How can EU leaders get ahead as AMLA and AMLR transform supervision

From rules to structured data

AMLA’s supervisory model and the draft technical standards shift expectations toward structured data, consistent risk scoring and coordinated crossborder reviews. The combined framework of AMLR, the Sixth Anti Money Laundering Directive (AMLD6), the AMLA Regulation and associated technical standards creates a predictable baseline for both regulators and firms. Supervisory engagement will increasingly depend on the quality, structure and traceability of the information firms provide.

Proportional, riskbased customer due diligence in practice

Under AMLR and the draft standards on CDD, firms must verify information that reflects the risk level of each relationship. In lowerrisk situations, simplified due diligence can reduce the amount of information collected. In higherrisk situations, Enhanced Due Diligence (EDD) requires a deeper review of source of funds, source of wealth, transaction patterns and exposure to politically exposed persons.

Remote onboarding is now a mainstream expectation. The introduction of the European Digital Identity Framework, including eIDAS 2.0 and the European Digital Identity Wallet, will raise the level of assurance for digital identification. Firms will need to accept these identification methods when customers choose to present them. A practical workflow is to confirm identity and beneficial ownership first and then collect information on purpose and intended nature. Additional EDD can be applied if indicators of elevated risk appear.

A harmonized approach to risk assessment

The draft technical standards introduce a single structure for assessing inherent risk, control quality and residual risk. Inherent risk is determined by customer, product, channel and geography. Control effectiveness is determined by governance, monitoring and escalation arrangements. Residual risk determines the level of supervisory attention and internal resourcing. Automation is encouraged but supported by manual override so that expert judgment remains part of the process. Annual risk re-assessments will be expected for most firms. Lowrisk firms may follow longer cycles. AMLR also clarifies the timing for periodic know your customer (KYC) reviews, which will drive adoption of perpetual and eventdriven KYC processes.

Direct AMLA supervision: are you in scope?

From 2028, AMLA will directly supervise up to 40 selected obliged entities. Eligibility hinges on operating in six or more Member States and exhibiting high residual risk. While the final selection criteria are set by the RTS and AMLA, it has been said that there will most probably be at least one directly supervised entity from each EU member country, ensuring broad geographic representation and oversight. Draft RTS proposes materiality thresholds per Member State (e.g., greater than 20,000 customers or greater than €50m transactions) to count cross-border activity. Firms near these thresholds should assess footprint, data readiness, and supervision readiness now. AMLA will also coordinate national supervisors and support FIUs (e.g., FIU.net and joint analyses), creating a more cohesive supervisory culture even for entities not directly supervised.

Direct AMLA supervision

From 2028, AMLA will directly supervise up to 40 firms that meet the criteria for high residual risk and crossborder presence. Draft criteria include operating in at least six Member States and meeting thresholds such as customer numbers or transaction volume. Firms close to these thresholds should evaluate their operational footprint, data readiness and supervisory preparedness. AMLA will also coordinate national authorities and support Financial Intelligence Units to promote more consistent supervisory cultures across the European Union.

Implications for crossborder mergers and acquisitions

The single rulebook reduces uncertainty after closing transactions, but presign diligence will need to go further. Buyers will focus on data quality, beneficial ownership information, connectivity to national and European registers and alignment with the new onboarding and monitoring standards. The consistency of enforcement, including potential financial penalties, will require buyers to model remediation more explicitly.

Group-wide expectations

The new framework reinforces parentlevel responsibility for groupwide AML and counter terrorism financing programs. This includes consistent policy implementation, controlled information sharing, confidentiality safeguards and compliance with data protection law. Previous rules required mechanisms for sharing suspicious activity information. The single rulebook strengthens these expectations across all jurisdictions in which groups operate.

Technology and the pursuit of trust

Firms aiming to succeed under the new regime should consider investing in strong data lineage, high-quality reporting, reliable digital identity services and automated risk assessment. Integration with European registers for beneficial ownership, bank accounts and real estate will become essential. Firms that treat identity verification, continuous KYC and travel rule processes as core infrastructure will reduce supervisory friction and support growth strategies such as acquisitions and crossborder expansion.

Practical next steps

• Conduct a gap analysis against AMLR and the draft technical standards and ensure onboarding focuses on riskrelevant information in line with simplified and enhanced due diligence options.
• Deploy automated risk scoring for inherent, control and residual risk and integrate eIDAS and European Digital Identity Wallet capabilities to support eventdriven and perpetual KYC.
• Update governance to reflect outsourcing arrangements, sanctions screening, transaction monitoring, confidentiality expectations and groupwide information sharing. Provide training so teams understand how to apply proportionality in digital environments.

Final thought: Focus on building trust through compliance and transparency

The EU AML package rewards firms that build strong data foundations and apply riskbased methods with discipline. AMLR takes effect in 2027, and AMLA begins direct supervision in 2028. Early action may help reduce compliance costs, support market access and strengthen competitive positioning.