AML overhaul: how AMLA and the EU AML Regulation are reshaping supervision, and why 2026 is the year to act

A new era in EU AML supervision

Europe’s AML framework has been creaking at the seams for years. Enforcement has varied wildly between member states and supervisory expectations have been inconsistent. Reporting standards have also differed to an extent that makes cross-border oversight nearly impossible. For financial institutions that meant operational complexity, while for criminals it created opportunities that were quickly exploited.

AMLA is the EU’s answer. It was created under Regulation (EU) 2024/1620 and adopted as part of a wider package aimed at aligning anti-money laundering (AML) and countering financing of terrorism (CFT) rules across the EU. It has legal existence since mid‑2024 and officially started operations in 2025.

Its mission is straightforward. It will introduce a single supervisory authority that ends this longstanding fragmentation, imposes consistent standards and closes the gaps that unlawful networks have exploited for too long.

AMLA’s mandate is wide:

• Coordinate national AML/CFT supervisors and complete the EU Single Rulebook for AML.
• Directly supervise a set of high‑risk cross‑border obliged entities.
• Improve cooperation with Financial Intelligence Units (FIUs) and other EU authorities.
• Set harmonised regulatory and technical standards for implementation.

These aren’t minor adjustments. Together, these factors are fully focused on driving a structural change to centralised, data‑driven AML supervision across the EU. Instead of a mixture of national interpretations, AMLA will introduce the foundation for a more unified, data-driven approach to financial crime oversight across the EU.

The timeline set out by AMLA makes 2026 crucial for all affected entities, but notably for compliance teams. For every obliged entity subject to AML/CFT rules, it’s the year to prepare, as more guidance, standards and expectations are due to take shape before regulation formally takes effect in 2027. That window is shorter than it seems. Anyone treating this as a 2027 problem will find themselves left behind and regulators will notice.

How AMLA regulation changes supervision

For decades, EU member states ran their own AML supervision. Fragmented national frameworks created duplication, inconsistency and regulatory weaknesses that criminals learned to exploit.

In a complete change to its structure, AMLA fixes this with a dual‑layer model:

Direct supervision for the most complex, cross‑border institutions. These entities will be overseen by joint teams led by AMLA, using consistent criteria and methodologies. The intention is to ensure that companies with the greatest cross-border exposure are assessed through a single, consistent supervisory approach, rather than through multiple national interpretations.

Indirect supervision for other companies, where national authorities retain responsibility for most financial institutions and other obliged entities. However, their supervisory process will be shaped by AMLA’s standards, methods and technical guidance. In practice, this means that national supervision will operate within a more consistent EU framework, reducing the differences that have historically existed between jurisdictions.

AMLA is more than an advisory authority. For directly supervised high‑risk entities, it exercises full supervisory and enforcement powers under EU law, including the power to impose sanctions, while national authorities continue to enforce AML/CFT rules for all other obliged entities.

The ultimate goal is a single European supervisory culture that overlays national frameworks with better intelligence sharing and a focus on closing the gaps that have long undermined the EU’s AML defences. The need for such coordinated oversight has been long overdue but it is now expected to improve the detection of money laundering risks and strengthen the overall integrity of the European financial sector.

Whether AMLA delivers on that ambition will depend on execution. But the structure is, finally, fit for purpose.

What this means for banks, fintechs and payment institutions

The impact of AMLA will vary depending on how well‑prepared an institution is, but no obliged entity escapes its reach. For compliance, risk and financial crime teams, the shift from nationally interpreted rules to a single EU framework is a major structural change that will expose weaknesses in governance, data infrastructure, risk methodology and operational design. This is a direct consequence of decades of directive‑based regulation, which required all European financial institutions to design their AML/CFT frameworks around national transpositions and local supervisory practices.

The picture from the industry is mixed. Many institutions, particularly those already operating across multiple jurisdictions, welcome the prospect of harmonised standards. Regulatory clarity, in principle, reduces the cost and complexity of managing different national requirements. EY research¹ found widespread concern about the transition itself from operational disruption to rising compliance costs and the challenge of bringing together years of locally developed processes with a unified EU framework

The four areas where we expect the AMLA impact on banks and other obliged entities will be most visible are:

1. Standardised risk assessment and scoring

AMLA intends to introduce consistent methods for risk assessment, including inherent and residual risk scoring. Draft standards point to more structured and demanding data‑rich risk models to assess financial crime risk. It goes well beyond what most national frameworks currently require and involves a three-step approach:

1. Assessment and classification of each entity’s money laundering/terrorist financing (ML/TF) risk.
2. Reviewing how effective the entity’s AML/CFT controls are at mitigating these risks.
3. Any residual risks should be assessed after all AML/CFT controls have been applied.

This sequencing matters, because it requires institutions to move beyond surface-level compliance and demonstrate a genuinely integrated view of risk. It needs to be one that connects inherent exposure, control effectiveness and lasting risk in a logical, documented chain.

The implication for banks and fintechs is significant. Risk assessment can no longer be a locally-produced document that satisfies a single national supervisor. It must reflect a consistent group-wide methodology, using measurable risk indicators and audit trails capable of withstanding EU-level scrutiny. That means shared definitions, common metrics and a governance process that ensures consistency across jurisdictions. It can no longer be just at the point of regulatory submission but embedded in how risk is monitored and reported day-to-day.

For many institutions, the harder problem is data. Risk scoring models are often built separately in different markets, drawing on varied data sources and applying different thresholds. Consolidating those models, while still demonstrating that the consolidated output is reliable, requires both technical integration and clear model governance.

Firms with decentralised compliance structures or fragmented legacy systems should treat this as an urgent priority to rebuild, not just another 2026 project.

A further consequence of this data-driven approach is that differences between institutions will become more transparent. Common risk indicators and standardised scoring methods will make it easier for supervisors to compare risk profiles, control effectiveness and residual risk across firms and jurisdictions.

This will expose inconsistencies that have often been hidden by national methodologies. Institutions operating in historically less demanding supervisory environments may come under greater pressure, while cross-border groups will be expected to explain why similar activities produce materially different risk outcomes. AMLA’s methodology is therefore not only a supervisory tool, but a mechanism that incentivises institutions to align their approaches by making differences visible, measurable and actionable.

2. Consistent KYC and CDD expectations

Under AMLA’s Single Rulebook, customer due diligence (CDD) expectations will move toward consistency across member states. A new baseline will be set, and that baseline will be at the higher end of current national practice, not the average. Institutions that have calibrated their CDD processes to more permissive national interpretations should expect to close significant gaps. Those already operating at higher standards will have less ground to cover, but will still need to demonstrate that their policies are clearly aligned with the new framework, not merely compatible with it.

This change will affect:

• Onboarding and ongoing monitoring processes.
• Customer risk scoring logic and documentation.
• PEP, sanctions and adverse media screening.
• Data flows to support consistent CDD outcomes.

All of these will need to be reviewed, and in many cases rebuilt, within a single logical policy structure applicable across all EU operations.

Once again, this is not straightforward. The EY survey found that 85% of institutions identified conflicting national legislation and varied interpretation of AML directives as the biggest implementation challenge under AMLA. From our experience, that figure is credible. Years of localised policy development have created compliance structures that are resistant to harmonisation.

Rewriting policies is manageable. Redesigning customer risk models and retraining staff across multiple markets is a far more complex undertaking. In addition, it requires ensuring that group-level standards are applied consistently at the point of customer interaction, which demands sustained programme investment rather than a simple policy refresh.

A critical implication of more consistent CDD standards is tighter integration between KYC and transaction monitoring. Under the Single Rulebook, customer due diligence can no longer be treated as a static onboarding exercise or a periodic refresh obligation disconnected from transactional behaviour. Customer profiles, risk ratings and expected activity patterns will need to feed directly into transaction monitoring solutions. Equally, unusual transaction activity should trigger timely reviews of KYC data, customer risk classifications and due diligence records. In practice, this creates a continuous feedback loop in which KYC informs transaction monitoring, and transaction monitoring drives KYC updates when customer behaviour changes.

The danger of surface-level compliance is a further risk that deserves attention. Institutions that update documentation without genuinely redesigning underlying processes will face scrutiny under AMLA’s more hands-on supervisory model. AMLA’s direct supervision teams will probe how CDD standards are applied in practice, not just what the policy says.

3. Enhanced reporting and data quality

AMLA’s new supervisory risk assessment methodology, built on harmonised indicators and structured data submissions, signals a change: supervision is becoming data‑driven rather than narrative‑based.

In fact, the quality of an institution’s data will itself become a supervisory finding. Regulators will not only assess what controls are in place, they will also judge whether the data feeding those controls is consistent, traceable and auditable across the group.

For many companies, this is where the gap between current state and regulatory expectation is widest. AML data environments in large, multi-jurisdiction banks are often fragmented by design, having grown via years of acquisitions, legacy system constraints and local IT decisions. Transaction monitoring outputs, customer risk scores, SAR data and KYC records frequently sit in separate systems, maintained by separate teams, with no reliable way to combine this at group level.

That fragmentation is no longer defensible. AMLA regulation will expect institutions to demonstrate clear data lineage, from the ability to trace how risk data is generated and transformed to when it is validated and used across the organisation. It will expect group-wide datasets that are consistent and reconcilable. And it will expect reporting outputs that reflect a genuine, integrated view of financial crime exposure rather than a collection of locally-produced reports thrown together at the point of submission.

Meeting this standard requires investment in data governance infrastructure. Firms will need to enhance common data dictionaries, defined ownership of AML data assets, automated data quality controls and the analytical capability to identify and resolve inconsistencies at scale.

For compliance leaders, this means closer engagement with technology, data engineering and model governance functions than most AML programmes have historically maintained. Institutions that continue to treat data quality as an IT problem rather than a compliance risk will find themselves exposed.

4. Elevated governance and accountability

AMLA’s supervisory model is not confined to systems and controls. It extends to how institutions are governed. Senior management and boards will be assessed on their engagement with financial crime risk and the expectation is significant involvement, not formal sign-off. Risk appetite statements, governance frameworks and escalation structures will need to be genuinely aligned with EU standards, rather than simply adjusted to satisfy a regulatory checklist.

Compliance leaders need to be aware that AML can no longer be managed as a specialist function operating in isolation from the rest of the business. Board-level engagement must be evidenced, not assumed. Institutions will need:

• Clearly documented governance frameworks and oversight.
• Alignment between business strategy and financial crime risk management.
• Evidence of board‑level engagement in AML strategy.
• Risk appetite statements aligned with EU standards.
• Strong three lines of defence practices, with accountability at each layer.

AMLA also brings a sharper enforcement dimension. The authority’s ability to impose sanctions directly on obliged entities, whilst using consistent criteria across jurisdictions, removes the flexibility that has historically softened enforcement risk in some member states. Control failures that might previously have attracted national supervisory criticism could now carry significant financial and reputational consequences at EU level.

The resource implications are real. The EY survey found that 60% of institutions expect to need new technology investment to meet AMLA requirements, but technology alone is insufficient. Institutions will need expanded internal capability across data analysis, model governance, regulatory reporting and senior compliance advisory functions. Many will face pressure on specialist talent at exactly the moment when demand across the industry is rising.

The institutions that will navigate AMLA most effectively are those that treat it as an organisational transformation, rather than just another compliance project. It will require coordinated change across compliance, risk, operations, technology and leadership, with sufficient investment and board-level sponsorship to make that change stick.

Act now because the window is narrowing

AMLA is not a future consideration, but an active regulatory programme with a defined timeline and 2026 is the year that will separate institutions that are genuinely prepared from those that are not. The standards, expectations and supervisory methodologies are taking shape now. Waiting for final guidance before acting is a reactive strategy in a supervisory environment that won’t be rewarded.

The case for AMLA regulation is straightforward, albeit overdue. Europe’s fragmented AML framework has been a structural liability for too long. A single supervisory authority with consistent standards, real enforcement powers and a data-driven approach is the right structure. Institutions should accept that, align to it and focus their energy on execution rather than resistance.

For compliance leaders who move with urgency, AMLA offers something genuinely valuable in the form of a more predictable, consistent regulatory environment that rewards well-run compliance programmes and reduces the cost of managing divergent national requirements. That is worth building toward.

But the opportunity is only available to those who act decisively. The institutions that will emerge from this transition in the strongest position are those that start the hard work now.

¹ Source: Navigating the next wave of AML regulation to drive strategic innovation | The role of AMLA by EY