AMLA Readiness: The Regulatory Shift Has Already Started
The easiest mistake firms can make with the Anti-Money Laundering Authority (AMLA) and the wider Anti-Money Laundering Regulations (AMLR) package is to treat it as a future implementation exercise that starts once the final guidance is published.
On paper, that sounds sensible. Wait for clarity. Wait for the final Regulatory Technical Standards (RTS). Wait for the supervisory approach to settle. However, that approach risks leaving firms exposed to compressed delivery timelines and weak answers when boards or regulators ask what has been done to prepare. Because the regulatory shift has already started.
AMLA has been operational since July 2025. It is already developing the methodology, reporting framework and data collection process that will determine which institutions fall into its direct supervisory perimeter from 2028 onwards. That work includes risk assessment methodologies, harmonised reporting templates, supervisory data collection, and testing the operational readiness of the wider framework.
This is important as AMLA is not building a traditional supervision model based primarily on policy reviews and periodic inspections. It is building infrastructure for ongoing, centralised, comparative supervisory data collection and analysis across the EU.
That changes the burden on firms. The future supervisory question is no longer: ‘Does this firm have controls?’ It is increasingly: ‘Can this firm produce reliable, explainable and comparable evidence showing how its controls operate in practice?’
Critically, firms do not need to fall inside AMLA's direct supervisory perimeter to feel the impact. National competent authorities are already aligning their methodologies to AMLA's standards. Firms outside the direct cohort will still feel the shift through their existing regulator applying an increasingly harmonised standard.
But the operational challenge for many firms is not deciding whether they are one of the top 40. It is whether their current anti-financial crime (AFC) operating model can reliably produce supervisory-grade data at all. Once a regulator builds a centralised risk analysis framework, firms effectively inherit responsibility for producing data capable of feeding it.
This is why AMLA readiness is also a data governance and operating model question rather than simply a compliance interpretation exercise of the AMLR and RTS.
This post maps out immediate implications for three areas of most AFC programmes: data lineage, control mapping and management information.
Data lineage: Can you trace your data from source to output?
AMLA’s supervisory model assumes firms can produce structured, traceable and quality-assured data on demand, not reconstruct it after the event. Firms sitting outside the direct supervisory population may still need to provide structured risk, governance and exposure data capable of feeding into AMLA's wider supervisory model.
For many firms, that assumption exposes an uncomfortable gap. Transaction monitoring rules may be running on customer due diligence (CDD) data that has not been refreshed to reflect current customer behaviour. Customer risk assessment scores may not be feeding back into monitoring parameters. Quality Assurance (QA) sampling may be performed on a population that cannot be clearly defined or reproduced.
None of this is unusual. But none of it is defensible under a data-driven supervisory lens.
The practical work is a lineage mapping exercise across each key AFC process: CDD, PEP and sanctions screening, customer risk assessment, transaction monitoring, and QA.
For each, document the data sources feeding the process, the logic or rules applied, the output generated, and what that output feeds into downstream. Map it end to end.
This exercise almost always surfaces untested assumptions, but it also provides the foundation for data quality metrics that AMLA's framework will expect - completeness, accuracy and timeliness at each stage of the chain, not just an assertion that data quality is adequate.
Data lineage is not a technology project. It is a governance and documentation discipline first. Systems matter, but they cannot substitute for clear ownership, accountable decision-making and evidence that the firm understands how its AFC data supports the controls it relies on.
Control Mapping: AMLA has now set out exactly what it expects from your BWRA
In April 2026, AMLA published its Consultation Paper on draft Guidelines for the Business-Wide Risk Assessment (BWRA) under Article 10(4) of the AMLR. For firms still treating the BWRA as a document refreshed periodically for governance purposes, this consultation should prompt a more immediate reassessment.
AMLA's draft guidelines establish a common minimum framework built around four minimum requirements:
- business and operational overview;
- identification, assessment, and classification of inherent risks;
- assessment of the quality of AML/CFT controls;
- assessment and classification of residual risks.
The control quality and residual risk sections are where many firms will face the greatest scrutiny.
AMLA expects firms to clearly link controls to the risks they mitigate and explain how those controls operate in practice, including both design and implementation effectiveness. A control described in a framework document but unsupported by testing evidence is unlikely to satisfy that expectation. The consultation is equally explicit that inherently high-risk exposures cannot simply be ‘neutralised’ through optimistic control scoring. Residual risk must be justified, evidenced and acknowledged.
Firms should already be asking:
- Can we explicitly connect risks to controls?
- Are control owners clearly documented?
- Is effectiveness evidenced through testing, QA and audit outcomes?
- Do BWRA findings formally trigger control review and governance action?
The final guidelines land in Q4 2026. The window to assess your current BWRA against AMLA's four minimum requirements, and close the gaps, is now.
MI framework: Volume reporting will not survive the effectiveness question
Reporting the number of suspicious activity reports (SARs) filed, alerts reviewed, or CDD records refreshed tells a supervisor what the programme did. It does not tell them if the programme worked.
Under AMLA's harmonised supervisory framework, the question that matters is whether the AFC programme is operationally effective at detecting and disrupting financial crime. Volume metrics are evidence of activity. They are not evidence of effectiveness.
The distinction is already showing up in how national regulators approach thematic reviews, and it will become more pronounced as AMLA's supervisory methodology beds in.
The shift is from activity metrics to outcome metrics, across each process area. Some examples of the translation:
- Transaction monitoring: alert-to-SAR conversion rate, not just total alerts reviewed.
- SAR quality: proportion of SARs with an identifiable typology, not just total SARs filed.
- CDD refresh: completion rate against a defined, risk-tiered schedule, not just total records updated.
- QA: defect rates by process area, and - critically - remediation closure times and root cause analysis, not just a pass/fail count.
Beyond the metrics themselves, the management information (MI) framework needs to demonstrate a governance narrative. Who reviews these outputs? At what level? What decisions are documented as a result? Supervisors will look for evidence that MI reaches appropriate governance forums and generates visible management action - not that it is produced and filed.
There is also a timing consideration that is easy to underestimate. Effectiveness metrics only become meaningful over time. Starting data collection now means having a credible trend by 2028. Starting in 2027 means presenting a single data point and calling it a framework. That will not be a convincing position.
A useful test is simple - if a supervisor asked, ‘how do you know your transaction monitoring is effective?’ could you answer from what is already there?
If the answer requires pulling data from outside the standard pack, the framework needs redesigning.
The Window Is Narrowing
EU harmonisation is closing the supervisory arbitrage window that many firms have historically relied upon across member states.
AMLA’s Single Rulebook, data frameworks and supervisory convergence work are moving the market towards a common European standard for AFC governance, controls and evidence.
The firms that will be best placed in 2027 and 2028 are the ones that begin building that credibility now, through disciplined lineage documentation, an EWRA that visibly connects to real controls, and an MI framework that can answer the effectiveness question, not just the activity question.
The evidence test – 10 questions to ask before 2027
- Which material risks apply to each entity, product, customer segment and corridor?
- Which specific controls mitigate each risk?
- Who owns each control and how does it operate in practice?
- What testing, QA, audit or monitoring evidence proves the control is working?
- How is residual risk assessed after controls are applied?
- Which governance forum reviews the results and what decisions are documented?
- What issues, remediation actions or control changes were triggered?
- Can your MI show trends in effectiveness, not just activity?
- Can key AFC data be traced from source system to output?
- Can supervisory-grade data be produced consistently across the group?
Waiting until 2027 to work through that list is a choice. But it is rapidly becoming a much riskier one.