Skip to content
2,151 standards indexed across 19 jurisdictions View the Atlas
3 hubs live · 3 more in the pipeline See all compliance topics
Daily news + multi-week series Browse all insights
3 tools live · 4 interactive tools in development Roadmap
AMLA · AML 13 min read Jun 29, 2026

EU AML Authority and iGaming: What AMLA Direct Supervision Will Mean in 2027

AMLA's single rulebook and new supervisory architecture take effect from 2027. Discover which EU gambling operators face direct oversight and what compliance teams must prepare now.

Matt Denney

By

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 29, 2026 13 min read Filed Regulatory News & Updates

The European Union’s June 2024 AML/CFT legislative package created three interlocking instruments that will reshape how every EU-licensed gambling operator manages its anti-money laundering obligations. Regulation (EU) 2024/1624 (the AML Regulation, or AMLR) creates a directly applicable single rulebook. Directive (EU) 2024/1640 (AMLD6) harmonises national supervisory frameworks and must be transposed into national law by 10 July 2027. Regulation (EU) 2024/1620 establishes the Anti-Money Laundering Authority (AMLA) in Frankfurt as the EU’s dedicated AML/CFT supervisor. Together, these instruments end the patchwork of 27 separate national AML transpositions that has governed the sector since the Fourth AML Directive, and they place gambling operators squarely within the scope of EU-level oversight for the first time.

What Is AMLA and What Does It Actually Do?

AMLA was established by Regulation (EU) 2024/1620 as a new EU-level agency headquartered in Frankfurt. Its mandate covers two distinct supervisory functions: direct supervision of a defined set of high-risk obliged entities, and indirect supervision through coordinating, peer-reviewing, and enforcing consistent standards across the national competent authorities (NCAs) responsible for supervising everyone else.

For most iGaming operators, AMLA’s influence will arrive through its indirect supervisory role rather than direct engagement with the authority itself. AMLA will issue binding Regulatory Technical Standards (RTS), conduct peer reviews of NCAs, and can step in when a national supervisor fails to act. That last power matters: if the MGA’s Financial Intelligence Analysis Unit (FIAU), Spain’s SEPBLAC, Denmark’s Spillemyndigheden, or any other NCA is found to be applying the single rulebook inconsistently or inadequately, AMLA can issue recommendations and, ultimately, assume supervisory functions directly.

“In 2024, the European Union established the Anti-Money Laundering Authority, an EU-level agency intended to centralize aspects of AML enforcement in the EU and foster better coordination among national financial intelligence units. The 6th Anti-Money Laundering Directive must be incorporated into national law by July 10, 2027.”

Source: Anti-Money Laundering secondary reference, confirming AMLA establishing regulation and AMLD6 transposition deadline, primary instruments are Regulation (EU) 2024/1620 and Directive (EU) 2024/1640.

Where Does the Gambling Sector Sit Within the AMLR?

Gambling operators are classified as non-financial obliged entities under Article 3(3) of Regulation (EU) 2024/1624. This classification is not new in itself, gambling has been an obliged entity since the Third AML Directive, but the legal mechanism has changed fundamentally. The AMLR is a regulation, not a directive. It applies directly in all 27 Member States without national transposition. That means the CDD obligations, risk assessment requirements, record-keeping standards, and transaction monitoring rules it contains apply uniformly from the date of application, regardless of whether a given Member State’s national AML legislation has been updated.

The practical consequence for operators licensed in Malta, Spain, Denmark, the Netherlands, and every other EU jurisdiction is that their existing national AML compliance frameworks will need to be mapped against the AMLR text. Where national rules are less prescriptive, the AMLR raises the floor. Where national rules are more restrictive, operators may still need to comply with both: the AMLR sets a minimum standard, not a ceiling, and Member States retain latitude under AMLD6 to impose additional requirements in their national legislation.

Which Gambling Operators Face AMLA Direct Supervision?

AMLA’s direct supervisory powers over the non-financial sector, including gambling, are deliberately narrower than its direct role in financial services. The AMLA establishing regulation concentrates direct supervision of non-financial obliged entities at the national level through NCAs. AMLA’s direct supervisory portfolio at launch is focused primarily on the most systemically significant cross-border financial institutions.

For gambling operators, AMLA direct supervision under Regulation (EU) 2024/1620 can be triggered when an NCA has demonstrably failed to supervise adequately, or where a request-based mechanism allows AMLA to step in on a case-by-case basis. Operators that are predominantly supervised by a single NCA, such as a Malta-licensed operator supervised by the MGA/FIAU or a Spanish operator supervised by SEPBLAC under DGOJ oversight, will continue to face their existing national supervisor as the primary point of contact. The structural change is that those national supervisors now operate under AMLA peer review and must apply the single rulebook consistently.

Industry observers have noted that AMLA’s indirect supervisory pressure on NCAs may prove more consequential for gambling compliance than any hypothetical direct designation. When AMLA finds that an NCA is applying CDD standards inconsistently, the correction flows downward to every obliged entity that NCA supervises. Operators in jurisdictions where national AML supervision has historically been lighter will feel the greatest adjustment.

The Three Draft RTS Already in Consultation

AMLA is not waiting for July 2027 to start shaping the compliance baseline. As of early 2026, three draft Regulatory Technical Standards are in public consultation, all of which directly affect gambling obliged entities. Both the Malta Gaming Authority and Denmark’s Spillemyndigheden have explicitly encouraged their licensees to engage with these consultations, describing them as a critical legislative stage for the gaming sector.

The first draft RTS, issued under Article 28(1) of the AMLR, covers customer due diligence standards. This will define, at EU level, the minimum content and methodology for CDD across all obliged entities including gambling operators, covering identity verification, beneficial ownership checks, and the conditions under which simplified or enhanced CDD applies.

The second draft RTS, under Article 19(9) of the AMLR, addresses the criteria for identifying business relationships, occasional transactions, and linked transactions, along with the determination of lower thresholds. For gambling operators, this RTS is operationally significant: it will clarify when a series of discrete transactions must be treated as linked and therefore subject to enhanced scrutiny, and it may affect how operators structure their KYC trigger thresholds relative to current national practice.

The third draft RTS, issued under Article 53(10) of AMLD6, covers the reporting of material weaknesses in AML/CFT controls. This instrument creates a structured obligation for obliged entities and their supervisors to report significant control failures upward through the supervisory chain. For gambling compliance teams, it introduces a new reporting obligation that sits alongside, but is conceptually distinct from, suspicious activity reporting to financial intelligence units.

Key RTS under consultation (as of April 2026): Draft RTS under AMLR Article 28(1) on CDD standards, Draft RTS under AMLR Article 19(9) on business relationship and transaction threshold criteria, Draft RTS under AMLD6 Article 53(10) on material weakness reporting. Both the MGA and Spillemyndigheden have actively directed licensees to participate.

Source: Malta Gaming Authority, “AMLA invites stakeholders to participate in AMLA public consultations on draft Regulatory Technical Standards,” citing Regulation (EU) 2024/1624 Articles 28(1) and 19(9), and Directive (EU) 2024/1640 Article 53(10). Spillemyndigheden, news notices dated 11 February 2026 and 20 April 2026.

How the Single Rulebook Changes the Compliance Baseline

The shift from directive-based to regulation-based AML law is the central operational change that compliance teams must internalise. Under the previous directive framework, from the Fourth to Fifth AML Directives, national transposition produced divergence: Denmark’s Spillemyndigheden, the MGA/FIAU in Malta, and Spain’s SEPBLAC each applied their own interpretations of what a gambling operator’s risk assessment, CDD programme, or transaction monitoring system needed to include. Audits, licensing due diligence, and enforcement actions were calibrated to national rules.

The AMLR eliminates that divergence at the floor level. A Malta-licensed online casino and a Spanish-licensed online casino will both be tested against the same Article 28(1) CDD standard when the finalised RTS takes effect. The draft RTS process AMLA is running now gives operators visibility into what that standard will contain, and compliance teams that engage with the consultations will have a material advantage in gap analysis.

Spain’s SEPBLAC has already signalled the direction of travel. In 2025, the authority adopted a stricter interpretation of video identification requirements, clarifying that video-based KYC has been mandatory since 2016 under its official authorisation. According to the Chambers Global Practice Guides Gaming Law 2025 analysis, Spanish gambling operators are navigating this change alongside the broader EU AML/CFT framework adoption. The AMLR’s CDD RTS, once finalised, will provide an EU-level reference that operators can use to defend the adequacy of their KYC methodology, and it will also expose any gaps between current practice and the new standard.

National Competent Authorities: The Supervisory Transition Period

The architecture established by AMLD6 preserves national competent authorities as the primary AML supervisors for gambling operators through the transposition period and beyond. The MGA/FIAU split in Malta, where the MGA handles gambling regulation and the FIAU handles AML supervision, continues to operate. Spain retains its dual supervision model under SEPBLAC and DGOJ. Denmark’s Spillemyndigheden remains the competent authority for Danish-licensed operators.

What changes is the framework within which those NCAs operate. AMLD6 requires Member States to ensure their national supervisory arrangements are AMLA-aligned by July 10, 2027. NCAs will be subject to AMLA peer reviews, and the findings of those reviews are public. For gambling operators, this creates a new indirect risk: if an NCA receives a negative peer review finding from AMLA, it will likely respond with tighter enforcement activity across its licensee base to demonstrate corrective action. Operators in jurisdictions where national AML supervision is under scrutiny should treat AMLA peer review outcomes as a leading indicator of forthcoming supervisory pressure and should begin mapping their current AML policies against the draft RTS now to identify any gaps that could expose them to heightened enforcement once peer review findings are published.

For EU gambling operators, AMLA rewrites the rulebook they are supervised against, and it does so from a single supranational source.

How Does This Interact With Existing National AML Frameworks?

The question most compliance officers are asking is how the AMLR sits alongside frameworks they are already operating under. The answer varies by instrument.

For MGA-licensed operators, the existing Prevention of Money Laundering Act obligations and the MGA/FIAU joint guidance that has evolved since the 2016 AML Directive consultation remain operative until they are superseded or updated to align with the AMLR. MGA has been active in directing licensees to the AMLA RTS consultations precisely because the outcome of those consultations will define the updated baseline. Operators should read the draft RTS alongside the existing MGA/FIAU guidance to identify where the new standard diverges from current practice.

For operators in Spain, SEPBLAC supervision under Law 10/2010 on prevention of money laundering and terrorism financing, as amended, continues. The AMLR does not replace Law 10/2010 for provisions that fall outside the AMLR’s scope, but for CDD, transaction monitoring, and reporting obligations that the AMLR directly addresses, the regulation takes precedence. Spain’s operators face dual scrutiny: SEPBLAC is already tightening enforcement, and the AMLR will provide a new standard against which that enforcement is calibrated.

For operators in Denmark, Spillemyndigheden’s existing online gambling AML obligations sit within the Danish AML Act. The authority has explicitly flagged the AMLA consultations to licensees, signalling that Danish national rules will be reviewed for AMLR alignment ahead of the July 2027 application date.

Jurisdiction National AML Supervisor Current AML Instrument AMLR Impact
Malta (MGA) FIAU (Malta) Prevention of Money Laundering Act + MGA/FIAU Joint Guidance AMLR CDD RTS will supersede guidance provisions within scope, FIAU subject to AMLA peer review
Spain (DGOJ) SEPBLAC Law 10/2010 + Royal Decree 304/2014 AMLR applies directly, SEPBLAC already tightening enforcement ahead of AMLD6 transposition
Denmark (Spillemyndigheden) Spillemyndigheden Danish AML Act National rules under review for AMLR alignment, licensees directed to AMLA consultations
Netherlands (KSA) Bureau Toezicht Wwft (FIU-NL) Wet ter voorkoming van witwassen (WWFT) WWFT provisions within AMLR scope replaced by directly applicable regulation
Gibraltar (GRA) Gibraltar Gambling Commissioner AML Code of Practice for Remote Gambling (2026 update) Outside EU, AMLR does not apply, but operators should monitor UK/EU divergence post-Brexit

What Operators Should Prepare Now

The July 10, 2027 transposition deadline for AMLD6 and the application date of the AMLR function as a single operational target. Waiting for final RTS text before starting gap analysis is not a viable approach: the CDD, threshold, and material-weakness RTS are already in draft form, and the substantive direction they establish is clear enough for compliance teams to begin structural work.

The most immediate action is a gap analysis between current CDD procedures and the draft Article 28(1) AMLR RTS. This means reviewing identity verification methodology, beneficial ownership determination, and the triggers for simplified versus enhanced due diligence against the draft standard. Operators whose KYC infrastructure relies on national guidance that is less prescriptive than the AMLR draft should treat the delta as a compliance risk to be quantified and remediated.

The Article 19(9) RTS on business relationships and linked transactions deserves particular attention for online gambling operators with high transaction volumes. If the finalised RTS defines lower thresholds for when discrete transactions must be aggregated and treated as linked, current monitoring configurations may generate different alert patterns than operators expect. Testing transaction monitoring models against the draft threshold criteria before the RTS is finalised gives compliance teams time to adjust without deadline pressure.

The Article 53(10) AMLD6 RTS on material weakness reporting is a governance obligation as much as an operational one. Once finalised, it will require operators to report significant AML/CFT control failures through a structured process. Compliance teams should begin mapping their current internal escalation and self-reporting procedures against the draft framework to identify whether existing incident response protocols will satisfy the new reporting obligation or require structural change.

Operators holding licences in multiple EU jurisdictions face an additional complexity: the AMLR will harmonise the floor, but AMLD6 permits Member States to maintain stricter national requirements above that floor. A multi-jurisdiction compliance programme that currently applies the strictest single national standard across all markets may find that approach insufficient if different Member States impose different higher-than-AMLR requirements. Mapping jurisdiction-by-jurisdiction AMLD6 transposition outcomes will be necessary as Member States publish their implementation legislation through 2026 and into 2027. Qualified legal counsel in each relevant jurisdiction should be engaged for the transposition analysis.

Finally, operators should engage directly with AMLA’s consultation processes through EU-level trade associations and representative bodies. Article 3(3) of the AMLR explicitly identifies the gambling sector as a non-financial obliged entity, and AMLA has noted that it seeks practical input from the non-financial sector, including gambling, in developing its risk assessment methodology. The MGA’s April 2026 roundtable invitation and the February and April 2026 Spillemyndigheden consultation notices are not routine procedural updates: they represent a direct channel for operators to influence the technical standards they will be audited against.

Compliance deadline: AMLD6 must be transposed into national law by 10 July 2027. The AMLR (Regulation (EU) 2024/1624) applies directly from the same date. Operators should complete gap analysis against draft RTS and begin remediation planning in 2026 to avoid a deadline-compressed implementation in H1 2027.

The UK and Offshore Dimension

AMLA and the AMLR apply only within the European Union. The UK Gambling Commission, which supervises remote gambling under its own LCCP AML provisions, operates outside the EU AML framework following Brexit. Gibraltar’s Gambling Commissioner, which updated its AML Code of Practice in 2026, is similarly outside AMLA’s scope. Operators holding both an MGA licence and a UKGC licence will operate under two distinct AML regimes that will diverge further as the AMLR’s single rulebook takes effect in the EU. Curaçao-licensed operators are outside AMLA’s reach entirely.

The divergence creates practical complexity for group compliance functions. A shared AML policy applied uniformly across an MGA-licensed and UKGC-licensed operation may, after July 2027, satisfy one regulator’s standard while leaving gaps against the other. Compliance teams should document how AMLR obligations map onto UKGC requirements and identify whether a unified policy can still satisfy both, or whether separate jurisdictional frameworks are required. According to iGamingBusiness, June 2026, the UK Gambling Commission issued a formal warning to UK operators about slipping AML standards, citing overreliance on AI tools and inadequate oversight by Personal Management Licence holders, that warning underlines that neither framework will become more permissive in the period ahead.

For operators considering whether MGA licensing remains optimal in the post-AMLR environment, the key consideration is not whether Malta is a higher-risk AML jurisdiction but whether the FIAU, as Malta’s NCA, implements the AMLR framework in a way that is operationally workable. The MGA’s active engagement with AMLA consultations, including the April 2026 roundtable and its standing practice of directing licensees to AMLA consultation notices, suggests the authority is positioning itself as a well-aligned NCA, which is precisely what AMLA’s peer review process will assess.

Operators evaluating their EU licensing position should review the MGA’s full licence requirements and AML supervisory framework alongside the emerging AMLA standards, and should consult the AML and financial compliance hub for jurisdiction-by-jurisdiction coverage of FATF, FIAU, and transaction monitoring obligations.

Key Resources

Regulation (EU) 2024/1624, Anti-Money Laundering Regulation (AMLR): the directly applicable single rulebook governing CDD, transaction monitoring, and reporting for all EU obliged entities including gambling operators, from EUR-Lex.

Directive (EU) 2024/1640, 6th Anti-Money Laundering Directive (AMLD6): the framework directive governing national supervisory arrangements and competent authorities, requiring transposition by 10 July 2027, from EUR-Lex.

Regulation (EU) 2024/1620, AMLA Establishing Regulation: the instrument creating the Anti-Money Laundering Authority and defining its direct and indirect supervisory mandate, from EUR-Lex.

MGA notice on AMLA draft RTS consultations: the Malta Gaming Authority’s guidance to MGA-licensed operators on engaging with the three open AMLA consultations covering CDD (AMLR Article 28(1)), business relationships and thresholds (AMLR Article 19(9)), and material weakness reporting (AMLD6 Article 53(10)), available at mga.org.mt.

Spillemyndigheden AMLA notices (February and April 2026): the Danish Gambling Authority’s advisories directing online casino and betting licensees to the AMLA consultation processes, available at spillemyndigheden.dk.

Matt Denney

Matt Denney

Editorial · gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.

Related coverage · also tagged Regulatory News & Updates

Browse all →

Regulatory News & Updates

HMRC Raises Remote Gaming Duty to 40%: Budget 2025 Rationale, Operator Impact, and the Black Market Risk

Jun 29 · 15 min read

Regulatory News & Updates

France’s 59.3% Sports Betting Rate: How LFSS 2025 Rebuilt the All-In Tax Architecture

Jun 12 · 12 min read

Licensing Requirements

Q1 2026 Regulatory Roundup: UKGC, MGA, AGCO, and Spelinspektionen Changes

May 6 · 12 min read

The Tuesday brief, every week.

One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.

Unsubscribe with one click. We'll never share your address.