AMLA Explained: A Plain-Language Introduction

The regulatory landscape for anti-money laundering in Europe is undergoing its most significant transformation in decades. A new central authority is taking shape - one with a broader reach, a more unified rulebook, and a more ambitious mandate than anything that has come before it. Understanding what this authority is, how it came to be, and what makes it genuinely novel is essential for any organisation operating in or with the European market.

What is AMLA?

AMLA is a new European Union regulator that has been set up under the auspices of the European Commission. It stands for the Anti-Money Laundering Authority.

The aim of the authority, according to the European Union website, is to “transform” supervision of anti-money laundering and counter-terrorist financing (AML/CTF), and “enhance cooperation among financial intelligence units (FIUs)” across the 27 EU jurisdictions.

The process of setting up AMLA started in 2021 when the first version of the most ambitious legislative package in the fight against crime in the world was presented by the European Commission to the EU Parliament.

Fast forward to 2024 when the package was approved and AMLA was legally established, and most recently to 2026, where we have witnessed the AMLA executive board appointed by the Council of Europe, with the first Regulatory Technical Standards (RTSs) shared with the public in Consultation and Public Hearings.

What is Different About AMLA?

There are three unique things about AMLA:

1. It has the widest scope of regulated entities in the world – ranging from professional services that include single-person notaries, to lawyers, to real estate agents, luxury goods entities including private jet and yacht makers, to football clubs and everything else in between. Of course, the usual suspects are included: financial institutions such as banks, payments services, insurance, asset management, crypto, wealth, broker-dealers, digital assets and so on.
2. AMLA has a unique regulatory objective to regulate not only financial and the non-bank financial institutions, but also the 27 European FIUs in order to enable better cooperation with the industry as a source of information, as well as for those FIUs to cooperate across the EU borders.
3. Finally, AMLA is to have a single rule book that applies to all the above mentioned “obliged” (=regulated) sectors with all their unique risks, and with that rule book to harmonize the application of the rules across the 27 jurisdictions through supervising national regulators and their application of the rules. While working on harmonizing the rules as its primary goal, AMLA is also looking to allow for unique jurisdictional risks. How that tension will look in practice is something we will have to wait and see, but there is growing concern. The consultation on some of the rules has started in February and will go on all this year with the rules starting to apply from 2027. In the Public Hearings on March 24^th 2026, AMLA recognized these tensions but insisted that the rules will remain simple and single, with guidance potentially expressing more nuance, subject to the industry feedback.

What has AMLA missed?

One curious omission is the regulation of fraud - which is by far the fastest growing crime across the planet, even though we do accept that fraud is a predicate offence to money laundering and thus is theoretically included. As fraud—especially cyber-enabled fraud—continues to increase worldwide, and in financial institution fraud is generally handled separately from AML/financial crime, this seems like a missed opportunity. What is interesting is that the only significant reduction of fraud was seen in Australia around 2024 when the regulators coordinated an intervention jointly with banks, social platforms, internet providers and telecoms (which remain outside the AML regs).

What is AMLA already doing?

AMLA intends to regulate using a data-driven approach and has most recently issued a request for data and information via the national regulators to understand the landscape of some of largest and riskiest institutions in the EU. They have reached out to some 500 institutions via their local regulators seeking rafts of data so that they can decide which of these institutions AMLA will select to regulate directly, replacing the national regulators. We think that wholesale data extractions of this nature may become more common place as AMLA seeks to understand how best to use data to detect weaknesses in its regulatory space.

Among many things AMLA is already doing, is also hiring its staff - aiming to reach “a cruising capacity of 430” FTE by end of 2027. While hiring, the regulator is also writing its standards, the so called Regulatory Technical Standards (RTS). And they are already conducting Public Consultations and Hearings with all the obliged sectors to gather feedback and refine the single rule book as best as possible. Some of the rules are set in the EU Commission’s Regulations, and when they are – AMLA shall not change them through the current consultations. The RTS drafts already published are on CDD, Business Relationships, and Sanctions.

Is AMLA replacing existing regulators?

Well, yes and no – depending on who you are. AMLA plans to select 40 largest and riskiest institutions in the EU to regulate directly (with a few other factors taken into account). In the case of the 40 – supervision by AMLA will indeed replace the local regulators, while everyone else will remain in the domain of local supervision. However, AMLA may choose to look deeper into certain entities beyond the 40 in certain, higher risk circumstances. The 40 “obliged entities” will be determined in 2027.

When do AMLA rules start applying?

The new RTSs should be submitted to the European Commission for approval by July 20^th 2026. Delays are possible, but that is the plan at the time of writing this.

The rules start applying to obliged entities from July 2027. The uneasy fit of some details of the new rules across the vast array of entities, lack of clarity in some detail, and the need for remediation may mean a long tail of work for many, extending well beyond July 2027. AMLA accepted this possibility in the Public Hearing, saying that firms should focus on high risk first, and that a risk- based approach must apply. Supervision by AMLA actually starts a year later, sometime in 2028 according to the AMLA web page, meaning that there is a buffer.

Will AMLA be a strong enforcer of its requirements?

According to Fenergo, since the financial crash in 2007, an estimated US $69 billion in enforcement actions has been levied against financial institutions and individuals for AML compliance violations. For context – that is close to the GDP of Slovenia. or the quarterly revenue of JP Morgan Chase in Q2 of 2025.

The US has historically always been a strong enforcer, and it went well beyond its borders, and has had a profound effect on global regulatory standards and expectations. That may well be the single most important factor that raised the topic of financial crime to Board level significance. However tough it might have been for many institutions to get through the resulting remediations, we do have to thank many of these actions for the progress in the overall controls in the financial services sector, which have now set the global standard.

Looking at the latest figures, the US maintains a firm position atop the “leaderboard” for the total value of fines, but we have seen a significant reduction of fine activity and scale the reduction of that amount in 2025=(-54% ‘25 vs. ’24), while the EU is soaring at a +776% increase, when we include regulatory investigations that have not yet concluded.

Enforcement by value (headline trends)

Global AML/KYC/Sanctions fine values (financial institutions only)

 2024: $4.6bn (≈95% in North America; APAC fell; EMEA modest)

 2025: $3.8bn (North America –58%, EMEA +767%, APAC +44%)

What do these numbers tell us about the future? Likely that the EU, with AMLA at its head, will increase its activity in enforcement. However, considering that direct supervision only starts in 2028, by the time these cases are brought to fruition, we may not see much before H2 of 2029.

At this point, it appears EU enforcement is on the rise - at least in the number of cases by volume, if not by overall value. While AMLA is likely to take time to show its teeth, it is likely that this agency will want to show it means business and thus enforce against both its direct 40 supervised entities and through the national supervisors.

What practical concerns do financial institutions have?

We attended AMLA’s Public Hearing on CDD and Business Relationships and peaked into some of the industry groups’ publicly available concerns around the RTSs.

Some of the most interesting concerns were:

• Mandatory periodic reviews (1-3-5 year) clashing with perpetual KYC programs that monitor on an ongoing basis. This shows that regulators still do not acknowledge that periodic/trigger reviews are still in fact looking at the file at all those points – 1-3-5yrs but that despite the search no risk relevant triggers are raised;
• Country/city-of-birth data point requirement is raising concerns about how many additional docs are required to get that information in the age of focus on customer experience, especially for ‘tradfin” (traditional financial institutions), along with discrimination and financial exclusion concerns;
• Some identity verification requirements seem incompatible with digital-first onboarding (e.g. verification of company docs by notaries in certain cases, the need for more than current docs to prove country and/or city of birth);
• Concerns around beneficial ownership calculations, as well as requirements that curtail the use of beneficial owner and other similar registers in Simplified Due Diligence for verification; thus requiring multiple sources, running counter to digitisation and a lower-friction customer experience;
• Many are concerned that the need for high level language in the RTSs to keep it applicable to all sectors means a considerable amount of opportunity for divergence in application, increasing ambiguity, and removing the element of a level playing field;
• Concerns that despite a stated desire for harmonisation, the changes are bringing confusion into a relatively stable environment - causing upheaval, considerable cost, and more opportunity for criminals to play the system;
• Concerns that a disproportionate burden of change is on entities that are not primarily regulated in the EU.

What are the opportunities brought by AMLA?

Like all change, this one will also bring opportunities alongside its challenges. Europe-centric institutions may find that harmonisation works strongly in their favour, potentially enabling a single-CDD approach across multiple jurisdictions – long considered a holy grail of AML.

Consider an institution with 15 to 20 entities across Europe – each able to draw on a single KYC file for a given customer or entity, across all its jurisdictions, under one cohesive rulebook. Whether that will be achievable in practice, even for the 40 directly supervised entities, remains to be seen.

Also, many institutions are already dealing with some requirements that even if raised as concern by, say, UK institutions, are not new in some of the EU countries, and so by replacing one imperfect set of rules with another but harmonised – may still be a win in the medium to long run.

Many affected institutions are already running programmes to address the coming changes. In some cases, gap analyses have been completed; in larger institutions, implementations are already underway.

Final Notes

There is a lot of nuance and a lot more we do not yet know about AMLA. Their own website is a very good source of information about AMLA and its future actions. https://www.amla.europa.eu/index_en