AMLA: a new unified, data-driven AML/CFT framework and what this means for banks and supervisory convergence

This shift is underpinned by three core features that will shape the design, implementation, and evidencing of AML supervision at EU level: 

Key features 

• Introduction of a single, data‑driven supervisory model, replacing divergent national practices. 
• A phased transformation, with convergence in 2026, infrastructure development in 2027 and direct AMLA supervision in 2028. 
• Banks must shift to evidence‑based AML, strengthening data governance and the use of robust, documented evidence. 

AMLA’s first work programme marks the operational start of Europe’s new anti-money laundering (AML)/Combating Financial of Terrorism (CFT) framework. In 2026, the Authority remains in transition, still supported by the European Banking Authority (EBA). The programme clarifies its immediate priorities, which include: completing core regulatory mandates, preparing the methodology for selecting institutions that will enter direct supervision in 2028 and coordinating with national authorities to ensure supervisory continuity.  

The creation of AMLA represents a decisive shift in Europe’s approach to AML supervision as  it moves the European Union (EU) beyond coordination and towards genuine integration, not by replacing national bodies but by embedding them within a shared architecture. Banks will have to implement consistent changes in how they address financial crime, moving from narrative and governance‑driven approaches to a system anchored in data and robust, documented evidence. 

This article focuses on what AMLA’s programme actually changes for banks, how supervision will evolve between 2026 and 2028, how AMLA intends to generalise a more systematised trust across Europe, and what boards and CROs must prioritise. 

From fragmentation to integration 

Europe’s AML/CFT regime has long suffered from heterogeneous national interpretations, divergent risk taxonomies and inconsistent supervisory intensity. AMLA’s creation responds directly to this weakness and unlike the EBA‑centred model, which relied on coordination, AMLA introduces: 

• One supervisory doctrine grounded in harmonised regulatory technical standards (RTS) and measurable indicators. 
• One analytical base built on consistent taxonomies, thresholds and evidentiary standards. 
• One intelligence fabric, via the transformation of financial intelligence unit (FIU)-Net into an integrated cross‑border network. 
• One supervisory perimeter, with joint supervisory teams directly overseeing a group of approximately 40 complex cross‑border institutions by 2028. 

Under the previous framework, the EBA could guide and coordinate but national authorities remained autonomous and divergent. As a result, cross‑border banks frequently faced fundamentally different supervisory approaches depending on local jurisdiction. AMLA is designed to close those gaps, with its own risk models, data infrastructure and supervisory teams, applying a unified methodology across the Union.  

An agenda that impacts Banks 

AMLA’s strategic roadmap for 2026–2028 makes its ambition explicit: to reshape the Union’s AML/CFT framework into unified system capable of producing consistent outcomes across jurisdictions and sectors, with direct and significant impacts for banks. 

Phase 1: Laying the foundation (2026)  

• Finalisation of a large share of AMLA’s regulatory mandates. 
• Development of a common supervision model and manual for indirect supervision. 
• Launch of thematic reviews to drive convergence. 
• First phase of harmonised RTS covering customer due diligence, business relationships, enforcement and residual risk assessment. 

This common model is planned to rely on granular data. Banks shall prepare themselves to produce complete, reliable, and traceable data across onboarding, monitoring, case management and reporting. Data will be quantifiable, requiring models to evolve from predominantly qualitative risk assessments to evidence‑based frameworks aligned with AMLA’s harmonised indicators, RTS and EU‑wide taxonomies. 

Phase 2: Building capacity and infrastructure (2027) 

• AMLA staff ramp-up from around 120 to over 400, including data scientists, supervisors and FIU specialists. 
• Deployment of EU-wide data pipelines and initial infrastructure for harmonised risk modelling. 
• Strengthening of FIU-Net and preoperational testing of cross-border intelligence exchange. 

While the internal building of AMLA will directly concern the supervisor itself, the integration of FIU‑Net into a pan‑European intelligence layer means that AMLA will scrutinise alert quality, case documentation, escalation logic and detection‑to‑response timelines. As such, banks will have to ensure that monitoring rules, segmentation methods and scenario libraries are consistent, technically justified and continuously optimised. 

Phase 3: Direct supervision begins (2028) 

• Selection and onboarding of approximately 40 cross-border institutions under direct AMLA oversight. 
• Operation of joint supervisory teams applying fully harmonised models and metrics. 
• First cycle of comparative assessments across the supervised population. 

Under AMLA, onboarding of the 40 banks will be risk-based rather than size-based, with selection in 2027 driven by the  AMLA’s ML/TF risk assessment models currently being tested and calibrated through the 2026 EU-wide data collection exercise. In this new supervisory era, banks will face more assertive expectations, including clearer risk‑appetite articulation, demonstrable understanding of AMLA’s metrics and documented oversight of data‑quality and model‑risk issues. Supervisory cycles are expected to become more frequent, more model‑driven and less tolerant of national idiosyncrasies. 

• Despite remaining uncertainty around the final concrete expectation of AMLA, banks need to take preparatory steps by: 
• Ensuring the robustness of their global information system to ensuretraceability and consistency of AML/CFT data across entities, products and jurisdictions. 
• Ensuring organisational readiness within compliance functions, including sufficient staffing and training, clear allocation of roles and responsibilities for future reporting and robust group-level collection, validation and consolidation processes. 
• Testing governance and escalation frameworks to see if it needs to be adapted to be able to justify residual risk assessments and control effectiveness against harmonised European benchmarks. 
• Assessing technological and analytical capabilities against AMLA’s dataintensive approach and the requirements observed in the datacollection exercise, to determine whether existing tools can support more granular, resourceintensive and repeatable reporting. Banks should consider AIbased solutions as key enablers for scalable, consistent and timely of AML/CFT reporting. In particular, AI will be useful to adapt AML/CFT controls and reduce manual interventions. The focus should be on producing explainable, reproducible and auditable outputs, rather than adopting technology for its own sake, in an increasingly dataintensive supervisory environment. 

A model that is still under construction 

Thus, AMLA is aiming to replace Europe’s fragmented supervisory approaches with a single, datadriven risk architecture built on harmonized and enforceable datasets. The former reliance on qualitative judgement and divergent national taxonomies gives way to a model in which AML/CTF risk is quantified, benchmarked and defensible across the Union.  

However, some questions remain regarding the final configuration of the supervisory model. While AMLA’s strategic direction is clear, its supervisory model is still under construction. At this stage, the Authority has not yet fixed the precise data points, indicators or thresholds that will ultimately define supervisory expectations; nor has it formally established where the supervisory “marker” will be set in terms of acceptable residual risk, intensity of controls, or escalation triggers. 

This uncertainty is not accidental. AMLA has deliberately sequenced its work programme to allow its risk assessment methodology to be built, tested and calibrated before being finalised. The 2026 EUwide data collection and testing exercise is a key part of this approach. It is explicitly methodological, not supervisory and does not result in entityspecific scores or judgements. 

That said, this data-collection exercise already provides a clear indication of the future supervisory logic. The templates reveal the level of granularity, standardisation and segmentation AMLA is likely to rely on: sololevel reporting, disaggregation by Member State, structured indicators covering customer bases, transaction flows, and business models. It requires institutions to provide information on the different products and services, ask information on geographical distribution, requests on the different distribution channels and interrogates on the existing AML/CFT control system. Even if the final model is not yet defined, the direction is unmistakable — supervision anchored in comparable, quantifiable and reproducible data rather than narrative risk assessments. 

For banks, the message is therefore less about immediate compliance with a fixed standard, and more about readiness. The institutions best positioned for the AMLA era will not be those that guess the final thresholds correctly, but those capable of producing highquality, traceable and structured data once the model is ultimately stabilised. 

FIU 2.0 and the rise of systemic trust 

Even if AMLA’s supervisory model continues to be refined, one of its most structural impacts is already clear: the acceleration of European convergence in financial‑crime intelligence and cooperation. The evolution of FIU‑Net under AMLA’s authority marks a decisive shift away from nationally fragmented intelligence towards a genuinely integrated European framework. 

This does not mean that all operational questions have been resolved. The modalities of information sharing, the depth of analytical integration and the practical interaction between AMLA, national FIUs and supervisors will continue to evolve. However, the strategic trajectory is no longer in doubt. Financial‑crime risk which is by nature cross‑border, will no longer be addressed through loosely connected national lenses, but through a shared European intelligence architecture. 

This convergence matters even more in a context where supervisory models are still under construction. Common intelligence, shared typologies and comparable risk signals provide the foundation on which supervisory judgement can eventually stabilise. In this sense, FIU cooperation is not a parallel track to supervision, but a prerequisite for its credibility and effectiveness at EU level. 

Over time, this intelligence‑driven convergence is likely to become one of AMLA’s most lasting contributions. It strengthens Europe’s collective capacity to detect, analyse and respond to financial crime, reduces asymmetries between Member States and anchors trust not in national discretion but in shared information and coordinated action. Even before supervisory thresholds are fully defined, this shift already reshapes how Europe approaches financial integrity. 

As 2028 approaches, the focus will move from design to performance. Banks will be judged on their ability to embed AMLA’s standards, supervisors on their capacity to deliver convergence without rigidity and EU institutions on whether the Authority truly closes the structural weaknesses that prompted its creation.  

What is already clear, is that the direction is set: AMLA is not simply a new authority but the foundation of an integrated European architecture for financial integrity, replacing fragmentation with coherence, national divergence with systemic trust, and reactive oversight with intelligence‑driven supervision. In a Union defined by interdependence, this evolution is not only desirable; it is essential. 

Frequently asked questions