Article

AML/CTF Playbook: EU Edition #2: The EU Anti-Money Laundering Authority (AMLA)—the new supervisory framework

AML/CTF Playbook: EU Edition #2: The EU Anti-Money Laundering Authority (AMLA)—the new supervisory framework
The EU’s anti-money laundering (AML) and counter-terrorist financing (CFT) framework is undergoing its most significant reform to date. At its centre stands the Anti-Money Laundering Authority (AMLA), a new EU agency with a broad mandate: directly supervising a select group of high-risk financial institutions, coordinating national competent authorities (NCAs) and Financial Intelligence Units (FIUs), and developing a single EU-wide rulebook for AML/CFT requirements to close long-standing gaps between national regimes and ensure a consistent, high standard of AML/CFT compliance across the internal market.

AMLA was legally established in 2024 and in early 2025 opened its office in Frankfurt am Main, having been selected as host city ahead of Paris, Dublin and Madrid. It commenced operations in summer 2025 and had grown to approximately 120 staff by year-end, with a target headcount of 450 by the end of 2027.

Until supervision begins in 2028, AMLA is focusing on five workstreams to build operational readiness: delivering critical Level 2 mandates (in particular on customer due diligence and business-wide risk assessments), fostering supervisory convergence across member states, operationalising the FIU coordination framework, preparing for indirect supervision, and developing its risk-analysis capabilities.

This briefing aims to explain AMLA’s structure, powers and supervisory approach, and sets out the key practical implications for affected institutions.

Key takeaways—AMLA at a glace: structure, powers and supervisory model

Governance: how AMLA is organised

AMLA is governed by a General Board, an Executive Board, a chair and an executive director. The General Board is primarily responsible for rulemaking—in particular technical standards submitted to the European Commission and guidelines—and meets in either a supervisory or a FIU composition, depending on the subject matter.

The Executive Board, comprising a chair, a vice chair and four further independent full-time members, is responsible for operational management and for binding individual decisions vis-à-vis obliged entities and NCAs.

The chair represents AMLA and chairs both Boards; the executive director handles day-to-day management, the work programme and the budget.

Roughly one-quarter of AMLA’s budget will come from the EU; the remainder will be financed through supervisory fees levied on supervised institutions. The European Commission (EC) estimates annual costs of around EUR45 million.

Rulemaking: the single rulebook

A central element of the reform is the new single rulebook across the EU. The Regulation (EU) 2024/1624 (the “AML Regulation” or AMLR) is its substantive cornerstone and, as a directly applicable regulation, establishes uniform AML/CFT requirements without national implementation discretion, closing the gaps left by previous directives. The AMLR will apply from July 10, 2027.

AMLA is tasked with drafting regulatory technical standards (RTS) and implementing technical standards (ITS) (together “Level 2 Acts”) to further specify requirements under the AMLR for adoption by the EC. AMLA took over this role from the European Banking Authority (EBA) in January, 2026, which developed first drafts of Level 2 Acts for the most important topics (such as the RTS for Art. 28 AMLR for specification of the customer due diligence requirements) and is consulting on the first Level 2 Acts; the rulebook will ultimately comprise 19 Level 2 Acts that further specify the AMLR and leave limited room for national deviation.

AMLA also develops the Level 3 Acts, i.e., guidelines, recommendations and joint supervisory manuals (“Level 3 Acts”). Although not strictly formally binding, these instruments define AMLA’s supervisory expectations and are, in practice, applied by NCAs and incorporated into market practice.

A detailed overview of the Level 2 and Level 3 Acts is provided in the Annex to this briefing, including also implementing and delegated Acts developed solely by the EC, as per July 1, 2026.

Supervision: a two-tier model inspired by the Banking Union

The new supervisory system is built on a two-tier system, broadly comparable to the Banking Union’s Single Supervisory Mechanism (SSM) for credit institutions with the European Central Bank (ECB) and the NCAs as prudential supervisory authorities. That said, AMLA’s task will also be to directly supervise a limited number of so-called high-risk obliged entities, while the supervision of all other entities remains with NCAs subject to AMLA’s coordination and intervention powers.

It can be expected that AMLA’s supervisory framework will be viewed as a blueprint for the restructuring of the European Securities and Markets Authority (ESMA) as envisaged under the Market Integration and Supervision Package.

(a) Direct supervision of high-risk obliged entities (first tier)

From 2028, AMLA will directly supervise up to 40 credit and financial institutions classified as high-risk obliged entities. For these institutions, AMLA will replace the relevant NCAs as the main AML/CFT supervisor. The number of directly supervised entities may grow in subsequent selection cycles.

(i) Selection methodology

In December 2025, AMLA published its final report on the RTS under Art. 12(7) of Regulation (EU) 2024/1620 (the “AMLA Regulation” or AMLAR) setting out the selection methodology. To be in scope of direct supervision by AMLA, an obliged entity must:

  • operate in at least six member states and
  • operate material cross-border activities under the freedom to provide services (subject to thresholds of 20,000 customers or EUR50m in annual transaction volume per member state).

From that pool, AMLA will select those whose residual AML/CFT risk profile is classified as high. The methodology is based on a harmonised assessment of both inherent and residual risk and defines the relevant data points and criteria. NCAs submitted preliminary lists of eligible institutions to AMLA in a preparatory phase between December 2025 and February 2026.

Following a data collection exercise which began in spring 2026, where institutions have received questionnaires in this respect, AMLA published a reporting package on May 12, 2026, for the identification of provisionally eligible obliged entities, with national supervisors required to submit data by August 15, 2026. A provisional list is expected by the end of September 2026, forming the analytical basis for the first formal selection round in 2027. Following a further data collection exercise in Q1 2027, the actual selection will be carried out between July and December 2027.

The direct supervision will then start in 2028. The list of directly supervised entities will be published and reviewed every three years. Most importantly, it should be noted that the formal selection process will start in 2027.

In addition to the regular cycle, direct supervision may be triggered in the following exceptional cases: (i) as the result of a decision of the EC where an institution systematically breaches AML/CFT requirements, a material AML/CFT risk exists and the relevant NCA fails to comply with AMLA’s remedial requests; or (ii) by AMLA itself, for a limited period and upon NCA’s request, in particular where the institution has committed serious breaches or one of the conditions in Art. 14 AMLAR is met.

(ii) Framework for information transfer between AMLA and NCAs

AMLA will put in place a structured process to enable the secure transmission of supervisory data and documentation from NCAs to AMLA. The framework is intended to be completely operational by the end of 2026, thereby supporting a seamless handover to direct supervision as of 2028.

(iii) AMLA’s framework for direct supervision

AMLA is operationalising its direct supervisory function, including a consistent framework covering methodologies, supervisory tools and processes, procedural safeguards for supervised entities (such as the right to be heard, access to file and the separation of investigation and supervisory functions) and internal governance (in particular the separation of supervisory and enforcement tasks).

Supervision will be carried out, as under the SSM, by so-called joint supervisory teams (JSTs). The JSTs are composed of AMLA and NCA staff, led by an AMLA coordinator and based in the member state of the institution’s head office, thereby broadly mirroring the SSM model. JSTs carry out assessments at both an individual and group level.

AMLA aims for a consistent, data-driven approach, supported by standardised data quality checks, harmonised risk indicators and JST dashboards for off-site supervision, complemented by structured follow-up after on-site inspections.

(iv) AMLA’s supervisory and enforcement powers

  • Information requests: AMLA may request any information necessary for its tasks (Art. 17 AMLAR) and can conduct formal investigations—including access to documents, books, IT systems and algorithmic decision-making processes and interviews of staff and third parties (Art. 18 AMLAR). This also includes on-site inspections, including unannounced (Art. 19 AMLAR). Where sanctionable breaches are suspected, an independent investigation team must be appointed separately from the JST.
  • AMLA’s administrative measures: Where breaches are identified or are imminent, AMLA may, among other things, impose a range of administrative measures, including issuing compliance orders, restricting business activities, requiring governance changes, temporarily banning individuals from management functions, publishing statements (“naming and shaming”) and proposing the withdrawal of authorisation to the competent prudential supervisor (Art. 21 AMLAR).
  • Pecuniary sanctions: AMLA may impose fines on selected obliged entities under its direct supervision for intentional or negligent breaches of requirements under the AMLR and the Transfer of Funds Regulation (Regulation (EU) 2023/1113, TFR), in particular where such breaches are serious, repeated or systematic. Depending on the circumstances, fines may range from EUR100,000 to EUR2m or up to 1% of annual turnover (whichever is higher) as a basic amount, and are adjusted by taking into account aggravating and mitigating factors. The maximum amount of a fine may reach 10% of the annual turnover or EUR10m, depending on the type of breach. Sanctions are subject to judicial review by the Court of Justice of the European Union (CJEU) (Art. 22 AMLAR).
  • Periodic penalty payments: To enforce its decisions, AMLA may impose periodic penalty payments of up to 3% of average daily turnover (legal persons) or 2% of average daily income (natural persons), for an initial period of six months, renewable once for a further six months (Art. 23 AMLAR).

(v) Legal protection against AMLA measures

Mirroring the SSM, any natural or legal person directly and individually affected by an AMLA decision in the exercise of its direct supervisory powers, including administrative measures, fines and periodic penalty payments, may request a review by the so-called Administrative Board of Review (ABoR), comprising five independent members not otherwise involved in AMLA’s supervisory or enforcement activities. The ABoR examines procedural and substantive legality and may confirm, annul or amend the decision. The review does not preclude subsequent recourse to the CJEU.

(b) Indirect supervision and NCA oversight (second tier)

All obliged entities not selected for direct supervision, including the entire non-financial sector, fall within AMLA’s indirect supervision. In this tier, NCAs remain responsible for day-to-day supervision, while AMLA exercises an oversight, coordination and convergence role.

The main elements of indirect supervision can be summarised as follows:

(i) Key elements of indirect supervision

  • AMLA exercises indirect supervision by helping to develop harmonised supervisory standards (in particular Level 2 Acts), monitoring NCAs’ application of those standards and supporting them through training, dialogue and technical assistance. To deliver on this role, AMLA is building a risk-based supervisory framework comprising risk mapping, assessment methodologies and supervisory tools (e.g. reviews, benchmarks, peer comparisons and data analytics).
  • AMLA also establishes and chairs AML/CFT supervisory colleges for obliged entities with establishments in at least three different member states. Within these colleges, NCAs coordinate their supervisory activities and develop joint supervisory plans, supported by a secure AMLA IT platform that enables sharing of risk assessments, inspection findings and enforcement measures (subject to professional secrecy and data-protection rules).
  • A key tool of indirect supervision is supervisory convergence reviews: systematic assessments through which AMLA evaluates and promotes the alignment of supervisory practices across NCAs, identifies divergences in methodology, risk assessment and enforcement, and drives a consistent, high-quality AML/CFT supervisory standard across the EU.

(ii) Response to breaches and supervisory failure

Where assessments reveal serious deficiencies, AMLA may escalate as follows: (i) request the NCA to investigate breaches and consider sanctions, requiring a response within ten working days; (ii) if the response is inadequate, request the EC to consider temporarily transferring direct supervisory responsibility to AMLA; and (iii) investigate systematic deficiencies in the application of EU AML/CFT law and issue a recommendation, with the EC able to issue a formal opinion if compliance is not achieved within one month.

(iii) AMLA’s role as mediator

In addition, where disagreements arise between NCAs of different member states, in particular in the context of cross-border supervision, AMLA may act as mediator and, failing agreement, adopt a binding decision requiring the authorities concerned to take or refrain from specific action.

FIU coordination: strengthening cross-border information sharing

Today, the so-called Financial Intelligence Units (FIUs) are the national authorities that receive, analyse and disseminate suspicious activity reports (SARs) filed by obliged entities, serving as the interface between the private sector and law enforcement. Until now, cross-border cooperation between FIUs has largely depended on bilateral arrangements and informal channels.

Going forward, AMLA does not replace national FIUs but rather establishes, under Art. 39–48 AMLAR, a structured coordination and support mechanism to enhance the effectiveness, consistency and timeliness of FIU activities across the EU. In this role, AMLA coordinates joint analyses of cross-border suspicious transactions, develops common standards and templates, issues guidelines on analytical methodologies and risk indicators, and facilitates secure, rapid information exchange between FIUs.

Cooperation with other EU bodies and third countries

AMLA operates within a wider EU ecosystem of supervisory and law enforcement authorities. The AMLAR provides the basis for structured cooperation with EU and national bodies, including the European Supervisory Authorities (ESAs) and competent authorities responsible for AML/CFT and related financial regulation. AMLA is also expected to enter into specific cooperation arrangements with the European Anti-Fraud Office (OLAF), Europol, Eurojust and the European Public Prosecutor’s Office (EPPO), supporting ongoing exchange on typologies, risk indicators and other strategic insights.

AMLA may also cooperate with third-country authorities, including through administrative arrangements, contributing to international AML/CFT coordination and global standard-setting.

Practical implications: what affected institutions should do now

The new regime introduces a two-tier AML/CFT supervisory model that will affect financial institutions in different ways depending on whether they are subject to direct or indirect supervision by AMLA. As a first step, institutions should assess whether they may fall within the scope of AMLA’s direct supervision, as the degree of impact will largely depend on this classification. The following practical implications should be considered:

  • Institutions that fall within the scope of direct supervision by AMLA should assess now whether they meet the eligibility criteria and prepare for an increased level of supervision by AMLA compared to the indirectly supervised entities. This includes reviewing internal AML/CFT governance, ensuring data quality for AMLA’s reporting requirements, and anticipating the formation of JSTs. Experience with the SSM and direct supervision by the ECB suggests that direct supervision by AMLA will change not only the intensity of supervision, but also the supervisory culture to which directly supervised institutions are accustomed. For indirectly supervised entities, meaningful changes are also to be expected, and a thorough impact analysis is therefore advisable. The key impact for these institutions will be felt through the harmonised single rulebook.
  • At the same time, the new regime also presents opportunities: the single rulebook is intended to deliver a genuine level playing field across the EU. However, particularly in the area of indirect supervision, it could still be possible that the NCAs may de facto continue to apply and interpret the harmonised rules differently, which could undermine the intended consistency.