.webp)
Listen To Our Podcast🎧
The arrival of amla direct supervision banks reshapes EU anti-money laundering enforcement at the structural level. For the first time, a single supranational authority will directly supervise the highest-risk credit and financial institutions operating across EU member states, replacing the fragmented national approach that let major scandals go undetected for years. If you run compliance at a large bank, cross-border fintech, or payment institution with EU operations, the AMLA selection list is the regulatory event you cannot afford to misread.
This post covers which institutions fall under AMLA direct supervision first, the exact selection criteria, what the phased rollout means for your aml compliance posture, and the technology investments that will separate institutions that pass AMLA's scrutiny from those that don't.
What Is AMLA and Why Does Direct Supervision Matter for Banks?
The Anti-Money Laundering Authority (AMLA) was established by Regulation (EU) 2024/1620, published in June 2024. Its mandate is twofold: direct supervision of the highest-risk obliged entities, and coordination of national financial intelligence units through a network called AMLA's FIU Cooperation framework. AMLA is headquartered in Frankfurt and is expected to be fully operational by 2025, with direct supervision commencing in 2028.
The practical implication is this: amla direct supervision banks will no longer be accountable only to their home country supervisor. AMLA will conduct its own risk assessments, demand its own data, and impose sanctions directly. For institutions used to a single-regulator relationship, the addition of a supranational layer changes the accountability architecture entirely.
How AMLA Differs from Existing EU AML Frameworks
Before AMLA, EU AML enforcement was notionally harmonized through Anti-Money Laundering Directives (AMLD4, AMLD5, AMLD6) but practically fragmented. Each member state transposed the directives differently, and national supervisors varied dramatically in their enforcement intensity. The FATF's mutual evaluation reports repeatedly flagged supervision gaps in individual EU countries, particularly around cross-border group structures where no single supervisor had full visibility.
AMLA changes the equation by creating a consistent supervisory standard applied by one body across all 27 member states. National supervisors don't disappear; they continue overseeing the broader obliged entity population. But AMLA sets binding supervisory methodologies that national authorities must follow. In practice, the standards applied to amla direct supervision banks will ripple down to every institution in the EU over time.
The AMLA Regulation Timeline
The key milestones compliance teams should track:
- 2024: AMLA Regulation published; AMLA begins establishing governance and hiring
- 2025: AMLA becomes fully operational; Single Rulebook development begins
- 2026-2027: First selection process for directly supervised obliged entities
- 2028: AMLA begins direct supervision of up to 40 selected entities
- Rolling basis: Re-selection every three years thereafter
The 2026-2027 selection window is when compliance investments made today will be evaluated. Institutions that wait for the Single Rulebook to be finalized before starting their gap analysis will be too late.
Which Banks Fall Under AMLA Direct Supervision First?
AMLA will directly supervise up to 40 obliged entities in its first selection cycle. These are drawn from credit institutions and financial institutions operating across the EU, and selection follows a two-stage process defined in the regulation.
The Criteria for Priority Obliged Entity Selection
To be eligible for direct supervision, an institution must meet the cross-border threshold: operations in at least six EU member states, either through branches, subsidiaries, or active provision of services. This immediately narrows the pool to large pan-European banking groups, major payment institutions, and cross-border fintechs with significant EU footprints.
Within that eligible pool, AMLA applies a risk-based ranking. The risk score incorporates:
- Residual ML/TF risk rating assigned by the home country supervisor
- Volume of cross-border activity relative to total business
- Number of member states in which the entity operates
- Nature of products and services (correspondent banking, crypto-asset services, and payment processing score higher)
- Past supervisory findings including enforcement actions and sar filing deficiencies
Institutions scoring highest on this composite ranking are selected first. AMLA will publish its methodology through the Single Rulebook, but draft regulatory technical standards already signal that transaction volume, geographic spread, and aml compliance history are the dominant factors.
Cross-Border Operations and Selection Thresholds
The six-member-state threshold is a minimum, not a target. Institutions operating in 15 or more EU countries face significantly higher selection probability regardless of their risk ratings, because the cross-border supervision gap is largest for them. Large banking groups with operations across all 27 EU member states should treat amla direct supervision as near-certain rather than merely probable.
For payment institutions and e-money institutions, the threshold works slightly differently. Institutions providing services across borders without establishing branches count each member state where they actively have customers. A cross-border fintech with 500,000 customers spread across eight EU countries will likely qualify for the selection pool even with limited physical presence.
The exact selection thresholds in the regulatory technical standards were still being finalized as of early 2026. Institutions should monitor the European Banking Authority's AML publications for updates to the draft RTS on selection criteria.
AML Compliance Requirements Under AMLA Direct Supervision
Being selected for amla direct supervision banks doesn't just mean more oversight. It means operating under a materially different compliance standard. AMLA will apply its own supervisory methodology, conduct direct on-site inspections, and impose fines of up to €10 million or 10% of annual turnover for serious violations.
BSA AML Compliance Checklist for AMLA Readiness
For institutions assessing their gap to AMLA-ready compliance, this bsa aml compliance checklist covers the core program requirements:
- Risk assessment documentation: A comprehensive, board-approved aml risk assessment guide covering all products, services, geographies, and customer segments with quantitative scoring
- Customer due diligence: Full kyc cdd requirements banks must meet, including beneficial ownership verification to the 25% threshold (or lower for high-risk customers)
- Enhanced due diligence: A documented enhanced due diligence guide for all high-risk relationships, covering PEPs, correspondent banking, and high-risk jurisdiction customers
- Transaction monitoring: Rule-based and AI-supported systems with documented tuning rationale and alert disposition rates
- SAR filing: Timely sar filing with documented escalation procedures and sar filing efficiency metrics tracked against benchmarks
- CTR filing: Compliance with ctr filing rules, including currency transaction thresholds applicable in each member state where the institution operates
- Training: Annual AML training with role-specific modules and documented completion records for all relevant staff
- Governance: Board-level accountability with a designated MLRO holding sufficient seniority and independence from business lines
AMLA's Joint Supervisory Teams will review all of these during inspections. Gaps in documentation are treated as compliance failures even where the underlying processes are sound.
Enhanced Due Diligence Guide for High-Risk Relationships
The enhanced due diligence guide becomes critical for AMLA-supervised entities because AMLA's Single Rulebook will standardize EDD requirements across all 27 member states for the first time. Currently, EDD thresholds vary significantly. What triggers EDD in one country may not trigger it in another, creating inconsistencies for groups operating across borders.
Under AMLA standards, EDD is mandatory for:
- Customers from high-risk third countries listed by the European Commission
- Politically exposed persons (PEPs) and their immediate associates
- Correspondent banking relationships with non-EU institutions
- Customers using anonymity-enhancing products or services
- Business relationships where source of wealth cannot be verified through standard means
Documenting EDD decisions with full audit trails is non-negotiable. AMLA inspectors will test whether EDD decisions are proportionate, documented, and reviewed at appropriate intervals, not just whether an EDD policy exists on paper.
How Fintechs Prepare for AML Compliance Under AMLA
The fintech sector deserves specific attention because many fast-growing payment institutions and crypto-asset service providers will find themselves in AMLA's selection pool sooner than expected. aml compliance fintech isn't a smaller version of bank compliance. It has distinct challenges around customer volume, onboarding speed, and the technical architecture of compliance systems.
Fintech BSA AML Small Team Challenges
The fintech bsa aml small team challenge is real. A fintech operating in eight EU countries with one million active customers might have a compliance team of 15 people. Under AMLA direct supervision, that team needs to produce the same quality of documentation, risk assessments, and supervisory responses as a large bank with a compliance department of 200.
The answer isn't hiring at the same ratio. It's building compliance operations that use anti money laundering technology to multiply the effectiveness of each compliance professional. That means automated customer risk scoring, AI-assisted transaction monitoring, and workflow tools that route alerts to the right analyst without manual triage.
For aml compliance fintech operations specifically, gaps tend to cluster around three areas: SAR filing consistency (inconsistent narrative quality across jurisdictions), EDD documentation (incomplete or unstandardized records), and governance trails (decisions made in messaging tools rather than documented workflows). Each of these is fixable with the right tooling before AMLA selection begins.
KYC Automation 2026 Priorities
kyc automation is the most immediate technology lever for AMLA readiness. kyc automation 2026 priorities for institutions entering the selection pool should focus on:
- Perpetual KYC: Moving from periodic refresh cycles to continuous monitoring of customer data changes, so risk profiles update in real time rather than at annual review
- Beneficial ownership verification: Automated registry lookups across EU member states, reducing manual research from hours to minutes per case
- Document verification: AI-assisted identity document checks that flag anomalies without requiring human review for every case
- Risk scoring integration: KYC outputs feeding directly into transaction monitoring thresholds, so higher-risk customers receive tighter monitoring automatically
Institutions that have already invested in regulatory compliance automation platforms report that combining perpetual KYC with automated risk scoring reduces compliance team workload by 40-60% for routine cases, freeing analysts to focus on complex alerts that require genuine human judgment.
SAR Filing Requirements and CTR Filing Rules Under AMLA
sar filing is where AMLA will apply the most visible scrutiny in its first inspection cycle. Poor SAR narratives, late filings, and inconsistent escalation criteria are easy for supervisors to identify and quantify, which makes SAR quality a reliable early signal of overall compliance program maturity.
SAR Filing Best Practices for Directly Supervised Entities
sar filing best practices for AMLA-supervised institutions require more rigor than most national standards currently demand. The suspicious activity report guide expected as part of the Single Rulebook will set minimum content requirements for SAR narratives. Based on draft standards circulating through 2025, sar filing requirements 2026 are expected to include:
- Who, what, when, where, why: Every SAR must clearly identify the subject, describe the suspicious activity with specific transaction details, provide date ranges, identify the jurisdiction, and explain the basis for suspicion
- Source of information: Documents reviewed, systems queried, and analyst conclusions documented
- Related parties: Links to other accounts, entities, or transactions flagged in the same investigation
- Escalation timeline: Documentation showing when the alert was generated, when it was reviewed, and when the SAR was filed
sar filing efficiency is also under scrutiny. AMLA will measure average time-to-file against industry benchmarks, and institutions with systemic delays will be flagged during inspections. aml compliance software that automates SAR drafting from alert data can reduce filing time from several days to hours while improving narrative consistency across jurisdictions.
What Changes in CTR Filing Under AMLA
ctr filing rules vary significantly across EU member states today. Some jurisdictions require currency transaction reports above €10,000, others use different thresholds, and a few have no CTR equivalent at all. AMLA's Single Rulebook will introduce harmonized thresholds and filing formats across all member states, removing the need for institution-specific CTR workflows in each country.
For institutions currently managing different CTR processes across multiple countries, this harmonization is operationally welcome but requires a technology transition. Legacy aml compliance software built around country-specific hardcoded rules will need reconfiguration. Institutions running modern platforms with configurable rule engines will adapt faster than those relying on vendor-managed threshold logic.
Anti-Money Laundering Technology 2026 Priorities
anti money laundering technology is evolving faster than the regulatory requirements it supports, which creates both opportunity and risk. The opportunity: institutions can deploy anti money laundering technology 2026 capabilities that make AMLA supervision significantly easier to manage. The risk: institutions that continue investing in legacy rule-only systems will find AMLA inspectors questioning why their monitoring is less sophisticated than peer institutions operating in the same jurisdictions.
AML Compliance Software Selection Criteria
When evaluating aml compliance software for AMLA readiness, prioritize these capabilities:
- Explainability: AMLA inspectors will want to understand why the system generates specific alerts. Black-box models without explainability outputs create supervisory risk even when model performance is strong
- Configurability: The ability to adjust transaction monitoring rules, risk thresholds, and KYC parameters without vendor involvement, so compliance teams can respond to AMLA guidance within days rather than months
- Audit trails: Every alert decision, SAR filing, and risk assessment change logged with timestamps, user IDs, and documented rationale
- Cross-border data handling: For institutions operating across multiple EU member states, the software must handle data residency requirements under GDPR while still enabling group-level AML oversight
The eu ai act financial services intersection is also relevant here. AI-based transaction monitoring systems may classify as high-risk AI systems under the EU AI Act, imposing additional obligations around model documentation, bias testing, and human oversight. Compliance teams should evaluate this intersection before making technology commitments, since both frameworks apply simultaneously from 2026 onward.
AML Risk Assessment Guide for AMLA Supervisory Standards
The aml risk assessment guide requirements under AMLA go beyond what most institutions currently produce. AMLA expects a comprehensive enterprise-wide risk assessment that:
- Covers inherent risk before controls, with quantitative scoring where possible
- Quantifies residual risk after control effectiveness assessment
- Maps controls to specific risk categories with evidence of control testing
- Includes product-level, customer-segment-level, and geography-level risk breakdowns
- Is reviewed and approved at board level, not just senior management
For institutions currently producing narrative-only risk assessments without quantitative scoring, moving to a structured, scored framework is a significant operational investment. Starting that process in 2026 gives institutions two years to mature the methodology before AMLA selection decisions are made.
Community Banks and the AMLA Supervision Cascade
bsa aml compliance community banks face a different challenge than their larger peers. Community banks are unlikely to meet the six-member-state threshold for direct AMLA supervision. But the AMLA framework still matters to them through what compliance professionals call the supervision cascade: AMLA sets methodologies that national supervisors adopt, and national supervisors then apply those methodologies to all institutions they oversee.
How AMLA Standards Flow to Indirectly Supervised Institutions
bsa aml compliance community banks should expect their national supervisors to begin adopting AMLA's risk assessment methodologies, SAR quality standards, and KYC documentation requirements within two to three years of AMLA's first supervisory cycle. This pattern has repeated with every previous EU regulatory harmonization effort. The AMLA-supervised tier sets the reference standard, and national supervisors align to it.
For community banks, compliance investments made for AMLA-adjacent reasons, better documented risk assessments, more structured SAR narratives, automated KYC refresh, will also satisfy increasingly demanding national supervisory expectations. The investment case isn't just about AMLA; it's about staying ahead of standards that will eventually apply across the board.
The parallel in non-bank financial services is instructive. As documented in the AML risk checks in policy issuance strategy for compliance officers in insurance, even insurers are seeing AML supervisory standards tighten well beyond what their direct regulatory relationship would suggest. The same dynamic is playing out in fintech, as the AML screening in digital lending strategy for payments risk officers illustrates. For institutions looking at the automation path, the sanctions screening automation strategy for CISOs provides a practical model for building automated compliance infrastructure that scales regardless of supervisory tier.
Onboard Customers in Seconds
Conclusion
amla direct supervision banks isn't a distant regulatory event. The selection process begins in 2026, giving institutions barely two years to demonstrate that their aml compliance programs meet AMLA standards. The institutions selected first are those with the broadest EU footprints and the highest inherent risk profiles, but the supervisory standards AMLA establishes will eventually apply across the entire EU financial sector.
The priorities for compliance teams are clear: complete a gap analysis against AMLA's expected Single Rulebook requirements, invest in kyc automation 2026 to replace manual processes that won't scale under direct supervision, and build sar filing efficiency into compliance workflows before the first inspection cycle begins. Institutions that treat AMLA as a 2028 problem rather than a 2026 preparation challenge will find themselves reactive when selection decisions are announced.
For a broader view of how leading institutions are structuring their compliance automation programs ahead of AMLA, see the DORA compliance automation strategy for risk heads in banking and the analysis of agentic AI approaches to false positive reduction. The time to build that foundation is now.
Share this article