AMLA: The New EU Anti-Money Laundering Authority Explained

Frankfurt-based AMLA's mandate, the ~40 high-risk entities under direct supervision, and the 2025-2028 timeline.

Legichain Team · 26 May 2026

AMLA — the Anti-Money Laundering Authority — is the EU's new AML supervisory body. Established under Regulation (EU) 2024/1620 (AMLAR) as part of the 2024 AML Package, AMLA was sited in Frankfurt in February 2024. It will be operational from mid-2025 and, starting 2028, will directly supervise around 40 of the highest-risk obliged entities EU-wide. This article reads AMLA from an operator's perspective: its mandate, how the selected entity list will be drawn, the relationship with national competent authorities, and how all obliged entities should prepare.

Why AMLA Was Created

Pre-2024, the EU AML regime sat on a fragmented architecture: AMLD directives required national transposition, Member States interpreted them differently, and supervision was carried out by 27 different competent authorities at varying intensities. A handful of large-scale scandals (notably Danske Bank Estonia in 2018-2019, Pilatus Bank Malta) exposed the limits of that model.

The Commission's answer: a centralised EU AML authority with direct supervisory powers. Proposed in 2021 as part of the AML Package, it was adopted in 2024; AMLA is one of three parts of the Package (the other two: AMLR and AMLD6-new).

AMLA's Three Roles

1. Direct Supervision

The most radical innovation: AMLA directly supervises around 40 "selected obliged entities" EU-wide. These entities are:

  • Credit institutions (banks) operating in at least 6 Member States.
  • Payment institutions, EMIs and CASPs operating in at least 6 Member States.
  • Among these, the entities with the highest risk score.

The risk score is calculated per AMLAR Article 12 criteria: customer profile exposure, products and services, distribution channels, jurisdictional profile. The list is announced in 2027 and direct supervision starts in 2028.

What direct supervision means in practice: AMLA conducts on-site inspections, requests documentation, evaluates AML governance decisions, and may impose administrative fines (maximum: 10% of legal entity turnover or €10M, whichever is greater).

2. Coordination

All obliged entities outside the direct supervision list continue to be supervised by national competent authorities (NCAs). AMLA plays a coordination role between NCAs:

  • Develops a common supervisory methodology.
  • Organises joint supervision teams for cross-border cases.
  • Collects data from NCAs and assesses their performance.

AMLA plays a similar coordination role for national FIUs (Financial Intelligence Units): it takes over management of FIU.net (the existing EU-wide information sharing platform) and raises the standard of inter-FIU information sharing.

3. Standard-Setting

AMLA develops Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) for the application of AMLR and AMLD6-new. These standards are directly binding in the EU. The first wave of RTS/ITS is expected between 2025 and 2027; topics include customer risk scoring methodology, beneficial owner verification, enhanced due diligence procedures, and reporting formats.

Mandate Map: AMLA vs NCA

AMLA does not take over all AML supervision — only direct supervision of "selected obliged entities." Thousands of other banks, EMIs, PSPs and CASPs remain under NCA jurisdiction.

| Activity | AMLA | NCA |
|---|---|---|
| Selected obliged entity (~40) supervision | Primary | Support |
| Other obliged entity supervision | Coordination | Primary |
| Licensing | None | Primary (under MiCA, EMD2/PSR, PSD2/PSD3) |
| FIU information sharing | Coordination (FIU.net) | National FIU operations |
| RTS/ITS preparation | Primary | Consultation |
| Administrative fines (selected entity) | Primary | None |
| Administrative fines (other entity) | None | Primary |

Timeline

| Date | Event |
|---|---|
| June 2024 | AMLAR published in the Official Journal |
| February 2024 | Frankfurt selected as HQ |
| Mid-2025 | AMLA operational — staffing, governance, RTS/ITS preparation begins |
| 2026 | First RTS/ITS drafts |
| 2027 | Selected obliged entity list announced |
| 10 July 2027 | AMLR and AMLD6-new apply |
| 2028 | AMLA direct supervision starts (for selected entities) |

Who Might Be on the Selected Obliged Entity List?

The AMLAR risk scoring methodology is not yet fully specified (an RTS is pending), but the available indicators point to the following:

Banks:

  • HSBC, Deutsche Bank, BNP Paribas, ING, UniCredit, Société Générale, Santander, BBVA and other large cross-border EU banks.
  • Retail/wholesale activity in 6+ Member States.

Payment institutions / EMIs:

  • Worldline, post-Wirecard successors, Stripe Europe, Adyen, Revolut, N26, Wise.
  • Multi-jurisdiction operations + high volume.

CASPs:

  • MiCA-authorised exchanges operating in at least 6 Member States (Bitstamp, Bitpanda, MEXC EU, Kraken EU, Coinbase Europe — final composition depends on AMLA selection).

Practical expectation: the first ~40 list is likely to be ~70% banks + ~20% PSP/EMI + ~10% CASP. Typical refresh cycle is three years; entities may move on and off the list.

Practical Impact for a Selected Entity

New workload for a listed entity:

  1. Direct communication with AMLA's supervisory team — the home NCA continues a supporting role but AMLA becomes the primary point of contact.
  2. AMLA-specific reporting formats — templates defined by RTS.
  3. On-site inspection preparation — AMLA dispatches inspection teams from Frankfurt; documentation, key-person interviews and system demonstrations become the standard format.
  4. Higher penalty ceiling — administrative fines up to 10% of turnover are typically higher than NCA ceilings.

Practical Impact for Non-Selected Entities

For the thousands of entities not on AMLA's direct supervision list, direct impact is limited but indirect impact is large:

  • Rising NCA standard. AMLA coordination lifts NCA supervisory methodology. Cross-Member-State "supervisory arbitrage" narrows.
  • RTS/ITS compliance. All obliged entities are subject to AMLA-drafted RTS (the binding effect flows through the NCA).
  • Cross-border case coordination. Mid-to-large entities operating across multiple Member States may face AMLA-led joint supervision teams.

Frequently Asked Questions

What will AMLA's staffing look like?

AMLAR plan: ~430 staff at full operational capacity; the structure will firm up over 2026-2027. Core teams: direct supervision teams (one per selected entity), common methodology team, FIU coordination team, RTS/ITS preparation team, IT and data analytics. AMLA senior management (chair + executive board) appointments were made over 2024-2025.

Will AMLA's selected obliged entity list be updated annually?

No — AMLAR provides for a three-year cycle. Exceptional updates are possible in case of material risk changes. A Member State NCA may propose adding a specific entity.

Could a Turkish bank end up on the list via its EU subsidiary?

Theoretically yes — if the subsidiary operates in at least 6 Member States and crosses the risk threshold. In practice, inclusion of Turkish-headquartered groups in the first 2028 list is unlikely (most large Turkish banks do not have retail operations in 6+ Member States), but EU-expanding Turkish fintechs may plan for it medium term.

Does AMLA also supervise TFR compliance?

Yes — AMLA's supervisory scope covers general AML obligations and TFR is part of that. For selected CASPs, Travel Rule infrastructure, sunrise problem policy and IVMS 101 message quality will be supervisory topics.

How does AMLA relate to ESMA and EBA?

ESMA (European Securities and Markets Authority) covers capital markets, EBA (European Banking Authority) covers banking. AMLA is dedicated to AML/CFT supervision — without sectoral split. The three authorities work together: e.g. MiCA Level 2 RTS preparation is led by ESMA + EBA, with AMLA in a consultative role on AML-related technical standards.

How Legichain Helps with AMLA Readiness

Regardless of whether you end up on AMLA's direct supervision list, the application of AMLR + AMLD6-new from 2027 will affect every EU obliged entity — tighter CDD, more homogeneous reporting, stricter beneficial ownership verification. The Legichain AML screening API satisfies AMLR screening requirements (PEP, sanctions, adverse media) using EU consolidated lists. Match-grouping and risk-scoring layers automate false-positive management at high volume. Our crypto exchange, PSP and banks solution pages cover AMLA-ready architecture for different obliged entity types.

Legichain Team · Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.
