AMLR 2027: From Deadline to Advantage: Designing a Continuous KYC, KYB and AML Operating Model

Most Nordic obliged entities will treat AMLR as a compliance scramble. The smarter move is to treat it as a decision about how the institution operates, and the time before 2027 is enough to make that decision properly.

A single rulebook changes the question

In 2024 the EU adopted the most significant overhaul of its anti-money-laundering regime to date. At its centre is the Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624), a directly applicable Single Rulebook that replaces much of the patchwork built up across successive AML directives. Most of its substantive obligations apply from 10 July 2027.

Alongside it sit the Sixth AML Directive (AMLD6, Directive (EU) 2024/1640) and the regulation establishing the Anti-Money Laundering Authority (AMLA) in Frankfurt. Together they bring harmonised rules, EU-level supervision of selected high-risk obliged entities and considerably tighter expectations on customer due diligence (CDD), beneficial ownership and ongoing monitoring.

For anyone running compliance at a Nordic bank, financing or asset-finance company, lender, insurer, asset manager or regulated card programme, it is tempting to file AMLR under "another deadline". But it forces a decision most institutions have been deferring: whether KYC, KYB, transaction-monitoring alert handling and supervisory reporting carry on in separate systems and separate teams, or finally run as one continuous operating model. That is less a compliance question than an operational one. Institutions that use the window to 2027 to settle it, rather than tick a box, will be cheaper to run and easier to examine once the rules take effect.

Why this is an architecture problem

Each firm should validate the final text against EUR-Lex and its own counsel, but the direction of travel is clear:

  • A harmonised Single Rulebook. AMLR is a regulation, not a directive, so CDD, risk-assessment and record-keeping rules apply uniformly across Member States and narrow the room for national interpretation.

  • Tighter, more granular CDD. Standardised identification and verification, clearer rules on simplified and enhanced due diligence, and stricter expectations on the quality of the data behind every decision.

  • Beneficial ownership transparency. A consistent 25% threshold, with the option to apply lower thresholds in higher-risk sectors, and stronger requirements around verifying and refreshing UBO data.

  • Expanded scope. Crypto-asset service providers, certain high-value goods dealers and other newly covered entities come into the AML perimeter, and the Travel Rule extends to crypto transfers.

  • An EU-wide €10,000 cash limit on payments in the course of business.

  • AMLA direct supervision of selected high-risk obliged entities, raising the bar on data quality, evidence and timeliness.

  • Genuinely continuous monitoring. The expectation is that monitoring runs continuously rather than as a periodic refresh, with documented triggers, escalation and outcomes.

Taken together, these shift AML from a stage-gated check at onboarding into a continuous, evidence-rich discipline that runs through every event in the customer relationship. That exposes a tension most compliance leaders already feel: KYC, KYB, alert handling and supervisory reporting still sit in separate systems and teams. AMLR did not create the problem, but it ends the option of carrying on as before.

Four pressures AMLR will amplify

Most compliance leaders already face the same four pressures. Without an integrated operating model each one keeps getting worse, and AMLR will intensify all of them.

Escalating operating costs. Manual alert handling and the constant cycle of periodic and event-driven review push up headcount in both AML and KYC teams; the recurring cost sits in ongoing monitoring rather than one-off onboarding. Rule tuning and workflow maintenance multiply across siloed systems, and automation stops at each tool boundary.

Blind spots in customer and entity risk. Transaction-monitoring alerts get handled without full customer or entity context. There is no single risk view across customers, UBO structures and transactions, and rules are applied inconsistently between onboarding and ongoing monitoring.

Onboarding friction and lost revenue. KYC and KYB onboarding takes too long for both individuals and corporates. Disconnected workflows force repeated data collection, and compliance friction slows new business and change events.

Difficulty keeping up with regulation. The EU AML package and AMLA are raising expectations for end-to-end control. Supervisors increasingly focus on ongoing due diligence, cross-domain risk signals, explainability and audit trails, which is exactly where fragmented estates struggle to produce evidence on demand.

What a future-proof KYC, KYB and AML operating model requires

Set the vendor question aside for a moment. Whether you build, extend what you already run or buy, the target operating model AMLR points to looks the same. It treats the customer relationship as one continuous lifecycle rather than a series of stage-gated checks, and it holds to a few non-negotiables:

  • A single entity record and risk model shared across onboarding and ongoing monitoring, so every decision draws on the same context and the same audit trail.

  • Identity that works across markets: the freedom to plug in any eID or Digital ID vendor for retail and commercial clients and their stakeholders, rather than being locked to one.

  • Provider-agnostic data capture and pre-screening: the freedom to choose your own data, screening, ID and credit sources and to swap them later through configuration rather than a re-platforming project, with configurable, branded onboarding and due-diligence forms. Required sources change over time, and being locked to one is a risk rather than a convenience.

  • Instant PEP and sanctions screening, with alert handling that carries full entity and UBO context, without forcing you to replace the transaction-monitoring engine you already trust.

  • Tooling to investigate complex ownership structures, including visual mapping of stakeholder and UBO relationships for the harder cases.

  • One time-stamped audit trail across KYC, KYB, AML and any connected credit decision, held against every related stakeholder.

  • Change by configuration rather than code: the freedom to build and version multiple workflows (by product, segment, jurisdiction and risk level), reorder the checks within them, and add or change rules and data sources as EBA and AMLA guidance lands, without a development project each time. The rulebook will keep evolving after 2027, and the operating model has to absorb that.

  • Continuous rather than periodic monitoring: event-driven Perpetual KYC and KYB, where a customer is reassessed when something actually changes, not on a fixed schedule.

That last point is what AMLR bends everything towards. A perpetual model resolves entities and risk factors to a common data model, monitors event streams around the clock, and triggers the right follow-up automatically: a PEP or sanctions re-check, an AML risk reassessment, a documentation request, an escalation. Risk classification stops being a snapshot taken at onboarding and revisited on a schedule and becomes a live calculation that updates the moment new data, a screening hit or a transaction signal arrives. This is what AMLA supervision will expect to see evidenced — a defensible, time-stamped record of how the risk picture changed and what the institution did about it, rather than a quarterly refresh script.

This does not mean handing judgement to a machine. The model most compliance teams want is simple to state: automate the simple cases and escalate the complex ones. Clean cases run straight through. The exceptions that need a human, such as a PEP or sanctions hit, complex ownership, a high-risk score or adverse media, branch to structured case handling, with dual control on material decisions and clear escalation. Automation carries the volume and enforces consistency, so scarce analyst time lands on the cases that genuinely need it.

This is increasingly the baseline rather than the frontier, and firms that get there first will be able to demonstrate control while others are still assembling it.

What the new operating model actually buys you

The point of doing this is not to satisfy AMLA. A unified, continuous operating model pays for itself in the business, well beyond the compliance function.

Institutions that have moved this way report a consistent pattern. Manual review falls because alerts arrive with context already attached instead of being reconstructed case by case. Onboarding that used to take days or weeks compresses towards minutes, which shows up directly in conversion and time-to-revenue. The hardest and most expensive corporate and UBO cases stop consuming a disproportionate share of effort. And the audit trail supervisors want is produced as a by-product of the work rather than a separate scramble before an inspection.

The bigger change is in how compliance is seen. It stops being the cost centre that slows the business down and becomes part of how the business grows: quicker to onboard, cheaper to run and more confident under scrutiny. That is a better reason to organise the run-up to 2027 around than the date itself.

How to use the time until 10 July 2027

The window is short for a change that touches policy, data, processes and technology. A pragmatic path:

  1. Gap-assess against the AMLR text and emerging EBA and AMLA guidance, with particular focus on CDD, UBO and ongoing monitoring.

  2. Map your current KYC and AML estate. Which capabilities sit in core systems, which in point tools, which in spreadsheets, which in people's heads?

  3. Define a target operating model built around entity-level lifecycle management, with onboarding, monitoring, alert handling and reporting on the same backbone instead of stage-by-stage hand-offs.

  4. Choose an operating model that absorbs change: composable, API-native, independently assured, able to integrate with the transaction-monitoring engine you already trust, and configurable without a development project for every rule change, whether you build it, extend what you have or buy it.

  5. Pilot, measure and industrialise, using AMLR's transition window rather than waiting for it to close.

The window to 10 July 2027 is short, but it is better seen as an opportunity than a threat. It is the best chance in a decade to retire a fragmented estate and build something better, and the institutions that act early will set the standard others are measured against.

Philip Røer, Product Lead, Stacc CLM
