06-05-2026

The Decentralized AML Paradox, Part 2: AMLA, the Single Rulebook, and Smart Compliance

A research-driven analysis of AMLA, the EU Single Rulebook, behavioral analytics, agentic AI, eIDAS onboarding, and smart compliance for payment firms.

Introduction: From Fragmentation to Centralization

The first part of this series examined the failure of Europe's decentralized AML model. Directives, national transposition, divergent supervisory expectations, and subjective institutional risk appetites created a compliance environment that was expensive, inconsistent, and often hostile to legitimate payment activity.

The European Union's answer is centralization. The 2024 AML Package moves the bloc away from a fragmented directive-led framework and toward a directly applicable Single Rulebook under the Anti-Money Laundering Regulation, supported by a new Anti-Money Laundering Authority headquartered in Frankfurt.

This second post examines the promise and risk of that shift. AMLA may reduce jurisdictional arbitrage and standardize supervisory expectations, but it will also introduce a dense new wave of technical standards, timelines, governance obligations, and operational pressure. Centralization will not automatically solve false positives, talent shortages, over-compliance, or onboarding friction. Those problems require a different operating model: evidence-based, technology-enabled, and embedded into product architecture from the start.

The crucial question is whether Europe can move from fragmented discretion to consistent proportionality. A Single Rulebook can make obligations clearer, but clarity alone does not make compliance operationally sustainable. If payment firms respond to harmonization by applying rigid rules across all customers, all corridors, and all products, the result may be a more uniform version of the same over-compliance problem.

The AMLA era therefore has two dimensions. The first is institutional: who writes the standards, who supervises the highest-risk entities, and how national authorities converge. The second is operational: whether firms can actually implement those standards in high-volume digital payment environments without drowning in alerts, documentation requests, manual reviews, and defensive de-risking.

This second dimension will determine whether the reform succeeds in practice.

AMLA can reduce jurisdictional arbitrage, but it cannot by itself solve false positives, talent scarcity, weak data, sponsor-bank conservatism, or manual case backlogs.

AMLA and the Single Rulebook

The EU adopted its AML Package in 2024 to end the structural weaknesses of the old regime. The package creates a directly applicable Anti-Money Laundering Regulation, a revised Sixth Anti-Money Laundering Directive, and the Anti-Money Laundering Authority.

AMLA was legally established in June 2024. Its purpose is to become the EU's first central AML/CFT supervisor, coordinate Financial Intelligence Units, develop technical standards, and directly supervise selected high-risk cross-border financial entities.

| Milestone | Event | Structural impact |
|---|---|---|
| June 2024 | AMLA legally established and EU AML package adopted | Foundation for centralized EU AML/CFT oversight |
| Summer 2025 | AMLA begins initial operations in Frankfurt | Operational setup and governance build-out |
| January 2026 | AML/CFT mandates transfer from the EBA to AMLA | AMLA assumes primary regulatory preparation and coordination role |
| July 2027 | AMLR and AMLD6 become legally effective | Single Rulebook replaces fragmented national transposition for core rules |
| January 2028 | AMLA begins direct supervision of designated high-risk entities | Major cross-border groups move under centralized EU supervision |

AMLA timeline

From Fragmented Directives to Centralized Supervision

  1. June 2024: AMLA established. EU AML package adopted and centralized supervisory architecture created.
  2. Summer 2025: Frankfurt operations. Initial operational build-out begins.
  3. January 2026: Mandate transfer. AML/CFT mandates transfer from the EBA to AMLA.
  4. July 2027: AMLR effective. Single Rulebook applies directly across the EU.
  5. January 2028: Direct supervision. AMLA begins supervising selected high-risk cross-border entities.

The AMLR introduces several significant changes. It lowers the standard beneficial ownership threshold from "25% plus one" to "25% or more" and allows the threshold to fall to 15% for certain high-risk entities. It brings crypto-asset service providers fully into scope, bans anonymous accounts, extends travel rule obligations, and strengthens governance expectations.

  • 25% (standard UBO threshold): The AMLR moves the standard beneficial ownership trigger to 25% or more, replacing the older "25% plus one" formulation.
  • 15% (possible high-risk threshold): The Commission can lower the UBO threshold to 15% for categories of entities identified as higher risk.
  • 2028 (direct AMLA supervision): AMLA is scheduled to begin direct supervision of selected high-risk cross-border entities in January 2028.

One important governance change is the requirement for a dedicated compliance manager in addition to the traditional compliance officer function. This pushes AML accountability closer to senior management and the board, making financial crime controls a core governance issue rather than a back-office function.

The direct supervision model is especially important. AMLA is expected to directly supervise a limited set of high-risk cross-border financial groups, while indirectly supervising the broader market through coordination with national authorities. This hybrid structure is designed to prevent the weakest supervisory link from defining the effective standard for the entire Single Market.

For payment companies, the implications are significant even if they are not directly supervised by AMLA. Technical standards, supervisory methodologies, and expectations developed for the largest or riskiest entities will influence national regulators, sponsor banks, auditors, and market practice. In other words, AMLA's impact will radiate beyond the entities formally inside its direct supervisory perimeter.

The Single Rulebook also narrows the interpretive space that previously existed under directives. A directly applicable regulation reduces the need for national transposition and should make core obligations more consistent. That consistency is valuable. It can reduce duplicative legal analysis, make cross-border product design easier, and limit the ability of firms to exploit weaker national regimes.

But harmonization also removes some local flexibility. A small payment institution with a narrow domestic customer base may face obligations shaped by concerns about much larger, more complex, cross-border groups. This is why proportionality will remain central. AMLA must reduce divergence without forcing every firm into a control model designed for the most systemic institutions.

The Transition Problem

Centralization solves one problem while creating another. The old model produced divergent interpretation. The new model risks centralized rigidity.

Industry analysts describe the AMLA transition as a regulatory wave with dozens of deadlines, technical standards, guidelines, and implementation milestones between 2025 and 2029. In March 2025, the EBA published draft Regulatory Technical Standards covering risk assessments, sanctions, and customer due diligence under the AMLR and AMLAR.

Industry feedback was critical. Banks, insurers, and payment firms warned that some draft thresholds were too rigid, too prescriptive, and insufficiently risk-based. Smaller and lower-risk payment firms argued that uniform requirements could impose disproportionate operational burdens. Others warned that strict identity verification requirements could worsen financial exclusion by making digital onboarding harder for vulnerable or underserved users.

That criticism reveals the unresolved paradox. Europe is trying to cure fragmentation by imposing harmonization. But if harmonization becomes excessively mechanical, it may reproduce the same over-compliance problem at EU scale.

The transition period is difficult because firms must manage old and new frameworks simultaneously. Existing national rules, current supervisory expectations, sponsor-bank requirements, and legacy policies do not vanish the moment AMLA begins operating. Firms must continue to run today's program while preparing for tomorrow's standards.

That creates a planning burden across legal, compliance, product, engineering, operations, data, and governance teams. Customer due diligence procedures must be remapped. Beneficial ownership thresholds must be reviewed. Crypto exposure must be reassessed. Outsourcing arrangements may need new controls. Transaction monitoring scenarios must be tested against new typologies. Risk assessments must become more data-driven and more defensible.

The most exposed firms are those whose compliance architecture is heavily manual. A firm that still relies on spreadsheets, email approvals, static customer risk labels, loosely documented exception handling, and manual registry checks will struggle to absorb the new regime. The issue is not merely regulatory workload. It is evidence. AMLA-era supervision will require firms to prove how decisions were made, which data was used, who approved exceptions, how alerts were resolved, and why risk appetite choices were defensible.

Industry pushback should therefore not be read as resistance to AML itself. Much of it reflects concern that rigid standards may create disproportionate burdens without improving detection. A rule can be clear and still be inefficient. A threshold can be harmonized and still generate poor risk discrimination. A documentation requirement can be strict and still exclude legitimate customers.

Why Centralization Is Not Enough

AMLA can reduce regulatory arbitrage. It can clarify expectations, improve supervisory convergence, and prevent weaker national regimes from becoming gateways into the Single Market.

But AMLA cannot, by itself, solve the operational mechanics of compliance. Payment companies still face rising transaction volumes, legacy monitoring systems, false positive overload, talent shortages, and sponsor-bank conservatism. If firms respond to the Single Rulebook with manual processes and more analyst headcount, they will fail. The analysts are too expensive, too scarce, and too overwhelmed by low-quality alerts.

The industry therefore needs a shift from manual defensive compliance to smart compliance: a model that uses better data, behavioral analytics, automation, explainable AI, and strong governance to reduce subjectivity without eliminating human judgment.

This distinction is critical. Centralization changes the supervisory architecture. Smart compliance changes the operating architecture. The first is a legal and institutional reform. The second is a redesign of how firms collect data, score risk, monitor behavior, investigate alerts, document decisions, and refresh customer profiles.

Without the second, the first may increase pressure on already strained teams. A Single Rulebook can specify what must be done, but it cannot magically create experienced analysts, clean customer data, integrated systems, or effective alert prioritization. Firms that try to comply by adding more people to broken workflows will face rising cost, inconsistent decisions, and slow customer experiences.

The more sustainable model is to make compliance evidence-based. That means risk decisions should be connected to observable data, documented logic, tested models, and measurable outcomes. Compliance leadership should be able to answer practical questions: which rules generate the most false positives, which customer segments create the highest conversion friction, which typologies are under-covered, which alerts age beyond policy, which analysts are overloaded, and which sponsor-bank requirements drive the most manual work.

That kind of management information is essential because AMLA-era supervision will likely focus not only on whether a policy exists, but whether the policy works.

Eradicating False Positives With Behavioral Analytics

Traditional transaction monitoring relies on static rules: thresholds, keywords, name similarity, country flags, and hard-coded typologies. These rules are easy to explain but poor at context. They generate large volumes of false positives and miss more complex behavior.

AI and machine learning systems offer a different approach. Instead of asking whether a transaction crosses a fixed threshold, behavioral analytics asks whether the activity is unusual for that customer, segment, product, corridor, or peer group.

For example, a transfer above EUR 10,000 may be normal for a marketplace seller but unusual for a recently onboarded retail customer. A series of smaller transfers may be benign for a payroll platform but suspicious for a dormant personal account. Behavioral models can detect statistical deviation rather than relying only on rigid triggers.
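The contrast described above, as an added example that is not part of the original article: a fixed EUR 10,000 rule and a peer-group deviation score run over the same four constructed customers. The segment baselines, customer ids, the 3.5 cut-off and the median/MAD scoring are assumptions chosen for illustration.

```python
from statistics import median

STATIC_THRESHOLD_EUR = 10_000  # fixed trigger from the paragraph above
Z_CUTOFF = 3.5                 # assumed cut-off for "unusual"; set by validation in practice

# Constructed peer-group baselines (not real data): typical single-transfer
# amounts in EUR and transfers per day observed for each segment.
PEER_BASELINE = {
    "marketplace_seller": {
        "amounts": [9500, 12000, 14500, 11000, 13000, 10500, 15000, 12500],
        "daily_counts": [3, 4, 2, 5, 3, 4, 3, 4],
    },
    "retail": {
        "amounts": [40, 120, 85, 300, 60, 150, 95, 200],
        "daily_counts": [1, 2, 1, 3, 1, 2, 2, 1],
    },
    "payroll_platform": {
        "amounts": [1800, 2100, 1950, 2400, 2200, 2000, 1900, 2300],
        "daily_counts": [40, 55, 48, 60, 52, 45, 50, 58],
    },
    "dormant_personal": {
        "amounts": [30, 45, 20, 60, 25, 50, 35, 40],
        "daily_counts": [0, 0, 1, 0, 0, 0, 1, 0],
    },
}

# Constructed one-day activity: largest single transfer and number of transfers.
EVENTS = [
    {"customer": "seller_17", "segment": "marketplace_seller", "amount": 12_000, "count": 4},
    {"customer": "retail_new_03", "segment": "retail", "amount": 12_000, "count": 1},
    {"customer": "payroll_08", "segment": "payroll_platform", "amount": 2_000, "count": 50},
    {"customer": "dormant_22", "segment": "dormant_personal", "amount": 1_900, "count": 6},
]


def robust_z(value, sample, floor=1.0):
    """One-sided robust z-score: distance of `value` above the peer median in
    units of scaled MAD. `floor` prevents division by zero when the peer group
    barely varies (dormant accounts have a median of 0 transfers per day)."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample)
    return (value - med) / max(1.4826 * mad, floor)


def static_alerts(events):
    """Legacy rule: alert on any single transfer above the fixed threshold."""
    return sorted(e["customer"] for e in events if e["amount"] > STATIC_THRESHOLD_EUR)


def behavioral_alerts(events):
    """Alert when amount or daily count is far above the customer's peer group.
    Returns {customer: [features that triggered]} so the analyst sees why."""
    alerts = {}
    for e in events:
        base = PEER_BASELINE[e["segment"]]
        scores = {
            "amount": robust_z(e["amount"], base["amounts"]),
            "count": robust_z(e["count"], base["daily_counts"]),
        }
        reasons = sorted(name for name, z in scores.items() if z > Z_CUTOFF)
        if reasons:
            alerts[e["customer"]] = reasons
    return alerts


if __name__ == "__main__":
    print("static rule:", static_alerts(EVENTS))
    print("behavioral :", behavioral_alerts(EVENTS))
```

On this data the fixed rule alerts on the marketplace seller's routine transfer and stays silent on the dormant account's burst of small transfers; the peer-group score does the opposite on both, and both methods flag the new retail customer.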

| AI strategy | Operational mechanism | Compliance benefit |
|---|---|---|
| Dynamic behavioral analytics | Models customer behavior against peer groups rather than static thresholds | Detects complex laundering patterns while allowing legitimate high-volume activity |
| Feedback loops | Models learn from previous alert outcomes | Reduces false positives and improves analyst productivity |
| Agentic AI | Systems gather context, assemble case files, and recommend next steps | Cuts manual investigation time |
| Human-in-the-loop review | Human officers retain decision authority over complex cases | Preserves accountability and judgment |

Advanced systems use model validation, feedback loops, and performance measures such as ROC curves to balance sensitivity and specificity. Some implementations report false positive reductions of up to 45%, with major cost savings from reduced manual review.

Evidence-backed operating outcomes

Rules-Based AML vs Smart Compliance

A comparison of sourced operating metrics across alert quality, review handling time, efficiency gain, and AI adoption.

| Outcome | Legacy | Smart | Source | Reading |
|---|---|---|---|---|
| Transaction-monitoring false positives | >90% | <50% | McKinsey reports that most banks see more than 90% false positives in transaction-monitoring alerts, while advanced analytics can bring false positives below 50%. | Lower is better: fewer false positives means less analyst time spent clearing benign alerts. |
| Medium-risk KYC review handling time | 27h | 16.47h | A Fenergo case study reported a reduction from 27 hours to 16.47 hours per medium-risk case after automation. | Lower is better: faster review handling reduces backlog pressure and customer friction. |
| KYC review operating efficiency gain | 0% | 40% | The same Fenergo case study reported 40% operating efficiency gains and 37% faster KYC handling. | Higher is better: automation should free analyst capacity without weakening governance. |
| AI use or trials in risk and compliance | 30% | 53% | Moody's 2025 survey data reported by Moody's and GARP shows AI use or trials rising from 30% in 2023 to 53% in 2025. | Higher adoption does not prove effectiveness, but it shows the operating model is moving toward AI-assisted compliance. |

Sources: McKinsey, The new frontier in anti-money laundering; Fenergo automated KYC review case study; Moody's 2025 AI in risk and compliance survey and GARP summary.

The goal is not to replace compliance officers. The goal is to stop wasting their time. Humans should decide hard cases, assess emerging typologies, liaise with regulators, and govern risk appetite. They should not spend most of their time gathering public registry data or clearing obviously benign alerts.

Behavioral analytics also helps reduce the subjectivity described in Part 1. A compliance officer still needs to define risk appetite, but the decision is supported by observed behavior rather than intuition alone. If a customer segment consistently shows low-risk patterns, low alert conversion, and stable counterparties, controls can be calibrated accordingly. If a corridor shows rapid changes in activity, unusual counterparties, or typologies associated with layering, monitoring can intensify.

This does not mean every firm needs the most complex AI system on the market. Poorly governed models can create their own risks: opacity, bias, unstable outputs, weak validation, or regulatory skepticism. The point is that static rules alone are no longer enough for high-volume payments. Firms need monitoring that can distinguish between unusual and suspicious, between high volume and high risk, and between a name similarity and a meaningful match.

A mature behavioral program requires several components. Data must be accurate and accessible. Customer segmentation must be meaningful. Typologies must be mapped to products and payment rails. Models must be tested before deployment. Outputs must be explainable enough for analysts, auditors, and regulators. Feedback from investigations must improve future performance. Governance must define when automated recommendations can close a low-risk case and when human review is mandatory.

The best use of AI in AML is therefore not theatrical. It is operational. It reduces mechanical noise, improves prioritization, and gives human experts better case files.

Agentic AI and Human-in-the-Loop Compliance

Agentic AI is especially relevant to AML because investigations are often repetitive, evidence-heavy, and context-dependent. An agentic system can gather corporate registry information, review historical transaction patterns, cross-reference sanctions and adverse media data, identify ownership links, and produce an explainable case narrative.

That changes the role of the compliance officer. Instead of acting as a manual data collector, the officer becomes a reviewer and decision-maker. This matters because the talent shortage is structural. Payment firms cannot hire their way out of alert overload. They need to redesign the operating model so scarce human expertise is used only where it adds real judgment.

Human-in-the-loop architecture is essential. AML decisions must remain auditable, explainable, and accountable. Automated systems can triage, enrich, and recommend, but final decisions on suspicious activity reporting, customer exits, and risk appetite should remain governed by human-approved policies and documented review.

Agentic AI is particularly useful in the parts of AML work that are repetitive but evidence-intensive. For example, an analyst investigating a possible sanctions hit may need to compare names, dates of birth, nationalities, addresses, aliases, corporate affiliations, ownership records, and transaction context. Much of that work is data assembly. An AI agent can prepare the evidence bundle, highlight conflicts, summarize adverse media, and present a recommended disposition with supporting rationale.

For KYB, the same logic applies. A business customer may require registry extraction, UBO mapping, director screening, adverse media review, sanctions checks, website review, merchant category assessment, and risk scoring. These tasks often happen across several tools. Agentic workflows can reduce the manual switching cost and create a more complete audit trail.

However, agentic AI must be bounded by policy. It should not silently change risk appetite, suppress alerts, or make irreversible customer-exit decisions without controlled approval. The strongest architecture is not "AI instead of compliance." It is AI operating inside a compliance policy framework, with clear permissions, logging, validation, and escalation.

This is also how firms can address regulator concerns. The question is not whether AI was used. The question is whether the firm can explain how it was used, how it was tested, what decisions it supported, what humans approved, and how errors were identified and corrected.

Human-in-the-loop design pattern: AI gathers evidence, summarizes context, and proposes a disposition. A human-approved policy defines when the recommendation can close a low-risk case, when escalation is required, and what evidence must be retained.
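One way to express this pattern in code (an added example, not taken from the article or from any vendor product): a policy gate that decides whether an AI recommendation may close a case or must go to a human, plus an append-only, hash-chained log of each decision. The policy fields, disposition names, evidence labels, the 0.20 risk limit and the hash-chaining itself are hypothetical choices made for this illustration.

```python
import hashlib
import json

# Hypothetical human-approved policy; every name and value is an assumption.
POLICY = {
    "version": "constructed-policy-v1",
    "auto_close_max_risk": 0.20,
    "required_evidence": {"sanctions_screen", "transaction_history", "registry_extract"},
    # Dispositions the agent may propose but never execute on its own.
    "human_only": {"file_sar", "exit_customer", "suppress_alert", "change_risk_appetite"},
}

# Constructed agent recommendations.
FULL = ["registry_extract", "sanctions_screen", "transaction_history"]
RECOMMENDATIONS = [
    {"case": "C-1", "proposed": "close", "risk_score": 0.05, "evidence": FULL},
    {"case": "C-2", "proposed": "close", "risk_score": 0.05, "evidence": FULL[1:]},
    {"case": "C-3", "proposed": "exit_customer", "risk_score": 0.90, "evidence": FULL},
    {"case": "C-4", "proposed": "close", "risk_score": 0.45, "evidence": FULL},
]


def gate(rec, policy=POLICY):
    """Return (outcome, reasons); any reason at all forces human review."""
    reasons = []
    if rec["proposed"] in policy["human_only"]:
        reasons.append(f"{rec['proposed']} requires human approval")
    elif rec["proposed"] != "close":
        reasons.append(f"unrecognized disposition {rec['proposed']}")
    missing = policy["required_evidence"] - set(rec["evidence"])
    if missing:
        reasons.append("missing evidence: " + ", ".join(sorted(missing)))
    if rec["risk_score"] > policy["auto_close_max_risk"]:
        reasons.append("risk score above auto-close limit")
    return ("escalate_to_human" if reasons else "auto_close"), reasons


def _digest(prev, record):
    body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to the one before it.
    Tamper-evident only if the latest hash is also kept outside the log's
    trust boundary; someone who can rewrite every entry can rebuild the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": _digest(prev, record)})

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
                return False
            prev = entry["hash"]
        return True


def process(rec, log, policy=POLICY):
    """Gate one recommendation and retain what was proposed, decided and why."""
    outcome, reasons = gate(rec, policy)
    log.append({
        "case": rec["case"],
        "policy_version": policy["version"],
        "proposed": rec["proposed"],
        "risk_score": rec["risk_score"],
        "evidence": sorted(rec["evidence"]),
        "outcome": outcome,
        "reasons": reasons,
    })
    return outcome


if __name__ == "__main__":
    log = AuditLog()
    for rec in RECOMMENDATIONS:
        print(rec["case"], process(rec, log))
    print("log intact:", log.verify())
    log.entries[0]["record"]["outcome"] = "escalate_to_human"  # simulated after-the-fact edit
    print("log intact after edit:", log.verify())
```

Only the first constructed case closes automatically; the missing registry extract, the customer-exit proposal and the 0.45 risk score each send a case to a human, and the simulated edit to a logged outcome makes `verify()` fail.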

Solving Onboarding Friction

The tension between smooth onboarding and rigorous KYC/KYB is especially acute in European fintech. Corporate clients, freelancers, digital nomads, marketplaces, and embedded finance users often have complex profiles that do not fit old bank onboarding templates.

The eIDAS 2.0 framework is a major development because it creates a legal foundation for mutually recognized electronic identities across the EU. If implemented effectively, it can support secure digital onboarding that is recognized under AML rules and reduces the need for duplicative document collection.

KYB automation can also reduce friction. API-first onboarding systems can check commercial registries, identify beneficial owners, screen sanctions and adverse media, detect synthetic identities, and continuously refresh risk profiles. This makes it possible to onboard legitimate customers faster while applying stronger controls to genuinely higher-risk entities.

For payment companies, this is not just a defensive necessity. It is a competitive advantage. Sponsor banks and enterprise clients increasingly want proof that compliance is embedded in the product and data architecture, not bolted on after growth. Firms that can show explainable controls, continuous monitoring, and strong governance will be more credible partners.

Onboarding is where AML friction is most visible to customers. If the process is too light, the institution risks weak CDD. If it is too heavy, legitimate users abandon the flow or are excluded. The challenge is to collect enough information to understand risk without turning every customer into an enhanced due diligence case.

The eIDAS 2.0 framework could help because reusable, high-assurance digital identity can reduce duplicative verification. A customer who can present a recognized digital identity should not have to repeatedly submit the same documents to different firms. For businesses, interoperable identity and registry data could make ownership verification faster and more reliable.

But eIDAS will not solve KYB by itself. Corporate structures remain complex. Beneficial ownership can be layered across jurisdictions. Registries vary in quality. Nominee structures, trusts, shell companies, and rapidly changing directorships can still require expert review. Automation can accelerate the process, but high-risk structures will continue to need human judgment.

The competitive advantage comes from designing onboarding as a risk engine rather than a document checklist. Low-risk customers should move quickly. Medium-risk customers should receive targeted requests. High-risk customers should be escalated with clear evidence. The same principle applies to ongoing monitoring: risk should be refreshed when meaningful events occur, not merely on arbitrary calendar cycles.

Strategic Implications for Payment Companies

The AMLA era changes what good compliance looks like. Firms should not treat the Single Rulebook as a paperwork exercise. They should use it as a forcing function to redesign the compliance operating model.

The practical agenda is clear:

  1. Map AMLR obligations to product, customer, and transaction flows.
  2. Replace static rules where behavioral analytics can produce better risk discrimination.
  3. Build human-in-the-loop workflows with documented accountability.
  4. Automate evidence gathering for investigations and KYB refreshes.
  5. Measure false positive rates, review times, backlog age, SAR quality, and escalation outcomes.
  6. Align compliance leadership, product leadership, and board governance around a documented risk appetite.
  7. Treat sponsor-bank expectations as a design constraint early, not as a late-stage launch blocker.

The firms that fail will likely do so in familiar ways: underfunded compliance teams, outdated monitoring scenarios, unmanaged alert backlogs, unclear ownership, and growth targets that exceed control capacity. The firms that succeed will make compliance measurable, automated where appropriate, and visible at board level.

Several strategic shifts follow from this.

First, compliance must be involved in product design early. A payments product is not complete until the firm understands its customer risk, transaction risk, geography risk, sanctions exposure, fraud overlap, evidence requirements, and monitoring strategy. Launching first and retrofitting controls later is the pattern regulators increasingly punish.

Second, firms need explicit risk appetite statements that are operational, not decorative. A useful risk appetite defines the customers, corridors, products, volumes, typologies, and control conditions the firm is willing to accept. It should also identify what the firm will not do. Without that clarity, individual officers will continue to make inconsistent decisions under pressure.

Third, data governance is now an AML control. Poor data quality creates false positives, missed matches, weak segmentation, broken monitoring, and indefensible decisions. Firms need to know where customer data comes from, how it is normalized, how it is updated, and how conflicts are resolved.

Fourth, sponsor-bank management must become a formal compliance discipline for fintechs and PSPs. A firm should not wait for a banking partner to discover gaps. It should proactively demonstrate control coverage, monitoring performance, alert governance, regulatory mapping, and remediation discipline.

Fifth, boards need better metrics. A board cannot govern AML effectively with generic statements that compliance is "on track." It needs visibility into alert volumes, false positive trends, investigation timeliness, aged cases, suspicious activity reporting, high-risk customer concentrations, model performance, staffing gaps, policy exceptions, and audit findings.

Conclusion

Europe's decentralized AML era is ending. AMLA and the Single Rulebook will reduce some of the fragmentation that allowed regulatory arbitrage and inconsistent supervision to persist for years.

But centralization is not a complete cure. Without better technology and governance, the new regime could simply transform national inconsistency into continent-wide rigidity. Payment firms already face high costs, scarce compliance talent, sponsor-bank caution, and false positive overload. AMLA will raise the bar, but it will not remove those operational constraints.

The winning model is smart compliance: behavioral analytics instead of static rules, agentic case preparation instead of manual data gathering, eIDAS-enabled onboarding instead of duplicative document checks, and human-in-the-loop governance instead of either unchecked automation or subjective gatekeeping.

The objective is not weaker AML. It is more precise AML. The European payment sector can only support both innovation and financial crime resilience if it reduces mechanical noise, narrows human discretion where data can help, and reserves expert judgment for the decisions that genuinely require it.

The deeper lesson of the AML paradox is that compliance quality and commercial efficiency are not opposites. Bad compliance is expensive because it produces noise, delays, rework, defensive exits, and enforcement exposure. Good compliance is precise. It blocks what should be blocked, escalates what should be escalated, and lets legitimate activity proceed with evidence-backed confidence.

AMLA can help create the conditions for that precision by reducing fragmentation and supervisory arbitrage. But the responsibility for operational precision remains with firms. Payment companies that continue to rely on manual processes, vague risk appetite, and static rules will struggle under the new regime. Payment companies that embed compliance into data architecture, product design, AI-assisted investigation, and board governance will be better positioned to scale.

The end of decentralized AML will not automatically produce a frictionless European payment market. It will produce a higher, more consistent supervisory floor. What firms build on top of that floor will determine whether the next era is defined by smarter compliance or by a more sophisticated version of the same bottlenecks.

Works Cited

  • European Central Bank, "AMLA and ECB Banking Supervision: strengthening cooperation."
  • Institute of International Finance, "The Evolution of the AML/CFT Landscape Under the New European Anti-Money Laundering Authority."
  • FIAU, "AMLA: A New Chapter for Europe's AML/CFT Framework."
  • Taylor & Francis, "The New EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism."
  • European Banking Authority, "Opinion of the European Banking Authority on money laundering and terrorist financing risks affecting the EU's financial sector."
  • EY, "Navigating the next wave of AML regulation to drive strategic innovation."
  • Moody's, "EU AML Framework Update: AMLA and AMLR Explained (2026)."
  • Baker McKenzie, "EU AML Framework Guide to Key Changes for Financial Institutions."
  • MyComplianceOffice, "AML Compliance and Regulatory Enforcement Across the European Union."
  • Freshfields, "Unveiling AMLA's Blueprint: A Snapshot of the 2026-2028 Work Programme and Key Regulatory Instruments."
  • AMLA, "About AMLA."
  • KPMG, "AML/CFT RegRadar."
  • Deloitte, "The EU AML Package."
  • EY, "How the EU AML package is transforming compliance for financial firms."
  • Central Bank of Ireland, "EU and International."
  • Deloitte, "Collaborating toward a more effective AML/CFT regulation."
  • McKinsey, "The new frontier in anti-money laundering."
  • Fenergo, "Automated KYC Reviews: 40% Operating Efficiency Gains for Investment Bank."
  • Moody's, "Risk and compliance in the age of AI: 10 key findings."
  • GARP, "AI Adoption in Risk and Compliance: Revolution or Evolution?"
  • ResearchGate, "The Use of Behavioral Analytics in AML."
  • SpeedyDD, "Best KYB Onboarding Software for Fintech Companies in Europe."
  • IOM Denmark, "Overview: Digital Nomad Policies in the European Context."
  • EY, "EU AML readiness: CDD and onboarding."
  • GBG, "What KYC solutions support international onboarding across Europe and North America."
  • Thinslices, "AI, capital, and compliance: mapping Fintech startup momentum."