EU AMLA Regulation: A Compliance Preparation Guide for Obliged Entities

Article 32 of the EU Anti-Money Laundering Authority (AMLA) Regulation takes direct effect on 10 July 2027, and it removes the national-option carve-out that let member states define simplified due diligence on their own terms. For compliance teams that built their AML workflows around whatever their national regulator permitted, 2027 is a hard reset. Money laundering cases registered at Eurojust doubled over the past six years, and EU enforcement coordination is now moving from recommendation to mandate. The infrastructure gap between current AML programmes and single-rulebook readiness is the compliance problem 2026 is for. This guide maps the four milestones between now and 2028, the specific obligations the new single rulebook introduces, and the infrastructure steps your compliance team needs to take now.

The EU Anti-Money Laundering Authority (AMLA) is a new supranational supervisor established by Regulation (EU) 2024/1620, operational since July 2025 and headquartered in Frankfurt. AMLA sits atop a three-instrument package that includes the AML Regulation or AMLR (EU 2024/1624), which creates the single rulebook, and the Sixth Anti-Money Laundering Directive (6AMLD) (EU 2024/1640), which governs national Financial Intelligence Units and supervisory cooperation between member states.

What is the EU AMLA and why does it matter now?

The Anti-Money Laundering Authority is not a replacement for national supervisors. AMLA sits above them as the EU’s first AML body with direct enforcement powers over private firms, and its fine structure is set at EU level rather than varying by jurisdiction. That structural difference is what makes the July 2027 deadline material for any firm with EU customers or operations, regardless of whether it falls in the first wave of directly supervised entities.

Three instruments, one framework

The AMLA package adopted in June 2024 has three components. The AMLA Regulation (EU) 2024/1620 establishes the authority itself, its governance structure, and its supervisory methodology. The AML Regulation (AMLR) (EU) 2024/1624 is the single rulebook, a directly applicable regulation that replaces the previous patchwork of national AML implementations derived from the Fourth and Fifth Anti-Money Laundering Directives. The 6AMLD (EU) 2024/1640 governs how national Financial Intelligence Units (FIUs) cooperate and share intelligence. Understanding what AML screening looks like under this new architecture is the starting point for any gap analysis.

What AMLA’s enforcement powers mean for your firm

AMLA can impose fines of up to 10% of annual turnover or €10 million on directly supervised entities for serious breaches, per the AMLA official framework. That ceiling applies to approximately 40 high-risk obliged entities under direct supervision from 2028. For firms outside that first wave, the change is still material: the single rulebook makes substantive compliance obligations identical across EU member states from July 2027, and national supervisors apply AMLA guidelines. UNODC estimates that 2 to 5% of global GDP, roughly €1.87 trillion, flows through money laundering channels each year (Eurojust). The scale of the problem is why the three instruments were designed to function as a unified system rather than another incremental directive update.

What are the key AMLA milestones between now and 2028?

The AMLA timeline has four fixed points through 2028, and each carries a different type of compliance obligation. Treating them as equally urgent is a planning mistake. July 2027 is the hard deadline for operational readiness. The preparatory work needs to happen in 2026, while the final Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) are still being finalised.

July 2025. The authority opened in Frankfurt and began building its supervisory methodology, risk classification systems, and the RTS and ITS that will give the single rulebook its operational detail. Understanding the full scope of global AML sanction list regimes covered under the framework matters here, since the AMLR draws on 215+ sanction regimes.

2026. AMLA is currently finalising its RTS and ITS. This is the right moment to run a gap analysis against the draft rules. Most of the substantive requirements are already visible in the AMLR text. Firms that wait for the final technical standards in 2027 will have no implementation runway, and the gap between current screening infrastructure and single-rulebook requirements will be the most expensive gap to close under time pressure.

July 2027. The AMLR takes direct effect in all EU member states. National-level differences in AML implementation disappear. Simplified due diligence carve-outs narrow. Risk-based approach requirements become uniform. Ongoing monitoring and adverse media screening become formal CDD obligations across the board. Firms not ready by this date will be out of compliance from day one. See what is changing on AML screening in 2026.

2028. Approximately 40 high-risk obliged entities operating in six or more EU member states move under direct AMLA oversight per the European Commission’s AML framework. The rest remain under national supervisors applying the same single rulebook.

What does the AMLA single rulebook require from obliged entities?

The AMLR (EU 2024/1624) replaces the directive-transposition model with a directly applicable regulation, ending the situation where French, Dutch, and German banks operate under meaningfully different CDD rules because their national regulator chose a different implementation path. Two areas demand the most operational change for most compliance teams.

Risk-based approach and CDD obligations under the AMLR

As of the AMLR’s July 2027 application date, obliged entities must maintain written, documented risk policies calibrated to their specific product mix, customer base, and geographic exposure per Article 8 of the AML Regulation. Customer due diligence (CDD) triggers, enhanced due diligence (EDD) thresholds, and simplified due diligence scope are now defined at EU level rather than by member-state discretion. For firms that have relied on national simplified-due-diligence carve-outs to reduce screening intensity on lower-risk segments, the AMLR will narrow that headroom measurably. An effective sanctions screening program that documents each screening decision against a risk-classification framework will be the baseline expectation of AMLA supervisors, not a mark of maturity above the norm. Compliance teams that lack this documentation layer should treat closing it as their first 2026 priority, ahead of any tooling decisions.

Ongoing monitoring and adverse media under the AMLR

The AMLR formalises what many compliance teams have applied inconsistently. Customers must be screened against sanctions registers, PEP lists, and adverse media on a continuous basis, not only at onboarding. The regulation formally includes adverse media screening within the scope of CDD for the first time, covering recognised risk categories across international news sources. For teams currently running periodic, batch-based screening, the shift to real-time or near-real-time monitoring is the primary infrastructure gap to close before July 2027. The distinction between transaction screening and monitoring also sharpens under the AMLR, since both now carry formal documentation requirements and the obligation to act on identified risks within a defined timeframe.

How Shufti helps compliance teams meet AMLA requirements

The operational shift AMLA demands, including real-time ongoing monitoring, documented risk-based approach policies, and continuous adverse media coverage, is infrastructure-heavy for compliance teams currently running manual or batch-based screening.

Shufti’s AML screening runs real-time checks across 100,000+ AML data sources, 3,500+ global watchlists, and 2.6 million PEP profiles, all refreshed every 15 minutes. The AMLR’s continuous monitoring obligation is met by the same workflow used at onboarding rather than requiring a separate ongoing-monitoring system bolted on afterward. Adverse media coverage spans 50,000+ news sources across 415+ risk categories, addressing the breadth the single rulebook’s adverse media requirements point toward.

For the documented risk-based approach obligation, Shufti’s configurable risk workflows allow compliance teams to define their own risk classification thresholds, screening cascades per customer segment, and escalation triggers. That configuration produces the audit trail that AMLA’s supervisory reviews will expect to find. Both capabilities are accessible through a single API, with cloud, on-premises, and hybrid deployment options to fit the data-residency requirements that vary across EU member states.

When legacy screening systems meet a single rulebook that applies uniformly across 27 member states, the gaps that national supervisors tolerated become the gaps AMLA will act on. Shufti’s AML screening platform combines real-time sanctions, PEP, and adverse media checks with configurable risk workflows through a single API, so you can demonstrate the documented risk-based approach AMLA supervisors will expect. Request a demo to map your current AML workflow against the single rulebook requirements.