Once finalized, these standards will set the framework for compliance across the EU and are expected to bring significant changes for all AML-obliged entities. Our article provides a focused analysis of the RTS, outlining the key points and potential impacts for stakeholders.
The regulatory steps
Following the publication of the AML Package, the EU Commission issued a Call for Advice to the European Banking Authority (EBA). The Call for Advice is a formal request from the European Commission for technical input on developing regulatory technical standards and guidelines, which are necessary for the implementation of the regulations and directive. As part of this mandate, on March 6, 2025, the EBA opened a Consultation asking the relevant stakeholders to comment on the EBA’s RTS. The deadline for submitting comments is scheduled for June 6, 2025, with the submission of the final RTS to the EU Commission due by October 31, 2025. After this, the RTS will become part of the AML Package and be enforceable across the EU.
In particular, the EBA was requested to develop the RTS on four distinct matters:
1. Risk profile assessment
On this aspect, the RTS envisage the introduction of a harmonized scoring methodology for assessing and classifying the inherent and residual risk profiles of obliged entities across the EU. This methodology requires supervisors to use a single set of data points and objective indicators, minimizing subjective assessments and leaving no room for self-assessment by the entities themselves. The process involves three steps: assessing inherent risk, evaluating the quality of AML/CFT controls, and determining the residual risk profile. The scoring system is designed to be flexible, allowing for justified adjustments by supervisors within strict parameters, and ensures that residual risk can never exceed inherent risk. This harmonization aims to make risk assessments comparable across member states, reduce compliance costs for cross-border institutions, and enable supervisors to focus resources on higher-risk entities.
2. Selection of supervised entities
The EBA will establish a clear, quantitative materiality threshold to determine when a financial institution’s cross-border activities under the freedom to provide services are significant enough to count towards eligibility for direct supervision by the new Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). The first requirement is that the obliged entity is operating in at least six member states, including the home state. Specifically, an entity is materially operating in a member state if it has more than 20,000 resident customers or if the value of transactions exceeds EUR50 million in that state—either threshold suffices.
The RTS also align the risk assessment methodology for selection with the harmonized approach used for entity-level risk assessments, ensuring consistency and comparability.
For group-wide assessments, a weighted average method is introduced to reflect the relative importance and risk of each group entity, preventing lower-risk entities from diluting the group’s overall risk score.
Transitional rules limit the use of supervisory judgment (meaning use of discretion in connection with the expert knowledge of the entity) in the first selection round to ensure comparability.
3. Customer due diligence
The most significant addition in this RTS is the detailed specification of the information and documentation that obliged entities must collect for standard, simplified, and enhanced customer due diligence (CDD), as well as the harmonization of verification methods across the EU.
The RTS introduce a principles-based, risk-sensitive approach that balances prescriptive requirements with flexibility, notably allowing for alternative robust means of online identity verification when eIDAS-compliant solutions are not available.
It also clarifies the application of new CDD standards to existing customers, introducing a risk-based transition period of up to five years, with priority given to higher-risk relationships.
The RTS further detail requirements for understanding complex ownership structures, beneficial ownership verification, and sector-specific simplified due diligence measures, aiming to reduce regulatory arbitrage and foster a level playing field.
4. Penalties, administrative measures, and periodic penalty payments
The fourth RTS presented by the EBA addresses the risks faced by obliged entities if they fail to comply with the AML package. It provides specific indicators for supervisors to determine the severity of breaches, including duration, repetition, and impact. Breaches are classified into four categories of severity, influencing the penalties or administrative measures imposed.
Notable additions include the possibility of reduced penalties for cooperation with authorities and effective remedial actions. Conversely, lack of cooperation can result in higher penalties. Administrative measures, such as business operation restrictions or changes in governance structure, are applied only for severe breaches (category three or four).
The RTS outlines the process for imposing periodic penalty payments on breaching entities. Supervisors must submit a detailed statement justifying the imposition, allowing the entity responsible to make written submissions. Periodic penalties can be set on a daily, weekly, or monthly basis and are enforced only for the period of non-compliance.
Conclusions
The RTS signal a fundamental transformation in the EU’s anti-money-laundering landscape, moving beyond incremental compliance to establish a unified supervisory framework. This is not simply regulatory housekeeping—it is a redefinition of the rules of engagement between financial institutions and supervisors, with the EBA setting a new standard for transparency, accountability, and operational rigor.
For obliged entities, the current consultation period is a critical juncture. It is the final opportunity to shape requirements that will define competitive positioning, operational models, and technology investments for years to come. The harmonized risk-profiling methodology will favor those who can demonstrate robust, data-driven controls, while exposing any lingering weaknesses in governance or infrastructure. The new materiality thresholds for AMLA supervision, though seemingly modest, will have far-reaching implications for cross-border strategy and demand a proactive, holistic approach to compliance planning. The harmonized customer due diligence regime is a catalyst for operational excellence. Early adopters will not only ensure compliance but also gain efficiencies, build client trust, and set the pace for innovation in the market. The revised penalties framework further raises the stakes, rewarding genuine remediation and making half-measures increasingly costly.
Although the AML Package will not be fully operational until July 2027, the benefits of early alignment—ranging from process efficiencies to enhanced supervisory relationships—will accrue much sooner. As the regulatory landscape continues to evolve, we will provide further analysis and guidance once the final stage of the regulation is reached.
