The EU’s new Anti-Money Laundering Authority (AMLA – the Authority)) moved from concept to reality in summer 2025 as it began operations in Frankfurt. The Authority has a mandate to drive supervisory convergence, coordinate Financial Intelligence Units (FIUs) and, from 2028, directly supervise a set of high-risk, cross-border financial institutions. The EU Anti Money Laundering Regulation (AMLR) sets out the framework.
The Authority will serve as a single EU hub to develop a harmonised supervisory methodology, run thematic reviews, coordinate national supervisors and FIUs, and build common data tools. It will draft regulatory and implementing technical standards (adopted by the European Commission) and can issue guidelines and recommendations. Structured questionnaires and a single interaction platform will be used to collect comparable AML/CFT data across the bloc, reducing duplicative reporting and friction for cross-border groups.A shortlist of supervised entities will be published following a selection process beginning no later than 1 July 2027. The process will be repeated every three years. Initially focused on financial institutions with high residual money laundering/terrorist financing (ML/TF) risk and operations in at least six Member States, the Authority will commence direct supervision six months after publishing the list. The first cohort will cover up to 40 entities, with scope to expand in subsequent cycles as resources grow.
AMLA’s Deliverables
At the heart of the Authority’s mandate is the development of a harmonised supervisory methodology. The Authority is tasked with setting clear benchmarks for how risks are classified, and with defining the way supervisors evaluate customer risk, business models and delivery channels. To ensure consistency, it will coordinate the use of common questionnaires and standardised tools, replacing the patchwork of national practices with a single EU-wide framework.
A second strand of activity will be thematic reviews. Each year, the Authority will identify priority themes that cut across borders — for example, vulnerabilities in specific sectors or typologies of financial crime — and lead coordinated on-site and off-site assessments. By aligning these reviews across Member States, the Authority aims to surface systemic risks and spread best practice more effectively.
For the highest-risk cross-border institutions, the Authority will go further and exercise direct supervisory powers. This includes conducting group-level reviews and assessments, imposing tailored supervisory requirements, and, where necessary, applying administrative measures or pecuniary sanctions. These powers are intended to create a credible deterrent and ensure that entities selected for direct supervision meet a consistently high standard of compliance.Finally, the Authority has a systems-building role. It will create a single interaction platform and a central AML/CFT database, giving supervisors and supervised firms a common channel for reporting and information exchange. This digital backbone is designed to increase efficiency, reduce duplication, and provide the consistency needed for credible EU-wide oversight.
Timelines and Implications for Firms
The new Authority’s 2025 work programme is focused on building the institution: recruitment, governance, budget setting, and MoUs with key actors including the ECB and European Supervisory Authorities (signed in June 2025). It is also mapping supervisory data transfers such as the integration of the EBA’s EuReCA database. The goal is to have operational cooperation mechanics in place while the supervisory selection methodology is finalised.
The companion AMLR will apply directly across the EU from 10 July 2027. That gives firms a two-year runway to align policies, technology and data models to directly applicable EU AML rules, with the Authority’s first direct supervision wave starting in 2028.
Preparatory activities firms should be considering include:
- Creating an AMLA readiness workstream: a multi-disciplinary team spanning AML/BSA, prudential liaison, legal and technology. Mapping the group’s EU cross-border footprint is essential, as it is a core selection criterion.
- Aligning policies to the AMLR: inventory all KYC/EDD, correspondent banking, PEP/sanctions and CTF controls and plan for the Regulation’s directly applicable rules from mid-2027. Note that national “gold-plating” measures will fall away when AMLR applies.
- Rationalising data: expect structured, comparable data calls via the Authority’s platform. Catalogue where CDD data, SAR metrics, model performance indicators and training/QA evidence live; standardise definitions and lineage.
- Preparing for EU-level thematic reviews: treat them like coordinated sprints. Build playbooks and artefact packs (risk assessments, model validation files, sanctions screening metrics) that can be rapidly supplied across jurisdictions.
Non-EU groups with EU subsidiaries or passporting structures will experience AMLR and the new Authority through their EU entities and group-wide assessments. Governance, documentation and data traceability must be consistent with EU expectations, even if parent-level policies differ in other regime
The combination of a single supervisory methodology, common tooling and direct supervision of the riskiest cross-border entities will raise the bar. Weak control environments will be harder to hide behind fragmented national practices. Banks that invest early in data standardisation and model governance will face fewer surprises in the 2027–2028 transition. RegTechs that can export artefacts aligned to the Authority’s methodology—such as audit-ready exports, standard taxonomies and robust model governance controls—will be well placed to support firms once the first selection lists land.
Subscribe to our newsletter
