.svg)
On February 4, 2026, the EU’s Anti-Money Laundering Authority (AMLA) published its single programming document (SPD) for 2026-2028, its first multi-year plan. The SPD sets out AMLA’s objectives, planned activities and the resources required to deliver them.
Published at a critical juncture in AMLA’s operation, with the institution seeking to deliver upon its core mandates, this analysis will examine the SPD and look at its implications for impacted firms, as well as provide Vixio’s initial response to AMLA’s plans.
The bigger picture
Established by Regulation (EU) 2024/1620 (Anti-Money Laundering Authority Regulation – AMLAR) (Vixio update), AMLA is the EU’s new central regulator for anti-money laundering (AML). In anticipation of direct supervision of 40 high-risk entities in 2028, this SPD outlines five core objectives:
- To complete and support the establishment of a robust and uniform anti-money laundering/counter-terrorism financing (AML/CTF) framework.
- To strengthen cooperation and inclusiveness.
- To spearhead the use of technology in an evolving landscape.
- To ensure credibility and accountability.
- To contribute to consolidating the EU’s role as a global leader in financial crime prevention.
Set against this backdrop, AMLA has also defined five long-term goals:
- Governance, consistency and proportionality: This involves completing and supporting the establishment of a uniform AML/CTF framework, through the development of regulatory and implementing technical standards (RTS/ITS), supported by high standards, best practices and common methodologies and tools to address national fragmentation.
- Cooperation and inclusiveness: AMLA will foster a culture of joint responsibility and mutual trust among supervisory authorities, financial intelligence units (FIUs), prudential authorities and law enforcement.
- Technology and innovation: AMLA will invest in advanced analytical tools, blockchain capabilities and secure platforms for information exchange.
- Credibility and accountability: This involves a strong governance model, ethical safeguards and transparent communication with stakeholders.
- Global leadership: AMLA will be developing its global leadership by promoting the Union’s standards abroad.
Finally, AMLA plans to deliver its objectives through the following programme of activities:
- Supervision: AMLA will establish direct oversight of the 40 most impactful credit and financial institutions in the EU. Indirect supervision will be carried out through harmonised approaches, close cooperation with supervisory authorities, supervisory colleges and regular peer reviews. This also includes key mandates such as RTSs, ITSs and guidelines.
- Coordination and support framework of FIUs: Joint analyses, peer reviews and mediation mechanisms will strengthen cross-border intelligence exchange. By 2027, the full transfer and optimisation of FIU.net, a decentralised computer network and information exchange system, will be completed.
- Stakeholder engagement: AMLA will enhance this through a comprehensive strategy built on the principles of informing, consulting, involving and collaborating.
- Organisational development: This includes the onboarding of FIU delegates as a key element to facilitate and improve cooperation between FIUs and AMLA.
The SPD further outlines specific priorities within Section III: annual work programme 2026.
However, AMLA’s priorities regarding completing the single rulebook and building towards direct supervision in 2028 will carry the most practical implications for firms.
Completing the single rulebook
The single rulebook aims to harmonise the set of rules applicable to firms, supervisors and FIUs. Being a key pillar within the EU’s new AML landscape, AMLA is focused on the further development of the framework by drafting RTS, ITS and guidelines.
On February 9, 2026, AMLA took a step towards the completion of this goal, launching a consultation on three draft RTSs:
- RTS on pecuniary sanctions, administrative measures and periodic penalty payments under Article 53(10) of the 6th Anti-Money Laundering Directive (6th AMLD) (Vixio update).
- RTS on the criteria for business relationships, occasional transactions, linked transactions and lower thresholds under Article 19(9) of the AML Regulation (AMLR) (Vixio update).
- RTS on customer due diligence under Article 28(1) of AMLR (Vixio update).
Approximately 19 additional RTSs, ITSs and guidelines are planned to be consulted on and published in 2026 and early 2027. The following is a sample of expected consultations to be published in Q2 2026:
- An RTS on minimum requirements of group-wide policies, including minimum standards for information sharing, criteria for identifying the parent undertaking and the conditions under which group-wide requirements apply to entities that are part of structures, and the criteria for identifying the parent undertaking in the Union in those cases.
- An RTS on the central AML/CTF database: procedure, formats and timelines for the transmission of information, scope and level of detail of information, type of information to be disclosed, information requiring prior approval, materiality of breaches for submission of information, conditions for directing additional requests, and types of additional information to be transmitted to AMLA.
- An ITS on the format to be used by AMLA for reporting information, including the results of joint analyses.
- An RTS on additional measures for branches and subsidiaries in a third country where the law of that third country does not permit compliance with AMLR, and related supervisory actions.
- An RTS on the duties of the home and host supervisors and the modalities of cooperation between them.
- A guideline on base amounts of pecuniary sanctions relative to turnover, per type of breach and category of obliged entity.
According to AMLA’s plan, all documents needed to complete the single rulebook will have their final draft published in Q2 2027. From there, final publication is to be expected in H2 2027.
Building towards direct supervision in 2028
Among the priorities promised by the AMLA, direct supervision is poised to exert the greatest influence on affected entities. Drawing parallels from the Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) experience with critical third-party provider designations, it is highly probable that several financial institutions will face unforeseen regulatory classification. Within the DORA context, the European supervisory authorities selected specialist firms, such as Equinix, not based purely on their scale, but due to their specialist capabilities. Firms should consider similar considerations for direct AMLA supervision.
However, to achieve direct supervision, AMLA has provided a roadmap to 2028:
- A supervisory strategy to set out the vision, priorities and operational principles guiding AMLA’s direct supervision.
- The procedures for the transfer of supervisory information and documentation from national authorities, which includes identifying the minimum documentation set, establishing secure transfer channels and ensuring compliance with data protection requirements.
- The design of AMLA’s direct supervision framework, which covers methodologies, governance structures and supervisory tools.
- The development of off-site supervision tools to enable continuous monitoring, which would involve data quality checks, the integration of risk indicators and structured procedures for following up on on-site inspections.
- The design and implementation of a credible enforcement framework to ensure that supervisory decisions are underpinned by effective, proportionate and transparent sanctioning powers.
Additionally, firms do have some clarity in relation to the selection process. On March 6, 2025, the European Banking Authority (EBA) launched a consultation on several proposed RTSs (Vixio update), one of which being a draft RTS specifying the assessment methodology of credit institutions, financial institutions and groups of credit and financial institutions for the purpose of selection for the direct supervision of AMLA. As provided for in the recital of that draft RTS, the selection of the 40 entities will take place in two stages:
- Stage 1: AMLA will identify all credit institutions, financial institutions or groups of credit and financial institutions that are operating in at least six member states, including the home member state, either via establishment or by conducting relevant operations under the freedom to provide services.
- Stage 2: The ML/TF risk profile of such entities is classified to identify those that present a high residual risk.
The draft RTS further details this process. It provides:
- That the activities of an institution shall be considered material for the purposes of Article 12(1) of the AMLR where:
- The number of its customers that are resident in that member state is above 20,000.
- The total value in euro of incoming and outgoing transactions generated by the customers referred to under the above is above €50m.
- Steps for the assessment and classification of inherent and residual risk as low, medium, substantial or high.
- Steps for the assessment and classification of the quality of AML/CTF controls.
- The methodology for the assessment and classification of the residual risk at the entity level.
Although the RTS is still in a draft stage, final publication is expected to take place in 2026.
Why should you care?
The publication of AMLA’s SPD marks a decisive shift from preparatory work to supervisory execution. For firms, this is the moment where the EU’s new AML framework moves from anticipated to operational, and where positioning over the next 18–24 months will materially shape future outcomes.
First, completion of the single rulebook will define firms’ AML/CTF operating models for the remainder of the decade. Throughout 2026 and early 2027, firms will be presented with an unusually dense pipeline of RTSs, ITSs and guidelines that will translate the AMLR’s high-level obligations into precise, enforceable requirements. Each consultation represents not only a regulatory requirement, but also an opportunity to influence how items such as proportionality and risk sensitivity are reflected in the final standards.
At the same time, the scale and sequencing of the technical standards introduce risk. With approximately 22 additional instruments expected within a compressed timeframe, firms face a steep implementation challenge.
Firms should therefore be prioritising internal gap analyses against anticipated RTSs, rather than waiting for final texts. Those that engage early will be better positioned to avoid costly re-engineering once the standards crystallise in H2 2027.
Second, firms should already be assessing their potential exposure to AMLA’s direct supervision regime in 2028. Although formal selection will only occur in 2027, the SPD confirms that AMLA is actively building the capabilities that will underpin direct oversight.
Institutions operating across multiple member states, with large customer bases or significant transaction volumes, should begin their operations against the draft EBA methodology now; even while the RTS remains under consultation. Being identified as a directly supervised entity will fundamentally alter supervisory intensity, reporting expectations and enforcement risk.
Ultimately, the SPD makes clear that AMLA’s impact will be systemic, not selective.
Whether subject to direct supervision or not, firms will be operating within a harmonised AML ecosystem shaped by AMLA’s standards and expectations.
For firms, the next 18 months are not a holding period, but a small window. Decisions taken now on engagement, governance and supervisory readiness will determine whether AMLA’s plans contained in the SPD are disruptive or manageable.
Vixio’s Verdict
AMLA’s first SPD is a welcome roadmap that replaces regulatory ambiguity with a granular, detailed 105-page execution plan. Beyond the administrative milestones, the document signals a fundamental shift in supervisory expectations, with the EU moving away from fragmented national oversight toward a centralised, data-driven regime that prioritises effectiveness over mere technical compliance.
Several deliverables underscore this shift. These include formalised information-sharing partnerships scheduled for 2027, designed to bridge long-standing gaps between public authorities and private-sector intelligence; the development of AMLA’s own proprietary risk-analysis framework; and a clear strategy for indirect supervision, ensuring that even firms outside AMLA’s direct remit are subject to more rigorous and harmonised standards through their national regulators.
Set against growing calls to reduce regulatory complexity and improve efficiency, AMLA’s direct supervision of 40 financial institutions (at least initially) may also deliver tangible efficiency gains. As selection will be based on operations in at least six member states, a single supervisory authority could significantly ease the communication and implementation burdens inherent in the previous, fragmented system.
Comparable benefits are also likely for institutions indirectly supervised by AMLA. Through supervisory convergence reviews, mutual assistance mechanisms and training initiatives, cross-border firms should experience greater consistency in the practices of national FIUs.
However, a key concern remains. With the AMLR taking effect in mid-2027 and direct supervision commencing only in 2028, there is a real risk that the new regime could be fighting yesterday’s battles. In a landscape shaped by generative AI and cross-border crypto-assets, AMLA’s greatest challenge may be ensuring that its single rulebook remains sufficiently flexible to stay relevant in a rapidly evolving financial and political environment.
Ultimately, the SPD confirms that the preparatory phase is over. Although the formal enforcement dates of 2027 and 2028 may still seem distant, AMLA’s role is now clear, central and firmly established.
Despite timeline and rigidity concerns, the SPD represents a welcomed and robust starting point. It provides a granular, logically structured foundation that aligns well with Europe’s regulatory ambitions for its AML regime at this present junction.
