EU banks bracing for AML rules & major vendor shift

European financial institutions face a decisive year in 2026 as preparations intensify for the European Union's new Anti-Money Laundering Regulation, according to Krik Gunning, chief executive and founder at identity verification provider Fourthline.

The regulation will apply from July 2027. Gunning warned that the window for effective implementation is shorter than many boards assume and that decisions on know-your-customer and anti-money laundering systems will need to crystallise over the next 18 months.

He said a growing divide is emerging between firms that have already begun detailed assessments of their frameworks and those that remain in a holding pattern.

"There is a concerning split in the market with some organisations ahead of the curve, having started their assessment processes and setting up the necessary frameworks for compliance; other businesses taking a 'wait and see' approach may be stung by the AMLR tail. And this will be the determining factor as to which financial institutions smoothly transition versus those that will scramble to comply," said Gunning, CEO and founder, Fourthline.

Gunning argued that institutions now need to map backwards from the 2027 deadline, identify regulatory requirements in detail, and test whether current providers can meet them within the available timeframe. "Turning a 2027 problem into a 2026 priority is the only way forward," he said.

The vendor shift

Forthcoming compliance standards are expected to trigger what Gunning described as a "great vendor migration" as banks and fintechs reassess longstanding relationships with KYC and AML suppliers.

He said that, in contrast with normal procurement cycles, many institutions will have to replace vendors that they regard as satisfactory on service or price grounds, because those firms cannot meet the AMLR framework.

This shift will affect both large banks and newer digital entrants. Gunning said institutions will have to allocate substantial internal resources to review third-party providers, run tenders where necessary, and manage the transition of systems.

He said this will place compliance, technology and business units under pressure to coordinate change programmes and avoid service disruption. Firms that delay reviews risk entering 2027 without compliant solutions in place.

According to Gunning, late movers also face a narrower choice of vendors and compressed implementation timetables. He said this could result in institutions accepting relationships that are technically compliant but less aligned with their long-term strategy.

The expected reshuffle of suppliers opens space for regulation technology providers that have already aligned products with the AMLR requirements. Gunning said these firms could gain ground on incumbents that wait for final implementation deadlines before upgrading their systems.

Compliance as strategy

Gunning set out a broader argument that regulatory adherence now sits at the centre of commercial competitiveness in European finance.

He cited comments from the Netherlands Minister of Finance, Eelco Heinen, on the scale of current spending. Heinen has said that money laundering checks cost banks €1.4 billion annually in the Netherlands, and that similar levels of expenditure across the European Union could reach roughly €45 billion a year.

Gunning said many institutions still frame compliance as a cost line and focus on meeting minimum thresholds at the lowest possible expense. He argued that firms which treat it as a "value driver and a competitive advantage" can lower fraud losses and operational costs and can enhance their standing with regulators and customers.

He added that customers benefit from more streamlined onboarding when risk controls and identity verification are designed and integrated properly rather than added under time pressure.

According to Gunning, 2026 will act as a testing point. Institutions that invest in internal culture and expertise around compliance now will adjust more quickly as additional rules emerge. Those that regard it only as a burden may face repeated remediation exercises and more constrained vendor choices.

He said this divergence is likely to influence which firms adapt and grow under the new regime and which struggle with rising regulatory demands.

Fraud threats rise

At the same time, financial institutions are confronting a rapid increase in deepfake material and synthetic identities.

Gunning said deepfake tools now create convincing but false images, videos and audio with consumer-grade software. Synthetic identity fraud combines real and fabricated personal data into profiles that can pass basic checks.

He said successful attacks expose firms to direct financial losses and reputational damage with regulators, investors and customers. Single-point controls and manual checks are no longer sufficient in this environment.

Gunning said institutions should adopt multiple layers of scrutiny that each address different aspects of the customer journey. He cited advanced liveness checks, biometric analysis, behavioural analysis, device fingerprinting and document verification as examples of the types of controls that can operate together.

In his view, each additional layer increases the likelihood that fraudulent activity is identified before it reaches account opening or transaction stages.

The combination of the AMLR deadline, changing vendor landscape and evolving fraud techniques means European financial institutions now face a complex period of adjustment. Gunning said the organisations that start preparation in 2026 will stand in stronger positions when the new rules begin to apply in 2027.