How Multinational Companies Stay Audit-Ready Across Jurisdictions

If your compliance team only becomes audit-ready when an audit is announced, you are already behind. That might sound counterintuitive, but it reflects one of the most important shifts in how regulators and auditors across every major jurisdiction now approach compliance reviews. They are not looking for a well-organised folder of policies. They are looking for evidence that your compliance programme actually works in practice, day to day, in every market where you operate.
For a multinational company, that standard is genuinely demanding. You may be operating under the EU's incoming Anti-Money Laundering Regulation, the US Bank Secrecy Act framework, Singapore's MAS Notices, and Australia's AML/CTF Act simultaneously, each with its own documentation expectations, its own ongoing monitoring requirements, and its own evidentiary standards. Meeting all of them in a way that is consistent, scalable, and demonstrable is not a documentation exercise. It is an infrastructure problem.
This article is for compliance leads, MLROs, risk officers, and operations teams at multinational regulated businesses who need a practical, honest account of what audit-readiness across jurisdictions actually requires. We will cover what regulators are looking for in 2026, where compliance programmes typically fail under examination, and what a genuinely audit-ready cross-border infrastructure looks like.
What Regulators Are Actually Looking For in 2026
The Shift From Policy Documentation to Proof of Practice
There is a fundamental change underway in how regulators evaluate compliance programmes, and it matters enormously for any multinational business preparing for examination. The old model was largely about having the right documents: a written AML policy, a KYB procedure, a sanctions screening protocol. If you could produce those documents, you had a compliance programme.
That standard is no longer sufficient. The UK Serious Fraud Office's updated guidance on compliance programme evaluation makes this explicit, noting that the fact an organisation has policies, procedures, and controls in place does not necessarily mean its compliance programme is effective. Regulators will seek to get behind the pronouncements and determine how policies and procedures translate into conduct on the ground. The same principle is echoed by the US Department of Justice, the French Anti-Corruption Agency, and increasingly by financial regulators across the EU and APAC.
Auditors today are trained to identify gaps between policy and practice. They look for evidence that leadership understands compliance obligations, participates in reviews, and supports corrective actions. Board-level oversight, management reviews, and ownership of controls are critical indicators of maturity.
What this means operationally is that audit-readiness is not something you achieve by updating your policy documents before an examination. It is something you either have or you do not, based on how your compliance programme operates every single day.

What Auditors Look For Across Every Jurisdiction
Despite the significant differences between regulatory frameworks in the US, EU, and APAC, auditors across all three regions converge on a consistent set of questions when they examine a compliance programme. Understanding those questions is the starting point for building a programme that holds under scrutiny anywhere.
The first question is: can you demonstrate what decisions were made and who made them? Every onboarding approval, every risk classification, every enhanced due diligence determination needs to be attributable to a named individual with the authority to make that decision, with a record of when it was made and what information it was based on. Auditors want to see timestamped evidence that actions really happened, a consistent inspection history across assets, and clear proof that authorised people performed the work.
The second question is: are your records complete and current, or do they reflect the state of a relationship at onboarding with no evidence of ongoing review? Under FinCEN's CDD Rule framework, financial institutions are required to develop and implement risk-based procedures for conducting ongoing customer due diligence, including regular monitoring to identify and report suspicious activity and, on a risk basis, to maintain and update customer information. The EU's AMLR imposes similar requirements. So does MAS in Singapore and AUSTRAC in Australia.
The third question is: is your compliance programme proportionate to the risks your business actually faces? A risk-based approach is not an excuse for doing less. It is a requirement to demonstrate that you have assessed your risks, documented that assessment, and calibrated your controls accordingly. Under the EU AMLR, the Business-Wide Risk Assessment must be documented, kept up to date, regularly reviewed, drawn up by the compliance officer, and approved by the management body. Where a supervisory function exists, the assessment must also be communicated to it.
The fourth question is: when something went wrong, what did you do about it? Regulators may look for evidence of implementation such as training records, audit trails, testing, and examples of escalation and remediation. Isolated compliance failures do not inevitably mean a compliance programme is ineffective, but the response to those failures matters significantly.
Why the Reactive Approach Has Become a Liability
Audit readiness that is reactive starts when an audit is announced. Audit readiness that is continuous exists whether an audit is scheduled or not. Organisations focused on reactive preparation often rely on reconstruction, pulling together fragmented records after the fact and hoping they align. Auditors are not impressed by volume. They are impressed by coherence.
For multinational companies, the risks of a reactive approach are compounded by scale. Reconstructing a complete, coherent compliance record for one counterparty relationship is hard enough when the documents are scattered across email threads and shared drives. Doing it for hundreds or thousands of counterparties across multiple jurisdictions, each with different documentation standards and different review timelines, is operationally impossible at the standard regulators now expect.
The Regulatory Landscape Multinational Compliance Teams Navigate in 2026
Understanding what makes multi-jurisdictional audit-readiness so demanding starts with understanding how different the regulatory expectations actually are, and how actively they are changing right now.
The EU: A New Rulebook Taking Shape in 2026
The EU published a comprehensive new AML legislative package in June 2024, consisting of three interlocking instruments that together represent the most significant overhaul of European AML compliance in two decades.
Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation (AMLR), is a directly applicable Regulation that will apply identically across all 27 EU member states from 10 July 2027. Unlike the previous AML Directives, which required each member state to transpose the rules into national law, the AMLR leaves no room for national variation. The goal is to end the regulatory arbitrage that previously allowed obliged entities to establish themselves in jurisdictions with lighter enforcement.
Regulation (EU) 2024/1620 established the Anti-Money Laundering Authority, AMLA, as the EU's first centralised AML supervisor, operational since 1 July 2025, headquartered in Frankfurt. AMLA will directly supervise up to 40 selected obliged entities, primarily credit institutions and financial institutions with cross-border operations and the highest money laundering risk profiles. For all other obliged entities, AMLA coordinates national supervisors, sets binding standards through regulatory and implementing technical standards, conducts peer reviews of national supervisors, and builds the single EU AML/CFT supervisory culture. AMLA can impose administrative sanctions of up to €10 million or 10% of annual group turnover, whichever is higher, for the most serious violations.
The critical point for compliance teams is that 2026, not 2027, is the year to act. Between now and 2027, AMLA must publish 23 Level 2 and Level 3 measures, including regulatory technical standards, implementing technical standards, and guidelines, most of them due by 10 July 2026.
As AMLA moves towards operational supervision, supervisors are likely to look beyond outcomes and ask how risk decisions were reached. For EU-wide compliance teams, the practical question is no longer what might change, but what should we be ready to evidence.
One specific new obligation worth noting for multinationals is the Business-Wide Risk Assessment requirement under the AMLR. On 16 April 2026, AMLA opened a public consultation on draft guidelines under Article 10(4) of the AMLR. The consultation runs until 15 July 2026. AMLA expects to issue the final guidelines in Q4 2026. Compliance teams should be tracking these guidelines closely, as they will define the minimum content requirements for a compliant BWRA across all EU obliged entities.
The United States
The US AML compliance landscape in 2026 is defined by a combination of established obligations that have not changed and specific, active reforms that compliance teams need to track carefully.
The foundation is the Bank Secrecy Act framework, which has not changed. Financial institutions including banks, payment processors, money services businesses, and broker-dealers remain subject to robust Customer Due Diligence requirements under FinCEN's CDD Rule. Those requirements cover identifying and verifying the identity of customers, understanding the nature and purpose of customer relationships, and conducting ongoing monitoring.
What has changed is the specific mechanics of how and when beneficial ownership must be collected. On February 13, 2026, FinCEN issued an order granting exceptive relief to covered financial institutions from the CDD Rule's requirement to identify and verify the identity of beneficial owners of legal entity customers at each new account opening. This reflects a broader modernisation effort under Executive Order 14192, aimed at reducing compliance burden without compromising the risk-based framework. Financial institutions that choose to take advantage of this relief will want to update their policies, procedures, and controls on beneficial ownership reviews, as well as their broader CDD and Customer Identification Programme systems.
On the Corporate Transparency Act, FinCEN's March 2025 interim final rule currently limits beneficial ownership reporting obligations to foreign entities registered to do business in the United States. Domestic US companies and US persons are currently exempt. A new rulemaking is expected in 2026, and the regulatory position remains subject to change.
For multinational compliance teams, the important point about the US framework is its sector-by-sector architecture. There is no single overarching AML regulation. FinCEN governs banks and financial institutions, FINRA covers broker-dealers, and state regulators add additional layers in certain markets. The fragmentation of global regulatory requirements means businesses must regularly navigate multiple compliance obligations that often conflict or overlap. The US is a particularly clear example of this within a single jurisdiction.
APAC: Fast-Moving Reform With Active Enforcement
Singapore's Monetary Authority (MAS) published revised AML/CFT Notices and Guidelines effective 1 July 2025, extending compliance obligations across the full financial sector to formally include proliferation financing risk assessments and tightening suspicious transaction report filing timelines. MAS is an active enforcement body. In July 2025, it imposed composition penalties totalling S$27.45 million on nine financial institutions for inconsistent implementation of AML/CFT policies.
In Australia, the AML/CTF Amendment Act introduced Tranche 2 reforms that extended AML obligations to real estate professionals, lawyers, accountants, and dealers in precious metals and stones. Tranche 1 entities saw changes take effect from 31 March 2026. Tranche 2 entities must be enrolled with AUSTRAC by 29 July 2026, with full compliance required from 1 July 2026. The reforms bring approximately 100,000 additional entities under AUSTRAC supervision. For businesses that onboard clients or counterparties from these sectors, the Tranche 2 changes directly affect how counterparty risk is classified and what due diligence is required.
Where Cross-Border Compliance Infrastructure Actually Fails
Most compliance failures in multinational organisations are not caused by a failure to understand the regulations. They are caused by a failure of infrastructure, which is a different problem with different solutions.
Fragmented Records Across Systems, Teams, and Geographies
The most common structural failure is document fragmentation. A counterparty relationship is initiated by a business development team. The KYB documents are collected over email. They are saved to a shared drive, or possibly two shared drives in two different regional offices. A compliance reviewer in a different timezone reviews some of them. The UBO declaration is missing but nobody follows up. Six months later, the relationship is active, the documents are incomplete, and nobody is entirely sure what was collected, when, or whether it was ever formally approved.
This is not an unusual scenario. Gaps in documentation, weak audit trails, and inconsistent monitoring of overseas partners are among the most common compliance failures that KYB processes are designed to prevent. For multinational organisations, the fragmentation problem scales with headcount, jurisdictions, and the number of teams that have any role in bringing a business relationship to life.
The cost of weak documentation showed up in audit delays, operational slowdowns, and expanded breach costs in 2025. Organisations that centralised their evidence and automated documentation became audit-ready almost by default.
No Consistent Standard Across Markets
When different regional teams manage their own onboarding processes without a shared standard, drift is inevitable. The compliance team in one office requires articles of association, a UBO declaration, and a registry extract. The team in another office accepts whatever the counterparty sends. The team in a third office has a checklist from two years ago that nobody has reviewed since the last regulatory update.
The absence of harmonised global regulations makes it difficult to create a standardised compliance programme, often resulting in duplicated efforts, higher costs, and potential gaps. The constantly changing regulatory landscape demands continuous monitoring and swift adaptation.
This problem is structural. It cannot be solved by sending another email reminding people about the policy. It requires a workflow system that enforces the standard at the point of collection, making it operationally impossible to proceed without completing the required steps.
No Ongoing Monitoring or Expiry Tracking
Compliance is not a one-time event. Every regulatory framework that governs multinational business relationships, whether the EU's AMLR, FinCEN's CDD Rule, MAS Notices, or AUSTRAC's AML/CTF Act, requires that due diligence documentation be kept current and that business relationships be monitored on an ongoing basis.
In practice, ongoing monitoring is the part of the compliance programme that most frequently fails at scale. A counterparty is verified at onboarding, a file is created, and then nothing happens again unless someone manually checks that the file needs to be reviewed. Documents expire. Ownership structures change. Sanctions screening results go stale. A counterparty that was clean at onboarding may not be clean eighteen months later, and without a system that tracks and flags these changes, the business has no way of knowing.
Automating alerts for document expiration, renewals, and compliance reporting ensures accuracy and improves audit readiness. Routine reviews help detect gaps before authorities do.

Approval Trails That Cannot Withstand Scrutiny
A compliance decision is only as defensible as the record of how it was made. If your KYB approval process relies on a compliance officer sending an email saying "approved," that email thread is your audit trail. It may not survive a regulatory examination. Who approved it? Under what authority? Based on what information? Was it a risk-based decision? Was it escalated? Was it documented in the counterparty's file in a way that is retrievable and coherent?
Control ownership assigns specific individuals responsibility for implementing, monitoring, and maintaining the effectiveness of each internal control. Without clear ownership, accountability weakens, evidence collection stalls, and compliance gaps emerge because teams assume someone else is handling documentation or testing.
For multinational companies, approval trail weaknesses are often discovered during cross-border transactions or when a banking partner requests a compliance review. The problem is not that approvals were not made. It is that the record of those approvals does not meet the evidentiary standard that regulators and counterparties now expect.
What Genuinely Audit-Ready Infrastructure Looks Like
Audit-readiness across jurisdictions requires infrastructure, not just policy. Here is what that infrastructure needs to do.
A Single, Centralised Repository With Controlled Access
Every document related to every counterparty relationship, in every jurisdiction, needs to live in one place with a consistent filing structure, controlled access permissions, and a clear link between documents and the relationships they belong to. This is not a shared drive. It is a structured system where every file has a home, every action on that file is logged, and every reviewer can see exactly what has been collected, what is pending, and what is overdue.
A centralised repository consolidates all compliance documents, policies, audit reports, and regulatory files into one secure platform, creating a single source of truth. For multinational organisations, a single repository also means that a compliance officer in Frankfurt and a compliance officer in Singapore are looking at the same file, in the same state, with the same history. There is no version that is more up to date than another. There is no document that was shared by email but never made it into the official record.
Jurisdiction-Aware Collection Templates That Enforce the Standard
Your document collection process needs to reflect the specific requirements of the jurisdiction you are onboarding from, without requiring your compliance team to reconstruct those requirements from memory every time a new counterparty is initiated.
This means your onboarding workflow needs to know that a German GmbH requires a Handelsregister extract, articles of association, and a UBO declaration tied to the Transparenzregister, while an Australian Pty Ltd requires ASIC registration documentation and a beneficial ownership declaration under the Australian framework, and that both of these differ from what is required for a Singaporean private limited company. The standard is consistent. The templates reflect the jurisdictional reality.
An effective compliance workflow enables you to tailor KYC, KYB, and AML verification by region while maintaining audit readiness.
Risk-Based Tiering With Documented Rationale
Not every counterparty relationship carries the same risk, and your compliance programme should not treat them as if they do. A risk-based approach is a regulatory requirement across all three major frameworks, and it is also the operationally sensible way to allocate compliance resources. The key is that your risk-based decisions need to be documented in a way that is explicitly defensible.
Why was this counterparty classified as standard rather than enhanced? What risk factors were present? What was the risk score? Who made the classification decision? Was it reviewed? Is there a record of that review in the counterparty's file? These are the questions a regulator will ask, and your infrastructure needs to be able to answer them for every relationship in your portfolio.
Immutable, Timestamped Audit Logs
Audit trails are the bridge between compliance policy and provable execution. For multinational compliance programmes, every action taken on every counterparty file needs to be recorded automatically, timestamped, attributed to a named user, and stored in a format that cannot be edited or deleted after the fact.
This covers document receipt, document review, risk classification decisions, approval decisions, escalation events, periodic review completions, discrepancy reports, and renewal requests. The cumulative record of these events for any given counterparty is what you hand to a regulator when they ask you to demonstrate your compliance programme. If that record is complete, coherent, and attributable, you are in a strong position. If it requires reconstruction, you are not.
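The properties described above (automatic recording, timestamps, named attribution, no silent edits or deletions) can be checked mechanically with a hash-chained log. This is an added example, not code from the article or from any platform it mentions; the class and function names, the event-type identifiers and the sample entries are constructed for illustration, and hash chaining makes tampering detectable rather than impossible.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry

# Event types taken from the list in the section above; identifiers are illustrative.
EVENT_TYPES = {
    "document_receipt", "document_review", "risk_classification", "approval",
    "escalation", "periodic_review", "discrepancy_report", "renewal_request",
}


def digest(body):
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self):
        self._entries = []

    def head(self):
        """Hash of the latest entry. Store it outside the log (e.g. with another team)."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def append(self, counterparty, event, user, detail, when=None):
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event}")
        if not user or not user.strip():
            raise ValueError("every entry must be attributed to a named user")
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        body = {
            "seq": len(self._entries),
            "ts": when.astimezone(timezone.utc).isoformat(),
            "counterparty": counterparty,
            "event": event,
            "user": user,
            "detail": detail,
            "prev": self.head(),
        }
        entry = dict(body, hash=digest(body))
        self._entries.append(entry)
        return entry

    def export(self):
        """Copy of the entries, as they would be handed to a reviewer."""
        return [dict(e) for e in self._entries]


def verify(entries, expected_head=None):
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i:
            problems.append(f"entry {i}: sequence gap or reorder")
        if e.get("prev") != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if digest(body) != e.get("hash"):
            problems.append(f"entry {i}: content altered")
        prev = e.get("hash")
    # Dropping the newest entries leaves a valid chain; only an externally
    # stored head hash reveals that kind of truncation.
    if expected_head is not None and prev != expected_head:
        problems.append("head mismatch: entries truncated or replaced")
    return problems


def file_history(entries, counterparty):
    """The cumulative record for one counterparty, in order."""
    return [e for e in entries if e["counterparty"] == counterparty]


def build_sample_log():
    """Constructed sample data: counterparties, users and details are invented."""
    log = AuditLog()
    t = lambda d, h: datetime(2026, 1, d, h, 0, tzinfo=timezone.utc)
    log.append("CP-001", "document_receipt", "a.meyer", "registry extract", t(12, 9))
    log.append("CP-001", "risk_classification", "l.tan", "standard", t(13, 10))
    log.append("CP-002", "document_receipt", "a.meyer", "UBO declaration", t(13, 11))
    log.append("CP-001", "approval", "s.okoye", "approved at standard tier", t(14, 15))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    entries = log.export()
    print("intact:", verify(entries, log.head()))
    entries[1]["detail"] = "simplified"  # simulate an after-the-fact edit
    print("edited:", verify(entries, log.head()))
```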
Automated Renewal Tracking and Expiry Alerts
Every document in your compliance file has either a formal expiry date or a practical refresh requirement, and your system needs to track both. The regulatory expectation across the EU, US, and APAC is not that you verified a counterparty once. It is that your records remain current and that your programme includes meaningful ongoing monitoring.
Automated expiry tracking means that no document lapses without a renewal request being generated and tracked. It means that higher-risk counterparties are reviewed more frequently than lower-risk ones, and that the system enforces that cadence rather than relying on individual compliance officers to remember it. It also means that when a regulatory examination arrives, you can show not just the current state of every counterparty file but the complete history of when each document was refreshed and by whom.
Perpetual KYB introduces continuous oversight to business identity. Instead of treating verification as a one-time onboarding hurdle, it enables teams to monitor business entities throughout their entire lifecycle. Events like ownership changes, new filings, sanctions exposure, or adverse media signals are evaluated as they happen.
Global Standards With Jurisdiction-Specific Overlays
The most effective architecture for a multinational compliance programme is a single, non-negotiable global baseline applied in every market, with jurisdiction-specific requirements added as structured overlays rather than managed as entirely separate processes.
The global baseline covers the core requirements that all your regulatory frameworks share: company identity verification, beneficial ownership documentation, sanctions and PEP screening, risk classification, approval hierarchy, and ongoing monitoring schedule. The overlays cover what is specific to a given jurisdiction, such as the EU's AMLR requirement for a valid proof of registration or recently issued register excerpt every time a new business relationship is entered, Singapore's proliferation financing assessment requirement, or Australia's sector-specific Tranche 2 classifications.
This architecture is more scalable, more consistent, and more defensible under examination than managing a separate compliance programme for each market. Often, multinational companies find that a tailored approach based on regional differences is more effective than a one-size-fits-all strategy, but the tailoring should be built on top of a strong, consistent global foundation.
The Operational Practices That Keep Compliance Teams Ahead of Audits
Infrastructure is necessary but not sufficient. The operational practices around it matter equally.
Aligning Compliance and Operations on the Same Workflow
One of the most common sources of compliance failure in multinational organisations is not a gap in the compliance programme itself but a misalignment between the compliance function and the business teams that initiate counterparty relationships. When a business development team is measured on the speed of onboarding and a compliance team is measured on the thoroughness of verification, the tension between those incentives produces outcomes that serve neither goal well.
The solution is a shared workflow that both teams operate within, with defined stages, defined responsibilities, defined SLAs, and shared visibility into where every onboarding is in the process. Business teams know what compliance requires and why. Compliance teams know when a new onboarding has been initiated and can begin work without waiting for someone to remember to tell them. Neither team can advance a relationship to the next stage without the previous stage being complete.
Regular Internal Reviews That Simulate Examination Conditions
Whether you operate in healthcare, energy, finance, education, manufacturing, or the public sector, the message from regulators and auditors is consistent: they expect organisations to be prepared at all times. Compliance is no longer episodic, nor can it rely on last-minute document gathering. Instead, it must operate with traceability, consistency, and a strong foundation of evidence.
For multinational teams, this means scheduling regular internal reviews that simulate what a regulator would ask for. Select a sample of counterparty files. Can you produce a complete, coherent record for each one? Can you evidence the risk classification decision? Can you show the approval trail? Are all documents current? Do you have a record of the last periodic review? Any gaps identified in an internal review are far less costly than gaps identified by a regulator.
Keeping Regulatory Intelligence Current
Compliance tools leveraging automation and real-time regulatory tracking grew more prevalent in 2025, helping companies monitor shifting requirements across jurisdictions and reduce manual overhead in reporting and audit preparation.
For multinational teams, the regulatory landscapes across the US, EU, and APAC are all moving simultaneously. The AMLR's technical standards are being published through 2026. The US CDD Rule is under active revision. Australia's Tranche 2 reforms are being implemented right now. Singapore's MAS Notices took effect in mid-2025. Missing a key change to any one of these frameworks can create a compliance gap that takes months to close.
Regulatory intelligence needs to be treated as an ongoing operational input, not an annual policy review exercise. Whether that means subscribing to official regulatory update services from FinCEN, EUR-Lex, MAS, and AUSTRAC, or using a compliance platform that tracks regulatory changes, the result needs to be that your compliance programme reflects the current state of the law in every market you operate in, not the state it was in when your policies were last updated.
The Documents You Need to Demonstrate Audit-Readiness Across Jurisdictions
While specific requirements vary by regulatory framework, jurisdiction, and risk profile, the following represent the core evidentiary categories that a multinational compliance programme needs to be able to produce for every counterparty relationship in its portfolio.
Current and complete identity documentation includes a valid certificate of incorporation or local equivalent, a recent extract from the relevant national company registry, articles of association, and any amendments to founding documents. "Current" matters here. Registry extracts from 18 months ago have limited assurance value under the evidentiary standards the AMLR and AMLA are establishing.
Beneficial ownership documentation includes a completed UBO declaration supported by documentary evidence of the ownership chain where the structure involves intermediate holding companies, nominee shareholders, or cross-jurisdictional structures. Under Article 15 of Regulation (EU) 2024/1624, obliged entities must collect valid proof of registration or a recently issued register excerpt whenever entering a new business relationship with a legal entity. For higher-risk structures, the chain needs to be traced to the natural persons at the top with documentary support at each layer.
Risk classification records document the basis on which a counterparty was assessed as standard, enhanced, or simplified, the specific risk factors that were considered, the score or outcome of that assessment, and the name and role of the individual who made the classification decision. This is what regulators ask for when they ask whether your programme is genuinely risk-based.
Screening records show that sanctions screening, PEP screening, and adverse media checks were conducted at onboarding, that the results were reviewed, and that any matches or near-matches were investigated and resolved with a documented outcome. Screening records that cannot be tied to a specific date and a specific file have limited audit value.
Ongoing monitoring records demonstrate that counterparty files have been reviewed on a schedule appropriate to their risk classification, that documents have been refreshed as required, and that any changes in risk profile, ownership structure, or sanctions status have been identified, assessed, and documented. Under Article 26 of Regulation (EU) 2024/1624, this is a specific and auditable obligation for EU obliged entities.
Approval records document who approved the business relationship, under what authority, at what stage, and based on what information. For escalated or higher-risk relationships, these records should include documentation of the senior sign-off and the rationale for proceeding.
Conclusion: Audit-Readiness Is the Output of a Well-Built Compliance Programme
The most important insight about staying audit-ready across jurisdictions is also the simplest. Audit-readiness is not a state you achieve by preparing for an audit. It is the natural output of a compliance programme that operates correctly every day, in every market, for every counterparty relationship.
Compliance did not become more chaotic in 2025. It became more structured. Regulators across sectors and regions aligned around the same core themes: transparency, fairness, accountability, resilience, and responsible automation. Documentation is no longer the paperwork of compliance. It is the language of trust.
For multinational regulated businesses, that shift changes what the investment in compliance infrastructure needs to achieve. The goal is not to produce documents when asked for them. The goal is to have a system that produces evidence automatically, continuously, and completely, across every jurisdiction where you operate, so that when a regulator asks for it, the answer is already there.
About SpeedyDD
SpeedyDD is a KYB and due diligence platform built for regulated businesses that need to stay audit-ready across complex, multi-jurisdictional environments. Our mission is to help compliance-first organisations maintain continuous audit-readiness across every business relationship, every market, and every stage of the counterparty lifecycle.
SpeedyDD connects with over 3000 corporate registry data sources across more than 200 countries and territories, giving compliance teams access to registry-sourced verification data rather than self-declared documents alone.
For teams managing compliance obligations across multiple jurisdictions simultaneously, SpeedyDD provides the centralised workflow, document management, and audit trail infrastructure that makes cross-regional audit-readiness operationally achievable.
Frequently Asked Questions
What does audit-readiness actually mean for a multinational company?
Audit-readiness for a multinational regulated business means the ability to produce, at any point in time and for any counterparty in your portfolio, a complete, coherent, timestamped, and attributed record of what was verified, when it was verified, who made the relevant compliance decisions, and on what basis those decisions were made. It is not a matter of having policy documents in place. It is a matter of having a compliance programme that operates correctly every day and generates evidence of that operation automatically. Continuous audit-readiness exists whether an audit is scheduled or not. Organisations that rely on reconstruction are increasingly exposed, because auditors are not impressed by volume; they are impressed by coherence.
What are the most common reasons multinational compliance programmes fail under audit?
The most common failures are structural rather than regulatory. Fragmented document records across email threads, shared drives, and multiple systems mean that complete files cannot be assembled quickly. The absence of ongoing monitoring means that documents and risk assessments go stale without anyone noticing. Inconsistent onboarding standards across regional teams produce uneven evidentiary quality. Poor approval trail documentation means that compliance decisions cannot be attributed and evidenced. Gaps in documentation, weak audit trails, and inconsistent monitoring of overseas partners are among the most common compliance failures that KYB processes are designed to prevent. Each of these is an infrastructure problem, not a knowledge problem.
What is the EU AMLR and why does it matter for multinational businesses right now?
Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation, is the EU's first directly applicable AML rulebook, applying identically across all 27 member states from 10 July 2027. Unlike previous Directives, it leaves no room for national variation. For multinational businesses with EU operations or EU counterparties, it raises the floor on CDD requirements, standardises beneficial ownership verification, mandates specific ongoing monitoring obligations, and requires discrepancy reporting within 14 calendar days of detection. AMLA must publish 23 Level 2 and Level 3 regulatory measures, most of them due by 10 July 2026, making 2026 the year compliance teams must act, not wait.
What is AMLA and how does it change compliance supervision in the EU?
AMLA, the Anti-Money Laundering Authority established by Regulation (EU) 2024/1620, became operational on 1 July 2025. It is the EU's first centralised AML supervisor, based in Frankfurt. AMLA will directly supervise up to 40 selected obliged entities with the highest money laundering risk profiles, while coordinating national supervisors for the rest of the sector. It can impose administrative sanctions of up to €10 million or 10% of annual group turnover for the most serious violations. Critically, AMLA is now producing the technical standards that define how the AMLR is applied in practice, including the Business-Wide Risk Assessment guidelines currently under public consultation.
How does the US compliance framework differ in structure from the EU and APAC frameworks?
The most significant structural difference is that the US does not have a single overarching AML regulation. Instead, compliance obligations are organised on a sector-by-sector basis, with FinCEN governing banks and financial institutions under the Bank Secrecy Act, FINRA covering broker-dealers, and state regulators adding further requirements in certain markets. FinCEN has been actively modernising the US AML/CFT compliance framework in 2026, including issuing exceptive relief from the CDD Rule's requirement to identify and verify beneficial owners at each new account opening. The foundational CDD requirements around customer identification, risk profiling, and ongoing monitoring remain fully in force.
What are the key compliance developments in APAC that multinational teams need to track?
Two are particularly significant in 2026. Singapore's MAS published revised AML/CFT Notices effective 1 July 2025 that formally extended compliance obligations to include proliferation financing risk assessments and tightened STR filing timelines across the full financial sector. MAS enforcement is active, with S$27.45 million in penalties issued in July 2025 alone. In Australia, AUSTRAC's Tranche 2 reforms extend AML obligations to real estate professionals, lawyers, accountants, and dealers in precious metals and stones, with full compliance required from 1 July 2026. Both developments affect how multinational businesses classify counterparty risk when dealing with entities in these markets.
What does ongoing monitoring actually require in practice?
Ongoing monitoring means that compliance work does not end at onboarding. Financial institutions are required to develop and implement risk-based procedures for conducting ongoing customer due diligence, including regular monitoring to identify and report suspicious activity and, on a risk basis, to maintain and update customer information. In practice, this means documents need to be refreshed on a schedule appropriate to the risk classification of the relationship. Changes in ownership structure, sanctions status, or regulatory standing at a counterparty need to trigger review outside the scheduled cycle. And the record of that ongoing monitoring needs to be maintained in the counterparty file in a way that is retrievable and attributable.
Why is a shared compliance workflow important for multinational teams?
When different regional teams manage their own onboarding processes without a shared workflow, standards drift, documentation becomes inconsistent, and the evidentiary quality of files varies across markets. A shared workflow means that every counterparty relationship, regardless of which team or which market initiated it, goes through the same defined stages, produces the same categories of documentation, and generates the same quality of audit trail. Standardising processes is a cornerstone of effective cross-border compliance. When working with local teams or local professionals, consistent processes ensure that findings align with global compliance goals.
How often should counterparty files be reviewed after onboarding?
Review frequency should be calibrated to the risk classification of the relationship. Higher-risk relationships warrant more frequent review, typically annually or more often if risk factors change. Lower-risk relationships may follow a longer review cycle. What matters is that the review schedule is documented in your compliance policies, that the system enforces it, and that every completed review is recorded in the counterparty file with a timestamp and the name of the reviewer. Out-of-cycle reviews should be triggered by any material change in counterparty risk profile, including ownership changes, new sanctions matches, adverse media, or changes in regulatory status.
What is the relationship between GDPR and AML obligations for EU-regulated businesses?
GDPR applies alongside AML obligations, not instead of them. The interaction between GDPR's data minimisation and purpose limitation principles and AML's requirements for comprehensive, long-term CDD record retention creates a genuine tension that compliance teams need to manage deliberately. The AMLR is not a licence to ignore GDPR. Both apply simultaneously. Your document management and data retention policies need to reflect both frameworks, including the basis for retaining personal data collected as part of CDD, the retention period, and the access controls that govern who can view that data.
