DEV Community

Cover image for AMLA Is Coming Online: What the EU's New Anti–Money Laundering Authority Means for Builders and Regulators
Thomas
Thomas

Posted on

AMLA Is Coming Online: What the EU's New Anti–Money Laundering Authority Means for Builders and Regulators

#fintech #regtech #compliance #dataengineering

If you work anywhere near payments, banking, crypto, or fintech in Europe, a new acronym is about to land in your backlog: AMLA — the EU's Authority for Anti-Money Laundering and Countering the Financing of Terrorism. Headquartered in Frankfurt, it spent the last year moving from "org on paper" to an authority that is collecting data, drafting rules, and getting ready to supervise institutions directly.

This post walks through what AMLA is for, the concrete steps it has taken, where it stands today (June 2026), and why national regulators — and the teams who build their data pipelines — should care.

What is AMLA actually for?

AMLA exists to fix a structural problem: for 35 years the EU fought money laundering through directives that each member state implemented its own way, producing 27 slightly different rulebooks and 27 levels of enforcement rigor. AMLA is the EU's attempt to centralize and harmonize that.

Three things make it different from the alphabet soup of existing EU bodies:

  1. An integrated mandate. For the first time, AML supervision and financial-intelligence coordination sit under one roof, instead of being split across separate institutions.
  2. Direct supervision. From 2028, AMLA will directly supervise up to 40 of the highest-risk cross-border financial institutions — not via national regulators, but itself. The shortlist gets selected in 2027.
  3. A Single Rulebook. AMLA writes the detailed technical rules (Regulatory Technical Standards, or RTS) that turn the high-level AML Regulation — Regulation (EU) 2024/1624 — into concrete obligations applied consistently across all member states.

For builders, the headline is this: AML compliance is shifting from "interpret your national regulator's guidance" toward "implement one common EU methodology, and submit standardized data to a central authority." That's a data-engineering problem as much as a legal one.

The chronology: from roadshow to running system

Here's the sequence of moves that got AMLA to where it is today.

2025 — Listening and mapping

Between March and December 2025, AMLA Chair Bruna Szego ran an EU-wide Roadshow, visiting all 27 member states to meet supervisors, financial intelligence units (FIUs), and private-sector representatives. It was AMLA's first systematic engagement with the people who do the actual work. In parallel, AMLA ran a 2025 survey collecting how non-financial-sector supervisors across the EU run their risk assessments. The findings report was later published on 11 May 2026 as a common reference point for the whole ecosystem.
🔗 https://www.amla.europa.eu/amla-publishes-findings-chairs-2025-eu-wide-roadshow_en

16 March 2026 — The first data collection exercise

AMLA published the reporting package for a data collection and testing exercise to calibrate its risk-assessment models. Sampled entities (notified individually through their national authorities) got an interpretative note, an XLSX template, and a recorded webinar, with a submission deadline of 22 April 2026.

The models being calibrated do double duty: they feed the 2027 selection of entities for direct supervision, and they push toward a common EU-wide method for scoring money-laundering risk. If you've ever owned a regulatory-reporting pipeline, you know the pattern — template, interpretative note, internal data mapping, submit. This is that, at EU scale.
🔗 https://www.amla.europa.eu/amla-launches-data-collection-exercise-test-risk-assessment-models_en

24 March 2026 — The first public hearing

AMLA held its first-ever public hearing, drawing over 1,600 stakeholders across two sessions on two cornerstone RTS:

  • Business relationships vs. occasional transactions (Art. 19(9) AMLR) — the distinction that decides when obliged entities must run customer checks, plus rules on "linked transactions" to stop people from splitting payments to dodge thresholds.
  • Customer due diligence (Art. 28(1) AMLR) — what information and documents must be collected for standard, simplified, and enhanced CDD.

Written consultations stayed open until 8 May 2026.
🔗 https://www.amla.europa.eu/amla-concludes-first-public-hearing-draft-regulatory-technical-standards_en

11 May 2026 — Cross-border supervision rules go to consultation

AMLA opened consultation on draft RTS for home–host supervisory cooperation: how the "home" supervisor of a cross-border group and the "host" supervisors in other states divide responsibilities. Notable technical detail — a simplified disclosure regime where information shared inside the EU supervisory system can be passed to other members without prior consent from the originating supervisor (subject to notification). A dedicated public hearing was set for 28 May 2026.
🔗 https://www.amla.europa.eu/amla-holds-public-hearing-consult-draft-rts-home-host-supervisory-cooperation_en

12 May 2026 — The countdown to direct supervision begins

AMLA published the reporting package national supervisors will use to identify "provisionally eligible" entities for the 2027 selection. The timeline it set:

  • 10 June 2026 — public webinar walking through the template
  • 15 August 2026 — national supervisors collect the data
  • end-September 2026 — provisional list of eligible entities finalized

This is the concrete on-ramp to that pool of ~40 directly supervised institutions.
🔗 https://www.amla.europa.eu/amla-takes-next-step-toward-2027-selection-entities-direct-supervision_en

20 May 2026 — Group-wide requirements hearing

A public hearing (650+ participants) on draft RTS for group-wide requirements — Articles 16(4) and 17(3) of Regulation (EU) 2024/1624. AMLA bundled both mandates into one instrument: 16(4) on implementing group-wide policies and controls, 17(3) on upholding equivalent standards in third countries where local law gets in the way. Consultation runs until 16 June 2026 (still open as of this writing).
🔗 https://www.amla.europa.eu/amla-concludes-public-hearing-draft-rts-group-wide-requirements_en

9 June 2026 — The first AMLA Conference

AMLA held its first conference at the Alte Oper in Frankfurt, themed "Building Trust, Enhancing Integrity." Over 360 in-person guests from all 27 member states, plus a livestream audience, three panels, and keynotes from the European Commission and MEPs.
🔗 (Programme) https://www.amla.europa.eu/first-amla-conference_en
🔗 (Recap) https://www.amla.europa.eu/amla-successfully-concludes-its-first-conference_en

The technically interesting part wasn't the speeches — it was the framing. Chair Szego argued that financial crime is now "qualitatively different — not simply greater in scale, but increasingly cross-border and harder to trace," driven by crypto-asset misuse and AI-assisted laundering. Panel 3 went straight at this with blockchain analytics, AI-supported detection, and cross-border data sharing — featuring Europol, Chainalysis, the BIS, and N26. The recurring message: as a brand-new authority, AMLA can bake these capabilities in from day one rather than bolting them on.

Where things stand today (mid-June 2026)

  • Rules: Multiple RTS are in flight. The first batch (CDD, business relationships) closed consultation in May; group-wide requirements close 16 June; home–host cooperation just had its hearing. AMLA is now turning thousands of written submissions into final standards.
  • Data: The model-calibration exercise wrapped its April submission window, and the eligibility data collection for the 2027 selection is the active workstream — national supervisors collecting through 15 August, provisional list by end-September.
  • Institution-building: Roadshow findings published, first hearings done, first conference done. AMLA has moved from setup into steady operation.

The forward path, per Vice-Chair Vega Serrano's closing remarks: finish a unified legal framework that cuts fragmentation, prepare for direct supervision of a core group of institutions, and strengthen the flow of actionable intelligence to investigators.

Why this matters for regulators (and the people who build their systems)

This is where the abstraction turns into work tickets.

For national competent authorities (NCAs), the role is changing. They're no longer the top of the chain — they're now the data-collection and identification layer feeding a central EU authority. They organize collection from obliged entities in their remit, run error-correction and alignment phases with home supervisors, and apply AMLA's specifications rather than their own. Practically, that means new reporting templates, new interpretative notes, and tighter cooperation obligations under the home–host framework and supervisory colleges.

For obliged entities (banks, payment firms, crypto platforms, and increasingly the non-financial sector), a few concrete implications:

  • One methodology, not 27. A common EU risk-assessment model means your risk scoring needs to map to AMLA's definitions, not just your local regulator's interpretation.
  • Standardized, machine-readable reporting. XLSX templates with strict interpretative notes are the interface. Internal data mapping to those schemas is now a recurring engineering task, not a one-off.
  • The ~40 question. If your institution is large and cross-border, the 2027 selection is real. Calibrating systems for AMLA-grade data requests now is cheaper than scrambling in 2028.
  • Convergence is the point. As panellists put it, regulatory convergence isn't bureaucratic overhead — it's an operational need that gives cross-border firms clearer expectations and more legal certainty.

The through-line is that AML is becoming a data interoperability problem. Consistent schemas, deterministic reporting logic, clean lineage, and the ability to respond to centralized data calls on a deadline — that's a RegTech and data-engineering agenda, and it's arriving on a fixed calendar.

TL;DR

AMLA spent its first operational year listening (2025 Roadshow), drafting the Single Rulebook (a wave of RTS consultations through spring 2026), and standing up the machinery for direct supervision (model calibration + eligibility data collection). The next hard dates are 15 August and end-September 2026 for the selection pipeline, 2027 for the shortlist, and 2028 for go-live on direct supervision. For regulators, the center of gravity shifts toward Frankfurt and toward standardized data. For builders, the smart move is to treat AML compliance as a data-platform problem now.

References

All facts above are drawn from AMLA's official communications:

Top comments (0)