On 1 July 2025, the Council of the European Union confirmed Frankfurt as the seat of the new Anti-Money Laundering Authority (AMLA), and by January 2026 the body began assembling the supervisory architecture that will directly oversee approximately 40 of the EU's highest-risk financial institutions starting in 2028. AMLA 2026 compliance requirements now sit at the top of board-level risk agendas across the bloc, and for good reason: under Regulation (EU) 2024/1620, the Authority can impose administrative pecuniary sanctions of up to 10% of total annual turnover on selected obliged entities for serious, systematic, or repeated breaches of directly applicable AML rules. That penalty ceiling is roughly double what most national supervisors have historically imposed, and it applies regardless of whether the violation produced measurable harm.

The regulatory shift is structural rather than cosmetic. For the first time since the 1991 First Anti-Money Laundering Directive, the EU has created a single supervisory authority with binding decision-making power over private-sector firms, ending more than three decades of fragmented enforcement across 27 national regimes. AMLA will operate alongside two other pillars of the 2024 AML package: Regulation (EU) 2024/1624, the new Single Rulebook directly applicable to all obliged entities, and Directive (EU) 2024/1640, the Sixth Anti-Money Laundering Directive (AMLD6), which governs Financial Intelligence Units and national supervisors. Together these instruments replace the patchwork that has produced widely divergent enforcement outcomes — from the €775 million Danske Bank settlement in Denmark to the €8.5 million ABLV resolution in Latvia for arguably comparable failings.

For compliance officers, the practical question is no longer whether AMLA will affect operations but when and how deeply. Direct supervision begins on 1 January 2028 for the selected obliged entities, but indirect effects — through binding regulatory technical standards, supervisory convergence guidance, and joint supervisory teams — will reshape compliance expectations throughout 2026 and 2027. Firms that wait until 2028 to begin remediation will find themselves negotiating with a supervisor that has already published its methodology, staffed its inspection teams, and signaled its enforcement priorities.

This explainer sets out what AMLA is, what it can do, which firms it will supervise directly versus indirectly, and what concrete steps a compliance function should be taking in 2026 to be defensible by the time the Authority's first on-site inspections begin in early 2028. The analysis draws on the final published texts of Regulation (EU) 2024/1620, Regulation (EU) 2024/1624, and Directive (EU) 2024/1640, alongside the European Banking Authority's 2024 transition opinion and the Council's seat decision of June 2024.

Understanding AMLA 2026 Compliance Requirements

The **Anti-Money Laundering Authority (AMLA)** is defined as a decentralized EU agency established under Regulation (EU) 2024/1620 with legal personality, headquartered in Frankfurt am Main, and tasked with direct supervision of selected obliged entities, indirect supervision of national authorities, and coordination of Financial Intelligence Units across the EU. The Authority's structure includes a General Board (with both supervisory and FIU compositions), an Executive Board of five full-time members, and a Chair appointed by the Council after European Parliament approval. The first Chair, Bruna Szego, took office in early 2026, and the Authority's full operational capacity is scheduled for mid-2027.

Three powers distinguish AMLA from any predecessor body. First, it can adopt binding individual decisions addressed directly to selected obliged entities, including remediation orders, sanctions, and removal of senior managers. Second, it can issue regulatory technical standards (RTS) and implementing technical standards (ITS) that, once endorsed by the European Commission, become directly applicable law in all 27 Member States. Third, it can conduct on-site inspections without prior notice and demand any document, data extraction, or interview it considers necessary, with non-cooperation itself constituting a sanctionable offense under Article 21 of Regulation (EU) 2024/1620.

The Single Rulebook and what changes substantively

Regulation (EU) 2024/1624 — the AML Regulation, distinct from the AMLA founding regulation — replaces the customer due diligence (CDD), beneficial ownership, and reporting provisions previously contained in the Fourth and Fifth Anti-Money Laundering Directives. Because it is a regulation rather than a directive, it applies directly without national transposition, eliminating the gold-plating and under-implementation that has historically produced 27 different versions of "the same" obligation. The substantive changes that matter most for AMLA 2026 compliance requirements include a harmonized EU-wide cash payment limit of €10,000, a beneficial ownership threshold lowered to 25% plus one share or any equivalent control indicator, and an explicit prohibition on banks holding correspondent relationships with shell institutions or with crypto-asset service providers operating without authorization.

The CDD framework is also substantially tightened. Enhanced due diligence is now mandatory not only for politically exposed persons but for any customer linked to a high-risk third country identified by the European Commission under Article 29 of Regulation (EU) 2024/1624, and the standard CDD identification thresholds for occasional transactions drop to €10,000 (or €1,000 for transfers of funds and crypto-asset transfers under the recast Transfer of Funds Regulation). Obliged entities must apply the new framework from 10 July 2027, the date the AML Regulation becomes applicable, meaning that policy rewrites, system reconfigurations, and staff training programs need to be substantially complete by Q1 2027 to allow for testing.

Scope: which firms are obliged entities

The list of obliged entities under Article 3 of Regulation (EU) 2024/1624 is broader than its predecessor and includes credit institutions, financial institutions, crypto-asset service providers (CASPs) authorized under MiCA, crowdfunding service providers outside the scope of Regulation (EU) 2020/1503, mortgage and consumer credit intermediaries, professional football clubs and football agents (subject to a Member State opt-out for clubs below specified turnover and division thresholds), and traders in luxury goods including precious metals, precious stones, and high-value vehicles, aircraft, and vessels. The inclusion of CASPs is particularly consequential: every CASP authorized under the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) is automatically an obliged entity, with no de minimis carve-out.

EU Anti-Money Laundering Authority Impact: Direct vs Indirect Supervision

AMLA's supervisory model operates on two tiers. Direct supervision will apply to a small number of "selected obliged entities" identified through a risk-based selection process set out in Article 13 of Regulation (EU) 2024/1620. The first selection round runs through 2027, with direct supervision commencing 1 January 2028. The Authority is expected to select up to 40 entities in this first cohort, drawn from credit institutions, other financial institutions, and crypto-asset service providers operating in at least six Member States and meeting risk-profile criteria assessed across customer base, products, geographies, and delivery channels.

For directly supervised firms, AMLA replaces the home-state national competent authority for AML/CFT purposes. A Joint Supervisory Team (JST) — composed of AMLA staff and seconded national supervisors — will lead day-to-day supervision, conduct the annual supervisory review, and propose any sanctioning decisions to the Authority's Executive Board. The model deliberately mirrors the European Central Bank's Single Supervisory Mechanism, and firms that are also significant institutions under the SSM will effectively face two parallel JSTs, one prudential and one AML, with formal coordination protocols but distinct mandates.

Indirect supervision and the long reach of convergence

Indirect supervision is where the EU Anti-Money Laundering Authority impact will be felt most broadly. Even firms that never appear on the selected entity list will face supervisory expectations shaped by AMLA through three mechanisms. The Authority drafts the regulatory technical standards that define, for example, what constitutes adequate transaction monitoring, how customer risk scoring must be documented, and what record-keeping formats supervisors will accept. It conducts peer reviews of national supervisors and can issue recommendations that effectively force a national authority to tighten its supervisory practice. And it operates a central database — the AML/CFT database under Article 11 of Regulation (EU) 2024/1620 — into which national supervisors must feed inspection findings, sanctions, and material weakness reports.

The practical effect is that a mid-sized German Sparkasse never directly supervised by AMLA will nonetheless be examined by BaFin against guidelines drafted in Frankfurt, using methodology piloted on directly supervised firms, with findings entered into a database that AMLA staff can interrogate. National supervisors retain formal authority over non-selected entities, but their discretion narrows substantially. By most estimates, between 12,000 and 15,000 EU credit institutions, payment institutions, e-money institutions, and CASPs will fall under this indirect regime.

Sanctions architecture and the 10% turnover ceiling

Article 22 of Regulation (EU) 2024/1620 sets out AMLA's direct sanctioning power over selected obliged entities. For serious, repeated, or systematic breaches of directly applicable AML provisions, the maximum administrative pecuniary sanction is the higher of 10% of the total annual turnover of the legal person in the preceding business year or €10 million. For natural persons holding management responsibility, the ceiling is €5 million. These figures align with the upper end of GDPR sanctions and substantially exceed previous AML penalty frameworks in most Member States; for context, Germany's Geldwäschegesetz before the reform capped corporate fines at €1 million for most violations, with a higher ceiling reserved for the most serious cases.

Sanctions are determined according to criteria including the gravity and duration of the breach, the degree of responsibility, the financial strength of the person, profits gained or losses avoided, cooperation with the Authority, and previous breaches. AMLA must publish all final sanctioning decisions on its website, identifying the entity by name unless publication would be disproportionate or jeopardize an ongoing investigation, with the publication remaining online for at least five years.

AMLA Regulatory Timeline: Key Dates From 2024 to 2029

The AMLA regulatory timeline is fixed in primary legislation and provides limited flexibility for implementation slippage. The package was published in the Official Journal on 19 June 2024 and entered into force on 9 July 2024. From that date, a sequence of operational milestones drives the practical compliance calendar.

During 2025, the Authority's governance structures were established: Bruna Szego was confirmed as Chair, the Executive Board was appointed, and the seat agreement with Germany was finalized. The General Board held its inaugural meeting in early 2025, and recruitment for the Authority's projected staff complement of approximately 430 began in parallel. By 31 December 2025, AMLA was required to be formally established as a legal entity, a milestone that was met.

Throughout 2026, AMLA's primary deliverable is the body of Level 2 measures — regulatory technical standards, implementing technical standards, and guidelines — that will operationalize the Single Rulebook. The European Banking Authority transferred its existing AML mandates to AMLA in two phases ending in 2025, and the new Authority's first major RTS package, covering supervisory methodology, customer due diligence specifics, and the selection criteria for direct supervision, is expected for Commission endorsement by Q4 2026. Compliance teams should treat each consultation as both a compliance preview and an advocacy opportunity; the consultation responses received during 2026 will shape the binding text adopted in 2027.

The pivotal date is 10 July 2027, when Regulation (EU) 2024/1624 becomes applicable and Member States must have transposed Directive (EU) 2024/1640. From that date, the Single Rulebook applies directly to all obliged entities, regardless of whether AMLA's direct supervision has commenced. National supervisors will enforce the new rules until 1 January 2028, when AMLA's direct supervision over selected obliged entities begins. The first selection list is expected to be published in the second half of 2027 to allow firms a structured handover period.

By the end of 2029, AMLA will conduct its first comprehensive review of the selection methodology and sanction practice, with a report to the European Parliament and Council. That review is the first formal opportunity for adjustments to scope, thresholds, or supervisory practice, and firms that have accumulated documented experience with the new framework will have a credible basis for engagement.

The transposition risk for AMLD6

While Regulation (EU) 2024/1624 applies directly, Directive (EU) 2024/1640 (AMLD6) requires transposition by 10 July 2027 and governs the powers of national supervisors and FIUs, beneficial ownership registers, and access by competent authorities. Historically, transposition delays have produced enforcement gaps; the Fourth AML Directive's transposition deadline was missed by 22 of 28 Member States in 2017, leading to Commission infringement proceedings against most of them. Compliance teams should track transposition status in each jurisdiction of operation through 2026 and the first half of 2027, because beneficial ownership register access, suspicious transaction reporting formats, and tipping-off rules are all governed by AMLD6 and will vary by national law during the transition.

European AML Reform Financial Institutions Must Prepare For

For financial institutions, the European AML reform financial institutions must prepare for breaks down into six concrete workstreams that should be running in parallel through 2026 and 2027. Each workstream has measurable deliverables and dependencies on AMLA's Level 2 publications, but none can wait for final RTS texts to begin.

The first workstream is governance and accountability mapping. Article 11 of Regulation (EU) 2024/1624 requires every obliged entity to designate a member of the management body responsible for AML/CFT compliance and a separate compliance officer at sufficiently senior level. The two roles must be distinct, the compliance officer must have direct access to the management body, and group structures must designate a group compliance officer. For firms that have historically combined these functions or placed AML compliance below executive committee level, organizational changes need to be in place well before July 2027 to allow the compliance officer to demonstrate effective tenure during any subsequent inspection.

The second workstream is the customer due diligence rebuild. Standardized identification data, risk classification methodologies, and ongoing monitoring frequencies are now specified at EU level rather than left to national supervisory expectation. Firms should run a gap analysis against Articles 16 to 46 of Regulation (EU) 2024/1624 during 2026, prioritizing the categories where divergence between current practice and the new text is largest. Crypto-asset service providers, which in many cases have only been subject to AML supervision since 2020, face the steepest CDD remediation curve.

Data, technology, and the transaction monitoring question

The third workstream concerns data architecture. AMLA's draft RTS on transaction monitoring, expected for consultation in mid-2026, is anticipated to require structured data formats, retention of model documentation including training data lineage for any machine learning systems, and demonstrable testing against typologies published by the Authority. Firms relying on legacy rules-based monitoring with limited tuning history should assume that the supervisory expectation by 2028 will be closer to model risk management standards under SR 11-7 in the United States than to the looser frameworks historically tolerated in much of Europe.

The fourth workstream is beneficial ownership data quality. Regulation (EU) 2024/1624 lowers the ownership threshold to 25% plus one share, refines the definition of "control through other means," and requires obliged entities to verify beneficial ownership information against the central registers established under AMLD6 and to report discrepancies. The discrepancy reporting obligation is the operationally significant change: a firm that identifies a difference between its CDD file and the register must report it, and failure to do so is itself a sanctionable breach. Firms should expect to make discrepancy reports at scale during the first 12 months of register integration, and process design should anticipate volume.

Sanctions screening and the high-risk third country list

The fifth workstream addresses sanctions and high-risk third country screening. The European Commission maintains a list of high-risk third countries under Article 29 of Regulation (EU) 2024/1624, distinct from but overlapping with the FATF (Financial Action Task Force) grey and black lists. Enhanced due diligence is mandatory for any business relationship or transaction involving a listed jurisdiction, and the EDD measures specified in Article 34 are prescriptive: senior management approval, additional information on the source of funds and source of wealth, enhanced ongoing monitoring, and where appropriate, restrictions on the relationship. Firms that have historically applied a single risk-based EDD framework will need to overlay the prescriptive EU list-driven requirements without weakening their broader risk-based approach.

The sixth workstream is reporting infrastructure. FIU reporting formats are being harmonized under AMLD6, with goAML or equivalent structured data standards expected to become the norm across EU FIUs by 2028. Suspicious transaction report (STR) submission systems, supporting documentation workflows, and feedback loops from FIUs need to be ready for a higher-volume, more structured environment. Firms operating across multiple Member States should expect transitional inconsistency through 2027 and budget accordingly for parallel reporting capability.

AML Compliance Strategy Europe 2026: A Practical Operating Model

An effective AML compliance strategy Europe 2026 firms can defend before AMLA inspectors needs to be built around three operating principles. First, documentation must precede activity rather than follow it; AMLA's inspection methodology, modeled on ECB SSM practice, will start from policies, procedures, and committee minutes and work outward. Second, group-level consistency matters more than ever, because the Authority can demand evidence of how a group risk appetite translates into local execution across multiple Member States. Third, supervisory dialogue itself becomes a control: firms that wait to be told what is expected will be at a structural disadvantage compared with those who engage in consultations, attend industry roundtables, and document their interpretation of evolving guidance.

The operating model implication is that the second line of defense — the AML compliance function — needs sufficient seniority, headcount, and technology investment to operate as a peer of the prudential risk function. Many EU firms have historically resourced AML compliance at a fraction of the level allocated to credit risk or market risk, and the new sanctions ceiling, combined with the public naming convention for AMLA decisions, makes that allocation indefensible. Boards should be receiving formal AML readiness reporting at least quarterly from 2026 onward, with specific milestones tied to the AMLA regulatory timeline.

What to do in the next twelve months

In the period from Q2 2026 to Q1 2027, four actions are non-negotiable. Firms should complete a documented gap assessment against Regulation (EU) 2024/1624, identifying every clause where current policy diverges from the new requirement and assigning a remediation owner and date. They should appoint or confirm the management body member responsible for AML compliance and the senior compliance officer, with documented terms of reference satisfying Article 11. They should engage with each AMLA consultation that touches their business model, even where the response is brief, to establish a record of regulatory engagement. And they should benchmark their transaction monitoring, customer risk rating, and EDD frameworks against publicly available supervisory expectations from the European Banking Authority's existing AML guidelines, which will form the baseline for AMLA's first methodology.

For firms that may be selected for direct supervision — broadly, large cross-border banks operating in six or more Member States, major payment institutions, and the largest CASPs — an additional preparatory step is to model the JST relationship. This means identifying the senior executives who will engage with AMLA, ensuring they have capacity, and running tabletop exercises on inspection scenarios. The ECB SSM experience suggests that the first 18 months of direct supervision are the most operationally intense, and firms that have rehearsed will manage that period materially better than those that have not.

Frequently Asked Questions

Q: Will my firm be directly supervised by AMLA?

Direct supervision applies only to selected obliged entities chosen by AMLA under the criteria in Article 13 of Regulation (EU) 2024/1620, expected to total approximately 40 firms in the first 2028 cohort. To be selected, an entity must operate in at least six Member States and meet risk-based thresholds related to customer base, products, and geography. All other obliged entities remain under national supervision but are subject to AMLA's binding technical standards and indirect oversight.

Q: What is the maximum penalty AMLA can impose?

For selected obliged entities that are legal persons, AMLA can impose administrative pecuniary sanctions up to the higher of 10% of total annual turnover in the preceding business year or €10 million for serious, repeated, or systematic breaches under Article 22 of Regulation (EU) 2024/1620. For natural persons in management roles, the ceiling is €5 million. Sanctions are published on AMLA's website with the entity named, and the publication remains accessible for at least five years.

Q: When do the new AML rules actually start applying?

Regulation (EU) 2024/1624 — the Single Rulebook — becomes applicable on 10 July 2027 and applies directly without national transposition. AMLA's direct supervision of selected obliged entities begins on 1 January 2028. Member States must transpose Directive (EU) 2024/1640 by the same 10 July 2027 deadline, with full operational maturity expected by the end of 2029.

Practical Readiness Checklist for the Next 18 Months

Compliance leaders should treat the period from Q2 2026 through Q4 2027 as a structured remediation program with board-level sponsorship, not as business-as-usual policy refresh. The following sequence of concrete actions should be tracked against fixed dates and reported to the audit or risk committee on a quarterly cadence.

By the end of Q3 2026, complete a full gap assessment against the 88 articles of Regulation (EU) 2024/1624, with each gap rated by remediation effort and supervisory criticality, and confirm board-level designation of the management body member responsible for AML compliance and a distinct senior compliance officer with documented direct access to the board. By the end of Q4 2026, submit responses to each AMLA consultation affecting your business model, complete an inventory of beneficial ownership data quality across all customer files above the new 25% threshold, and finalize a target operating model for the AML compliance function with headcount, technology, and budget approved through 2028.

By the end of Q2 2027, complete the rebuild of customer due diligence policies, transaction monitoring rules, and enhanced due diligence procedures against the new framework, with system changes deployed and tested. By the end of Q3 2027, conduct a full readiness rehearsal — ideally an external review — covering the documentation, governance, and technology stack a JST inspector would examine.