AMLA countdown: 18 months to go. Where should you be?


By Stuart Watkins, CEO, Zenoo

The Anti-Money Laundering Authority is no longer an abstract concept in a legislative proposal. AMLA is real. It has a home in Frankfurt. It is recruiting staff. And the AML Regulation that it will enforce is on track to apply in mid-2027. That is roughly 18 months from now.

Eighteen months sounds comfortable. It is not. The firms that are genuinely preparing for AMLA, not just reading about it, are already deep into their readiness programmes. The firms that are waiting for final technical standards before starting will find themselves scrambling when the deadline arrives.

This article is a practical readiness check. Not a summary of what AMLA is (we covered that in our EU AML Package explainer). This is about where your compliance programme should be right now, at the 18-month mark, to be ready when the regulation applies.

The readiness gap is wider than most firms realise

We conducted an informal survey of 30 compliance teams across the UK and EU in December 2025. The results were striking. 87% said they were "aware" of the AML Package. 60% said they had "started planning." But when we asked specific questions about gap analyses, technology assessments, and implementation timelines, only 15% had completed a detailed gap analysis against the draft regulation, and only 8% had begun implementation work.

The gap between awareness and action is enormous. And the firms in the 8% are not doing it because they are ahead of the regulatory curve. They are doing it because they understand that 18 months of implementation work does not compress into the last 6.

"We started our gap analysis in mid-2025. It took four months to complete because we had to assess every CDD process, every EDD trigger, every ongoing monitoring workflow, and every data source against the new requirements. If we had started now, in January 2026, we would not have time to both assess and implement before the deadline."

The gap analysis: what you should have by now

If you have not completed a gap analysis against the AML Regulation, this is your most urgent priority. The analysis should cover these areas.

CDD requirements. The regulation harmonises CDD across the EU, replacing national transpositions. Map your current CDD processes against the regulation's requirements. Identify where your current approach relies on national discretions that will disappear. The most common gaps we see: identity verification methods that are acceptable under current national rules but may not meet the regulation's standard, and simplified due diligence conditions that are more generous under current national rules than the regulation allows.

EDD triggers and measures. The regulation defines specific EDD triggers that are consistent across all member states. Some are familiar (PEPs, high-risk third countries). Others are expanded or new (complex ownership structures with more than two layers, crypto-asset service providers, certain types of correspondent relationships). Map your current EDD triggers and compare. Where you currently do not apply EDD, but the regulation requires it, that is a gap.

Beneficial ownership verification. The regulation mandates specific requirements for beneficial ownership identification and verification, including cross-referencing against central registers. If your current approach is based on self-declaration with limited verification, you have a significant gap. The 25% threshold remains the baseline, but the verification standard is higher than many firms currently apply.

Ongoing monitoring. The regulation sets minimum frequencies for customer risk reviews: annual for high-risk, triennial for medium-risk, quinquennial for low-risk. Every review must be documented with a clear audit trail. If your current ongoing monitoring programme does not meet these frequencies, or if your documentation does not meet the required standard, that is a gap.

SAR reporting. The regulation and the accompanying directive strengthen requirements around suspicious activity reporting, including timelines for filing, quality standards for report content, and protections for reporters. Review your SAR process against these requirements.

Technology readiness: the 18-month assessment

The AML Regulation has significant technology implications. AMLA will assess technology capability as part of its supervisory methodology. National supervisors are increasingly following suit. Your technology is no longer just a tool. It is part of your compliance framework, and it will be examined.

At the 18-month mark, you should have completed a technology readiness assessment covering these areas.

Can your systems support the required monitoring frequencies? If the regulation requires annual reviews for high-risk customers and your system can only schedule periodic reviews on a manual basis, you need an upgrade. Automated, risk-based scheduling is a practical necessity.

Can your systems produce the required audit trails? Every risk decision, every screening result, every review outcome needs to be logged with a timestamp, the data that informed it, and the rationale for the decision. If your current systems do not capture this level of detail, they need to.

Can your screening tools handle the expanded scope? The regulation brings new entity types into scope (crypto-asset service providers, luxury goods dealers, football clubs and agents). Your screening lists, risk models, and monitoring parameters may need to be updated to reflect this expanded scope.

Can your systems support cross-border data sharing? AMLA will coordinate national supervisors and facilitate cross-border information sharing. Your systems need to be able to produce data and reports in formats that support this sharing, and your data governance framework needs to accommodate cross-border transfers.

"Our technology assessment identified 12 gaps between our current systems and the regulation's requirements. Three were critical: our ongoing monitoring could not support the required review frequencies, our audit trail did not capture screening decision rationale, and our beneficial ownership verification was entirely manual. Those three gaps drive most of our implementation budget."

The implementation timeline: what 18 months looks like

Based on our experience helping firms prepare for regulatory change, here is a realistic breakdown of what the next 18 months should look like.

Months 1 to 3 (January to March 2026): Complete gap analysis and technology assessment. If you have not started, start now. If you have started, finish. The output should be a prioritised list of gaps with estimated implementation effort for each.

Months 4 to 6 (April to June 2026): Begin implementation of critical gaps. Focus on the changes that require the most lead time: technology upgrades, vendor changes, process redesigns. Critical gaps should be in active development by the end of this period.

Months 7 to 12 (July to December 2026): Core implementation. The bulk of your implementation work should happen in this window. New processes designed and documented. Technology changes developed and tested. Staff training programmes created and piloted. The goal is to have all major changes in place by the end of 2026, leaving the first half of 2027 for testing and refinement.

Months 13 to 15 (January to March 2027): Testing and refinement. Run your new processes in parallel with your existing ones. Identify gaps and issues in a controlled environment. Refine your technology configurations based on real-world testing. Train your full team on the new processes.

Months 16 to 18 (April to June 2027): Go-live preparation. Final validation. Senior management sign-off. Regulatory notification if required. The regulation takes effect, and your programme is ready.

This timeline is tight. It assumes focused effort with dedicated resources. Firms that try to fit AMLA implementation into their existing change capacity alongside other projects will struggle to meet it.

What the firms ahead of the curve are doing differently

The 8% of firms in our survey that have already started implementation share several characteristics.

They treat AMLA as a programme, not a project. It has a dedicated programme manager, a steering committee with board representation, and a ring-fenced budget. It is not competing with other change initiatives for resources.

They started with technology. Technology changes have the longest lead times. The firms that are ahead started their technology assessments first and are already in procurement or implementation for the systems they need to upgrade or replace.

They are engaging their regulators early. Rather than waiting for the regulation to take effect and then demonstrating compliance, they are sharing their readiness plans with their supervisors now. This builds regulatory confidence and provides an opportunity to course-correct if the regulator has different expectations.

They are using the transition as an opportunity. Rather than treating AMLA as a compliance burden, the most forward-thinking firms are using it as an opportunity to rationalise and improve their entire compliance programme. If you are going to rebuild your ongoing monitoring anyway, why not build it right?

Eighteen months is not a long time for the scale of change that AMLA requires. The regulation touches every part of your AML compliance programme: CDD, EDD, ongoing monitoring, beneficial ownership, SAR reporting, and the technology that supports it all. The firms that start now will be ready. The firms that wait will not.

If you want to accelerate your readiness, particularly on the technology side, talk to us. We are helping firms close their AMLA technology gaps through an orchestrated approach that reduces implementation time and eliminates vendor lock-in. 30 minutes. Your data. No slides.

About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
