
AMLA: What It Requires and Who It Applies To

Applies to: banks, EMIs, VASPs
Jurisdictions: EU

The EU Anti-Money Laundering Authority Regulation (Regulation (EU) 2024/1620) is an EU law that establishes AMLA as the bloc's first centralised AML/CFT supervisory body, replacing the fragmented national oversight model. It applies to banks, electronic money institutions, and crypto-asset service providers across all 27 EU member states. The regulation entered into force on 1 July 2024, with AMLA's direct supervision of the highest-risk cross-border entities beginning by 2028.

What is AMLA?

AMLA (the Anti-Money Laundering Authority) is a new EU regulatory agency created by Regulation (EU) 2024/1620, published in the Official Journal on 19 June 2024. It's the EU's institutional answer to a decade of high-profile failures: Danske Bank's roughly €200 billion in suspicious flows through its Estonian branch, ING's €775 million Dutch settlement in 2018, and the systemic gaps that let criminal funds cross EU borders while national supervisors operated in silos.

The core problem AMLA is designed to fix is regulatory fragmentation. Before AMLA, AML supervision was handled by national competent authorities (NCAs) under directives that required domestic transposition. That meant 27 different implementations of the same rules, 27 different supervisory cultures, and predictable arbitrage for sophisticated laundering networks. The 2022 EBA peer review on AML/CFT supervision (European Banking Authority, Anti-Money Laundering and Countering the Financing of Terrorism, 2022) documented CDD quality deficiencies across 13 of the 27 member states. That's not an outlier. That's the norm that AMLA is built to correct.

AMLA changes the architecture in two ways. First, it acts as direct supervisor for the EU's most systemically significant cross-border obliged entities, up to 40 at any one time. Second, it coordinates and peer-reviews all national supervisors across the EU. Frankfurt was selected as AMLA's seat in November 2023.

The regulation is part of a broader 2024 EU AML package. The EU AMLR (Regulation (EU) 2024/1624) provides the single substantive rulebook that AMLA will supervise and enforce. The recast 6AMLD covers national supervisory architecture and FIU mandates, with transposition required by 2027. AMLA itself is the institutional pillar: the body that holds institutions to the single rulebook.

Full operational capacity, including direct supervision, is expected by mid-2028. Between now and then, AMLA is building its supervisory methodology, hiring staff, and running coordination exercises with NCAs.


Who does AMLA apply to?

AMLA's supervisory reach covers two tiers.

Directly supervised entities (DSEs) are the highest-risk cross-border obliged entities. AMLA will directly supervise up to 40 at any time, selected using a risk-scoring methodology that assesses cross-border presence across at least six EU member states, transaction volumes, and product risk indicators. The first selection process runs in 2025, with direct supervision beginning in 2028.

Indirectly supervised entities are all other obliged entities subject to the AMLR. NCAs remain the frontline supervisors for these firms. AMLA sets binding technical standards, conducts thematic reviews, and peer-reviews NCA performance. If AMLA identifies persistent supervisory failures by an NCA, it can request corrective action or, in extreme cases, assume direct supervision.

Covered entity types include:

  • Credit institutions: banks, savings banks, and EU branches of non-EU banks operating cross-border
  • Electronic money institutions (EMIs): e-money issuers and payment service providers
  • Crypto-asset service providers (CASPs): exchanges, custodians, and wallet providers regulated under MiCA, which classifies them as obliged entities
  • Investment firms and asset managers: portfolio managers, fund managers, and alternative investment fund managers
  • Life insurance undertakings and intermediaries
  • Trust and company service providers (TCSPs)
  • Notaries, lawyers, accountants, and auditors when handling financial transactions or corporate structuring
  • Real estate agents for transactions above €10,000
  • Dealers in high-value goods (luxury vehicles, art, jewellery) for cash transactions above €10,000

The jurisdictional scope covers all 27 EU member states. Non-EU entities with EU branches or subsidiaries that meet the cross-border risk criteria are eligible for direct supervision.


What does AMLA require?

The substantive obligations flow from the AMLR, which AMLA supervises. The core requirements institutions face under the AMLA regime:

  1. Risk-based AML/CFT programme: A documented, board-approved programme with a current business-wide risk assessment, policies, controls, and procedures. Annual review is mandatory. This is the institutional translation of FATF Rec 1.

  2. Customer due diligence: Identification and verification of all customers before establishing a business relationship. Customer Due Diligence (CDD) must be applied on an ongoing basis, with records retained for at least 5 years after the relationship ends. DSEs face 10-year retention requirements under enhanced obligations.

  3. Enhanced due diligence for high-risk scenarios: Mandatory Enhanced Due Diligence (EDD) for politically exposed persons, customers from EU-listed high-risk third countries, correspondent banking relationships, and any customer assessed as high-risk. Senior management approval is required before establishing or continuing these relationships.

  4. Beneficial ownership identification and verification: Institutions must identify and verify the Ultimate Beneficial Owner (UBO) of all legal persons and trusts. No ownership chain can be left unresolved above the 25% threshold. Nominee layers must be looked through. This mirrors FATF Rec 24 directly.

  5. Transaction monitoring: Real-time and retrospective monitoring for patterns consistent with money laundering or terrorist financing. Monitoring thresholds must reflect the institution's own risk profile and must be reviewed regularly. Static, never-updated rules are a supervisory red flag.

  6. Suspicious transaction reporting: Prompt reporting to national Financial Intelligence Units via the FIU.net network. The AMLR doesn't fix a universal reporting window, but most NCAs require SAR (Suspicious Activity Report) filing within 24 to 72 hours of suspicion forming.

  7. Travel Rule compliance: Transfers of funds and crypto-assets above €1,000 must carry full originator and beneficiary information under the EU TFR.

  8. Annual staff training: All relevant staff must complete AML/CFT training each year. Training records must be retained for at least 5 years.

  9. Group-wide policies: Financial groups must apply consistent AML/CFT standards across all branches and subsidiaries, including those outside the EU.

  10. Reporting to AMLA: DSEs must report directly to AMLA's supervisory teams, participate in supervisory colleges, and respond to information requests within AMLA's specified timeframes.


What evidence do regulators expect?

When AMLA or an NCA examines an institution, they're looking for evidence the programme actually works, not just that it exists on paper. The audit-day checklist:

Governance and programme documentation

  • Board-approved AML/CFT policy with a dated revision history showing at least annual review
  • Written terms of reference for the Money Laundering Reporting Officer (MLRO), with documented evidence of direct board access
  • Current business-wide risk assessment covering products, customer types, geographic exposure, and distribution channels
  • Multi-year compliance plan with milestones and resource allocations

Customer files

  • CDD files with verified identification, dated UBO resolution, and documented risk ratings for every customer
  • EDD files for PEPs, high-risk nationals, and correspondent banks, each with visible senior management sign-off
  • Ongoing monitoring evidence: periodic review dates, triggers for re-KYC, and records of reviews completed

Transaction monitoring

  • Alert logs showing each alert reviewed, with analyst notes and disposition recorded
  • Threshold calibration documentation explaining why monitoring rules are set where they are
  • False positive rate tracked over time. Examiners increasingly treat undocumented threshold decisions as a governance gap.

SAR records

  • Internal escalation log showing the date suspicion formed, the date reported, and the approving officer
  • Evidence that tipping-off controls are in place and tested

Training records

  • Role-specific training records for at least the past 5 years, with completion dates and assessment results

Technology audit logs

  • System audit trails for automated screening and monitoring tools
  • Sanctions list update logs and documented hit-testing results, showing the database is current

Common failure modes

AMLA was created because national supervision kept missing the same problems. The failure patterns repeat:

  • Stale CDD files: Customers onboarded years ago with no re-KYC despite clear risk triggers, such as PEP status changes, adverse media, or new geographic exposure. The EBA's 2022 peer review found CDD quality deficiencies in 13 of 27 member states. This is the single most common finding across European supervisory reviews.

  • Transaction monitoring thresholds set once and never revisited: The Danske Bank scandal, which involved approximately €200 billion in suspicious transactions through its Estonian branch between 2007 and 2015, included monitoring systems that flagged a small fraction of what they should have caught. Denmark's Finanstilsynet published its enforcement findings in September 2018.

  • Beneficial ownership left unresolved: Firms accepting UBO declarations from customers without independent verification. AMLA's supervisory methodology will specifically test whether UBO chains are documented, verified, and kept current.

  • Low-quality SAR narratives: Filing SARs to clear backlogs rather than to report genuine suspicion. Short, templated SARs without adequate narrative are consistently flagged in FIU feedback across EU member states.

  • MLRO without authority or resources: The MLRO role treated as an administrative function rather than a decision-making one. AMLA's governance requirements will test whether the MLRO has direct board access, adequate staffing, and demonstrable independence from business lines.

  • Group-wide policy gaps: Policies applied in the EU head office but not enforced in non-EU branches or subsidiaries.


Penalties for non-compliance

AMLA introduces direct sanctioning power that national supervisors have never had over cross-border institutions. The penalty structure under Regulation (EU) 2024/1620 and the AMLR:

For directly supervised entities:

  • Administrative fines up to €10 million or 10% of total annual turnover, whichever is higher, for serious, repeated, or systematic infringements
  • For named individuals (executives and MLROs): fines up to €5 million
  • Additional measures: public reprimands, disgorgement of profits, and temporary bans on individuals from holding management positions

For indirectly supervised entities:

  • NCAs apply the AMLR's harmonised penalty framework, with upper limits of the higher of €10 million or 10% of total annual consolidated turnover for credit institutions and financial institutions

Pre-AMLA enforcement illustrates the scale of exposure. ING Bank paid €775 million in a 2018 Dutch prosecution settlement covering failures that included processing transactions for sanctioned entities and inadequate CDD (Dutch Public Prosecution Service, September 2018). ABN AMRO paid €480 million in a 2021 Dutch criminal settlement for AML programme deficiencies (Dutch Public Prosecution Service, April 2021). The FCA fined Commerzbank AG London Branch £37.8 million in June 2020 for persistent AML control failures spanning several years.

AMLA's direct sanctioning power is designed to close the arbitrage gap where weak national enforcement let problems persist across borders. Institutions with cross-border operations should calibrate their compliance programmes to the most demanding NCA standard, not the average.


Related regulations and frameworks

AMLA is the supervisory pillar of a three-part 2024 EU AML package. Understanding how the pieces fit together matters for compliance planning.

Within the EU AML package:

  • EU AMLR (Regulation (EU) 2024/1624): The single rulebook directly applicable in all 27 member states without transposition. This replaces the directive model that produced inconsistent national implementations under 4AMLD and 5AMLD.
  • 6AMLD recast: Covers national supervisory architecture and FIU mandates. Member states must transpose by 2027.

International foundations:

  • The AMLR and AMLA's supervisory methodology are built directly on FATF standards. FATF Rec 10 underpins the CDD requirements; FATF Rec 20 underpins suspicious transaction reporting. AMLA will use FATF mutual evaluation methodology when assessing national supervisors.

Adjacent EU regulations:

  • MiCA: CASPs regulated under MiCA are obliged entities under the AMLR and fall within AMLA's supervisory reach. The two regimes overlap directly for crypto firms operating at scale across the EU.
  • EU TFR: The Transfer of Funds Regulation requires originator and beneficiary information on fund and crypto-asset transfers, directly within AMLA's supervisory mandate.
  • DORA: Financial institutions subject to AMLA supervision must also comply with DORA's operational resilience requirements. The two regimes share obligations on third-party risk management and incident reporting.

National equivalents:

  • The UK MLR 2017, supervised by the FCA, is the post-Brexit parallel. UK institutions with EU operations face both regimes.
  • The US equivalent framework is the BSA, supervised by FinCEN and the prudential regulators. For global institutions, AMLA and BSA obligations will need to be managed in parallel.

How FluxForce supports AMLA compliance

FluxForce's AI agents automate the transaction monitoring, CDD review, and SAR drafting workflows that AMLA's supervisory methodology examines most closely. Nova Sentinel continuously screens transactions and customer data against current risk profiles. Aiden Flux handles ongoing customer review queues, prioritising by risk score and triggering EDD workflows when thresholds are crossed. Every decision comes with a full audit trail and evidence package, so examiners see exactly why each alert was escalated or closed. Book a demo to see how FluxForce maps to your AMLA obligations.
