Countdown starts for Amla supervision in EU

Ted Datta is head of the financial crime and compliance practice for Europe and Africa at Moody’s

Banks and other large organisations may adjust the way they monitor, assess and report risks to ensure consistency and compliance as the EU’s Authority for Anti-Money Laundering and Countering the Financing of Terrorism advances to assume direct supervision of 40 financial institutions.

Amla, based in Frankfurt, is set to directly supervise the 40 “obliged entities” from January 2028. The process for selection is now live and based on factors including cross-border activity, with operations in at least six EU states, and risk exposure to financial crime.

Amla aims to reduce the regulatory patchwork that has caused cross-border compliance issues for organisations operating across the EU, not just the entities that it supervises directly. It will also raise expectations on how risk assessments are evidenced, reviewed and documented by businesses.

Amla is the EU’s first central supervisor for anti-money laundering and countering the financing of terrorism. Its mandate is broad: to support consistent application of AML/CFT rules, coordinate and reinforce the work of national financial intelligence units, develop technical standards and address gaps created by previously divergent national approaches.

Together with the Anti-Money Laundering Regulation, which will apply from 10 July 2027, this moves the EU towards a unified regime across the single market.

The AMLR requires firms to demonstrate how they reached conclusions, what evidence supported them and how consistently those methods work across borders.

Institutions handling high-volume cross-border transactions, especially those with significant exposure to high-risk jurisdictions, or that are offering complex financial instruments that are more susceptible to abuse, are more likely to be chosen for direct oversight by Amla.

Larger financial institutions in the EU are also more likely to be directly supervised, to address systemic risks. Entities with a history of AML/CFT deficiencies or previously flagged for non-compliance by national supervisory authorities may similarly face tighter scrutiny.

AMLA’s consultation draft on customer due diligence largely keeps the overall structure for AML/CFT mandates that it inherited from the European Banking Authority, although there are differences. For the 40 obliged entities these include:

EU-wide standardisation of customer due diligence data fields and verification logic

less national discretion on simplified due diligence and enhanced due diligence triggers

stronger expectation of explainability: firms must show why CDD intensity is appropriate, not just that it was applied

much tighter linkage between CDD, sanctions and ongoing monitoring

Know what your customer owns

Amla’s consultation draft Article 11 emphasises the need for directly supervised institutions to understand the ownership and control structures of their customers.

This may include the legal form of such entities and/or arrangements, and reference to the existence of any nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement; in the case of a trust, the jurisdiction of its governing law; and, where applicable, the shares of interest held by each legal entity or legal arrangement, its subdivision, by class or type of shares and/or voting rights expressed as a percentage of the respective total.

Where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall take measures to obtain the following information:

a description of the ownership and control structure, including the legal entities and/or legal arrangements that constitute intermediate entities between the customer and its beneficial owners and are relevant for understanding the ownership and control structure; and, where applicable:

where beneficial ownership is determined on the basis of control, information on how this is expressed and exercised; or

information on the regulated market on which the securities are listed, in case a legal entity at an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the number and percentage of shares listed if not all the legal entity’s securities are listed

Supervised institutions must also understand the ownership and control structures of customers with complex corporate structures, according to Article 12 of the consultation draft. This may require obtaining additional information, such as an organigram.

Complex corporate structures are defined as those having three or more layers between the customer and the beneficial owner and, in addition, where more than one of the following conditions is met:

there is a legal arrangement or a similar legal entity such as a foundation in any of the layers

the customer and any legal entities present at any of these layers are registered in jurisdictions outside the EU

there are nominee shareholders or nominee directors involved in the structure

the structure obfuscates or diminishes transparency of ownership with no legitimate economic rationale or justification

Organisations are more likely to be compliant — and avoid potential sanctions — if they make systems interoperable using structured, machine-readable and consistently formatted data.

If all data uses the same formats, fields and IDs, it will facilitate faster CDD checks and make it easier to keep clean records. Even those organisations not directly supervised by Amla may benefit from this approach as the standards may shape supervisory expectations that affect them. Pressure-testing existing workflows for assessing beneficial ownership may also be helpful.

Ultimately, it is important to understand that Amla and AMLR are not just about policy — they are about how quickly and reliably firms can trace ownership and control, analyse risk and document decisions across jurisdictions.