
Compliance with the new anti–money laundering rules – deadlines, required steps and newly covered entities

Opinion article by Laura Lică-Banu, Director, Advisory, Forensic – Financial Crime, Deloitte Romania, and Cătălin Chibzui, Managing Associate, Reff & Associates | Deloitte Legal

Money laundering methods have become increasingly dynamic, sophisticated and harder to delimit geographically, as funds move rapidly across jurisdictions, digital platforms, opaque corporate structures and high‑value assets (luxury goods, real estate, works of art, etc.). Against this backdrop - which amplifies global risks and complicates supervision - the European Union has intervened through Regulation (EU) 2024/1624 (AML Regulation/AMLR) on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AML/CFT), introducing a common standard intended to harmonize requirements across the Single Market.

The AML Regulation shall apply directly in all Member States, including Romania, and obliged entities must reach a level of readiness equivalent to that expected in an audit (ready‑to‑audit) at least six months before July 1, 2027. This is to ensure sufficient time to test systems, remediate deficiencies and stabilize procedures ahead of the regulation’s application date.

Implementation handbook – currently being finalized

In addition to the “level‑one” rules set out in the AML Regulation, operational details will be calibrated through “level‑two” instruments developed by AMLA (the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism). AMLA is required to develop, by July 10, 2026, Regulatory Technical Standards (RTS) and implementation guidelines that will directly influence how internal processes, collected data and applicable thresholds are designed.

These include standards on customer due diligence (CDD) measures - article 28(1) AMLR - clarifying what information and documents must be collected for risk‑based CDD. AMLA will also set criteria regarding the business relationship with the customer, occasional transactions and linked transactions - article 19(9) AMLR. In addition, AMLA will develop standards on group‑level requirements and measures for branches/subsidiaries in third countries - articles 16(4) and 17(3) AMLR.

Finally, AMLA will issue guidelines on the minimum content requirements for the entity‑level risk assessment and on additional sources of information that should be considered when performing the Business‑Wide Risk Assessment - article 10(4) AMLR.

New entities within the scope of AML

The AML Regulation expands the scope of obliged entities to include other higher‑risk financial and non‑financial sectors, such as the trade in precious metals and stones, high‑value goods, service providers and intermediaries for crowdfunding, operators in the field of migration by investment, football agents and professional football clubs. Reference thresholds for “high‑value goods” include, for example: jewelry/watches above EUR 10,000; vehicles above EUR 250,000; and aircraft/watercraft above EUR 7.5 million.

What actually changes?

For newly covered obliged entities, compliance will not only mean following written procedures but also implementing a functional and effective oversight framework. The minimum package includes policies/procedures and internal controls, a risk management framework, a compliance function (AML officer), training and testing employees’ AML knowledge, risk‑based Know‑Your‑Customer (KYC) measures and ongoing monitoring of business relationships, reporting to authorities, record keeping, etc. For many industries, the AML Regulation will need to be implemented at a level comparable to that of the banking and financial sector.

Moreover, to further streamline anti‑money‑laundering efforts, the AML Regulation introduces cooperation rules between the European Public Prosecutor’s Office (EPPO), Member States’ Financial Intelligence Units and the European Anti‑Fraud Office (OLAF). Information exchange is expected to facilitate both detection and the acceleration of accountability for those involved in money‑laundering schemes.

How do we prepare? Roadmap to July 1, 2027

Implementing the requirements under Regulation (EU) 2024/1624 calls for a structured, phased, risk‑based approach. A realistic roadmap to the full application date should include three main stages.

2026 – diagnostic and planning. This stage lays the foundation of the entire compliance program. Its purpose is to identify gaps between current practices and the new EU requirements; map risks (customer typologies, products, channels, jurisdictions) and recalibrate risk appetite; inventory data and flows; and assess existing controls (KYC, screening, transaction monitoring, reporting), etc. The output should be a detailed implementation plan, prioritized by risk and complexity.

Q4 2026-Q1 2027 – implementation. This is the transformation phase, when requirements are translated into operational processes and functional systems (e.g., operationalizing and automating customer onboarding and the application of CDD; implementing and calibrating screening mechanisms; improving transaction monitoring; optimizing the STR/SAR reporting process; updating the internal framework; and conducting applied training). This stage requires close coordination across business, compliance, risk and IT functions.

Before July 1, 2027 – testing and stabilization. The final stage is essential to validate the effectiveness of the implemented framework (end‑to‑end testing of AML/CFT processes, remediation of identified deficiencies, audit simulations and real internal control tests, etc.) and to ensure sustainable compliance (through performance monitoring and final adjustments). The objective is to reach a “ready‑to‑audit” level that enables the entity to demonstrate compliance not only formally, but also in practice.

In conclusion, Regulation (EU) 2024/1624 marks a shift toward a single EU regulatory system, while secondary legislation (draft RTS and AMLA guidelines) will shape the concrete way in which requirements are applied in practice. A critical point must be emphasized: delaying preparations or treating this process superficially can generate significant risks of operational non‑compliance, sanctions and reputational damage. The complexity of the new requirements, reliance on quality data, systems integration and the need for consistent application in practice make a rapid, last‑minute alignment unlikely. In this context, early preparation is no longer a competitive advantage, but an essential condition for compliance and sustainability under the new EU framework.
