One Year to AMLR: What Private Funds Need to Know Before July 2027
Author:
- Understanding the legal Framework
- The Timeline at a Glance
- What This Means for Private Fund and Asset Management Industry Specifically
- Standardised CDD Data Points and Beneficial Ownership
- Identity Verification
- Ongoing Monitoring
- Documentation and Audit Trails
- Why the Window for Preparation is Shorter Than It Looks
- Building Towards Compliance: Where to Start
The EU's AML Regulation Package: What Fund & Asset Managers Need to Know Before 2027
The countdown to July 2027 has officially started - and the numbers are not reassuring.
According to PwC's EMEA AML Survey 2026, based on responses from more than 500 institutions across 40 countries, only around one third of EU financial institutions expect to be ready for the EU AML Package by next year’s deadline. More than half anticipate operational disruption over the next two years, and around one third expect compliance costs to rise by between 10% and 30%. Customer due diligence has emerged as the central operational bottleneck, with around 40% of institutions viewing CDD requirements as overly rules-based. Private funds and asset managers, which typically run leaner compliance functions than the banks surveyed, face the same deadline with fewer resources.
Twelve months. That is what separates European fund & asset managers from the most significant overhaul of AML regulation in over a decade. And the machinery is moving on schedule: today, 10 July 2026 (exactly one year before the regulation applies) AMLA must submit its final draft technical standards across more than 20 mandates to the European Commission. The drafting phase is ending. What follows is adoption, publication, and enforcement. Moreover, regulators have already signalled that obliged entities may be expected to demonstrate progress toward alignment during the transition period, which means that if you are facing national supervisor reviews in 2026, the standards are already relevant.
This article breaks down what the new AML framework actually consists of, what it means specifically for private fund vehicles and the like, and what steps make sense to take now.
Understanding the legal Framework
First, it is worth understanding the interconnected parts of the new AML framework and how they work together.
The package rests on three legal instruments: the AMLR (the substantive rulebook), AMLD6 (the criminal law and supervisory directive), and AMLAR (the regulation establishing AMLA itself).
AMLR: The Direct Regulation
The Anti-Money Laundering Regulation (Regulation EU 2024/1624 (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401624)) is the legal centrepiece of the new framework. From 10 July 2027, it applies uniformly across all 27 EU Member States, without national variations and no country-by-country transposition.
For private equity and venture capital fund managers, this is not a new obligation in principle – AML/CDD requirements have existed under national law (Germany’s GwG, Luxembourg’s AML Law and CSSF circulars, etc.) for years. What changes is the precision, harmonisation, and enforceability of those obligations.
This matters more than it might sound. Previous EU AML rules came in the form of directives, meaning each Member State transposed them into national law with room to make their own choices, which often lead to different data retention periods, different UBO thresholds, different acceptable verification methods. The AMLR eliminates that room; it applies directly, uniformly, without national variation.
For fund and asset managers operating across multiple EU jurisdictions, that is the structural change: not just tighter rules, but the same rules everywhere.
AMLD6: The Criminal Law Complement
Alongside AMLR, the sixth Anti-Money Laundering Directive (AMLD6 — Directive EU 2024/1640 (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401640)) completes the package. Where AMLR sets out the substantive AML obligations, AMLD6 harmonises the criminal law framework: money laundering offences, minimum sanctions, liability of legal persons, and cooperation between national Financial Intelligence Units. Member States must transpose AMLD6 by 10 July 2027. For fund managers, AMLD6 is primarily relevant as context as it shapes the national enforcement environment within which AMLR operates. Since national transposition deadlines converge with AMLR's application date in July 2027, both layers of obligation come into force simultaneously.
AMLAR and AMLA: The Enforcer
The Anti-Money Laundering Authority (AMLA) is the EU's new supervisory body, headquartered in Frankfurt and operational since 1 July 2025.
Its legal basis is the Anti-Money Laundering Authority Regulation (AMLAR - Regulation EU 2024/1620 (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401620)), which establishes AMLA's mandate, governance, and supervisory powers.
AMLAR is the institutional counterpart to AMLR: where AMLR defines what obliged entities must do, AMLAR defines who enforces it and how.
Supervisory authority
From 2028, AMLA will directly supervise approximately 40 high-risk institutions operating across at least six EU Member States. For the broader market, AMLA coordinates with national authorities to ensure the AMLR and its technical standards are enforced consistently across borders.
How AMLA and national supervisors like BaFin or the CSSF will interact in practice, and what that means operationally for funds, is a topic we cover in detail in a separate article. [LINK: supervision article, add URL on publication]
But AMLA is already active, and its 2026 data collection exercise offers the clearest preview yet of what compliant reporting will look like in practice (https://www.amla.europa.eu/document/download/1462996b-a5c4-46cd-8f03-2a806eef6513_en?filename=Press Release - AMLA to launch data collection exercise to test risk assessment models for the financial sector.pdf).
In early 2026, AMLA launched a data collection and testing exercise, publishing a full reporting package (including template, interpretive note, and supporting materials) to calibrate the risk assessment models that will inform the selection of those 40 directly supervised entities. The exercise involved two groups: institutions potentially eligible for direct supervision, and a representative sample expected to remain under national supervision (to ensure risk assessment methodology becomes consistent across the EU, not just for the top 40). The results will refine indicator definitions, reporting thresholds, and technical specifications ahead of the full 2027 exercise.
In other words: even if your fund is never selected for direct AMLA oversight, the template being stress-tested today is likely to become the reporting standard that national supervisors adopt. The question is not whether this level of structured, data-ready reporting will reach private funds – it is when.
Regulatory function - Legal Instruments and Technical Standards
Developing legal instruments is one of AMLA's core tasks: promoting convergence and consistency of the EU's AML/CFT framework across all Member States.
These instruments come in four forms: Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), Guidelines (GL), and Recommendations (REC). Together they specify and clarify requirements, support supervisory convergence, and ensure consistent implementation across the EU.
The RTS and ITS carry the same legal weight as AMLR itself: they are binding, not advisory.
AMLA's pipeline for 2026 and 2027 is intensive: the authority is tasked with preparing regulatory instruments across more than 20 mandates, most of them due for submission to the European Commission by 10 July 2026. The pipeline targets the financial sector first, covering areas such as CDD, business-wide risk assessments, group-wide policies, and supervisory cooperation, before extending the same framework to the non-financial sector in a second wave.
In practice, this means the standards most relevant to fund managers are being finalised now.
- RTS on Customer Due Diligence (Article 28 AMLR) – consultation closed May 2026; final draft due to the European Commission 10 July 2026. Specifies the minimum information and documents required for onboarding and beneficial owner verification, taking a proportionate, risk-based approach. The draft RTS explicitly validates eIDAS-compliant electronic identification and the EU Digital Identity Wallet for remote onboarding — digital verification is not just permitted, it is the direction the standard is being written toward (https://www.amla.europa.eu/policy/public-consultations/consultation-draft-rts-customer-due-diligence_en).
- Guidelines on Business-Wide Risk Assessment (Article 10 AMLR) – consultation closed July 2026, final guidelines expected Q4 2026. Proposes four minimum requirements for the conduct of an adequate business-wide risk assessment, applicable across all obliged entities: enabling them to understand risks arising from their business model, customers, products, services, and geographical exposure. For fund managers, this translates into a documented, governance-approved risk framework that must be kept current and reviewed regularly.
- Guidelines on Ongoing Monitoring (Article 26 AMLR) – consultation open until September 2026, final guidelines expected Q4 2026. Sets out core principles for how obliged entities must implement continuous monitoring of business relationships: covering how to keep customer information current and how to structure a transaction and activity monitoring framework across both financial and non-financial sectors.
- Risk Profile Assessment (Article 40 AMLD6) – Final report published December 2025. It establishes a common methodology for supervisors to assess the inherent and residual ML/TF risk profile of obliged entities, introducing a numerical scoring system of 1 to 4 based on weighted indicators covering customer types, products, services, and geographical exposure, with annual reviews required for most entities. Your national supervisor will use this methodology to score your fund and set inspection intensity. The quality of your investor data, KYC documentation, and AML controls will determine that score.
Most of these mandates converge on a single date: 10 July 2026, when AMLA must deliver its final drafts to the European Commission. From that point, the content of the 2027 rulebook is essentially fixed; what remains is adoption and application. Compliance teams waiting for "final versions" before starting their gap analysis should recognise that the final versions are, as of now, written.
The Timeline at a Glance
Understanding the sequencing matters, because preparation time is already running short.
- July 2025: AMLA became operational; coordination with national supervisors began
- December 2025: Risk Profile Assessment RTS (Article 40 AMLD6) finalised
- February to May 2026: AMLA public consultations on the CDD and Business Relationships RTS
- 10 July 2026: AMLA submits final draft RTS to the European Commission, including the CDD RTS (Art. 28) and Business Relationships RTS (Art. 19), exactly one year before application
- Q4 2026: Final Guidelines on Business-Wide Risk Assessment and Ongoing Monitoring expected
- 10 July 2027: KEY TURNING POINT: AMLR and corresponding technical standards take effect across all EU Member States
- End of 2027: AMLA publishes the list of approximately 40 directly supervised entities
- 2028: AMLA assumes full supervisory powers
The July 2027 date is not a soft deadline. It is the point at which legal obligations become enforceable.
What This Means for Private Fund and Asset Management Industry Specifically
Private funds occupy an interesting position in the AMLR landscape. While the regulation was originally designed with banks and payment institutions in mind, its scope extends to alternative investment fund managers, asset managers and their administrators and compliance officers in ways that require careful attention.
Several areas are particularly relevant for fund operations:
Standardised CDD Data Points and Beneficial Ownership
The draft RTS on CDD harmonises what must be collected during investor onboarding across all EU Member States, replacing nationally varied interpretations with a single baseline. For private funds, two changes stand out.
The UBO ownership threshold shifts from "more than 25%" to "25%", a subtle but operationally meaningful change that will bring additional investors into scope for full beneficial ownership verification. More significantly, indirect ownership must now be calculated by multiplying ownership interests at each level of the chain rather than assessing holdings in isolation. A structure where an individual holds 50% of an entity that holds 60% of the investing vehicle must be traced and documented accordingly.
The AMLR also formally introduces the concept of complex structures (intermediary entities sitting between the UBO and the investing entity) as a category requiring more intensive due diligence. For funds with institutional or family office investors, this is no longer an edge case to handle manually.
Identity Verification
AMLR tightens the standards around identity verification at the point of onboarding. Acceptable methods for remote verification are changing: eIDAS-compliant approaches (such as qualified electronic signatures and EU Digital Identity Wallets) become the primary standard, while video identification is demoted to a fallback option requiring documented justification.
Ongoing Monitoring
One-time KYC is no longer sufficient. AMLR requires continuous, risk-based monitoring of investor relationships. Funds need processes and systems capable of tracking changes in investor status, running ongoing name screening against PEP lists, sanctions databases, and adverse media sources, and flagging material changes for review. This is perpetual KYC, and it requires infrastructure, not just intention.
Documentation and Audit Trails
Across the updated framework, the emphasis is not just on the outcome of CDD decisions but on the ability to evidence how they were reached. Data sources used, how beneficial ownership was assessed, how risk indicators were considered, how discrepancies were resolved. All of it must be retained and explainable. Audit trails move from best practice to legal requirement.
Why the Window for Preparation is Shorter Than It Looks
July 2027 is 12 months away. But the actual preparation horizon is considerably shorter.
The uncertainty argument is gone. By 10 July 2026, AMLA must deliver its final draft technical standards to the European Commission, including the two most consequential for investor onboarding: the RTS on Customer Due Diligence (Article 28) and the RTS defining when a business relationship exists (Article 19). From that point, the content of the 2027 rulebook is essentially fixed pending Commission adoption. Funds that have been waiting for "final versions" before starting their gap analysis no longer have that reason. The versions are final enough to act on.
And acting takes time. Technology assessments, vendor evaluations, workflow redesigns, and staff training are sequential, not parallel. If your fund relies on manual onboarding processes, switching to compliant digital infrastructure is not a weekend project, and every month spent deliberating is a month taken from implementation.
There is also the supervisory dimension. Regulators have already signalled that obliged entities may be expected to demonstrate progress toward RTS alignment during the transition period, before the formal 2027 application date. For funds that face national supervisor reviews in late 2026 and 2027, the emerging standards are already operationally relevant.
Building Towards Compliance: Where to Start
For fund managers assessing their current state, a useful starting framework has three stages.
- First, map your current onboarding and KYC processes against AMLR's core obligations. Do you have documented risk assessments for each investor type? Can your identity verification methods meet the incoming eIDAS standards? Is your name screening continuous or only triggered at onboarding?
- Second, evaluate your technology and data infrastructure. Is investor data centralised or scattered across systems? Can you generate the audit trails that AMLR requires? Are you able to report suspicious activity in standardised formats, and do your systems connect to the service providers and administrators you work with?
- Third, consider the operational model. Does your team have the compliance capacity to manage AMLR obligations at scale? For many funds (particularly emerging managers and smaller GPs) the answer will involve a combination of upgraded technology and specialist support.
Preparing for 2027: How Vestlane Supports the Transition
The obligations AMLR formalises (standardised CDD data points, eIDAS-compliant identity verification, perpetual name screening, structured audit trails, and a centralised investor data model) map directly onto what Vestlane was built to deliver for private funds and asset managers.
But regulatory transitions of this scale are not solved by software alone. Vestlane's team combines deep technology, legal, and regulatory expertise, and works alongside fund managers, compliance officers, and administrators to co-shape how their organisations adapt: from translating the incoming standards into concrete workflows to restructuring onboarding processes around them.
Whether you run a venture fund, a private equity vehicle, or a broader asset management platform, the operational foundation the new regulation demands is the same. Compliant, documented, and ready for supervisory review at any time.
If you are reviewing your readiness for 2027, it is worth seeing what that transition looks like in practice.
Frequently Asked Questions
What is the EU AML Package?
The EU AML Package consists of three legal instruments: the AMLR (Regulation EU 2024/1624, the directly applicable rulebook), AMLD6 (Directive EU 2024/1640, harmonising criminal law and supervision), and AMLAR (Regulation EU 2024/1620, establishing AMLA, the EU's new AML authority in Frankfurt). Together they replace nationally fragmented AML rules with a single, uniform EU framework from July 2027.
When do fund managers need to be ready for AMLR?
The AMLR applies from 10 July 2027 across all 27 EU Member States. However, the effective preparation window is shorter: AMLA submits its final draft technical standards to the European Commission by 10 July 2026, fixing the content of the 2027 rulebook, and supervisors have signalled that obliged entities may need to demonstrate alignment progress during the transition period.
How does the AMLR affect private fund managers?
The AMLR standardises CDD data points across all EU Member States, lowers the UBO threshold from "more than 25%" to "25%", requires indirect ownership to be calculated multiplicatively across ownership chains, makes eIDAS-compliant identity verification the primary onboarding standard, and mandates continuous, risk-based investor monitoring with full audit trails - perpetual KYC instead of one-time checks.
:quality(75))
:quality(75))
:quality(75))