AMLA 2026: EU Anti-Money Laundering Authority Rules, Timeline, and Impact

Roughly $750 billion in dirty money moved through Europe’s financial system in 2023. Nearly $195 billion of it crossed national borders. The enforcement apparatus meant to stop it consisted of 27 separate national supervisors, each applying its own interpretation of EU directives, each guarding its own turf. That arrangement is now being dismantled. AMLA 2026 is the year the EU’s new Anti-Money Laundering Authority, based in Frankfurt and led by former Bank of Italy official Bruna Szego, starts building the replacement: a single supervisory regime designed to do what fragmented national oversight could not.

Why the EU Needed a New Agency

The case for AMLA was built by scandal. Latvia’s ABLV Bank collapsed in 2018 after US authorities flagged it for facilitating illicit transactions that Latvian regulators had missed. Danske Bank’s Estonian branch processed an estimated €200 billion in suspicious flows while Danish and Estonian supervisors pointed fingers at each other. Wirecard imploded in Germany under BaFin’s watch. In each case, the problem was the same: criminals exploited the gaps between jurisdictions, and no single authority had the mandate or the tools to follow the money across borders.

The European Commission proposed AMLA in July 2021. Parliament and the Council approved the package in 2024. The legislation replaced the EU’s old directive-based approach, where each member state transposed AML rules into its own law, with a regulation that applies uniformly across all 27 countries. The authority has had a legal existence since June 2024 and opened its Frankfurt offices in early 2025. But AMLA 2026 is when the real work begins: writing the rules, testing the risk models, and identifying which institutions will face direct EU-level oversight for the first time.

What AMLA 2026 Looks Like on the Ground

On 1 January 2026, AMLA formally took over all AML mandates from the European Banking Authority. In February, it published a three-year work programme laying out how it intends to become fully operational by 2028.

The AMLA 2026 workload breaks into three tracks. The first is writing the Single Rulebook: binding technical standards on customer due diligence, risk assessments, enforcement procedures, and supervisory cooperation that will apply identically across the bloc from July 2027. The second is building convergence, ensuring national supervisors apply these standards consistently rather than reverting to old habits. The third is constructing the data systems and analytical infrastructure needed for direct supervision.

The institutional build is moving fast, perhaps faster than the talent pipeline can support. AMLA had around 120 staff at the end of 2025. It needs approximately 430 by late 2027. That means tripling headcount in two years, in Frankfurt, competing for regulatory and compliance specialists against the ECB, BaFin, and the private sector. The budget scales from EUR 13.6 million to EUR 96 million over the same period. Whether the authority can hire at that pace without diluting quality is an open question nobody at AMLA is keen to answer publicly.

One Rulebook for 27 Countries

The Anti-Money Laundering Regulation takes effect on 10 July 2027 and applies directly in every member state. No transposition, no national variation. It mandates risk-based due diligence, beneficial ownership transparency, and standardised reporting formats. The technical standards AMLA is drafting now, covering everything from identity verification methods to transaction monitoring thresholds, will be legally binding, not optional guidance.

The scope of who must comply has also widened. Crypto-asset service providers, football agents and professional clubs, credit intermediaries, and investment migration operators are all newly captured. Legal professionals, accountants, real estate agents, and dealers in precious metals fall under AMLA’s indirect oversight at EU level for the first time.

The AMLA 2026 Path to Direct Supervision

The 2026 groundwork for direct supervision is already well advanced. In March, the authority published final draft standards for how it will assess risk profiles and select entities. A data collection exercise followed, with participating institutions submitting information by late April. A separate reporting package went to national supervisors in May, with returns due by mid-August. AMLA expects a provisional list of eligible entities by the end of September 2026. The formal selection begins in July 2027, with results published by year-end.

Who Qualifies for Direct Supervision

From January 2028, AMLA will directly supervise up to 40 of the highest-risk financial institutions operating across the bloc. Forty sounds significant until you consider the denominator. There are more than 6,000 credit institutions in the eurozone. AMLA’s direct oversight will cover less than 1% of them. The theory is that supervising the largest, most cross-border entities raises the floor for everyone and creates deterrent effects. The risk is that illicit flows simply reroute through the thousands of mid-tier banks and payment firms that remain under the same national supervisors whose performance created the need for AMLA in the first place.

How AMLA 2026 Reshapes Compliance

If you work in financial crime compliance at a European institution, the practical implications of AMLA 2026 are already arriving. The Single Rulebook applies from July 2027. Direct supervision starts six months later. The preparation window is closing.

Your due diligence and KYC processes need benchmarking against the draft technical standards now. If your identity verification still relies on video-based methods, the shift toward qualified electronic signatures under eIDAS requires lead time. Your reporting systems need to integrate with AMLA’s new central database, which will consolidate information on obliged entities, risk assessments, supervisory actions, and sanctions across the entire EU. Draft standards for that database are being finalised this year, with the system expected to go live in 2027.

Cross-border institutions face particular urgency. If you operate in six or more member states, you may already be in the pool of provisionally eligible entities being mapped through the current data collection exercises. Even institutions well below that threshold should expect their national supervisors to tighten expectations in line with the new standards.

The indirect effects matter as much as the direct ones. National supervisors will be held to AMLA standards through convergence reviews and peer assessments. The authority can initiate breach-of-Union-law proceedings against supervisors it deems insufficiently rigorous. In practice, your national regulator’s expectations are about to be shaped by Frankfurt, whether or not your institution appears on the list of 40.

The Gap Between Architecture and Execution

AMLA held its first conference on 9 June 2026 in Frankfurt. The AMLA 2026 timeline from here is set: rulebook finalised this year, selection in 2027, supervision in 2028. The institutional architecture exists.

What remains unproven is execution. AMLA is asking 27 national regulators, some of which spent decades cultivating autonomy, to defer to a new authority that did not exist two years ago. It is building a data ecosystem from scratch while the illicit flows it was created to address run at three-quarters of a trillion dollars annually. And it is staking its credibility on a model where supervising 40 institutions out of thousands is supposed to transform enforcement across a continent.

The regulatory framework underpinning AMLA 2026 is the most ambitious the EU has attempted in financial crime. The ambition is the right scale. Whether the capacity matches it is the question that will define every year after this one.