FinCrime Central - Latest AML/CFT News & Vendor Directory

EBA’s 2025 AML Advice on Six Mandates Balances Confidence and Caution on AMLA’s Future


The European Banking Authority’s 2025 response to the European Commission’s Call for Advice on six key Anti-Money Laundering Authority (AMLA) mandates is both a roadmap and a reality check. Presented in October 2025, the report sets out the technical foundation for the European Union’s new AML framework while quietly acknowledging the challenge ahead: AMLA’s capacity to execute may not yet match its sweeping mandate.

Behind the formal language lies a pragmatic message. The EBA fully endorses AMLA’s mission to harmonize anti-money-laundering supervision across Member States, yet its tone reveals measured trust. The report offers a detailed rulebook designed to prevent early missteps and ensure operational continuity, effectively building the framework that AMLA will inherit rather than invent.

EBA AML Advice 2025: The Six Mandates That Will Shape AMLA

The report covers six interlocking mandates that together define AMLA’s technical and supervisory architecture.

  1. Assessment of inherent and residual risk under Article 40(2) of AMLD6, introducing a harmonized scoring methodology.
  2. Selection criteria for direct supervision under Article 12(7) of AMLAR, setting measurable thresholds for cross-border operations.
  3. Customer due diligence framework under Article 28(1) of AMLR, standardizing identification and verification requirements.
  4. Regulatory technical standards for sanctions and penalty payments under Article 53(10) of AMLD6, aligning enforcement principles.
  5. Technical advice on base amounts for fines under Article 53(11) of AMLD6, guiding future AMLA calculations.
  6. Group-wide policies and information-sharing guidance under Article 16(4) of AMLR, defining data-sharing safeguards and minimum standards.

Collectively, these mandates will form the operational DNA of AMLA’s supervisory regime. Yet the EBA’s language shows it views AMLA less as an independent successor and more as a cautious custodian of a pre-built system. The agency designed these standards to be self-executing and to limit discretionary interpretation, ensuring that even a newly formed authority can function without destabilizing the existing supervisory network.

A Unified Scoring System Built to Prevent Fragmentation

The EBA’s proposal for assessing inherent and residual risk marks a decisive step toward a data-driven European AML system. Each obliged entity will be classified using a three-step process: an inherent risk assessment, an evaluation of control quality, and the calculation of residual exposure.

The model yields a transparent four-level scale (low to high risk) combined with control ratings (A to D). This creates a matrix that reveals not only exposure but also the effectiveness of mitigation, for example distinguishing an entity with high exposure and excellent controls from one with moderate exposure and weak governance.

The scoring mechanism is explicitly automated. All supervisors will use a common dataset of quantitative indicators, from transaction volumes and customer risk distribution to geographic exposure and governance testing. Adjustments will be allowed only by one level and only with documented evidence, ensuring consistent interpretation across jurisdictions.

The EBA’s insistence on automation signals a dual intent: to eliminate subjectivity and to protect the system from operational inconsistency once AMLA assumes control. By designing the methodology this precisely, the EBA effectively constrains AMLA’s freedom to reinterpret risk, reinforcing its trust in structure more than in the new authority’s early judgment.

Risk reviews will occur annually for most institutions and every three years for low-risk or small entities. AMLA will recalibrate thresholds and weighting factors each cycle, providing technical maintenance rather than conceptual reinvention.

For non-financial sectors, the EBA recommends AMLA develop a tailored variant of the model with sector-specific data points. This ensures proportionality but keeps the fundamental methodology intact.

Supervision and Sanctions: A Framework of Controlled Trust

The EBA’s advice under Article 12(7) of AMLAR sets the rules for AMLA’s direct supervision, but the fine print reveals limited faith in the authority’s readiness. Only institutions operating in at least six Member States qualify for direct oversight, and even then, they must meet materiality thresholds: 20,000 resident customers or 50 million euros in annual transactions per Member State.

These thresholds serve not just as technical filters but as guardrails, ensuring AMLA’s early supervision targets are substantial, measurable, and politically defensible. By defining eligibility in numbers rather than narrative, the EBA protects AMLA from both overreach and ambiguity.

The selection methodology mirrors the risk-scoring system used at national level. This mirror structure minimizes room for discretionary adaptation. Adjustments based on national specificities, a long-standing source of fragmentation, are deliberately excluded to prevent supervisory arbitrage.

Perhaps the clearest evidence of conditional trust lies in the transition design. The EBA explicitly recommends reproducing its risk-assessment provisions across both Article 40(2) AMLD6 and Article 12(7) AMLAR so that AMLA’s selection process can begin even if its own RTS are delayed. The duplication ensures continuity in case AMLA is not yet ready, a phrase that speaks volumes about the EBA’s expectations.

The same tone carries through to the enforcement section. Under Article 53(10) AMLD6, the EBA outlines a harmonized sanctions framework, the first of its kind at EU level. Breaches will be classified by severity, with serious or repeated violations triggering automatic pecuniary sanctions. Supervisors will apply proportionality tests and contextual factors, but within strictly defined parameters.

Periodic penalty payments are presented as a corrective measure rather than a punitive sanction, again reflecting the EBA’s desire to systematize discipline rather than rely on subjective decision-making. Proceedings initiated before July 2027 remain under national rules; afterward, all enforcement transitions to the unified EU regime.

This structured, almost algorithmic design shows that the EBA trusts AMLA’s mission but not yet its instincts. By codifying every procedural step, the EBA minimizes the risk of divergent interpretations during AMLA’s early operational phase.

Due Diligence, Data, and the Human Factor

The third major pillar, customer due diligence under Article 28(1) of AMLR, is where the EBA balances flexibility and control most visibly. The CDD RTS establish uniform standards for customer identification, verification, and ongoing monitoring, replacing divergent national transpositions.

Rather than prescribing exact document types, the EBA opts for a principles-based standard anchored in reliability, independence, and proportionality. This allows for digital verification methods, biometric onboarding, and eIDAS-compliant trust services, aligning AML regulation with technological innovation.

Yet even here, the EBA builds in restraint. Existing clients must be re-verified using a risk-based sequence: high-risk customers first, others within five years. This staggered approach reduces compliance strain while preserving focus on major exposures.

The EBA’s section on group-wide information-sharing under Article 16(4) AMLR underscores how carefully it wants AMLA to tread. The guidance supports intra-group data exchange, including suspicious activity information, but only under clearly defined safeguards. Parent entities must control data flows and ensure that personal information transferred to third countries remains legally protected.

The message is clear: AMLA’s future guidance must reconcile transparency with restraint. The EBA supports information-sharing as a compliance necessity but warns that indiscriminate exchange could trigger privacy violations or fuel over-de-risking, a concern that reflects deep institutional memory of past missteps in EU data governance.

Sanctions Consistency and the Limits of Delegated Confidence

The EBA’s technical advice on base amounts for fines under Article 53(11) AMLD6 and group-wide policies under Article 16(4) AMLR completes the circle. Both sections translate legislative ambition into procedural mechanics designed to withstand inconsistent implementation.

Base amounts for fines will be tied to turnover, standardized by breach category and entity type. The EBA advises AMLA to define key terms precisely (base amount, type of breach, category of obliged entity, and turnover) to prevent interpretative drift. Application will begin in July 2027, synchronized with AMLD6 transposition.

The group-policy advice extends beyond compliance; it reflects the EBA’s expectation that AMLA may initially struggle to balance prudential logic with cross-border enforcement. By specifying how personal and transactional information should be shared within corporate groups, the EBA anchors AMLA’s discretion within measurable boundaries.

Its repeated insistence on data protection compliance and acceptable use shows lingering concern about AMLA’s ability to coordinate complex legal regimes. The EBA thus designs the RTS to be fail-safe, robust even under imperfect execution.

A Framework Built on Trust, Boundaries, and Backstops

Taken together, the EBA’s 2025 package reads less like a handover and more like a controlled delegation. The authority is giving AMLA the tools to act but surrounding them with procedural guardrails.

This balance of confidence and caution is not unfounded. The EBA knows AMLA will inherit immense political visibility but limited institutional memory. Its advice therefore builds redundancies into the system: annual reviews, fixed thresholds, shared data definitions, and transitional overlaps.

For compliance officers and financial institutions, the implication is clear. The future of EU AML supervision will be technocratic, data-driven, and centrally coordinated, but it will also be rigid during AMLA’s formative years. The room for interpretation, once wide under national regimes, will narrow sharply as quantitative models replace narrative justifications.

Over time, as AMLA matures and builds its own supervisory intelligence, the framework may loosen. But for now, the EBA’s cautious trust ensures that Europe’s AML transformation proceeds methodically, not experimentally.

By 2027, AMLA will stand at the center of a harmonized AML ecosystem, but the architecture will remain unmistakably EBA-engineered: precise, procedural, and designed to protect the Union from both financial crime and institutional overreach.


Source: EBA
