The Fourthline Team
How to Prepare for AMLA Compliance: What Financial Institutions Must Do Before 2027
How to Prepare for AMLA Compliance: What Financial Institutions Must Do Before 2027
Apr 9, 2026
AMLA, Europe's new Anti-Money Laundering Authority, became operational on July 1, 2025, marking a shift from 27 fragmented national approaches to unified EU supervision. The goal is to create harmonised standards across all EU Member States to prevent financial crime, close regulatory loopholes, and make it harder for bad actors to exploit cross-border gaps.
For financial institutions, this represents a substantial change. On the one hand, they will benefit from EU-wide requirements rather than navigating different rules for each country. But it also means higher regulatory expectations, including monitoring of high-risk institutions, more intensive AI-based supervision, and stricter enforcement regarding Customer Due Diligence, KYC systems, and AML screening.
In this guide, we’ll cover what AMLA is, when its key requirements take effect, what types of institutions will be impacted, and actionable steps financial institutions can take to prepare.
AMLA, AMLR, and RTS: Understanding the EU’s new AML framework
Before we dive into AMLA’s role specifically, it’s worth spending some time understanding the interconnected parts of the new AML framework and how they work.
AMLR: The law
AMLR (Anti-Money Laundering Regulation) is Regulation (EU) 2024/1624. It goes live on 10 July2027 across all 27 EU member states. No national variations, no country-by-country implementation, just one uniform set of rules.
AMLR is the “what” of the new compliance landscape, establishing what financial institutions must do at a high level. This includes (among other things) verifying customer identity before onboarding, monitoring transactions for suspicious patterns, reporting suspicious activity to Financial Intelligence Units, and keeping records for at least five years. It also requires risk-based approaches to compliance: applying more stringent checks on politically exposed persons or other high-risk customers.
AMLA: The enforcer
AMLA (Anti-Money Laundering Authority) is the EU's new enforcement body, based in Frankfurt and operational since 1 July 2025. From 2028 on, AMLA will directly supervise around 40 high-risk institutions. For everyone else, it will coordinate with national supervisors to keep enforcement consistent across Europe.
But AMLA does more than supervise. It also writes the regulatory technical standards, or RTS, the detailed rules that explain how to comply.
RTS: The how-to
RTS (regulatory technical standards) are the detailed implementation rules drafted by AMLA, adopted by the European Commission. They detail how financial institutions should comply with AMLR: which identity verification methods to use, what should be collected for Customer Due Diligence, and how to conduct ongoing monitoring.
The RTS will be legally binding from 10 July 2027. Importantly, these standards aren't guidance or best practice. They carry the same legal weight as AMLR itself.
Component | What it is | Status | What it means for financial institutions |
|---|---|---|---|
ALMR | EU Regulation 2024/1624 | Takes effect 10 July 2027 | Core AML obligations apply with no national variations |
ALMA | EU Anti-Money Laundering enforcement authority | Operational since 1 July 2025; full supervisory powers in 2028 | Directly supervises 40 high-risk entities; coordinates national supervisors; drafts RTS |
RTS | Detailed implementation rules by AMLA | Being finalised in 2026; takes effect 10 July 2027 | Legally binding specifications on acceptable identity verification methods, CDD requirements, etc. |
AMLA's implementation timeline
The European AML Authority began recruitment and coordination efforts starting on July 1, 2025. Going forward, the projected implementation plan looks like this:
Q1-Q2 2026: Data collection exercises to test risk assessment models
By July 1, 2027: AMLA commences formal selection process for approximately 40 obliged entities for direct supervision
July 10, 2027: Most provisions of the new Anti-Money Laundering Regulation (AMLR) take effect across EU member states
By the end of 2027: Company selection completed, list of directly supervised entities published
2028: AMLA becomes fully operational with complete supervisory powers
Who will be supervised by AMLA?
Starting in 2028, AMLA will directly supervise approximately 40 high-risk entities. The selected companies must be operational in at least six EU Member States and have high money laundering or terrorist financing risk profiles. Companies under direct supervision can expect intense oversight, regular on-site inspections, enhanced reporting requirements, and increased scrutiny of AML compliance.
Financial institutions not under direct AMLA supervision will be supervised by national authorities (such as BaFin in Germany or AFM in the Netherlands) who in turn enforce AMLR and the RTS. The rules apply uniformly across the EU. This means that even if you’re supervised by a national authority rather than AMLA directly, you must still comply with the standards.
Let’s take a closer look at the regulatory technical standards and what they stipulate.
What’s in the RTS? Key requirements for financial institutions
The RTS fundamentally rewrites the playbook for remote identity verification. The major change is that eIDAS-compliant methods (national electronic IDs, qualified electronic signatures (QES), and EU Digital Identity Wallets) are now the primary verification methods.
Video identification (Video-Ident), on the other hand, has been downgraded to a backup option. For countries like Germany, where Video-Ident has been the go-to method, this represents a seismic shift. Institutions that continue using video verification will need to document why eIDAS-compliant options weren't feasible for each customer.
But the regulatory technical standards don't stop at identity verification. They also govern KYC ongoing monitoring, transaction monitoring thresholds, AML screening protocols, and suspicious activity reporting formats for AMLA's central AML/CFT database.
With a July 2027 implementation deadline, financial institutions should assess their verification systems now to allow time for technology upgrades and process changes.
What AMLA means for AML compliance programs
AMLA stands to fundamentally reshape how financial institutions approach AML compliance, and not just for the companies facing direct oversight.
Under AMLA’s regulatory technical standards, technology becomes central. AMLA will leverage AI and data analytics for anti-financial crime detection, and institutions must report suspicious activity to a central AML/CFT database using standardised formats. Customer Due Diligence documentation faces higher expectations: institutions must apply risk-based approaches and clearly justify each decision. KYC processes must align with new European standards, with little room for national variations.
The transformation requires significant investment. According to EY research, 60% of compliance professionals expect to invest in new technologies to meet AMLR requirements, while 75% anticipate a very competitive market for AML compliance experts and specialised talent.
But there's an upside, particularly for cross-border institutions. Regulatory harmonisation means less complexity navigating different requirements across EU Member States, streamlined operations, and a single supervisory point for high-risk entities, all of which streamline operational efficiency over the long term.
How financial institutions should prepare for AMLA
With regulatory technical standards taking effect July 2027, and supervisory beginning in 2028, financial institutions can take steps now to prepare for the coming compliance changes. Here’s a roadmap for what to prepare, and when.
Step one
Assess your current state. Review Customer Due Diligence and Know Your Customer processes against draft regulatory technical standards. Do your verification systems support eIDAS-compliant methods? Can your AML screening and transaction monitoring meet the new standards?
Map your reporting infrastructure. Understand how your current suspicious activity reporting works and identify what needs to change to integrate with AMLA's central AML/CFT database using standardised formats.
Invest in QES. If you're still using Video-Ident, it's time to move toward a Qualified Electronic Signature-based verification method that meets the RTS requirements. Learn more about Fourthline’s solution here.
Step two
Upgrade technology. Implement systems that support eIDAS-compliant verification, integrate with AMLA's central database, and generate standardised reporting across all EU member states operations. Build audit trail capabilities that document every verification choice and risk assessment.
Redesign or streamline processes. Create clear, documented policies for Customer Due Diligence decisions. Standardise reporting formats across all operations. Train compliance teams on new regulatory technical standards.
Evaluate vendors. Review third-party identity verification providers for AMLA readiness and eIDAS compliance. Consider modular solutions that adapt as requirements evolve. For context on broader KYC obligations, see our guide on whether KYC is mandatory.
Fourthline's eIDAS-compliant systems support automated customer due diligence, generate audit trails for every verification decision, and adapt as regulatory technical standards evolve. Explore Fourthline's AMLR solution →
Step three
Track the selection process. AMLA will publish its list of directly supervised entities by end of 2027. If your company is selected, prepare for Joint Supervisory Team coordination. If not, you’ll still need to follow the RTS.
Demonstrate compliance readiness. Implement continuous monitoring systems that track AML compliance metrics and show regulatory harmonisation progress to national authorities or AMLA.
Secure expertise. Competition for AML compliance talent will intensify. Start resourcing and training talent now.
Prepare for AMLA with Fourthline
As AMLA and AMLR transform the European compliance landscape, financial institutions need adaptable identity verification solutions that meet evolving regulatory technical standards. Fourthline helps institutions streamline Customer Due Diligence, implement automated KYC processes with our QES-based flow, and prepare for AMLA's harmonised framework across EU Member States. Learn how Fourthline can help you prepare for AMLA compliance.
FAQs
When should financial institutions start preparing for AMLA?
Financial institutions should begin preparation immediately. While AMLA won't exercise full supervisory powers until 2028, regulatory technical standards take effect July 10, 2027, and AMLA is already conducting preliminary assessments.
What’s the difference between AMLR and RTS?
AMLR (the Anti-Money Laundering Regulation) is the high-level legal foundation for the EU’s new AML framework. The RTS (regulatory technical standards) fill in the operational details for how companies must comply. Both take effect on 10 July 2027 and are legally binding.
What are the most critical regulatory technical standards to focus on?
Priority areas include Customer Due Diligence verification methods (especially the shift to eIDAS-compliant solutions), Know Your Customer (KYC) ongoing monitoring requirements, AML screening thresholds, and transaction monitoring standards.
How will AMLA affect institutions not directly supervised?
Even institutions supervised by national authorities will be indirectly affected. AMLA sets standards for regulatory harmonisation across all EU Member States, issues guidelines that national supervisors must follow, and can temporarily assume supervision in exceptional circumstances.
What technology investments are necessary for AMLR compliance?
Financial institutions should invest in enhanced reporting systems, transaction monitoring tools, and AI/ML capabilities for anti-financial crime detection. Identity verification systems must support eIDAS-compliant methods. Focus on modular, adaptable solutions that can evolve with regulatory requirements.
AMLA, Europe's new Anti-Money Laundering Authority, became operational on July 1, 2025, marking a shift from 27 fragmented national approaches to unified EU supervision. The goal is to create harmonised standards across all EU Member States to prevent financial crime, close regulatory loopholes, and make it harder for bad actors to exploit cross-border gaps.
For financial institutions, this represents a substantial change. On the one hand, they will benefit from EU-wide requirements rather than navigating different rules for each country. But it also means higher regulatory expectations, including monitoring of high-risk institutions, more intensive AI-based supervision, and stricter enforcement regarding Customer Due Diligence, KYC systems, and AML screening.
In this guide, we’ll cover what AMLA is, when its key requirements take effect, what types of institutions will be impacted, and actionable steps financial institutions can take to prepare.
AMLA, AMLR, and RTS: Understanding the EU’s new AML framework
Before we dive into AMLA’s role specifically, it’s worth spending some time understanding the interconnected parts of the new AML framework and how they work.
AMLR: The law
AMLR (Anti-Money Laundering Regulation) is Regulation (EU) 2024/1624. It goes live on 10 July2027 across all 27 EU member states. No national variations, no country-by-country implementation, just one uniform set of rules.
AMLR is the “what” of the new compliance landscape, establishing what financial institutions must do at a high level. This includes (among other things) verifying customer identity before onboarding, monitoring transactions for suspicious patterns, reporting suspicious activity to Financial Intelligence Units, and keeping records for at least five years. It also requires risk-based approaches to compliance: applying more stringent checks on politically exposed persons or other high-risk customers.
AMLA: The enforcer
AMLA (Anti-Money Laundering Authority) is the EU's new enforcement body, based in Frankfurt and operational since 1 July 2025. From 2028 on, AMLA will directly supervise around 40 high-risk institutions. For everyone else, it will coordinate with national supervisors to keep enforcement consistent across Europe.
But AMLA does more than supervise. It also writes the regulatory technical standards, or RTS, the detailed rules that explain how to comply.
RTS: The how-to
RTS (regulatory technical standards) are the detailed implementation rules drafted by AMLA, adopted by the European Commission. They detail how financial institutions should comply with AMLR: which identity verification methods to use, what should be collected for Customer Due Diligence, and how to conduct ongoing monitoring.
The RTS will be legally binding from 10 July 2027. Importantly, these standards aren't guidance or best practice. They carry the same legal weight as AMLR itself.
Component | What it is | Status | What it means for financial institutions |
|---|---|---|---|
ALMR | EU Regulation 2024/1624 | Takes effect 10 July 2027 | Core AML obligations apply with no national variations |
ALMA | EU Anti-Money Laundering enforcement authority | Operational since 1 July 2025; full supervisory powers in 2028 | Directly supervises 40 high-risk entities; coordinates national supervisors; drafts RTS |
RTS | Detailed implementation rules by AMLA | Being finalised in 2026; takes effect 10 July 2027 | Legally binding specifications on acceptable identity verification methods, CDD requirements, etc. |
AMLA's implementation timeline
The European AML Authority began recruitment and coordination efforts starting on July 1, 2025. Going forward, the projected implementation plan looks like this:
Q1-Q2 2026: Data collection exercises to test risk assessment models
By July 1, 2027: AMLA commences formal selection process for approximately 40 obliged entities for direct supervision
July 10, 2027: Most provisions of the new Anti-Money Laundering Regulation (AMLR) take effect across EU member states
By the end of 2027: Company selection completed, list of directly supervised entities published
2028: AMLA becomes fully operational with complete supervisory powers
Who will be supervised by AMLA?
Starting in 2028, AMLA will directly supervise approximately 40 high-risk entities. The selected companies must be operational in at least six EU Member States and have high money laundering or terrorist financing risk profiles. Companies under direct supervision can expect intense oversight, regular on-site inspections, enhanced reporting requirements, and increased scrutiny of AML compliance.
Financial institutions not under direct AMLA supervision will be supervised by national authorities (such as BaFin in Germany or AFM in the Netherlands) who in turn enforce AMLR and the RTS. The rules apply uniformly across the EU. This means that even if you’re supervised by a national authority rather than AMLA directly, you must still comply with the standards.
Let’s take a closer look at the regulatory technical standards and what they stipulate.
What’s in the RTS? Key requirements for financial institutions
The RTS fundamentally rewrites the playbook for remote identity verification. The major change is that eIDAS-compliant methods (national electronic IDs, qualified electronic signatures (QES), and EU Digital Identity Wallets) are now the primary verification methods.
Video identification (Video-Ident), on the other hand, has been downgraded to a backup option. For countries like Germany, where Video-Ident has been the go-to method, this represents a seismic shift. Institutions that continue using video verification will need to document why eIDAS-compliant options weren't feasible for each customer.
But the regulatory technical standards don't stop at identity verification. They also govern KYC ongoing monitoring, transaction monitoring thresholds, AML screening protocols, and suspicious activity reporting formats for AMLA's central AML/CFT database.
With a July 2027 implementation deadline, financial institutions should assess their verification systems now to allow time for technology upgrades and process changes.
What AMLA means for AML compliance programs
AMLA stands to fundamentally reshape how financial institutions approach AML compliance, and not just for the companies facing direct oversight.
Under AMLA’s regulatory technical standards, technology becomes central. AMLA will leverage AI and data analytics for anti-financial crime detection, and institutions must report suspicious activity to a central AML/CFT database using standardised formats. Customer Due Diligence documentation faces higher expectations: institutions must apply risk-based approaches and clearly justify each decision. KYC processes must align with new European standards, with little room for national variations.
The transformation requires significant investment. According to EY research, 60% of compliance professionals expect to invest in new technologies to meet AMLR requirements, while 75% anticipate a very competitive market for AML compliance experts and specialised talent.
But there's an upside, particularly for cross-border institutions. Regulatory harmonisation means less complexity navigating different requirements across EU Member States, streamlined operations, and a single supervisory point for high-risk entities, all of which streamline operational efficiency over the long term.
How financial institutions should prepare for AMLA
With regulatory technical standards taking effect July 2027, and supervisory beginning in 2028, financial institutions can take steps now to prepare for the coming compliance changes. Here’s a roadmap for what to prepare, and when.
Step one
Assess your current state. Review Customer Due Diligence and Know Your Customer processes against draft regulatory technical standards. Do your verification systems support eIDAS-compliant methods? Can your AML screening and transaction monitoring meet the new standards?
Map your reporting infrastructure. Understand how your current suspicious activity reporting works and identify what needs to change to integrate with AMLA's central AML/CFT database using standardised formats.
Invest in QES. If you're still using Video-Ident, it's time to move toward a Qualified Electronic Signature-based verification method that meets the RTS requirements. Learn more about Fourthline’s solution here.
Step two
Upgrade technology. Implement systems that support eIDAS-compliant verification, integrate with AMLA's central database, and generate standardised reporting across all EU member states operations. Build audit trail capabilities that document every verification choice and risk assessment.
Redesign or streamline processes. Create clear, documented policies for Customer Due Diligence decisions. Standardise reporting formats across all operations. Train compliance teams on new regulatory technical standards.
Evaluate vendors. Review third-party identity verification providers for AMLA readiness and eIDAS compliance. Consider modular solutions that adapt as requirements evolve. For context on broader KYC obligations, see our guide on whether KYC is mandatory.
Fourthline's eIDAS-compliant systems support automated customer due diligence, generate audit trails for every verification decision, and adapt as regulatory technical standards evolve. Explore Fourthline's AMLR solution →
Step three
Track the selection process. AMLA will publish its list of directly supervised entities by end of 2027. If your company is selected, prepare for Joint Supervisory Team coordination. If not, you’ll still need to follow the RTS.
Demonstrate compliance readiness. Implement continuous monitoring systems that track AML compliance metrics and show regulatory harmonisation progress to national authorities or AMLA.
Secure expertise. Competition for AML compliance talent will intensify. Start resourcing and training talent now.
Prepare for AMLA with Fourthline
As AMLA and AMLR transform the European compliance landscape, financial institutions need adaptable identity verification solutions that meet evolving regulatory technical standards. Fourthline helps institutions streamline Customer Due Diligence, implement automated KYC processes with our QES-based flow, and prepare for AMLA's harmonised framework across EU Member States. Learn how Fourthline can help you prepare for AMLA compliance.
FAQs
When should financial institutions start preparing for AMLA?
Financial institutions should begin preparation immediately. While AMLA won't exercise full supervisory powers until 2028, regulatory technical standards take effect July 10, 2027, and AMLA is already conducting preliminary assessments.
What’s the difference between AMLR and RTS?
AMLR (the Anti-Money Laundering Regulation) is the high-level legal foundation for the EU’s new AML framework. The RTS (regulatory technical standards) fill in the operational details for how companies must comply. Both take effect on 10 July 2027 and are legally binding.
What are the most critical regulatory technical standards to focus on?
Priority areas include Customer Due Diligence verification methods (especially the shift to eIDAS-compliant solutions), Know Your Customer (KYC) ongoing monitoring requirements, AML screening thresholds, and transaction monitoring standards.
How will AMLA affect institutions not directly supervised?
Even institutions supervised by national authorities will be indirectly affected. AMLA sets standards for regulatory harmonisation across all EU Member States, issues guidelines that national supervisors must follow, and can temporarily assume supervision in exceptional circumstances.
What technology investments are necessary for AMLR compliance?
Financial institutions should invest in enhanced reporting systems, transaction monitoring tools, and AI/ML capabilities for anti-financial crime detection. Identity verification systems must support eIDAS-compliant methods. Focus on modular, adaptable solutions that can evolve with regulatory requirements.
Solutions
Solutions
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.