The Regulatory Timeline
Five regulatory deadlines converge between now and the end of 2028. Each creates its own obligations. Together, they define the compliance infrastructure that banks must have in place.
DORA became mandatory in January 2025. Any new vendor engagement must now satisfy ICT resilience requirements: exit strategies, audit rights, resilience testing, incident reporting obligations. Banks evaluating new AML infrastructure vendors must apply DORA due diligence from the start of procurement, not after contract signature.
The EU AI Act's high-risk AI requirements under Annex III apply from August 2, 2026. AML systems that perform profiling of natural persons, specifically customer risk scoring based on behavioural analysis, must meet data governance, technical documentation, human oversight, explainability, and cybersecurity requirements. Banks using AI-based monitoring need to assess classification before August 2026, not after.
AMLR Article 75 applies from July 10, 2027. Cross-institutional information-sharing partnerships become legally permitted. Banks that want to participate from day one must have their infrastructure tested and operational by that date.
AMLA begins direct supervision of 40 selected institutions in the second half of 2027, with direct supervision formally starting in January 2028. The selection criteria include cross-border AML capabilities. Banks in scope for direct supervision will be evaluated on whether they can demonstrate participation in Article 75 partnerships.
PSD3 and PSR application is expected in late 2027 or 2028. The new payments framework will impose additional real-time fraud monitoring requirements that interact with AML obligations.
What Banks Need to Build
Seven capability areas require attention before July 2027.
Entity matching across institutions is the foundational requirement. Cross-institutional detection depends on correctly identifying that a customer at one bank is the same legal entity as a customer at another bank. Standardised identifiers (KvK numbers for Dutch entities, LEI codes for international legal entities, Companies House numbers for UK entities) must be mapped and maintained. Resolution logic for name variations, corporate structures, and beneficial ownership chains must be operational.
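The identifier-based part of that matching, as an added example that is not from the article: it validates LEI check digits (ISO 17442, MOD 97-10), normalises KvK, LEI and Companies House identifiers to a common key, and finds the customer pairs two banks hold for the same entity. All records, identifiers and the scheme labels are constructed for the example.

```python
"""Added example, not from the article: matching one legal entity across two
banks' customer records via standardised identifiers. LEI check digits follow
ISO 17442 (ISO 7064 MOD 97-10); every record and identifier here is constructed."""
from typing import Dict, List, Optional, Tuple

def _lei_numeric(s: str) -> int:
    # MOD 97-10 expansion: letters A..Z become 10..35, digits stay as they are.
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in s))

def lei_is_valid(lei: str) -> bool:
    """A well-formed LEI is 20 alphanumerics whose expansion is 1 mod 97."""
    lei = "".join(lei.split()).upper()
    return len(lei) == 20 and lei.isalnum() and _lei_numeric(lei) % 97 == 1

def lei_check_digits(body18: str) -> str:
    """Two check digits for an 18-character LEI body (98 minus body00 mod 97)."""
    return f"{98 - _lei_numeric(body18.upper() + '00') % 97:02d}"

def canonical_key(scheme: str, value: str) -> Optional[str]:
    """Normalise to a scheme-qualified key; None means the identifier is unusable."""
    v = "".join(value.split()).upper()
    if scheme == "LEI" and lei_is_valid(v):
        return f"LEI:{v}"
    if scheme == "KVK" and v.isdigit() and len(v) == 8:      # Dutch KvK: 8 digits
        return f"KVK:{v}"
    if scheme == "CH" and v.isalnum() and len(v) == 8:       # Companies House: 8 chars
        return f"CH:{v}"
    return None

def match_entities(bank_a: List[Dict], bank_b: List[Dict]) -> List[Tuple[str, str]]:
    """Pairs (customer at A, customer at B) that share a valid canonical identifier."""
    index: Dict[str, set] = {}
    for rec in bank_a:
        for scheme, value in rec["ids"]:
            key = canonical_key(scheme, value)
            if key is not None:
                index.setdefault(key, set()).add(rec["customer"])
    matches = set()
    for rec in bank_b:
        for scheme, value in rec["ids"]:
            for a_id in index.get(canonical_key(scheme, value), ()):
                matches.add((a_id, rec["customer"]))
    return sorted(matches)

LEI_DEMO = "ABCDEF0123456789XY" + lei_check_digits("ABCDEF0123456789XY")  # constructed
BANK_A = [{"customer": "A-001", "ids": [("KVK", "1234 5678"), ("LEI", LEI_DEMO)]}]
BANK_B = [{"customer": "B-907", "ids": [("LEI", LEI_DEMO.lower())]},   # same entity, other format
          {"customer": "B-909", "ids": [("LEI", "ABCDEF0123456789XY00")]}]  # bad check digits
```

Identifiers that fail validation never enter the index, so a mistyped LEI cannot produce a false cross-bank match; name-variation and ownership-chain resolution would layer on top of this key.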
Risk comparison protocols must satisfy GDPR data minimisation under Article 5(1)(c). The technical architecture determines the legal risk. An architecture that shares pseudonymised raw transaction records has different GDPR exposure than one that shares only pre-computed risk scores. The legal team and the technical team must design these protocols together.
Cryptographic audit trails are required for supervisor verification. DNB, the FCA, and AMLA will expect to verify that the monitoring system applied documented policies to documented data at documented times. An audit trail that relies on bank self-reporting does not satisfy this expectation. The trail must be independently verifiable without requiring access to the underlying personal data.
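One shape such a trail can take, as an added example that is not the article's or any vendor's design: a hash chain in which every entry commits to the policy version, a digest of the input data and the decision, so a supervisor holding the trail and the published policy text can check it without ever receiving the personal data. The policy text, record contents and policy identifier are constructed.

```python
"""Added example, not from the article: a hash-chained audit trail committing to
policy version, input data and decision per monitoring step, verifiable by a
supervisor without the personal data. All policies and records are constructed."""
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def commit(obj: Any) -> str:
    # Canonical JSON so identical content always yields the same digest.
    return sha256_hex(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())

def append_entry(trail: List[Dict], ts: str, policy_id: str, policy_text: str,
                 records: List[Dict], decision: str) -> Dict:
    """Record one decision; the trail stores hashes of policy and data, never the data."""
    entry = {
        "ts": ts, "policy_id": policy_id,
        "policy_hash": sha256_hex(policy_text.encode()),
        "data_hash": commit(records),
        "decision": decision,
        "prev": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = commit(entry)
    trail.append(entry)
    return entry

def verify_trail(trail: List[Dict], published_policies: Dict[str, str]) -> bool:
    """Supervisor-side check: chain links, entry digests and policy versions all hold."""
    prev = GENESIS
    for e in trail:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or commit(body) != e["entry_hash"]:
            return False          # tampered, reordered or deleted entry
        policy_text = published_policies.get(e["policy_id"], "")
        if sha256_hex(policy_text.encode()) != e["policy_hash"]:
            return False          # decision was not taken under the documented policy
        prev = e["entry_hash"]
    return True

def prove_data(records: List[Dict], entry: Dict) -> bool:
    # Bank-side disclosure on lawful request: these records are what the entry committed to.
    return commit(records) == entry["data_hash"]

POLICIES = {"risk-policy-v3": "constructed policy: alert when cross-bank score >= 80"}
RECORDS = [{"customer": "A-001", "score": 85}]   # constructed; stays inside the bank
```

A chain alone does not stop a bank from discarding the tail and rebuilding it; anchoring the latest entry hash with a third party or the supervisor at fixed intervals closes that gap.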
DORA-compliant vendor management must be in place from contract signature. Exit strategies, audit access provisions, resilience testing schedules, and incident reporting protocols must be agreed before deployment begins. Retroactively renegotiating vendor contracts after DORA application creates risk.
AI Act compliance documentation is required for any component that performs profiling. If the cross-institutional risk comparison involves AI-generated risk scores, the classification question must be resolved before August 2026. High-risk classification requires data governance documentation, technical documentation, human oversight procedures, and cybersecurity measures.
Integration with existing transaction monitoring systems must be designed for non-disruptive deployment. Banks cannot replace core monitoring infrastructure on this timeline. The Article 75 capability sits alongside existing systems, receiving risk outputs and generating cross-institutional alerts without requiring platform replacement.
Staff training on collaborative intelligence workflows is the final requirement. Compliance analysts must understand what a cross-institutional risk alert represents, how to evaluate it, how to document their independent assessment, and how to file SARs where warranted. The workflow change is modest. The training requirement is not.
The Lead Time Problem
Building cross-institutional monitoring infrastructure from vendor selection to production takes 18 to 24 months for a Tier-1 bank. The procurement process alone, including DORA due diligence, legal review, board approval, and contract negotiation, takes three to six months. Integration and testing take six to twelve months. Regulatory engagement and approval take additional time.
Banks that begin vendor evaluation in Q1 2026 can complete procurement by mid-2026, integration and testing by Q1 2027, and regulatory approval by the July 2027 deadline. The timeline is tight but achievable.
Banks that begin in Q1 2027 cannot meet the July 10 deadline. They may be able to demonstrate progress, but they will not have tested, approved infrastructure operational from the date Article 75 applies. For institutions in scope for AMLA direct supervision, this is a material supervisory risk.
The AMLA Selection Factor
AMLA will select 40 institutions for direct supervision based on criteria that include size, cross-border activity, and AML risk profile. Many of the institutions likely to be selected are headquartered in the Netherlands, Germany, France, and other jurisdictions with substantial cross-border financial activity.
Demonstrating participation in an Article 75 partnership is a strong signal to supervisors. It shows that the institution has invested in the technical infrastructure for cross-institutional detection, has completed the legal analysis and DPIA work, and has trained its compliance staff on the new workflows. Institutions that cannot demonstrate this by H2 2027 will have to explain to AMLA why the infrastructure is not ready at the point of direct supervision assessment.
The Decision
The regulatory requirements are clear. The timeline is fixed. The technology is tested and pilot-ready. The decision is whether to begin now or explain to supervisors in 2028 why the infrastructure is not ready.
Banks that act in Q2 2026 have time to complete all required steps before July 10, 2027. Banks that wait until 2027 do not. The 16-month window is open. The question is whether to use it.