Investment Firms AML REQ Explained: Everything to Know Before the 30 June 2026 Deadline

The Central Bank of Ireland’s new AML REQ for Investment Firms is a big step up in AML reporting expectations.

The return moves away from broad Excel-based submissions toward much more granular XML reporting, with stricter validation rules and significantly deeper AML/CFT data requirements.

For most firms, the challenge will be operational: pulling together customer, transaction, governance and control data across multiple systems in a format the CBI will accept.

This blog breaks down what has changed, what the CBI is asking for, where firms are likely to run into issues, and what good preparation looks like.

What is the AML REQ for Investment Firms?

The AML REQ (Risk Evaluation Questionnaire) is the Central Bank of Ireland’s annual AML/CFT supervisory return for regulated Investment Firms.

The new version moves from broad Excel-based reporting to much more granular XML submissions, giving the CBI deeper visibility into a firm’s:

• customer risk
• transaction activity
• products and services
• geographic exposure
• AML controls and governance

Who Must Comply and Key Reporting Dates

In short, if you are a CBI-regulated investment firm, you are required to submit the REQ. This includes Irish-authorised entities, Irish branches, and firms operating cross-border into Ireland under Freedom of Establishment or Freedom of Services.

Each regulated legal entity must submit its own REQ. Being part of a group does not remove that obligation, although some sections require aggregated EEA-level data depending on your legal structure.

Key Deadlines

• Submission deadline: 30 June 2026 (hard deadline)
• Reference date: 31 December 2025

No deadline extensions will be granted.

Complyfirst took the pain out of the AML REQ return. The platform generated the XML file for us, and Fiona and Dan were quick and helpful on Teams throughout. We submitted our return to the CBI same day and saved hours of effort.

Fiona Lynch, Head of Risk & Compliance

Learn how

Key Changes Introduced (Before vs After)

The CBI is moving from a one-size-fits-all REQ which was in Excel format, to a sector-specific one in machine-readable XML format. Here’s the difference:

Section-by-Section Overview of AMLREQ_IF

Let’s zoom in.

At a high level, the AMLREQ_IF return is structured to give the Central Bank a detailed view of both your firm’s inherent AML risk exposure and the effectiveness of your AML/CFT control framework.

The AML REQ for investment firms consists of 11 sections:

1. General: This section captures core firm information (legal structure, group structure, LEIs, MiFID activities, international presence, statement of compliance).
2. Inherent Risk: This section focuses on where AML/CTF exposure exists within the business.
3. Mitigation & Control: This is the largest operational section of the return. It captures how your firm manages AML/CFT risk in practice.
4. Physical Presence: This section captures information on the jurisdictions where the firm maintains physical operations or presence.
5. Residence and Establishment: Focuses on customer geographic exposure, including where customers reside or are established.
6. Beneficial Owner: Captures data relating to beneficial ownership identification and verification.
7. Politically Exposed Persons (PEPs): This section focuses on exposure to PEPs, family members, and close associates.
8. Order Execution: Applies to firms conducting order execution activities.
9. Portfolio Management: Focuses on portfolio management activity, including customer segmentation, transaction activity, geography of funds flows, and high-risk exposure.
10. Geography of Funds Flow: Captures where funds originate from and flow to geographically.
11. Transaction Monitoring: This section focuses specifically on transaction monitoring frameworks and alert generation.

What truly sets Complyfirst apart is its ability to simulate a regulator’s review, identifying potential data discrepancies or inconsistencies across multiple reports before submission.

Pamela Crilly, EU COO, TrueLayer

Read case study

Submission Format and Validation Requirements

Now, for the reporting mechanics. 👀

The CBI requires firms to submit the AML REQ in XML format only, generated in line with the official XSD schema provided. Excel versions are available solely to support understanding and will not be accepted for submission.

The XML itself must comply with strict validation requirements, including correct table ordering, approved variable names, valid enumerations, mandatory field formatting, and explicit closing XML tags throughout the file structure.

Even minor technical formatting issues can result in the submission being rejected by the CBI Portal.

Mandatory Data Rules

This is one of the most operationally painful parts of the submission. Every field is mandatory. No blanks are allowed.

That includes fields which are not applicable.

The CBI requires firms to use the below approved placeholder values depending on field type:

And this is where firms relying heavily on manual spreadsheet workflows are likely to experience repeated validation failures.

Naming Convention

Files must follow this structure:

Example: CCCCCC_20251231_A03.xml

Here’s a walkthrough from our AML REQ breakfast session where our CTO, Dan, breaks down the non-negotiables for completing the AML REQ:

So, What Do You Need to Do?

There are no shortcuts, here is what the CBI requires end-to-end.

Step 1: Download the REQ pack

Download the relevant REQ pack from the Central Bank of Ireland, including:

• XML template
• XSD schema
• Guidance notes

Step 2: Read the guidance notes

Review the full guidance PDF document (typically 80-120 pages):

Step 3: Map your firm’s data to the REQ schema

Map internal data sources to the REQ structure.

Every field:

• is mandatory
• has a strict format
• must align to the XML schema requirements

Step 4: Complete the REQ

Complete the return across all required sections.

This includes hundreds of fields covering:

• customers
• products and services
• jurisdictions
• transaction activity
• AML controls
• governance
• monitoring frameworks

Step 5: Validate against the XSD schema

The submission must validate against the official CBI XSD schema before upload. Excel won’t fly! XML only.

Step 6: Obtain sign-off

Complete internal governance and approvals. Typically this involves MLRO and board-level review.

Step 7: Upload to the Central Bank Portal

Submit the validated XML file through the Central Bank Portal before 30th June 2026.

Step 8: Keep an audit trail

The CBI will ask.

How Complyfirst Helps Investment Firms Submit Their AML REQ

Complyfirst provides the tools and support for investment firms to deliver a compliant AML REQ submission, aligned to the CBI’s schema and deadlines.

Plus, your first AML REQ is on us. We’re confident enough in the platform — and in our team — that we’ll get you through your first AML REQ submission for free.

Here’s how we'll help:

• CBI definitions are built in-platform
• N/A codes are auto-applied in one click
• Real-time validation in plain English as you work
• Approvals and audit trail are baked in
• You get 1:1 support, even on deadline day
• Generated XML output, named & ready to upload