Revolut Fine Raises Prospect of Direct Supervision by New EU Anti-Money Laundering Authority

The €3.5 million fine issued this week by the Lithuanian Central Bank against Revolut over failings related to financial crime compliance may have significantly increased the odds of the fintech being placed under direct supervision by the European Union’s new Anti-Money Laundering Authority (AMLA).

AMLA, which will be headquartered in Frankfurt, is preparing to take direct supervisory control of the EU’s 40 most high-risk obliged entities. With its global reach and now a regulatory penalty for continued AML deficiencies, Revolut—founded by Nik Storonsky—has quickly emerged as a strong candidate for the list. The company's situation is made more complex by its status as a UK-based firm operating under a banking licence issued in Lithuania, a structure that invites increased scrutiny under the bloc’s anti-money laundering regime.

Once selected, entities under AMLA's direct supervision will be subject to heightened oversight, as the EU seeks to bolster enforcement against financial crime across the region.

The criteria for choosing these 40 “high risk” institutions are laid out in Articles 12 through 14 of the relevant EU legislation. The process is rooted in a multifactor risk assessment that integrates internal benchmarks, sector-wide data, and indicators gathered at the national level.

Only those entities whose residual risk is classified as “high” will qualify for possible inclusion. If more than 40 meet the threshold, AMLA will work with national supervisors to narrow the field, factoring in capacity and resourcing constraints. Entities active in jurisdictions with the highest volume of transactions involving third countries will receive priority consideration. Additional criteria will include cross-border operations and overall systemic relevance.

The 40 supervised institutions can come from a broad range of sectors, including credit institutions (banks), crypto-asset service providers, payment institutions, collective investment undertakings, life insurers and intermediaries, investment firms, bureaux de change, and other financial entities.

Article 12 establishes that AMLA will conduct periodic assessments—at least across six EU Member States—regardless of whether an entity operates remotely or via a physical presence.

The risk assessment methodology relies on a dual-dimension model, distinguishing between “inherent risk” and “residual risk.” Inherent risk reflects exposure tied to clients, products, services, transaction types, and delivery channels. Residual risk, on the other hand, measures the effectiveness of internal controls and risk mitigation mechanisms.

Benchmarks guiding AMLA’s classification include the proportion of non-resident or high-risk third-country clients (including politically exposed persons), the volume of high-risk transactions or services, the degree of anonymity or privacy provided (such as in crypto offerings), geographical exposure, offshore activity, and involvement in correspondent banking or crypto-asset services.

In line with Article 14, AMLA may also take over direct supervision of an entity not originally selected, but only under exceptional circumstances. This would require a national financial supervisor to submit a formal request, justifying the move with evidence of a specific AML/CFT failure, elevated shadow banking or sanctions evasion risk, and a complete data and transfer timeline.

The first list of entities under AMLA’s direct oversight is scheduled for release by July 1, 2027. From then on, the list will be reviewed and updated periodically. All selected entities, along with the relevant national authorities, will receive advance notice from AMLA.

This evolving supervisory framework marks a significant shift in the EU’s approach to financial crime enforcement, signaling a move toward a more intelligence-led, risk-based system. The legislation underscores that supervisory intensity must match the scale and nature of the threat.

As the centralisation of AML enforcement continues, industry stakeholders are now awaiting the draft regulatory technical standards—due by January 2026—which will further clarify how AMLA intends to apply its risk benchmarks in practice, particularly in high-risk sectors like banking and crypto.

By fLEXI tEAM