
AML Stays on Top of the Board Agenda

Updated: Mar 18

Preparing Boards for the new EU AML framework.

This perspective reflects board-level experience from serving on the board of a regulated payment institution and a digital banking organisation, focusing on governance, regulatory oversight and risk supervision.




Board governance and AML/CTF oversight are becoming increasingly central to the role of independent non-executive directors.


Recent developments across the European regulatory landscape confirm a structural shift: financial crime risk management is no longer simply a compliance matter — it is a governance responsibility.


Ultimately, AML governance is built around the risk-based approach, requiring institutions to identify, assess and mitigate financial crime risks proportionately across products, customers, geographies and distribution channels.


The creation of the European Anti-Money Laundering Authority (AMLA), the upcoming Anti-Money Laundering Regulation (AMLR), and new supervisory expectations around AML/CFT data collection and reporting are transforming how financial institutions must organise their controls, data architecture and governance oversight.


A recent CSSF circular letter dated 6 March 2026 illustrates this transition clearly.


A signal from supervisors: AML data matters


The CSSF recently informed Luxembourg financial institutions that the launch of the AML/CFT standardised data collection campaign has been delayed following ongoing developments at the level of AMLA.


The circular letter was addressed broadly to:


• credit institutions

• investment firms

• investment fund managers

• payment institutions and electronic money institutions

• crypto-asset service providers

• virtual asset service providers

• central securities depositories


In other words: almost the entire regulated financial ecosystem.


The reason for the delay is telling.


AMLA received a very high number of comments from industry participants regarding the draft questionnaire template and interpretative guidance currently under consultation. Supervisors are now reviewing these comments and incorporating feedback into a revised reporting framework.


While operationally this may appear as a simple delay, strategically it reveals something more important.


AML supervision is becoming far more data-driven, structured and comparable across institutions.



AML supervision is entering a data-centric era


Historically, AML supervision often relied heavily on:

  • policies and procedures

  • transaction monitoring frameworks

  • on-site inspections and sampling exercises


Those elements remain essential. However, supervisory authorities are increasingly moving toward systematic data-driven supervision.


Standardised data collection initiatives aim to allow supervisors to:

  • analyse risk exposure across institutions

  • compare AML frameworks at sector level

  • detect structural weaknesses in risk models

  • prioritise supervisory interventions


This evolution aligns with the broader objective of the EU AML package: creating a more consistent supervisory framework across the Union.


For Boards, this has an important implication.

AML oversight is no longer limited to reviewing compliance reports. It now requires understanding how financial crime risks are captured, structured and reported through institutional data systems.

In practice, many institutions still face challenges ensuring consistent customer and risk data across compliance and operational systems.


Data architecture is becoming a governance issue


A growing number of industry analyses highlight a structural challenge: AML data fragmentation.


In many financial institutions, AML-relevant data remains distributed across multiple systems:

  • onboarding platforms

  • KYC repositories

  • transaction monitoring engines

  • payment infrastructures

  • customer databases

  • legacy compliance tools


While each system may function adequately in isolation, the overall architecture can make it difficult to:


  • extract coherent risk data

  • demonstrate supervisory defensibility

  • respond quickly to regulatory requests

  • support new analytical tools such as AI.


Several industry observers now describe AML/CFT data architecture as a strategic vulnerability for financial institutions.


Weak data extractability does not merely create operational inefficiencies. It creates supervisory defensibility risk — the inability to demonstrate clearly to regulators how risks are assessed, mitigated and monitored.


This is why the discussion around AML governance increasingly includes topics such as:


  • data integrity and “golden source” structures

  • extractability of AML datasets

  • traceability of risk decisions

  • alignment between risk appetite and data models


These are no longer purely technical questions. They are governance questions.

Increasingly, supervisors are not only interested in the outputs of AML frameworks, but also in the supervisory defensibility of the underlying data architecture — how risk data is defined, aggregated and traced across systems.



AMLA will amplify the supervisory shift


The establishment of AMLA will further accelerate this evolution.


AMLA will be responsible for:

  • coordinating supervisory convergence across Europe

  • developing regulatory technical standards

  • strengthening cooperation between Financial Intelligence Units

  • directly supervising selected high-risk cross-border institutions.


The authority will initially supervise around 40 major financial institutions with significant cross-border exposure.


These institutions will be subject to direct EU-level supervisory scrutiny, marking a significant step toward a unified European AML supervisory framework.


More importantly, AMLA will contribute to standardising supervisory expectations across the EU.


This means institutions will increasingly need to demonstrate that their AML frameworks are:

  • structurally robust

  • consistently implemented across jurisdictions

  • supported by reliable and extractable data.


This will further increase supervisory consistency across jurisdictions and raise expectations regarding the comparability and transparency of AML risk data between institutions.


The questions Boards should start asking


As AML supervision becomes more data-centric, Boards and senior leadership teams should begin asking several fundamental questions.


For example:


  • Do we have a coherent AML data architecture across the organisation?

  • Can we extract risk data quickly and reliably when supervisors request it?

  • Are our transaction monitoring and customer risk models aligned with our risk appetite?

  • Can our systems support AI-driven analysis without introducing new compliance vulnerabilities?

  • Do we understand the structural limitations of our legacy systems?


These questions go beyond operational compliance. They increasingly form part of the Board’s responsibility to ensure that financial crime risks are properly understood, governed and defensible under supervisory scrutiny.


They relate directly to the institution’s governance resilience in a changing regulatory environment.


Boards must also ensure that AML responsibilities remain clearly structured across the organisation’s three lines of defence, with effective coordination between operational management, compliance oversight and independent internal audit.


Governance clarity in complex regulatory environments


In my experience working with Boards of regulated institutions, AML discussions often become highly technical.


Compliance teams present detailed frameworks, technology providers offer sophisticated tools, and regulatory expectations continue to evolve.

Yet the fundamental governance question remains simple:


Do we truly understand the financial crime risks our institution is taking — and how they are captured in our systems?


The role of independent non-executive directors is not to replicate operational expertise.


It is to bring clarity, challenge and perspective to these discussions.


At Board level, this often means helping organisations:

  • connect AML risk with strategic business decisions

  • ensure that risk appetite is clearly articulated

  • challenge whether data and controls genuinely support supervisory defensibility

  • translate regulatory developments into practical governance actions.


Effective AML governance rarely results from adding more policies or controls.


It results from ensuring that the right questions are asked at the right level of the organisation.


Looking ahead


The coming years will reshape AML supervision across Europe.


Between AMLA, AMLR and increasingly data-driven supervisory tools, financial institutions will face higher expectations around:

  • governance oversight

  • data quality

  • structural resilience of AML frameworks.


Institutions that begin addressing these structural questions early will be better positioned to adapt.


Those that treat AML as a purely operational compliance function may find themselves increasingly exposed to supervisory scrutiny.


For Boards, the question is no longer whether AML oversight is operational or strategic. It is how effectively financial crime risk governance is embedded into the institution’s overall decision-making framework.


Author perspective

This reflection builds on my experience working with Boards of regulated financial institutions across banks, payment institutions and electronic money institutions.


As an independent non-executive director and board advisor, I focus on translating regulatory developments into clear governance frameworks and effective boardroom oversight.


Through Linkvalue, I support Boards and Chairs in navigating complex regulatory environments — ensuring that governance remains a strategic enabler rather than a reactive compliance exercise.


Related insights

Recent regulatory developments further illustrate how governance expectations for payment institutions are evolving.



By Sonja Hilkhuijsen

Founder & Independent Non-Executive Director

Linkvalue

📩 sonja@linkvalue.lu



 
 