Facing AMLA Investigations: Key insights for organizations

In its first year of operation, AMLA is laying the legal, operational, and institutional groundwork to implement its broad mandate. The 2025 Work Programme outlines its initial priorities: establishing AMLA’s dual role in both direct AML/CFT supervision and the coordination of Financial Intelligence Units (“FIUs”), developing the AMLA database, and starting preparatory work for risk models and compliance standards. This initial stage is not merely administrative. It will shape the methods and standards by which AMLA will conduct investigations and assess compliance failures in the future. It is essential to understand how AMLA operates for any entity subject to EU AML obligations. This applies in particular to its investigative powers and pecuniary sanction calculation methods. This article explores what institutions can expect and how they can prepare to minimize compliance risks and potential pecuniary sanctions.

AMLA’s investigative and supervisory powers

Under Articles 17 to 21 of Regulation (EU) 2024/1620 (“AMLA Regulation”), AMLA is granted a suite of supervisory powers similar to those held by the European Central Bank (“ECB”). These include the following:

Requests for information (Article 17 AMLA Regulation)

AMLA has the power to request necessary information from selected obliged entities, their employees, affiliated legal persons, and third parties involved in outsourced functions. These entities must provide the requested information promptly. They have to ensure it is clear, accurate, and complete. Once AMLA obtains the information, it will share it with the relevant financial supervisor.

General investigations (Article 18 AMLA Regulation)

Article 18 grants AMLA the power to conduct investigations on selected obliged entities pursuant to Article 3 AMLA Regulation, their employees, and related legal entities within a Member State to fulfil its regulatory duties.

Investigation powers:

• Document Submission: Request relevant documents
• Examination of Records: Review and copy books and records
• Access to IT Systems: Access internal audits, software, and databases
• Decision-Making Information: Obtain documents related to decision-making processes
• Explanations and Interviews: Gather written/oral explanations and conduct interviews

Obligations and assistance:

Entities must comply with investigations

The financial supervisors of the member state where the relevant premises are located must provide the necessary assistance when a person obstructs the conduct of the investigation and ensure the AMLA's access to premises, in compliance with national law.

On-site inspections (Article 19 AMLA Regulation)

AMLA can conduct on-site inspections at business premises of entities such as financial institutions and crypto-asset service providers as outlined in Article 17 AMLA Regulation, with prior notification to the national financial supervisor. Judicial authorization is required for premises that are also private residences. Inspections can be unannounced.

AMLA may form joint or dedicated supervisory teams for inspections. It will coordinate with national financial supervisors to set up such teams.

Authorized staff can enter business premises and, with judicial approval, private residences. They have the powers outlined in Article 21 to conduct inspections, including requesting the immediate submission of all necessary data or information to fulfil the tasks assigned by the regulation (Article 21(3)(a) AMLA Regulation). These tasks are listed in Article 5 (2) AMLA Regulation. Key tasks include that:

AMLA ensures that the selected obliged entities are compliant to all applicable requirements (i.e. Regulation (EU) 2024/1624 (“AML Regulation”) and Regulation (EU) 2023/1113 (“Cryptoasset Transfer Regulation”)).

AMLA conducts reviews and assessments at both individual and group levels to evaluate the adequacy of internal policies and controls. Based on these assessments, AMLA can impose specific requirements, administrative measures, and pecuniary sanctions.

AMLA can actively participate in group-wide supervision, especially in AML/CFT supervisory colleges, even when entities have international branches or headquarters outside the EU.

AMLA maintains a dynamic system to assess risks and vulnerabilities of the entities.

National financial supervisors' staff will assist AMLA’s team during inspections, with the same powers as AMLA’s staff.

If an inspection is opposed, the national financial supervisor assists AMLA, potentially sealing premises and records. If necessary, they can seek help from other national authorities.

Authorisation by a Judicial Authority (Article 20 AMLA Regulation) and administrative measures (Article 21 AMLA Regulation)

Articles 20 and 21 AMLA Regulation outline AMLA's powers to seek judicial authorization for on-site inspections and to impose administrative measures on entities that breach regulations.

Influence on investigations and national cooperation

AMLA's authority extends beyond direct supervision. The structure is set to enhance national regulators' ability to act swiftly and in coordination with broader EU enforcement initiatives:

AMLA is set to increase oversight by creating a central AML/CFT database (Article 11 AMLA Regulation). This database will compile information from national supervisory authorities. It will include details on supervisory actions, authorizations, and “fit and proper” assessments. It will also include statistical data on national supervisory authorities and FIUs. According to the AMLA Work Programme 2025, development of this database is already underway, with early efforts focused on data from the financial sector and crypto-asset service providers (“CASPs”). Non-financial sector data will follow within four years of the regulation's entry into force. The database is designed to improve oversight, identify structural weaknesses, and allow AMLA to monitor high-risk entities across jurisdictions. Legal privilege is protected, and personal data will be retained for no longer than ten years.

In parallel, AMLA is building a FIU Support & Coordination Framework (Article 39 AMLA Regulation). Its purpose is to coordinate FIU activities, ensure the secure exchange of information, and act as a mediator in cases of non-cooperation between national FIUs. The 2025 Work Programme confirms that the first steps include:

• Establishing a FIU Delegates Group (from Q3 2025),
• Launching joint analysis procedures (first pilot cases planned for 2026),
• And conducting a comprehensive mapping of all national FIUs, including their structures, capabilities, and areas for improvement.

AMLA establishes methods to choose and prioritize cases for joint analyses and coordinates with FIUs who can request such analyses. If at least one other FIU agrees to participate, AMLA facilitates the process within 20 days and ensures secure communication and data access (Article 40 AMLA Regulation).

Where cases under joint analysis suggest potential criminal conduct, AMLA is empowered by Article 41 AMLA Regulation to refer such findings to the appropriate bodies:

• To the European Public Prosecutor’s Office (“EPPO”), where the suspected offences fall within its mandate,
• To the European Anti-Fraud Office (“OLAF”), if the matter concerns fraud affecting the EU budget,
• And, with the consent of the involved FIUs, to Europol and Eurojust for the handling of serious cross-border criminal offences.

In addition, AMLA and other EU institutions may exchange strategic or non-operational information under predefined conditions to enhance coordination (also Article 41 AMLA Regulation).

This layered structure not only strengthens centralized insight and risk profiling, but also accelerates responses in complex, multi-jurisdictional investigations. It reinforces the importance of cooperation readiness, especially for entities operating in more than one Member State.

Finally, the Work Programme highlights AMLA’s intention to increase its focus on the non-financial sector, including real estate, luxury goods, legal services, and company service providers. Risk-based questionnaires and thematic reviews are planned as part of early supervisory engagement. AMLA also plans to initiate seminars and technical exchanges with national authorities to align investigative standards and improve capacity-building across the EU.

Procedural rules for supervisory measures and sanctions under Article 27 AMLA Regulation

Investigation initiation and process

When AMLA suspects breaches listed in Annex II to the AMLA Regulation, it appoints an independent investigatory team to examine the alleged breaches. This team operates separately from the AMLA Executive Board. It considers comments from those under investigation, can request information and conduct inspections, and has access to all relevant documents collected by the supervisory team.

Rights and access for the investigated

The investigatory team will allow investigated parties to comment on the facts before finalizing findings. Once the investigation is complete, the findings are submitted to the AMLA Executive Board. The investigated parties are notified and given access to the file. Confidential third-party information is excluded.

Decision, sanctions, and independence

The AMLA Executive Board reviews the findings and can impose pecuniary sanctions or administrative measures. The AMLA investigatory team does not participate in the decision-making process.

Procedural rules and criminal prosecution

The Commission will establish additional rules for sanctions, including rights of defence and limitation periods, by January 2027. AMLA refers potential criminal matters to national authorities and refrains from imposing sanctions if a prior legal decision on the same facts exists.

Pecuniary sanctions: Article 22 AMLA Regulation Overview

Article 22 AMLA Regulation outlines AMLA's power to impose pecuniary sanctions on selected obliged entities for breaches of key regulations. The following is a breakdown of how these sanctions are structured and applied:

Basic amount

AMLA can impose pecuniary sanctions for intentional or negligent breaches of the Cryptoasset Transfer Regulation or the AML Regulation. These sanctions apply to serious, repeated, or systematic breaches, and can be imposed alongside or instead of administrative measures.

Determination of the Basic Amount of Pecuniary Sanctions: For breaches across multiple Member States related to customer due diligence and other key areas, pecuniary sanctions range from EUR 500,000 to EUR 2,000,000 or 1% of the annual turnover, whichever is higher.

For similar breaches within a single Member State, pecuniary sanctions range from EUR 100,000 to EUR 1,000,000 or 0.5% of the annual turnover.

For serious, repeated or systematic breaches of all other requirements that have been identified in two or more Member States where a selected obliged entity operates, pecuniary sanctions range from EUR 100,000 to EUR 2,000,000.

For serious, repeated or systematic breaches of all other requirements that have been identified in one Member State where a selected obliged entity operates, pecuniary sanctions range from EUR 100,000 to EUR 1,000,000.

For serious, repeated, or systematic breaches of decisions by AMLA, which include AMLA's supervisory and investigative powers and its power to impose pecuniary sanctions and periodic penalty payments, pecuniary sanctions range from EUR 100,000 to EUR 1,000,000.

Adjustments for aggravating and mitigating factors:

The base amount of a pecuniary sanction can be adjusted on the basis of aggravating and mitigating factors. These are typically expressed as numerical coefficients in Annex I of the AMLA Regulation.

In Germany, the consideration of compliance management systems in the assessment of corporate sanctions is not yet generally regulated, in contrast to other jurisdictions, such as Great Britain or France. However, the reduction of pecuniary sanctions through compliance measures plays an important role in practice. A groundbreaking ruling by the Federal Court of Justice (Bundesgerichtshof – “BGH”) of 9 May 2017 took compliance measures into account for the first time in the calculation of pecuniary sanctions. The BGH emphasized the importance of preventive measures and an efficient compliance management system in the calculation of the fine.

The German Federal Cartel Office has also used this approach for years. A legal reform in 2021 explicitly codified this methodology in Section 81d Competition Act (Gesetz gegen Wettbewerbsbeschränkungen – “GWB”). The coefficients it applies largely mirror those set out in the AMLA Regulation. Compliance measures introduced after a violation of the law are also taken into account in the award procedure for the so-called self-cleaning pursuant to Section 125 (1) sentence 1 GWB.

At the European level, a similar mechanism exists. Article 65 of Regulation (EU) No 648/2012 (“European Market Infrastructure (“EMI”) Regulation”) outlines how European Securities and Markets Authority (“ESMA”) determines sanction levels. It references Annex II of EMI Regulation for guidance. The coefficients there align closely with the AMLA Regulation. Thus, the AMLA Regulation builds on a well-established practice:

Aggravating factors

• Repeated breach, for every time it has been repeated: Coefficient 1.1
• Duration over six months: Coefficient 1.5
• Systemic weaknesses in procedures or controls: Coefficient 2.2
• Intentional infringement: Coefficient 3
• No remedial action: Coefficient 1.7
• Lack of cooperation of senior management with AMLA: Coefficient 1.5

Mitigating factors

• Preventive measures by the senior management: Coefficient - 0.7
• Prompt reporting: Coefficient - 0.4
• Voluntary future safeguards to prevent future breaches: Coefficient - 0.6

Maximum sanction limits:

• For breaches that are related to customer due diligence, the maximum pecuniary sanction can reach up to 10% of the entity's total annual turnover.
• For other breaches, the cap is set at EUR 10,000,000.

When the entity is part of a larger corporate structure, the total annual turnover is based on consolidated financial statements.

The AMLA Regulation is strongly aligned with existing EU legal instruments such as the General Data Protection Regulation (“GDPR”) and competition law, particularly with regard to turnover-based maximum pecuniary sanctions and pecuniary sanction assessment criteria.

AMLA can also require national financial supervisors to impose pecuniary sanctions under national law. AMLA will consider the entity's ability to pay and consults relevant national supervisory bodies to ensure that these pecuniary sanctions do not interfere with the entity's compliance with prudential regulations. Prudential regulations are rules designed to ensure the financial health and stability of financial institutions, such as banks. They require institutions to maintain sufficient capital reserves and manage risks effectively to prevent financial instability or crises. The aim is to ensure that the enforcement of anti-money laundering laws does not compromise the financial stability and soundness of the institutions.

Illustrative pecuniary sanction calculation

Sanction calculation with intentional and prolonged violation

When aggravating coefficients apply, the AMLA Regulation assumes the base sanction already accounts for a neutral coefficient of 1. Therefore, only the increase beyond the base sanction is added. For example, a coefficient of 3 means the violation is worth three times the base, so the increase is calculated as Base x (3 - 1). This prevents double-counting the base sanction (Article 22 (4) AMLA Regulation).

For Example: An obliged entity committed an intentional violation that lasted more than six months and was related to customer due diligence. The base sanction is assessed at EUR 500,000.

Step 1: Aggravating coefficients

• Intentional infringement (coefficient 3)
  • Increase: EUR 500,000 x (3 - 1) EUR 1,000,000
• Duration over six months (coefficient 1.5)
  • Increase: EUR 500,000 x (1.5 - 1) = EUR 250,000
• Subtotal after aggravating factors:

EUR 500,000 + EUR 1,000,000 + EUR 250,000 = EUR 1,750,000

Step 2: Mitigating coefficients

• Prompt reporting (coefficient: - 0.4)
  • Reduction: EUR 500,000 x 0.4 = EUR 200,000
• Voluntary future safeguards to prevent future breaches (coefficient: - 0.6)
  • Reduction: EUR 500,000 x 0.6 = EUR 300,000
• Total reductions: EUR 500,000

Final calculation

• Final sanction: EUR 1,750,000 - EUR 500,000 = EUR 1,250,000

Small institution with prompt reporting

A small financial institution with an annual turnover of EUR 50 million discovers a breach due to inadequate customer due diligence procedures. The breach was not intentional, lasted under three months, and was promptly reported to authorities.

• Base sanction: EUR 200,000 (based on the nature and scope of the breach)
• Mitigating Factors:
• Prompt reporting (coefficient - 0.4)
  • Reduction: EUR 200,000 x 0.4 = EUR 80,000
• Final sanction Calculation: EUR 200,000 - EUR 80,000 = EUR 120,000

This demonstrates how even with a significant initial base, meaningful compliance action and transparency can lead to substantial pecuniary sanction reductions.

Best practices for risk reduction

Institutions have significant control over their risk exposure under AMLA. To reduce exposure to pecuniary sanctions, institutions may consider adopting a multi-faceted compliance strategy:

• Implement a Compliance Management System that includes risk-based monitoring, real-time transaction screening, and comprehensive documentation protocols.
• Upon the identification of red flags, promptly and independently initiate an internal investigation. Share results with regulators to demonstrate transparency and accountability.
• Stay up to date with AMLA’s upcoming technical and practical rules, known as Level 2 and Level 3 standards. These include:
  • RTS (“Regulatory Technical Standards”): Legally binding technical specifications that define how key regulatory requirements must be implemented in detail.
  • ITS (“Implementing Technical Standards”): Practical and standardized implementation rules, including formats, procedures, and deadlines for regulatory reporting.
  • Guidelines: Non-binding but authoritative interpretations that promote consistent application of AML/CFT rules across the EU.
• These rules are currently being developed in close coordination with national supervisory authorities. In 2025, AMLA will focus in particular on standards for business-wide risk assessments, thresholds for customer due diligence, and rules for transaction monitoring. All of these areas are critical for internal compliance systems and investigations. Companies should ensure their internal controls are aligned with these evolving requirements as early as possible.
• Ensure employees understand their AML obligations and are trained to recognize suspicious behaviour.
• Keep thorough records of all compliance efforts, updates to procedures, and training logs. Documentation and transparency are key to benefit of mitigating factors.
• When breaches occur, report them quickly and completely. This can significantly reduce the final pecuniary sanction.
• Senior management should be able to demonstrate that all necessary measures were in place to prevent breaches. If a breach occurs, institutions should voluntarily implement measures to prevent similar future breaches.

Additionally, institutions should prepare to support joint FIU analyses and cross-border information sharing. AMLA is building a FIU Support & Coordination Framework, with two pilot peer reviews planned between 2025–2027 and a long-term plan for strategic threat assessments. Demonstrating readiness to collaborate with FIUs could enhance an institution’s credibility and mitigate reputational and regulatory risk.

Looking ahead: What to expect

While AMLA’s direct supervision will commence in 2028, its influence will become relevant earlier through guidance issued in 2026. National regulators are expected to align their practices accordingly.

The 2025 Work Programme also sets the timeline for AMLA’s first Single Programming Documents (“SPDs”), covering 2026–2029. These will define AMLA’s strategic direction, operational priorities, and performance indicators. Institutions can expect increasing alignment of national supervision practices with this emerging EU framework.

AMLA is also designing its own digital risk-assessment ecosystem, intended to integrate supervisory and FIU data, support systemic reviews, and inform selection criteria for direct supervision. This reinforces the need for companies to invest in data integrity, traceable audit trails, and internal control reporting standards as early as possible.

Early and comprehensive action not only enables institutions to avoid or mitigate pecuniary sanctions. It also helps to build trust with the supervisory authorities and demonstrate that they take their AML/CTF responsibilities seriously.

For more insights and information on the new AML regime and how it will impact your business please visit our AMLA Hub or get in touch with one of the team listed or your usual Hogan Lovells lawyer.

Authored by Dr. Lukas Ritzenhoff and Annika Guterl.