optional nor universally required for every transaction.

Institutions must therefore demonstrate a risk-triggered drill-down mechanism: baseline consistency checks first, enhanced analysis when deviations or risk indicators emerge.


Mandatory Detection Below the STR Threshold (Article 69(2) AMLR)

A critical but often overlooked element of Article 26(1) AMLR is its explicit reference to Article 69(2).

Ongoing monitoring must detect transactions that require a more thorough assessment, even where no suspicion has yet arisen.

Why this matters

AMLR formally introduces a mandatory intermediate layer between:

  • normal monitoring, and
  • suspicious transaction reporting (STR).

Binary alert models (“STR or close”) are therefore non-compliant. Institutions must evidence enhanced scrutiny, contextual investigation and documented assessments below the STR threshold.


Cross-Product Monitoring Is No Longer Optional

Where a business relationship covers more than one product or service, Article 26(1) AMLR requires that CDD and monitoring cover all products and services.

This establishes a clear legal principle:
the customer relationship is unitary, even if products are not.

Supervisory consequence

Product-siloed monitoring setups (e.g. payments, lending, custody monitored separately without customer-level aggregation) directly breach Article 26(1), unless a consolidated customer view exists.


Group-Wide Information Must Be Used – Not Just Available

Article 26(1) AMLR goes beyond earlier group-wide cooperation concepts. If a customer also has relationships with other entities within the same group — whether AML-obliged or not — relevant information from those relationships must be taken into account.

This is a use obligation, not merely an access permission.

Key clarification

Institutions can no longer rely on arguments such as:

  • “the other group entity is not subject to AML/CFT”, or
  • “systems are not connected”.

If relevant information exists within the group and is ignored, Article 26(1) AMLR is violated.


What Supervisors Will Expect to See

From a supervisory and audit perspective, compliance with Article 26(1) AMLR requires demonstrable evidence that:

  • monitoring is relationship-centric and lifecycle-based,
  • transactions are assessed against documented customer knowledge and real activity,
  • risk profiles actively influence monitoring logic,
  • enhanced assessments below STR level are systematically performed,
  • monitoring is aggregated across products and services, and
  • group-wide customer information is operationally integrated.

Article 26(1) AMLR Forces Structural Change

Article 26(1) AMLR is not a technical adjustment. It is a structural mandate that dismantles fragmented AML models and replaces them with a single, coherent monitoring doctrine.

Institutions that continue to treat transaction monitoring, CDD, risk assessment and group information as separate compliance silos will face immediate supervisory friction under the new EU AML framework.

The message of Article 26(1) AMLR is clear: Ongoing monitoring is no longer a system. It is the backbone of the entire AML/CFT control framework.
