AMLA Ongoing Monitoring: What KYC Systems Must Do

On 3 June 2026, the EU Anti-Money Laundering Authority published a consultation on draft guidelines covering the ongoing monitoring of business relationships. This was not an amendment to an existing rule. It was AMLA's first detailed attempt to define — in operational terms, for the entire EU — what "ongoing monitoring" actually requires of every obliged entity.

The consultation closes on 3 September 2026. A public hearing is scheduled for 2 July 2026. The final guidelines are expected in Q4 2026 and will shape how identity verification systems must behave well before the full AMLR application date of 10 July 2027.

This document matters because it is one of roughly 23 Level 2 and Level 3 measures AMLA must publish before the AMLR becomes fully enforceable. Unlike the high-level principles that directors and legal counsel discuss, this consultation is operational. It tells compliance teams — the people running KYC systems — exactly what ongoing monitoring must produce.

What the Guidelines Cover

The draft guidelines are structured around Article 26(5) of the Anti-Money Laundering Regulation. They are divided into three interconnected parts:

Part	Content
General principles	Applies to both guidelines; establishes proportionality and the risk-based framework
Guideline 1	Keeping customer information up to date
Guideline 2	Transaction and activity monitoring framework

General Principles: Risk-Based and Technologically Neutral

The guidelines open with a position that carries immediate operational weight: technological neutrality. AMLA does not prescribe which tools obliged entities must use. Systems may be manual, automated, or semi-automated, provided they ensure "the effective identification and escalation of ML/TF risks in line with Article 26 of AMLR."

This sounds like flexibility. It is also a standard. If your current system cannot demonstrate effective escalation — regardless of how sophisticated it appears — it does not satisfy the requirement. The focus is on outcomes, not inputs.

Proportionality applies across the sector. Firms subject to the AMLR range from major cross-border banks to crowdfunding platforms and football clubs. The guidelines account for this by tying obligations to risk appetite, customer classification, and the nature of the business relationship. A small crowdfunding platform will not face the same operational requirements as a Tier 1 CASP with 500,000 users. Both will be expected to document how their monitoring meets the threshold.

For a broader understanding of AMLA's supervisory posture and enforcement authority, see AMLA: the EU's new AML authority and what it demands of CASPs.

Guideline 1: Keeping Customer Information Current

The first guideline addresses one of the most underexamined obligations in KYC compliance: what happens after onboarding.

Most identity verification discussions focus on the initial check — document verification, liveness detection, sanctions screening. AMLA's Guideline 1 is about the ongoing obligation to keep that information accurate. Under the draft framework, obliged entities must update customer information at intervals tied to customer risk:

• High-risk customers: review period capped at one year
• Standard customers: review period capped at five years
• Trigger-based updates: required when the firm becomes aware of a relevant new fact or change in circumstances — regardless of scheduled review timing

The phrase "relevant new fact" is deliberately broad. A change in a customer's business activity, a new beneficial ownership structure, an adverse media hit, an anomalous transaction pattern — any of these can constitute a trigger. The compliance function must have a documented process for detecting and acting on such triggers.

In practice, many firms maintain static customer records and run periodic reviews on a calendar basis only. Under AMLA's framework, that model does not satisfy Guideline 1.

The interaction between Guideline 1 and the AMLA CDD technical standards is critical. The CDD RTS defines what identity information must be collected at onboarding. Guideline 1 defines how often and under what circumstances that information must be refreshed. Together, they form the full lifecycle obligation for customer identity.

Guideline 2: Transaction and Activity Monitoring

The second guideline addresses how transactions and customer activity must be monitored throughout the relationship.

AMLA's draft framework does not specify transaction velocity thresholds, value limits, or behavioral analytics models. Instead, it establishes the structural requirement: obliged entities must operate a monitoring framework capable of identifying patterns inconsistent with the customer's known profile and escalating those inconsistencies for review.

Key elements the framework must include:

• Baseline establishment: the firm must maintain an understanding of the customer's expected behavior — transaction types, volumes, frequencies, counterparties
• Deviation detection: unusual activity relative to that baseline triggers review
• Escalation pathway: anomalies must reach the appropriate level of the compliance function within a defined timeframe
• Documentation: monitoring logic, thresholds, and escalation records must be auditable

This framework is intentionally process-neutral. AMLA does not require a specific transaction monitoring system. But it does require that whatever system is in place can demonstrate these four elements in a way a supervisor could verify.

Who Is Newly Covered

The ongoing monitoring guidelines apply across all obliged entities under the AMLR. This includes sectors that were not previously subject to EU-level AML monitoring requirements at this level of formality.

AMLA specifically highlighted the following newly covered entity types:

• Crowdfunding service providers
• Investment migration operators
• Football clubs and agents
• Credit intermediaries
• Non-financial mixed-activity holding companies
• Certain crypto-asset service providers
• Traders in high-value goods

For firms in sectors newly obliged under the AMLR, this consultation is particularly urgent. These entities have not previously had to design transaction monitoring frameworks at this level of formality. The July 2 public hearing is an opportunity to engage with AMLA's interpretation before it is finalized.

Crypto-asset service providers face a compound obligation. The MiCA Travel Rule requirements from 1 July 2026 govern transaction data transmission between CASPs. AMLA's ongoing monitoring guidelines govern what must happen internally after that data is received. Both apply simultaneously.

The Architecture Gap This Exposes

AMLA's guidelines surface a structural gap that many compliance teams have not yet resolved: the difference between verification and monitoring.

Verification is episodic. A customer submits a document, a system checks it, a decision is made. The event has a start and an end.

Monitoring is continuous. The customer relationship does not close after onboarding. Transactions continue. Circumstances change. New risks emerge. Article 26 of the AMLR requires that obliged entities track the entirety of that relationship over time — not just the moment when it began.

Most legacy KYC systems were built for verification. They collect documents, run checks, and produce a pass/fail output. They were not designed to maintain a living risk profile that updates on trigger events, flags anomalous patterns, and escalates findings automatically.

This is the architecture gap AMLA's guidelines will expose. Firms that pass the CDD check at onboarding but cannot demonstrate ongoing monitoring capability are not compliant with Article 26. The guidelines make this explicit.

The shift from point-in-time verification to continuous, intelligence-driven monitoring is not a theoretical aspiration — it is now a regulatory requirement. Joinble's AI Agents are built on this operational model: they monitor customer relationships continuously, detect changes in real time, and escalate anomalies without waiting for scheduled review cycles.

What Compliance Teams Should Do Now

The consultation closes 3 September 2026. Final guidelines come in Q4 2026. The AMLR applies fully from 10 July 2027. That creates approximately 13 months from finalized guidelines to full compliance — a window that sounds comfortable and is not.

Audit your current customer data maintenance process. Document how often customer information is reviewed, what triggers an ad hoc review, and whether those triggers are monitored automatically or by human review.

Map your transaction monitoring coverage. Identify which customer types, transaction channels, and business lines are covered by existing monitoring logic. Document gaps explicitly.

Assess your escalation pathway. Who receives anomaly alerts? Within what timeframe? Are those pathways documented in a format a supervisor could verify?

Respond to the consultation. AMLA is actively seeking input from newly obliged entities. If your firm falls into one of the listed categories, participation is both an opportunity to shape the final text and a signal to supervisors that your organization is engaged.

Begin infrastructure conversations now. If your current system cannot support trigger-based customer data updates and documented escalation pathways, vendor conversations should start before the guidelines are final — not after.

FAQ

What are AMLA's ongoing monitoring guidelines? Draft guidelines published June 3, 2026 under Article 26(5) of the AMLR. They define how obliged entities must maintain customer information and monitor transactions throughout the business relationship. Final guidelines are expected in Q4 2026.

When do the guidelines apply? The AMLR applies from 10 July 2027. Obliged entities should begin gap assessment and infrastructure planning immediately, given the approximately 13-month window between expected final guidelines and full application.

Who is covered? All entities obliged under the AMLR: banks, payment institutions, crypto-asset service providers, crowdfunding platforms, investment migration operators, football clubs, credit intermediaries, and traders in high-value goods.

What does Guideline 1 require? Obliged entities must keep customer information current on a risk-based schedule — maximum one year for high-risk customers, five years for standard customers — plus trigger-based updates whenever a relevant change in circumstances occurs.

What does Guideline 2 require? A transaction and activity monitoring framework with a documented customer baseline, deviation detection, a defined escalation pathway, and auditable records.

Can firms use manual monitoring processes? Yes. AMLA's guidelines are technologically neutral. Manual, automated, and semi-automated approaches are permitted. However, manual processes alone are unlikely to satisfy the continuous and trigger-based nature of the requirement at scale for most obliged entities.