AMLA 2024 and beyond: what fintechs need to know about new KYC and ongoing monitoring requirements

By Stuart Watkins, CEO, Zenoo

Last month, a mid-stage neobank in the EU got hit with a EUR 4.2 million fine for failing to update customer risk profiles within the new mandatory review window. They had 80,000 customers, a compliance team of three, and a KYC system that was essentially a spreadsheet with a login page. The fine wiped out their Series A runway. That is the world we are operating in now.

The Anti-Money Laundering Authority regulation, widely known as AMLA, formally landed in 2024 and brings the most significant overhaul to European AML/CFT rules in over a decade. But if you are a fintech founder or compliance lead, you have probably noticed something: most of the commentary out there reads like it was written for Tier 1 banks with 500-person compliance departments. The reality for fintechs is very different. You are running lean. You are scaling fast. And the new rules do not care about your headcount.

Here is what actually matters, and what you need to do about it in the next 90 days.

Most fintechs are reading AMLA wrong

The biggest mistake we see is treating AMLA as a minor update to existing AML directives. It is not. The shift from directives to a directly applicable regulation means there is no more room for national interpretation. Every EU member state enforces the same rules, the same thresholds, the same documentation requirements. For fintechs operating across borders, this is both a simplification and a trap: simpler because one rulebook replaces 27, but a trap because there is nowhere to hide behind a lighter local regime.

The regulation introduces a new single EU-level supervisory authority that will directly oversee certain obliged entities and coordinate national supervisors for the rest. If your fintech processes cross-border payments or serves customers in multiple EU jurisdictions, you are squarely in scope.

EDD thresholds have dropped, and the clock is ticking

Under previous directives, Enhanced Due Diligence was triggered mostly by PEP status, high-risk third countries, or correspondent banking relationships. AMLA expands EDD triggers significantly. Crypto-asset service providers are now explicitly included. Complex ownership structures with more than two layers require EDD by default. And the threshold for identifying beneficial owners has tightened: any natural person holding 25% or more must be verified, with a push in several member states to lower this to 15% for higher-risk sectors.

The timeline pressure is real. Existing customers in higher-risk categories must have their EDD profiles updated within 12 months of the regulation taking effect. For new customers, EDD must be completed before the business relationship is established, not within a "reasonable period" as some fintechs have been interpreting the old rules.

The Head of Compliance at a UK challenger bank told us: "We thought we had 18 months. When we actually mapped the transitional provisions against our customer base, we realised we had about six months of real work compressed into the first quarter."

Infographic comparing old and new EDD trigger thresholds under AMLA

Ongoing monitoring is no longer optional, and "risk-based" does not mean "when we get round to it"

AMLA codifies specific minimum frequencies for ongoing customer risk reviews. High-risk customers must be reviewed at least annually. Medium-risk customers every three years. Even low-risk customers require a documented review every five years. And every review must be recorded with a clear audit trail showing what data was checked, what sources were used, and what risk decision was reached.

This is where most fintechs fall down. We benchmarked 40 onboarding and monitoring workflows last year across EU-licensed fintechs. Only 12% had automated ongoing monitoring that met the new frequency requirements. The rest were relying on manual periodic reviews, or worse, only re-screening customers when a transaction triggered an alert.

The regulation also requires continuous transaction monitoring against the customer's risk profile, not just against static sanctions lists. If a customer rated as low-risk starts making frequent transfers to jurisdictions flagged by the new EU high-risk third country list, your system needs to catch that and escalate it automatically.

If your current setup cannot handle risk-based review scheduling, automated re-screening, and documented audit trails, now is the time to fix it. Zenoo's ongoing monitoring module was built specifically for this kind of workflow, and we are already helping several fintechs close these gaps before the enforcement window opens.
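The scheduling and escalation logic described above, as an added example that is not Zenoo's code or part of the original article: the review intervals (high-risk annually, medium-risk every three years, low-risk every five years) are the figures the article quotes, while the customer records, transfer records, country list and the "frequent transfers" thresholds (three or more in 30 days) are constructed assumptions for illustration.

```python
"""Risk-based review scheduling, audit-trail records and profile-driven escalation.

Constructed example for this article. Review intervals are the article's
figures; all customer, transfer and country data below is made up, and the
escalation thresholds (window_days, min_count) are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum interval between documented reviews, per risk tier (article figures).
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 3 * 365, "low": 5 * 365}


@dataclass
class Customer:
    customer_id: str
    risk_tier: str      # "high" | "medium" | "low"
    last_review: date


@dataclass
class Transfer:
    customer_id: str
    booked: date
    amount_eur: float
    counterparty_country: str  # ISO 3166-1 alpha-2


@dataclass
class AuditRecord:
    """What the article asks every review to record: data, sources, decision."""
    customer_id: str
    reviewed_on: date
    data_checked: list[str]
    sources: list[str]
    previous_tier: str
    decision_tier: str
    rationale: str


def next_review_due(customer: Customer) -> date:
    """Date by which the next documented review must be completed."""
    return customer.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[customer.risk_tier])


def overdue_reviews(customers: list[Customer], as_of: date) -> list[str]:
    """Ids of customers whose review window has already closed on `as_of`."""
    return [c.customer_id for c in customers if next_review_due(c) < as_of]


def record_review(customer: Customer, reviewed_on: date, data_checked: list[str],
                  sources: list[str], decision_tier: str, rationale: str) -> AuditRecord:
    """Complete a review: emit the audit record, apply the decision, reset the clock."""
    record = AuditRecord(customer.customer_id, reviewed_on, list(data_checked),
                         list(sources), customer.risk_tier, decision_tier, rationale)
    customer.risk_tier = decision_tier
    customer.last_review = reviewed_on
    return record


def flag_profile_mismatch(customer: Customer, transfers: list[Transfer],
                          high_risk_countries: set[str],
                          window_days: int = 30, min_count: int = 3) -> bool:
    """True when a customer not rated high-risk makes `min_count` or more
    transfers to flagged jurisdictions within `window_days` of the latest one.
    High-risk customers are already under annual EDD review, so the check
    targets the mismatch between a low/medium rating and the observed pattern."""
    if customer.risk_tier == "high":
        return False
    flagged = [t for t in transfers
               if t.customer_id == customer.customer_id
               and t.counterparty_country in high_risk_countries]
    if not flagged:
        return False
    window_start = max(t.booked for t in flagged) - timedelta(days=window_days)
    return sum(1 for t in flagged if t.booked >= window_start) >= min_count


if __name__ == "__main__":
    # Constructed sample data: three customers, one review due date check,
    # and a low-risk customer whose transfers contradict the rating.
    book = [Customer("C-001", "high", date(2023, 1, 15)),
            Customer("C-002", "medium", date(2022, 3, 1)),
            Customer("C-003", "low", date(2018, 1, 1))]
    print("overdue on 2024-06-01:", overdue_reviews(book, date(2024, 6, 1)))
    xfers = [Transfer("C-003", date(2024, 5, d), 900.0, "XX") for d in (2, 9, 16)]
    print("escalate C-003:", flag_profile_mismatch(book[2], xfers, {"XX"}))
```

Running the scheduler daily over the customer book and writing one `AuditRecord` per completed review gives a supervisor the three things the article says they will ask for: what was checked, which sources were used, and what decision was reached, with the next due date derived from the tier that decision set.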

Visual showing AMLA mandatory review frequencies by risk tier

Cross-border payments are under a microscope

AMLA introduces stricter requirements for cross-border wire transfers, extending the travel rule obligations to crypto-asset transfers. Every transfer above EUR 1,000 must carry full originator and beneficiary information. Below EUR 1,000, simplified information is permitted, but only if there is no suspicion of money laundering or terrorist financing.

For fintechs operating payment corridors into or out of the EU, this means your payment infrastructure must be able to capture, validate, and transmit this information in real time. Batch processing or end-of-day reconciliation will not cut it.

The regulation also requires that payment service providers verify the accuracy of originator information before executing a transfer. This is not a "best efforts" standard. If your systems cannot validate beneficiary data against a reliable source at the point of transaction, you are exposed.

What catches many fintechs off guard is the intermediary obligation. If you are acting as an intermediary payment service provider, you must retain all originator and beneficiary information that accompanies the transfer. If information is missing, you are required to reject the transfer or suspend it and request the missing data. We see fintechs that have never had to worry about this suddenly discovering that their payment rails do not even have fields for the required data points.
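The intermediary-side completeness check described in this section, as an added example that is not Zenoo's code or part of the original article. The EUR 1,000 threshold, the full-versus-simplified information split, the suspicion override and the reject-or-suspend handling come from the text above; the concrete field set (originator name, account and an identifier such as address or ID number; beneficiary name and account) is an assumption modelled on the EU funds-transfer rules the article refers to, and treating exactly EUR 1,000 as the full-information case is a conservative assumption where the article only says "above".

```python
"""Travel-rule completeness check for an intermediary payment service provider.

Constructed example for this article. Threshold and handling follow the text;
the field set is an assumption to be mapped against your own legal analysis.
"""
from dataclasses import dataclass, asdict
from typing import Optional

FULL_INFO_THRESHOLD_EUR = 1000.00  # article: full information "above EUR 1,000"

# Assumed field sets (see lead-in). "identifier" stands for the originator's
# address, official ID number, or date and place of birth.
FULL_ORIGINATOR = ("name", "account", "identifier")
FULL_BENEFICIARY = ("name", "account")
SIMPLIFIED_ORIGINATOR = ("account",)
SIMPLIFIED_BENEFICIARY = ("account",)


@dataclass
class Party:
    name: Optional[str] = None
    account: Optional[str] = None
    identifier: Optional[str] = None


@dataclass
class Transfer:
    reference: str
    amount_eur: float
    originator: Party
    beneficiary: Party
    suspicion_flag: bool = False   # ML/TF suspicion removes the simplified option


@dataclass
class Decision:
    action: str          # "forward" | "suspend" | "reject"
    missing: list[str]
    reason: str


def required_fields(transfer: Transfer) -> tuple[tuple[str, ...], tuple[str, ...]]:
    """Full information at/above the threshold or on suspicion; simplified otherwise."""
    if transfer.amount_eur >= FULL_INFO_THRESHOLD_EUR or transfer.suspicion_flag:
        return FULL_ORIGINATOR, FULL_BENEFICIARY
    return SIMPLIFIED_ORIGINATOR, SIMPLIFIED_BENEFICIARY


def _missing(party: Party, fields: tuple[str, ...], prefix: str) -> list[str]:
    """Fields that are absent or blank, named as 'originator.name' etc."""
    return [f"{prefix}.{f}" for f in fields if not (getattr(party, f) or "").strip()]


def screen_transfer(transfer: Transfer, on_missing: str = "suspend") -> Decision:
    """Decide whether an intermediary may forward the transfer.

    on_missing selects the PSP's policy for incomplete data: "suspend" (hold and
    request the missing fields from the ordering PSP) or "reject".
    """
    if on_missing not in ("suspend", "reject"):
        raise ValueError("on_missing must be 'suspend' or 'reject'")
    orig_fields, benef_fields = required_fields(transfer)
    missing = (_missing(transfer.originator, orig_fields, "originator")
               + _missing(transfer.beneficiary, benef_fields, "beneficiary"))
    if not missing:
        return Decision("forward", [], "required originator and beneficiary data present")
    if on_missing == "reject":
        return Decision("reject", missing, "incomplete travel-rule data")
    return Decision("suspend", missing, "request missing data from ordering PSP")


def retention_record(transfer: Transfer) -> dict:
    """Everything that accompanied the transfer, kept regardless of the decision:
    the intermediary must retain all originator and beneficiary data received."""
    return {"reference": transfer.reference, "amount_eur": transfer.amount_eur,
            "originator": asdict(transfer.originator),
            "beneficiary": asdict(transfer.beneficiary)}


if __name__ == "__main__":
    # Constructed sample: a transfer above the threshold arriving without the
    # originator identifier, screened under a suspend policy.
    t = Transfer("TX-0001", 2500.00, Party("A. Sender", "DE00 TEST 0000 0001"),
                 Party("B. Receiver", "FR00 TEST 0000 0002"))
    d = screen_transfer(t)
    print(d.action, d.missing, "->", d.reason)
```

The check runs per message at the point of transfer, which is what the article means by capturing and validating in real time rather than in a batch; the `retention_record` output is what gets written to the record store whether the transfer is forwarded, suspended or rejected.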

Your tech stack is now a compliance requirement, not a nice-to-have

One of the most underappreciated aspects of AMLA is how explicitly it addresses technology. The regulation requires obliged entities to have "adequate" systems and controls, and the new supervisory authority will assess technology capability as part of its supervisory methodology. This is not vague guidance. Supervisors will evaluate whether your screening tools are fit for purpose, whether your monitoring systems can handle your transaction volumes, and whether your record-keeping meets the new five-year retention and retrieval standards.

A compliance consultant working with three EU-licensed e-money institutions told us: "The conversation has completely changed. Two years ago, regulators asked if you had a compliance programme. Now they ask to see your system architecture diagrams and your false positive rates."

For fintechs, this means the days of cobbling together compliance from free sanctions screening APIs and manual review queues are over. You need integrated, auditable systems that can demonstrate to a supervisor exactly how a risk decision was made, what data informed it, and when the last review occurred.

The fines are real, and they are getting larger

AMLA harmonises penalties across the EU with maximum fines of at least EUR 10 million or 10% of annual turnover, whichever is higher. For serious, repeated, or systematic breaches, national supervisors can double these amounts.

To put this in context: in 2023, EU national supervisors collectively issued over EUR 200 million in AML-related fines. The trend is accelerating. In the Netherlands alone, DNB fined a payments firm EUR 3.5 million for inadequate transaction monitoring. BaFin in Germany issued penalties to two fintech firms for failing to file suspicious activity reports within the required timeframes. And these were under the old regime, before AMLA's enhanced penalty framework kicks in.

The new authority will also have the power to publish enforcement decisions, meaning a fine does not just cost money. It costs reputation, partnerships, and potentially your banking relationships. We have already seen two fintechs lose their banking-as-a-service partnerships after enforcement actions became public. When your BaaS provider reads about your fine in the Financial Times, the conversation about renewing your contract changes very quickly.

90-day AMLA implementation roadmap for fintechs

Your 90-day implementation roadmap

The fintechs that come through this well will be the ones that start now, not the ones waiting for final technical standards. Here is what the next 90 days should look like.

In the first 30 days, complete a gap analysis. Map your current KYC, EDD, and ongoing monitoring processes against AMLA requirements. Identify where your customer risk categorisation model needs updating and where your documentation falls short. This is not a theoretical exercise. Pull ten customer files at random and test whether they would survive a supervisory review.

In days 30 to 60, fix your technology. If your screening, monitoring, or case management tools cannot support automated risk-based review scheduling, real-time transaction monitoring against customer profiles, and auditable decision trails, replace them. This is not the time for building in-house. The compliance window is too tight and the stakes are too high.

In days 60 to 90, train your team and test the system. Run tabletop exercises with realistic scenarios. Have your MLRO sign off on the updated policies. And do a dry run of a supervisory information request to make sure you can actually produce the data a regulator would ask for. If that dry run reveals gaps, you still have time to close them. If you wait until the regulator asks, you do not.

AMLA is not a distant regulatory threat. It is here, the enforcement apparatus is being built, and fintechs that treat it as a 2025 problem will find themselves on the wrong side of a fine that could end their business.

We built Zenoo to help compliance teams at fast-moving companies stay ahead of exactly this kind of shift. If you want to see how your current setup compares to the new requirements, book a demo. 30 minutes. Your data. No slides.

Stuart Watkins

About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
