Two New EU AML Regulatory Technical Standards: What Institutions, AML Officers and IT Must Implement by 2028

Two RTS, One Combined Effect

With the new EU AML framework, the focus of anti-money laundering supervision is shifting fundamentally: away from narrative self-assessments and towards standardised, data-driven risk assessments. Two Regulatory Technical Standards (RTS) are central to this shift:

  1. RTS under Article 12(7) AMLR (EU) 2024/1620
    → Methodology for selecting institutions for direct AMLA supervision
  2. RTS under Article 40(2) AMLD (EU) 2024/1640
    → Methodology for assessing inherent risk, quality of controls and residual risk by supervisory authorities

Both RTS will most likely enter into force on 31 December 2027. From 1 January 2028, national competent authorities (NCAs) must begin collecting the required data from institutions.


RTS 1: Selection for Direct AMLA Supervision (Article 12 AMLR)

Objective of the RTS

This RTS defines the objective, quantitative criteria according to which AMLA selects institutions and groups for direct supervision.

Key elements

  • Activity in at least six EU Member States
  • Materiality thresholds (e.g. more than 20,000 customers or more than EUR 50 million in annual transaction volume per Member State)
  • A uniform scoring model covering:
    • inherent risk
    • quality of AML controls
    • residual risk
  • Group-wide aggregation

Implications for institutions

Selection is data-driven and reproducible, no longer discretionary.
Institutions must be able to provide reliable metrics at any time – regardless of whether they are currently subject to direct AMLA supervision.


RTS 2: Supervisory Risk Assessment (Article 40 AMLD)

Objective of the RTS

This RTS obliges supervisory authorities to apply a uniform methodology when assessing the risk profile of all financial institutions.

Core elements

  • Harmonised indicators and datapoints (Annex I)
  • A uniform scale from 1 to 4:
    • for inherent risk
    • for quality of controls (inverted)
  • Derivation of a residual risk
  • Annual assessments, plus event-driven reviews
  • No narrative risk justifications

Who is responsible for what?

1. Institutions: Data responsibility without excuse

Although the RTS are formally addressed to supervisors, the practical burden rests squarely with institutions.

Why?

  • All relevant data exist exclusively within institutional systems:
    • core banking systems
    • payments and trading systems
    • KYC systems (e.g. SironKYC)
    • transaction monitoring systems (e.g. SironAML, Smaragd TCM/CBM)
    • case management and STR systems

Responsibilities of institutions

  • Ensuring data availability
  • Consistent aggregation in line with Annex I
  • Reproducibility (cut-off dates, historisation)
  • Provision of data upon supervisory request

The RTS does not prescribe any portal, Excel template or API. Institutions must be able to deliver – regardless of the technical format requested by supervisors.


2. AML Officers: From policy owner to data steward

The role of the Anti-Money Laundering Compliance Officer (AMLCO) is changing fundamentally.

New core responsibilities

  • Substantive definition of RTS metrics
    (e.g. “CDD not in line with Article 20 AMLR”, “review overdue”)
  • Accountability for the substantive consistency of data
  • Management of governance metrics:
    • reporting frequency to the management body
    • BWRA approvals
    • training coverage including the management body
  • Central interface with supervisory authorities

What falls away

  • Narrative risk explanations
  • Informal “case-by-case arguments”
  • National special interpretations

The AMLCO becomes the accountable owner of a data-driven AML control model.


3. IT departments: A critical success factor for RTS compliance

Without IT, there is no RTS readiness.

Responsibilities of IT

  • Identification of the single source of truth for each datapoint
  • Technical extraction from AML, KYC and core systems
  • Automation instead of manual Excel-based collections
  • Ensuring:
    • data quality
    • versioning
    • audit trails
    • reproducibility

Important
The RTS does not introduce a new regulatory return like AnaCredit or large exposure reporting.
However, it requires that data can be presented consistently at any time.


How often will assessments be performed?

  • Annually (default)
  • Every three years only in narrowly defined low-risk cases
  • Ad hoc within four months following material events
    (e.g. changes in the business model or serious AML deficiencies)

The assessment is carried out by the national competent authority, using the RTS methodology. Institutions provide the underlying data.


2027 is not a deadline, but a turning point

The two RTS mark the transition to a measurable, comparable and data-driven AML supervisory regime in the EU.

For institutions

  • Data become a supervisory risk
  • Preparation is unavoidable

For AML officers

  • Responsibility shifts from narrative text to metrics

For IT departments

  • AML becomes a structured data product

Those who control their AML data by 31 December 2027 will not be caught off guard on 1 January 2028.
Those who wait will be overtaken by the methodology.


Act now – establish RTS readiness systematically

The impact of the two RTS does not begin in 2028, but now, during the preparation phase. A structured approach today avoids operational overload, data chaos and supervisory escalation later.

The following five steps should be initiated without delay:

  1. Inform the responsible member of the management body
    Responsibility for RTS readiness is not delegable.
    The relevant board or senior management member (e.g. Risk, Compliance, COO or IT) must be formally informed and involved, as governance, resource and budget decisions are required.
  2. Apply for budget and additional resources for 2026 and 2027
    RTS readiness is a multi-year undertaking.
    Targeted funding must be secured for:
    • AML subject-matter resources
    • IT and data capacity
    • reporting and quality assurance
    Without early budget approval, a structural bottleneck will arise from 2027 onwards.
  3. Define and convene a Steering Committee
    An interdisciplinary steering committee is essential:
    • AML Compliance Officer (overall substantive responsibility)
    • IT/Data (technical implementation)
    • Risk/Finance, where appropriate
    • Internal Audit (observer role)
    The committee should be formally appointed and meet on a regular basis.
  4. Carry out structured project planning
    Based on the RTS requirements, a binding project roadmap to 31 December 2027 must be established, covering:
    • Annex I gap analysis
    • KPI and definition standardisation
    • technical data enablement
    • governance and control readiness
    • a dry run prior to entry into force
    RTS readiness must not be treated as a side project.
  5. Assess the need for external support and obtain proposals
    Where internal capacity or specialist expertise is insufficient, external support should be sourced at an early stage, for example for:
    • Annex I data modelling
    • KPI definition and audit readiness
    • project and implementation support
    External assistance is not a weakness, but prudent risk management.

RTS readiness is not a question of whether, but of how well prepared. Those who decide now remain in control. Those who hesitate will be forced to react.

The right time to start is NOW!

Source: https://www.amla.europa.eu/policy/regulatory-instruments_en
