The AML Authority Accidentally Breaks Compliance
Banks are forced to deliver detailed proof of prevented criminal activity, a structural impossibility that drives them toward defensive offboarding strategies simply to survive scrutiny.
By Nicolas Strömbäck, Compliance & Governance Consultant at Nicolas Strömbäck Consulting AB
In 2026, the newly operational AML Authority (AMLA), eager to prove its relevance, releases a sweeping package of guidance, technical standards, and sector-wide expectations meant to “harmonise AML across the EU.” Instead, it detonates the risk-based approach overnight.
The standards are so prescriptive - down to mandated control configurations, uniform due-diligence cadences, and fixed thresholds for suspicious behaviour - that every financial institution becomes instantly non-compliant. Risk proportionality is effectively outlawed. Flexibility disappears. Firms, regulators, and auditors simultaneously realise they have no idea how to interpret the new requirements, because compliance now has only one setting: absolute.
But AMLA doesn’t stop there.
Under pressure to enforce this new regime, the Authority announces a bold technological leap: its own supervisory AI, trained to perform granular, cross-border scrutiny of every national Financial Supervisory Authority (FSA). What was once a multi-year supervisory cycle collapses into an always-on feedback loop. The AMLA AI demands constant updates (annual, then quarterly, then monthly) to internal risk assessments, typology analyses, and control effectiveness reports.
The AI begins asking for something the industry has never been structurally able to provide: proof, in detail, of prevented crime - not just policies, not just controls, but measurable evidence of what didn’t happen, how it didn’t happen, and why. Firms scramble to reverse-engineer absence.
The unintended consequence arrives fast and brutally: businesses start de-risking at scale. If risk proportionality is gone, and if prevention must be demonstrated with mathematical certainty, then entire customer segments become too dangerous to touch. SMEs, charities, expats, high-mobility workers, gig-economy earners - all quietly offboarded in self-defence.
Within months, financial access across the EU constricts. FSAs panic. AMLA insists the system is “functioning as designed.” And compliance teams realise they are now being supervised not by regulators, but by a machine that cannot comprehend the concept of reasonable risk.
A continental compliance crisis begins, not because firms failed to manage risk, but because the regulator eliminated it as a concept.
