AMLA: Europe's New AML Authority Is Now Operational — WEurope's anti-money laundering landscape is undergoing its most significant structural transformationhat Compliance Officers Need to Know in 2026

Why AMLA Matters: The End of Fragmented Supervision

For years, the EU's AML framework suffered from a structural weakness: directives were transposed into national law differently across member states, creating an uneven patchwork of supervision and enforcement. Large financial groups operating across borders could — intentionally or not — exploit these inconsistencies. The result was well documented: supervisory arbitrage, divergent CDD standards, and enforcement gaps that financial crime actors exploited systematically.

AMLA is the EU's decisive answer to this fragmentation. Rather than issuing recommendations to national authorities, AMLA will directly supervise the highest-risk financial institutions in the EU, and indirectly coordinate supervision across all member states through a unified rulebook and common methodology.

The Milestone of 24 March 2026: AMLA's First Public Hearing

On 24 March 2026, AMLA held its first public hearing — a landmark event in the development of the EU's new AML/CFT framework. This hearing marked a clear signal that AMLA is moving from institutional setup to substantive regulatory action. It also signals an increased engagement with industry stakeholders, which is unusual for a supervisory authority in its first year of existence. For compliance practitioners, the fact that AMLA is already holding public hearings means the window for influencing how the regulatory framework is shaped is still open — but narrowing fast.

Key Milestones and the Road to 2028

Understanding the AMLA timeline is essential for any compliance team building a roadmap. Here is where things stand:

July 2025 — Operational launch. AMLA assumed its legal powers and dual mandate: direct supervision of high-risk entities and coordination of national Financial Intelligence Units (FIUs). At launch, the authority employed approximately 80 core professionals, focused on supervisory design, FIU coordination, and rulebook harmonisation.

January 2025 — Governance milestone. The Council of the EU appointed Bruna Szego as the first AMLA Chair, and Nicolas Vasse was named permanent Executive Director. MoUs were signed with the ECB, EBA, ESMA, and EIOPA.

December 2025 — First supervisory instruments published. AMLA published draft Regulatory Technical Standards (RTS) on risk assessments and entity selection methodology. For the first time in EU history, supervisors across all member states will use a common methodology to assess money laundering and terrorist financing risks. A public consultation ran until 27 January 2026.

2026 — Testing and preparation phase. This is the year where AMLA works with national supervisors to test the risk assessment methodology before it becomes operational. Technical standards on CDD, risk classification, transaction monitoring, and governance structures are being finalised. This is the year compliance teams must act.

July 2027 — Full legal powers activated. From 10 July 2027, the new EU AML Regulation (AMLR) becomes directly applicable across all member states — no national transposition required. This is a fundamental change from the previous directive-based approach.

July 2027 to end of 2027 — Selection process. AMLA will select approximately 40 of the most complex, highest-risk financial institutions for direct supervision. Initial scoping work is already underway. AMLA must publish the list of selected entities without undue delay after the selection process concludes.

January 2028 — Direct supervision begins. AMLA assumes full direct supervisory authority over selected entities, with broad investigatory powers: information requests, on-site inspections via joint supervisory teams, access to internal audit reports, databases, and decision-making processes — including those generated by algorithms.

What "Direct Supervision" Actually Means in Practice

The term "direct supervision" deserves unpacking. AMLA will directly supervise approximately 40 entities — those with significant cross-border exposure and elevated financial crime risk profiles. This is expected to include large banks, payment institutions, and crypto-asset service providers.

For selected entities, AMLA will replace the role of national competent authorities in day-to-day supervision. It will deploy joint supervisory teams (JSTs) composed of AMLA staff and national supervisors. It will be able to request documents, interview staff, access systems, and conduct on-site inspections. It will have the power to impose sanctions.

For all other entities — the vast majority of European financial institutions — AMLA will exercise indirect supervision by ensuring national authorities apply EU standards consistently. The unified rulebook, the common risk assessment methodology, and the harmonised technical standards will apply regardless of whether you are directly supervised by AMLA or not.

What This Means for Investment Funds and AIFMs

As professionals focused on alternative investment funds, this evolution deserves particular attention. AIFMs — including those regulated by the CSSF in Luxembourg — operate in a regulatory space that AMLA will increasingly shape, even if they are unlikely to be among the 40 directly supervised entities initially.

Several implications stand out. The AMLR, directly applicable from July 2027, will standardise CDD obligations, ongoing monitoring requirements, and beneficial ownership identification across the EU. Luxembourg's AIFM sector — accustomed to navigating CSSF AML circulars alongside AIFMD obligations — will need to align its internal frameworks with the new single rulebook. The era of jurisdiction-specific AML interpretations is coming to an end.

AMLA is also expected to focus significantly on cross-border situations — precisely the environment in which international fund managers operate. Sub-fund structures, multi-jurisdiction distribution, delegation arrangements, and complex investor bases are all areas where AMLA's harmonised approach will have direct operational impact.

For fund compliance teams, the immediate priorities should be: reviewing existing CDD frameworks against AMLA's forthcoming technical standards, updating business-wide risk assessments to reflect AMLA's emerging risk classification methodology, and ensuring that governance and senior management accountability structures are sufficiently robust to withstand direct regulatory scrutiny.

The Data-Driven Supervision Model

One of AMLA's most consequential characteristics is its stated commitment to a data-driven supervisory approach. Unlike traditional AML oversight — which relied heavily on periodic inspections and document reviews — AMLA intends to build a centralised data infrastructure, the AMLA Database, to support risk-based supervision at EU level.

AMLA has already published the reporting package for its data collection and testing exercise, with sampled entities invited to download templates and engage with the process. The RTS on the AMLA Database had a statutory deadline of 27 December 2025, though AMLA has flagged that some technical standard deadlines are at risk due to recruitment challenges.

This shift toward quantitative, data-driven supervision has profound implications. AML compliance teams that cannot produce clean, structured, exportable data about their risk exposures will face significant difficulties. "Black box" compliance systems — those that produce defensible outputs without a transparent audit trail — will attract heightened scrutiny.

My Assessment: 2026 Is the Year to Act

I have spent over 25 years working in compliance across major international financial institutions and as a Conducting Officer and CEO of a Luxembourg-regulated AIFM. In that time, I have lived through multiple waves of AML regulatory reform — from FATF mutual evaluations to the AIFMD compliance build-out to the EU's successive AML Directives.

AMLA is different in nature, not just in degree. It represents a structural shift in how financial crime risk is governed in Europe — from decentralised, directive-based national supervision to centralised, regulation-based, data-driven EU-level authority. The implications for compliance frameworks, governance structures, and operational processes are profound and non-negotiable.

My recommendation to fellow compliance officers: do not wait for the 2027 legal deadline. The methodology AMLA is testing in 2026 will shape how your institution is assessed for risk. Engage with the public consultations. Review your CDD and monitoring frameworks against AMLA's published RTS. Strengthen senior management accountability. And ensure your data infrastructure can support the supervisory expectations of a digital-first EU regulator.

The compliance profession is changing. AMLA is part of that change. Understanding it deeply — not just tracking the headlines — is what sets effective compliance officers apart.

Sylvain Aubry

CEO & Conducting Officer, CIM Europe S.à r.l. (CSSF-approved AIFM, Luxembourg)

Member, ALCO | Member, Luxembourg National AML Committee

April 2026