For years, anti-money laundering regulations in Europe were a patchwork of rules. The same European directive was interpreted, transposed and enforced in 27 different ways across the 27 Member States — with all the loopholes and grey areas that entailed. That era is now coming to an end. With the arrival of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism — AMLA for short — Europe is, for the first time, gaining a single central supervisory authority and a single set of directly applicable rules. For financial institutions, this is not merely a legal footnote, but a multi-year transition that is already beginning to take effect.
Below, I’ll outline what AMLA is, what milestones lie ahead and — above all — what specific changes are in store. I’ll conclude with an observation that often gets overlooked in many analyses: the hardest work isn’t in the legal aspects, but in your data.
What is AMLA?
AMLA was established by Regulation (EU) 2024/1620 and is based in Frankfurt. The authority has been operational since 1 July 2025 and has been developing its organisational structure, governance and supervisory methodologies ever since. A key turning point came around the turn of the year: on 1 January 2026, the European Banking Authority (EBA) formally transferred its AML/CFT powers to AMLA. As a result, AMLA has become the beating heart of European anti-money laundering policy — for both the financial and non-financial sectors.
The essence of the reform can be summed up in one word: harmonisation. Whereas, until now, the rules were set out in directives which each Member State had to transpose into its own legislation, there will now be a single set of rules that is directly applicable. No more national variations, but a single version that applies equally everywhere and is interpreted by a single authority.
The timeline that matters
The roll-out will take place in phases. It is tempting to see 2028 as the starting point, but the years leading up to it will determine whether you are ready by then.
- 1 July 2025 — AMLA is becoming operational and is entering the build-up phase.
- 1 January 2026 — AML/CFT powers are being transferred from the EBA to the AMLA.
- 10 July 2026 — AMLA is intended to produce a comprehensive set of technical standards and guidelines (RTS, ITS and guidelines); at its core are standards on risk assessment, the selection of institutions for direct supervision, customer due diligence and sanctions.
- 10 July 2027 — The Single Rulebook will apply directly in all 27 Member States.
- Late 2027 / 2028 — selection of the approximately 40 high-risk institutions that will come under the direct supervision of AMLA; this direct supervision will actually begin in 2028.
The period between now and 2027 is therefore not a waiting room, but the time in which you get your organisation in order.
What exactly is changing?
A single set of rules, ready to use. The main effect is that the scope for differing national interpretations will disappear. Customer due diligence, transaction monitoring and governance will all be assessed against a single common standard. For institutions operating in several countries, this will mean less fragmentation in the long term — but in the short term, above all, a single, higher standard.
Direct and indirect supervision. AMLA will directly supervise a limited group of large, cross-border institutions — expected to number around 40. The rest of the sector will remain under the supervision of national regulators, but within a common framework overseen by AMLA. This means that even those not directly selected will be subject to the new standard.
The bar is being raised. Expect stricter customer due diligence, tougher requirements for transaction monitoring, more data-driven and AI-supported supervision, and tougher enforcement. The focus is shifting from “do you comply with the letter of the law” to “does your system demonstrably work?”.
Sanctions with real bite. For the most serious, systemic infringements, AMLA can impose fines of up to 10 million euros or 10 per cent of annual turnover — whichever is higher. This represents a different level of severity to what the sector was used to.
The blind spot: it’s in your data
This is the point that is often overlooked in many AMLA analyses. AMLA is frequently dismissed as a compliance issue, something for the Financial Crime department. But if you look closely, you will see that the new requirements stand or fall on something far more fundamental: the quality, provenance and manageability of your data.
Stricter customer due diligence and effective monitoring require reliable, timely and well-defined data — on customers, transactions and counterparties. Data-driven supervision means that the regulator will soon be looking not only at your policies, but at what your systems actually produce. This is precisely the same discipline that the sector is already familiar with from BCBS 239 and the ECB’s expectations regarding risk data aggregation, as well as from the operational resilience required by DORA. The common thread: data governance, data quality and the chain from source to reporting.
To put it another way: an AML policy that looks sound on paper but is based on data that nobody really trusts will not stand up to scrutiny under data-driven supervision. The institutions that will come out on top in the future are not necessarily those with the most comprehensive policy document, but those with demonstrably reliable client and transaction data. Preparing for the AMLA is therefore also — and perhaps above all — a finance and data transformation challenge.
What to do in 2026?
Direct supervision will not begin until 2028, but it is worth starting preparations now. Those who wait will find it more difficult and costly to bridge the gap to the new standard later on, within an increasingly tight timeframe. Three concrete steps for the coming year:
- Carry out a thorough gap analysis against the new standard — not just in terms of policy, but also in terms of processes, data and systems.
- Enhance data and monitoring: ensure that data quality, definitions and ownership are in order, so that customer due diligence and transaction monitoring are demonstrably effective.
- Ensuring governance and administrative involvement: the new requirements call for ownership at management level, not for a project that gets bogged down at the bottom of the organisation.
In conclusion
AMLA is not a one-off regulatory change, but the most significant overhaul of European anti-money laundering supervision in decades — and a transition that will take place over several years. That is precisely why postponement is not a neutral choice: every month you make use of now is a month you will not have to make up for under time pressure later on. And the organisations that approach this wisely do not treat AMLA as a compliance obligation in its own right, but as an opportunity to make structural improvements to their data, processes and governance.
Sources: Regulation (EU) 2024/1620 (establishing the AMLA); AMLA (amla.europa.eu); European Banking Authority (eba.europa.eu); European Commission — AML package. Figures and data as at June 2026.
Services
Career
About us
Contact