AMLA is moving from concept to reality, and this session brought three senior compliance practitioners together to examine what that transition looks like from the inside. Drawing on direct experience across ING, NatWest, and the broader European regulatory landscape, the panel explored AMLA's three-part mandate: directly supervising 40 of the highest-risk cross-border institutions, indirectly overseeing national regulators across all 27 member states, and establishing a unified rulebook through regulatory technical standards.
The conversation examined the live data collection exercise currently engaging 500 institutions, through which AMLA will determine its initial supervisory cohort, and what that process signals about the authority's direction of travel.

The following questions came from the audience of our session, AMLA - The Future of Compliance in the EU, with answers provided by our panelists after the conclusion of the live session.
Q: You mentioned a "data collection" step. Can you provide an overview of the data requested and comment on whether it contravenes any data privacy laws?
A: AMLA has launched a data collection exercise to test its risk assessment models. AMLA is obliged to operate in harmony with EU data protection laws -- it would not make sense for a new regulator to breach the laws of its parent framework. For further reading, the Global Coalition to Fight Financial Crime has published an interesting piece on aligning AML/CFT and GDPR priorities.
Q: My understanding is that AMLA will not have extraterritorial supervisory authority beyond the EU. Can anyone speak to the potential indirect supervision of non-EU subsidiaries of EU parent companies?
A: AMLA's mandate is explicitly confined to obliged entities established in the EU, supervised either directly by AMLA (for selected high-risk entities) or indirectly via National Competent Authorities (NCAs). That said, non-EU subsidiaries should not consider themselves entirely out of reach. Where risk flows into the EU (for example, through reliance on non-EU subsidiary CDD, correspondent banking, or transactions conducted on behalf of a subsidiary), AMLA or NCAs may take an interest when supervising the EU parent.
Q: Do we expect local regulators such as BaFin and DNB to stand down their local regulations in favour of AMLA's RTSs? What timelines should we expect, and is there a risk of a two-tier regulatory system?
A: It was made clear at AMLA's Public Hearing that the RTSs are intended to supersede other EU regulation and guidance. AMLA has deliberately avoided excessive detail in the RTSs to prevent narrowly worded language from excluding certain industry cases. The CDD team in particular demonstrated genuine openness to industry input -- written comments are accepted until 8 May and it is well worth submitting them.
On the two-tier risk: it is important to remember that Europe currently operates across 27 different jurisdictional standards. AMLA's stated direction of travel is harmonisation and a risk-based approach. Institutions with mostly EU presence should benefit in the long run; those with only limited EU exposure may find it burdensome for little gain.
Key dates:
- 2026 -- AMLA publishes guidelines and technical standards (6 more RTSs expected this year)
- 10 July 2027 -- The AML Regulation becomes directly applicable across all EU Member States
- End of 2027 -- AMLA selects the first ~40 high-risk obliged entities for direct supervision
- 2028 -- AMLA begins full direct supervision
On phasing, AMLA has indicated that for CDD, entities are expected to address high-risk first -- full compliance on day one is not the expectation.
Q: Are we now able to perform KYC once across the EU rather than 27 separate processes -- for both new onboarding and periodic reviews?
A: This is one of the most anticipated improvements under AMLA, and yes, it is expected to be a significant benefit. It will be fascinating to see how local supervisors (NCAs in some countries, AMLA directly for the 40 selected entities) apply the harmonised standard in practice.
Q: Do we know if any member states are planning to go above and beyond AMLA's framework?
A: AMLA is clear that member states cannot redefine or add to its rules. However, supervision style and local practice will inevitably vary day to day, and AMLA acknowledges this. The important context is that we are moving from 27 different standards to one -- even with some initial inconsistency, this is a significant step toward harmonisation overall.
Q: What benefit does Simplified Due Diligence (SDD) actually provide? It feels like negligible benefit at first glance.
A: Some larger corporate banking institutions see genuine value in SDD, particularly where the risk profile of a customer category clearly supports a lighter-touch approach. Its benefit will likely depend heavily on the specific business model and customer base.
Q: Will country MLROs still be expected to track and report compliance at a local level rather than at an EU-wide level?
A: Yes -- local EU MLROs will still need to fulfil their own compliance obligations. However, those obligations will be set against a harmonised EU standard, meaning an MLRO in one EU country will increasingly be working to the same framework as their counterpart in another EU jurisdiction within the same group.
Q: What are the biggest opportunities we are seeing from the AMLR?
A: The answer depends on who you are and how AMLA operates in practice. The signals so far are encouraging -- risk-based supervision and industry cooperation are high on AMLA's agenda. If that translates into RTS feedback being genuinely incorporated, outcomes-focused supervision rather than box-ticking, and stronger public-private cooperation, there is real potential to prevent more financial crime.
For businesses primarily in the EU, harmonisation could be transformative: single CDD processes across 27 countries, removal of more prescriptive local rules, and a more centralised compliance function. For new entrants and start-ups, a harmonised environment could meaningfully reduce the cost of building a compliant financial services business in the EU.
The risks are equally real -- AMLA is a new authority with limited staff and significant responsibilities, and early supervision could be inconsistent. As an industry, there is a collective responsibility to engage constructively and make the most of what could be a genuinely important step forward for EU AML/CFT effectiveness.

