AMLA Selects Its First 40: Direct Supervision Begins for Cross-Border Firms

How the selection criteria work

AMLA's selection methodology, established under Regulation (EU) 2024/1620, prioritizes two factors. First, cross-border activity. A firm must operate in at least six EU Member States to be eligible for direct supervision. The threshold filters out the long tail of single-jurisdiction operators and focuses AMLA capacity on institutions whose risks span borders.

Second, inherent risk exposure to financial crime. AMLA's methodology evaluates firms against quantitative and qualitative risk factors, including customer base composition, product and service risk, geographic exposure to high-risk jurisdictions, and historical AML enforcement record. Firms with higher inherent risk scores rise on the selection list.

The combination is not symmetric. A bank with operations in 20 Member States but a low-risk customer base and clean enforcement history can rank below a fintech with operations in seven Member States, a high proportion of crypto-on-ramp customers, and historical thematic supervisory criticism. AMLA has signalled that the inherent risk weighting is meaningful.

Selection is not a public process in real time. AMLA coordinates with national competent authorities, conducts the risk assessment, and publishes the resulting list. Firms learn their status through formal notification rather than market disclosure. Most firms operating cross-border at scale already know whether they are likely to make the list.

What direct supervision actually changes

Direct AMLA supervision differs from current national supervision in three operational ways. The first is examination methodology. AMLA will apply its own supervisory approach, which prioritizes outcome-effectiveness over process-compliance. Firms will need to demonstrate that AML controls work in practice, not just that the controls exist on paper. This mirrors the FinCEN proposal in the United States to shift from technical-compliance assessment to effectiveness-based assessment, and the convergence is not coincidental.

The second is data integration. AMLA will require directly supervised firms to provide standardized data feeds for ongoing supervision. The data standards are still being finalized through Regulatory Technical Standards, with approximately 23 Level 2 and Level 3 measures due by July 10, 2026. Firms with fragmented data architectures, where customer due diligence sits in one system, transaction monitoring in another, sanctions screening in a third, and case management somewhere else, will face material remediation costs to meet the integration requirements.

The third is the cross-border consolidation. AMLA supervision is consolidated. A firm operating in seven Member States is supervised once, by AMLA, against a single rulebook. The current model, where the same firm faces seven national supervisors with seven implementations of the AML directive, ends. The consolidation is administratively simpler but raises the bar on consistency. A control that worked in Member State A but failed an examination in Member State B used to be a national problem. Under AMLA, it is a single supervisory finding with EU-wide consequences.

Why the timeline matters more than the list

The list of 40 firms matters, but the supervisory methodology matters more. AMLA's approach will set the operational standard for cross-border AML supervision regardless of whether a firm is on the list. National competent authorities are required to coordinate with AMLA and, in practice, will adopt AMLA's expectations as their own.

That has practical implications for the roughly 8,000 EU-obligated firms that will not be directly supervised. The single rulebook under the Anti-Money Laundering Regulation applies to all of them from July 10, 2027. The supervisory approach that AMLA is developing now will be the lens through which national supervisors examine those firms in 2027, 2028, and beyond.

For US, UK, Canadian, and Asian firms operating into the EU through subsidiaries, branches, or freedom-of-services passporting, the same standard applies. Cross-border activity into the EU triggers EU AML obligations regardless of head-office location. The AMLA effect reaches well beyond the 40-firm list.

What to do this quarter

For firms that expect to be on the AMLA direct-supervision list, the practical work is data integration and outcome-effectiveness documentation. Data integration is the harder of the two for firms with vendor patchwork architectures. The supervisory data feeds AMLA will require span the full AML lifecycle, and the data needs to be reconcilable across systems. Firms running KYC in one vendor, transaction monitoring in another, sanctions in a third, and case management in a fourth face an integration project of meaningful scale before the 2028 supervision start.

Outcome-effectiveness documentation is conceptually different from process-compliance documentation. Process compliance asks: did you do the customer due diligence? Outcome effectiveness asks: did the customer due diligence catch the customers you should have caught? Demonstrating outcome effectiveness requires retrospective analysis of cases the firm did and did not catch, with traceability back to the controls that should have surfaced them. Firms that have not yet started this kind of retrospective analysis should start now. The data lookbacks alone take months.

For firms that do not expect to be on the AMLA list but operate cross-border into the EU, the same supervisory methodology will apply through national competent authorities by 2028. The remediation timeline is identical. The work is the same.

For firms operating into the EU from third countries, the threshold question is whether the firm's EU-facing structure should be reconsidered. Some firms will conclude that consolidating EU activity into a single regulated entity simplifies AMLA-aligned supervision. Others will conclude that the costs of consolidation exceed the costs of distributed compliance. The answer turns on volume, customer mix, and corporate structure, but the question itself is now on the table for any firm with meaningful EU activity.

The AMLA direct-supervision list of 40 is significant. The AMLA supervisory methodology applied to the rest of the obligated population is more significant. Firms preparing for one without preparing for the other are preparing for the wrong thing.