top of page

AMLA Drops Its First Real Playbook As Agentic AI Eats the Compliance Stack

AMLA Drops Its First Real Playbook As Agentic AI Eats the Compliance Stack

Europe's new anti-money laundering authority issued live guidelines this week. Australia widened the AML perimeter. And the compliance industry got a very serious reminder that "agentic" is no longer a slide-deck word.

Compliance officers who spent the first half of 2026 asking "when does the new EU regime actually start?" got their answer this week. As of this week, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism has issued its first substantive guidelines, on July 10, per AMLA's Single Programming Document milestones, covering risk variables, risk factors, and the internal-controls calibration that obliged entities are expected to run against them.


Add in Australia's Tranche 2 reforms going live on July 1, the EU AI Act's classification of financial-crime AI as high-risk, and a wave of agentic AI product launches, and you have the busiest RegTech week of the year. Here is what changed.


AMLA Is No Longer Theoretical


Since the EU's Anti-Money Laundering Authority was established, the industry has treated it a bit like weather in the forecast, inevitable, but not yet raining. That framing ended this week.


According to AMLA's own regulatory timeline and reporting from Norton Rose Fulbright and KPMG's AMLA Advisory series, on July 2, 2026 AMLA held a public hearing on its draft guidelines for ongoing monitoring of business relationships, the operational heart of any AML program. By July 10, the authority is due to publish two sets of guidelines that will directly reshape day-to-day compliance work: one on the risk variables and risk factors obliged entities must consider when entering relationships or handling occasional transactions, and one on the elements those entities must weigh when calibrating internal policies, procedures, and controls.


AMLA's February 2026 Single Programming Document commits the authority to delivering 24 of its 40 statutory mandates within the calendar year, a genuinely aggressive schedule for a new EU agency, and one that will accelerate the shift from patchwork national supervision to something closer to a Single Rulebook in practice.


The Practical Read

For compliance leaders, this changes the roadmap. Guidance on ongoing monitoring is the single most consequential piece of guidance a compliance team receives, it defines what "good" looks like for transaction surveillance, sanctions screening, and periodic review cycles. Firms operating in multiple EU jurisdictions have been living with divergent national interpretations. As of July 10, the ambiguity is thinning fast.


Protiviti's March 2026 readiness note, "Ten Practical Moves for AMLA," flagged that firms without a governance-mapping exercise underway would find themselves scrambling. Six weeks later, that assessment looks conservative.


Agentic AI Is Officially Live in Compliance


If AMLA is the regulatory story, agentic AI is the technology story, and it is no longer speculative.


Per RegTech Analyst's June coverage and multiple product launches this quarter, agentic AI systems, capable of coordinating multi-step processes autonomously under defined guardrails, are now shipping inside live AML and KYC workflows. Bretton AI's agentic platform, for instance, executes transaction analysis, KYB reviews, sanctions investigations, and ongoing monitoring as a coordinated loop rather than a series of siloed queries. Napier AI, which raised £45 million from Crestline Investors in February 2026 per Fintech Global reporting, has similarly moved from rules-based screening to model-based, agent-orchestrated detection.


Perpetual KYC Is the Sleeper Story

Buried inside the shift is a change nobody has quite marketed correctly yet: the industry is quietly abandoning periodic KYC refreshes. As RegTech Analyst noted in its "2026 KYC/AML outlook," the operating model is now perpetual KYC, a trigger-based system that reacts to ownership changes, sanctions updates, and behavioral signals in near-real time, rather than dragging clients through a 12-month re-onboarding ritual.


The commercial implication is enormous. Firms that made a five-year investment in periodic-refresh infrastructure are now watching their competitors reduce refresh workloads by 60% to 80% and reallocate compliance headcount to investigation rather than paperwork. If your board is still budgeting KYC in annual cycles, that conversation is due for an update.


The EU AI Act Has Teeth for Compliance Software


The other quiet development: the EU AI Act, now fully in force, classifies AI systems used in financial-crime compliance as high-risk. Per the RegTech Analyst 2026 outlook, that classification brings a specific stack of obligations, transparency, human oversight, data quality, model documentation, and bias testing, that vendors have to demonstrate, not just claim.


For compliance leaders selecting a next-generation platform, this is the new procurement checklist. "It uses AI" is no longer an answer to any RFP question. Model cards, retraining cadence, adversarial-testing evidence, and human-review pathways are.


There is a real risk of a two-tier vendor market emerging: incumbents who have invested in AI Act documentation and can sell into the EU without a compliance blocker, and everyone else. The market is starting to reflect it, mid-market RegTech valuations have compressed around Model Risk Management readiness in a way they did not 12 months ago.


Australia Widens the Perimeter


Not everything this week was European. On July 1, 2026, Australia's Tranche 2 AML/CTF reforms took effect, extending anti-money laundering obligations to lawyers, accountants, real estate agents, and other designated non-financial businesses and professions. Coverage from RegTech Analyst and Australian legal press indicates this brings roughly 90,000 additional entities into the regulated perimeter.


For international RegTech vendors, this is a genuine addressable-market shift. The historical AML tooling economics have skewed toward financial institutions with large compliance budgets; the Tranche 2 population skews heavily toward SMEs with neither the appetite nor the capacity to run a Fenergo-style stack. Expect a wave of lighter, verticalized offerings pitched at law firms and real estate agents, and a wave of enforcement pain from firms that ignored the memo.


What to Watch Next


Three items are worth monitoring over the balance of Q3:


The remaining AMLA mandates due in 2026, including the customer due diligence Regulatory Technical Standards, will determine whether the Single Rulebook becomes real by January 2027 or slips a further year. Given the July milestone, the current base case is on-schedule delivery.


Model Risk Management guidance for AI-in-compliance, expected from both the European Banking Authority and the UK Financial Conduct Authority in the second half of 2026, will crystalize what "human oversight" actually means in production. The market has been drafting its own answer for a year; the regulators are about to have theirs.


And keep an eye on the second cohort of agentic AI compliance products landing in Q3. The first wave, launched in Q1 and Q2, was mostly enterprise-priced. The next wave targets mid-market banks and payments firms, which is where genuine adoption inflection points historically live.


The Bigger Picture


Compliance has spent a decade being characterized as a cost center that grows in defiance of technology. What is happening in July 2026 is a rare inversion: guidelines are consolidating, tooling is agentic, and headcount is being reallocated from checklist work to genuine investigation. That is not the compliance industry's usual weather.


The firms that emerge best-positioned from this quarter are not the ones spending the most on RegTech; they are the ones treating AMLA's guidelines, the AI Act's obligations, and their vendor stack as a single, integrated procurement question.

The rest are about to run a very expensive fire drill.

 
 
bottom of page