AMLA 2026 Guidelines: The Shift to Living Risk Profiles
New AMLA guidelines mandate real-time monitoring by July 2026. Living risk profiles are replacing static KYC for global financial compliance.
The era of the 'static' customer file is officially ending. By July 10, 2026, the EU's Anti-Money Laundering Authority (AMLA) is set to issue definitive guidelines on ongoing and transaction monitoring that will fundamentally tighten expectations for regulated firms. Compliance teams must now evidence coverage across all exposure points, moving away from periodic reviews toward what regulators describe as living risk profiles.
The death of periodic KYC refresh cycles
For decades the industry relied on refreshing high-risk customers every year and low-risk customers every five years. The speed of illicit finance has outpaced these manual cycles. AMLA now requires that customer data be kept up to date whenever circumstances change or a firm becomes aware of a relevant new fact.
This shift prioritizes explainable programs where firms must not only have the data but also demonstrate why their specific monitoring controls are effective for their risk appetite.
Real-time requirements for 2026
The practical consequence of these reforms is a sharper focus on crypto-adjacent exposure and cross-border flows. Regulators are increasingly testing whether a firm's governance can handle jurisdictional divergence, where sanctions or identity requirements in one region move out of sync with another.
To remain compliant, firms are shifting toward agentic compliance suites. These systems, like the deepidv verification engine, allow for continuous screening against global sanctions and adverse media without the lag of batch processing.
AMLA Living Risk Profiles FAQ
- What are the new AMLA monitoring guidelines for 2026?
- AMLA is mandating that firms move from periodic KYC updates to continuous, risk-based monitoring. Guidelines due in July 2026 will require firms to update customer profiles immediately upon any significant change in risk status or behavior.
- How often must high-risk customers be updated under the new rules?
- While the maximum cap remains 1 year for high-risk customers, the new focus is on trigger-based updates. If a customer's ownership structure or transaction pattern shifts, the profile must be updated regardless of the annual deadline.
- Why is explainability important in AML governance?
- Regulators now expect firms to provide a clear audit trail of why certain monitoring decisions were made. It is no longer enough to have a tool. The firm must prove the tool's effectiveness and the logic behind its risk thresholds.
- Does this apply to crypto and virtual assets?
- Yes. The guidelines explicitly require coverage for onboarding and transaction monitoring in crypto-adjacent processes, including strict adherence to Travel Rule requirements.
Relevant Articles
The Crypto Travel Rule: Phase One Deadlines for 2026
A guide to crypto compliance under FATF Recommendation 16.
May 11, 2026
The EUDI Wallet Deadline: Late 2026 Mandatory Rollout
Member states must offer EUDIWs to citizens by December 2026.
May 11, 2026
Deepfake Attacks on Liveness Detection Surge by 311%
Synthetic identity fraud is the new frontline.
May 11, 2026
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
Learn More