EBA ¦ EBA Response to the European Commission's Call for Advice on six AMLA Mandates

EBA’s advice lays groundwork for a harmonised, risk-based EU AML/CFT regime and a smooth launch of AMLA

The European Banking Authority’s October 2025 response to the European Commission’s Call for Advice provides a compact, operational blueprint for multiple technical mandates that will underpin the European Anti‑Money Laundering Authority’s early work. The EBA advances a risk‑based and proportionate approach across four draft regulatory technical standards and offers technical advice on two additional mandates: base amounts for pecuniary fines and minimum standards for group information‑sharing. The package is designed to deliver comparable outputs for supervisors while allowing AMLA time to phase in requirements and for obliged entities to adjust.

A consistent, three‑step scoring model to assess ML/TF risk

At the core of the proposals is a uniform methodology to classify inherent risk, evaluate the quality of AML/CFT controls, and produce a residual risk score that reflects the level of risk remaining after mitigation. The EBA proposes four inherent risk categories (low to high), four control quality categories (very good to poor), and four residual risk levels (low to high). The residual score is capped by the inherent score but should be presented together with the controls classification (for example, “3A” or “2D”) so supervisors can distinguish similar residual ratings driven by different control environments. This structured output supports prioritisation of supervisory activity and cross‑jurisdictional comparability.

Standardised data points, automated scoring and limits on manual adjustments

To achieve comparable outcomes across Member States, the EBA proposes a single set of data points that all supervisors must use to populate the scoring model and an automated scoring system. The draft RTS will be accompanied by interpretative notes clarifying the meaning of each data point. Where national specificities or supervisory findings require adjustments, those changes would be limited, evidenced and subject to defined rules. The EBA recommends quantitative and objective inputs where possible and rejects reliance on obliged entities’ self‑assessments for core ML/TF risk classification.

Proportionate review frequency and transition protections

The RTS adjust the cadence of entity‑level risk reviews to reflect the nature and size of institutions: generally annual reviews for larger entities, and longer intervals (for example, up to three years) for smaller entities or those carrying limited activity. Supervisors retain the ability to update assessments more frequently if risks crystallise. Importantly, the EBA leaves scoring thresholds and weights to AMLA to determine for each review cycle, so the system can be calibrated centrally and updated as experience grows.

Selection methodology for AMLA’s direct supervision

For selecting credit institutions, financial institutions and groups eligible for AMLA direct supervision, the EBA aligns the selection risk assessment with the entity‑level methodology. Eligibility hinges on operating in at least six Member States, but the draft RTS provide practical thresholds to determine when operations under the freedom to provide services are “material”: either at least 20,000 resident customers in the given Member State or EUR 50 million in incoming and outgoing transactions originating from resident customers. These alternative thresholds aim to capture both customer footprint and transaction volume without imposing disproportionate data burdens.

To preserve a level playing field, the EBA excludes the broader national adjustment mechanisms that are available for entity‑level risk scoring when constructing the AMLA selection methodology. The group‑level risk score is an aggregation of entity residual scores with weights reflecting each entity’s importance, ensuring that high‑risk subsidiaries are appropriately influential in group selection.

Bastian Schwind-Wagner_Follow "The EBA’s advice delivers a pragmatic, risk‑based blueprint to harmonise AML/CFT supervision across the EU and support a smooth start for AMLA’s direct supervision. Its common scoring framework, standardised data points and transition safeguards aim to improve comparability, reduce fragmentation and focus supervisory resources on the highest ML/TF risks."

Customer due diligence: principles, outcomes and phased implementation

On CDD, the EBA favours a principles‑based, risk‑sensitive approach that focuses on outcomes rather than overly prescriptive lists of documents. The draft RTS set out what must be collected for standard, simplified and enhanced due diligence, and which reliable, independent sources may be used for verification. The proposals build on existing EBA guidance (for example, remote onboarding guidelines) and include sensible transition provisions: obliged entities should prioritise higher ML/TF risk relationships when bringing existing clients into line with new CDD standards, with a staged completion (a five‑year window for lower‑risk customers unless triggers require earlier action). The RTS will not be enforceable earlier than the AMLR’s application date, preventing premature obligations.

Enforcement: harmonised indicators, severity classes and PePP procedures

The draft RTS on pecuniary sanctions, administrative measures and periodic penalty payments set out common indicators for assessing breach gravity, a four‑tier severity classification, and the criteria supervisors must consider when imposing sanctions or measures. Category three and four breaches are deemed serious and can trigger pecuniary sanctions. The EBA emphasises that judgement remains essential: the indicator lists are non‑exhaustive and must be applied contextually. The RTS also include tailored provisions for natural persons, including senior managers, and align periodic penalty payment (PePP) procedural elements with existing delegated acts and common practices. A transition rule protects ongoing proceedings initiated before 10 July 2027 from immediate RTS‑driven change.

Guidance options for base amounts and group information‑sharing

On base amounts for pecuniary fines, the EBA provides options AMLA can consider when developing guidelines required by Article 53(11) AMLD6. The EBA recommends that any guideline cover both AMLA and national competent authorities, address breaches by legal and natural persons, and be consistent with the RTS on sanctions. The advice recognises the need to define key terms — base amounts, breach types, categories of obliged entities and turnover — to ensure comparability and proportionality across sectors, including non‑financial obliged entities.

For group information‑sharing, the EBA advises setting minimum standards on what information should be shared within groups, acceptable uses of that information, and mechanisms for sharing. The recommended scope is broad: group entities should, where appropriate and lawful, have access to all information held on shared customers, including suspicious activity indicators, aggregated typologies and trends, subject to strict data protection safeguards and limits to prevent unwarranted de‑risking. The EBA flags the importance of consistent interaction with prudential rules and special care where data are shared with third‑country affiliates.

Application to the non‑financial sector and the need for tailored RTS

Throughout the report, the EBA stresses that some elements are primarily designed for financial supervisors but that Article 40(2) AMLD6 and other mandates extend to non‑financial obliged entities. The EBA recommends AMLA consider separate or adapted RTS for non‑financial sectors where data points, review frequencies or enforcement indicators would be disproportionate or operationally inappropriate. Tailored approaches can help ensure effectiveness without imposing unreasonable compliance costs on newly designated or smaller obliged entities.

Practical implications and the path ahead

The EBA’s advice balances harmonisation with operational pragmatism. Using a common dataset and an automated scoring engine will create comparable risk metrics across Member States, reduce duplication for cross‑border firms, and help AMLA and national supervisors prioritise oversight. Transition provisions, phased reporting expectations and limits on manual adjustment for the initial selection round help mitigate disruption during the early years of AMLA’s operation.

AMLA will inherit this work and is responsible for calibrating thresholds and weights, finalising detailed scoring parameters, and developing sector‑specific adaptations — especially for the non‑financial sector. Timelines in the legal framework mean AMLA must act quickly: some instruments need adoption by dates in 2026–2027 to allow the first selection cycle and the operational start of the new supervisory architecture.

Conclusion

The EBA’s advice sets clear, practical building blocks for a unified EU approach to identifying and supervising ML/TF risk across a diverse set of obliged entities. By combining a standardised scoring model, defined datasets, principles‑based CDD rules and harmonised enforcement indicators with proportionate transition measures, the package is designed to make AMLA’s first selection and supervision cycles effective, predictable and data‑driven. Implementation detail and calibration will be critical: AMLA’s next steps should focus on operationalising thresholds, finalising reporting routes, and engaging both financial and non‑financial obliged entities to ensure the new framework is workable from day one.

Dive deeper

• EBA ¦ The EBA advises the European Commission on the foundations of the new anti-money laundering/countering the financing of terrorism regime ¦ Link