Financial Services

From action to acceleration – AMLA’s Single Programming Document for 2026-2028 charts the course ahead

Written by

Dr. Michael Huertas

RegCORE Client Alert | AML/CTF & AMLA

QuickTake

On 4 February 2026, the EU’s new Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) published its Single Programming Document (SPD) for 2026-2028. The SPD builds upon AMLA’s first Annual Work Programme (AWP) but sets a longer arc for actioning and accelerating its priorities. The SPD is accompanied by an explainer for stakeholders and a detailed Annex XI planning the sequence and timing of AMLA’s mandates to issue technical standards and guidelines through 2027 ahead of commencing direct supervision of certain obliged entities (OEs) in 2028. OEs are entities subject to AML/CFT obligations under EU law, including credit institutions, financial institutions, payment service providers, crypto-asset service providers (CASPs), and – for the first time at EU level – non-financial sector entities such as legal professionals, accountants, real estate agents, and dealers in precious metals. As set out over 105 pages, the SPD confirms that AMLA plans to:

  • Complete core elements of the EU AML/CFT Single Rulebook, with an intensive 2026-2027 pipeline of Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines (GL) targeting customer due diligence (CDD), business wide risk assessments, group wide policies, sanctions and supervisory cooperation.
  • Build and test the risk based selection model and supervisory architecture for direct supervision of 40 high impact financial institutions, with the first selection in 2027 and the first supervisory cycle starting in 2028.
  • Operationalise the Financial Intelligence Unit (FIU) pillar. FIUs are national authorities responsible for receiving, analysing, and disseminating suspicious transaction reports (STRs) filed by OEs. AMLA will coordinate FIU cooperation across the EU, including joint analyses, peer reviews, mediation, harmonised STR formats, and the transfer and optimisation of FIU.net (the secure network for cross-border FIU communication) by 2027.
  • Design and implement frameworks for indirect supervision of the financial sector and AML/CFT oversight of the non financial sector, including supervisory colleges, convergence reviews, breach of Union law procedures and extensive training.
  • Establish an EU wide risk analysis and data ecosystem, built around a new Central AML/CFT Database, the takeover of EuReCA (the European Reporting System for Material Weaknesses, currently operated by the European Banking Authority (EBA)), and a data analytics platform underpinned by AI enabled tools.
  • Scale up AMLA’s institutional capacity rapidly – from 120 staff and a EUR 13.6m budget in 2025 to 432 staff and EUR 96m by 2028 – while completing the move into permanent Frankfurt premises and achieving financial autonomy, with fee funding for supervision from 2028; approximately 70% of AMLA’s revenue will be funded by fees levied on directly and indirectly supervised financial sector entities.

This Client Alert should be read together with our earlier coverage of AMLA’s AWP. Readers should also consult the excellent publications from PwC's Risk Network, our standalone coverage of the EU’s new AML/CFT rules and AMLA’s powers, as well as Navigating 2026 – PwC Legal's EU RegCORE playbook offering a granular annual outlook on the regulatory policymaking agenda, supervisory cycle and emerging trends.

Whilst this Client Alert provides comprehensive coverage of the items introduced above, certain implications warrant particular attention:

  • All financial sector OEs will be affected by the SPD’s actions, not just the top 40: Entities not selected for direct supervision should not assume they are unaffected. Indirect supervision will apply across the entire EU financial sector, national supervisors will be subject to AMLA convergence assessments, supervisory fees will be levied on a population broader than the directly supervised cohort, and breach-of-Union-law procedures may escalate supervisory intensity. The SPD's implications extend to every financial sector OE.
  • The CDD and onboarding overhaul is a systems project, not just a policy update: The CDD RTS (Article 28(1) AMLR) will prescribe harmonised data fields and verification standards. This may require fundamental redesign of digital onboarding journeys, KYC questionnaires, and data capture systems – not merely amendments to policy documents. Firms should engage IT, operations, and compliance functions jointly in gap analyses.
  • The AML/CFT Community is a strategic opportunity: AMLA's "structured AML/CFT community" is not a soft engagement initiative. It offers a direct channel to influence regulatory development during AMLA's formative years. Early movers will have greater input into how the framework is shaped and implemented.
  • Third-country exposure may require contingency planning: The RTS on branches and subsidiaries in non-compliant third countries (Article 17(3) AMLR) may require not only enhanced controls but also contingency planning – including potential exit or wind-down strategies – for jurisdictions where local law renders full AMLR compliance impossible.
  • Partnerships for Information Sharing require advance preparation: PfIS under Article 75 AMLR will become applicable from July 2027, but the governance, data protection, and contractual infrastructure required for effective participation cannot be built overnight. Firms considering participation should begin preparation now.
  • The timeline is compressed – resource planning should begin now: The delivery of twenty-four regulatory mandates in 2026 alone means consultation periods will be short and final drafts will be delivered in quick succession. The window for gap analysis and implementation will be tight. Firms should allocate resources for regulatory monitoring and implementation planning now, not after final texts are published.
  • Non-financial sector OEs: this alert is for you too: (fellow) legal professionals, accountants, real estate agents, and dealers in precious metals are OEs under the AMLR. AMLA's oversight extends to the non-financial sector for the first time at EU level. Non-financial sector readers should pay particular attention to the dedicated section below and should not assume that this alert is addressed only to credit institutions and financial services firms.
  • AMLA's external whistleblowing channel creates a new escalation route: The establishment of an internet-accessible confidential reporting channel under Article 90 AMLAR means that employees will have a direct external route to report AML/CFT concerns to AMLA. This has significant implications for internal whistleblowing policies, staff training, and reputation management.

Key takeaways from the SPD

AMLA became operational on 1 July 2025 and is headquartered in Frankfurt, Germany (a stone’s throw away from the PwC Tower). Its mission is to safeguard the integrity of the EU's financial system and internal market through a unified, risk-based, and technologically advanced approach to preventing money laundering ("ML") and terrorist financing ("TF"). AMLA acts as a central authority for AML/CFT supervision (both direct and indirect), intelligence coordination, and regulatory standard-setting. At the core of its mandate – derived from the EU's AML Package comprising the Anti-Money Laundering Regulation ("AMLR"), the Anti-Money Laundering Directive ("AMLD"), and the AMLA Regulation ("AMLAR") – are three deliverables: (a) completing the Single Rulebook to ensure regulatory convergence and consistency; (b) developing harmonised supervisory practices for both financial and non-financial sectors; and (c) strengthening the working methods and cooperation of FIUs.

The SPD translates this mission into five interlinked activity clusters: (i) delivering on core regulatory mandates via the Single Rulebook; (ii) advancing direct and indirect supervision (including non-financial oversight and CASPs); (iii) operationalising the FIU framework; (iv) risk analysis and the data ecosystem; and (v) digital, corporate, and governance functions underpinning operational excellence.

Strategic goals

The SPD reinforces AMLA's vision of a Europe in which financial crime is proactively anticipated, effectively deterred, and decisively disrupted through seamless cooperation, cutting-edge technology, harmonised supervision, and highly operational financial intelligence. To translate this into practice, the SPD articulates five long-term strategic goals:

  • “Convergence, Consistency and Proportionality” – completing and supporting the establishment of a uniform AML/CFT framework, supported by high standards, best practices, and common methodologies and tools, with a proportionate and risk-based approach that maintains effectiveness while paying attention to compliance costs and without imposing unnecessary burdens, particularly for low-risk activities.
  • “Cooperation and Inclusiveness” – fostering a culture of joint responsibility and mutual trust, embedding collaboration among supervisory authorities and FIUs, as well as with prudential authorities, law enforcement, EU institutions and agencies, and private stakeholders, with structured stakeholder engagement to ensure meaningful involvement and strengthened international cooperation.
  • “Technology and Innovation” – positioning AMLA as a digital Centre of Excellence by investing in advanced analytical tools, blockchain capabilities, AI, and secure platforms such as the Central AML/CFT Database and FIU.net, while guiding the private sector in the responsible use of AI and promoting a shared understanding of emerging ML/TF risks.
  • “Credibility and Accountability” – underpinning AMLA's legitimacy through a strong governance model, ethical safeguards, conflict-of-interest policies, fundamental rights oversight, transparent communication with stakeholders (including EU citizens), and adherence to the highest standards of data protection and financial management.
  • “Global Leadership” – promoting the Union's standards abroad, supporting the European Commission in representing the EU in the Financial Action Task Force ("FATF") and Egmont Group initiatives, and contributing to positioning Europe as a global reference point in AML/CFT. FATF is the intergovernmental body that sets international AML/CFT standards; the Egmont Group is the international network of FIUs.

Completing the AML/CFT Single Rulebook

The Single Rulebook is the principal instrument for harmonising AML/CFT rules across the EU, and (unsurprisingly and in keeping with all other EU level authorities) its completion is AMLA's overriding regulatory priority. Different interpretations of rules by OEs and public authorities can lead to loopholes exploited by criminals, as well as unnecessary burdens for entities operating across borders.

Between 2025 and 2027, AMLA will deliver the bulk of the Level 2 and Level 3 mandates under the new AML package, with a particular concentration in 2026 – twenty-four of its forty mandates will be delivered that year alone. The instruments are designed not merely to prescribe measures for high-risk scenarios but also to provide guidance on how the framework can be simplified where risks are low – a welcome signal for firms seeking proportionality in compliance.

Annex XI to the SPD sets out AMLA’s publication plan for consultations and final draft releases of RTS and GL. These instruments aim to deliver a harmonised, risk-based approach to CDD, risk assessment, and monitoring, with explicit guidance on both intensification of measures for high-risk scenarios and simplification where risks are low. They will directly affect how OEs conduct CDD, assess and monitor risk, structure group-wide compliance frameworks, and file STRs.

Building an “AML/CFT Community”

One of AMLA's notable priorities is the creation of a “structured AML/CFT community” with OEs from both the financial and non-financial sectors. This community will serve as a standing forum for ongoing dialogue, experience-sharing, and feedback on implementation challenges, going well beyond public consultations. Critically, early engagement with this community offers a direct channel to influence how the regulatory framework is shaped and implemented during AMLA's formative years – an opportunity that diminishes as standards become settled. AMLA will also use it to foster synergies between sectors. In 2026, AMLA aims to establish the approach for the community's set-up and take initial implementation steps. Firms should consider prioritising engagement with this community as a strategic – not merely compliance – initiative.

Direct supervision of financial institutions

Scope and timeline

From mid-2028, AMLA will directly supervise forty of the EU's most impactful credit and financial institutions – those with the largest geographical footprint and highest ML/TF risk profile. The selection process is scheduled for 2027, based on a risk-based methodology that AMLA will test and calibrate throughout 2026, building on preliminary work by the EBA.

Selection methodology

The RTS on the direct supervision selection process (Article 12(7) AMLAR), including the methodology for classifying risk profiles and minimum activities for determining cross-border presence, was due in draft by Q4 2025. A targeted data collection exercise contributing to the testing and calibration of the model will be initiated in March 2026. By the end of 2026, AMLA expects to have a tested, transparent, and legally binding methodology endorsed by the European Commission, comprising the RTS under Article 12(7) AMLAR and Article 40(2) AMLD, a calibration note based on 2026 testing, and a summary of engagement with national supervisors and stakeholders.

Supervisory architecture

AMLA will establish Joint Supervisory Teams (JSTs), develop on-site and off-site supervisory procedures, and create JST dashboards, data quality checks, and risk indicator integration. The design of the supervisory cycle covers the main stages from entity selection to the conclusion of supervisory measures, including draft procedures for off-site monitoring, on-site inspections, and follow-up actions. Implementation is rolled out between 2026 and 2028, combining methodological consolidation, validation, operational readiness, pilot activities, and the eventual launch of supervision.

The first “Supervisory Strategy Paper” will be adopted in 2026, setting out AMLA's supervisory objectives, the scope of direct supervision, and guiding principles for resource allocation. It will provide the overarching framework for the subsequent development of the supervisory cycle and off-site supervisory tools.

Information transfer framework

A critical preparatory step is the creation, by end-2026, of a legally robust framework for the transfer of supervisory information and documentation from national competent authorities ("NCAs"). This will encompass the minimum documentation set required to initiate direct supervision, secure communication channels with supervisory authorities, data-protection safeguards (subject to review by AMLA's Data Protection Officer), and governance procedures under Articles 7–10 AMLAR. Standard templates for supervisory inventories will be developed, and permanent transfer channels with NCAs, the European Central Bank (ECB), and the European Supervisory Authorities (ESAs, comprising the EBA, ESMA, and EIOPA) will be established so that by end-2026 the first fully functional framework for supervisory handover is in place.

Exceptional transfers of supervision

AMLA is also developing a framework under Article 14 AMLAR for the temporary transfer of supervisory powers from national authorities in exceptional circumstances. This involves defining objective and measurable criteria for triggering such requests, designing a robust and transparent workflow for their evaluation, and ensuring that AMLA can base its decisions on sufficient data and evidence. In 2026, the building blocks will be established, including a basic workflow, a standard request template, and clear escalation rules to the Executive Board and General Board. More complex elements – such as measurable thresholds for exceptional circumstances, a comprehensive decision tree, detailed legal and governance safeguards, ICT system alignment, and staff training – will be phased into 2027. The full Article 14 Transfer Framework will be completed in 2027, providing immediate operational capacity while building towards a comprehensive and legally robust mechanism.

Enforcement powers

AMLA will develop a credible enforcement framework, including the RTS on indicators for classifying the level and gravity of AML/CFT breaches, pecuniary sanctions, and periodic penalty payments (Article 53(10) AMLD), with final drafts expected by Q3 2026. A separate non-financial sector edition will also be produced. Base amounts for pecuniary sanctions relative to turnover, broken down by type of breach and category of obliged entity, will be set out in guidelines under Article 53(11) AMLD, with the final draft expected by Q4 2026. The framework will also define the governance arrangements for enforcement, including a clear separation from day-to-day supervisory tasks, and will set out safeguards to ensure accountability and due process. By 2028, AMLA will have in place a fully developed enforcement function, aligned with EU and international standards.

Supervisory fees

From 2028, the costs of direct and indirect supervision will be funded by fees, with a Commission delegated act establishing the fee calculation methodology. The list of entities subject to fees will be broader than the list of directly supervised entities. AMLA will set up Activity Based Budgeting and Activity Based Costing systems in 2026–2027 to support fee determination. In parallel, AMLA will engage in structured discussions with the European Commission on the arrangements for supervisory fees, to ensure clarity, alignment, and timely preparation ahead of the first supervisory cycle.

Indirect supervision and oversight

Financial sector

AMLA's indirect supervisory powers extend across the entire EU financial sector. AMLA will develop a strategy and framework for indirect supervision, including a common supervisory model and manual, thematic reviews, and supervisory convergence assessments. AMLA will monitor national supervisors' compliance with supervisory requirements under the current AML/CFT framework until end of June 2027, and thereafter will monitor implementation of the forthcoming framework and identify vulnerabilities in competent authorities' approaches to AML/CFT supervision.

Supervisory convergence assessments

AMLA will develop a methodology for conducting assessments of supervisory activities under Article 30 AMLAR, which will guide the preparation, performance, and reporting on individual assessments. The first cycle of reviews is expected to take seven years and is designed to cover all financial supervisors. Reports will show where further convergence might be warranted and will create incentives to enhance supervisory effectiveness in line with FATF standards and EU requirements.

Colleges and Home/Host Cooperation

Based on a list of colleges in the EU, AMLA will select colleges of relevant OEs in line with a risk-based approach and participate in these colleges. AMLA will ensure the availability of an IT platform for the exchange of information among college members (for both financial and non-financial OEs) and will provide a report on the cooperation of supervisory authorities in AML colleges by end of 2026. The RTS on home/host supervisor duties and cooperation modalities (Article 46(4) AMLD) will be consulted upon in Q2 2026 with a final draft in Q3 2026.

Breach of Union law and deterioration in compliance

Critically, AMLA will develop governance structures and processes for reacting to indications of potential breaches of Union law, where a financial supervisor has not applied measures or has applied measures in a way that constitutes a breach of Union law leading to systematic supervisory failures affecting multiple OEs and undermining the effectiveness of the AML/CFT supervisory system. AMLA will also develop mechanisms to react to indications of serious, repeated, or systematic breaches by non-selected OEs, triggering AMLA action under Articles 32 and 34 AMLAR.

Training and best-practice exchange

AMLA will organise sectoral and cross-sectoral training programmes and seminars for the exchange of supervisory best practices on central AML/CFT supervisory topics. Training in 2026 will focus, among other things, on the information needs of the financial sector regarding colleges and on the exchange of best practices on crypto-asset trading. AMLA will use videoconferencing for this purpose to avoid stressing the resources of national supervisors.

Non-Financial Sector

AMLA will extend AML/CFT oversight to non-financial sector OEs for the first time at EU level. It will prepare and adopt an Oversight Strategy Paper governing the further development of methodologies and the later use of its tools for oversight of the non-financial sector, with the strategy to clarify AMLA's objectives and principles for resource allocation regarding oversight activities. The operational framework will focus on risk analysis and on the criteria for selecting the most appropriate tools to implement the strategy, including the setting up of methodologies for each individual oversight tool.

In 2026, AMLA will conduct a comprehensive mapping of supervisory practices across the large number of different non-financial sectors, integrate supervisory and FIU findings to create a common risk picture, and develop support to raise awareness among non-financial supervisors about their AML/CFT supervisory requirements. Engagement with non-financial sector supervisory authorities will include maintaining and updating the list of authorities, disseminating results of the 2025 comprehensive risk survey, and developing a plan for handling mutual assistance requests in the non-financial sector. Peer reviews and assistance in the functioning of supervisory colleges for the non-financial sector will commence in 2027. The RTS on supervisory colleges for the non-financial sector (Article 50(13) AMLD) will be consulted upon in Q4 2026 with a final draft in Q1 2027, whilst the equivalent for the financial sector (Article 49(14) AMLD) follows a similar timeline.

Crypto-assets and CASPs

Given CASPs' prominence in EU and global AML/CFT risk discussions, AMLA allocates dedicated workstreams to this sector. AMLA will conduct a strategic analysis focusing on market developments following the implementation of the Markets in Crypto-Assets Regulation ("MiCAR"), which establishes the EU's licensing and prudential framework for crypto-asset service providers. The aim is to build a robust knowledge base on the state of the crypto-assets market in the EU from an AML/CFT perspective and promote a shared understanding of emerging ML/TF risks. AMLA will also coordinate a thematic review on compliance of registered and MiCAR-authorised CASPs with AML/CFT law, particularly regarding higher-risk activities and services, and will participate as an observer in CASP supervisory colleges. An FIU expert network on crypto-assets will be established to facilitate training, knowledge sharing, and the exchange of best practices between FIUs.

Building out AMLA’s operations

FIU coordination and intelligence

AMLA will serve as the operational hub for FIU cooperation in the EU. The full team of 27 FIU delegates will be in place in 2026, marking an important milestone in the establishment of AMLA's FIU operational function.

Support and coordination framework

AMLA will launch its support and coordination activities, including mediation, mutual assistance, and peer-review functions. A comprehensive mapping exercise of EU FIUs' functioning – covering areas such as independence and autonomy, IT tooling, and STR volumes – will be completed as a basis for peer reviews and convergence. The first pilot thematic peer review will be carried out in 2026, with a second commencing on 1 January 2027, aiming at improved efficiency and consistency of FIU operations and legal frameworks. These reviews are an opportunity for AMLA to strengthen its leadership within the EU and towards international bodies such as the Egmont Group, FATF, and MONEYVAL (the Council of Europe's monitoring body for AML/CFT standards).

AMLA will also operationalise a mediation process for resolving disagreements between FIUs regarding individual cases related to cooperation, including the exchange of information under the AMLD, leading to non-binding opinions by the General Board in FIU composition and follow-up reporting.

Joint analyses

Methods and criteria for the selection and prioritisation of cases will be established, along with annual lists of priority areas (e.g. emerging typologies, cross-border patterns). At least one joint analysis exercise will be conducted in 2026, in addition to the CASP-specific strategic analysis, with participation from AMLA staff, FIU delegates, and a minimum of five FIUs. Outputs will be routed in a structured manner to national authorities, and to the European Public Prosecutor's Office (EPPO), the European Anti-Fraud Office (OLAF), Europol, and Eurojust where relevant.

Inter-agency working arrangements

AMLA will conclude working arrangements with the EPPO, Europol, Eurojust, and OLAF under Article 94 AMLAR, covering institutional, strategic, and operational cooperation, including the possibility of liaison officers from both sides, with a view to close coordination on cases and strategic intelligence.

FIU.net transfer

Full transfer and optimisation of FIU.net will be completed by July 2027, enabling secure, real-time data exchange across the Union. In 2026, AMLA will conduct legal, operational, and IT gap assessments, negotiate and agree transfer arrangements with the Commission, and develop a detailed technical transfer plan integrating FIU.net into AMLA's digital ecosystem.

Partnerships for Information Sharing (PfIS)

Article 75 AMLR – which becomes applicable on 10 July 2027 – provides a framework for OEs to establish partnerships for information sharing. Additionally, the AMLAR enables AMLA to set up cross-border partnerships. In 2026, AMLA will engage with the private sector via events and workshops to facilitate the successful establishment of these partnerships. This is of significant interest to firms operating in multiple jurisdictions, as it may materially improve the quality and speed of information sharing on ML/TF risks.

Data infrastructure and technology

AMLA intends to position itself as a leader in digital transformation, leveraging AI and machine learning for real-time monitoring, risk assessment, and predictive analytics. AMLA aims to systematically integrate AI in the development of all its operations, accelerating delivery cycles and improving service quality, alongside appropriate AI governance to maintain a strong control framework and reduce AI risks (e.g. model drift and bias). The digital roadmap is anchored in three priorities: building top-of-the-art digital solutions, taking over and modernising mission-critical systems such as EuReCA and FIU.net, and positioning AMLA as a leader in data analytics and innovation.

Key pillars include:

  • The AML/CFT Central Database (Article 11 AMLAR) – a structured repository of data on OEs, risk assessments, supervisory measures, and sanctions, to be rolled out for financial sector authorities from 2026 and for non-financial sector authorities from 2028. Access will be granted on a confidential, need-to-know basis to supervisory and other authorities where necessary. The related RTS will be consulted upon in Q2 2026 with a final draft in Q3 2026.
  • EuReCA transfer – operational transfer from the EBA to AMLA by March 2026, under a bilateral SLA, ensuring continuity of material weakness reporting.
  • Data Analytics Platform – automated data pipelines, a beta risk-scoring engine, and supervisory dashboards to support selection for direct supervision and broader risk monitoring.

Risk analysis framework

AMLA is building a transversal risk analysis framework that will underpin supervisory activities, FIU work, and policy outputs. In 2026 it will map available and expected data sources (supervisory reports, EuReCA, the emerging Central AML/CFT Database, FIU data, other EU agencies), create the infrastructure to collect data at both procedural and IT levels, and begin to produce risk publications such as sectoral and topical risk assessments and ML/TF opinions. The risk analysis unit will continue to test, validate, and calibrate the risk methodologies for the selection of entities for direct supervision (Article 12(7) AMLAR) and for the supervision of the financial sector (Article 40(2) AMLD).

Crisis-management early warning

AMLA will develop an internal crisis-management and early-warning strategy and procedures to identify and respond to potential AML/CFT crises affecting sectors or entities. In 2026, AMLA aims to prepare the strategy for this system and to finalise its internal procedures, contributing to the identification and addressing of potential AML/CFT crises in the sector.

Strategic and operational implications for regulated firms and other OEs

Regulated firms – particularly credit institutions, financial institutions, and CASPs operating cross-border – should assess how the SPD will impact them, but many may wish to consider the following steps, which are likely to apply regardless of a firm’s activity:

Immediate priorities (2026)

  • CDD and risk assessment overhaul: The CDD RTS (Article 28(1) AMLR) and the GL on business-wide risk assessment (Article 10(4) AMLR) will set new harmonised standards. Critically, this is not merely a policy update exercise – the harmonised data fields and verification standards may require fundamental redesign of digital onboarding journeys, KYC questionnaires, and data capture systems. Firms should begin cross-functional gap analyses (involving IT, operations, and compliance) against anticipated requirements during the consultation phases (Q2–Q3 2026).
  • Group-wide compliance: The RTS on minimum requirements for group-wide policies (Article 16(4) AMLR), including minimum standards for information sharing, criteria for identifying the parent undertaking, and conditions under which group-wide requirements apply, will require firms operating in multi-jurisdictional group structures to reassess their compliance architecture.
  • Third-country exposure: The RTS on additional measures for branches and subsidiaries in non-compliant third countries (Article 17(3) AMLR) may require enhanced controls and escalation procedures for firms with such exposures. Firms should also prepare contingency documentation – including potential exit or wind-down plans – for scenarios in which local law in a third country renders full AMLR compliance impossible, as the RTS may require supervisory escalation in such cases.
  • Ongoing monitoring: The GL on ongoing monitoring of business relationships (Article 26(5) AMLR), expected in final draft by Q4 2026, may facilitate the deployment of advanced technology in transaction monitoring – firms should evaluate how their existing systems align with AMLA's expected guidance.
  • Engage with the AML/CFT Community: Firms should consider early engagement with AMLA's AML/CFT Community as a forum for sharing experiences and influencing regulatory development.

Medium-term considerations (2027–2028)

  • Direct supervision readiness: The forty entities selected for direct supervision in 2027 will need to prepare for a fundamentally different supervisory relationship, including cooperation with JSTs, submission to AMLA's on-site inspections, providing a minimum documentation set for the information transfer framework, and potential exposure to AMLA's enforcement and sanctioning powers.
  • Fee liability and indirect supervision: Even entities not selected for direct supervision will be subject to supervisory fees from 2028, as the fee-paying population will be broader than the directly supervised cohort. Moreover, AMLA's indirect supervisory powers – including convergence assessments of national supervisors, breach-of-Union-law procedures, and thematic reviews – will apply across the entire EU financial sector. Firms should not assume that avoiding direct supervision selection means avoiding AMLA's influence on their supervisory environment.
  • Supervisory convergence: All financial sector OEs should anticipate greater consistency in supervisory expectations across Member States, as AMLA's common AML/CFT supervisory methodology (Article 8 AMLAR) takes effect and supervisory convergence assessments commence.
  • PfIS participation: Firms should assess whether participation in Partnerships for Information Sharing from July 2027 could enhance their ML/TF detection capabilities. However, the governance, data protection, and contractual infrastructure required for effective participation cannot be established quickly. Firms considering participation should begin preparation now, including drafting partnership agreements, conducting data protection impact assessments, and establishing internal information barriers.
  • Whistleblowing channel: AMLA will develop an internet-accessible confidential reporting channel for employees of credit and financial institutions, supervisory authorities, and FIUs, in line with the EU Whistleblowing Directive and Article 90 AMLAR. This creates a new external escalation route for AML/CFT concerns, with significant implications for internal whistleblowing policies, staff training, and reputation management. The documentary implications for internal policies are addressed below.
  • Fundamental rights officer: A Fundamental Rights Officer will be appointed in 2026 to ensure all AMLA activities respect the EU Charter of Fundamental Rights – including reviewing supervisory methodologies for fairness, checking data processing for privacy, and flagging risks of discrimination in enforcement actions. This signals AMLA's intent to embed proportionality and rights-based safeguards within its supervisory approach.
  • Transfer of Funds Regulation review: AMLA will be expected to support the European Commission in the upcoming review cycle of the Transfer of Funds Regulation (TFR); the Commission intends to send a call for advice to AMLA by end-2026, with delivery expected by end-2027. The Commission is also preparing for a possible reopening of the Regulation to align with recent and forthcoming changes to FATF Recommendation 16 on Payment Transparency, and AMLA anticipates having a role in supporting the Commission's broader legislative review once the FATF process concludes in 2027. Firms active in payments and transfers should monitor these developments closely.

Non-financial sector

Firms in the non-financial sector that are OEs under the AMLR (e.g. legal professionals, accountants, real estate agents, dealers in precious metals) should note that AMLA's oversight will extend to their sector, with an “Oversight Strategy Paper” and operational framework to be developed in 2026, peer reviews and supervisory colleges expected from 2027, and the Central Database accessible to their supervisors from 2028.

Non-financial OEs should engage proactively with AMLA's AML/CFT community, particularly as this form of EU-level engagement may be new to many participants in this sector.

Documentary implications of the SPD for regulated firms and other OEs

While the above details a number of considerations that impact the institutional and strategic outlook, the SPD and its associated regulatory mandates will necessitate a systematic review and amendment of both the internal policy documentation and the market and client-facing documentation used by regulated financial services firms and other OEs. This includes:

1. CDD and customer onboarding

The RTS on information required for performing CDD (Article 28(1) AMLR), due in final draft by Q3 2026, will prescribe harmonised data fields and verification standards that must be captured at the point of establishing a business relationship or conducting an occasional transaction. In parallel, the RTS on lower CDD thresholds (Article 19(9) AMLR) will specify higher-risk sectors, associated occasional transaction thresholds, and measures for identifying occasional transactions and business relationships. Additionally, the GL on risk variables and factors (Article 20(3) AMLR) will set out the risk factors to be assessed when entering into business relationships or carrying out occasional transactions.

  • Internal policy implications. Firms will need to review and redraft their CDD policies and procedures manuals to align with the harmonised information requirements, including prescribed data fields and verification standards. CDD and risk-scoring policy documentation will need to formalise the specific risk factors and variables that drive risk classification decisions, and to demonstrate consistency with the GL on risk variables. Threshold matrices and automated triggers will need to be recalibrated in line with the new thresholds and sector-specific risk classifications.
  • Client-facing implications. Account opening forms, KYC questionnaires, and digital onboarding workflows will need to be redesigned to capture all mandatory data elements prescribed by the CDD RTS, including revised fields for the identification and verification of natural persons and legal entities, beneficial ownership information, and source-of-funds and source-of-wealth declarations. Forms will need to reflect the harmonised EU standard rather than any divergent national approach currently in use. Client-facing forms for the collection of beneficial ownership information – including corporate structure charts, declaration of trust forms, and nominee arrangement disclosures – will need to align with the standardised requirements of the CDD RTS, which may prescribe specific data fields, formats, and certification requirements that differ from current national practice. Where firms currently disclose to customers the basis on which they are risk-rated, these disclosures will need to be aligned with the harmonised risk variables set out in the GL on risk factors; in particular, the criteria for applying simplified CDD may result in changes to the information communicated to lower-risk customers about the reduced verification requirements that apply to them. Firms providing services on an occasional basis (e.g. currency exchange, wire transfers below existing thresholds) should expect that the threshold at which CDD is triggered may change for higher-risk sectors, necessitating amendments to the terms, conditions, and disclosure materials presented to occasional customers.

2. Business-wide risk assessment

The GL on business-wide risk assessments (Article 10(4) AMLR), expected in final draft by Q4 2026, will define how OEs are expected to identify, assess, and understand their ML/TF risks at an enterprise level, and then design and implement proportionate mitigating measures.

  • Internal policy implications. Regulated firms should anticipate a requirement to produce and maintain a single, structured, Board-approved risk assessment document – compliant with the forthcoming harmonised standard – that is demonstrably referenced in, and connected to, all downstream CDD, monitoring, and reporting policies. This document will need to address both high-risk intensification and simplification where risks are assessed as low.

3. Ongoing monitoring

The GL on ongoing monitoring of business relationships (Article 26(5) AMLR), expected in final draft by Q4 2026, will address both the monitoring of business relationships and of transactions within those relationships, and will also provide a basis for AMLA to steer the private sector's use of advanced technology in AML/CFT. 

  • Internal policy implications. Firms should prepare to redraft transaction monitoring policies to reflect the new harmonised expectations, including the parameters and frequency of reviews of customer profiles and transaction patterns. Firms should document and evidence the rationale for the technology and methodologies deployed in transaction monitoring, including any use of AI or machine learning, as AMLA's guidance may set expectations on model governance, validation, and explainability. Monitoring policies should clearly articulate the escalation pathways from automated alerts through to STR filing decisions.
  • Client-facing implications. Standard terms and conditions should be reviewed to ensure they contain adequate contractual provisions requiring the customer to cooperate with AML/CFT obligations, including the provision of updated information for ongoing monitoring purposes. The firm must retain the contractual right to suspend, restrict, or terminate the business relationship where the customer fails to provide information required under the harmonised CDD standards, or where ongoing monitoring identifies risk factors that cannot be adequately mitigated. These provisions should be aligned with the risk-based approach set out in the forthcoming GL, which will address both intensified measures for high-risk relationships and simplified measures for low-risk relationships. 

4. Compliance function organisation

The GL on internal policies, procedures, and controls (Article 9(4) AMLR), expected in final draft by Q2 2027, will prescribe the elements to be taken into account when determining the extent of a firm's internal controls, having regard to the nature, risks, complexity, and size of the business. Critically, these guidelines will also identify situations where internal controls should be organised at the level of the commercial function, the compliance function, and the audit function, and will address circumstances in which the independent audit function may be carried out by an external expert.

  • Internal policy implications. Regulated firms should review their compliance function terms of reference, reporting lines, and staffing mandates in anticipation of this guidance. Firms should prepare to document the rationale for how AML/CFT compliance responsibilities are allocated between the three lines of defence and should assess whether their current internal audit arrangements (including any outsourcing to external providers) will satisfy the forthcoming criteria.

5. Group-wide policies, controls and contractual architecture

The RTS on minimum requirements for group-wide policies and controls (Article 16(4) AMLR), due in final draft by Q3 2026, will prescribe minimum standards for information sharing within groups, the criteria for identifying the parent undertaking, and the conditions under which group-wide requirements apply.

  • Internal policy implications. The group-wide AML/CFT policies and procedures manual will need to be structured to comply with the RTS, with clear identification of the parent undertaking, delineation of responsibilities between group and entity-level compliance functions, and documented escalation and reporting channels.
  • Contractual implications. Firms will need to review, and likely redraft, intra-group data-sharing agreements, service level agreements, and compliance cooperation arrangements to ensure they meet the minimum standards for information sharing prescribed by the RTS. These agreements will need to be legally enforceable in each jurisdiction in which the group operates, and will need to comply with local data protection regimes whilst enabling the flow of AML/CFT-relevant information mandated by the RTS. The RTS will set criteria for identifying the parent undertaking in the Union – a legal determination that will have contractual consequences for how compliance obligations and supervisory interactions are allocated within the group.
  • Client-facing implications. Firms operating in multi-jurisdictional groups should ensure their standard terms authorise the sharing of customer data between group entities for AML/CFT compliance purposes, to the extent permitted by applicable data protection law. This is particularly relevant for groups with branches or subsidiaries in third countries, where the RTS on additional measures (Article 17(3) AMLR) may impose specific documentation and information-flow requirements.

6. Third-country branches and subsidiaries

The RTS on additional measures for branches and subsidiaries in third countries where local law does not permit compliance with the AMLR (Article 17(3) AMLR), due in final draft by Q3 2026, will require enhanced controls and related supervisory actions.

  • Internal policy implications. Firms with third-country exposures should review branch and subsidiary compliance mandates, operational agreements, and management agreements to ensure they accommodate the additional measures that the RTS may prescribe, including enhanced reporting obligations to the group parent and to supervisory authorities. Contingency documentation – including potential exit or wind-down plans – should be prepared for scenarios in which local law in a third country renders full AMLR compliance impossible, as the RTS may require escalation to, and decision-making by, supervisory authorities in such cases.
  • Contractual implications. Outsourcing and delegation agreements with third-country entities will need to address the flow-down of AML/CFT obligations consistent with the RTS. Agreements with third-country service providers will need to account for the additional measures prescribed, including any restrictions on the types of services that may be provided or data that may be transferred.

7. Supervisory interaction documentation

  • Information transfer and supervisory handover. For the forty entities that will be selected for direct supervision, the Information Transfer Framework (to be finalised by end-2026) will prescribe the minimum documentation set to be transferred to AMLA, including supervisory inventories, pending case files, and historical supervisory records. Firms should compile and index their supervisory correspondence, inspection reports, remediation plans, and enforcement actions in a structured, transferable format; prepare supervisory inventory templates that catalogue all AML/CFT documentation held at entity and group level; and review the confidentiality and data protection provisions in existing supervisory cooperation agreements, as the new framework will require secure channels and DPO-reviewed data-protection safeguards for all transfers.
  • Home/host cooperation. The RTS on duties of the home and host supervisors and the modalities of cooperation between them (Article 46(4) AMLD), due in final draft by Q3 2026, will formalise the obligations of supervisors in cross-border contexts. This has knock-on implications for the documentation that firms must maintain in each jurisdiction – including local compliance manuals, risk assessment reports, and supervisory reporting – to facilitate seamless cooperation between home and host authorities. Firms operating through branches or subsidiaries in other Member States should review their market-facing agreements and relationship documentation to ensure consistency with the supervisory cooperation expectations that will apply to their supervisors.

8. Reporting and filing documentation

The ITS on formats for STRs and transaction records (Article 69(3) AMLR), expected in final draft by Q4 2026, will harmonise reporting formats across the EU. The GL on indicators of suspicious activity or behaviour (Article 69(5) AMLR), to be issued by July 2027, will provide a common reference point for both FIUs and OEs.

  • Internal policy implications. Firms should reconfigure their STR filing systems and templates to comply with the standardised formats, update internal policies on transaction record retention to align with any new requirements as to form, content, and duration, and review their data architecture to ensure they can extract and transmit the required data fields in the prescribed format. Firms should also plan to incorporate the forthcoming indicators of suspicious activity into their transaction monitoring rules, staff training materials, and escalation criteria, and to document how these indicators are embedded in their detection systems.
  • Client-facing implications. Whilst STRs are by their nature not disclosed to the customer, terms and conditions and privacy notices should disclose to customers that transaction records will be maintained in the standardised format prescribed by the ITS, and for the duration required by applicable law. Client-facing policies and staff-facing materials should be reviewed to ensure that tipping-off prohibitions are consistently reflected, particularly in the context of ongoing monitoring processes that may become more frequent or more intensive under the harmonised GL.

9. Partnerships for Information Sharing (PfIS)

Article 75 AMLR – applicable from 10 July 2027 – provides a framework for OEs to establish PfIS, and the AMLAR empowers AMLA to facilitate cross-border partnerships.

  • Governance and contractual documentation. Firms considering participation in PfIS should prepare partnership agreements setting out the purpose, scope, membership, data-sharing protocols, confidentiality obligations, and data protection safeguards of each PfIS. Data protection impact assessments (DPIAs) will be essential given that PfIS will involve the sharing of personal data between private-sector entities and with public authorities. Documentation establishing appropriate information barriers within the firm should be developed to manage the use of information received through a PfIS, including protocols to prevent its misuse for commercial purposes or in breach of competition law.
  • Client-facing implications. Firms should consider whether their standard terms include provisions enabling, or at least not precluding, the sharing of customer information with other OEs or public authorities within the framework of a PfIS. Where a firm participates in or intends to participate in a PfIS, the privacy notice will need to disclose the categories of personal data that may be shared with other partnership members and the safeguards applicable to such sharing.

10. Privacy notices and data protection disclosures

The new AML/CFT framework will have material implications for the content of privacy notices provided to customers:

  • Purpose limitation and legal basis. Privacy notices will need to be updated to reflect the specific legal bases under the AMLR for the processing of personal data in the context of CDD, ongoing monitoring, and suspicious transaction reporting. The harmonised standards may alter the scope or nature of data processing activities, requiring corresponding amendments to the description of processing purposes and the legal basis relied upon.
  • Data sharing with AMLA. For entities that may be selected for direct supervision, privacy notices should disclose the possibility that customer data and supervisory documentation may be transferred to AMLA as part of the information transfer framework, including through secure channels established under Articles 7-10 AMLAR. This disclosure should also cover the Central AML/CFT Database (Article 11 AMLAR), into which supervisory authorities will transmit information about OEs.
  • Intra-group transfers. Privacy notices for customers of group entities will need to reflect the mandatory information-sharing flows prescribed by the group-wide policies RTS (Article 16(4) AMLR), including where data is transferred to jurisdictions outside the EU, and especially to third countries that may not permit full compliance with the AMLR.
  • Retention periods. To the extent that the ITS on STR formats and transaction records (Article 69(3) AMLR) prescribes standardised record-keeping requirements, privacy notices should reflect any changes to data retention periods applicable to CDD records and transaction data.

11. Enforcement-related documentation

The RTS on indicators for classifying the level and gravity of breaches (Article 53(10) AMLD) and the GL on base amounts of pecuniary sanctions relative to turnover (Article 53(11) AMLD) will be finalised in Q3 and Q4 2026 respectively, with a separate non-financial sector edition also to be produced.

  • Internal policy implications. Firms should review their compliance breach registers and internal incident classification frameworks to ensure alignment with AMLA's forthcoming taxonomy of breaches. Compliance risk appetite statements and Board reporting packs should be updated to reflect the new penalty exposure framework. Internal disciplinary and escalation policies should be made consistent with the categories of breach and sanction set out in the RTS and GL.
  • Whistleblowing. As noted above, AMLA will establish an internet-accessible confidential reporting channel under Article 90 AMLAR. Internal whistleblowing policies, codes of conduct, and compliance manuals should cross-reference AMLA's external channel alongside existing national and firm-level reporting mechanisms. Firms may also wish to include provisions in agreements with counterparties and service providers acknowledging the availability of external AML/CFT whistleblowing channels, as a further safeguard against compliance failures within the value chain.

12. Product and service documentation

  • Product terms for higher-risk services. The GL on risk variables and factors (Article 20(3) AMLR) will identify risk factors that should be assessed at the point of entry into a business relationship. For products or services identified as higher-risk – whether by reference to customer type, transaction type, geographical exposure, or delivery channel – the product terms, prospectuses, or service schedules may need to include enhanced AML/CFT disclosures or conditions. This is particularly relevant for CASP products, given AMLA's dedicated workstream on the crypto-assets sector following MiCAR implementation.
  • Simplified CDD product terms. The SPD confirms that the regulatory framework will provide guidance on simplification where risks are low. This may enable firms to streamline the client-facing documentation for lower-risk products (e.g. low-value e-money instruments, basic payment accounts), reducing the information burden on customers where the harmonised standards permit simplified measures.
  • CASP-specific documentation. Crypto-asset service providers authorised under MiCAR will need to ensure that their client-facing terms and conditions, risk disclosures, and onboarding documentation reflect the AML/CFT-specific requirements that AMLA's thematic review and strategic analysis of the CASP sector may highlight. This includes ensuring that wallet, exchange, and transfer services documentation adequately addresses the CDD and ongoing monitoring obligations applicable to such services.

13. Correspondent banking, agency and outsourcing agreements

  • Correspondent banking agreements. Agreements with respondent banks or payment intermediaries should be reviewed to ensure they contain AML/CFT cooperation provisions aligned with the forthcoming harmonised standards. The RTS on CDD (Article 28(1) AMLR) may prescribe specific due diligence steps to be taken on respondent institutions, and these should be reflected in the contractual obligations imposed on the counterparty.
  • Outsourcing and delegation agreements. Where AML/CFT obligations are outsourced or delegated – including to agents, intermediaries, or third-party CDD providers – the contractual documentation governing those arrangements will need to be updated to reflect the harmonised CDD information requirements and the group-wide policies RTS. Agreements with third-country service providers in particular will need to account for the additional measures prescribed by the RTS under Article 17(3) AMLR.

14. Marketing and communications materials

  • AML/CFT compliance messaging. Firms that market their services on the basis of compliance robustness or regulatory standing should ensure that their external communications and marketing materials reflect the new EU AML/CFT framework accurately, including AMLA's role and the firm's compliance with harmonised standards. This is particularly relevant for firms marketing to institutional counterparties, correspondent banking partners, and in the context of competitive tenders where AML/CFT compliance is a differentiator.
  • Cross-border marketing materials. Firms marketing financial products or services across multiple Member States should anticipate that the harmonisation of AML/CFT standards will progressively eliminate the need for jurisdiction-specific AML/CFT disclosures in marketing materials, enabling a single, EU-standard compliance statement. However, during the transitional period, discrepancies may persist between the incoming harmonised framework and existing national requirements, and marketing materials should be reviewed to avoid inaccurate or misleading representations about applicable AML/CFT obligations.

15. Supervisory fee governance

From 2028, supervisory fees will be levied on a population broader than the directly supervised cohort. Firms should review budgetary and financial planning documentation to accommodate the new fee liability, and establish internal governance procedures for managing the fee notification, calculation, and payment process, particularly for groups with multiple entities that may each be subject to fees.

Outlook

The SPD confirms that the EU AML/CFT landscape is entering a period of fundamental transformation. AMLA's ambition is to replace the fragmented national supervisory model with a centralised, data-driven, risk-based architecture – supported by a comprehensive Single Rulebook, direct and indirect supervision, enhanced FIU coordination, and a robust data ecosystem. For regulated firms, the volume and pace of regulatory change in 2026-2028 will be exceptional, with 2026 as the pivotal year.

The concentrated delivery of twenty-four regulatory mandates in 2026, the commencement of the direct supervision selection process in 2027, and the operationalisation of supervisory fees and enforcement powers from 2028 collectively represent a step change in compliance expectations. Consultation periods will be short and final texts will be published in rapid succession. The window for gap analysis and implementation will be tight. The timetable, if maintained, will give OEs, supervisors, and FIUs a compressed sequence of EU-level standards – firms should allocate resources for regulatory monitoring and implementation planning now, not after final texts are published.

Proactive engagement with AMLA's consultations, the emerging AML/CFT community, and early investment in compliance infrastructure will be essential. Firms that wait for final texts to be published before beginning implementation planning will find themselves under significant time pressure. The AML/CFT community, in particular, offers a strategic opportunity to influence regulatory development during AMLA's formative years – an opportunity that will diminish as standards become settled.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these and related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to help clients navigate challenges and seize opportunities, and to engage proactively with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.  

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures and to create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary. The inventory has version control over a defined backward and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” as well as the “2025 Regulatory, Governance and Compliance Technology Award”.
