Eltoma Corporate Services — Authorised Corporate Services Provider
Articles are provided for general informational purposes by an authorised corporate services provider and do not constitute legal advice.

The EU anti-money laundering and counter-terrorist financing framework is entering a new phase. This is not merely another compliance update. It is a structural reset in the way AML/CFT rules are written, supervised and enforced across the European Union.
For many years, EU AML policy has been driven principally through directives. Directives created a common legislative direction, but left Member States to transpose and implement rules through national law. The result was a broadly aligned framework, but with material differences in local interpretation, supervisory practice, enforcement appetite and operational expectations.
The new EU AML package seeks to reduce that divergence. It introduces a more harmonised private-sector rulebook, creates the Authority for Anti-Money Laundering and Countering the Financing of Terrorism, commonly known as AMLA, and promotes greater consistency in supervision and enforcement. The intended direction is clear: the EU is moving away from fragmented implementation and towards a more coherent AML/CFT architecture.
This development matters well beyond banking. Company service providers, lawyers, accountants, tax advisers, investment advisers, real estate professionals and other gatekeepers form part of the wider AML control environment. For international business owners and investors, structures involving EU companies, cross-border ownership chains, nominee arrangements, trusts, private investment vehicles or higher-risk jurisdictions will need to be more clearly documented and more readily explainable.
The European Commission has previously identified fragmentation, uneven supervision and limitations in cooperation among financial intelligence units as weaknesses in the EU AML framework. Its 2020 AML/CFT action plan was built around six pillars, including a single EU rulebook, EU-level supervision, improved FIU cooperation and better use of information for enforcement purposes.
The current legislative package should be understood as the practical continuation of that policy direction. The EU’s objective is not simply to create more detailed legal rules, but to create a more dependable system in which risks are identified, supervised and enforced more consistently across the internal market.
The commercial rationale is straightforward. Money laundering and terrorist financing risks are not confined by national borders. A client relationship may involve a Cyprus company, a non-EU parent, an offshore shareholder, a European bank account, third-country operations and payments from several jurisdictions. If supervisory standards differ materially from one Member State to another, the integrity of the wider system is weakened.
The new approach does not remove national regulators or professional judgement. However, it creates a more structured environment in which obliged entities and supervisors are expected to apply common standards with greater consistency.
The concept of a single rulebook is central to the EU AML reset. In practical terms, important private-sector AML obligations are moving into directly applicable EU legislation. This matters because a regulation applies directly, whereas a directive requires national transposition.
Historically, AML directives allowed Member States to implement common EU objectives through national laws. That approach had benefits, particularly where local legal systems and professional sectors differed. It also created scope for uneven implementation. In cross-border business, divergence was often visible in the detail: what evidence was sufficient, how beneficial ownership was verified, how source of wealth was assessed, how high-risk clients were escalated and how breaches were sanctioned.
A single rulebook does not mean every client file will look identical across Europe. Risk-based compliance necessarily requires judgement. A low-risk domestic trading company and a complex cross-border investment structure should not be treated in the same way. What changes is the benchmark against which that judgement is assessed. Firms will increasingly need to demonstrate consistency with EU-level expectations, not merely historic local practice.
For CSPs and professional advisers, this is a material shift. A compliance file should not simply contain documents. It should explain the client, the ownership chain, the business rationale, the funding, the screening results, the risk assessment and the decision reached. The file should be capable of being reviewed and understood by a supervisor who was not involved in the original onboarding.
AMLA’s press release of 8 July 2026 illustrates the direction of travel. AMLA announced a common EU approach to enforcing AML/CFT rules, under which supervisors across the EU will apply a harmonised and consistent approach to breaches.
The significance of the announcement lies in its practical consequence. Until now, the same type of breach could attract different enforcement outcomes depending on the Member State, supervisor, sector and local regulatory culture. AMLA’s standards are designed to reduce that divergence by providing supervisors with a common method for assessing breach gravity and determining enforcement outcomes.
This is not merely a technical supervisory development. Enforcement is where regulatory expectations become real. A legal obligation may look similar on paper, but if one jurisdiction treats a breach as minor and another treats it as serious, the compliance culture across the EU remains uneven. AMLA’s approach is intended to promote consistency while preserving proportionality, effectiveness and deterrence.
The message to professional firms is clear. AML compliance must be capable of external review. Where a firm accepts a client, applies simplified or enhanced measures, relies on third-party documentation, clears an adverse media result, treats a beneficial owner as verified or accepts source of wealth evidence as sufficient, the rationale should be recorded. The existence of a form may not be enough; the reasoning behind the form may be equally important.
AMLA’s approach contemplates a common, step-by-step method. Supervisors will assess the gravity of a breach by reference to shared indicators, including matters such as duration, repetition and impact. The breach is then classified by level of gravity, and common criteria guide the appropriate enforcement outcome.
This distinction matters. A single missing certified copy may be materially different from a repeated failure to identify beneficial owners. A minor administrative oversight may be materially different from a systemic failure to conduct ongoing monitoring. A late file refresh may be materially different from onboarding a high-risk structure without understanding its commercial rationale.
For CSPs and professional firms, the practical lesson is that compliance weaknesses will be assessed not only by formal existence, but also by seriousness, persistence and effect on the firm’s AML control framework. A one-off deficiency may be remediable. A pattern of incomplete ownership analysis, weak escalation records, inadequate screening evidence or unsupported risk ratings may suggest a deeper governance issue.
The best protection is not excessive bureaucracy. It is disciplined, proportionate and well-evidenced compliance. The file should show what was requested, what was received, what was checked, what risks were identified, who reviewed them and why the firm was comfortable to proceed.
Public discussion of AML reform often focuses on banks, payment institutions and other financial sector entities. That is understandable, because those institutions sit at the centre of financial flows. However, the EU AML framework also applies across a wider regulated population, including non-financial sectors.
Professional gatekeepers can be highly relevant to AML risk. A company can be incorporated before funds ever move through a bank. A nominee arrangement can obscure control before an account is opened. A tax or legal adviser may understand the purpose of a structure before a transaction is executed. A CSP may maintain the registered office, corporate records, director services, accounting coordination and ongoing administration through which the structure operates.
Accordingly, the reform should be understood as a gatekeeper compliance development. It is relevant to professionals who create, administer, advise on or maintain legal structures that may be used for legitimate business, but which may also be misused where ownership, control or economic purpose is opaque.
For serious professional service providers, this is also an opportunity. Firms with clear procedures, robust files, trained staff and defensible escalation processes will be better placed to demonstrate the quality of their controls. In an environment of greater supervisory consistency, good compliance should become a competitive strength rather than a mere administrative cost.
For business owners and investors, the practical effect of the EU AML reset will be seen in onboarding and ongoing monitoring. Professional service providers are likely to ask more detailed questions, request more structured evidence and revisit files more regularly.
This should not be viewed as hostility towards legitimate business. The EU framework does not prohibit cross-border structuring, holding companies, investment vehicles, trusts, family-office arrangements or international trading structures. Rather, it requires the structure to be understandable, commercially rational and capable of risk assessment.
Clients should therefore expect questions not only about legal ownership, but also about control. Who ultimately owns the structure? Who exercises voting rights? Who appoints directors? Who provides funding? Who benefits economically? Why is the structure organised in that way? What jurisdictions are involved and why? These questions are central to modern AML analysis.
The same applies to source of funds and source of wealth. Where a structure is funded by a shareholder loan, capital contribution, asset sale, dividend, inheritance, investment return, crypto-asset disposal or third-party financing, the professional service provider may need evidence demonstrating the origin and legitimacy of the funds. In higher-risk cases, the source of the client’s broader wealth may also need to be understood.
Clients using EU-facing structures should expect clearer evidence requests at the outset of the relationship and at periodic intervals thereafter. A typical request may include passports, proof of address, corporate documents, registers of directors and shareholders, ownership charts, group structure charts, financial statements, contracts, tax information, bank statements, evidence of source of funds and an explanation of the commercial purpose of the structure.
Where the ownership chain includes trusts, nominees, private foundations, offshore companies or layered holding companies, further information may be needed. Where the client or structure is connected to higher-risk jurisdictions, politically exposed persons, adverse media, crypto-assets, high-value assets or unusual transaction flows, enhanced due diligence may be required.
Professional service providers may also need to refresh information. A client file that was adequate at onboarding may become incomplete if the business model changes, a new shareholder is introduced, transactions become inconsistent with the expected profile, new jurisdictions are involved or screening results identify new information.
These requests should not be treated as merely internal preferences of the CSP. They reflect a regulatory environment in which supervisors are expected to apply more consistent standards and professional firms must be able to demonstrate why a client was accepted, retained or escalated.
Professional firms should treat the EU AML reset as an opportunity to review the quality and defensibility of their AML framework. The starting point is the AML manual, but the review should not stop there. The more important question is whether procedures are applied consistently in practice and whether the evidence retained on file supports the decisions made.
Key areas for review include client risk-rating methodology, beneficial ownership verification, source of funds and source of wealth standards, PEP and sanctions screening, adverse media review, reliance on third-party documents, escalation procedures, suspicious activity reporting protocols, record retention, internal quality control and staff training.
Firms should also examine whether their systems allow a reviewer to reconstruct the decision-making process. Where a high-risk client is accepted, the file should show who approved the client and why. Where an adverse media result is cleared, the basis for clearance should be recorded. Where a beneficial owner is identified through a complex chain, the evidence should support the conclusion.
The objective is not to create unnecessary paperwork. The objective is to ensure that the compliance file tells the story of the client relationship in a way that is accurate, complete and defensible.
The new EU AML framework should not be viewed simply as an additional compliance burden. It represents a shift towards a more consistent and disciplined AML environment across the EU. The creation of a single rulebook, the establishment of AMLA and the development of common enforcement principles all point in the same direction.
For businesses and investors, the practical lesson is that legitimate structures must be explainable. Ownership, control, funding and commercial purpose should be capable of being evidenced. For CSPs, lawyers, accountants and tax advisers, AML compliance must be more than a checklist. It must be a documented, risk-based and reviewable process.
AMLA’s common enforcement approach is a timely reminder that the EU is seeking not only common rules, but common supervisory outcomes. In that environment, the strongest compliance file will be one that demonstrates proportionality, professional judgement and a clear audit trail. The new standard is consistency, evidence and defensibility.
The EU is moving towards a more harmonised AML/CFT framework built around a single rulebook, AMLA and more consistent supervisory and enforcement outcomes across Member States.
No. Risk-based judgement remains important. The difference is that firms will increasingly need to demonstrate that their judgement is consistent with EU-level expectations and properly evidenced on file.
AMLA is intended to promote supervisory convergence and consistency. Its common enforcement approach signals that similar breaches should be assessed more consistently across the EU.
Clients may be asked for identity documents, proof of address, corporate records, ownership charts, financial statements, contracts, bank statements, tax information, source-of-funds evidence and an explanation of the structure’s commercial purpose.
No. Banks are central to AML controls, but the wider AML framework also affects professional gatekeepers, including CSPs, lawyers, accountants, tax advisers and others involved in creating or administering legal structures.
They should review their AML manual, risk-rating methodology, beneficial-ownership verification, source-of-funds and source-of-wealth standards, screening records, escalation process, suspicious activity reporting protocol, record retention and staff training.
Articles are provided for general informational purposes by an authorised corporate services provider and do not constitute legal advice.

Receive updates with practical insights on international business, law, tax, accounting, and compliance.
Be the first to hear about our latest discounts and special offers!
Follow our Telegram channel for offshore industry news:
Want updates by e-mail?
Enter your email address below to subscribe to our newsletter!