The European Union’s new regulation aimed at combatting money laundering is expected to go into full effect in two years. As the region moves toward unified supervision and true accountability, Gabriella Bussien of Trapets argues that financial institutions can’t assume their audit-passing compliance processes are adequately mitigating their actual risks.
Recent money-laundering busts at high-profile financial institutions show that crime continues to flow — sometimes undetected — through institutions that seemingly tick every regulatory box. Leaked correspondence between Swiss regulator FINMA and Reyl Bank reveals careless due diligence at a bank that was technically compliant, as well as a business model that prized wealthy, politically exposed clients, even when red flags were waving. Reyl insists it has since strengthened its AML framework, but the story is bigger than one bank. Across Europe and the UK, institutions are mistaking audit-passing compliance for actual risk mitigation.
Meanwhile, regulators are making it clear they’re not fooled. In June, the European Anti-Money Laundering Authority (AMLA) executive board officially took its seats in Frankfurt, part of a new AML regulation that is expected to apply starting in 2027. Implementation of the EU AML Regulation (AMLR) and the sixth Anti-Money Laundering Directive (6AMLD) will replace a patchwork of national approaches with a harmonized, pan-European framework.
What should financial institutions expect? Stricter due diligence on occasional transactions and high-net-worth individuals, real-time monitoring of high-risk payments (especially crypto and instant channels), clear explainability of automated decisions with greater human oversight and increased accountability for senior management.
These changes hint at a large-scale shift from procedural compliance to continuous, behavior-based monitoring. Regulators want to see not just that firms have policies in place but that those policies work at scale and in real time. And they’re prepared to come down hard on those that don’t comply.
The trouble with check-box compliance
Despite these changes (and the tough consequences of noncompliance), many financial institutions still optimize for audit readiness rather than criminal resilience. This is especially true in private banking. If a politically exposed person submits pristine paperwork and passes onboarding, the assumption is often: job done. But real risk doesn’t reveal itself in forms; it reveals itself in behavior.
Legacy systems reinforce this mindset. When investigators are trained to document rather than challenge, risk scoring is static. Ongoing monitoring becomes a formality if it’s carried out at all. However, banks that focus on form over substance may pass the audit today but then find themselves at the center of tomorrow’s scandal.
Historically, compliance teams have been trained on rules-based transaction monitoring systems, flagging activity based on static thresholds, like large transfers or certain geographies. But criminals know this. They are constantly testing systems and working out ways to exploit the gaps.
One common tactic is smurfing, or breaking up large illicit transfers into smaller amounts and spreading them across accounts at different times and time zones. In legacy systems, each transaction looks harmless and by the time a human sees the bigger picture, the money’s long gone.
Since regulators are getting tougher, firms need to get smarter about how they protect themselves from these kinds of tactics. This means training compliance teams to spot suspicious behaviors, rather than relying solely on thresholds.
Suspicious behaviors that don’t technically break the rules can take many forms — multiple cash deposits that fall just below thresholds, sudden changes in behavior that don’t fit the individual’s profile (e.g., a jump in transaction size or frequency), involvement of unnecessary middlemen or high-risk jurisdictions, etc.
These behaviors can easily slip through the cracks in a purely rules-based system. Ironically, however, rules-based systems also tend to be overwhelmed with false-positive alerts while real risks avoid detection.
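The gap described above, as an added example that is not part of the original article: a static per-transaction rule run next to a sliding-window check that sums sub-threshold deposits per beneficiary and reports which deposits triggered the alert. The threshold, window length, minimum deposit count, account names and transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000            # assumed static reporting threshold
WINDOW = timedelta(hours=72)  # assumed look-back window
MIN_PARTS = 3                 # assumed minimum deposits to treat as structuring

# Constructed sample data: (timestamp, source account, beneficiary, amount)
TXNS = [
    ("2025-03-01T09:10", "ACC-A", "BEN-1", 9_400),
    ("2025-03-01T23:45", "ACC-B", "BEN-1", 9_100),
    ("2025-03-02T14:30", "ACC-C", "BEN-1", 8_900),
    ("2025-03-03T08:05", "ACC-A", "BEN-1", 9_300),
    ("2025-03-02T11:00", "ACC-D", "BEN-2", 12_500),  # single large transfer
    ("2025-03-01T10:00", "ACC-E", "BEN-3", 1_200),   # small, weeks apart
    ("2025-03-20T10:00", "ACC-E", "BEN-3", 1_150),
]

def static_rule(txns):
    """Legacy rule: every transaction is judged alone against the threshold."""
    return {ben for _, _, ben, amt in txns if amt >= THRESHOLD}

def structuring_rule(txns):
    """Sum sub-threshold deposits per beneficiary over a sliding time window."""
    by_ben = defaultdict(list)
    for ts, src, ben, amt in txns:
        if amt < THRESHOLD:
            by_ben[ben].append((datetime.fromisoformat(ts), src, amt))
    alerts = {}
    for ben, rows in by_ben.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            total = sum(amt for _, _, amt in window)
            if len(window) >= MIN_PARTS and total >= THRESHOLD:
                # Keep the largest window as the evidence an analyst reviews.
                if total > alerts.get(ben, {"total": 0})["total"]:
                    alerts[ben] = {"total": total, "deposits": len(window),
                                   "sources": sorted({s for _, s, _ in window})}
    return alerts

if __name__ == "__main__":
    print("static rule flags:", static_rule(TXNS))
    print("structuring rule flags:", structuring_rule(TXNS))
```

The static rule flags only the single large transfer to BEN-2, while the windowed check flags BEN-1 and records the total, deposit count and source accounts so a human reviewer can see why the alert fired.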
But if teams know what to keep an eye out for, it is possible to stop criminals in their tracks. It requires a strategic and proactive approach to combatting financial crime. Your compliance teams should regularly schedule research sessions to learn about the latest criminal tactics. Training should be ongoing to reflect evolving threats.
What effective surveillance looks like in 2025
Let’s bring this all together. To keep pace with both regulators and criminals in 2025, banks operating in the EU must reframe their approach:
- From threshold-based alerts to behavioral anomalies. Look for deviations in patterns (subtle as they may be), not just rule violations.
- From after-the-fact batch reviews to real-time responsiveness, especially for high-risk sectors like crypto and instant payments.
- From black-box AI to explainable tools. AMLA now requires “meaningful human intervention” in onboarding decisions. Automation must be auditable.
- From siloed departments to cross-functional collaboration. Fighting financial crime is a team sport involving data scientists, compliance, ops and legal.
Importantly, this shift also demands a cultural change. Investigators need support, not just to close cases but to ask uncomfortable questions. They must be incentivized to find risk in all its forms.
AMLA’s creation is a sign of what’s ahead for the fight against financial crime. The EU is moving toward unified supervision and real accountability; superficial compliance won’t cut it anymore. For banks, this means developing robust compliance programs that adapt to constantly evolving criminal tactics. It means updating KYC continuously, not just at onboarding. And it means understanding that the “clean” client you onboarded in 2022 might not still be clean in 2025.


Gabriella Bussien is CEO at financial crime prevention organization Trapets. She previously served in roles at Refinitiv and Thomson Reuters. 







