Broader AML-package obligations
AMLA's ongoing-monitoring guidelines are one slice of the 2024 EU AML package. This page maps the wider obligations — from the AMLR ((EU) 2024/1624), AMLD6 ((EU) 2024/1640), the AMLA Regulation ((EU) 2024/1620) and AMLA's mandated technical standards — that Atlas tracks to stay compliant-by-design.
A 12-lane deep-research pass (web-sourced, adversarially verified) surfaced 53 net-new obligations beyond Article 26 (39 further obligations were already covered by the existing register). Of the 53, 19 are rated MUST. Every item is planned, tracked under the AMLA broader-obligations epic, and additive to the AMLR compliance milestone #284.
Engineering/product documentation, not legal advice. Statuses: In force (the AMLR applies from 10 July 2027) · RTS/ITS pending (AMLA drafting; e.g. the Article 28(1) CDD RTS, final draft to the Commission ~10 July 2026) · Guideline draft. Field-level mandates are intentionally kept in configuration so the final RTS text can be absorbed without schema rebuilds.
Coverage at a glance
| Metric | Count |
|---|---|
| Net-new obligations surfaced | 53 |
| Already covered by the register | 39 |
| Rated must | 19 |
| Tracking epic | #660 |
Customer due diligence & the CDD RTS
The Article 28(1) CDD RTS (AMLA consultation Feb–May 2026, final draft to the Commission ~10 Jul 2026) moves obliged entities from free-text CDD to prescriptive, per-tier information sets with a documented rationale, standards for remote/non-face-to-face verification, and an enumerated list of reliable and independent sources. Atlas classifies the CDD tier from the risk matrix but does not yet enforce the RTS field-completeness, method capture, or source-qualification.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| Per-tier CDD information-set completeness gates + documented rationale | AMLR (EU) 2024/1624 Art 28(1); AMLA draft RTS on CDD (consultation 9 Feb–8 May 2026, EBA base of 30 Oct 2025), final draft due to Commission 10 Jul 2026 | RTS/ITS pending | MUST | #663 |
| Remote verification method + liveness/document-authenticity event capture | AMLR Art 22(1),(6); AMLA draft CDD RTS Art 28(1) (remote onboarding standards) | RTS/ITS pending | MUST | #664 |
| Provider source-reliability classification (RTS-qualified source tagging) | AMLR Art 22(1) + Art 28(1) RTS mandate (specifying reliable independent sources) | RTS/ITS pending | SHOULD | #665 |
| Verification-timing gate on relationship activation (Art 23) | AMLR (EU) 2024/1624 Art 23 (timing of verification) | In force | SHOULD | #666 |
| Relationship-type classification (business relationship vs occasional/linked) | AMLR Art 19, Art 19(9) RTS mandate; thresholds EUR 10,000 / EUR 1,000 (CASP) | RTS/ITS pending | COULD | #667 |
| Third-party CDD reliance provenance record (Art 49) | AMLR (EU) 2024/1624 Art 48–49 (reliance on third parties) | In force | COULD | #668 |
Beneficial ownership
Beneficial ownership under AMLR Chapter IV is a directed graph, not a table — and the hard cases are nominees, multi-layered/opaque structures, sector-conditional thresholds, and foreign entities without a domestic register. Atlas already computes UBOs by traversal; these obligations add the structures the traversal must explicitly detect and describe.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| Nominee-arrangement modelling and nominator resolution | AMLR 2024/1624 Art 53 (control incl. nominee arrangements) + Art 53 nominee disclosure obligation | In force | MUST | #709 |
| Complex/opaque structure detector and organigram gate | AMLR 2024/1624 Art 55 + EBA draft RTS on CDD under AMLR Art 28(1) (complex corporate structure definition) | RTS/ITS pending | MUST | #710 |
| Sector-conditional UBO ownership threshold | AMLR 2024/1624 Art 51 (25% baseline) + delegated power to lower threshold to max 15% for higher-risk categories | In force | SHOULD | #711 |
| Foreign-entity register-independent UBO resolution | AMLR 2024/1624 Art 57-58 (foreign/non-EU legal entities) + Art 63 register-independent verification | In force | SHOULD | #712 |
| Structured ownership-and-control description artifact | EBA draft RTS on CDD under AMLR Art 28(1) (structured ownership/control description) | RTS/ITS pending | SHOULD | #713 |
PEPs, RCAs & source of wealth
PEP handling (AMLR Art 17) turns on the EU consolidated list of prominent public functions, a post-office decay timer with a 12-month floor, and a substantiated source-of-wealth/source-of-funds dossier — beyond the PEP tri-state already tracked.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| EU consolidated prominent-public-function list ingestion + function-based PEP determination | AMLR (EU) 2024/1624 Art 43 (list of prominent public functions) and Art 2(1)(34) definition; combined list published by Commission | In force | SHOULD | #685 |
| Post-office PEP decay timer with 12-month floor and risk-based extension | AMLR (EU) 2024/1624 Art 45 (measures for persons who cease to be PEPs), referencing Art 34(4) | In force | SHOULD | #686 |
| PEP source-of-wealth/source-of-funds substantiation dossier with evidence gating | AMLR (EU) 2024/1624 Art 42(b) | In force | SHOULD | #687 |
| PEP-category risk weighting in the EBA-style matrix | AMLR (EU) 2024/1624 Art 42 (AMLA guidelines mandate); FATF R.12/22 | Guideline draft | COULD | #688 |
High-risk third countries & EDD
High-risk third countries (AMLR Art 29–35) are a three-tier register (EU-autonomous + FATF black/grey), each tier mandating specific EDD measures and, at the extreme, countermeasures (systematic reporting, refuse, terminate). Atlas needs the register, the per-country measure matrix, and the countermeasure state machine.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| EU-autonomous delegated high-risk-country register (Art 29/30/31 three-tier) | AMLR (EU) 2024/1624 Arts 29, 30, 31; Commission delegated acts; Recital 83 | In force | MUST | #680 |
| Per-country prescribed-measure matrix (country → mandated Art 34(4)/Art 35 measures) | AMLR Art 29(3), Art 30(3), Art 34(4), Art 35 | In force | MUST | #681 |
| Measure-level EDD checklist with evidence tracking (Art 34(4)(a)-(g)) | AMLR Art 34(4)(a)-(g) | In force | SHOULD | #682 |
| High-value / HNW-service EDD trigger (Art 34(5) EUR 5M/50M thresholds) | AMLR Art 34(5) | In force | SHOULD | #683 |
| Country-countermeasure state machine (Art 35: systematic-reporting / refuse / terminate) | AMLR Art 35(a)-(b) | In force | SHOULD | #684 |
Targeted financial sanctions
Targeted financial sanctions are a distinct obligation from AML/CFT: screening against EU/UN designation lists, >50%/majority-control aggregation (an entity majority-owned or majority-controlled by a designated person is itself frozen), hit adjudication with false-positive evidencing, and a freeze + competent-authority notification flow separate from SAR/STR.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| TFS control aggregation (>50% / majority interest by a designated person) | AMLR (EU) 2024/1624 Art 20(1)(d) | In force | MUST | #705 |
| Sanctions-hit adjudication & false-positive evidencing | AMLR (EU) 2024/1624 Art 20(1)(d); AMLA Art 8/9 internal policies, procedures and controls; forthcoming AMLA CDD/screening guidelines | Guideline draft | MUST | #706 |
| UN-designation interim 'bridge' state (Art 27) | AMLR (EU) 2024/1624 Art 27 (temporary measures for customers subject to UN financial sanctions) | In force | SHOULD | #707 |
| Sanctions freeze + competent-authority notification (distinct from SAR/STR) | CFSP asset-freeze regs (Reg 269/2014, 2580/2001) freeze + report-to-competent-authority duty; distinct from AMLR/AMLD6 FIU reporting | In force | SHOULD | #708 |
FIU reporting
Beyond the SAR/STR lifecycle already tracked (#370), the FIU relationship needs a request-for-information intake with a 5-working-day SLA and AMLA ITS-conformant export schemas.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| FIU request-for-information intake and 5-working-day SLA tracker | AMLR (EU) 2024/1624 Art 69/72 (replies to FIU requests); AMLD6 FIU powers | In force | MUST | #700 |
Record-keeping & data protection
Record-keeping (AMLR Art 77) and the GDPR interplay (Art 76) require a retention-clock scheduler with enforced deletion at expiry, legal-hold overrides, purpose-limitation on AML-collected personal data, and lawful-basis records — the deletion half of the immutable-audit-trail requirement.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| Retention-clock scheduler + enforced personal-data deletion at expiry | AMLR (EU) 2024/1624 Art 77(3) | In force | MUST | #689 |
| Retention legal-hold / extension override on the deletion scheduler | AMLR (EU) 2024/1624 Art 77(3) subpara 2 and Art 77(4) | In force | MUST | #690 |
| AML data-processing notice + lawful-basis record per subject | AMLR (EU) 2024/1624 Art 76(1)(a) | In force | SHOULD | #691 |
| Purpose-limitation enforcement on AML-collected personal data | AMLR (EU) 2024/1624 Art 76 (purpose limitation) | In force | SHOULD | #692 |
| Legal-status classification of adverse-media / criminal-record hits (allegation vs conviction) | AMLR (EU) 2024/1624 Art 76(2) | In force | SHOULD | #693 |
| Transfer-basis + processing-locality record for AML personal data | AMLR (EU) 2024/1624 Art 76 read with GDPR (EU) 2016/679 Chapter V | In force | COULD | #694 |
Governance, controls & training
Internal governance (AMLR Art 9–16) becomes software: a policy-management module with tiered approval and dissemination tracking, a compliance-function role registry, an AMLCO dashboard with the annual report, training records, and group-level policy propagation.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| Policy management module with tiered approval, versioning and dissemination tracking | AMLR Art 9(1)-(3), esp. Art 9(2)(a) ten elements and Art 9(3) approval levels; AMLA guidelines mandate (by 10 July 2026) on proportionality/audit alternatives | In force | MUST | #673 |
| Compliance-function role registry with appointment records and independence attestations | AMLR Art 11(1)-(7) | In force | MUST | #674 |
| AMLCO dashboard + auto-generated annual compliance report | AMLR Art 11(2) (annual report on implementation and outcomes) | In force | SHOULD | #675 |
| Training records ledger tied to compliance roles | AMLR Art 9(2)(a)(x) training policy; Art 13 (training and awareness of employees) | In force | SHOULD | #676 |
| Independent-audit findings & remediation tracker | AMLR Art 9(2)(b)/(3) independent audit function; AMLA guidelines (due 10 July 2026) on when the external-expert alternative applies | Guideline draft | SHOULD | #677 |
| Group hierarchy with policy propagation and group-level compliance role | AMLR Art 16(1)-(4); AMLA RTS mandate on group-wide policies and minimum standards / intra-group information sharing | RTS/ITS pending | SHOULD | #678 |
| Employee good-repute screening record | AMLR Art 9(2)(a)(viii) staff vetting; Art 13 employee screening | In force | COULD | #679 |
Reliance & outsourcing
Reliance on third parties (AMLR Art 48–49) and outsourcing need a reliance dossier (import another obliged entity's CDD as relied-upon evidence), a reliance-agreement register with a 5-working-day underlying-document retrieval SLA, an outsourcing register with supervisor notification, and enforcement that risk-profile and onboarding/SAR decisions are never outsourced.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| Non-outsourceable-decision enforcement: keep risk-profile & onboarding/SAR decisions inside the obliged entity | AMLR (EU) 2024/1624 Art 18(3) (non-outsourceable/decision-sovereignty tasks) | In force | MUST | #695 |
| Third-party reliance dossier: import & attribute another obliged entity's CDD as relied-upon evidence | AMLR (EU) 2024/1624 Art 48-49 (general provisions + process of reliance); Art 50 AMLA guidelines mandate | In force | SHOULD | #696 |
| Reliance agreement register + 5-working-day underlying-document retrieval SLA tracker | AMLR (EU) 2024/1624 Art 49 (5-working-day transmission deadline; written agreement requirement; retained liability) | In force | SHOULD | #697 |
| Outsourcing register + pre-start supervisor-notification workflow | AMLR (EU) 2024/1624 Art 18(1)-(2) (outsourcing, prior supervisor notification, service provider treated as part of obliged entity); Art 18 AMLA guidelines by 10 Jul 2027 | In force | SHOULD | #698 |
| Sub-processor / service-provider geography attestation for outsourced AML tasks | AMLR (EU) 2024/1624 Art 18 (third-country service-provider restriction) | In force | COULD | #699 |
Crypto / CASP / Travel Rule
Atlas serves CASPs, so crypto obligations are in-scope: self-hosted-wallet ownership verification, blockchain-analytics on-chain screening, the anonymity-enhancing-coin/anonymous-account prohibition, crypto correspondent (Art 37) EDD, and the Travel Rule (TFR (EU) 2023/1113).
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| Self-hosted wallet ownership verification + wallet-as-entity in ontology | TFR (EU) 2023/1113 Art 14-16 + EBA/GL/2024/11; AMLR (EU) 2024/1624 Art 79 | In force | MUST | #669 |
| Blockchain-analytics wallet-address & on-chain risk screening | AMLR (EU) 2024/1624 Art 79 (risk factors); TFR (EU) 2023/1113 counterparty/risk provisions; EBA/GL/2024/11 | In force | MUST | #670 |
| Anonymity-enhancing-coin / anonymous-account prohibition flag on CASP product profile | AMLR (EU) 2024/1624 Art 79 | In force | SHOULD | #671 |
| Counterparty / respondent CASP due-diligence assessment (Art 37 crypto correspondent EDD) | TFR (EU) 2023/1113 (counterparty assessment); AMLR (EU) 2024/1624 Art 37 (crypto correspondent EDD) | In force | SHOULD | #672 |
Risk-assessment methodology
Risk assessment (AMLR Art 10/20) needs a BWRA methodology engine (inherent → controls → residual, AMLA's four-band scoring), an SNRA/NRA findings registry as a scoring input, a controls-quality repository, and per-sector inherent-risk libraries.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| BWRA methodology engine (inherent → controls → residual, AMLA four-band scoring) | AMLR (EU) 2024/1624 Art 10(1)-(2); AMLA draft Guidelines under Art 10(4) (MR1-MR4) | Guideline draft | MUST | #701 |
| SNRA/NRA structured findings registry as risk-scoring input | AMLR Art 10(1); AMLD6 (EU) 2024/1640 Art 7 (SNRA) and Art 8 (NRA) | In force | MUST | #702 |
| Controls-quality (design vs implementation) evidence repository feeding residual risk | AMLR Art 10; AMLA draft BWRA Guidelines MR3 | Guideline draft | SHOULD | #703 |
| Per-sector inherent-risk indicator libraries for tenant sector profiles | AMLR Art 10; AMLA draft BWRA Guidelines MR2 (RTS Art 40(2) data points) | Guideline draft | SHOULD | #704 |
AMLA RTS/ITS tracking
Two obligations track the moving regulatory target itself: AMLA ITS-conformant reporting schemas, and an RTS/guideline version registry bound to the rule engine so a rule change is traceable to the instrument that required it.
| Obligation | Legal basis | Status | Priority | Tracking |
|---|---|---|---|---|
| AMLA ITS-conformant SAR/STR export schema | AMLR (EU) 2024/1624 Art 69(3) — ITS on SAR/STR reporting format; consultation closing / final draft Q4 2026, applies from 10 July 2027 | RTS/ITS pending | MUST | #661 |
| RTS/guideline version registry bound to rule engine | AMLAR (EU) 2024/1620 mandates + AMLR Art 28(1)/19(9)/20(3)/26(5)/69(3) delivery timeline 2025-2027; AMLR application date 10 July 2027 | RTS/ITS pending | SHOULD | #662 |
Relationship to the rest of the roadmap
These obligations are the breadth dimension; the AMLA ongoing-monitoring roadmap is the depth dimension on Article 26. Together with the EBA / AMLR compatibility design and the AMLR compliance milestone (#271–#284), they form the compliance-by-design target Atlas builds toward ahead of the AMLR's 10 July 2027 application date.