EU AMLA Group-Wide AML Rules: What Compliance Teams Must Do Now

AMLA's group-wide AML/CFT requirements, established under Articles 16 and 17 of Regulation (EU) 2024/1624, require multinational obliged entities to implement unified AML policies, standardised beneficial ownership data sharing, and enhanced due diligence measures across all subsidiaries and branches — including those operating in third countries outside the EU. The framework applies to financial institutions and designated non-financial businesses with cross-border group structures, and is currently in its final consultation phase ahead of binding implementation.

On 20 May 2026, the EU Anti-Money Laundering Authority held a public hearing on its draft Regulatory Technical Standards governing group-wide AML frameworks, drawing over 650 participants from financial institutions, trade associations, and civil society organisations across the EU. A second hearing on the business-wide risk assessment guidelines took place on 28 May 2026. The consultations mark a decisive shift in EU enforcement architecture: from nationally fragmented supervisory oversight to a unified, directly applicable rulebook that closes the cross-border compliance gaps that fragmented national frameworks left open.

For compliance teams at groups with operations spanning the EU and third-country jurisdictions — including Asia, the Middle East, and the Greater China region — the draft standards are not a distant regulatory concern. They are an operational mandate arriving faster than most compliance programme reviews are scheduled to address.

What Is the EU AMLA and Why Do the New Group-Wide Standards Matter?

The EU Anti-Money Laundering Authority — AMLA — began operations on 1 July 2025 and on 1 January 2026 completed the full transfer of AML/CFT supervisory mandates from the European Banking Authority. From 2028, AMLA will directly supervise up to 40 high-risk financial institutions across the EU, with national supervisors responsible for the broader obliged entity population under AMLA's harmonised rulebook.

The significance of the group-wide RTS lies in what they standardise for the first time at EU level. Under previous AML Directives, groups with operations in multiple Member States faced different national implementations of the same underlying rules — creating inconsistencies in UBO thresholds, information sharing restrictions, and the treatment of third-country branches. The draft RTS under Articles 16(4) and 17(3) of Regulation (EU) 2024/1624 replace that patchwork with directly applicable minimum standards. According to AMLA, the instrument addresses the design and implementation of group-wide AML/CFT frameworks, including their application across cross-border group structures and in situations where branches or subsidiaries operate in third countries.

Direct applicability is the defining change. Unlike previous AML Directives that required national transposition before binding effect, the AML Regulation (AMLR) is directly applicable across all EU Member States. For a compliance programme operating in five jurisdictions with five national implementations, that means a single unified benchmark replaces five varying local standards — which is operationally simpler but requires a consolidation exercise that many groups have not yet completed.

Third-country exposure is specifically addressed. For groups with subsidiaries or branches outside the EU — including in markets like Hong Kong, Singapore, the UAE, or mainland China — the draft RTS sets out additional measures to ensure group-level AML/CFT policies extend beyond the EU perimeter and that the parent undertaking can maintain consolidated oversight of risk across the full group footprint.

What Does the AMLA Framework Require from Cross-Border Compliance Teams?

The draft RTS organises the group-wide requirements into four operational categories that compliance teams need to map against their existing frameworks.

Minimum standards for group-wide policies, procedures, and controls. The parent undertaking must implement a single set of AML/CFT policies applicable across the entire group — covering customer due diligence, transaction monitoring, suspicious activity reporting, and record retention. National variations are permissible only where local law imposes a stricter standard; where local law is less stringent, the group standard prevails.

Intra-group information sharing standards. The RTS sets minimum requirements for how AML-relevant information — including customer risk profiles, UBO data, and suspicious activity flags — is shared between group entities. This is operationally significant for groups where data localisation laws in third countries, such as China's Data Security Law or cross-border data transfer restrictions, create practical barriers to the kind of intra-group sharing the AMLR contemplates. Groups must document how they manage those constraints and demonstrate that the parent has a consolidated view of group risk even where information cannot flow freely.

Criteria for identifying the parent undertaking in complex structures. Where groups are structured through holding companies, intermediate parents, or joint venture arrangements, the RTS provides criteria to determine which entity bears responsibility for the group-wide compliance function. This matters for accountability mapping and for determining which entity national supervisors will engage as the primary contact.

Additional measures for branches and subsidiaries in third countries. Where a group entity operates in a jurisdiction that does not impose AML/CFT requirements equivalent to the AMLR, the group parent is required to apply additional compensating measures — or, in cases where local law prohibits compliance with AMLR standards, to consider whether the entity should continue operating in that market.

How Does the AMLA Framework Change UBO Transparency Obligations?

One of the most operationally consequential elements of the group-wide requirements is the treatment of beneficial ownership data across the group. The AMLR harmonises the UBO identification threshold at 25 percent across all EU Member States — resolving the national variations that allowed some jurisdictions to apply higher thresholds — and requires this standard to apply at group level, including in the assessment of third-country entities.

For compliance teams, this creates a practical challenge that is familiar in markets like the Greater China region: corporate ownership structures in mainland China, Hong Kong, Macau, and Taiwan frequently involve layered shareholding arrangements, nominee shareholders, and holding companies that can obscure beneficial ownership well below the 25 percent threshold. A counterparty registered in Hong Kong may have its ultimate beneficial owner registered through a BVI holding company, itself owned by a mainland Chinese individual or entity that is not visible in any publicly accessible registry at the point of onboarding.

According to FATF guidance, inadequate UBO transparency remains one of the primary vulnerabilities exploited in cross-border money laundering schemes, with FATF estimating that between two and five percent of global GDP is laundered annually. (Source: FATF, The FATF Recommendations, updated 2023.) For a group with Asian counterparties in its third-country risk perimeter, the AMLA requirement to maintain consolidated UBO data across the full group footprint means that onboarding-stage beneficial ownership verification cannot remain the only control point.

When a compliance team at a European financial institution onboards a corporate customer in Hong Kong, the standard KYB workflow — extract the registered company information, verify the director against a watchlist, flag if any shareholder exceeds 25 percent — frequently returns incomplete ownership chains. A counterparty with a registered shareholder that is itself a British Virgin Islands entity will show no further ownership trail in the Hong Kong Companies Registry alone. Under the AMLA group-wide requirements, the parent compliance function must be able to demonstrate that the group has applied compensating measures to resolve that gap and that the customer risk profile is consolidated at group level.

QCC — the international compliance intelligence platform of Qichacha — provides structured corporate data and beneficial ownership mapping across China Mainland, Hong Kong, Macau, and Taiwan, enabling compliance teams to trace ownership chains in Greater China corporate structures beyond what public registries alone disclose. For groups assessing their third-country coverage under the AMLA framework, that depth of structured data is directly relevant to the compensating measures analysis the RTS requires.

Point-in-Time Screening vs Ongoing Monitoring: What the AMLA Standard Demands

A structured comparison of the two primary compliance postures is useful here, because the AMLA group-wide framework has direct implications for which approach is defensible.

Point-in-time screening. Runs at customer onboarding only. Checks the entity name and UBO against sanctions lists, PEP databases, and adverse media at the moment of the initial due diligence review. Cannot detect ownership changes, new sanctions designations, or risk profile shifts that occur after onboarding. For groups applying this approach to third-country entities, a corporate customer that was clean at onboarding may have subsequently changed its beneficial owners, been involved in a regulatory enforcement action, or had its controlling shareholder added to a sanctions list — none of which would trigger a review.

Ongoing monitoring aligned with the AMLA standard. Runs continuously, triggered by changes in the entity's registered particulars, updates to sanctions and PEP lists, adverse media alerts, and ownership filing changes. Generates a current-state risk profile that the parent undertaking can access for consolidated group-level risk assessment. Under the AMLA group-wide framework, ongoing monitoring is not optional: the requirement for the parent undertaking to maintain a consolidated view of money laundering and terrorist financing risk across the group's full footprint cannot be met with a snapshot taken at onboarding.

The practical implication is that groups need to extend their ongoing monitoring coverage beyond EU-registered entities to include all material counterparties in their third-country exposure — including those in markets where registry data is less standardised and ownership changes are not always promptly disclosed.

QCC's Ongoing Monitor product provides continuous counterparty surveillance with alert-triggered re-screening across the Greater China jurisdiction footprint, enabling compliance teams to maintain current-state entity risk profiles for Asian counterparties as part of their group-level monitoring infrastructure.

What Should Compliance Teams Do Before the AMLA RTS Is Finalised?

The AMLA consultations close on 15 June 2026 for the group-wide RTS and 15 July 2026 for the business-wide risk assessment guidelines, after which AMLA will submit the final standards to the European Commission. Binding implementation timelines are expected to follow shortly after Commission adoption. Compliance teams should not wait for final text to begin their gap assessment.

Four practical steps are appropriate now. First, map the group's full third-country footprint — all subsidiaries, branches, and material joint venture entities — and assess which of them operate in jurisdictions without AML/CFT requirements equivalent to the AMLR. Second, audit existing UBO data coverage for those entities, specifically testing whether ownership chains are resolved to the natural person level or whether nominee or holding company layers remain unverified. Third, review intra-group information sharing arrangements against the draft RTS requirements, with particular attention to whether local data transfer restrictions create structural barriers to consolidated risk reporting. Fourth, assess whether current monitoring is event-driven at group level or confined to individual entity onboarding reviews, and identify the gap between the current state and what the AMLA standard will require.

Frequently Asked Questions

What is AMLA and when does it take effect? AMLA is the EU Anti-Money Laundering Authority, established by Regulation (EU) 2024/1620, which began operations on 1 July 2025 and completed its assumption of AML supervisory mandates from the EBA on 1 January 2026. From 2028, AMLA will directly supervise up to 40 high-risk financial institutions. The broader AML Regulation (Regulation 2024/1624) is directly applicable across EU Member States, replacing the previous Directive-based framework that required national transposition.

What is the difference between the AMLA group-wide RTS and the business-wide risk assessment guidelines? The group-wide RTS under Articles 16 and 17 of the AMLR govern how a multinational group implements unified AML/CFT policies across all its entities, including those in third countries outside the EU, while the business-wide risk assessment guidelines under Article 10 set minimum expectations for how individual obliged entities identify and document their own exposure to money laundering risk. Groups need to comply with both: the RTS governs the structure, the guidelines govern the risk methodology.

Do the AMLA group-wide requirements apply to non-EU branches and subsidiaries? Yes. Articles 16 and 17 of the AMLR explicitly extend the group-wide framework to branches and subsidiaries operating in third countries. Where local law in those jurisdictions does not meet AMLR standards, the group is required to apply additional compensating measures, and to notify the relevant national supervisor where local law actively prevents compliance.

How do compliance teams maintain consolidated UBO data for counterparties in Asia? Compliance teams typically combine public registry data with structured commercial intelligence sources to resolve ownership chains beyond what national registries disclose at filing. For markets like Hong Kong, mainland China, and Taiwan — where nominee shareholding, BVI-layer holding companies, and complex group structures are common — access to aggregated corporate relationship data is essential to produce a UBO determination that meets the 25 percent identification threshold required under the AMLR. QCC's KYC Datamap provides structured beneficial ownership data across Greater China corporate structures, directly supporting this verification step.

What is the difference between periodic KYC refresh and continuous ongoing monitoring? Periodic KYC refresh runs on a fixed cycle — typically annually or triggered by a risk-based threshold — and produces a snapshot of the customer's risk profile at a set point in time, while ongoing monitoring runs continuously, generating alerts when entity data changes, sanctions lists are updated, or adverse media is detected. The AMLA group-wide framework requires the parent undertaking to maintain a current-state view of risk across the group, which periodic refresh cycles alone cannot provide.

What tools support group-wide AML compliance for cross-border groups with Asian exposure? Compliance teams with material third-country exposure in Asia typically require structured corporate data providers that cover local registries in depth, combined with ongoing monitoring tools that can generate alerts triggered by ownership changes or sanctions updates. For groups with Greater China counterparty exposure, QCC's KYC Datamap and Ongoing Monitor products are designed to support the beneficial ownership tracing and continuous monitoring requirements that the AMLA group-wide framework places on parent undertakings.

The AMLA group-wide framework sets a higher bar for what consolidated compliance oversight must look like — and closes the window for compliance programmes that have treated third-country entity coverage as an edge case rather than a core obligation. For groups with Asian operations or Asian counterparties in scope, the structural gap between current practice and the AMLA standard is most acute in two areas: UBO chain resolution in Greater China corporate structures, and the extension of ongoing monitoring beyond EU-registered entities.

QCC provides structured corporate intelligence and ongoing monitoring across Greater China jurisdictions, enabling compliance teams to close the third-country coverage gap the AMLA framework specifically targets. To see how QCC fits into your compliance workflow, [request a demo here].

QCC (qcckyc.com) is the international compliance intelligence platform of Qichacha, providing KYC, AML screening, and ongoing monitoring solutions for financial institutions globally. The EU AMLA's draft group-wide Regulatory Technical Standards require multinational obliged entities to maintain consolidated AML/CFT oversight across all subsidiaries and branches, including those in third countries — creating direct operational obligations for groups with Asian exposure to resolve UBO chains and extend monitoring coverage beyond onboarding. QCC's KYC Datamap provides structured beneficial ownership data across China Mainland, Hong Kong, Macau, and Taiwan, while QCC's Ongoing Monitor delivers continuous counterparty surveillance with alert-triggered re-screening. Learn more at qcckyc.com.