The EU’s Anti-Money Laundering (AML) Package represents a significant step toward greater harmonisation, stronger financial integrity, and enhanced protection of EU citizens and businesses. As the Anti-Money Laundering Regulation (AMLR) moves toward implementation, there is an opportunity to ensure that its practical application fully delivers on these objectives while preserving proportionality, a genuine risk-based approach, and the international competitiveness of EU-based financial institutions.

This paper highlights a limited number of areas where implementation choices, supervisory guidance, and upcoming Level 2 and Level 3 measures could materially improve effectiveness, reduce unintended friction, and support consistent outcomes across Member States and third-country operations.

1. Rebalancing Prescriptiveness and the Risk-Based Approach

While the AMLR is formally grounded in a risk-based approach, it introduces a significantly more prescriptive set of detailed requirements. This shift risks prioritising procedural compliance over effective risk management, particularly in lower-risk scenarios. A few examples:

• Customer Identification and Verification: Uniform requirements to collect expanded sets of static customer data, irrespective of risk profile, may deliver limited incremental risk mitigation in lower-risk relationships. In many cases, dynamic indicators, such as transactional behaviour, deviations from expected activity, and usage patterns over time, are more effective in identifying misuse, impersonation, or emerging risk. Greater flexibility to balance static and dynamic measures would support a more effective risk-based framework.
• Calibration of Customer Due Diligence: The AMLR sets out harmonised due diligence elements that must always be applied. While this supports consistency, it may reduce the ability to calibrate the depth and intensity of due diligence in line with evolving customer risk profiles. Allowing more flexibility in how these elements are applied would help focus resources on higher-risk relationships, while mitigating de-risking and unnecessary friction for lower-risk customers and SMEs.

Ongoing Monitoring and Periodic Review: Prescribed review intervals and narrowly defined conditions for simplified measures may constrain event-driven or continuous monitoring models that respond to changes in customer behaviour, geographic exposure, or business activity. Greater recognition of risk-triggered reviews, alongside periodic cycles, would enhance effectiveness without weakening safeguards.

Taken together, these elements point to an opportunity to reaffirm supervisory expectations that focus on risk outcomes rather than uniform procedural application that is only focused at detailed technical compliance.

1. Proportionate Group-Wide Application in Third Countries

The AMLR requires EU-regulated institutions to apply group-wide AML/CFT measures, including across third-country branches and subsidiaries. When combined with increasingly prescriptive requirements, this can create operational friction in jurisdictions with different legal, data, or documentation frameworks—particularly for lower-risk business models.

Even limited divergences between EU and local requirements can translate into customer friction, onboarding delays, and disproportionate documentation burdens without corresponding risk-mitigation benefits. At scale, these effects may influence commercial decisions and unintentionally disadvantage EU-regulated institutions in global markets.

There is an opportunity for Level 2 and Level 3 measures to clarify that group-wide obligations should be applied in a differentiated and risk-based manner, including the ability to rely on equivalent third-country AML/CFT frameworks where residual risks are appropriately identified, mitigated, and overseen at group level. This would preserve high standards while supporting proportionality and competitiveness.

2.  Preventing Re-Fragmentation Through Supervisory Execution

Harmonisation achieved in legislation can be undermined if supervisory execution allows fragmentation to re-emerge in practice. As supervision becomes more centralised at EU level, it is critical that interactions between AMLA and national competent authorities (NCAs) actively prevent deviating interpretations on a Member State level. Harmonisation should extend to consistent application of regulatory requirements, including the risk-based approach to supervision. 

Clear guardrails are needed to ensure that EU-level standards replace, rather than accumulate on top of, national practices. In particular, effective implementation would benefit from:

• Strong expectations around data minimisation and reuse across authorities
• Mechanisms to prevent duplicative or overlapping information requests
• Coordinated supervisory engagement where multiple authorities are involved
• Consistent expectation setting on the risk-based approach to AML

Without such safeguards, operational gaps risk being filled by divergent national practices, leading to de-harmonisation through execution, precisely the outcome the new AML framework is designed to prevent.

Call to Action: Role of Level 2 and Level 3 Measures

The success of the AMLR will depend heavily on how it is implemented in practice. Regulatory Technical Standards, Implementing Technical Standards, and supervisory guidance provide a critical opportunity to:

• Reinforce an outcomes-focused, genuinely risk-based approach
• Enable proportionate group-wide application across third-country jurisdictions
• Promote supervisory convergence through clear operational expectations to prevent divergent national practices 
• Ensure that harmonisation at EU level is preserved through execution

Clear, pragmatic guidance in these areas would support consistent supervisory expectations, effective risk mitigation, and a strong, competitive EU financial sector operating in a global market.

About us: The European FinTech Association (EFA) is a not-for-profit organization representing leading FinTech companies of all sizes from across the EU. It brings together a diverse group of 40+  FinTech providers ranging from payments, to lending, banking, robo-advice, investment as well as software-as-a-service for the finance sector, with a clear focus on enabling a single market for digital financial services. For more information, visit www.eufintechs.com

Download the PDF version of the statement: