Zenoo
EU AML Package · mid-2027 application

AMLA compliance: what the EU's new AML rulebook means for your operations

The Anti-Money Laundering Authority is real. It has a home in Frankfurt. It is recruiting staff. And the AML Regulation that it will enforce applies in mid-2027. That is roughly 18 months from now. The firms that wait for final technical standards before starting will run out of runway.

What is AMLA?

AMLA is the EU's new Anti-Money Laundering Authority. It does two things that previous AML directives never did. First, it enforces a single EU AML Regulation directly across all 27 member states, replacing 27 national interpretations with one rulebook. Second, it directly supervises a first group of high-risk obliged entities from 2028, with the option to escalate any obliged entity to direct supervision when local regulators are failing.

The reason this matters: the previous regime ran on Directives. Each country wrote its own implementing law, with national interpretations on identity verification, beneficial ownership thresholds, simplified due diligence, and reporting. Compliance teams running across multiple jurisdictions managed that complexity by tolerating it. AMLA removes the tolerance. There is one CDD standard, one EDD trigger set, one beneficial ownership verification baseline. National variations stop.

The deadlines that matter

The legislative architecture has three moving parts: the AML Regulation (the substantive rules), the AML Directive (the supervisory framework), and the AMLA Regulation (the authority's mandate). They were finalised in 2024 and entered into force across 2024-25.

  • Now – mid-2027: AMLA is recruiting and building supervisory capacity. Technical standards (RTS and ITS) are being drafted by EBA and AMLA.
  • Mid-2027: The AML Regulation applies. Every obliged entity, in every member state, is bound by it directly. No transposition deadline, no national flexibility.
  • 2028: Direct supervision by AMLA of the first group of high-risk obliged entities begins. Initial selection criteria target large, cross-border, complex-risk firms.

The 18-month readiness gap

We surveyed 30 compliance teams across the UK and EU in late 2025. 87% said they were "aware" of the AML Package. 60% had "started planning." But when we asked about completed gap analyses and implementation work, only 15% had finished a detailed gap analysis against the draft regulation, and only 8% had begun implementation. The awareness-action gap is enormous.

The 8% are not ahead of the curve because they enjoy regulatory homework. They are doing it because 18 months of work does not compress into 6.

Gap analysis: what should be on your desk by now

| Requirement area | The question to answer | Likely gap |
|---|---|---|
| CDD requirements | Do your identity verification methods comply with the harmonised EU standard? | Methods accepted under national rules but not meeting the regulation standard. Simplified due diligence criteria more generous than the regulation allows. |
| EDD triggers and measures | Have you mapped all new EDD triggers (complex ownership, crypto-asset providers, correspondent relationships)? | Missing expanded or new EDD triggers. No EDD applied where the regulation now requires it. |
| Beneficial ownership | Do you verify beneficial owners against central registers, not just self-declaration? | Over-reliance on self-declaration. Verification standard below the regulation's threshold baseline (25% becomes the floor, lower thresholds may apply by sector). |
| Ongoing monitoring | Do you review customers at the required frequencies (annual for high-risk, triennial for standard, six-yearly for low)? | Inconsistent review cycles, often driven by trigger events rather than fixed cadence. |
| Crypto-asset providers | If you are a CASP, or have CASP customers, have you mapped the new dedicated provisions? | Treating CASP customers under generic high-risk rules instead of dedicated provisions. |
| Politically exposed persons | Does your PEP screening cover the expanded definition (including domestic PEPs and family/close associates)? | National exemptions for domestic PEPs that the regulation no longer permits. |

CDD and EDD: what changes substantively

The harmonised identity verification standard is the headline change. Member states currently accept a wide range of methods, from utility bills to facial-liveness to government-mandated eID schemes. The regulation introduces a baseline that some national methods fall short of. Compliance teams need to know whether their existing onboarding flows still produce evidence that meets the new standard, and where they need to add additional checks or change providers.

For EDD, the trigger list expands. Complex ownership structures, certain correspondent relationships, transactions involving high-risk third countries, and crypto-asset operations are explicitly named. If your EDD policy was written under the old AML Directive, audit it against the new trigger list now. The teams we work with are typically finding three to five new triggers they need to capture.

Ongoing monitoring: from event-driven to cadence-driven

AMLA introduces mandatory review cycles tied to customer risk band. High-risk customers must be reviewed at least annually. Standard-risk customers at least every three years. Low-risk customers at least every six years. This is in addition to event-driven reviews (sanctions hit, adverse media, transaction pattern change).

For most firms, this is the most operationally disruptive change. Many compliance teams have run on event-driven monitoring with no fixed review cadence. The new requirement means you need to know, for every customer, when their last review was, when their next is due, and have the operational capacity to clear those reviews on time. This is what perpetual KYC actually looks like in practice, and why the firms we work with use Zenoo's ongoing monitoring engine to make it tractable.

The technology question: rip and replace, or extend?

Most firms ask the same question. Do we replace our existing AML platform, or extend it? The honest answer is that for the majority, the existing platform was designed for the previous AML Directive regime, and extending it to meet the regulation creates a brittle stack of patches and workarounds. The firms that move to orchestration platforms, where workflow, providers, and rules are configurable without engineering tickets, finish their AMLA programmes on time. The firms that try to extend monolithic platforms run into the 18-month wall.

Three technology questions your AMLA readiness assessment should answer:

  1. Can your platform run different CDD flows by jurisdiction without code changes? The regulation harmonises the floor but member states can still add national requirements. You will run multiple flows.
  2. Can your platform handle review cadences automatically? Annual, triennial, six-yearly review triggers, customer-by-customer, with workload smoothing. If this is a spreadsheet today, you are not ready.
  3. Can your platform produce an audit trail that meets the regulation's documentation requirements? Every decision, every data point, every rule applied, retrievable in seconds for AMLA examiners.

How Zenoo helps

Zenoo is built for the regulation, not for the directive era. The platform orchestrates KYC, KYB, CDD, EDD, beneficial ownership verification, and ongoing monitoring through a single configurable layer. Risk-band-driven review cycles. FATF-aligned risk scoring across four dimensions (customer, country, product, channel). Immutable audit trails with one-click regulator-ready export. Implementation in 4 to 6 weeks, not 12-month engineering programmes.

Specifically for AMLA readiness:

  • Compliance Hub handles the case management, AI alert triage, and audit trail requirements.
  • KYC Orchestration handles harmonised identity verification across jurisdictions, with 53 vendors in the marketplace and configurable flows per market.
  • KYB and beneficial ownership verification covers central register integration and UBO discovery beyond self-declaration.
  • Ongoing monitoring handles the new mandatory review cadences and integrates them with event-driven triggers.
  • Screening covers PEP, sanctions, and adverse media with the expanded AMLA definitions.

Frequently asked questions

What is AMLA?
AMLA is the EU's new Anti-Money Laundering Authority, based in Frankfurt. It directly supervises a first group of high-risk obliged entities from 2028 and enforces a single AML Regulation across all 27 member states. AMLA replaces the patchwork of national interpretations that existed under the previous AML Directives.

When does AMLA apply?
The AML Regulation that AMLA enforces is on track to apply in mid-2027. Direct supervision of selected obliged entities by AMLA begins in 2028. The 18-month run-up is when firms need to complete gap analysis, redesign processes, and validate technology against the new requirements.

Who does AMLA cover?
AMLA covers banks, investment firms, payment institutions, e-money issuers, crypto-asset service providers, certain non-financial businesses (real estate, casinos, luxury goods dealers), and high-net-worth individuals' service providers. The scope is broader than the previous AML Directives and explicitly captures crypto-asset providers.

What is the difference between AMLA and 6AMLD?
6AMLD was the sixth iteration of an EU Directive, meaning each member state implemented it through national law with local variations. AMLA enforces a Regulation, which applies directly across all 27 member states with no room for national interpretation. Same rulebook, no patchwork.

What are the AMLA CDD requirements?
Harmonised identity verification standards, mandatory verification of beneficial ownership beyond self-declaration (using central registers), expanded enhanced due diligence triggers including complex ownership structures and crypto-asset providers, and ongoing monitoring frequencies tied to risk band (annual for high-risk, triennial for standard, six-yearly for low).

What are the fines for AMLA breaches?
AMLA can impose administrative pecuniary sanctions of up to 10% of total annual turnover for legal entities, or up to EUR 10 million, whichever is higher. For individuals, fines reach EUR 5 million. AMLA can also impose periodic penalty payments and order temporary or permanent bans on management roles.

How does Zenoo help with AMLA readiness?
Zenoo orchestrates KYC, KYB, CDD, EDD, beneficial ownership verification, and ongoing monitoring through a single configurable platform. Risk-band-driven review cycles, FATF-aligned risk scoring, and immutable audit trails that meet AMLA's documentation requirements. Implementation in 4 to 6 weeks, not 12-month engineering projects.
