AMLA: What It Requires and Who It Applies To
The EU Anti-Money Laundering Authority Regulation (Regulation (EU) 2024/1620) establishes AMLA, a new EU-level supervisory body with authority to directly supervise the highest-risk credit institutions, electronic money institutions, and virtual asset service providers operating across the EU. It entered into force on 9 July 2024, with AMLA beginning operations in Frankfurt on 1 July 2025.
What is AMLA?
Regulation (EU) 2024/1620, known as the AMLA Regulation, creates the Anti-Money Laundering Authority as a dedicated EU supervisory body with direct powers over the highest-risk financial institutions across the bloc. The European Parliament and Council adopted it in May 2024. It entered into force on 9 July 2024, with AMLA beginning operations in Frankfurt on 1 July 2025.
The case for it was built on a decade of documented failure. The Danske Bank scandal, which ran from 2007 to 2015, saw roughly €200 billion in potentially suspicious flows move through a single Estonian branch while multiple national supervisors either missed it or lacked a cross-border mandate to act. ING's €775 million settlement with Dutch prosecutors in 2018 exposed the same pattern. Wirecard's 2020 collapse added a third. AMLA's architects explicitly cited these failures in the legislative record when the European Commission published its proposal in July 2021.
The authority creates a two-tier supervisory structure. It directly supervises a selected cohort of up to 40 high-risk, cross-border obliged entities, with full on-site inspection powers and binding supervisory decisions issued directly to those firms. For the remaining tens of thousands of EU obliged entities, AMLA functions as a standard-setter and coordinator: it issues binding technical standards, runs supervisory colleges, and can investigate and override national supervisors where they're applying EU rules inconsistently.
Frankfurt was selected as AMLA's home in November 2023 after a competitive process involving six candidate cities. The authority assumes full direct supervisory powers over its initial cohort from 1 January 2028.
Who does AMLA apply to?
AMLA's formal scope covers all "obliged entities" as defined in the companion EU AMLR single rulebook. In practice, the population breaks into two tiers.
Directly supervised by AMLA (selection expected in 2026):
- Credit institutions (banks) operating in at least six EU member states with an elevated residual risk profile
- Other financial institutions, including payment institutions and electronic money institutions, meeting the same cross-border and risk criteria
- Crypto-asset service providers licensed under MiCA that operate across multiple member states at significant scale
An institution doesn't opt into direct AMLA supervision. It's selected through a risk-based assessment that weighs inherent risk, geographic footprint, and supervisory track record. The first selection round completes in 2026; direct supervision commences from 1 January 2028.
Indirectly affected through national supervisors (all other obliged entities):
- All other EU-licensed banks, regardless of size
- Electronic money institutions and payment institutions below the direct supervision threshold
- Insurance companies distributing life or unit-linked products
- Investment firms and asset managers
- Mortgage credit intermediaries
- Crowdfunding service providers
- Crypto-asset service providers below the direct supervision threshold
Even if an institution isn't selected for direct supervision, it's still bound by AMLA's binding technical standards and guidelines. National supervisors apply AMLA's methodology when examining those entities. The rulebook is the same across the EU; only the examiner differs.
What does AMLA require?
AMLA imposes obligations at two levels: on obliged entities to run effective AML programs, and on national supervisors to apply AMLA's standards consistently. For obliged entities, the core obligations are:
Business-wide risk assessment. A documented, management-body-approved AML/CFT risk assessment covering customer base, products, delivery channels, geographies, and counterparty relationships. This document must be reviewed and updated whenever material changes occur, and at minimum annually.
Customer due diligence. Know Your Customer (KYC) verification at onboarding is the baseline. Standard Customer Due Diligence (CDD) applies across the board. Enhanced Due Diligence (EDD) is mandatory for politically exposed persons, customers from high-risk third countries, and relationships where ownership structures are deliberately opaque.
Beneficial ownership identification. Firms must identify and verify the Ultimate Beneficial Owner (UBO) at the 25% ownership threshold, consistent with FATF Rec 24. They must also document and report discrepancies between customer-provided information and what appears in EU member state beneficial ownership registers.
Ongoing transaction monitoring. Continuous automated monitoring of customer transactions against expected behavioral baselines. Threshold-based alerts are the floor, not the ceiling.
Suspicious transaction reporting. When there are reasonable grounds to suspect money laundering or terrorist financing, firms must file a report with their national FIU without tipping off the customer. The obligation aligns with FATF Rec 20. There is no de minimis threshold.
Record retention. Five years from the end of the business relationship for both CDD records and transaction records. AMLA can extend this to ten years through a direct supervisory decision for selected entities.
Group-level policies. EU parent institutions must apply group-wide AML/CFT policies across all subsidiaries and branches, including those in third countries where local law sets a lower standard. Where local law prohibits applying EU-standard controls, the institution must notify its national supervisor.
Training. Annual AML training for all relevant staff, documented with attendance and assessment records. Role-appropriate programs are required for frontline staff, compliance teams, and senior management.
What evidence do regulators expect?
AMLA examiners won't arrive looking for reassurance. They'll work backward from documents to transactions, checking whether controls actually caught anything.
The core audit-day checklist:
- AML policy and procedures manual. Board-approved, dated, with version history. Examiners check the approval date against when AML rules changed; unexplained gaps are a finding.
- Business-wide risk assessment. Not a template. A document that reflects actual products, actual customer geography, and actual residual risk ratings after controls. Updated when you launched a new product or entered a new market.
- CDD files. Identity verification documents, source of funds for higher-value relationships, source of wealth for EDD customers. Examiners sample files to confirm that collection dates align with account opening dates.
- Transaction monitoring system configuration. Documented alert thresholds, tuning history, alert volumes by category, and analyst disposition records. An examiner who sees 2,000 alerts closed per analyst per month will ask questions.
- STR filing register. Every filing with the documented rationale. Every decision not to file where an alert was reviewed and dismissed. Both directions require a paper trail.
- Training records. Completion rates by role, assessment pass rates, and the training content itself. Role-specific modules matter for compliance staff and relationship managers.
- Independent testing results. Annual AML program testing by internal audit or a qualified third party, with documented findings, management responses, and evidence that remediation actually happened.
- Management reporting. Board and senior management briefings on AML performance, open issues, and regulatory developments. Examiners verify whether leadership actually received and acknowledged this material.
Common failure modes
The patterns that produce AMLA citations aren't new. They're the same failures EU supervisors have been documenting for over a decade.
CDD files that exist at onboarding and nowhere else. Risk ratings set at account opening and never refreshed. A customer with a moderate-risk rating in 2019 can become high-risk by 2024 after a change of ownership, new product usage, or geographic expansion into a sanctioned jurisdiction.
Transaction monitoring calibration drift. Rules implemented at system launch and never re-tuned as customer behavior and typologies evolve. Alert volumes either overwhelm analysts or collapse to near-zero, both signs of a broken system. The European Banking Authority's 2022 Opinion on ML/TF risks identified transaction monitoring weaknesses, including inadequate calibration, as among the most common findings across supervised institutions.
Inconsistent group policy application. EU parent group, solid program. Third-country branch, local standard applied instead. ING's €775 million Dutch prosecution and the Pilatus Bank collapse both exposed exactly this: group policies in place, local application absent.
STR decisions without documented rationale. Alerts escalated to compliance with a single-line description, then closed with no written reasoning. When AMLA traces backward from a filed report or a missed case, every decision in the chain needs documentation.
VASP-related coverage gaps. Institutions with crypto clients or product lines that haven't applied the FATF VA Guidance standards. AMLA's direct supervision of cross-border crypto-asset service providers makes this an immediate examination priority.
Board-level disconnection. A compliance-owned AML program that leadership never reviews. Examiners ask board members whether they reviewed the last risk assessment. If they can't answer, that's a governance finding.
Penalties for non-compliance
AMLA's fining authority is direct and substantial for entities under its supervision.
For directly supervised entities, Article 26 of Regulation (EU) 2024/1620 sets the maximum administrative sanction at the higher of €10 million or 10% of total annual turnover for serious, repeated, or systematic violations. Periodic penalty payments to compel compliance with a supervisory decision reach €100,000 per day. AMLA can also issue public censure notices, publishing the entity's name and the nature of the breach on its website, and can temporarily prohibit senior managers from exercising their functions.
For entities supervised at national level under AMLA-harmonized standards, the EU AMLR sets the same maximum for legal persons: the higher of €10 million or 10% of annual turnover. Natural persons face up to €5 million.
The enforcement record from the preceding framework shows what's coming. The EBA issued a breach of Union law recommendation against the Malta Financial Services Authority in December 2018 over its supervision of Pilatus Bank (EBA Decision EBA/2018/07), resulting in the bank's license being revoked. In December 2022, Danske Bank pleaded guilty to fraud and agreed to forfeit $2.06 billion to the US Department of Justice, described at the time as the largest money laundering case in US history. Both cases involved precisely the cross-border supervisory gaps AMLA is designed to close.
Related regulations and frameworks
AMLA sits at the center of a legislative package. Understanding it requires understanding what it connects to.
EU AMLR 2024. The EU AMLR (Regulation (EU) 2024/1624) is the substantive rulebook AMLA enforces. Where AMLA is the authority, the AMLR contains the actual obligations: CDD requirements, UBO thresholds, transaction monitoring standards, and STR triggers. The two regulations are inseparable in practice.
6AMLD. The 6AMLD harmonized criminal AML law across member states, expanded predicate offenses to 22 categories, and introduced criminal liability for legal persons. AMLA's administrative powers sit alongside the criminal enforcement that 6AMLD enables.
MiCA and the Travel Rule. MiCA licenses EU crypto-asset service providers; AMLA directly supervises the highest-risk cross-border CASPs among them. The EU TFR extends travel rule obligations to crypto transfers, consistent with FATF Rec 22 and the FATF virtual assets guidance.
National transposition. EU member states must align national AML law with the accompanying directive by mid-2027. UK-based groups with EU subsidiaries face UK MLR 2017 requirements for UK entities and AMLA standards for their EU operations, two separate compliance programs.
US AMLA 2020. The US AMLA 2020 shares the EU's reform agenda: stronger supervisory coordination, beneficial ownership registries, and technology modernization. The two regimes don't align directly, but any institution operating in both jurisdictions manages obligations under both simultaneously.
How FluxForce supports AMLA compliance
FluxForce's AI agents map directly to AMLA's core obligations. Aiden Flux automates Customer Due Diligence (CDD) and ongoing risk rating refresh; stale profiles are flagged before an examiner finds them. Nova Sentinel covers transaction monitoring with documented rationale for every alert disposition. Every decision produces an explainable audit trail, which is what AMLA examiners will look for on day one. FluxForce's Regulatory Compliance Automation platform is built for the supervisory standard AMLA sets. Book a demo to see it in action.
FluxForce AI agents automate evidence capture, monitor transactions against AMLA obligations in real time, and generate audit-ready reports with full decision trails.