AMLA ¦ AMLA Sets Strategic Priorities with 2026-28 Single Programming Document

AMLA’s SPD 2026–2028: building a unified, data‑driven EU response to financial crime

AMLA sets out how it will move from start‑up to full operational capacity over 2026–2028. The Authority’s first Single Programming Document (SPD) makes clear that the next three years will be focused on completing essential regulatory work, standing up both supervisory and FIU functions, and creating the data and IT backbone to make an EU‑level AML/CFT system operational and evidence‑driven.

Jump to: Luxembourg-specific considerations

A focused multi‑year plan to deliver the Single Rulebook and core mandates

The SPD frames AMLA’s work as the delivery arm of the new EU AML/CFT architecture. At the regulatory level AMLA’s priority is to complete and implement the EU AML/CFT Single Rulebook through regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines. In 2026 AMLA intends to deliver a concentrated set of high‑impact instruments for the private sector – including RTS on customer due diligence (CDD), RTS on lower thresholds for CDD, RTS on group‑wide policies and controls, and guidance on business‑wide risk assessments, risk variables on onboarding, and ongoing monitoring. Those deliverables aim to reduce fragmentation of interpretation and practice across Member States, while building proportionality into the rules so lower‑risk relationships face simpler procedures.

The SPD makes explicit that AMLA will design many instruments in close cooperation with national supervisors and the private sector, and will prioritise tools that both ease cross‑border compliance and enable AMLA’s future supervisory and FIU responsibilities. For regulated entities and their advisors, the SPD signals a tightening and harmonisation of expectations: common templates, common risk categorisations and clearer obligations will be the baseline – but the documents also commit to guidance on simplifying requirements where risks are low.

Bastian Schwind-Wagner _Follow

"AMLA’s 2026–2028 Single Programming Document sets a clear, realistic path from start‑up to a fully operational European AML/CFT authority by combining regulatory delivery, supervisory build‑out, and FIU operationalisation. Its success will depend on timely data integration, robust IT and AI governance, and close cooperation with national supervisors and FIUs.

If implemented as planned, the SPD should reduce fragmentation across Member States, improve cross‑border intelligence sharing, and raise the overall effectiveness of the EU’s response to money laundering and terrorist financing. Continued transparency on milestones and active stakeholder engagement will be essential to maintain trust and deliver measurable results."

Standing up direct supervision: methodology, selection and handovers

AMLA’s roadmap to begin direct supervision in 2028 is one of the SPD’s central threads. The Authority plans to directly supervise 40 of the EU’s most impactful financial institutions; the first selection round will be prepared in 2026–2027 with the selection process taking place in 2027 and the supervisory cycle starting in 2028. Key 2026 deliverables are finalising the risk analysis and selection methodology (based on EBA work), initiating a data collection exercise to test and calibrate the model from March 2026, and defining the procedures for receiving supervisory information from national competent authorities.

Operational readiness for direct supervision covers more than an algorithm. AMLA will develop the supervisory strategy, joint supervisory team (JST) arrangements, off‑site monitoring tools and governance arrangements for enforcement and sanctions. The SPD also sets out a separate plan to be able to accept exceptional transfers of supervision from national authorities under Article 14 AMLAR: AMLA will build trigger criteria, legal safeguards and operational processes so transfers can be executed in a timely and legally robust way.

Indirect supervision and supervisory convergence across sectors

AMLA’s remit extends beyond the handful of directly supervised entities. The SPD describes a planned indirect supervision and oversight framework covering the rest of the financial sector and selected non‑financial sectors. AMLA will map national supervisory capacity, develop common supervisory models and manuals, initiate thematic reviews and a seven‑year cycle of supervisory convergence reviews, and provide training and mutual assistance to national authorities. For non‑financial sectors, AMLA will undertake a comprehensive mapping, integrate FIU and supervisory findings into sectoral risk pictures, and begin peer reviews and college participation to raise supervisory quality and consistency.

Operationalising the FIU pillar: joint analysis, standards and FIU.net

A strengthened, practical FIU cooperation pillar is at the heart of AMLA’s intent to make financial intelligence usable at EU level. The SPD sets out actions to operationalise joint analyses, standardise reporting formats, embed mediation procedures and start regular peer reviews. AMLA expects its FIU team of delegates to be fully staffed in 2026; these delegates will help run joint analyses and provide the operational link with national FIUs.

Key technical objectives are detailed. AMLA will take ownership of FIU.net by July 2027 (per the legislative timetable), complete the transfer and optimisation, and ensure interoperability with national systems. The Authority will draft ITS on FIU‑to‑FIU exchange formats and on STR/transaction reporting formats, and issue guidelines on indicators of suspicious activity. The expected result is more consistent, timely and actionable cross‑border intelligence and a stronger, trust‑based FIU network.

Building a central AML/CFT data ecosystem and analytics capability

Across supervision and FIU activities the SPD is explicit: data and analytics are AMLA’s analytic backbone. For supervision AMLA will create a Central AML/CFT Database (Article 11 AMLAR) to collect structured supervisory information – obliged entities’ profiles, supervisory measures, risk assessments, sanctions – with access on a need‑to‑know basis. Work in 2026 will focus on the RTS to define scope, formats and procedures for data transmission; the database should be fully operational in 2027.

Alongside the database AMLA will develop a data analysis platform and automated data pipelines, integrate EuReCA (the EBA database) and design risk scoring engines to support entity selection for direct supervision and ongoing monitoring. The SPD places heavy emphasis on secure, resilient IT, on AI/ML capabilities for anomaly detection and predictive analytics, and on governance to control model drift and bias. AMLA’s digital roadmap also foresees the transfer and modernisation of mission‑critical systems and the adoption of safe AI governance.

Organisational build‑out: people, premises and finances

The SPD is explicit on the size and timing of the institutional build‑out. Staffing will rise from roughly 120 at the end of 2025 to 432 by end‑2027. AMLA will recruit a diverse, skilled workforce and onboard FIU delegates to operationalise the FIU pillar. The Authority will take occupation of phased long‑term office floors in Frankfurt’s MesseTurm and will share conference facilities with EIOPA to avoid duplication. IT infrastructure, secure systems and internal governance will be scaled in parallel.

Financially, AMLA has reached financial autonomy on 1 January 2026. The SPD sets out budgets and forecasts through 2028: EU contributions for 2026–2027, the host state (Germany) contribution across 2024–2028, and from 2028 the expectation that fees for supervised entities will finance a substantial share of the Authority (projected ~70% of revenue). AMLA will therefore set up activity‑based costing and budgeting systems to operationalise fee calculations and collections.

Risk and compliance: building a risk analysis unit and controls

Risk analysis is presented as transversal. AMLA will create a risk analysis framework that integrates FIU intelligence, supervisory information and other EU agency outputs (Europol, Eurojust, EPPO) to inform both micro‑ and macro‑risk perspectives. The SPD also emphasises internal controls: data protection, conflict of interest frameworks, anti‑fraud strategy, and a Fundamental Rights Officer appointed in 2026 to safeguard respect for the Charter of Fundamental Rights in supervisory methodologies and data processing.

Practical implications for the industry, supervisors and FIUs

For private sector gatekeepers, the SPD signals a transition to more harmonised and evidence‑based expectations: common CDD rules, harmonised transaction reporting formats, clearer guidance on risk assessments and monitoring, and the emergence of EU‑level partnerships for information sharing (PfIS). Entities operating across borders should expect stronger convergence in supervisory expectations and reporting formats over 2026–2028.

For national supervisors, the message is twofold: cooperate, because AMLA will progressively build indirect and direct supervisory instruments that will require shared data and joint processes; and prepare, because peer reviews, thematic assessments and a new supervisory methodology will raise the bar for convergence and demonstrable supervisory capacity.

For FIUs the SPD promises improved tools and processes to make cross‑border analysis actionable: standardised reporting formats, FIU.net modernisation, a cycle of joint analyses and peer reviews, and a mediation mechanism to settle disagreements between FIUs.

What to watch next

Near‑term milestones to monitor include the RTS/ITS and guidelines that AMLA wants to deliver in 2026 (notably for CDD, group policies, the central AML/CFT database, and formats for FIU exchanges), the March 2026 data collection campaign to calibrate the selection model for direct supervision, the development of the supervisory and indirect supervision strategies, and the FIU.net transfer schedule leading to July 2027. How AMLA implements AI governance, secures data sharing, and operationalises the Central AML/CFT Database will be decisive for the Authority’s credibility and operational success.

Luxembourg-specific considerations

In Luxembourg, AMLA’s SPD will operate alongside a mature national framework administered by the Commission de Surveillance du Secteur Financier (CSSF). Given Luxembourg’s concentration of banks, investment funds, payment service providers (PSFs) and an active FinTech ecosystem, EU‑level convergence and the central AML/CFT database will interact directly with domestic supervisory practice and cross‑border group oversight. Firms should view AMLA’s work as a complementary layer that reinforces EU consistency while co‑existing with CSSF rules and national reporting channels.

Typical CSSF focus areas or supervisory expectations

The CSSF typically emphasizes robust governance, demonstrable senior management oversight, and granular documentation of risk assessments and CDD measures. Supervisory attention frequently covers the adequacy of transaction monitoring, quality and timeliness of suspicious activity reporting, outsourcing governance (including cloud and analytics providers), and the effectiveness of internal audit and compliance testing. For cross‑border groups based in Luxembourg, the CSSF also expects clear allocation of responsibilities and evidence of group‑level control effectiveness.

Practical implications for in‑scope institutions

Luxembourg institutions should prepare for tighter data interoperability and standardised templates that facilitate both national and AMLA requests. Expect the CSSF to scrutinize documentation that evidences alignment with any new RTS/ITS adopted by AMLA, including updated CDD records, business‑wide risk assessments and evidence of periodic model validation for monitoring tools. PSFs and FinTechs must ensure governance records capture technology‑driven controls, model governance and vendor due diligence. Investment fund managers should review subscription and transaction controls to ensure timely escalation pathways to both the CSSF and FIUs where applicable.

Conclusion

AMLA’s SPD 2026–2028 is an ambitious, practical plan to translate the new EU AML/CFT legal framework into operational capacity. The document balances regulatory delivery with institution‑building: harmonised rules, supervisory selection methodologies, FIU operationalisation, and a strong data and digital backbone. The institutional shift from fragmented national systems towards a coordinated EU approach will not be seamless; success will depend on sustained cooperation with national supervisors, FIUs and the private sector, robust IT and data governance, and careful calibration of resources and fees. If AMLA implements the SPD as planned, the European AML/CFT architecture will have the regulatory tools, supervisory structures and intelligence processes needed to improve detection, disruption and deterrence of money laundering and terrorist financing across the Union.

Dive deeper

• AMLA ¦ AMLA sets strategic priorities with 2026-28 Single Programming Document ¦ Link