For years, EU anti-money laundering supervision has rested almost entirely with national competent authorities. That model is now being fundamentally reshaped. The final report on AMLA’s draft Regulatory Technical Standards marks the point at which EU-level supervision becomes operational.
At its core, the RTS answers a single question: which financial institutions pose the greatest cross-border money laundering and terrorist financing risk and therefore warrant direct EU oversight.
This report sets out how the EU’s new anti-money laundering authority, AMLA, will decide which financial institutions it supervises directly. Only credit and financial institutions operating at scale in at least six EU Member States are eligible, with cross-border activity counting only where it is genuinely material, measured by customer numbers or transaction volumes. From that pool, AMLA will select firms with a high money laundering or terrorist financing risk using a standardised, data-driven methodology that scores inherent risk, the quality of AML controls, and the resulting residual risk. The first firms selected in 2027 and direct AMLA supervision beginning in 2028.
Eligibility is not solely about presence
Operating across borders is not enough on its own to attract EU-level attention. AMLA introduces materiality thresholds to distinguish between firms that merely passport services and those that genuinely operate at scale across Member States.
An institution will be treated as operating in a Member State under freedom to provide services only if it exceeds clear thresholds. These are either customer-based or transaction-based, capturing both high-volume retail models and lower-volume, high-value activity. This closes a long-standing loophole where firms notified regulators of cross-border intentions that never translated into meaningful activity.
Geographic footprint is now a measurable risk factor. Customer residency data and transaction volumes by Member State move from operational metrics to regulatory triggers. Group structures matter as well, since activity is aggregated across entities within the same group.
Risk assessment becomes fully standardised
Once eligibility is established, the RTS introduces a second and more consequential change. AMLA will assess risk using the same underlying methodology applied at entity level across the EU. This alignment removes the possibility that firms can benefit from softer national interpretations or inconsistent supervisory scoring.
Inherent risk is calculated through a structured scoring model covering customers, products, services, geographies, and delivery channels. The methodology relies on predefined thresholds rather than judgement calls. The quality of controls is assessed separately by examining governance, AML resources, outsourcing, customer due diligence, transaction monitoring, sanctions screening, and group oversight.
Residual risk emerges from the interaction of these two scores. Strong controls can mitigate inherent risk, though only within defined limits. Importantly, AMLA has removed the ability to adjust inherent risk scores based on national specificities. This ensures comparability across the Union.
It will be harder for group risk to mask weak links
One of the most significant implications sits at group level. AMLA’s group-wide risk scoring weights higher-risk and more significant entities more heavily. What this means in practice is that groups can no longer rely on their strongest or lowest-risk entities to offset weaknesses elsewhere. AMLA does not simply average risk across a group. It gives extra weight to entities that are larger, more active, or higher risk. If a subsidiary has weak controls, operates in higher-risk markets, or handles risky products, that subsidiary will have a disproportionate impact on the group’s overall risk score.
A single poorly controlled business in one country can push the whole group into AMLA’s direct supervision, even if the rest of the group performs well. This makes effective central oversight essential. Group functions need reliable, comparable data from all entities, clear lines for escalating issues, and the ability to intervene when local controls fall short. In short, group AML frameworks must work in day-to-day operations, not just exist as policies or organisational charts.
Transitional relief is a temporary protection
The RTS includes transitional provisions for the first selection round, acknowledging that some data points may not yet be available. This relief is narrow and time-limited. Future rounds will apply the full methodology.
Compliance teams should not treat this as breathing space. It is a short runway to build the data infrastructure, reporting accuracy, and internal governance required under the new regime. Firms that wait for AMLA engagement before acting risk discovering too late that their risk profile has already been set.
What RTS means in practice
The focus moves away from reacting to supervisory visits and toward managing how the institution is scored before selection even occurs. Data quality, consistency across jurisdictions, and alignment between business-wide risk assessments and operational controls now have direct supervisory consequences.
This is also a cultural shift. AMLA’s methodology rewards clarity, transparency, and demonstrable control effectiveness. It penalises fragmentation, opaque group structures, and informal governance arrangements.
Direct supervision by AMLA will apply to a limited number of firms. The methodology, however, applies to all. Even institutions that remain under national supervision will be assessed using the same risk logic. In that sense, AMLA’s RTS does not merely identify who will be supervised at EU level. It defines what good AML looks like across the European financial system.
VinciWorks helps compliance teams stay ahead of regulatory change by translating complex EU and UK AML developments into practical, usable guidance. Through expert-led training, risk assessment tools, and continuously updated AML and financial crime solutions, VinciWorks supports firms of all sizes in strengthening governance, improving data quality, and preparing for heightened supervisory scrutiny. As AMLA supervision approaches, VinciWorks provides the insight and infrastructure compliance professionals need to respond with confidence rather than reaction.