Was ist Schatten-KI im Unternehmen?

Schatten-KI bezeichnet den Einsatz von KI-Tools durch Mitarbeitende ohne offizielle Freigabe, Governance oder Sicherheitsleitplanken. Typisch sind private Accounts bei ChatGPT, Gemini oder spezialisierten KI-Tools für Texte, Analysen oder HR-Prozesse.

Warum ist Schatten-KI für Geschäftsführer besonders riskant?

Geschäftsführer gelten rechtlich als Betreiber aller im Unternehmen eingesetzten KI-Systeme. Schatten-KI kann zu DSGVO-Verstößen, Verstößen gegen den EU AI Act und persönlicher Haftung wegen Organisationsverschuldens führen.

Welche Rolle spielt der EU AI Act bei Schatten-KI?

Der EU AI Act stuft KI-Systeme in Risikoklassen ein. Werden Hochrisiko-KI-Systeme wie HR-Scoring oder Leistungsbewertung unkontrolliert genutzt, verletzt das Pflichten wie Risikomanagement, Dokumentation und menschliche Aufsicht.

Ab wann haftest du persönlich als Geschäftsführer?

Persönliche Haftung droht, wenn du weißt oder wissen müsstest, dass KI im Unternehmen genutzt wird, aber keine Governance-Strukturen etablierst. In diesem Fall liegt Organisationsverschulden nach § 43 GmbHG vor.

Welche Bußgelder drohen bei Verstößen gegen den EU AI Act?

Der EU AI Act sieht Bußgelder von bis zu 35 Millionen Euro oder 7 % des weltweiten Jahresumsatzes vor. Schatten-KI kann damit ein existenzbedrohendes Risiko für Unternehmen darstellen.

Reicht ein Verbot von KI-Tools aus?

Nein. Reine Verbote führen häufig zu noch mehr Schatten-KI. Entscheidend ist ein strukturierter Governance-Rahmen, der Innovation ermöglicht und Haftungsrisiken minimiert.

Was ist ein AI Compliance Officer?

Der AI Compliance Officer ist eine zentrale Governance-Rolle, die Anforderungen aus EU AI Act, DSGVO und internen Richtlinien in den Arbeitsalltag übersetzt und IT, Recht, Fachabteilungen und Geschäftsführung koordiniert.

Welche ersten Schritte solltest du jetzt gehen?

Starte mit einer KI-Inventur, klassifiziere die eingesetzten Tools nach Risikoklassen und etabliere eine verbindliche AI Policy. So reduzierst du Haftungsrisiken und schaffst Rechtssicherheit.

Wie schützt eine AI Policy vor Haftung?

Eine AI Policy definiert erlaubte Tools, den Umgang mit Daten, Transparenzpflichten und Human-in-the-loop-Regeln. Sie zeigt Aufsichtsbehörden, dass du deiner Organisationspflicht aktiv nachkommst.

Ist KI-Governance ein Wettbewerbsnachteil?

Nein. Klare KI-Governance schafft Vertrauen, ermöglicht sichere Innovation und schützt vor Bußgeldern, Reputationsschäden und persönlicher Haftung.

AMLD6 Sanctions Framework | Fines & Penalties under Article 53

Geschrieben von Andreea Pop am 4. April 2026. Veröffentlicht in Allgemein.

Sanctions under Art. 53 AMLD6: How costly will breaches become?

How costly will breaches of the Anti-Money Laundering Act become from 2026?

With AMLD6 and the new AMLA RTS drafts from February 2026, fines will rise to up to 10% of annual turnover or €5 million. The decisive factor is AMLA’s new categorisation, which draconically penalises systemic failures in customer data updates (Art. 33 RTS).

AMLA takes the helm: The new compliance sanctions catalogue

Europe’s anti-money laundering supervisor AMLA has officially taken control and, right at the start of 2026, ignited the next stage of regulation. With the conclusion of the consultation procedures on the regulatory technical standards (RTS) on 9 March 2026, the era of regulatory non-commitment in Europe is coming to an окончательный end.

These standards form the operational foundation for Regulation (EU) 2024/1624 (AMLR) and Directive (EU) 2024/1640 (AMLD6). At the centre of strategic attention is in particular Article 53 of AMLD6. Here, AMLA now defines the methodological framework for compliance failures: the classification of the severity of breaches and the calculation of the resulting fines will in future be carried out according to Europe-wide harmonised, strict criteria.

This regulatory upheaval brings with it a fundamental paradigm shift:

From intervals to risk: The move away from rigid five-year deadlines for customer updates in favour of a dynamic, risk-based approach pursuant to Art. 33 of the RTS draft.
A management task: An operational tour de force that demands far more from management than merely administrative “ticking the box”.
Investment pressure: Strategic foresight now requires investment in smart IT automation and an entirely new logic of internal resource allocation.

Anyone who cuts costs in the wrong place can quickly get caught in the gears of a supervisor that will in future impose drastic periodic penalty payments on systemic failures. As the deadline for comments has just expired, an immediate analysis of the sanctions methodology is now vital for institutions in order to limit financial exposure risk.

FAQ: Sanctions under Art. 53 AMLD6 – risks, deadlines & responsibilities

What is the central objective of Art. 53 AMLD6?

Article 53 of Directive (EU) 2024/1640 (AMLD6) aims to harmonise sanctions mechanisms across Europe. AMLA defines the methodological “price tag” for compliance breaches here. The approach moves away from discretionary national fines toward a transparent calculation logic oriented to the severity of the breach and systemic risk.
Which deadlines must institutions currently observe without fail?

The timelines are extremely tight: for the consultation on the sanctions regime, the official deadline already ends on 9 March 2026. For the RTS on customer due diligence (CDD) and business relationships, there is time until 8 May 2026. In addition, AMLA will hold an important public online hearing on 24 March 2026.
What changes with the removal of the 5-year CDD deadline?

Under Art. 33 of the RTS draft, the rigid five-year deadline for customer updates is replaced by a dynamic, risk-based approach. This means review cycles must now be managed individually. For institutions, this requires major investment in IT automation to monitor risk profiles in real time.
What strategic responsibility does the C-level have?

Management bears increased liability for resource allocation and system integrity. The management team must ensure the budget is available for the necessary technology adjustments to rule out systemic failure. As the sanctions methodology becomes more predictable, financial exposure risk rises directly in the event of inaction.
What is behind the “online registration trap”?

Under Art. 19(9) AMLR, online registrations with ongoing access could in future be mandatorily classified as a business relationship rather than an occasional transaction. This massively expands KYC obligations to user groups that previously operated below lower thresholds and requires a redesign of the monitoring logic.
How does the role of the Compliance Officer change?

The Compliance Officer becomes the strategic risk manager of the new sanctions methodology. They must assess how breaches are weighted internally to be prepared for AMLA inspections. In addition, deadline management and coordinating participation in European consultation procedures fall within their core responsibilities.
Which operational tasks will fall to the Money Laundering Reporting Officer?

MLROs must translate the technical standards into practice. This includes identifying linked transactions (Art. 3 RTS), adapting KYC software to dynamic intervals, and validating sector thresholds for occasional transactions.
What immediate steps should institutions take now?

1. Sanctions gap analysis: Align internal severity levels with the new AMLA criteria.
2. IT audit: Check KYC software for the ability to support dynamisation.
3. Financial assessment: CFO calculation of potential periodic penalty payments.
4. Submission: Use the last chance to influence the sanctions regime.
Why is the methodology for calculating fines so critical?

Because AMLA sets uniform multipliers and base amounts. A systemic error in IT logic will therefore no longer be treated as an isolated incident but as a multiplicable risk, which can drastically increase the total amount of fines.

I. Timeline & schedule overview

1. Deadlines for the consultation on sanctions and fines

This concerns the draft regulatory technical standards (RTS) on the classification of the severity of breaches and the setting of fines pursuant to Art. 53(10) of Directive (EU) 2024/1640.

Internal deadline (VIB): feedback from member companies will be accepted until 3 March 2026.
External deadline (AMLA): the official submission deadline for statements ends on 9 March 2026 at 23:59 (CET).

2. Deadlines for customer due diligence (CDD) and business relationships

This includes the RTS drafts on customer due diligence obligations (Art. 28(1) AMLR) as well as on criteria for business relationships and thresholds (Art. 19(9) AMLR).

Internal deadline (VIB): comments from member companies on both papers are requested by 27 April 2026.
External deadline (AMLA): the official submission deadline to the authority is 8 May 2026 at 23:59 (CET).

3. Date for the public hearing

Online hearing: AMLA has announced a public online hearing for 24 March 2026, specifically addressing the drafts on business relationships and customer due diligence.

These new benchmarks in EU anti-money laundering prevention require timely review, as the deadline for the sanctions regime in particular is very short.

AMLA Consultations 2026: Deadlines and hearing

Overview of internal and external deadlines on sanctions, fines,
customer due diligence obligations and business relationships
as well as the date of the public online hearing

Topic area	Content / background	Deadlines / date
Sanctions and fines RTS on severity of breaches and fines Urgent	Concerns the draft regulatory technical standards (RTS) on classifying the severity of breaches and setting fines pursuant to Art. 53(10) of Directive (EU) 2024/1640.	Internal deadline (VIB): Feedback from member companies by 3 March 2026.External deadline (AMLA): Official submission deadline ends on 9 March 2026 at 23:59 (CET). Very short implementation window
Customer due diligence (CDD) Customer due diligence obligations AMLR	Covers the RTS drafts on customer due diligence obligations pursuant to Art. 28(1) AMLR.	Internal deadline (VIB): Comments by 27 April 2026.External deadline (AMLA): Official submission deadline is 8 May 2026 at 23:59 (CET).
Business relationships and thresholds Criteria for business relationships Thresholds	Concerns the RTS drafts on criteria for business relationships and thresholds pursuant to Art. 19(9) AMLR.	Internal deadline (VIB): Comments by 27 April 2026.External deadline (AMLA): Official submission deadline is 8 May 2026 at 23:59 (CET).
Public online hearing AMLA consultation on CDD and business relationships Hearing	AMLA has announced a public online hearing focusing specifically on the drafts on business relationships and customer due diligence.	Date: 24 March 2026 Format: Public online hearing
Assessment Practical relevance Action needed	The new benchmarks in EU anti-money laundering prevention require prompt review and substantive assessment by affected institutions and associations.	It should be particularly highlighted that the deadline for the sanctions regime is very short and should therefore be reviewed as a priority.

II. Obligations for those responsible, including normative references

1. C-level (management / boards)

Management bears ultimate responsibility for proper AML organisation. The new RTS drafts require strategic engagement with the following points:

Resource allocation for the risk-based approach: Since the blanket five-year deadline for data updates is replaced by a risk-based approach (Art. 33), management must ensure sufficient budget and technology are available to dynamically monitor individual risk profiles.
Liability and sanctions management: The consultation on Art. 53(10) of Directive (EU) 2024/1640 defines the severity of breaches and the calculation of fines. The C-level must align the internal control system so that systemic errors are avoided, as AMLA sets clear benchmarks for high sanctions here.
Strategic positioning: Management should authorise participation in the consultation procedures (via associations such as VIB) to safeguard the institution’s interests when shaping the final standards.

2. Compliance Officer

The Compliance Officer steers the implementation of the regulatory framework and the interface with the supervisor:

Analysis of the sanctions methodology: They must assess how the new method for setting periodic penalty payments and fines affects the company’s risk profile.
Deadline management: Monitoring the extremely short submission deadlines—particularly 9 March 2026 for the sanctions regime—falls within their area of responsibility.
Participation in hearings: Coordinating participation in AMLA’s public online hearing on 24 March 2026 on business relationships and due diligence obligations is a core task.

3. Money Laundering Reporting Officers (Anti-Money Laundering Officers)

For the MLRO, immediate operational adjustment obligations arise for day-to-day practice:

Revision of CDD processes: The shift from rigid to risk-based updating (Art. 33) requires an adjustment of internal guidelines for customer review (KYC).
Monitoring of online services: Under the new RTS on Art. 19(9) AMLR, it must be examined whether online registrations that provide ongoing access will in future be strictly classified as a business relationship (instead of an occasional transaction) and monitored accordingly more intensively.
Identification of linked transactions: Criteria must be implemented to reliably identify transactions that are considered “linked” under Art. 3 of the RTS draft.
Technical input statement: They must consolidate internal expertise and deliver comments on the papers to VIB by 3 March and 27 April 2026 respectively.

· EU 2024/1640 · AMLR · RTS consultation 2026

by role & function ultimate responsibility for AML organisation

allocation, sanctions management, authorisation of association work

Action field	Specific obligation	Deadline	Priority
CDD processes Art. 33 AMLR	Adjust internal KYC policies: implement the shift from rigid to risk-based updates of customer review.	27 Apr 2026	High
Online services Art. 19(9) AMLR	Review online registrations: classify ongoing access as a business relationship rather than an occasional transaction and monitor intensively.	27 Apr 2026	High
Linked transactions Art. 3 RTS draft	Implement detection criteria for transactions that are considered “linked” under the RTS draft.	27 Apr 2026	Medium
Technical input VIB submission	Consolidate internal expertise and deliver comments to VIB on time: sanctions by 3 March, CDD/business relationships by 27 April 2026.	03 Mar & 27 Apr	High

Focus area	Your tangible added value
Compliance	Confidence in action: Classification of current requirements (e.g., DORA / NIS 2, EU AI Act, ESG, compliance), so you know exactly what is actually relevant for liability and practice.
Optimization	Efficiency instead of bureaucracy: Implement regulatory requirements with smart processes, suitable tools, and efficient outsourcing structures.
Regulatory	Use an early warning system: Structured assessment of new supervisory priorities and regulatory trends before they become acute pressure to act.
Exchange	Advantage through dialogue: Exchange in a protected setting with specialists and executives at eye level—with proven solutions from your peers.

AMLD6 Sanctions Framework | Fines & Penalties under Article 53

Sanctions under Art. 53 AMLD6: How costly will breaches become?

AMLA takes the helm: The new compliance sanctions catalogue

FAQ: Sanctions under Art. 53 AMLD6 – risks, deadlines & responsibilities

I. Timeline & schedule overview

AMLA Consultations 2026: Deadlines and hearing

II. Obligations for those responsible, including normative references

Regulatory implementation & supervisory interface

Operational adjustment obligations & KYC processes

III. Key issues and risk overview

Risk overview C-level

S+P C.O.R.E.