The EU Anti-Money Laundering Authority (AMLA) is set to begin directly supervising up to 40 financial institutions with the highest residual ML/TF risk from 2028. To prepare for this shift, the European Banking Authority (EBA) has released its technical package for the DPM 4.3.1 reporting framework. It provides a harmonized path for the first AMLA risk-assessment data collection in 2027, setting the stage for a new era under the EU single rulebook AML package.

For financial institutions, this is a critical readiness exercise. While the package, with a reference date of 31 December 2026, is for preparation only and not for production filing, it provides a clear blueprint of the data and structures that will soon be required.

What is AMLA risk-assessment data collection, and why now?

Until now, large, cross-border institutions navigated a complex web of fragmented national requirements for AML/CFT risk reporting, making it difficult to create a consistent, EU-wide view of systemic risk.

With AMLA stepping in to provide direct supervision, a common standard is essential. The new data collection exercise is the mechanism to gather this standardized data. The collaboration between the EBA and AMLA on the technical package, codified in the EBA AMLA Service Level Agreement, ensures that both supervisors and institutions work from the same playbook. It harmonizes the AMLA direct supervision selection methodology, templates, and data definitions via the EBA taxonomy 4.3 AMLA to conduct a calibrated EU-wide risk assessment, enabling a fair and consistent selection of institutions for direct supervision.

For financial institutions, this is a critical readiness exercise. While the package, with a reference date of 31 December 2026, is for preparation only and not for production filing, it provides a clear blueprint of the data and structures that will soon be required.

AMLA risk-assessment reporting and EBA DPM 4.3.1 framework

Who is in scope for AMLA supervision?

An institution is considered part of the initial eligibility pool for AMLA direct supervision if it is a credit or financial institution (or group) that is:

  • Active in at least six EU Member States, including its home country.
  • This presence can be through physical establishments or by providing services on a material cross-border basis (the "freedom-to-provide-services" or FPS).
  • Material FPS is defined per host country as having over 20,000 resident customers or more than €50 million in annual incoming and outgoing transactions in the relevant host Member State.

From this pool, AMLA will ultimately select up to 40 high-risk financial institutions with the highest residual ML/TF risk for direct supervision beginning in 2028. Crucially, the operational trigger is a direct notification from a National Competent Authority (NCA) confirming that an institution is required to report for a specific collection exercise. By 2030, the "one-per-country" AMLA rule will also ensure that at least one institution from every EU state falls under this direct oversight.

Who is impacted by the framework?

Beyond the institutions that meet the technical scope, this preparatory regime impacts the broader financial ecosystem. The key groups who need to pay close attention are:

  • Large, cross-border banking and payment groups that are potentially in the eligibility pool and need to assess their readiness.
  • Compliance and regulatory reporting functions within these institutions, as they are responsible for bridging the gap between operational AML systems and the new regulatory data hubs.
  • National Competent Authorities (NCAs) who are tasked with coordinating the notification process and national sampling for calibration exercises.
  • Any financial entity explicitly included by an NCA for a given risk-assessment collection, even if it falls below the six-country threshold.

The required data spanning KYC platforms, transaction monitoring systems, and compliance dashboards often resides in disconnected silos. Integrating these sources into a coherent AMLA data reporting package is a major data architecture challenge.

AMLA risk-assessment reporting and EBA DPM 4.3.1 framework

Understanding the changes and challenges

The EBA DPM 4.3.1 package introduces 31 reporting worksheets covering customer types, products, services, geographies, internal controls, and governance. However, not all worksheets apply to every institution: product and service flags determine which reporting blocks must be completed.

While comprehensive, it presents several challenges for institutions:

  • Fragmented data sources

    The required data spanning KYC platforms, transaction monitoring systems, and compliance dashboards often resides in disconnected silos. Integrating these sources into a coherent AMLA data reporting package is a major data architecture challenge.

  • Conditional reporting logic

    The applicability of many templates is driven by product and service flags. Incorrectly setting these flags can lead to significant over- or under-reporting, requiring close collaboration between business and IT teams.

  • Complex template structures

    The framework includes "open-row" templates for reporting on geographies and distribution channels, which require a more dynamic reporting capability than traditional fixed-row formats.

  • A two-speed process

    Institutions must build their reporting solution based on the current EBA reporting framework v4.3.1 for preparation, while knowing it will be superseded by DPM 4.4 for the official submission. A flexible architecture is key to managing this transition smoothly.

Key dates and milestones

Navigating the transition to AMLA supervision and data collection requires a clear understanding of the timeline.

  • Now

    Begin mapping internal data to the DPM 4.3.1 framework. This is a critical period for gap analysis and data remediation.

  • 31 December 2026

    This is the first AMLA reporting reference date for the preparatory data package. Institutions potentially in scope should be able to map and test the relevant data by this date.

  • Throughout 2027

    This is the first AMLA reporting reference date for the preparatory data package. Institutions potentially in scope should be able to map and test the relevant data by this date.

  • From 2028

    AMLA begins direct supervision of the selected high-risk institutions.

Regnology solutions for AMLA risk-assessment readiness

The shift to EU-level AMLA risk assessment rewards institutions that industrialize AML data before selection pressure intensifies. Regnology Reporting Hub (RRH)  reduces manual reconciliation across 31 worksheets, conditional product blocks, and open-row geographies. With RRH, your team can:

  • Master the new framework with out-of-the-box support for the EBA AMLA risk-assessment templates under DPM 4.3.1.
  • Enable flexible data capture, validation of fixed and row-dynamic templates, and compliant XBRL submission.
  • Build with confidence on a platform that separates preparation (4.3.1) from submission (4.4), ensuring a smooth transition without costly rebuilds.
  • Stay ahead of regulatory changes with integrated intelligence that tracks all DPM and validation rule updates from the EBA and AMLA.

Use our preparation checklist to guide your institution’s readiness efforts for the December 2026 reference date.

AMLA Reporting Checklist

  • Confirm your obligation: Verify your institution's participation status for the data collection exercise with your National Competent Authority (NCA).
  • Assign data ownership: Designate clear business ownership for the accuracy of product and service flags, as these drive the scope of your report.
  • Map your data sources: Systematically map all required data points from your disparate AML, KYC, and transaction systems to the new EBA templates.
  • Handle dynamic templates: Ensure your reporting solution can manage the "open-row" templates required for geographic and distribution channel data.
  • Validate in a Sandbox: Test and validate your reporting outputs against the EBA 4.3.1 XBRL taxonomies in a non-production environment to ensure accuracy before the DPM 4.4 framework is released.

Related resources

  • IReF timeline is here: From roadmap to implementation reality

    Insight

    IReF timeline is here: From roadmap to implementation reality

    The ECB’s IReF timeline is officially here, moving the industry from roadmap to implementation reality.

    Read more
  • The next era of Regulatory Risk and Reporting powered by Agentic AI

    Insight

    The next era of Regulatory Risk and Reporting powered by Agentic AI

    The future of regulatory risk and reporting isn’t just automation: it’s intelligent orchestration. In our new whitepaper with Chartis, we detail how financial institutions can build a true strategic capability.

    Read more
  • EU Supervisory Reporting: Why the EBA’s simplification agenda is really a data architecture story

    Insight

    EU Supervisory Reporting: Why the EBA’s simplification agenda is really a data architecture story

    The EBA’s simplification package is not a reduction exercise; it is a structural shift. Our new discussion paper analyzes the move from fragmented reports to an integrated data architecture.

    Read more

Contact us