AMLA held its 2 July 2026 hearing on draft ongoing monitoring guidelines under Article 26(5) AMLR. What the CDD and transaction rules change, and by when.
Table of contents
On 2 July 2026 the EU's Anti-Money Laundering Authority held a public hearing on its draft AMLA ongoing monitoring guidelines, the first pan-European standard for how obliged entities keep customer records current and watch transactions. Published on 3 June under Article 26(5) of the AML Regulation, the consultation runs to 3 September, with final text due in Q4 2026.
- AMLA published draft guidelines on ongoing monitoring of a business relationship on 3 June 2026 and held its public hearing on 2 July 2026.
- The legal basis is Article 26(5) of Regulation (EU) 2024/1624, the AML Regulation that applies directly across all 27 Member States from 10 July 2027.
- The guidelines have three parts: cross-cutting general principles built on proportionality and technological neutrality, Guideline 1 on keeping customer information up to date, and Guideline 2 on transaction and activity monitoring.
- The consultation closes on 3 September 2026 and the final guidelines are due in Q4 2026, roughly nine months before the rules bite.
- AMLA drew on input from data protection experts, and on 1 July 2026 it and the European Data Protection Board announced joint guidelines on data-sharing partnerships under Article 75 of the AML Regulation.
What did AMLA publish on ongoing monitoring?
AMLA published its draft AMLA ongoing monitoring guidelines for consultation on 3 June 2026 and held a public hearing on 2 July 2026, from 10:00 to 12:00 CEST. The text sets out how firms should keep customer files current and monitor transactions once a relationship is live. AMLA calls this work a core duty: "Ongoing monitoring is an integral component of customer due diligence," its consultation paper states.
The guidelines rest on Article 26(5) of Regulation (EU) 2024/1624, the AML Regulation, which directs AMLA to specify how obliged entities perform ongoing monitoring in a way that is proportionate to risk. They are horizontal, meaning the same principles apply to banks, crypto-asset service providers, and newly covered non-financial firms alike. The consultation closes on 3 September 2026, and AMLA will issue the final version in Q4 2026.
| Milestone | Date | Source |
|---|---|---|
| Consultation opens | 3 June 2026 | AMLA |
| Public hearing | 2 July 2026 | AMLA |
| Consultation closes | 3 September 2026 | AMLA |
| Final guidelines issued | Q4 2026 | AMLA |
| AML Regulation applies | 10 July 2027 | Regulation (EU) 2024/1624 |
How is the draft structured?
The draft has three parts. A set of general principles, built on proportionality and technological neutrality, applies across both guidelines and ties monitoring back to the business-wide risk assessment. Guideline 1 then covers keeping customer documents, data, and information up to date. Firms must run both periodic reviews, timed by the customer's risk level, and event-driven reviews triggered by a change such as a new product, a new beneficial owner, or a sanctions development. AMLA anchors periodic review to Article 26(2) of the AML Regulation and stresses that a fixed calendar cadence is not always the right answer.
Guideline 2 governs transaction and activity monitoring: how obliged entities design, implement, and test the systems that flag unusual behaviour. AMLA accepts manual, automated, or semi-automated approaches, and explicitly allows advanced analytical tools, including artificial intelligence, provided there is "effective human oversight, where needed". The draft ties both disciplines back to the business-wide risk assessment and to sound governance, documentation, and staff training. It also asks firms to weigh the risk that a customer is evading targeted financial sanctions.
What changes for your CDD and monitoring obligations?
The guidelines convert general duties into concrete, testable expectations. Map them to the obligations you already run.
Customer due diligence under Article 20 gains a clearer maintenance layer: your file is not "done" at onboarding, and you must evidence why each review cadence fits the customer's risk. Periodic reviews under Article 26(2) need a documented basis, not a blanket annual sweep. Event-driven reviews must have defined triggers and a workflow that updates the record, not just a flag.
Transaction and activity monitoring must be designed, calibrated, and tested, with escalation paths that feed suspicious activity reporting to your national Financial Intelligence Unit. Sanctions and PEP screening stay in scope, because the draft treats sanctions-evasion signals as part of ongoing monitoring rather than a separate silo. Record-keeping expectations tighten around governance and model documentation, since supervisors will expect to see how an automated tool reached its output. For firms newly in scope, such as certain crypto-asset service providers and traders in high-value goods, this is a first full monitoring framework, not an upgrade.
What is still uncertain about the AMLA ongoing monitoring guidelines?
Several points remain open, and they carry real cost. Proportionality is the headline promise, but the gap between a proportionate design and what a supervisor accepts on inspection is where disputes will land. Smaller and newly covered entities may lack the data and tooling to run event-driven reviews well, and building that capability is not cheap.
The timing is awkward. The final AMLA ongoing monitoring guidelines are due in Q4 2026, yet the AML Regulation itself applies from 10 July 2027, so firms must build against text that could still shift after the 3 September consultation deadline. The privacy tension is unresolved too: richer monitoring means holding and processing more personal data, exactly as AMLA and the European Data Protection Board begin joint work on data-sharing partnerships under Article 75, with their own consultation due in the first half of 2027. Using AI for monitoring adds model-governance and human-oversight burdens that many teams have not staffed for. None of this is fatal, but treating the draft as final would be a mistake.
How does this compare across the EU and to current practice?
Today, ongoing monitoring is governed by 27 national transpositions of the AML directives, supported by European Banking Authority guidelines. Practice varies widely, and a group operating in several Member States often runs different review cadences in each. The AML single rulebook replaces that patchwork with one directly applicable standard, and AMLA's guidelines are the interpretive layer on top.
| Dimension | Current AMLD regime | AMLR plus AMLA guidelines |
|---|---|---|
| Legal form | Directive, transposed nationally | Regulation, directly applicable |
| Ongoing monitoring rules | Fragmented per Member State | Single EU standard, Article 26 |
| Periodic reviews | National practice, EBA guidance | Article 26(2) plus AMLA detail |
| Technology stance | Varied national expectations | Technology-neutral, AI with oversight |
| Scope | Mainly financial sector | All obliged entities, phased to 2029 |
The shift matters most for cross-border groups, which can converge on one operating model, and for sectors entering AML supervision for the first time. Because the AMLA ongoing monitoring guidelines are horizontal, a fintech, a law firm, and a crypto exchange will read the same core expectations, even if the intensity of monitoring differs by risk.
How should compliance teams respond?
Start by reading the draft against your current monitoring policy and logging every gap, then decide whether to respond to the consultation before 3 September 2026. Re-examine your periodic review cadence and write down the risk rationale for each tier. Define your event-driven triggers explicitly, and confirm they actually update the customer record rather than just raising an alert. Test your transaction monitoring calibration and document how any automated or AI component is governed and overseen. Revisit your customer due diligence file structure so updates are evidenced, and reconcile richer monitoring with data-minimisation, a theme we cover in balancing privacy and compliance. Recent cases such as Merrill's SAR monitoring penalty show how calibration failures become enforcement.
Zyphe helps on the maintenance layer that these guidelines put front and centre. A reusable KYC credential lets a customer re-present verified attributes when an event-driven review is triggered, and the data-minimising, decentralised design keeps less personal data sitting in one place while still evidencing current, verified information. See how Zyphe works or book a demo to walk through the fit.
The bottom line
The EU is moving ongoing monitoring from a fragmented, directive-based practice to a single, directly applicable standard, and the AMLA ongoing monitoring guidelines are the working manual for it. The direction is clear even though the text is not final: evidence your review cadences, define your triggers, test and govern your monitoring, and reconcile all of it with data protection. Teams that treat the maintenance of customer files as a continuous, well-documented process, rather than a one-off at onboarding, will adapt to the AML single rulebook with the least friction.
Cited sources
- AMLA, consultation on draft Guidelines on ongoing monitoring of a business relationship
- AMLA, consultation paper under Article 26(5) AMLR (PDF)
- AMLA, public hearing on the draft Guidelines, 2 July 2026
- Regulation (EU) 2024/1624 (AML Regulation), Article 26, EUR-Lex
- EDPB and AMLA to develop joint guidelines on partnerships for information sharing, 1 July 2026
Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.