AMLA – the EU’s New AML Authority: What Changes for Businesses in Poland

On 26 June 2024, a new central European Union authority came into being — AMLA, the Anti-Money Laundering Authority. Established under Regulation 2024/1620, it is set to fundamentally reshape the supervisory landscape for anti-money laundering across Europe. For Polish businesses — from large banks to small accounting firms — this means adapting AML procedures to new, harmonised standards.

In this guide, we explain what AMLA is, how it will operate, and what will specifically change for obliged entities in Poland.

AMLA at a Glance – the Most Important Changes for Polish Businesses from 2024/2025

AMLA (Anti-Money Laundering Authority) is a new EU body established by Regulation (EU) 2024/1620 of 26 June 2024, headquartered in Frankfurt. The Authority is already building its organisational structure, and its real impact on businesses in Poland will be felt over the next 2–3 years as new technical standards come into force.

What matters most from a practitioner’s perspective?

• Tighter supervision of obliged entities – AMLA introduces direct supervision over approximately 40 high-risk financial groups in the EU, including large cross-border banks and selected crypto-asset service providers.
• Uniform AML/CFT standards across the Union – an end to differing interpretations of rules in individual member states. AMLA is developing Regulatory Technical Standards (RTS) that will apply to all entities.
• Greater emphasis on money laundering and terrorist financing risk assessment – institutions will need to demonstrate that their risk assessments are adequate, documented, and regularly updated.
• Digitalisation and the use of AI tools – AMLA promotes technologies for detecting transaction anomalies, biometrics, and automation of KYC processes.
• Enhanced cooperation with financial intelligence units – better information sharing between FIUs across countries, faster detection of suspicious cross-border transactions.

AMLA does not replace Polish authorities such as the General Inspector of Financial Information (GIIF) or the Polish Financial Supervision Authority (KNF). Instead, it will cooperate and coordinate with them — particularly in supervising high-risk entities and sharing data on suspicious transactions.

Businesses that already use modern RegTech solutions — such as KYC/AML platforms offering automated identity verification, sanctions screening, or biometrics — will be significantly better prepared for AMLA’s upcoming requirements.

What Is AMLA and Why Was It Created?

AMLA is the central EU authority for combating money laundering and terrorist financing, established as a cornerstone of the so-called “AML Package” — a reform package announced by the European Commission in May 2021. Its full name is the Anti-Money Laundering Authority, and Regulation (EU) 2024/1620 of 26 June 2024 forms its legal basis.

Historical Background – Why We Needed a Central Authority

AMLA’s creation is a direct response to a series of high-profile financial scandals that exposed fundamental weaknesses in the EU’s fragmented national supervisory model. In recent years, the following cases were particularly revealing:

• The Danske Bank scandal (2017–2018) – approximately €200 billion in suspicious funds flowed through the Danish bank’s Estonian branch. The case exposed a lack of effective communication between supervisors from different countries.
• The Swedbank affair – €152 billion in suspicious transactions linked to the same cross-border flow scheme.
• The ING Netherlands fine (2018) – a €775 million penalty for AML failures, demonstrating the scale of the problem even at large, ostensibly well-supervised institutions.

These cases proved that the existing model based on directives (AMLD1–6) with varying national implementations was not working. European Commission estimates suggest that money laundering in the EU amounts to 2–5% of GDP annually — roughly €200–400 billion.

AMLA’s Mandate – What the New Authority Is Responsible For

AMLA’s mandate focuses on three key areas:

• Identification and risk assessment in the internal market – AMLA will comprehensively analyse threats related to money laundering and terrorist financing across the entire Union.
• Direct supervision of high-risk entities – selected financial institutions (around 40 cross-border groups) will be subject to direct AMLA supervision.
• Coordination of financial intelligence units – AMLA supports cooperation between national FIUs, streamlining the exchange of information on suspicious transactions.

AMLA as Part of a Broader Reform Package

AMLA does not operate in isolation. It is part of a comprehensive reform of the AML/CFT system in the Union, which includes:

• A new AML Regulation – a single body of rules applied directly in all member states, without the need for transposition into national law.
• The AMLD6 Directive – governing the criminalisation of money laundering and enforcement. This AML directive will replace previous regulations (the Fourth, Fifth, and Sixth Directives).
• Amendments to regulations on transfers of funds and accompanying information.

For Poland, this means the 2018 AML Act will require adaptation to the new EU requirements. An amended consolidated version is already in force (i.e. Journal of Laws 2025.644 of 16 May 2025), but further changes are inevitable.

A note on the name: The abbreviation “AMLA” can be misleading — online it often appears in an entirely different context. Amla, also known as Indian gooseberry (Phyllanthus emblica), is a small green fruit from India and South-East Asia. It is credited with numerous health benefits in Ayurvedic medicine. In this article, however, we focus exclusively on AMLA as the EU authority for combating money laundering and terrorist financing.

AMLA’s Structure and Tasks – What Will Supervision Look Like in Practice?

AMLA is a decentralised EU agency headquartered in Frankfurt (selected on 22 February 2024, ahead of competing cities including Warsaw). It is expected to employ around 400 staff — supervisors, analysts, and IT specialists — resources comparable to the entire Polish GIIF.

AMLA’s Governance Structure

The Authority is headed by Chair Bruna Szego, appointed in January 2025. Her prior regulatory experience strengthens AMLA’s credibility in negotiations with national authorities.

The organisational structure comprises:

Body	Composition	Function
General Board (supervisory composition)	Heads of national AML supervisory authorities	Coordination of supervision over obliged entities
General Board (FIU composition)	Heads of national financial intelligence units	Coordination of financial intelligence
Executive Board	Chair + 5 independent members	Direction of day-to-day operations
Executive Director	One individual	Day-to-day management of the Authority

Direct vs. Indirect Supervision

AMLA introduces a two-tier supervisory system:

Direct AMLA supervision (from 1 January 2028):

• Approximately 40 high-risk cross-border groups/institutions
• Banks operating in at least 6 member states
• Large payment institutions and electronic money institutions
• Selected crypto-asset service providers (CASPs)

Indirect supervision (through national authorities):

• All other obliged entities
• Coordination through Joint Supervisory Teams (JSTs)
• AMLA staff leading national authority representatives during inspections

AMLA’s Key Tasks and Powers

AMLA carries out a broad range of tasks in the financial sector and beyond:

• Developing Regulatory Technical Standards (RTS) – consultations concluded on 6 June 2025, meaning final standards are already in the implementation phase.
• Issuing guidelines and recommendations – AMLA will publish detailed guidance on interpreting AML/CFT rules.
• Coordinating cross-border investigations – where a case spans multiple countries, AMLA organises Investigation Teams to conduct inquiries.
• Settling disputes between national supervisors – acting as arbitrator when authorities from different member states disagree.
• Supporting FIUs in data analysis – AMLA has advanced digital tools, including AI-based systems for detecting transaction patterns.

What AMLA Does NOT Do

It is important to understand the limits of AMLA’s remit:

• It does not contact consumers directly — it will never ask you for transfer details or passwords.
• It does not impose penalties on private individuals — it acts against supervised entities.
• It does not replace national authorities — it cooperates with the GIIF, KNF, and others.
• It does not conduct criminal proceedings — these remain within the remit of prosecutors.

Poland’s Ministry of Finance has confirmed that AMLA avoids direct contact with the general public. If you receive a message purportedly from AMLA asking for personal or financial information — it is a scam.

AMLA’s Impact on Polish Obliged Entities and the AML Act

The Act on Counteracting Money Laundering and Terrorist Financing (Journal of Laws 2018, item 723), known as the AML Act, has been in force since 31 October 2021 and is a key element in combating money laundering and terrorist financing. It currently operates in its consolidated version (Journal of Laws 2025.644, in force inter alia from 16 May 2025), but will inevitably need to be adapted to the new EU regulations overseen by AMLA.

Who Is an Obliged Entity in Poland?

The Polish AML Act lists approximately 20 categories of obliged entities. AMLA may be particularly interested in higher-risk entities:

Financial sector (highest risk):

• Domestic banks and branches of foreign banks
• Investment firms and investment funds
• Payment institutions and electronic money issuers
• Currency exchange bureaus
• Crypto-asset operators and digital asset exchanges

Non-financial sector:

• Accounting firms (including entities providing outsourced bookkeeping services)
• Tax advisers and persons engaged in maintaining tax records
• Real estate agents (including those involved in property sales)
• Notaries and legal counsel in certain circumstances
• Entities engaged in preparing tax returns

How the AML Act Imposes Obligations

The AML Act places a range of detailed obligations on obliged entities aimed at reducing the risk of money laundering and terrorist financing, including a duty to report suspicious transactions to the General Inspector of Financial Information (GIIF).

In Poland, under the AML Act, obliged entities must implement internal procedures covering, among other things, transaction monitoring, customer identity verification, and regular staff training.

What Will AMLA Change in Day-to-Day Compliance?

Expected changes for Polish businesses:

• Harmonised KYC protocols – customer identification procedures will need to meet AMLA standards, not just Polish requirements. This includes identifying the beneficial owner according to common EU criteria.
• Enhanced risk assessments – a requirement to use matrices covering the customer, product, distribution channel, and jurisdiction of origin of funds.
• Continuous transaction monitoring – a one-off verification at onboarding is no longer sufficient. Systems must detect anomalies in real time.
• STR reporting (suspicious transaction reports) – streamlined data exchange with FIUs under AMLA oversight means higher standards for report quality.
• More extensive documentation – mandatory audit trails for alert resolutions, with the ability to demonstrate “why an alert was closed”.
• Heavier administrative penalties – the AML Regulation provides for sanctions of up to 10% of global turnover for serious breaches.

Impact on the GIIF and KNF

AMLA will coordinate the activities of the General Inspector of Financial Information and the KNF, which will translate into:

• More uniform inspections across the EU
• Higher expectations regarding the quality of AML documentation
• Greater pressure on genuine money laundering and terrorist financing risk management
• Standardisation of STR report quality (the GIIF processed over 150,000 such reports in 2024)

AMLA’s New Requirements in Practice: KYC, Risk Assessment, and Suspicious Transactions

This section shows the practical consequences of AMLA’s operation for KYC/AML processes within firms — particularly where the risk of money laundering or terrorist financing is assessed as material.

The Risk-Based Approach

AMLA strongly emphasises a risk-based approach requiring individualised assessment:

Risk Level	Required Measures	Example Situations
Low	Simplified due diligence	Local customer, stable history, standard products
Standard	Full KYC verification	Most retail and corporate customers
High	Enhanced due diligence (EDD)	PEPs (politically exposed persons), FATF-listed jurisdictions, unusual transaction patterns

Customer identity verification (KYC) is a key element for obliged entities, involving establishing the identity of customers and their beneficial owners. Obliged entities must apply KYC procedures to assess the risk associated with the customer and their transactions, which is essential to preventing money laundering.

Monitoring of Business Relationships

AMLA expects more advanced monitoring of business relationships and ongoing transaction monitoring. Key elements include:

• Behavioural analysis – detecting anomalies such as sudden volume spikes or jurisdictional inconsistencies
• Automated rules engines – systems detecting deviations from established patterns
• AI scoring – machine learning models predicting the probability of ML/FT (money laundering/financing of terrorism)
• Rapid reporting – immediate notification of suspicion for a single transaction of ≥€10,000, with shorter analysis windows

Documentation and Audit Trails

Under applicable regulations, institutions must document all actions related to customer identity verification and risk analyses conducted. AMLA raises the bar in this area:

• Every decision to close an alert must be justified and documented
• Audit trails must show who, when, and why a given decision was made
• Documentation must be available to supervisory authorities for a minimum of 5 years
• Systems must enable rapid searching of the history of a given obliged entity

Procedural Elements AMLA Will Tighten or Harmonise

• Identity verification – standards for documents accepted in the KYC process, requirements for scan and photo quality
• Beneficial owner identification – deeper analysis of ownership structures, particularly in complex chains of entities
• PEP and sanctions screening – frequency of list updates, requirements for data sources (including information in public information bulletins)
• Transaction risk assessment – criteria for classifying a transaction as suspicious, thresholds for different customer categories
• Staff training – minimum requirements regarding content and frequency, competency certification

AMLA and Polish Accounting Firms and SMEs – Who Will Really Feel the Impact?

Although AMLA directly supervises mainly large financial institutions, it also indirectly affects smaller entities — including accounting firms, tax advisory practices, and other SMEs classified as obliged entities.

Expanding the List of Obliged Entities

In recent years, the list of obliged entities in Poland has been steadily extended. It currently includes, among others:

• Entities providing outsourced bookkeeping services
• Firms engaged in maintaining tax records
• Persons providing tax advisory services
• Intermediaries in real estate transactions
• Further entities added with each amendment

An estimated 50,000 accounting firms operate in Poland (PARP data). Further amendments to the AML Act — resulting from AMLA’s EU reforms — may continue to refine requirements for these entities.

Typical AML Obligations for Accounting Firms

Even a small accounting firm, if it provides outsourced bookkeeping services, must fulfil the following obligations:

• Customer identification and verification – establishing the identity of the customer and any trust trustee (if applicable) before entering into a business relationship or carrying out a legal transaction
• Customer risk assessment – determining the risk level based on the type of business, ownership structure, and transaction patterns
• Ongoing monitoring – observing customer transactions for unusual patterns (e.g. large cash flows inconsistent with the business profile)
• Reporting suspicious transactions – reporting to the GIIF where money laundering is suspected
• Documenting activities – maintaining a record of verifications and analyses conducted
• Regular staff training – ensuring personnel know the internal procedures and can recognise warning signs

Consequences of Non-Compliance

Failure to fulfil AML obligations may result in:

• A financial penalty of up to PLN 1,000,000 for individuals conducting business
• A penalty of up to 10% of turnover for legal entities
• Publication of information about the breach
• Reputational damage and loss of clients

What SMEs Cannot Afford to Ignore in the Context of AMLA

• Regulatory pressure will increase – harmonisation driven by AMLA will introduce uniform templates, such as standard risk matrices
• Digitalisation of processes is a necessity – moving from paper-based KYC forms to electronic processes is not a luxury but an efficiency requirement
• Manual processes are costly – manual AML procedures are estimated to account for 20–30% of administrative time at small firms
• Inspections will be more frequent – as the GIIF aligns with AMLA standards, an intensification of compliance checks is to be expected
• Client interactions will change – firms handling client funds or transactions must obtain more information from them
• Ignoring the issue is not a strategy – even a small accounting firm can face penalties for criminal activity facilitated by a lack of AML procedures

The Role of Technology and RegTech

AMLA places strong emphasis on the need to use digital solutions for combating money laundering and terrorist financing. The preambles to the AML Package indicate that around 40% of national systems have technological gaps — this must change.

Digital Transformation as a Regulatory Requirement

The Regulatory Technical Standards (RTS) being developed by AMLA mandate the use of:

• AI/ML for anomaly detection – algorithms identifying unusual transaction patterns faster than human analysts
• Blockchain analytics for crypto-assets – tracing flows on decentralised platforms
• Big data for FIU fusion centres – integrating data from multiple sources in real time

For Polish firms, this means modernising from manual controls (often conducted in spreadsheets) to RegTech platforms that reduce onboarding time from days to minutes and cut human error by 70–90% according to consulting firm benchmarks.

Elements of a Modern KYC/AML Platform

Document verification is a key element of the customer identification process, aimed at confirming identity and the authenticity of documents presented. Document verification technologies encompass both visual analysis and the use of artificial intelligence algorithms to automate the verification process.

Modern KYC/AML platforms address AMLA’s challenges through:

Feature	How It Addresses AMLA Requirements
Online document verification	Passport/ID OCR + NFC chip reading, 99% accuracy
Biometric facial verification	Liveness detection (anti-spoofing via 3D depth mapping) countering deepfakes
Remote onboarding	Video KYC process under 5 minutes, compliant with eIDAS 2.0
Proof of address	Geolocation + document verification (bills, statements)
PEP/sanctions/adverse media screening	Real-time API from databases such as World-Check
Continuous risk monitoring	Dynamic assessments updated daily

Document verification should also include checking the origin of documents and their compliance with applicable legal standards, which is important in the context of preventing fraud and criminal activity.

The Benefits of Automation

Deloitte and PwC research points to concrete benefits of implementing RegTech solutions:

• 80% cost savings compared to manual methods
• 95% faster onboarding of new customers
• 50% reduction in false positives in STR alerts thanks to AI
• Better scalability — the system handles growth in customer numbers without a proportional increase in headcount

Risks to Consider

Implementing AML technology requires taking into account:

• Data privacy (GDPR) – AMLA requires a Data Protection Impact Assessment (DPIA) to be carried out
• Potential AI bias – human oversight of algorithmic decisions is necessary
• Implementation costs – these may be a barrier for SMEs, but ROI typically materialises within 12–18 months
• Integration with existing systems – requires planning and testing

Who Should Consider Implementing RegTech Now?

Trends suggest that by 2027, 60% of EU SMEs plan to implement RegTech solutions. Polish fintechs in particular (over 200 payment firms) as well as larger accounting firms that adopt these solutions before 2028 will gain a competitive advantage.

AMLA consultations favour technologically advanced entities — lighter-touch supervision can be expected for firms that demonstrate a modern approach to financial security.

What Next? Key Steps for Businesses in Poland Before AMLA Is Fully Operational

The next 1–2 years will be an adjustment period. The years 2025–2027 represent the implementation phase — finalisation of the RTS took place in June 2025, the establishment of Joint Supervisory Teams is planned for 2026, and direct AMLA supervision begins on 1 January 2028.

Polish businesses should already be reviewing their internal procedures, money laundering and terrorist financing risk assessment policies, and suspicious transaction reporting systems.

Practical Steps to Take

1. Update your AML/CFT risk assessment

• Carry out a comprehensive enterprise-wide risk assessment (EWRAA)
• Incorporate AMLA scenarios and new risk categories
• Update customer/product/channel/jurisdiction matrices based on the articles on specific restrictive measures

2. Review and standardise documentation

• Standardise STR workflows
• Ensure documentation meets the requirements of the scope of both tax law and AML regulations
• Prepare the audit trails required by AMLA

3. Strengthen staff training

• Ensure regular training (mandatory annual sessions on AI tools from 2025 per RTS guidance)
• Train staff in identifying customers’ senior management figures and persons fulfilling equivalent functions
• Incorporate new risk categories into training materials

4. Conduct a technology gap analysis

• Audit current AML systems
• Prepare an RFP for RegTech solutions (target: 90% automation)
• Assess systems’ capability to operate in an AMLA-supervised environment

5. Resilience testing

• Conduct simulated audits to AMLA standards
• Test risk scenarios beyond FATF’s 40 Recommendations
• Verify the system’s ability to identify unusual patterns arising through legal transactions

6. Monitor regulatory communications

• Follow GIIF bulletins (benchmark: 150,000+ STRs per year)
• Track KNF circulars and Ministry of Finance updates
• Subscribe to notifications from AMLA’s website (amla.europa.eu)

Why It Pays to Prepare “Above the Minimum”

Expert opinions from leading law firms (WKB, DZP) and advisory firms (PwC) indicate that proactive compliance delivers a 20–30% improvement in operational efficiency. Firms that prepare early position themselves as EU leaders in the face of tightening supervision.

Going beyond the statutory minimum — for example, testing AI scenarios that exceed standard requirements — reduces the risk of:

• Financial penalties – averaging €5–20 million for large entities in serious breach cases
• Reputational damage – the Danske Bank example shows that AML-related reserves can exceed €4 billion
• Operational difficulties – unprepared firms may struggle to service cross-border clients

Summary

AMLA is not an overnight revolution, but an evolution of the AML/CFT system towards greater harmonisation, digitalisation, and effectiveness. For Polish businesses — from international banks to local accounting firms — it means raising AML procedure standards to the level of EU-wide rules.

Key dates to remember:

• Mid-2025 – AMLA begins operational activity
• 2026 – establishment of Joint Supervisory Teams
• 1 January 2028 – start of direct supervision over high-risk entities

Don’t wait until the last moment. Review your AML procedures, assess your technology gaps, and consider implementing RegTech solutions. Firms that prepare proactively will not only avoid penalties — they will gain a competitive edge in an increasingly regulated EU internal market environment.