Blog

NOVEMBER 18, 2025 • 5 MIN READ

Central Bank of Ireland's New AML REQ Explained for Payment and E-Money Institutions

Fiona Jelly,
Founder & CEO of Complyfirst

Table of Contents

What is the New AML REQ?
Who Must Comply and Key Deadlines
Key Changes Introduced
High-Level Changes
Section-by-Section Overview of the New AML REQ
Submission Format and Validation Requirements
Mandatory Data Rules
Step-By-Step Checklist to Submit Your AML REQ
Common Challenges for Irish PI/EMI Firms
How Complyfirst Helps
What We Deliver

The Central Bank of Ireland has redesigned its AML Risk Evaluation Questionnaire to introduce a more structured, data-driven, and prescriptive reporting framework for Irish Payment Institutions and Electronic Money Institutions.

This new AML REQ is not a survey or a one-off data call. It is a core annual supervisory data set that the CBI will use to evaluate ML/TF risks, review firm-level governance, and feed EU-wide AML oversight via AMLA.

Because the return is now schema-driven, mandatory, and XML-only, Irish firms must prepare well ahead of the 13 February 2026 deadline.

TL;DR

The Central Bank of Ireland (CBI) has launched a new AML Risk Evaluation Questionnaire (AML REQ) that replaces the previous REQ for Payment Institutions (PIs) and Electronic Money Institutions (EMIs). The return is now a mandatory, fully XML-based data submission aligned with EU-level AMLA reporting. The first return covers data as at 31 December 2024 and must be submitted by 13 February 2026 via the CBI Portal.

What is the New AML REQ?

The AML Risk Evaluation Questionnaire is the Central Bank of Ireland’s annual ML/TF risk and controls return for Payment Institutions and Electronic Money Institutions.

The redesigned AML REQ is a 13-section XML submission with mandatory fields, strict enumerations, and schema-based validations. It replaces the previous Excel-based REQ and is now aligned with AMLA’s EU-level data reporting model.

Who Must Comply and Key Deadlines

Affected Entities

Payment Institutions operating in Ireland
Electronic Money Institutions operating in Ireland

Key Dates

Reference date: 31 December 2024 (and annually thereafter)
Submission deadline: 13 February 2026 (CBI confirms no extensions)
Portal availability: At least two weeks before deadline
Dry-run testing: Q4 2025

Key Changes Introduced

Old REQ:

8 mixed-format sections
Broad qualitative and quantitative fields
Excel upload
Less structured and low validation burden

New AML REQ:

13 structured, schema-driven sections
XML-only submission
Mandatory fields and strict “not applicable” codes
Embedded CBI Portal validations + post-submission checks
Expanded coverage of customers, products, risks, and controls

High-Level Changes

Full XML/XSD schema enforcement
Mandatory fields; no blanks permitted
Country, product, and activity enumerations
Transaction-level volume/value data by risk tier
Detailed control activity statistics (TM rules, alerts, false/true positives)
More granular geographic breakdowns (customers + funds flow)

Section-by-Section Overview of the New AML REQ

The new AML REQ consists of 13 sections:

General – Legal form, LEIs, PSD2 permissions, business model, cross-border operations.
Inherent Risk – Customer types, products, transaction counts/values by risk tier.
Mitigation & Control – BWRA, CDD, sanctions screening, TM rules and performance, audits.
Physical Presence – Subsidiaries, branches, agents by country.
Residence & Establishment – Customers by country, including high-risk, PEPs, new customers.
Beneficial Owners – BO counts by country and PEP status.
Digital Accounts – Account balances, loads/payouts, high-risk splits.
Prepaid Cards & Vouchers – Balances, loads, payouts, high-risk splits.
Merchant Acquiring – Payment/refund statistics and high-risk splits.
Correspondent Relationships – Respondent institutions, flows, high-risk splits.
Money Remittance – Remittance flows by country and high-risk classification.
Geography of Funds Flow – Source/destination volumes and high-risk indicators.
Transaction Monitoring – Rule inventory, alert counts, true/false positive data.

Submission Format and Validation Requirements

Format Requirements

XML only
Must validate against CBI’s published XSD schema
Excel version is for preparation only; Excel uploads are not accepted

Validation Flow

Pre-submission:
Pass schema checks locally to avoid CBI Portal errors.
Portal checks:
Mandatory hard validations upon upload.
Post-submission:
CBI performs further checks and may request clarification.
Completion:
Firms must “Finalise” and “Sign-Off” to complete the submission.

Mandatory Data Rules

Risk ratings: Use ratings as at the reference date (31 December 2024).
Currency: Report all values in euro.
FX rate: Use either transaction-date or reference-date rate.
Mandatory field logic:
- Use required placeholders: 0, N/A, 2000-01-01, all-zero LEI, Country 00.
- No blank fields permitted.

Step-By-Step Checklist to Submit Your AML REQ

Assign Ownership
- Appoint Board-level and operational owners.
- Define sign-off responsibilities.
- Maintain a documented REQ run-book.
Map Your Data to the Schema
- Map every field to the CBI XSD.
- Build enumerations for products, PSD2 permissions, country codes, and outsourcing statuses.
- Hard-code “N/A” rules to prevent blanks.
Automate Data Extraction
- Customers
- Transactions
- Products
- Risk assessments
- Controls
Prepare Evidence for Supervisory Review
- BWRA approvals
- Policies and procedures
- Training completion
- Compliance and audit testing logs
Run Validations and Dry Runs
- Generate XML early and validate locally.
- Participate in Q4 2025 dry-run testing.
- Confirm “Finalise” + “Sign-Off.”
Maintain a Repeatable Run-Book
- Document sources, transformations, and checks.
- Align with internal controls and governance expectations.

Common Challenges for Irish PI/EMI Firms

Mapping legacy systems to XML schema fields
High granularity of customer and geographic data
TM rule-level statistics not currently centralised
Lack of standardised enumerations
Missing data lineage and documentation
Underestimating build time for XML generation and validation

How Complyfirst Helps

Complyfirst provides the tools and support to deliver a compliant AML REQ submission, aligned to the CBI’s schema and deadlines.

What We Deliver

Full data-to-XSD mapping support
Automated XML generation in CBI-compliant format
Built-in schema checks to avoid rejections
Workflow, sign-off, and version control
1:1 support via Slack and Zoom, including deadline-day assistance

FAQ

The CBI AML Risk Evaluation Questionnaire (AML REQ) is the Central Bank of Ireland’s annual reporting return used to assess money laundering and terrorist financing risks in Payment Institutions and Electronic Money Institutions. It requires firms to submit structured XML data on customers, products, geographic exposure, controls, and governance, forming part of the CBI’s core supervisory dataset.

Yes. The updated AML REQ is required for all Payment Institutions and Electronic Money Institutions supervised by the Central Bank of Ireland. The return forms part of the CBI’s core supervisory data set and is not optional.

No. Excel is for preparation only. The CBI will accept XML files only, and they must validate against the published XSD schema.

No. The CBI has confirmed the 13 February 2026 deadline is fixed and that extensions will not be provided. Firms must prepare early.

The new AML REQ represents the most significant AML data collection requirement Irish Payment Institutions and Electronic Money Institutions have faced. It is technical, prescriptive, and designed to provide the CBI and AMLA with a consistent, data-rich view of ML/TF risks and controls. Firms that prepare now, building data models, XML processes, and governance, will avoid deadline pressure and reduce the risk of regulatory follow-up.

If you want support preparing for the 2026 deadline, get in touch with us touch with us at at Complyfirst for guidance and tools aligned with the CBI’s schema.