The European Banking Authority’s (EBA) recent response to the European Commission’s Call for Advice marks a significant step toward operationalising the new EU Anti-Money Laundering Authority (AMLA). While this may sound like another layer of bureaucracy, for compliance professionals across banks, investment firms, and payment institutions, the implications are real and immediate. The document provides technical insights into how AMLA and national supervisors will likely apply the new AML/CFT rulebook in practice, covering important topics from customer due diligence to risk scoring and enforcement.
Building a common AML language
In my view, one of the most important takeaways is EBA’s push for consistency. The advice sets out a unified, risk-based methodology for supervisors to assess the inherent and residual money laundering and terrorist financing risks of obliged entities. In practical terms, this means that a bank’s risk profile should be calculated using the same indicators, weights, and scoring system whether it’s supervised in France, Germany, or Lithuania.
Most AML and Compliance professionals will agree that this harmonisation is long overdue. Under the current framework, cross-border groups face wildly different expectations from national supervisors, leading to duplicated reporting and inconsistent outcomes. AMLA’s centralised methodology (once adopted) should reduce that friction and give firms a clearer sense of what “good” looks like across the EU.
Entities under direct AMLA supervision
The EBA also proposed how AMLA will select which financial institutions fall under its direct supervision. The focus will be on large, cross-border entities operating in at least six Member States, especially those with higher residual risk profiles.
The EBA suggests using materiality thresholds, e.g. 20,000 customers or €50 million in transaction value per Member State, to determine whether a firm’s activity in another country is significant enough to count as “operating there”. This approach aims to balance practicality with AMLA’s goal of focusing its resources where risks are highest.
For compliance teams in multinational groups, this means preparing for a dual “oversight relationship”: one with national supervisors and another (potentially more demanding!) with AMLA itself.
Harmonization in Customer Due Diligence (CDD)
Another key element is the standardization of customer due diligence. The EBA’s proposals align with the new AML Regulation (AMLR), which replaces the patchwork of national rules with a single EU-level regime. The draft Regulatory Technical Standards (RTS) would clarify which data firms must collect and how they can verify identity, including the use of trusted digital IDs and qualified trust services.
The EBA perhaps deliberately avoided an overly prescriptive, document-by-document approach. Instead, it encourages a principles-based framework that focuses on effective outcomes, letting firms adapt to their specific risk environments. Importantly, the advice includes transition provisions: firms won’t need to update every existing customer record by July 2027, but should prioritise high-risk relationships first and complete updates within five years.
Proportionate enforcement and sanctions
Enforcement consistency is another long-standing pain point. The EBA proposes detailed criteria for classifying the severity of breaches, setting penalties, and applying periodic penalty payments. The aim is to ensure that the same type of breach (e.g., a serious CDD failure) leads to comparable sanctions across Member States.
This is particularly relevant for compliance officers and senior managers, as the new framework reinforces individual accountability. National authorities will have clearer guidance for imposing sanctions not only on institutions but also on responsible persons within management or control functions.
Strengthening group-wide AML governance
Lastly, EBA’s advice covers group-wide information sharing, a recurring challenge for cross-border institutions. The EBA recommends that AMLA’s future standards define what data can and should be shared across a group, including personal data and suspicious activity information, with proper data protection safeguards. This would enable truly consolidated AML oversight and a more accurate picture of group-level risk exposure.
What this means for obliged entities
For financial institutions and other obliged entities, the “compliance path” is becoming clear:
- Greater standardization means less regulatory fragmentation but also less room for local discretion.
- Risk scoring will be data-driven, so firms should ensure that their systems can produce clean, structured AML data.
- CDD processes must evolve, not only to meet harmonised requirements but to leverage digital identity and automation effectively.
- Accountability is tightening, and firms should expect supervisors to apply the “effective, proportionate, and dissuasive” standard uniformly.
As AMLA moves toward full operation, EBA’s advice gives the industry an early preview of the compliance expectations ahead. The message is now getting clear: prepare for a more harmonised, data-led, and supervisory-intense AML environment, which very likely will reward preparedness and transparency.