What AMLR changes for customer due diligence from 2027 to 2032

11 March 2026

The AMLR is not simply the next step in European AML/CFT regulation. It marks a paradigm shift.


💡 Key Takeaways

  • AMLR replaces national interpretations with a single, directly applicable European standard.
  • New business relationships must comply with AMLR immediately from July 2027.
  • Existing portfolios have until 2032, but remediation must follow a risk-based approach.
  • Legal entity remediation is more complex and requires deeper analytical and evidentiary effort.
  • Regulators will evaluate the traceability of decisions, not just the existence of procedures.


For the first time, customer due diligence obligations will no longer rest primarily on successive national transpositions. They will be directly governed by a European regulation applicable uniformly across all Member States, supplemented by technical standards. Understanding what this means in practice starts with recognising one thing: the EU AML Package transforms customer due diligence from a principle-based obligation into a harmonised operational standard.

And for institutions still calibrating their frameworks to national interpretations, the window to adapt is shorter than it looks.

What the AMLR single rulebook changes for customer due diligence

The AMLR, as part of the new AML package, establishes a directly applicable framework across all EU member states. Institutions will no longer be able to rely on national margins of interpretation to define their compliance programmes.

In this context, customer due diligence becomes structured around harmonised requirements, particularly with respect to thresholds, simplified due diligence, and the frequency of reviews.

The thresholds triggering certain obligations are now set at the European level. Simplified due diligence remains possible, but it does not constitute an exemption. It must cover all components of CDD and be justified by a documented risk assessment. Proportionality does not remove the obligation to collect and verify information.

The frequency of updates is also clarified.

  • High-risk customers must be reviewed at least annually.
  • Low-risk customers must be re-examined at least once every five years.

These deadlines become comparable across the Union.

The question will no longer be whether a framework complies with a national interpretation. It will be whether it is aligned with a common European standard.

What AMLR means for new customer relationships from 2027

The regulation is clear: new business relationships established after the date of application must immediately comply with the AMLR framework. No adaptation period will be provided for new customers.

This means that digital onboarding processes must be fully aligned with the new requirements from 2027. Data models, controls, the structure of information, and the justification of decisions must all reflect the harmonised standard.

The alignment of new flows precedes the remediation of the existing portfolio.

The 2027–2032 transition period for existing portfolios

The regulation provides for a maximum transitional period of five years for bringing relationships established before its entry into force into compliance.

This period does not suspend the obligation. It imposes a progressive transformation, based on a risk-based approach:

  • Institutions will need to demonstrate that they have identified priority segments,
  • that they have addressed high-risk customers first,
  • and that they have a structured KYC remediation plan in place.

Remediation cannot be uniform. It must be justified. Prioritisation becomes an evidentiary element.

Why AMLR remediation is more demanding for legal entities

The compliance burden will not be homogeneous.

For natural persons, remediation will primarily focus on updating data, verifying identity attributes, and confirming the reliability of the sources used.

For legal entities, the logic is different. The upgrade may involve a re-analysis of beneficial owners, enhanced verification of ownership and control structures, and updated documentation of complex situations. The legal and structural complexity of legal entities inevitably increases the analytical and evidentiary effort.

The remediation of the existing portfolio thus becomes a differentiated exercise. Not all customers require the same level of work, and demonstrating that distinction is part of what regulators will expect to see.

AMLR and the implications for internal governance

The 2027 to 2032 transformation is not a one-off project. It requires structured oversight and a client lifecycle management approach that evolves with the portfolio over time.

Institutions will need to be able to present a mapping of their portfolio, a classification by risk level, an upgrade schedule, and progress indicators.

The documentation of trade-offs will be essential. Why was a given segment prioritised? Why was another addressed at a later stage? On what basis was the risk level determined?

In an environment where supervision is becoming more coordinated and where the liability of legal entities is reinforced by AMLD6, the absence of formalised governance constitutes a risk factor. Compliance can no longer be assessed solely on the existence of a procedure. It will be evaluated on the consistency and traceability of decisions.

Conclusion: why AMLR is a strategic turning point

The AMLR does not create a new obligation. It creates an alignment requirement.

Customer due diligence becomes a multi-year programme structured around two distinct milestones.

  1. 2027 marks immediate entry into force for new relationships.
  2. 2032 is the maximum deadline for bringing the existing portfolio up to standard.

This timeline requires organisational, technological, and documentary anticipation. The real risk is not the isolated gap. It is the absence of a demonstrable trajectory.

The transformation of customer due diligence is now European, harmonised, and progressive. Institutions that build this into their compliance strategy now will be better equipped to demonstrate not just what they have done, but where they are going.

The AMLR is not only a regulatory reform. It is an operational change of scale.
