Financial Services

From vision to action – AMLA publishes its first Annual Work Programme

Written by

Dr. Michael Huertas

RegCORE Client Alert | Financial Services

QuickTake

At the start of July 2025, AMLA, the EU’s new “Authority for Anti-Money Laundering and Countering the Financing of Terrorism”, published its Annual Work Programme (AWP) for 2025. The AWP marks the foundational phase and outlines AMLA's establishment in Frankfurt, its governance structures, its recruitment and its digital infrastructure development. AMLA has a dual mandate: it is both (i) regulator and (ii) supervisor for anti-money laundering (AML) and countering the financing of terrorism (CFT) in the EU. AMLA’s role is to act as a central authority, co-ordinating all national AML and CTF supervisors, in (a) the regulated (not just those in the financial services sector) and (b) the non-regulated sectors. This centralisation aims to improve the effectiveness and consistency of AML and CTF supervision of obliged entities (OEs) and enforcement across the EU. Although the AMLA will not replace national AML and CTF supervisors, it will have direct supervisory powers, for AML/CFT purposes, over certain high-risk financial institutions and ultimately also crypto-asset service providers (CASPs) and potentially, over the longer term, much more.

Regulated sector OEs include: credit institutions, financial institutions, payment institutions, e-money institutions, investment firms, life insurance undertakings and intermediaries, collective investment undertakings, crypto-asset service providers, and certain holding companies. These entities are already subject to prudential regulation and supervision, and the new framework builds on existing obligations, but with enhanced harmonisation and direct applicability.

Non-regulated sector OEs include: auditors, external accountants, tax advisors, notaries, lawyers (when participating in certain transactions), trust and company service providers, estate agents, persons trading in precious metals, stones, high-value goods, cultural goods, providers of gambling and professional football clubs, among others. Many of these entities are newly or more explicitly brought within the scope of AML/CFT obligations, with sector-specific nuances and, in some cases, exemptions or tailored requirements.

AMLA, in its role as regulator, is tasked with regulatory and supervisory convergence amongst National Competent Authorities (NCAs) and across markets. Accordingly, AMLA shapes how NCAs apply the legislative and regulatory requirements as well as expectations in the supervision of financial market participants within AMLA's regulatory mandate. In this regard, the 2025 AWP is structured around policy and convergence work, risk assessment and data activities, governance, coordination and support tasks.   

AMLA, in its role as supervisor, is tasked with supervising AML/CFT activities and coordinating EU Member States’ Financial Intelligence Units (FIUs), focusing on harmonising supervisory practices, completing the EU’s Single Rulebook and its chapters on AML/CFT and enhancing cooperation among stakeholders (also known as the “FIU Pillar”). AMLA’s key priorities include indirect supervision of high-risk sectors such as crypto-asset service providers, development of regulatory technical standards (RTS) and preparation for AMLA’s direct supervisory engagement starting in 2028.

This Client Alert should be read together with other thematic deep dives on reforms and developments in the EU’s new AML/CFT rules and AMLA’s powers as well as our standalone analysis of all relevant 2025 AWPs from the European Commission, the European Supervisory Authorities (ESAs) as well as those of the Banking Union authorities (ECB-SSM and SRB). Readers should also consult the excellent publications from PwC's Risk Network as well as PwC Legal's "Navigating 2025", a comprehensive playbook providing a more granular annual outlook from PwC Legal's EU RegCORE on the regulatory policymaking agenda, the supervisory cycle and assessment of commonalities and trends across plans for 2025 and beyond.

Key takeaways from the AWP 

AMLA’s AWP focuses on several foundational and operational readiness priorities that were advanced during 2025 to date.

These initial milestones include:

1. Establishment in Frankfurt: AMLA's headquarters in Frankfurt became operational in February 2025, with the final lease agreement for its permanent premises in the Messe Tower signed in April 2025. Facility management services were launched, ensuring operational readiness.

2. Governance structures: governance structures were established, including the appointment of the Chair and the Executive Board. The General Board held its meetings and rules of procedure, including a conflict-of-interest policy, were adopted.

3. Recruitment and onboarding: recruitment commenced, aiming to reach up to 120 staff members by late 2025, with personnel already onboarded in key functions such as HR, IT, finance and procurement. Service level agreements with the European Commission were concluded to support HR services. The implementation of a performance management cycle and the development of a learning and development framework will be initiated in the second half of 2025. By 2028 AMLA aims to have 430 staff in operation.

4. Digital infrastructure development: AMLA began building a secure, interoperable IT environment to support its mission, including the digital workplace, the transfer of the EuReCA system from the EBA and the design of the Central AML/CFT Database as well as the assumption of responsibility for systems such as FIU.net. Cybersecurity planning is progressing in coordination with CERT-EU.

5. Institutional cooperation: AMLA signed Memoranda of Understanding (MoU) with the ESAs and the ECB, formalising inter-institutional cooperation. The EEA/EFTA States (Iceland, Liechtenstein and Norway) have been welcomed as observers in AMLA's General Board.

6. Policy mandates in preparation for AML/CFT supervision: AMLA launched several cross-functional and pillar-specific workstreams to prepare the first of the 23 level 2 and level 3 (L2/3) mandates that must be delivered before July 2026. These mandates cover supervisory processes, risk understanding and mitigating measures by OEs as well as the functioning of FIUs. The L2/3 mandates will be delivered through:

a. Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on risk assessment, customer due diligence (CDD), internal controls and reporting; as well as

b. Supervisory Guidelines on business-wide risk assessments, ongoing monitoring and sector-specific obligations. 

7. Setting the supervisory approach – direct and indirect supervision: the above serves to empower AMLA in its two supervisory roles:

a. Indirect supervision (from July 2025): Oversight of NCAs, with a focus on high-risk sectors such as CASPs and the non-financial sector. Financial institutions that are not directly supervised by the AMLA (defined in the AMLA Regulation as "non-selected obliged entities") will be supervised by their national supervisors. However, they will be subject to AMLA’s indirect supervision, which should be limited to interaction with the relevant national supervisors and should not include direct interaction with financial institutions. AMLA will also be able to settle disagreements between national supervisors on measures to be taken by financial institutions that are not subject to AMLA's direct supervision. For indirectly supervised financial institutions, AMLA will ensure that AML and CTF supervisory colleges are established and functioning. AMLA will also coordinate national thematic reviews (including by aligning or synchronising these reviews, and facilitating any activities that national supervisors might wish to carry out, whether jointly or otherwise); and

b. Direct supervision (from 1 January 2028): AMLA will directly supervise a selection of high-risk financial institutions (currently up to 40), including CASPs and possibly, over the longer term, much more based on risk-based criteria and methodologies currently under development. Directly supervised institutions will not have to deal with multiple national supervisors in different EU Member States. Instead, AMLA will supervise their compliance with the AML/CTF chapters of the Single Rulebook and take enforcement action in the event of breach. AMLA's direct supervision will eliminate the need for national supervisors of home and host Member States to coordinate and align measures taken with regard to various parts of the same financial group. Once AMLA is fully operational, around 200 of its anticipated 430 staff members will work on the direct supervision of financial institutions. They will work in joint supervisory teams (JSTs) that include staff of the relevant national supervisors. Each JST will be led by an AMLA JST coordinator. JSTs will be based at AMLA's seat in Frankfurt, although they will be able to carry on their supervisory activities in any Member State where the selected financial institution has its operations. ITS will be developed specifying, among other things, the conditions under which national supervisors are to assist the AMLA.

8. Jointly building up inter-institutional coordination and the “FIU Pillar”: AMLA's FIU Pillar started as the facilitator of cross-border financial crime fighting, committed to building a strong, connected and future-proof EU framework for financial intelligence. AMLA aims to establish a robust Support & Coordination Framework, install an effective and operational FIU Delegates Group, enhance information exchange, joint analyses and strategic threat assessments, ensure legal and operational clarity for FIUs across the EU and drive innovation and collaborative impact. AMLA will coordinate and participate in supervisory colleges, thematic reviews and peer assessments, particularly in cross-border and high-risk contexts. Further powers to support the above include AMLA’s operationalisation of intra-institutional powers (including outside of the FIU Pillar) and approach to:

a. Coordination: National supervisors will be coordinated by AMLA to increase their mutual support and co-operation, and ensure the consistent, high-quality application of supervisory standards, approaches and risk assessment methodologies. AMLA will also help national supervisors increase their effectiveness in enforcing the AML/CTF chapters of the Single Rulebook.

b. Mutual assistance: In addition to the benefits from coordination, national supervisors will benefit from the new arrangement when they face specific challenges (for example, a lack of resources), as mutual assistance from AMLA or other national supervisors will be available on request. This could involve the exchange of personnel, secondments, training or sharing best practices.

c. Close cooperation: AMLA will work in close cooperation with national and EU bodies relevant to the financial and non-financial sector, including by way of MoUs. AMLA will also have power to enter into arrangements with authorities in third countries that have AML and CTF regulatory or supervisory competences and help the Commission with its activities as a member of the Financial Action Task Force (FATF).

AMLA’s Activities for the second half of 2025 include:

9. Strategic framework development: AMLA will initiate the development of a strategic framework for AMLA's Mission and Vision and the drafting of two Single Programming Documents (SPDs), for the periods 2026–2028 and 2027–2029. This process will develop AMLA's vision, mission, strategic objectives and priority actions for the medium term. The SPDs will have a wide-reaching impact on the direction and priorities of supervision and enforcement activity advanced by the NCAs and FIUs.

10. Laying the foundation for AML/CFT supervision: AMLA's main objective is to commence laying down the rules, processes and requirements for AMLA regarding direct and indirect supervision and oversight and to set standards to enhance convergence of supervisory practices of NCAs based on L2/3 work already done by the ESAs and to strengthen cooperation among supervisors both in the financial and non-financial sector. 

11. Policy work on AML/CFT supervision: AMLA considers the RTS on the selection of the 40 financial institutions for direct supervision and the RTS on the risk assessment methodology of financial and non-financial OEs to be of high relevance for AMLA's work. AMLA plans to develop a draft Implementing Technical Standard (ITS) with the Working Group on Cooperation and to conduct a two-month public consultation starting late in 2025.

12. AMLA Database: AMLA will draft RTS to specify the procedures, formats and timelines for the transmission of information by relevant authorities to AMLA; the scope and level of detail required for the information to be transmitted; the modalities of information sharing, including necessary consents; and the criteria for obligatory transmission, such as the required level of materiality for breaches. 

13. Home/Host Cooperation between supervisors: AMLA will draft RTS to detail the duties of home and host supervisors and the modalities of cooperation between them to ensure that all parties have a clear understanding of their respective roles and responsibilities. 

14. Policy workstream on 'Risk and Measures': AMLA is responsible for delivering mandates aimed at ensuring that OEs clearly understand relevant risks and effectively implement mitigating measures.  AMLA has prioritised three mandates: (i) RTS on lower thresholds and criteria to identify business relationships, (ii) Guidelines on business-wide risk assessment and (iii) Guidelines on ongoing monitoring of a business relationship. 

15. Relevant work by EBA under the 'Call for Advice': AMLA has been participating in the work carried out by the EBA in two dedicated sub-groups. These sub-groups are working on mandates in the context of the Call for Advice, including the risk assessment for the purpose of selection for direct supervision, the methodology for assessing the inherent and residual risk profile of OEs in the financial sector, customer due diligence (CDD), pecuniary sanctions, administrative measures and periodic penalty payments, guidance on the base amounts for pecuniary sanctions and minimum requirements for group-wide policies.

16. Policy workstreams on the FIU Pillar: AMLA will take over the work initiated by the European Commission's Expert Group on FIU matters, including the ITS on templates and formats for suspicious activity reports (SARs), suspicious transaction reports (STRs) and transaction records. OEs that report may experience changes in the way SARs/STRs and other financial intelligence are handled, with a move towards more standardised formats and processes. Enhanced cooperation between FIUs and law enforcement may lead to more effective follow-up on SARs/STRs and increased feedback to reporting entities.

17. Operational work on the FIU Pillar: AMLA will develop and implement peer review processes and mapping of FIU capabilities across the EU. AMLA aims to establish a robust Support & Coordination Framework, install an effective and operational FIU Delegates Group, enhance information exchange, joint analyses and strategic threat assessments, ensure legal and operational clarity for FIUs across the EU and drive innovation and collaborative impact.

18. Cooperation with law enforcement: AMLA will start negotiations with EPPO, OLAF, Europol and Eurojust. AMLA shall draft and implement working arrangements that enhance strategic, operational and technical collaboration with OLAF, Europol, Eurojust and EPPO.

19. Building up AMLA: mindful of the capacity constraints, dependence on external timelines, legal uncertainties, IT and data security as well as reputational pressures, AMLA is concentrating, in its own accelerated capacity build, on:

a. Human resources: AMLA will continue recruiting intensively, manage increasing staff levels, adopt relevant HR policies and implementing rules, introduce formal performance management, develop a learning and development framework, enhance the attraction package for staff, boost organisational culture and implement a strategic forward plan for HR.

b. Information and communication technology: AMLA will build an effective, secure, interoperable and future-ready digital infrastructure, including the transfer of existing AML/CFT systems, designing and implementing new platforms and cooperation and exchange of experiences with other ESAs.

c. Budget and finance: AMLA will set up the accounting and budget management system (SUMMA), prepare and adopt financial rules, adopt financial circuits, implement the 2025 budget, adopt the 2026 budget, implement the procurement plan, appoint an accounting officer, manage treasury and analyse associations with interinstitutional Framework Contracts (FWC).

d. Building and logistics: AMLA will ensure the timely delivery of AMLA's permanent operational premises, supervise fit-out works, relocate staff to permanent premises, procure and install long-term furniture, develop facility management services and define and implement "Rules of Behaviour".

e. Communications: AMLA will further develop the Communications Strategy, build off the finalised logo and broader visual identity, engage in media and events, conduct Chair visits to all Member States, manage the website and social media and populate the intranet.

f. Governance: AMLA will adopt an ethical framework, implement further conflict of interest policies, update the rules of procedure of the General Board, finalise AMLA's organisation chart, prepare for hearings of the Chair, reply to questions from the European Parliament and prepare the first annual report.

g. Data protection: AMLA will appoint a Data Protection Officer (DPO), set up the role, prepare necessary rules and texts, release data protection templates and guidelines and conduct training on data protection fundamentals.

All of the above has a number of strategic and operational implications for OEs in the regulated (including beyond financial services) and non-regulated sectors.  

Strategic and operational implications for OEs

With the advent of AMLA’s operationalisation and the transition to a harmonised AML/CFT regulatory and supervisory regime under the EU’s AML Regulation (AMLR), certain OEs may need to carry out significant adjustments to their internal policies, procedures and controls to ensure compliance with new EU-wide standards. Some of these considerations include:

  • OEs in high-risk sectors (notably CASPs) should expect early engagement from AMLA, including participation in thematic reviews, peer assessments and potentially requests to inform multi-agency “joint analysis reports”.
  • AMLA will promote convergence in national approaches to supervision, addressing risks of jurisdiction shopping and inconsistent controls. OEs should prepare for more rigorous and harmonised AML/CFT requirements and enhanced supervisory engagement.
  • OEs operating in multiple Member States will benefit from greater regulatory clarity and predictability, but will also face less opportunity for regulatory arbitrage.
  • OEs with cross-border operations should prepare for more coordinated and intrusive supervisory reviews, with less tolerance for local deviations. OEs may face increased requests for information and more frequent engagement with FIUs, especially in cases involving cross-border transactions or typologies. Peer reviews and thematic assessments may result in public identification of best and poor practices, increasing reputational risks for non-compliance.
  • Non-financial sector OEs: given the current lack of harmonisation, AMLA’s work will have a significant impact on non-financial OEs, such as lawyers, accountants and real estate agents. These OEs should anticipate new, more prescriptive EU-level requirements and closer oversight.
  • All OEs must ensure their (business-wide) risk assessments, customer due diligence (CDD), beneficial ownership and ongoing monitoring and reporting processes are robust and adaptable to evolving EU standards including the Central AML/CFT Database as well as outsourcing and reliance arrangements. In regard to reporting, OEs will be required to provide data in specified formats and within defined timelines, increasing transparency and facilitating cross-border supervision. In more detail:
    a. Risk assessments: All OEs must conduct a documented, business-wide risk assessment, considering EU, national, and sectoral risk assessments, and update it regularly. Financial sector OEs are expected to have mature risk assessment frameworks; the Regulation codifies and standardises these expectations, with detailed requirements for group-wide assessments and information sharing. Non-financial sector OEs face a step-change: many will need to develop or significantly enhance their risk assessment processes, often for the first time, and align with new EU-level guidance and technical standards.
    b. Customer due diligence: Standard CDD applies for transactions ≥ EUR 10,000, with lower thresholds for higher-risk sectors or transactions (to be specified by AMLA). Financial sector OEs must apply CDD at onboarding, for occasional transactions, and on a risk-sensitive basis throughout the relationship. Enhanced due diligence (EDD) is required for high-risk customers, products, or geographies, with specific rules for politically exposed persons (PEPs), cross-border correspondent relationships, and high-value asset management. Non-financial sector OEs must apply CDD when participating in specified transactions (e.g., real estate, company formation, high-value goods). The Regulation clarifies when CDD is triggered, especially for intermediaries and professionals, and introduces new requirements for ongoing monitoring and beneficial ownership verification.
    c. Beneficial ownership: All OEs must identify and verify the beneficial owners of their customers, using harmonised EU definitions and methodologies. Legal entities must report and update beneficial ownership information to central registers within 28 days of creation or change. Financial sector OEs are already familiar with these requirements, but must now ensure stricter, harmonised compliance and reporting. Non-financial sector OEs (e.g., lawyers, accountants, real estate agents) must adapt to more rigorous and standardised beneficial ownership checks, with limited exemptions for legal privilege.
    d. Outsourcing and reliance: Financial sector OEs may outsource certain AML/CFT tasks but remain fully responsible for compliance. Critical functions (e.g., risk assessment, CDD decisions, suspicious activity reporting) cannot be outsourced except within the same group and under strict conditions. Non-financial sector OEs face similar restrictions, with AMLA to issue guidelines on permissible outsourcing and reliance, particularly relevant for smaller firms and professional partnerships.
    e. Reporting: All OEs must report suspicious activity and transactions to the FIU without delay, using harmonised templates and formats (to be developed by AMLA). Financial sector OEs are required to respond to FIU requests within 5 working days (or 24 hours in urgent cases). Non-financial sector OEs (notably lawyers and notaries) benefit from exemptions for information obtained in the course of legal advice or judicial proceedings, except where the professional is complicit in, or aware of, money laundering or terrorist financing.
  • The transfer of the EuReCA system and the development of new reporting templates will standardise and potentially increase the volume and granularity of data OEs (notably non-financial entities) must submit. Enhanced data sharing and analytics will likely lead to earlier detection of compliance deficiencies and more targeted supervisory interventions.
  • In light of greater data-driven supervision, OEs should assess and, where necessary, upgrade their data management, reporting and IT systems to ensure compliance with new technical standards and cybersecurity requirements.
  • Enhanced cooperation with law enforcement (Europol, Eurojust, EPPO, OLAF) may lead to faster escalation of SARs/STRs and greater exposure to criminal investigations.

The rapid establishment of AMLA and the ambitious implementation timeline create transitional risks. AMLA’s ability to deliver on its mandate depends on successful recruitment and retention of qualified staff. OEs should be aware that delays or capacity constraints may affect the pace of regulatory change and supervisory engagement. Moreover, all OEs are encouraged to maintain close engagement with their national supervisors and industry associations to stay abreast of developments and emerging expectations during the transition to the AMLR and the operationalisation of AMLA.

Outlook 

The establishment of AMLA in 2025 marks a transformative development in the EU’s regulatory landscape, with profound implications for OEs across both the financial and non-financial sectors as well as CASPs regardless of where they operate. For regulated firms, the most immediate and significant implication is the drive towards a Single Rulebook for AML/CFT. AMLA is tasked with completing this rulebook, which will ensure regulatory convergence and consistency across all Member States. This will have a direct impact on compliance frameworks, as OEs will need to adapt to a more uniform set of requirements, reducing the scope for national divergence but also eliminating the possibility of regulatory arbitrage. The harmonisation effort will extend to both financial and non-financial sectors, including CASPs, which have historically operated under divergent national regimes. OEs operating in multiple jurisdictions will benefit from greater clarity and predictability, but they will also face a period of adjustment as legacy national requirements are replaced or superseded by EU-level standards.

A key operational change for regulated firms will be the shift in supervisory dynamics. AMLA’s initial focus is on indirect supervision—overseeing the activities of NCAs and supporting the convergence of supervisory practices. This will involve the collection of risk information, participation in supervisory colleges and the development of best practices and recommendations. For firms, this means that supervisory expectations will become more consistent across the EU and there will be increased scrutiny of cross-border activities, particularly in high-risk sectors such as crypto-assets. The risk of jurisdiction shopping by high-risk actors will be mitigated, but firms will need to ensure that their internal controls and risk assessments are robust and aligned with the new EU-wide standards.

For OEs in the non-financial sector, the establishment of AMLA also brings significant changes, albeit with some distinct considerations. The harmonisation effort will extend to non-financial sectors, including real estate agents, legal professionals and other service providers, which have historically operated under less stringent and more varied national regimes. Non-financial entities will need to adapt to a more uniform set of requirements, reducing the scope for national divergence but also eliminating the possibility of regulatory arbitrage through much more centralised oversight of the NCAs and FIUs.

In summary, the establishment of AMLA represents a paradigm shift in the EU’s approach to AML/CFT regulation and supervision. Regulated firms will face a more harmonised, risk-based and data-driven regulatory environment, with heightened expectations around compliance, reporting and cross-border cooperation. The transition will require significant investment in compliance infrastructure, proactive engagement with regulatory developments and a commitment to embedding a culture of financial integrity and transparency across all levels of the organisation.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as in proactively engaging with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.  

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.   

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” as well as the “2025 Regulatory, Governance and Compliance Technology Award”. 

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.