
EBA’s 2025 AML Advice: A Framework of Trust, Boundaries, and Controlled Delegation

The European Banking Authority’s 2025 response to the European Commission’s Call for Advice on six key Anti-Money Laundering Authority (AMLA) mandates reads as both a roadmap and a reality check. Released in October 2025, the report lays the technical foundation for the European Union’s new AML regime while quietly acknowledging the central challenge: AMLA’s operational capacity may not yet measure up to its sweeping mandate. Behind the EBA’s formal prose lies a pragmatic undercurrent. The Authority fully supports AMLA’s mission to harmonize anti-money-laundering supervision across Member States, but its tone suggests measured trust rather than blind confidence. The document functions as a detailed rulebook designed to avert early missteps and preserve continuity, effectively building the framework AMLA will inherit rather than invent.


The report focuses on six interlinked mandates that together define AMLA’s technical and supervisory structure: the assessment of inherent and residual risk under Article 40(2) of AMLD6 through a harmonized scoring system; selection criteria for direct supervision under Article 12(7) of AMLAR based on measurable cross-border thresholds; a customer due diligence framework under Article 28(1) of AMLR to standardize identification and verification; regulatory technical standards for sanctions and penalty payments under Article 53(10) of AMLD6 to align enforcement principles; technical advice on base amounts for fines under Article 53(11) of AMLD6 guiding AMLA’s calculations; and group-wide policies and information-sharing guidance under Article 16(4) of AMLR defining data safeguards and minimum standards. Collectively, these mandates will form the operational DNA of AMLA’s supervisory regime. Yet the EBA’s tone makes clear that it views AMLA less as an independent successor than as a cautious custodian of a system already built. These standards are crafted to be self-executing and to limit discretionary interpretation, ensuring even a nascent authority can function without destabilizing the current supervisory network.


The EBA’s proposal for assessing inherent and residual risk marks a pivotal move toward a data-driven European AML framework. Every obliged entity will be evaluated through a three-step process: identifying inherent risk, evaluating control quality, and calculating residual exposure. The result is a transparent four-tier risk scale—low to high—combined with control ratings from A to D, producing a matrix that differentiates between exposure and mitigation. For example, the model distinguishes an entity with high exposure but excellent controls from one with moderate exposure and weak governance. The system is explicitly automated, relying on a shared dataset of quantitative indicators such as transaction volumes, customer risk profiles, geographic exposure, and governance testing. Adjustments can only deviate by one level, and only with documented evidence, ensuring uniform interpretation across jurisdictions. This emphasis on automation reveals a dual intention: to eliminate subjectivity and to shield the system from inconsistency once AMLA takes charge. By defining the methodology so precisely, the EBA effectively limits AMLA’s scope to reinterpret risk, showing its preference for structure over the new authority’s early judgment. Annual risk reviews will be mandatory for most institutions, with a three-year cycle for low-risk or smaller entities. AMLA will recalibrate thresholds and weighting factors annually, maintaining the model technically rather than conceptually. For non-financial sectors, the EBA recommends a tailored variant of the model, preserving proportionality without altering the core framework.


In its guidance under Article 12(7) of AMLAR, the EBA sets out AMLA’s direct supervision parameters with an unmistakable note of caution. Only institutions active in at least six Member States will fall under AMLA’s direct oversight, provided they meet materiality thresholds of 20,000 resident customers or 50 million euros in annual transactions per Member State. These criteria act not only as filters but as political guardrails, ensuring AMLA’s early supervisory reach is both substantial and defensible. By grounding eligibility in quantitative terms, the EBA shields the authority from overreach and interpretative ambiguity. The selection process mirrors the national-level risk-scoring model, deliberately excluding adjustments for national specificities to prevent supervisory arbitrage.


The EBA’s conditional trust is clearest in its transition provisions. It explicitly recommends duplicating its risk-assessment standards across Article 40(2) AMLD6 and Article 12(7) AMLAR so that AMLA’s supervisory selection can proceed even if its own RTS are delayed. “The duplication ensures continuity in case AMLA is not yet ready,” the EBA notes—a line that speaks volumes about its expectations. The same philosophy guides the enforcement framework under Article 53(10) AMLD6, introducing the EU’s first harmonized sanctions regime. Breaches will be categorized by severity, with serious or repeated violations triggering automatic pecuniary penalties. Supervisors may apply proportionality and contextual factors, but within strict parameters. Periodic penalty payments are described as corrective rather than punitive, emphasizing systemic discipline over subjective enforcement. National rules will continue to apply to proceedings initiated before July 2027, after which all enforcement shifts to the unified EU framework. This structured, almost algorithmic approach shows that while the EBA supports AMLA’s mission, it trusts procedure more than instinct, codifying each step to prevent divergence during AMLA’s formative years.


Under Article 28(1) of AMLR, the EBA’s customer due diligence standards reveal its careful balancing act between flexibility and control. The new RTS replace fragmented national rules with uniform EU-wide standards for identification, verification, and monitoring. Rather than dictating document types, the EBA opts for a principles-based approach grounded in reliability, independence, and proportionality, allowing digital verification, biometric onboarding, and eIDAS-compliant trust services. Existing clients must be re-verified in risk-based order—high-risk customers first, others within five years—reducing compliance burdens while preserving focus on major risks.


The EBA’s guidance on group-wide information-sharing under Article 16(4) AMLR underscores its cautious optimism. It supports intra-group data exchange, including suspicious activity information, but only within stringent safeguards. Parent entities must oversee all data flows and ensure personal data sent to third countries remains protected. The underlying message is unmistakable: AMLA must reconcile transparency with restraint. The EBA endorses information-sharing as a compliance necessity but warns that “indiscriminate exchange could trigger privacy violations or fuel over-de-risking,” echoing lessons from past EU data governance missteps.


The EBA’s technical advice on base amounts for fines under Article 53(11) AMLD6 and its guidance on group-wide policies under Article 16(4) AMLR close the circle. Both sections translate legislative ambition into procedural mechanics built to withstand uneven implementation. Base fine amounts will depend on turnover, standardized by breach type and entity category. The EBA urges AMLA to define “base amount,” “type of breach,” “category of obliged entity,” and “turnover” precisely to prevent interpretive drift. Implementation begins in July 2027, aligning with AMLD6 transposition. Meanwhile, the group-policy guidance reflects the EBA’s concern that AMLA may initially struggle to balance prudential oversight with cross-border enforcement. By prescribing how personal and transactional data should circulate within corporate groups, the EBA places AMLA’s discretion within measurable limits. Its repeated insistence on data protection and lawful use underscores lingering doubt about AMLA’s ability to navigate overlapping legal frameworks. The resulting RTS are designed to be fail-safe—resilient even under imperfect execution.


Taken together, the EBA’s 2025 advice package reads less as a handover than as a tightly managed delegation. The Authority grants AMLA the instruments to act but surrounds them with procedural guardrails. This blend of confidence and caution is deliberate. The EBA knows AMLA will inherit enormous political visibility but little institutional memory, and its framework is designed accordingly—with built-in redundancies, annual recalibrations, fixed thresholds, standardized data, and transitional overlaps.


For compliance officers and financial institutions, the implications are unmistakable. The future of EU AML supervision will be technocratic, data-driven, and centrally orchestrated—but rigid during AMLA’s early years. Discretion, once prevalent in national regimes, will narrow as quantitative models replace narrative justification. Over time, as AMLA matures and develops its own supervisory intelligence, the structure may relax. But for now, the EBA’s cautious trust ensures Europe’s AML transformation proceeds methodically, not experimentally. By 2027, AMLA will sit at the core of a harmonized EU AML ecosystem, though its architecture will remain unmistakably EBA-engineered—precise, procedural, and designed to safeguard the Union from both financial crime and institutional overreach.

By fLEXI tEAM
