EU AMLA 2027 — CASP Preparation Guide for the New AML Supervisor

What AMLA actually is

AMLA — the Authority for Anti-Money Laundering and Countering the Financing of Terrorism — is the new EU centralised AML supervisor established by Regulation (EU) 2024/1620 alongside the AMLR (2024/1624) and AMLD6 (2024/1640). The package is the most ambitious overhaul of EU AML supervision since the original 1991 Money Laundering Directive.

The headline change: AML supervision moves from member-state-by-member-state fragmentation toward EU-level centralisation, with AMLA directly supervising the largest cross-border obliged entities and coordinating national supervisors for everyone else. The parallel with the SSM (Single Supervisory Mechanism) for banking is intentional — banking-grade EU supervision applied to the AML perimeter.

For CASPs, AMLA matters in three ways:

Direct supervision risk. Up to 40 obliged entities will face direct AMLA supervision in the first selection cycle. The selection criteria favour the largest by cross-border activity and risk profile. Approximately 10-15 CASPs likely make the cohort — the major exchanges and largest cross-border-active operators.

Indirect supervision via national NCAs. All other CASPs continue under national supervisor regime but with substantially heightened EU coordination. National supervisors apply AMLA methodology, share information across borders, and face AMLA quality review of their supervisory work.

Standards harmonisation. Member-state variation in AML supervisory expectations gets compressed. CASPs that have built programmes calibrated to specific national practice (lenient or strict) face a single EU-level benchmark from 2027.

The timeline

The 2024 regulatory package set firm milestones:

• June 2024: AMLR, AMLD6, and AMLA Regulation enter into force
• 2024-2026: Setup phase — AMLA established in Frankfurt, staff recruited, methodologies developed
• 1 July 2027: AMLA becomes operational
• 2027-2028: First selection cycle of directly-supervised obliged entities; supervision starts 2028
• Ongoing: Three-year selection cycles thereafter; substantive supervisory engagement runs continuously

The 2027 operational date is firm in the regulation. Even if implementation slips by 6 months, the substantive direction is locked. CASPs that bet on indefinite delay face material readiness gaps when the supervisor arrives.

Who gets directly supervised

The selection methodology being developed in 2026 will determine which CASPs face direct AMLA supervision. The criteria draw from AMLR Article 13 and EBA Guidelines:

Cross-border activity. Operators serving customers across multiple member states under MiCA passport face higher selection probability. Single-member-state operators are typically supervised by the relevant NCA without AMLA involvement.

Size. Customer count, transaction volume, asset under management. Large operators face higher selection probability.

Risk profile. Operators in higher-risk product categories (privacy coins, DeFi integrations, substantial offshore customer base) face higher selection probability than equivalent-size operators in lower-risk categories.

Designation under Article 85. CASPs designated significant under MiCA Article 85 likely overlap heavily with AMLA selection cohort.

Prior supervisory record. History of AML deficiencies, enforcement actions, or supervisory escalation increases selection probability.

For the first cohort, expect a roster heavily weighted toward the largest cross-border crypto exchanges, custody operators with substantial institutional asset base, and major stablecoin issuers with cross-border activity. CASPs that fit this profile should expect selection.

What direct supervision looks like

For selected CASPs, AMLA direct supervision substantially changes operational reality:

Single supervisor for AML matters. Home-state NCA AML supervision transfers to AMLA. The operator deals with AMLA on AML; the home-state NCA continues on prudential and conduct matters under MiCA.

On-site inspections. AMLA conducts on-site inspections at operator premises. Inspections cover AML programme operation, transaction monitoring, sanctions screening, customer due diligence, MLRO substance, governance.

Information requests. AMLA issues direct information requests to supervised entities. Response timelines are tight; refusal carries Article 109-equivalent sanctions exposure.

Supervisory measures. AMLA can impose supervisory measures — programme upgrades, customer-base restrictions, transaction-volume caps, individual fit-and-proper findings against named staff.

Joint actions with national supervisors. Where multi-jurisdictional issues arise, AMLA coordinates joint actions with relevant NCAs. The operator faces coordinated supervisory engagement rather than parallel uncoordinated streams.

Sanctions. AMLA can impose sanctions up to 10% of annual turnover for material AML breaches. Cumulative with MiCA Article 109 sanctions where the breach engages both frameworks.

What indirect supervision changes for everyone else

CASPs not selected for direct AMLA supervision continue under national AML supervisor regime — but the substantive operational reality changes:

Harmonised methodology. National supervisors apply AMLA-developed methodology rather than purely national approaches. The substantive standard converges across member states.

Cross-border information sharing. AML information flows between national supervisors via AMLA-coordinated channels. CASPs operating in multiple member states face joined-up supervisory view rather than fragmented per-state assessments.

AMLA quality review of national supervisors. AMLA reviews the supervisory work of national supervisors and can require corrections. National supervisors that have been lenient face AMLA pressure to tighten; supervisors that have been arbitrary face AMLA pressure to standardise.

Escalation pathway to direct supervision. Serious AML deficiencies identified by national supervisors can escalate to AMLA direct supervision even outside the regular three-year selection cycle.

The net effect: even CASPs not directly supervised face substantially heightened EU-level coordination and standardised supervisory expectations.

What to do in 2026

Concrete preparation steps for CASPs in 2026:

Map your selection risk. Honestly assess whether your CASP fits the cohort-1 selection profile. Large by EU customer count? Substantial cross-border passport activity? Significant CASP designation candidate? If yes to two or more, plan for selection.

Audit AML programme against AMLA-grade standards. Engage AML counsel to benchmark your programme against the harmonised EU-level standard. Identify gaps where your programme reflects member-state-specific practice that may not survive AMLA review.

Harmonise across passport markets. Where you operate in multiple member states with locally-calibrated practices, identify inconsistencies and resolve toward the higher standard. AMLA will evaluate holistically; inconsistencies face challenge.

Strengthen MLRO substance. AMLA expects MLRO substance equivalent to senior banking-AML compliance officer standards. EEA residency, fit-and-proper review, direct board access, demonstrable operational engagement, evidenced authority over AML decisions. Marginal MLRO arrangements face AMLA pressure.

Upgrade transaction-monitoring infrastructure. AMLA expectations on transaction-monitoring depth substantially exceed historical national-supervisor practice in many member states. Substantive analytics, on-chain monitoring for crypto-specific patterns, integrated sanctions screening, structured suspicious-activity reporting.

Build documentation discipline. AMLA inspections will test documented evidence of programme operation. Strong documentation of AML decisions, training, internal audit, board oversight, supervisory engagement matters more than substantive programme content where documentation is weak.

Engage with AMLA before operational start. AMLA is consulting industry through 2026 on methodology and supervisory approach. Active engagement (industry-association participation, consultation responses, supervisor briefings) provides early visibility into expectations and signals operator seriousness.

Sanctions cumulation modelling

The sanctions exposure under combined AMLR + MiCA frameworks needs honest modelling. For an EUR 200 million annual revenue CASP:

• AMLR sanctions: up to 10% × 200M = EUR 20M
• MiCA Article 109 sanctions: up to 3% × 200M = EUR 6M
• Cumulative exposure for breach engaging both: up to EUR 26M (13% of turnover)
• Individual sanctions on senior management: up to EUR 5M per individual under AMLR + EUR 700k under Article 109

The cumulative figure is real for breaches that engage both AML and MiCA frameworks — AML failures that also breach MiCA conduct rules, customer-protection breaches with AML dimension, suspicious-transaction reporting failures with conduct-rule overlap.

Risk-modelling for cumulative exposure is reasonable for any substantial CASP. The compliance-investment economics work in favour of robust AML investment — EUR 1-3M of compliance build is small against EUR 20M+ sanctions exposure.

The strategic implication

AMLA represents the EU’s commitment to compress member-state variation in AML supervision toward a single EU standard. For CASPs that have built programmes around the most lenient available member-state interpretation, the framework forces upgrade. For CASPs that have built programmes around banking-grade standards from the start, the framework simply formalises what they were already doing.

The strategic choice in 2026 is whether to upgrade proactively or face supervisor pressure later. Operators that view AMLA as opportunity to standardise group-wide AML investment land ahead of the curve. Operators that wait for AMLA to arrive face reactive build under supervisor pressure with worse economics.

For the largest CASPs likely facing direct supervision, the choice is starker. Cohort-1 selection in 2027-2028 means AMLA on-site inspections from 2028 onward. The preparation window closes in 2026. The CASPs that are ready operate without enforcement risk on this dimension; the ones that aren’t face supervisory engagement and the costs that follow.