The uncomfortable question is no longer whether banks had AML policies. The question is whether their published claims of group-wide control were ever tested against operational reality.
A new EU standard exposes an old credibility problem
Large European banking groups have told investors, regulators and the public for years that financial-crime risks are managed through reliable global or group-wide frameworks. ING Groep N.V. and Deutsche Bank are clear examples of this reporting pattern.
Their annual reports and public disclosures repeatedly refer to group-wide compliance structures, global KYC initiatives, Anti-Financial Crime governance, strengthened transaction monitoring, improved policies, better tooling and enhanced staff awareness.
But the new AMLA draft Regulatory Technical Standards under Articles 16 and 17 of Regulation (EU) 2024/1624 (AMLR) raise a simple public-interest question:
If these group-wide systems were already effective, why does the EU now need to specify detailed minimum requirements for group-wide AML/CFT policies, information sharing, parent-undertaking responsibility and countermeasures where local law prevents access to risk-relevant information?
This is not merely a technical compliance question. It goes to the credibility of annual-report statements.
Exhibit A: ING’s own words
ING’s 2018 and 2019 reporting did not describe compliance as a narrow local issue. It presented KYC and financial-crime compliance as a group-wide priority.
In its 2018 reporting, ING stated that it was implementing a “global Know Your Customer enhancement programme” to strengthen its “compliance culture and capabilities”.
That is a broad statement. It suggests more than fragmented local remediation. It suggests a group-level compliance transformation.
ING’s reporting also stated that the “KYC Enhancement Programme encompasses all client segments in all ING business units”. That wording matters. It leaves little room for the later argument that the relevant compliance risks were merely local, isolated or confined to one entity.
In 2019, ING went further. It stated that it was “strengthening our global KYC organisation and activities throughout ING” and “rolling out global KYC solutions that all countries can connect to”. ING also stated that the global KYC programme “encompasses all client segments in all ING business units”.
Exhibit B: Deutsche Bank’s own words
Deutsche Bank used similarly confident language.
In its 2018 Annual Report, Deutsche Bank told shareholders: “We achieved all this without compromising on our controls.” It added that it had continued hiring staff in control functions, strengthened its Anti-Financial Crime unit, tightened its “Know your Client” processes and improved systems for reporting suspicious transactions.
Its 2018 Non-Financial Report was even more explicit. Deutsche Bank stated that its Know Your Customer policy “lays down the rules governing our Group-wide approach”. It also stated that the global AFC risk assessment team assesses “clients, products, and transactions” annually and through a “Group-wide Top Risk reporting process”.
In 2019, Deutsche Bank reported that global AFC policies set minimum standards for managing financial-crime risks and that it had materially upgraded KYC, AML and sanctions policies.
The narratives: global control, group-wide risk
These are not modest statements. They are market-facing representations that both groups were building global, bank-wide infrastructure to manage customer due diligence, transaction monitoring and financial-crime risk.
The questions are therefore direct.
If ING had a global KYC organisation, a group-wide enhancement programme and KYC solutions across all business units, where was that group-wide control when ING acquired Payvision at a EUR 360 million valuation in 2018?
If Deutsche Bank had a group-wide KYC approach, global AFC policies and group-wide risk reporting, how could law enforcement later identify more than 80 drop accounts opened with Postbank in 2018?
And for both groups: why did repeated financial-crime failures not trigger a more direct supervisory reassessment of whether their annual-report statements reflected operational reality?
Annual reports are not advertising brochures. They are formal market disclosures.
AMLA: from claims to operational standards
AMLA is not creating the concept of group-wide AML/CFT control from scratch. The predecessor regime already contained such obligations.
Article 45 of Directive (EU) 2015/849 required Member States to ensure that obliged entities forming part of a group implemented group-wide policies and procedures, including data-protection policies and policies and procedures for sharing information within the group for AML/CFT purposes. It also required those policies and procedures to be implemented effectively at the level of branches and majority-owned subsidiaries in Member States and third countries.
The problem of third-country law restricting group-wide AML/CFT control was also not new. Commission Delegated Regulation (EU) 2019/758 already addressed situations where third-country law prevented or restricted the implementation of group-wide AML/CFT policies and procedures in branches or majority-owned subsidiaries.
This makes the credibility problem sharper, not weaker.
If group-wide AML/CFT duties already existed, and if banks such as ING and Deutsche Bank publicly claimed global KYC, Anti-Financial Crime and group-wide compliance capabilities, then AMLA’s draft RTS should not be read as the first appearance of such obligations. They should be read as an attempt to operationalise, harmonise and make enforceable what banks and supervisors should already have taken seriously.
Under Article 16 AMLR, parent undertakings must implement group-wide policies, procedures and controls across the entities under their responsibility. AMLA’s consultation paper refers to uniform group-wide policies, a group compliance function, annual implementation reporting and effective information sharing within the group.
AMLA is therefore not asking whether a banking group can produce impressive compliance wording. It is asking whether the group can identify, assess, exchange and act upon risk-relevant information across the group.
That is the crucial shift: from general compliance language and fragmented national implementation to operational standards, supervisory visibility and a clearer test of whether group-wide control exists in practice.
Why AMLA supervision is necessary
The role of the National (in)Competent Authorities
The conclusion is uncomfortable but unavoidable: if group-wide AML/CFT obligations already existed under the predecessor regime, and if major banking groups publicly claimed global KYC, Anti-Financial Crime and group-wide compliance capabilities, then the problem was not merely a lack of rules.
The problem was supervisory effectiveness.
The Payvision case and similar financial-crime failures raise serious questions about whether National Competent Authorities like the Dutch DNB and the German BaFin adequately tested the operational substance behind banks’ annual-report statements. Did supervisors verify whether group-wide compliance frameworks actually produced relevant information flows, effective escalation, consolidated risk visibility and timely decisions to exit high-risk business? Or did they accept formal policies and governance language while the underlying payment infrastructure continued to serve high-risk or fraud-linked business models?
Will AMLA improve the situation?
This is precisely why AMLA’s role matters.
AMLA should not become another layer of technical coordination. It must become the authority that tests whether group-wide AML/CFT control exists in practice. Where national supervisors failed to challenge banks’ market-facing compliance narratives, AMLA must be able to look through formal group structures, assess real information flows, identify supervisory blind spots and require corrective action.
For cases involving large cross-border banking groups, payment processors, merchant acquirers and crypto-related payment infrastructure, supervision cannot remain fragmented along national lines. Financial-crime ecosystems are cross-border by design. Their enabling infrastructure is often cross-border as well. AML supervision must therefore be able to follow the risk across entities, jurisdictions and business lines.
The credibility of AMLA will depend on whether it addresses precisely this gap: not only whether banks have policies and publish polished annual reports with reassuring compliance language, but whether those policies actually work; not only whether supervisors receive reports, but whether they challenge them; and not only whether financial groups claim control, but whether they exercise it before victims are harmed.
AMLA does not invent group-wide AML control. AMLA makes it testable. And that exposes the credibility gap in banks’ past group-wide compliance claims.




