AMLA Is Watching: EU's New AML Authority

In July 2025, a new enforcement body quietly took its seat at the table of European financial regulation. The Anti-Money Laundering Authority (AMLA) — the EU's centralized AML supervisory agency — became operational. Since then, it has been watching.

As of April 2026, AMLA has made its expectations unmistakable: crypto-asset service providers (CASPs) operating in the EU must meet rigorous AML and KYC standards or face direct enforcement action. With the MiCA transitional window closing on July 1, 2026 — exactly 70 days away — and the full AMLR rulebook applying from July 2027, the compliance window is narrowing fast.

This article breaks down what AMLA is, what it demands of CASPs, and what identity verification infrastructure firms need to have in place before the clock runs out.

What Is AMLA and Why Does It Matter?

The Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) is a decentralized EU agency established under Regulation 2024/1620. It represents the most significant structural shift in EU financial crime enforcement in a generation.

Prior to AMLA, AML supervision across the EU was fragmented. National financial intelligence units (FIUs) operated under different interpretations of the same directives, creating regulatory arbitrage opportunities that sophisticated money launderers readily exploited.

AMLA ends that fragmentation. Its mandate includes:

• Direct supervision of up to 40 of the largest, highest-risk cross-border financial entities by 2027 — including CASPs
• Coordination of national supervisors to ensure consistent application of the AMLR
• Enforcement authority to impose administrative sanctions, including fines of up to 10% of annual turnover or €10 million, whichever is higher
• Guidance publication on high-risk crypto activities, including mixers, privacy coins, and anonymity-enhancing tools

In a statement published on the AMLA website, the authority stated clearly: "AMLA expects high standards against financial crime in the crypto sector." This is not a suggestion. It is a declaration of intent from an authority with real teeth.

The July 2026 Deadline: What Changes

The Markets in Crypto-Assets Regulation (MiCA) has been enforceable since December 30, 2024. However, a transitional clause allowed CASPs that were already legally operating in a member state under national law to continue operating — temporarily — without a MiCA license.

That transitional period ends on July 1, 2026.

After that date:

Status	Consequence
MiCA-licensed CASP	Can operate freely across the EU
Unlicensed CASP with transitional status	Must cease EU operations
Non-EU CASP without registration	Subject to immediate enforcement

Seventeen EU member states have already closed their transitional windows early. In France, Germany, and the Netherlands, enforcement began well before mid-2026. CASPs that assumed they had until July 1 may already be out of compliance in their primary markets.

What AMLA Requires of CASPs

AMLA's requirements for crypto firms are grounded in the AMLR, which will apply uniformly from July 2027 but which CASPs should treat as the standard today. The core obligations fall into five areas.

1. Customer Due Diligence (CDD)

MiCA and the AMLR mandate full CDD for all customers. This means:

• Government-issued identity verification (live liveness check, document authentication)
• Proof of address for higher-risk customers
• Source of funds documentation for deposits above €10,000
• Ongoing monitoring for changes in customer risk profile

The era of simplified, checkbox KYC is over. AMLA expects firms to demonstrate not just that they collected data, but how they assessed it, what risk conclusions they drew, and how consistently those conclusions apply across customer segments.

2. The Travel Rule

Every crypto-asset transfer — with no minimum threshold — must be accompanied by originator and beneficiary information. This requirement, which has been operational since MiCA's enforcement began, remains one of the most technically challenging elements for smaller CASPs.

Firms must maintain the infrastructure to capture, transmit, and store Travel Rule data in a format compatible with receiving VASPs — including those outside the EU operating under FATF standards.

3. Anonymous Wallets and Privacy Coins: Prohibited

This is the regulatory line that has generated the most discussion in the industry.

Under Article 79 of the AMLR, CASPs are prohibited from:

• Maintaining anonymous crypto-asset accounts — any account that does not have a verified, identified owner
• Transacting in anonymity-enhancing cryptocurrencies — including Monero (XMR), Zcash (ZEC) in shielded mode, and any asset designed to obscure transaction trails

AMLA has signaled it will publish additional guidance in 2026 specifically targeting crypto mixers, stealth addresses, and other privacy-enhancing techniques used to circumvent monitoring.

For CASPs currently offering privacy coin trading or non-custodial wallet interactions without identity verification, delisting or restricting these products is no longer optional — it is a prerequisite for continued operation.

4. Suspicious Transaction Reporting (STR)

CASPs must maintain active transaction monitoring systems and report suspicious activity to their national FIU. AMLA's expectation is that monitoring is automated, risk-calibrated, and documented — not a manual process relying on individual analyst judgment.

This is where the gap between legacy compliance systems and modern AI-powered approaches becomes most visible. Manual STR processes simply cannot keep pace with transaction volumes on major platforms.

5. Direct Access for Authorities

Under the AMLR, CASPs must provide "direct, immediate, and unfiltered access" to crypto-asset account data upon request from competent authorities. This has implications for data architecture — firms cannot structure their systems in ways that would delay or complicate regulatory access.

The 40 CASPs Under Direct AMLA Supervision

By July 2027, AMLA will directly supervise up to 40 CASPs — those operating cross-border in at least six EU member states and meeting a threshold for transaction volume or customer base. The selection criteria are still being finalized, but the implication is significant.

Being selected for direct AMLA supervision means:

• Regular inspections and information requests from AMLA itself (not just national authorities)
• Obligation to maintain a dedicated compliance interface with AMLA
• Heightened scrutiny of AML program effectiveness, including KYC processes

For large exchanges and multi-jurisdiction CASPs, the question is not whether they will be selected — it is whether their compliance infrastructure will survive the inspection.

What Compliant KYC Infrastructure Looks Like in 2026

Firms that will meet AMLA's standards in 2026 share common characteristics. They have moved away from static, document-only verification toward dynamic, continuous identity management.

Real-Time Identity Verification

Liveness detection that can distinguish genuine users from deepfake attacks has become a baseline requirement — not a premium feature. JINKUSU CAM and similar darknet tools capable of generating real-time synthetic video have demonstrated that passive liveness checks are no longer sufficient.

Effective KYC in 2026 requires multi-layer biometric assessment combined with behavioral signals — device fingerprinting, typing patterns, session anomalies — that static deepfakes cannot replicate.

Autonomous Risk Assessment

The volume and complexity of AMLA's requirements make human-only compliance review economically unsustainable. Firms deploying autonomous AI agents for KYC review achieve compliance at scale — processing identity checks, flagging anomalies, and generating documented audit trails automatically.

This is not about replacing compliance officers. It is about giving them the tools to manage thousands of customer risk profiles simultaneously rather than hundreds.

Documented, Auditable Decision Trails

AMLA's audit standard demands that firms show their work. Every KYC decision — approval, enhanced due diligence trigger, rejection — must be documented with evidence, reasoning, and timestamps. Systems that cannot produce this trail on demand will fail AMLA inspections.

Cross-Border Consistency

For CASPs operating across multiple EU jurisdictions, AMLA expects the same KYC standard applied consistently regardless of which country the customer onboards in. This rules out the common practice of applying stricter KYC in high-scrutiny markets while relaxing standards in newer or lower-volume jurisdictions.

The Penalty Landscape

AMLA's enforcement powers are not symbolic. Under the framework:

• Administrative fines of up to 10% of annual group turnover or €10 million (whichever is higher)
• Prohibition orders against senior management
• Public reprimands (reputational damage in a sector where trust is currency)
• Referral to national criminal authorities for serious breaches

The first significant AMLA enforcement action against a CASP will be a marker event for the industry — a signal of what direct EU-level supervision actually means in practice.

Building AMLA Readiness Before July 2026

For CASPs currently assessing their compliance posture, the following checklist reflects AMLA's stated expectations:

Requirement	Status Check
MiCA license or active application filed	Yes / In progress / No
Full CDD implemented for all customers	Yes / Partial / No
Travel Rule infrastructure operational	Yes / In progress / No
Anonymous accounts eliminated	Yes / In progress / No
Privacy coin listings reviewed and restricted	Yes / In progress / No
Automated STR monitoring deployed	Yes / Partial / No
Audit trail for every KYC decision	Yes / Partial / No
Direct authority access architecture ready	Yes / In progress / No

Any "No" on this checklist represents a material compliance gap — one that national supervisors and eventually AMLA itself will be positioned to identify.

What This Means for AI-Powered KYC

The AMLA framework effectively mandates what AI-first compliance vendors have been arguing for years: that KYC cannot be a one-time check. It must be a continuous, documented, risk-calibrated process that adapts as customer behavior and regulatory expectations evolve.

Platforms like Joinble that deploy autonomous AI agents for identity verification and compliance monitoring are structurally better positioned to meet AMLA's requirements than firms relying on manual workflows or static SaaS KYC tools.

The regulatory direction is clear. Identity verification in the EU is moving toward a model where the burden of proof is continuous — not satisfied by a single onboarding check conducted years ago.

Related Reading

• Agentic KYC: How Autonomous AI Agents Are Replacing Manual Compliance Reviews
• State of KYC in Crypto 2026: The Year Identity Became Autonomous
• EUDI Wallet: What the Dec 2026 Deadline Means for KYC

---

FAQ

What is AMLA and when did it start operating?

AMLA — the EU's Anti-Money Laundering Authority — became operational in July 2025. It is a centralized EU agency responsible for coordinating national AML supervisors and directly supervising high-risk financial entities, including major crypto-asset service providers.

What happens to crypto firms without a MiCA license after July 1, 2026?

CASPs that were operating under national transitional provisions but have not obtained a MiCA license by July 1, 2026 must cease EU operations. Continued operation without authorization will expose the firm to enforcement action by national regulators and, in major cases, AMLA itself.

Will AMLA directly supervise all crypto companies in the EU?

No. AMLA will directly supervise up to 40 CASPs that operate cross-border in at least six EU member states and meet volume or customer base thresholds. Other CASPs remain under national supervisory authority but must comply with the same AMLR standards.

Are privacy coins like Monero now banned in the EU?

Under Article 79 of the AMLR, CASPs are prohibited from maintaining anonymous crypto accounts or transacting in anonymity-enhancing cryptocurrencies. This effectively bans privacy coins from regulated EU CASP platforms. The prohibition will be fully enforceable from July 2027, but AMLA is signaling enforcement intent ahead of that date.

What does AMLA consider adequate KYC?

AMLA expects documented, consistent, and defensible KYC processes. This means firms must demonstrate how they assessed each customer's risk, what evidence supported their CDD conclusions, and how consistently those methods apply across customer segments and jurisdictions. Manual, undocumented processes will not satisfy this standard.

How can AI agents help meet AMLA's compliance requirements?

Autonomous AI agents can process identity verification, assess customer risk profiles, monitor transactions for suspicious activity, and generate documented audit trails — all at the scale and speed that AMLA's requirements demand. Firms using AI-powered compliance systems can demonstrate consistent, evidence-based decision-making across their entire customer base, which is precisely what AMLA audits will look for.