Background Impact
Many financial and non-financial organisations are only now beginning to assess the impact of the Authority for Anti-Money Laundering (AMLA). AMLA marks a fundamental shift from Europe’s previously fragmented supervisory landscape to a single EU level authority with direct and indirect powers. AMLA’s Single Rulebook will apply uniformly across all 27 member states from 10 July 2027, establishing one common standard for anti-money laundering/counter terrorist financing (AML/CFT) supervision. The extended scope of the new Single Rulebook will lead to both a significant increase in the number of supervised entities and extend obligations to non‑EU entities when they operate within the EU regulatory perimeter or engage in activities that trigger Anti-Money Laundering Regulation (AMLR) requirements.
Since July 2025, AMLA has established its governance structures, appointed leadership and continued to add staff, opened its head office, advanced the design of central data repositories, and published its Work Programme. As of January 2026, AML/CFT mandates have formally transferred from the European Banking Authority (EBA) to AMLA, accelerating momentum. The initial 40 designated high-risk financial firms subject to direct supervision will be selected by late 2027 and supervision will begin in 2028. Even those entities not initially selected for direct supervision will be impacted by AMLA since entities’ national competent authorities (NCAs), which will remain primarily responsible for AML/CFT supervision, will supervise to AMLA standards as NCAs themselves are subject to AMLA’s oversight.
Through early Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) releases, indirect supervision, data model testing, and enhanced supervisory coordination, AMLA is already shaping expectations well before its onsite supervisory activities begin. Given the scale and pace of change, many organisations feel behind. This year, 2026, must be treated as the year to baseline and accelerate readiness.
AMLA’s Emerging Expectations
With AMLA, there will be innovation and technical changes. On the innovation side, affected entities can expect further coordination amongst financial intelligence units (FIUs) and new intelligent-sharing mechanisms, and access to a new central EU AML/CFT repository of supervisory information collected from all national regulators. Technically, AMLA will introduce new obligations that may require affected entities to make changes to their data models, systems and processes, depending on their current operational maturity and adherence to existing regulations.
AMLA’s Single Programming Document (SPD) sets out 26 RTS, ITS, and guidelines scheduled for release in 2026 and Q1 2027, with around 18 Level 2 measures directly impacting financial institutions. Together, these serve as AMLA’s multiyear road map to provide early visibility into regulatory mandates and the focus of supervisory attention, the depth and structure of data affected entities will need to evidence, and the standards against which governance, controls, and risk management will be assessed. For many affected entities, this is where the scale of change becomes clear and potentially intimidating: the blueprint signals a sustained pipeline of regulatory activity that will require affected entities to manage overlapping consultations, implementation workstreams, and change programmes throughout 2026 and 2027.
Based on AMLA’s initial releases, enhanced scrutiny is expected across high-risk sectors such as banks, payment institutions, e-money providers, and crypto asset service firms. To date, AMLA has released a total of six consultations related to Technical Standards for AMLR, AMLD 6 and AMLA. These Technical Standards, which are outlined in the following chart, are particularly important as they are precursors to day-one supervisory expectations, and act as early expectations for CDD, onboarding, monitoring and governance. The consultation details are as follows:
| Type | Topic | Summary | Consultation Status |
| RTS | AMLR 28(1). Draft Regulatory Technical Standards on Customer Due Diligence. | Establishes uniform CDD requirements, specifying how obliged entities must conduct identification, verification, monitoring, and recordkeeping. Affected entities will be required to accept the electronic identification during onboarding. As such, some affected entities may need to update their digital capabilities to enable the acceptance of the European Digital Identity Wallet for customer identification and verification. | Open – due 8th May 2026 |
| RTS | AMLR 19(9): Draft Regulatory Technical Standards on criteria for identifying business relationships, occasional and linked transactions and lower thresholds. | Defines how to classify linked transactions and introduces lower and stricter harmonised thresholds for when CDD is required.
|
Open – due 8th May 2026 |
| RTS | AMLD 53(10): Draft Regulatory Technical Standards on pecuniary sanctions, administrative measures and periodic penalty payments. | Specifies how sanctions and administrative penalties will be structured, escalated, and applied.
|
Closed – 9th March 2026 |
| RTS | AMLD 40(2): Draft Regulatory Technical Standards on the assessment of the inherent and residual risk profile of obliged entities. | Defines the harmonised scoring model supervisors will use, including indicators, data points, and classification scales.
|
Closed – final report published
|
| ITS | AMLAR 15(3): Draft Implementing Technical Standards on cooperation within the AML/CFT supervisory system for the purposes of direct supervision. | Sets out how AMLA and national financial supervisors cooperate for direct supervision purposes. | Closed – 27th January 2026 |
| RTS | AMLAR 12(7): Draft Regulatory Technical Standards on the risk assessment for the purpose of selecting credit institutions, financial institutions and groups of credit and financial institutions for direct supervision. | Provides the methodology and quantitative criteria for AMLA’s selection of directly supervised entities. | Closed – final report published |
Strategic Board-Level Considerations
Compliance with the new Single Rulebook requires action at the board level, not just operational implementation of the requirements. Key items for board attention include:
- Supervisory engagement: Boards will be expected to ensure their institution can demonstrate compliance on demand, not just describe how they are compliant. Development of a supervisory engagement strategy and central playbook for providing evidence-based demonstration of compliance will be a key success factor.
- Higher governance expectations: AMLA reinforces the need for clear accountability and board-level oversight. Ensuring risk ownership is documented will increasingly become a supervisory focus.
- RegTech and data governance as strategic investments: Supervisory convergence will drive the need for standardised reporting and greater connectedness between entities and systems across geographies. Siloed, legacy compliance infrastructure will no longer be sufficient.
Ten Things to Consider Doing Now
Given the expected wave of RTS and ITS in the coming quarters, what matters now is establishing structured planning. To get started, below are ten practical steps that all affected entities, regardless of whether they expect to be selected as one of the 40 directly supervised entities, should take to help build momentum:
- Establish AMLA-readiness as an enterprise-level transformation: Designate a named senior executive accountable for AMLA readiness, and ensure board visibility, with a steering group and cross-border working group to own AMLA readiness. Take action to ensure leadership appreciates that AMLA is not a policy update; it is an operational, governance, and data transformation programme. Affected entities should ensure that they have a clear plan in place and secure the necessary budget to support this level of transformation.
- Uplift governance structures: Review governance and oversight mechanisms to determine where an uplift will be required to adhere to the new regulatory obligations. This will become especially important for companies operating within a group structure. For groups that are headquartered within the EU, the requirements will apply to their branches and subsidiaries in third countries. On the flip side, entities outside of the EU, but with an EU footprint, are also now part of a centrally coordinated European AML supervision system and subject to AMLA. AMLA expects global organisations with an EU nexus to implement controls that are effective on a global consolidated basis, not just within Europe.
- Launch a data readiness workstream: Confirm governance, lineage, traceability, quality and aggregation of CDD and transaction monitoring data models are all aligned to AMLA’s data-driven supervisory model. These exercises will help support any potential CDD file remediation that may be required and model risk management in relation to AI and machine learning.
- Revisit CDD/EDD standards and refresh cycles: The Rulebook lowers thresholds and standardises CDD expectations, and now is the time to verify and refresh your documentary standards, onboarding rules, and refresh cycles.
- Assess beneficial ownership transparency processes: Confirm the validation, storage, and reporting of beneficial ownership information according to AMLA’s standard.
- Review risk assessments: Ensure business-wide risk assessments use quantitative scoring and work from a defined set of risk factors and structured documentation. Inclusion of a common and quantifiable methodology will help evidence harmonisation and unification across the organisation.
- Perform an AMLA gap assessment: Design a prioritised review against Regulation (EU) 2024/1624 across CDD, beneficial ownership, screening, monitoring, governance, and recordkeeping to help shape a blueprint of where early AMLA readiness vulnerabilities may lie.
- Reassess staffing needs: Consider baseline staffing capacity and capability for 2026–2028, including technical skills, appropriate headcount and specialist expertise where needed.
- Build cross-border policy baselines: Consolidate fragmented local policies into a single EU-aligned standard with controlled local variations. This mirrors the harmonisation AMLA will expect and can serve as a solid baseline to be tweaked as RTS and IT are released.
- Anticipate convergence: Treat 2028’s direct supervision model as the benchmark regardless of selection status. Even for organisations not selected for inclusion in the first 40, AMLA’s methodology will apply across the EU supervisory ecosystem as NCAs will be aiming to apply uniform supervisory approaches to help reduce the current fragmented supervisory approach across Member States. Practically, this may result in fewer local interpretations, and an expanding expectation that regional specific controls must stand up to EU-wide scrutiny and central control testing frameworks.
The Bottom Line
For affected entities and financial crime compliance teams paying close attention, the next year will present a significant opportunity to get ahead. While AMLA acknowledges that it is still building the components of Europe’s new unified AML/CFT authority, it also highlights the challenges and risks associated with operating before that build is complete. Regardless, the Single Rulebook applies starting July 2027, and direct supervision will commence in 2028.
Affected entities that will be best positioned are those that treat AMLA and the EU AML regulations not as a compliance update, but as what they truly reflect: a fundamental transformation of how AML/CFT governance, data, risk management, and controls must operate across the EU. That means acting in 2026 to baseline readiness, close structural gaps, harmonise internal policies, and build the data and governance foundations that AMLA’s supervisory model will demand.
How Protiviti Can Help
Protiviti’s team of global financial crime experts can support your organisation as you prepare for compliance with AMLA and the EU AML regulations. Our team of professionals in the EU, UK and Switzerland frequently collaborate to assist our clients with developing, implementing and reviewing financial crime control frameworks. Protiviti guides organisations through major transformation programmes and helps clients understand and confidently respond to a changing regulatory and compliance environment.
Toby Steindler contributed to this article.
