AMLA’s Data Test Offers a Preview of the EU’s Next Era of Risk-Driven AML Supervision

February 6, 2026
The new Anti-Money Laundering Authority’s (AMLA) data collection exercise is more than a dry run: it is a critical step in calibrating a harmonised, analytical methodology that will shape the regulatory environment for all EU financial institutions.

The exercise will inform AMLA’s selection of up to 40 high-risk, cross-border entities for “direct supervision” – a key part of the new regulator’s mandate.

It also aims to ensure that money laundering and terrorist financing (ML/TF) risks are assessed consistently by national supervisors across the EU.

The exercise will begin in March 2026 and will be conducted in close cooperation with both national supervisors and the private sector.

The two types of firms that will take part are financial institutions that may be eligible for direct supervision, and a “representative sample” of entities that are likely to remain under national supervision.

Entities that operate in at least six member states are eligible for direct supervision, while the representative sample will include about 5% of entities that are likely to remain under national supervision.

National supervisors have already provided AMLA with lists of both groups, and the selected firms have been notified.

In a statement, AMLA said that obtaining high-quality data from the private sector will be “essential” to building a reliable selection model and developing a common EU-wide risk assessment methodology.

“By testing and validating our models, we are taking the next steps towards effective and harmonised risk assessments across the EU,” said Bruna Szego, chair of AMLA.

“We count on the participation of the private sector in order to ensure that the final models are robust and reliable.”

AMLA intends the exercise to serve a dual purpose: to allow participating financial institutions to stress-test their systems for future data collections, and to optimise the authority’s own methodology ahead of direct supervision.

After its models have been tested and calibrated, AMLA will establish a final list of entities that are eligible for direct supervision.

In Q1 2027, national supervisors will collect data points from the identified eligible entities, and from July 2027, AMLA will select up to 40 entities for direct supervision.

The final selection will be communicated by the end of 2027, and the selection process will be repeated every three years.

Inherent risk and residual risk

At the core of AMLA’s approach is a two-stage risk assessment based on firms’ inherent risk and residual risk of exposure to ML/TF.

This distinction is central to AMLA’s draft Regulatory Technical Standards (RTS) on risk assessment, which is expected to be adopted by the European Commission in Q1 2026.

First, inherent risk is calculated based on factors such as business model, customer base, product and service types and geographic exposure.

Inherent risk scores are computed automatically, but the automated stage is followed by a further assessment of firms’ ML/TF controls by national supervisors.

Residual risk is calculated based on the level of ML/TF risk that remains once a firm’s controls and mitigating measures are taken into account.

Rather than focusing solely on the nature of a firm’s activities, AMLA’s methodology is designed to assess the effectiveness of ML/TF controls and how likely they are to reduce risk in practice.

For firms with higher inherent risk profiles, including many payments and cross-border businesses, this is an important signal.

For example, firms with high transaction volumes and significant cross-border activity would score highly on inherent risk, simply due to the scale and complexity of their operations.

However, whether these same firms also score highly on residual risk would depend on how well their controls mitigate these risks.

Firms should consider whether their internal risk data, metrics and documentation would stand up to this type of structured assessment.

AMLA’s approach to residual risk also places a premium on evidence such as monitoring outcomes, testing results and the ability to demonstrate how controls reduce risk in practice.

Although the draft RTS outlines specific areas that supervisors must consider for specific types of firms, calculating residual risk is nonetheless a more subjective process than calculating inherent risk.

However, the draft RTS emphasises that national supervisors should come to an “evidence-based professional judgement”.

Impact for participating firms

For firms selected to participate in the data collection exercise, it should be treated as a supervisory dry run rather than a routine data request.

Although AMLA has made clear that the exercise is not an enforcement action, firms should ensure that submissions are complete, internally consistent and clearly aligned with their existing risk assessments and control frameworks.

In practice, this means involving both compliance and risk functions, validating assumptions embedded in risk models and being prepared to explain how key controls operate in practice.

As noted, the quality, coherence and comparability of the data provided will shape how AMLA calibrates its models, and may influence future supervisory engagement.

Impact beyond participating firms

Although the data collection exercise will involve only a limited number of firms, the announcement is nonetheless significant for the wider market.

It offers one of the clearest practical demonstrations to date of how AMLA intends to assess ML/TF risk, how it will decide which firms to supervise directly, and what it will expect from regulated businesses across the EU.

Following the official launch of the agency on July 1, 2025, AMLA is executing an ambitious mandate to create a “harmonised” and “integrated” AML supervisory system across the EU.

In addition to its authority to place firms under direct supervision, it is also mandated to enhance cooperation between national supervisors and financial intelligence units (FIUs).

To achieve these aims, AMLA needs a common, defensible way of assessing risk across different institutions, sectors and member states, and the data collection exercise is an early step towards that goal.

A window into AMLA’s future role

Taken together, the data collection exercise and the accompanying regulatory framework offer a preview of AMLA’s style of regulation: analytical, risk-driven and focused on comparability.

Even where AMLA is not yet a firm’s direct supervisor, its methodologies will shape the regulatory environment in which all EU financial institutions operate.

In this sense, the data collection exercise is not only a technical test of risk models, but an early indication of how AMLA intends to exercise judgement within a harmonised EU AML framework.
