Anti–money laundering supervision is shifting from periodic, document-driven reviews to continuous, data-based oversight. The underlying driver is straightforward: illicit finance has become more digital, more cross-border, and more automated – making traditional supervisory approaches too slow to keep up.
Across Europe, the next wave of AML expectations is being built around standardised data, consistent definitions, and automated reporting. The emergence of the EU Anti-Money Laundering Authority (AMLA) accelerates this shift by aiming to harmonise supervisory methods and introduce binding data standards, including a centralised EU data approach for obliged entities.
The strategic implication
For many organisations, the biggest AML gap is no longer policy content – it’s technical availability, data quality, and the ability to produce structured information at scale. That changes the operating model: AML becomes as much a data and technology transformation as a compliance discipline.
What’s changing: from “prove you did the work” to “show the data”
A useful analogy is prudential supervision. In that world, data point models with thousands of fields have become routine, and supervisory requests increasingly assume that institutions can produce granular, consistent, reconciled datasets on demand. A similar pattern is now emerging for AML: supervisors are signalling that structured reporting and data-based monitoring will become the norm.
This doesn’t only affect the largest institutions. While an initial cohort of around 40 higher-risk institutions is expected to be directly supervised by AMLA from 2028, the broader financial sector will feel the effect through new expectations on data management, reporting readiness, and supervisory interactions.
In practice, it means supervisors can ask more detailed questions, more frequently – and organisations will be expected to answer with traceable datasets, not manually curated extracts.
AMLA’s direction of travel: harmonised supervision with binding data standards
AMLA is designed to strengthen AML/CFT monitoring across both financial and non-financial sectors. A core element of that agenda is a move toward consistent, structured data flows supported by standardised interfaces and supervisory-grade definitions.
The direction is clear:
- Centralised data architecture expectations: structured data provided through standardised interfaces into EU-level mechanisms.
- Convergence of supervisory methods: more harmonised approaches with joint analysis involving national supervisors.
- Rising bar for data quality: completeness, consistency, lineage, and auditability become first-order concerns – not “nice to have.”
This trajectory is reinforced by the fact that some countries already operate more data-intensive AML supervision models, creating a blueprint for what “good” can look like at scale.
Where organisations are most likely to struggle: four data domains that matter
In data-based AML supervision, the biggest gaps tend to cluster into four areas. These are not new topics – but the granularity, standardisation, and automation expected are moving sharply upward.
1) Risk data and risk profiles
Many firms can describe risk scoring conceptually, but the underlying attributes often sit in multiple places with inconsistent definitions and varying levels of granularity. The challenge is creating a single, standardised risk dataset that can be flexibly analysed by customer, product, jurisdiction, and channel – without reworking the logic for each new request.
2) Transaction data, especially cross-border and crypto-related activity
Supervisory expectations are expanding toward more detailed classification of complex payment flows, including automated flows and crypto-linked activity. Legacy monitoring stacks and data “budgets” are often not built for this level of detail and explainability.
3) Governance and ownership information (including UBOs)
Identifying ultimate beneficial owners remains an operational bottleneck, particularly where entity data is fragmented across systems and not designed for automated aggregation. When ownership data can’t be reconciled quickly and consistently, risk models and investigations suffer – and supervisory questions become harder to answer.
4) Record retention, histories, and deletion concepts
Retention obligations are becoming more explicit, including expectations for keeping certain AML-related records for defined periods after relationships end. Many institutions still struggle with consistent archiving standards and searchable formats – especially after mergers, migrations, and system changes.
The real root causes: why “manual heroics” won’t scale
When supervisors test data readiness, the pain points are usually predictable:
- Data scattered across too many locations (core banking, KYC tooling, payment platforms, spreadsheets), with no unified structure.
- No shared data definitions for core AML attributes, creating inconsistencies across business units.
- Weak metadata and ownership – unclear accountability for quality, timeliness, and lineage.
- Manual processes everywhere – updates, reconciliations, and supervisory responses that depend on individuals rather than systems.
- Insufficient interfaces to transmit data in an automated, auditable way that can stand up to scrutiny.
These issues are manageable in stable environments. They become acute when obligations shift toward hundreds of structured fields and ongoing submissions – because each new request multiplies the workload, raises operational risk, and increases the chance of inconsistency.
What leading organisations do now: treat AML as a data program, not a documentation program
The most effective response is not to rewrite AML policies. It is to build an AML data backbone that makes compliance repeatable.
A practical approach starts with a gap assessment focused on data readiness: which required fields exist, where they live, how consistent they are, and how easily they can be produced in a structured format. From there, organisations typically move to a target data architecture that centralises and harmonises sources such as KYC, transaction data, and sanctions screening inputs, and then builds reporting and interface layers on top.
Many organisations also find they can reuse patterns from existing data governance initiatives – especially those built for risk data aggregation and regulatory reporting – rather than reinventing the wheel.
A 90-day action plan to get ahead of data-based supervision
1) Define the supervisory “data perimeter”
List the AML-critical datasets and fields your organisation would need to produce under a structured, standardised model. Don’t start with what you have – start with what you’d be asked for.
2) Build an engineering-grade data map
Identify each field’s source system, transformations, owners, and quality rules. This quickly exposes duplication, gaps, and brittle manual steps.
3) Establish data ownership and minimum quality controls
Assign accountable owners for key AML datasets (not just processes). Implement basic controls: completeness thresholds, reconciliation checks, and lineage documentation.
4) Create a scalable reporting and interface design
Move away from one-off extracts. Design reusable pipelines that can produce structured outputs and support audit-proof transmission.
5) Stand up dashboards that serve both AML and the business
Build monitoring that supports investigations, management reporting, and supervisory response readiness – so the same data backbone improves both compliance and operational efficiency.
The upside: compliance that also creates efficiency
Data-based supervision raises the bar. But it also creates an opportunity: organisations that invest early can reduce manual effort, improve investigative effectiveness, and respond faster to supervisory engagement – while lowering the risk of inconsistencies that trigger escalation.
In the next phase of AML oversight, “being compliant” will increasingly mean being able to prove it through data – quickly, consistently, and at scale.
