AMLA Wants to Know “Everything” – Can Institutions Deliver?

Right now, around one hundred Swedish financial institutions are in the process of responding to a request from the EU’s new anti-money laundering authority, AMLA: Describe your operations in numbers. How many customers do you have in high-risk segments? Which countries do you transact with? How long does it take from identifying a suspicious transaction to filing a SAR?

It sounds manageable.

-When we sit down with our clients and review AMLA’s reporting framework, with its 32 templates in total, close to 250 data points, of which a typical Swedish bank is affected by around 176, the picture looks different, says Daniel Bardun, Senior Manager Financial Crime Prevention at Advisense.

-Data that should exist in a database is locked inside PDF files. Ownership structures are documented in free text. Case-handling timestamps live in three different systems that were never designed to communicate with one another. Many of the banks we work with cannot produce these figures today without extensive manual effort.

It is clear that this is not a challenge to be addressed sometime in the future. It needs to be solved here and now.

What AMLA is Actually Asking For

AMLA’s data collection is separate from the ongoing SAR reporting to the Financial Intelligence Unit. Now, the focus is on structural and statistical information that AMLA needs to assess risks and plan its supervision.

The framework covers broad areas: institutional profile, risk assessment data, customer base, transaction data, KYC and monitoring, as well as reporting and compliance. Credit institutions face approximately 210 data points, payment institutions and e-money institutions around 150, and even life insurers and asset managers are looking at more than 130.

Sweden is participating early. Around 100 Swedish institutions are already included in the Swedish FSA’s pilot program, and the data they are being asked to deliver offers a preview of what full-scale implementation will entail.

Where the Challenges Emerge

According to Daniel Bardun, Advisense’s work with banks and financial institutions shows that several data points are particularly challenging, not because the questions are unclear, but because the answers require connecting information from very different parts of the organization.

-Take complex ownership structures as one example. AMLA asks about beneficial owners based on a model with two levels and four indicators. At many banks, ownership structures are stored as scanned documents or free text in case management systems. You cannot simply run a query against that, says Daniel Bardun.

When attempting to produce the numbers, it often becomes painstaking detective work requiring coordination between compliance, the KYC team, and IT.

The geography template is another area where many struggle. Seventeen data points per country, across more than 100 countries, with data spread across more than ten systems. Add to that the fact that the concept of “country” means different things depending on the column being completed: country of residence, country of function, counterparty country. This requires understanding not only your own data, but also AMLA’s taxonomy.

Daniel Bardun sees similar patterns with SAR processing times, where timestamps exist in transaction monitoring systems, case management systems, and goAML, without a unified timeline. The same applies to third-party payments on mortgage loans, where millions of payments must be matched against borrower registers, even though the identity of the payer is often missing. Many of these payments are harmless, such as a spouse or parent making a payment, but AMLA wants them all counted.

The Problem is Not “Data” – The Problem is Silos

The common pattern in all these challenges is not that data is missing. It almost always exists somewhere. The problem is that it is fragmented across organizational silos that have never needed to speak the same language. Compliance talks about risk. IT talks about data models. The business talks about customers and products. When these three worlds meet in an AMLA reporting requirement, a language barrier arises that becomes the single biggest challenge.

In Daniel Bardun’s experience, this insight often comes as an ‘aha-moment’.

-Once you start mapping data points together across functional boundaries, you suddenly see not only the causes of the problems, but also how much better things could be, he says. A consolidated view of the data points reveals duplicates, gaps, and efficiency opportunities that no single function could have identified on its own.

Another key insight is that you do not need to own all data yourself. Instead of building everything from scratch, the focus should be on securing skills among the users of data, understanding where the data resides, who owns it, and how to connect it correctly. This is a matter of competence and organizational capability, not an IT project.

Three Steps to Take Control

Advisense recommends a structured three-phase approach that we have seen work well with the institutions that we support.

1. Diagnose – Map your data landscape
Match your 170–210 data points against existing systems. Identify an owner for each data point. Test: can you extract it? How quickly? How consistently? Every data point you struggle with represents a real capability gap. For those participating in the pilot with the Swedish FSA and AMLA, the reporting exercise itself is the best diagnostic tool. For everyone else: you can conduct this assessment now – do not wait to be asked.

2. Assess – Score your readiness
Rate each capability on a five-point scale. Assess maturity: board awareness, policy quality, control effectiveness. Assess capacity: staffing, competing priorities, budget, IT backlog. The outcome should be a realistic picture that can be presented to senior management.

3. Build – A prioritized roadmap
Prioritize based on risk, not article numbers. Develop a phased plan: quick wins first, then structural changes, followed by testing. Critically, earmark budget and capacity before starting remediation. A plan without resources is not a plan.

Everyone Must Move Jointly

In the best-case scenario, tech, the business, and the AML function sit around the same table from the start. It sounds obvious, but it rarely happens by itself. It requires someone to take on the role of representing the entire company, not just their own function. Our experience is that the institutions that succeed best in this kind of cross-functional initiative are those that establish dedicated working groups early on, with decision-making authority and not just reporting responsibilities.

We also see that a certain degree of deadline-driven urgency can be a useful catalyst. Regulatory pressure creates focus and prioritization that would otherwise be consumed by daily operations. The implementation window is very short. AMLR enters into force on 10 July 2027, which is just over 16 months from now, and several critical technical standards are not expected to be finalized until late 2026 or early 2027. Institutions that wait for the final texts before starting will have less than six months. That is not enough time to implement adequate system and process changes.

And Where Does AI Fit In?

There is a strong temptation to believe that AI will solve the data problem. In the long term, AI tools can absolutely play an important role in extracting ownership structures from unstructured documents, matching third-party payments to borrowers, or identifying patterns in transaction flows that humans might miss.

But AI can only deliver if it has something to work with. The principle of “garbage in, garbage out” applies fully in this context as well. An institution that does not first fix its data infrastructure will not be able to apply AI in a meaningful way, regardless of how advanced the tools become.

In other words, AMLA’s data requirements are not just a reporting exercise. They are a stress test of your data infrastructure and therefore of your ability to use AI to combat financial crime in the future.

Daniel Bardun

Senior Manager
