Skip to main content

Broader AML-package obligations

AMLA's ongoing-monitoring guidelines are one slice of the 2024 EU AML package. This page maps the wider obligations — from the AMLR ((EU) 2024/1624), AMLD6 ((EU) 2024/1640), the AMLA Regulation ((EU) 2024/1620) and AMLA's mandated technical standards — that Atlas tracks to stay compliant-by-design.

Roadmap status — not yet implemented

A 12-lane deep-research pass (web-sourced, adversarially verified) surfaced 53 net-new obligations beyond Article 26 (39 further obligations were already covered by the existing register). 19 are rated must. Every item is planned, tracked under the AMLA broader-obligations epic and additive to the AMLR compliance milestone #284.

Legal status & not legal advice

Engineering/product documentation, not legal advice. Statuses: In force (the AMLR applies from 10 July 2027) · RTS/ITS pending (AMLA drafting; e.g. the Article 28(1) CDD RTS, final draft to the Commission ~10 July 2026) · Guideline draft. Field-level mandates are intentionally kept in configuration so the final RTS text can be absorbed without schema rebuilds.

Coverage at a glance

Count
Net-new obligations surfaced53
Already covered by the register39
Rated must19
Tracking epic#660

Customer due diligence & the CDD RTS

The Article 28(1) CDD RTS (AMLA consultation Feb–May 2026, final draft to the Commission ~10 Jul 2026) moves obliged entities from free-text CDD to prescriptive, per-tier information sets with a documented rationale, standards for remote/non-face-to-face verification, and an enumerated list of reliable and independent sources. Atlas classifies the CDD tier from the risk matrix but does not yet enforce the RTS field-completeness, method capture, or source-qualification.

ObligationLegal basisStatusPriorityTracking
Per-tier CDD information-set completeness gates + documented rationaleAMLR (EU) 2024/1624 Art 28(1); AMLA draft RTS on CDD (consultation 9 Feb–8 May 2026, EBA base of 30 Oct 2025), final draft due to Commission 10 Jul 2026RTS/ITS pendingMUST#663
Remote verification method + liveness/document-authenticity event captureAMLR Art 22(1),(6); AMLA draft CDD RTS Art 28(1) (remote onboarding standards)RTS/ITS pendingMUST#664
Provider source-reliability classification (RTS-qualified source tagging)AMLR Art 22(1) + Art 28(1) RTS mandate (specifying reliable independent sources)RTS/ITS pendingSHOULD#665
Verification-timing gate on relationship activation (Art 23)AMLR (EU) 2024/1624 Art 23 (timing of verification)In forceSHOULD#666
Relationship-type classification (business relationship vs occasional/linked)AMLR Art 19, Art 19(9) RTS mandate; thresholds EUR 10,000 / EUR 1,000 (CASP)RTS/ITS pendingCOULD#667
Third-party CDD reliance provenance record (Art 49)AMLR (EU) 2024/1624 Art 48–49 (reliance on third parties)In forceCOULD#668

Beneficial ownership

Beneficial ownership under AMLR Chapter IV is a directed graph, not a table — and the hard cases are nominees, multi-layered/opaque structures, sector-conditional thresholds, and foreign entities without a domestic register. Atlas already computes UBOs by traversal; these obligations add the structures the traversal must explicitly detect and describe.

ObligationLegal basisStatusPriorityTracking
Nominee-arrangement modelling and nominator resolutionAMLR 2024/1624 Art 53 (control incl. nominee arrangements) + Art 53 nominee disclosure obligationIn forceMUST#709
Complex/opaque structure detector and organigram gateAMLR 2024/1624 Art 55 + EBA draft RTS on CDD under AMLR Art 28(1) (complex corporate structure definition)RTS/ITS pendingMUST#710
Sector-conditional UBO ownership thresholdAMLR 2024/1624 Art 51 (25% baseline) + delegated power to lower threshold to max 15% for higher-risk categoriesIn forceSHOULD#711
Foreign-entity register-independent UBO resolutionAMLR 2024/1624 Art 57-58 (foreign/non-EU legal entities) + Art 63 register-independent verificationIn forceSHOULD#712
Structured ownership-and-control description artifactEBA draft RTS on CDD under AMLR Art 28(1) (structured ownership/control description)RTS/ITS pendingSHOULD#713

PEPs, RCAs & source of wealth

PEP handling (AMLR Art 17) turns on the EU consolidated list of prominent public functions, a post-office decay timer with a 12-month floor, and a substantiated source-of-wealth/source-of-funds dossier — beyond the PEP tri-state already tracked.

ObligationLegal basisStatusPriorityTracking
EU consolidated prominent-public-function list ingestion + function-based PEP determinationAMLR (EU) 2024/1624 Art 43 (list of prominent public functions) and Art 2(1)(34) definition; combined list published by CommissionIn forceSHOULD#685
Post-office PEP decay timer with 12-month floor and risk-based extensionAMLR (EU) 2024/1624 Art 45 (measures for persons who cease to be PEPs), referencing Art 34(4)In forceSHOULD#686
PEP source-of-wealth/source-of-funds substantiation dossier with evidence gatingAMLR (EU) 2024/1624 Art 42(b)In forceSHOULD#687
PEP-category risk weighting in the EBA-style matrixAMLR (EU) 2024/1624 Art 42 (AMLA guidelines mandate); FATF R.12/22Guideline draftCOULD#688

High-risk third countries & EDD

High-risk third countries (AMLR Art 29–35) are a three-tier register (EU-autonomous + FATF black/grey), each tier mandating specific EDD measures and, at the extreme, countermeasures (systematic reporting, refuse, terminate). Atlas needs the register, the per-country measure matrix, and the countermeasure state machine.

ObligationLegal basisStatusPriorityTracking
EU-autonomous delegated high-risk-country register (Art 29/30/31 three-tier)AMLR (EU) 2024/1624 Arts 29, 30, 31; Commission delegated acts; Recital 83In forceMUST#680
Per-country prescribed-measure matrix (country → mandated Art 34(4)/Art 35 measures)AMLR Art 29(3), Art 30(3), Art 34(4), Art 35In forceMUST#681
Measure-level EDD checklist with evidence tracking (Art 34(4)(a)-(g))AMLR Art 34(4)(a)-(g)In forceSHOULD#682
High-value / HNW-service EDD trigger (Art 34(5) EUR 5M/50M thresholds)AMLR Art 34(5)In forceSHOULD#683
Country-countermeasure state machine (Art 35: systematic-reporting / refuse / terminate)AMLR Art 35(a)-(b)In forceSHOULD#684

Targeted financial sanctions

Targeted financial sanctions are a distinct obligation from AML/CFT: screening against EU/UN designation lists, >50%/majority-control aggregation (an entity owned by a designated person is itself frozen), hit adjudication with false-positive evidencing, and a freeze + competent-authority notification flow separate from SAR/STR.

ObligationLegal basisStatusPriorityTracking
TFS control aggregation (>50% / majority interest by a designated person)AMLR (EU) 2024/1624 Art 20(1)(d)In forceMUST#705
Sanctions-hit adjudication & false-positive evidencingAMLR (EU) 2024/1624 Art 20(1)(d); AMLA Art 8/9 internal policies, procedures and controls; forthcoming AMLA CDD/screening guidelinesGuideline draftMUST#706
UN-designation interim 'bridge' state (Art 27)AMLR (EU) 2024/1624 Art 27 (temporary measures for customers subject to UN financial sanctions)In forceSHOULD#707
Sanctions freeze + competent-authority notification (distinct from SAR/STR)CFSP asset-freeze regs (Reg 269/2014, 2580/2001) freeze + report-to-competent-authority duty; distinct from AMLR/AMLD6 FIU reportingIn forceSHOULD#708

FIU reporting

Beyond the SAR/STR lifecycle already tracked (#370), the FIU relationship needs a request-for-information intake with a 5-working-day SLA and AMLA ITS-conformant export schemas.

ObligationLegal basisStatusPriorityTracking
FIU request-for-information intake and 5-working-day SLA trackerAMLR (EU) 2024/1624 Art 69/72 (replies to FIU requests); AMLD6 FIU powersIn forceMUST#700

Record-keeping & data protection

Record-keeping (AMLR Art 77) and the GDPR interplay (Art 76) require a retention-clock scheduler with enforced deletion at expiry, legal-hold overrides, purpose-limitation on AML-collected personal data, and lawful-basis records — the deletion half of the immutable-audit-trail requirement.

ObligationLegal basisStatusPriorityTracking
Retention-clock scheduler + enforced personal-data deletion at expiryAMLR (EU) 2024/1624 Art 77(3)In forceMUST#689
Retention legal-hold / extension override on the deletion schedulerAMLR (EU) 2024/1624 Art 77(3) subpara 2 and Art 77(4)In forceMUST#690
AML data-processing notice + lawful-basis record per subjectAMLR (EU) 2024/1624 Art 76(1)(a)In forceSHOULD#691
Purpose-limitation enforcement on AML-collected personal dataAMLR (EU) 2024/1624 Art 76 (purpose limitation)In forceSHOULD#692
Legal-status classification of adverse-media / criminal-record hits (allegation vs conviction)AMLR (EU) 2024/1624 Art 76(2)In forceSHOULD#693
Transfer-basis + processing-locality record for AML personal dataAMLR (EU) 2024/1624 Art 76 read with GDPR (EU) 2016/679 Chapter VIn forceCOULD#694

Governance, controls & training

Internal governance (AMLR Art 9–16) becomes software: a policy-management module with tiered approval and dissemination tracking, a compliance-function role registry, an AMLCO dashboard with the annual report, training records, and group-level policy propagation.

ObligationLegal basisStatusPriorityTracking
Policy management module with tiered approval, versioning and dissemination trackingAMLR Art 9(1)-(3), esp. Art 9(2)(a) ten elements and Art 9(3) approval levels; AMLA guidelines mandate (by 10 July 2026) on proportionality/audit alternativesIn forceMUST#673
Compliance-function role registry with appointment records and independence attestationsAMLR Art 11(1)-(7)In forceMUST#674
AMLCO dashboard + auto-generated annual compliance reportAMLR Art 11(2) (annual report on implementation and outcomes)In forceSHOULD#675
Training records ledger tied to compliance rolesAMLR Art 9(2)(a)(x) training policy; Art 13 (training and awareness of employees)In forceSHOULD#676
Independent-audit findings & remediation trackerAMLR Art 9(2)(b)/(3) independent audit function; AMLA guidelines (due 10 July 2026) on when the external-expert alternative appliesGuideline draftSHOULD#677
Group hierarchy with policy propagation and group-level compliance roleAMLR Art 16(1)-(4); AMLA RTS mandate on group-wide policies and minimum standards / intra-group information sharingRTS/ITS pendingSHOULD#678
Employee good-repute screening recordAMLR Art 9(2)(a)(viii) staff vetting; Art 13 employee screeningIn forceCOULD#679

Reliance & outsourcing

Reliance on third parties (AMLR Art 48–49) and outsourcing need a reliance dossier (import another obliged entity's CDD as relied-upon evidence), a reliance-agreement register with a 5-working-day underlying-document retrieval SLA, an outsourcing register with supervisor notification, and enforcement that risk-profile and onboarding/SAR decisions are never outsourced.

ObligationLegal basisStatusPriorityTracking
Non-outsourceable-decision enforcement: keep risk-profile & onboarding/SAR decisions inside the obliged entityAMLR (EU) 2024/1624 Art 18(3) (non-outsourceable/decision-sovereignty tasks)In forceMUST#695
Third-party reliance dossier: import & attribute another obliged entity's CDD as relied-upon evidenceAMLR (EU) 2024/1624 Art 48-49 (general provisions + process of reliance); Art 50 AMLA guidelines mandateIn forceSHOULD#696
Reliance agreement register + 5-working-day underlying-document retrieval SLA trackerAMLR (EU) 2024/1624 Art 49 (5-working-day transmission deadline; written agreement requirement; retained liability)In forceSHOULD#697
Outsourcing register + pre-start supervisor-notification workflowAMLR (EU) 2024/1624 Art 18(1)-(2) (outsourcing, prior supervisor notification, service provider treated as part of obliged entity); Art 18 AMLA guidelines by 10 Jul 2027In forceSHOULD#698
Sub-processor / service-provider geography attestation for outsourced AML tasksAMLR (EU) 2024/1624 Art 18 (third-country service-provider restriction)In forceCOULD#699

Crypto / CASP / Travel Rule

Atlas serves CASPs, so crypto obligations are in-scope: self-hosted-wallet ownership verification, blockchain-analytics on-chain screening, the anonymity-enhancing-coin/anonymous-account prohibition, crypto correspondent (Art 37) EDD, and the Travel Rule (TFR (EU) 2023/1113).

ObligationLegal basisStatusPriorityTracking
Self-hosted wallet ownership verification + wallet-as-entity in ontologyTFR (EU) 2023/1113 Art 14-16 + EBA/GL/2024/11; AMLR (EU) 2024/1624 Art 79In forceMUST#669
Blockchain-analytics wallet-address & on-chain risk screeningAMLR (EU) 2024/1624 Art 79 (risk factors); TFR (EU) 2023/1113 counterparty/risk provisions; EBA/GL/2024/11In forceMUST#670
Anonymity-enhancing-coin / anonymous-account prohibition flag on CASP product profileAMLR (EU) 2024/1624 Art 79In forceSHOULD#671
Counterparty / respondent CASP due-diligence assessment (Art 37 crypto correspondent EDD)TFR (EU) 2023/1113 (counterparty assessment); AMLR (EU) 2024/1624 Art 37 (crypto correspondent EDD)In forceSHOULD#672

Risk-assessment methodology

Risk assessment (AMLR Art 10/20) needs a BWRA methodology engine (inherent → controls → residual, AMLA's four-band scoring), an SNRA/NRA findings registry as a scoring input, a controls-quality repository, and per-sector inherent-risk libraries.

ObligationLegal basisStatusPriorityTracking
BWRA methodology engine (inherent → controls → residual, AMLA four-band scoring)AMLR (EU) 2024/1624 Art 10(1)-(2); AMLA draft Guidelines under Art 10(4) (MR1-MR4)Guideline draftMUST#701
SNRA/NRA structured findings registry as risk-scoring inputAMLR Art 10(1); AMLD6 (EU) 2024/1640 Art 7 (SNRA) and Art 8 (NRA)In forceMUST#702
Controls-quality (design vs implementation) evidence repository feeding residual riskAMLR Art 10; AMLA draft BWRA Guidelines MR3Guideline draftSHOULD#703
Per-sector inherent-risk indicator libraries for tenant sector profilesAMLR Art 10; AMLA draft BWRA Guidelines MR2 (RTS Art 40(2) data points)Guideline draftSHOULD#704

AMLA RTS/ITS tracking

Two obligations track the moving regulatory target itself: AMLA ITS-conformant reporting schemas, and an RTS/guideline version registry bound to the rule engine so a rule change is traceable to the instrument that required it.

ObligationLegal basisStatusPriorityTracking
AMLA ITS-conformant SAR/STR export schemaAMLR (EU) 2024/1624 Art 69(3) — ITS on SAR/STR reporting format; consultation closing / final draft Q4 2026, applies from 10 July 2027RTS/ITS pendingMUST#661
RTS/guideline version registry bound to rule engineAMLAR (EU) 2024/1620 mandates + AMLR Art 28(1)/19(9)/20(3)/26(5)/69(3) delivery timeline 2025-2027; AMLR application date 10 July 2027RTS/ITS pendingSHOULD#662

Relationship to the rest of the roadmap

These obligations are the breadth dimension; the AMLA ongoing-monitoring roadmap is the depth dimension on Article 26. Together with the EBA / AMLR compatibility design and the AMLR compliance milestone (#271–#284), they form the compliance-by-design target Atlas builds toward ahead of the AMLR's 10 July 2027 application date.