The AMLR (Regulation 2024/1624)[1] applies from 10 July 2027 — fourteen months from now. The CASPs that will navigate cleanly are not the ones who plan a six-week scramble in Q2 2027. They are the ones running a structured 12-month readiness programme starting now, treating AMLR as the largest AML regulatory shift in a decade rather than as a transposition exercise.

AMLR is a directly applicable single rulebook — not a directive that NCAs transpose with national variations. The substance of the rules tightens, the supervisory perimeter expands, and selected CASPs come under direct supervision by the new Authority for Anti-Money Laundering (AMLA). The programme that gets you ready is not a policy refresh; it is a re-architecting of the entire AML function.

This guide covers the seven AMLR deltas that drive most rework, the month-by-month programme structure for the next 12 months, AMLA selected-entity risk, governance during the readiness window, and the realistic resource envelope.

What AMLR changes vs the AMLD-era programme

The first thing to internalise: AMLR is not 7AMLD. It is a different legal instrument with different consequences. AMLDs were directives — each NCA transposed them, each transposition varied, each CASP could maintain a programme calibrated to its single home NCA. AMLR is a regulation — directly applicable, identically, in all 27 member states. A CASP serving customers in multiple member states no longer faces 27 transpositions; it faces one rulebook. That is structurally simpler and, in practice, harder.

The second thing: AMLA introduces direct EU supervision of selected entities. CASPs above scale thresholds and operating in multiple member states are candidates for selection. The supervisory cadence under AMLA is materially deeper than most NCAs run today — closer to ECB SSM banking supervision than to CASP authorisation diligence.

The seven AMLR deltas that drive most rework

1. Self-hosted wallet rules

AMLR Articles 79–80 prescribe controls on transfers to and from self-hosted wallets above €1,000 — verification of customer ownership of the receiving wallet, risk-scoring of the address, enhanced verification where the wallet is unverifiable. The substance bar is significantly higher than the current EBA guidance and demands platform-engineering work, not a policy update.

2. Single rulebook (no more local transpositions)

CASPs operating in multiple member states inherit a single AML programme that satisfies all NCAs simultaneously. In practice this means raising the floor to the strictest member state and removing variation that exists today between, say, Germany and Lithuania.

3. CDD threshold tightening

AMLR drops the threshold for occasional-transaction CDD from €15,000 to €1,000 for crypto — and abolishes the €1,000 occasional-transaction exemption for many use cases entirely. The result: effectively all crypto CASP customers fall into full CDD. Simplified-due-diligence patterns that work today break.

4. UBO transparency

AMLR tightens UBO identification — including a 25% threshold lowered to 15% in some structured-finance contexts, and requirements to identify natural persons exercising control through means other than ownership. Customer onboarding flows for B2B accounts require deeper structural diligence with documented evidence trails.

5. EDD on third countries

Customers from high-risk third countries trigger mandatory EDD with prescribed elements. The list is published by the Commission and updated periodically. CASPs with cross-border B2C books need automated geographic risk scoring and an EDD pathway that can be evidenced to a supervisor on demand.

6. Crypto-specific provisions

Mixers, anonymising services, and privacy-coin policies are codified for the first time. Travel Rule alignment to FATF Recommendation 16[2] hardens. CASPs need an explicit, deterministic policy on each, with documented decision trees.

7. AMLA direct supervision

The AMLA Regulation[3] creates a new EU-level supervisor. Selected entities — including CASPs above scale and cross-border thresholds — come under direct AMLA supervision. The cadence, depth, and tone of supervision are materially harder than under most NCAs.

The 12-month programme: month-by-month

Months 1–3: Gap analysis

Map the current programme module-by-module against AMLR articles. Score each module: green (already compliant), amber (needs material rework), red (does not exist). Identify the people, infrastructure, and budget needed to close the red items. Output: a prioritised remediation plan with named owners and target dates.

Months 4–6: Policy and framework refresh

Rewrite the AML policy stack from the AMLR rulebook outward — not from the existing policy with AMLR amendments stapled on. Customer risk model recalibrated, EDD triggers updated, transaction-monitoring rules tuned to the lower thresholds, sanctions screening uplifted, self-hosted wallet policy operationalised. Board approval of the refreshed framework.

Months 7–9: Infrastructure and tooling

The expensive phase. Onboarding flow re-engineered for the new CDD thresholds. Self-hosted-wallet verification stack built or licensed. Travel Rule provider re-confirmed for AMLR alignment. Geographic risk scoring automated. Transaction monitoring rules retuned and re-baselined against AMLR-era expected volumes. Training delivered.

Months 10–12: Supervisory engagement and AMLA-readiness

Pre-emptive supervisory dialogue with the home NCA. Independent AML audit (see article #12). Self-assessment against AMLA selected-entity criteria. Mock inspection. Board attestation of AMLR readiness with documented evidence packs ready for first-day inspection.

AMLR readiness — 12-month programme structure.

Phase | Months | Key deliverables
Gap analysis | 1–3 | Module-by-module AMLR mapping; remediation plan; resource ask
Policy refresh | 4–6 | Rewritten policy stack; risk model recalibration; board approval
Infrastructure | 7–9 | Onboarding rebuild; self-hosted-wallet stack; TM retuning; training
Supervisory engagement | 10–12 | NCA dialogue; external audit; AMLA self-assessment; mock inspection
Buffer + go-live | Q2 2027 | Final remediation; AMLR application 10 July 2027

AMLA selected-entity risk

AMLA will directly supervise a list of selected obliged entities. The selection criteria privilege scale, cross-border footprint, and inherent risk profile. CASPs operating in 6+ member states or above customer-volume / transaction-volume thresholds are candidates. The selected list is finalised in 2027.

For selected entities, AMLR is a different proposition. AMLA conducts:

  • Annual on-site inspections by joint supervisory teams (similar to ECB SSM banking model).

  • Continuous off-site monitoring with mandatory reporting cadence.

  • Direct enforcement powers — fines up to 10% of annual turnover.

  • Coordination with NCAs but with AMLA as primary point of contact.

If your CASP is on the selected list, the readiness programme expands into a two-supervisor operating model with AMLA as primary and the home NCA as secondary. Plan headcount and tooling accordingly.

Programme governance during the readiness window

AMLR readiness is a board-level programme, not a compliance side-project. The minimum governance:

  • Named executive sponsor (typically the CCO or COO).

  • Monthly steering committee with the MLRO, CTO, Head of Onboarding, internal audit.

  • Quarterly board update with phase-gate progress.

  • Independent challenge from a retained adviser or internal audit.

  • Documented evidence pack — every decision recorded, every rationale captured.

AMLR vs current AMLD-era programme — the seven deltas summarised.

Delta | Current state | AMLR state
Self-hosted wallet | EBA guidance only | Prescriptive Articles 79–80; €1,000 verification trigger
Rulebook | 27 transpositions | Single rulebook, directly applicable
CDD thresholds | €15,000 occasional | €1,000 effectively for crypto
UBO | 25% baseline | 25% baseline + control-other-than-ownership
Third-country EDD | NCA-driven | Commission-published high-risk list
Crypto provisions | Fragmented | Codified — mixer, privacy coin, Travel Rule
Supervision | NCA only | NCA + AMLA direct (selected entities)

Frequently Asked Questions

Is 12 months really enough?

For most CASPs running a credible programme today, yes — provided the 12 months are structured. For CASPs starting from a low base (junior MLRO, generic templates, fragmented infrastructure), 12 months is the floor and 18 months is more realistic. Either way, do not start in Q1 2027.

Will my home NCA help with AMLR readiness?

NCAs are issuing guidance and many run pre-AMLR thematic reviews. Engage actively. The EBA[4] publishes consolidated guidance that aligns NCA expectations during the transition.

What if I'm a small CASP unlikely to be AMLA-selected?

AMLR applies in full regardless of size. Direct AMLA supervision is the differentiator, not the rulebook. A small CASP must still meet the same AMLR substance bar; only the supervisory cadence differs.

How much should the programme cost?

Mid-stage CASP (€10–€100M revenue): €500,000–€1.2M all-in for the 12-month programme, including external advisers, infrastructure, additional headcount, and external audit. Larger CASPs scale up; smaller CASPs scale down but rarely below €250,000.

What's the single biggest mistake to avoid?

Treating AMLR as a documentation exercise. The substance changes — particularly self-hosted wallet rules and CDD thresholds — drive platform engineering work. Firms that try to comply by rewriting policies in 2027 without re-engineering onboarding, monitoring, and customer-facing controls miss the deadline operationally even when the documents are ready.


AMLR is not a deadline you can run a sprint at. It is a twelve-month re-architecting of the entire AML function — policy, infrastructure, supervision, governance. The CASPs that meet 10 July 2027 cleanly are the ones that started in 2026 with phase gates, board accountability, and an honest gap analysis. The ones that wait will spend Q2 2027 in remediation and the rest of the year managing supervisory consequences.

Footnotes & Citations

  1. Regulation (EU) 2024/1624 of the European Parliament and of the Council on the prevention of the use of the financial system for money laundering or terrorist financing (AMLR), OJ L, 19.6.2024.

  2. Financial Action Task Force — Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (2021).

  3. Regulation (EU) 2024/1620 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), OJ L, 19.6.2024.

  4. European Banking Authority — AMLR transitional guidance and supervisory expectations.
