Zerafa Advocates (Valletta, Malta) Article: How EU-Level AML Supervision and Maltese Regulatory Practice Are Converging

The European Union’s fight against money laundering and terrorist financing has entered a new phase. What was once characterised by fragmented national supervision and uneven enforcement is steadily giving way to a more centralised, data-driven and legally disciplined framework. Two recent developments illustrate this shift with particular clarity: the finalisation of the Regulatory Technical Standards (“RTS”) under Article 12(7) of the Anti-Money Laundering Regulation, establishing how the new EU Anti-Money Laundering Authority (“AMLA”) will exercise direct supervision, and the Financial Intelligence Analysis Unit’s thematic review on the application of Simplified Due Diligence by Collective Investment Schemes in Malta. When read in conjunction, these initiatives tell a coherent story about the direction of AML/CFT regulation: discretion is narrowing, assumptions are being challenged, and risk must be demonstrated rather than presumed.

The establishment of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism marked one of the most consequential reforms in the EU’s financial crime architecture in decades. Regulation (EU) 2024/1620 vested AMLA with direct supervisory powers over selected high-risk, cross-border financial institutions, addressing long-standing concerns about regulatory arbitrage and inconsistent national oversight. Yet these powers required careful operationalisation. The Draft Regulatory Technical Standards under Article 12(7), finalised in December 2025 and now moving towards formal adoption, provide that missing legal mechanism.

Although highly technical, the RTS reflect a fundamental conceptual shift. They replace narrative and largely qualitative supervisory judgements with a structured, quantitative methodology for determining which entities fall within AMLA’s direct supervisory perimeter. Article 12(7) requires AMLA to define what it means for an entity to be “operating” in a Member State under the freedom to provide services and to establish how the money laundering and terrorist financing risk of such entities is to be assessed and classified. The underlying objective is clear: AMLA’s resources must be focused on institutions whose scale, cross-border footprint and risk exposure justify Union-level oversight.

To that end, the RTS introduce materiality thresholds grounded in objective data rather than regulatory intention or formal notifications. Customer numbers and transaction volumes become the primary indicators of whether an institution is materially present in a Member State. This approach resolves a long-standing paradox of the freedom to provide services, whereby firms could technically passport into multiple jurisdictions without ever developing a meaningful operational presence. By requiring numerical evidence of genuine activity, the RTS draw a clear boundary between national and EU supervision and safeguard the legitimacy of AMLA’s mandate.

Once material presence is established, the RTS set out a multi-layered risk assessment methodology distinguishing between inherent and residual risk. Inherent risk reflects exposure arising from products, services, delivery channels and customer profiles, while residual risk captures the effectiveness of an institution’s AML controls, governance and mitigation measures. Crucially, this methodology is aligned with the risk assessment framework that national supervisors will apply under the parallel RTS issued pursuant to Article 40(2) of the new AML Directive. This alignment is not incidental. It ensures that both national authorities and AMLA speak a single, consistent language of risk, reducing supervisory friction and legal uncertainty for obliged entities.

What emerges is a supervisory model where discretion is constrained by data, and judgment is anchored in reproducible scoring rather than subjective impressions. Group structures are assessed through weighted methodologies designed to prevent high-risk entities from being obscured by lower-risk affiliates. For lawyers and compliance professionals, the legal significance is unmistakable. These RTS embody core principles of EU administrative law: foreseeability, transparency and reviewability. Supervisory decisions grounded in quantifiable criteria are less vulnerable to claims of arbitrariness and offer firms a clearer basis on which to structure compliance frameworks.

This evolution at EU level finds a striking parallel in the Financial Intelligence Analysis Unit’s (“FIAU”) thematic review on Simplified Due Diligence (“SDD”) published on 22 December 2025. While operating in a different regulatory space, the review reflects the same underlying philosophy: simplification does not mean relaxation, and risk-based regulation demands evidence, not assumption. The FIAU’s focus on Collective Investment Schemes (“CISs”) is particularly significant given their central role in Malta’s financial services ecosystem and the complexity of their investor and intermediary structures.

The review challenges a persistent tendency within the sector to treat Simplified Due Diligence as a procedural shortcut. While many CISs demonstrate competence in collecting baseline customer information and performing initial profiling, the FIAU identifies recurring weaknesses in articulating expected activity, understanding the nature and purpose of the relationship in sufficient depth, and maintaining meaningful ongoing monitoring once SDD has been applied. In many cases, the deficiency lies not in the absence of information, but in the absence of analysis and documentation capable of justifying why a lower level of due diligence remains appropriate over time.

A recurring theme in the review is the misplaced reliance on regulated status as a proxy for low risk. The FIAU is unequivocal in its position that regulation, whether under MFSA oversight or within a tightly supervised funds framework, does not eliminate ML/TF risk. It merely informs its assessment. The presence of nominee arrangements, omnibus accounts, cross-border investors and complex ownership chains means that CISs may present risk characteristics that require active management, even where SDD is permissible.

From a legal perspective, the message of the FIAU review mirrors that of the AMLA RTS. Risk must be demonstrated, justified and revisited, not inferred. Documentation is not a formality but the foundation upon which supervisory confidence is built. Just as AMLA will rely on transaction volumes and customer metrics to determine supervisory scope, national authorities expect subject persons to evidence why SDD is appropriate and how residual risks are being mitigated through proportionate monitoring.

For Maltese compliance officers and legal advisers, the convergence of these developments is particularly instructive. Malta’s financial services sector is deeply embedded in EU markets, especially in payments, e-money, fintech and funds. Entities that meet AMLA’s materiality and risk thresholds will, from 2028, be subject to both national oversight and direct EU supervision. This dual supervisory environment is not duplicative but harmonised, with both levels relying on structured data, documented assessments and transparent methodologies.

Taken together, the AMLA RTS and the FIAU thematic review point to a single regulatory trajectory. AML/CFT compliance is moving away from informal judgments and towards demonstrable, data-supported reasoning. Simplification is permissible, but only where it is earned through rigorous assessment and sustained by effective controls. Centralisation at EU level does not dilute national expectations; rather, it reinforces them.

At Zerafa Advocates, we regularly advise Collective Investment Schemes, financial institutions, fund managers and service providers on navigating this evolving landscape. Our work spans the review and enhancement of customer risk assessment methodologies, alignment of Simplified Due Diligence frameworks with FIAU and MFSA expectations, and preparation for the operational realities of AMLA supervision. Where thematic reviews or supervisory findings expose vulnerabilities, we assist clients through targeted gap analyses, policy redrafting and hands-on implementation support. Our approach is legally rigorous and commercially grounded, ensuring that compliance frameworks remain proportionate, defensible and resilient in an increasingly integrated European supervisory environment.

In this new regulatory era, the message for the market is clear. Whether under national scrutiny or EU-level supervision, AML/CFT compliance is no longer about labels such as “simplified” or “low risk”. It is about the quality of the reasoning that underpins those labels, and the evidence that sustains them.