Aerial view of frostastaoavatn lake with a vibrant rainbow

How can EU leaders get ahead as AMLA and AMLR transform supervision

Photographic portrait of Manuel Delgado
Manuel Delgado

EY Global FinCrime Solution Leader; EY EMEIA Financial Services FinCrime Solution Leader

5 minute read

AMLA and AMLR will reshape EU oversight, and leaders must act now to compete in a data‑driven supervisory environment.

In brief
  • The EU introduces the Anti Money Laundering Regulation (AMLR) in July 2027 to create a single rulebook that replaces fragmented national rules.
  • The Anti Money Laundering Authority (AMLA) in Frankfurt will strengthen supervision, and direct oversight of high‑risk cross‑border firms begins in 2028.
  • Firms need stronger data foundations, modernized customer due diligence and updated know your customer processes to manage stricter assessment cycles.

Europe is entering a new phase of anti-money laundering regulation as the European Union shifts from diverse national frameworks to a unified supervisory model. The Anti-Money Laundering Authority (AMLA) has been established in Frankfurt, and the Anti-Money Laundering Regulation (AMLR) will introduce directly applicable obligations for the private sector. For senior risk leaders, the central challenge is understanding how to compete in a supervisory environment that is increasingly structured, data driven and cross border.

What’s changed – and why it matters

AMLA began operations in 2025. It will begin directly supervising selected high‑risk and cross‑border institutions in 2028. AMLR (EU) 2024/1624 applies from 10 July 2027 and replaces differing national rules with one set of requirements for all obliged entities. The European Banking Authority has already consulted on a first package of regulatory technical standards that cover Customer Due Diligence (CDD), risk profiling, selection criteria for direct AMLA supervision and sanctions.

Payment and crypto‑asset traceability are already subject to tighter controls because the revised Transfer of Funds Regulation has taken effect. These developments increase comparability across firms. Limited data lineage, inconsistent register connections and uneven group frameworks now affect competitiveness as well as compliance. They can influence access to markets, cost of capital and transaction timelines.

From rules to structured data

AMLA’s supervisory model and the draft technical standards shift expectations toward structured data, consistent risk scoring and coordinated cross‑border reviews. The combined framework of AMLR, the Sixth Anti Money Laundering Directive (AMLD6), the AMLA Regulation and associated technical standards creates a predictable baseline for both regulators and firms. Supervisory engagement will increasingly depend on the quality, structure and traceability of the information firms provide.

How EY can Help

Proportional, risk‑based customer due diligence in practice

Under AMLR and the draft standards on CDD, firms must verify information that reflects the risk level of each relationship. In lower‑risk situations, simplified due diligence can reduce the amount of information collected. In higher‑risk situations, Enhanced Due Diligence (EDD) requires a deeper review of source of funds, source of wealth, transaction patterns and exposure to politically exposed persons.

Remote onboarding is now a mainstream expectation. The introduction of the European Digital Identity Framework, including eIDAS 2.0 and the European Digital Identity Wallet, will raise the level of assurance for digital identification. Firms will need to accept these identification methods when customers choose to present them. A practical workflow is to confirm identity and beneficial ownership first and then collect information on purpose and intended nature. Additional EDD can be applied if indicators of elevated risk appear.

 

A harmonized approach to risk assessment

The draft technical standards introduce a single structure for assessing inherent risk, control quality and residual risk. Inherent risk is determined by customer, product, channel and geography. Control effectiveness is determined by governance, monitoring and escalation arrangements. Residual risk determines the level of supervisory attention and internal resourcing. Automation is encouraged but supported by manual override so that expert judgment remains part of the process. Annual risk re-assessments will be expected for most firms. Low‑risk firms may follow longer cycles. AMLR also clarifies the timing for periodic know your customer (KYC) reviews, which will drive adoption of perpetual and event‑driven KYC processes.

 

Direct AMLA supervision: are you in scope?

From 2028, AMLA will directly supervise up to 40 selected obliged entities. Eligibility hinges on operating in six or more Member States and exhibiting high residual risk. While the final selection criteria are set by the RTS and AMLA, it has been said that there will most probably be at least one directly supervised entity from each EU member country, ensuring broad geographic representation and oversight. Draft RTS proposes materiality thresholds per Member State (e.g., greater than 20,000 customers or greater than €50m transactions) to count cross-border activity. Firms near these thresholds should assess footprint, data readiness, and supervision readiness now. AMLA will also coordinate national supervisors and support FIUs (e.g., FIU.net and joint analyses), creating a more cohesive supervisory culture even for entities not directly supervised.

 

Direct AMLA supervision

From 2028, AMLA will directly supervise up to 40 firms that meet the criteria for high residual risk and cross‑border presence. Draft criteria include operating in at least six Member States and meeting thresholds such as customer numbers or transaction volume. Firms close to these thresholds should evaluate their operational footprint, data readiness and supervisory preparedness. AMLA will also coordinate national authorities and support Financial Intelligence Units to promote more consistent supervisory cultures across the European Union.

 

Implications for cross‑border mergers and acquisitions

The single rulebook reduces uncertainty after closing transactions, but pre‑sign diligence will need to go further. Buyers will focus on data quality, beneficial ownership information, connectivity to national and European registers and alignment with the new onboarding and monitoring standards. The consistency of enforcement, including potential financial penalties, will require buyers to model remediation more explicitly.

Group-wide expectations

The new framework reinforces parent‑level responsibility for group‑wide AML and counter terrorism financing programs. This includes consistent policy implementation, controlled information sharing, confidentiality safeguards and compliance with data protection law. Previous rules required mechanisms for sharing suspicious activity information. The single rulebook strengthens these expectations across all jurisdictions in which groups operate.

Technology and the pursuit of trust

Firms aiming to succeed under the new regime should consider investing in strong data lineage, high-quality reporting, reliable digital identity services and automated risk assessment. Integration with European registers for beneficial ownership, bank accounts and real estate will become essential. Firms that treat identity verification, continuous KYC and travel rule processes as core infrastructure will reduce supervisory friction and support growth strategies such as acquisitions and cross‑border expansion.

Practical next steps

  • Conduct a gap analysis against AMLR and the draft technical standards and ensure onboarding focuses on risk‑relevant information in line with simplified and enhanced due diligence options.
  • Deploy automated risk scoring for inherent, control and residual risk and integrate eIDAS and European Digital Identity Wallet capabilities to support event‑driven and perpetual KYC.
  • Update governance to reflect outsourcing arrangements, sanctions screening, transaction monitoring, confidentiality expectations and group‑wide information sharing. Provide training so teams understand how to apply proportionality in digital environments.

Final thought: Focus on building trust through compliance and transparency

The EU AML package rewards firms that build strong data foundations and apply risk‑based methods with discipline. AMLR takes effect in 2027, and AMLA begins direct supervision in 2028. Early action may help reduce compliance costs, support market access and strengthen competitive positioning.

Summary 

The EU is moving to a unified Anti‑Money Laundering framework through the Anti-Money Laundering Regulation and the new Anti-Money Laundering Authority in Frankfurt. Together, they introduce direct supervision for selected high‑risk cross‑border firms, harmonized risk assessment standards and stronger expectations for customer due diligence, digital identity, and ongoing know your customer reviews. Firms must enhance data quality, governance, onboarding and monitoring processes to meet more consistent and data‑driven supervisory expectations. Early action will reduce compliance costs, support market access and strengthen competitive positioning in the evolving EU regulatory environment.

About this article

Photographic portrait of Manuel Delgado
Manuel Delgado
EY Global FinCrime Solution Leader; EY EMEIA Financial Services FinCrime Solution Leader
Passionate about the creation of sustainable value for customers, people, and society. Keen traveler.
Related topics
Financial services
Anti-money laundering regulations
Innovation
Risk
Disrupting financial crime

Related articles

Why the EU Anti-Money Laundering Authority brings both promise and challenges

Discover the challenges and promise of the EU’s new Anti-Money Laundering Authority (AMLA), in unifying regulations and enhancing financial crime prevention.

Manuel Delgado + 1

How EU Anti-Money Laundering laws can help spur strategic innovation

Learn how financial services firms can harness the new AML rules to shape the future of fighting financial crime and gain a competitive edge.

Manuel Delgado

How new regulation on financial crime will impact the EU AML regime

A new ambitious package overhauls the current EU AML regime, introducing significant change for EU-based firms. Read on to understand the impacts.

Bram van Sunder

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.