AMLA Selected-Entity Diagnostic: Are You at Risk in Q3 2026?

The single most expensive miscalculation a CASP, EMI or PI board can make over the next six months is assuming that AMLA direct supervision is somebody else's problem. The Authority for Anti-Money Laundering and Countering the Financing of Terrorism — AMLA, headquartered in Frankfurt — publishes its first selected-entity list in Q3 2026. The firms on that list move out of NCA-only supervision and into a hybrid regime led by AMLA joint supervisory teams. The firms that misread their exposure are the ones who arrive at that supervisory transition unprepared.

The selection criteria are not opaque. They are codified at framework level in the AMLA Regulation (EU) 2024/1620 and elaborated in the EBA risk-tier methodology that AMLA inherits. What no public document gives you, however, is the diagnostic — the internal scoring exercise a firm can run today to estimate, with reasonable confidence, whether it is in the selection cohort or outside it. That is what this article provides.

We call it the AMLA selection scorecard — a six-dimension diagnostic CASPs, EMIs and PIs run internally to score their selection probability before the supervisory letter arrives. Six dimensions: size, geographic footprint, residual risk profile, cross-border activity intensity, ML/TF risk score, and governance maturity. The article maps each dimension, gives a 1–5 scoring rubric, and explains what a high composite score actually means for the supervisory regime you will live under from late 2026.

The legal basis sits in Regulation (EU) 2024/1620¹^[1], which establishes AMLA as the EU's first dedicated anti-money laundering authority with both direct supervisory powers over a defined population of selected obliged entities and indirect coordination powers over the wider NCA network. The architecture mirrors the ECB Single Supervisory Mechanism model used for significant credit institutions — direct supervision of the riskiest cohort, supervisory coordination of the rest.

The substantive AML rules selected entities must comply with sit in the AMLR — Regulation (EU) 2024/1624 — and in the parallel AMLD6. AMLA does not write the substantive rules; it enforces them, directly, against the selected cohort. The selection event is therefore not a rule-change for the firm — the AMLR obligations apply equally to selected and non-selected entities — it is a supervisor-change. The intensity, frequency, and consequence-of-failure of supervision shift fundamentally for selected firms.

The first selected-entity list is expected in Q3 2026. AMLA's direct supervisory mandate over those entities is then phased in across the remainder of 2026 and into 2027, with joint supervisory teams — JSTs — staffed jointly by AMLA Frankfurt and home-state NCA personnel. The list will be capped at approximately 40 obliged entities in the first cohort, drawn from across the EEA, with material representation from CASPs, EMIs, PIs, and credit institutions running cross-border AML-sensitive franchises.

AMLA's selection methodology — partially codified in the AMLA Regulation and supplemented by inherited EBA technical work — converges on six scoring dimensions. Each dimension is independently scored on a 1–5 scale, then weighted into a composite. The dimensions are not equal weights — size and cross-border intensity carry materially more weight than governance maturity — but a high score on any dimension can pull the composite into the selection band.

Size is the gating dimension. AMLA's first cohort is small by design — roughly 40 entities — so the population is filtered at the top of the size distribution before risk scoring even begins. Three sub-metrics: total assets (for balance-sheet firms), customer base (active relationships), and annual transaction volume. A CASP with €5 billion+ of annual flows, an EMI with 5 million+ active customers, or a PI with €10 billion+ annual transaction volume scores 5 on size. A regional PI with under €500 million of flows scores 1 — and is, on size alone, almost certainly out of the first cohort.

The size dimension is also where the materiality threshold implicitly sits. AMLA cannot run a JST for a €50m balance-sheet firm — the supervisor cost would exceed the firm's own AML budget. Selection is structurally biased toward firms large enough that direct supervision is operationally feasible. Mid-market firms below the size threshold remain at NCA-only supervision, which is not the same as no supervision — it is just not direct AMLA supervision.

The geographic dimension is not about how many Member States you are passported into — that is the cross-border intensity dimension. Geographic footprint scores inherent ML/TF risk exposure of the jurisdictions in your customer / counterparty / transaction map. A firm with material exposure to FATF grey-list or high-risk third countries on the EU list scores high; a firm whose flows are predominantly intra-EEA with developed-market counterparties scores low.

The practical scoring exercise is to map the top 20 jurisdictions by transaction value or customer count and overlay the EU high-risk-third-country list plus the FATF lists. A firm with 25%+ of flows touching listed jurisdictions scores 5; under 5% scores 1. CASPs running non-EEA-resident customer books tend to score materially higher on this dimension than EEA-only EMIs.

Residual risk is the supervisor's view of inherent risk net of controls. A firm with a 4-out-of-5 inherent risk profile but exemplary control effectiveness can land at a residual 2; the same inherent risk with weak controls lands at a residual 5. The scoring input is the home NCA's most recent supervisory risk assessment — the ML/TF rating the NCA holds on the firm in its internal supervisory file.

A firm that has had an open NCA enforcement action in the past 36 months, or a known supervisory concern flagged in a Pillar 2 letter, will carry an elevated residual score that AMLA inherits directly. This is the one dimension where firms cannot self-score reliably — they should ask their NCA for the current rating during routine supervisory dialogue.

Cross-border intensity is the dimension where AMLA's mandate is at its sharpest. The political case for an EU-level AML supervisor — long argued by the European Banking Authority²^[2] — was that firms with material cross-border activity were under-supervised by home-state NCAs lacking visibility into host-state risk. AMLA is the structural answer. Firms active in 6+ Member States with material flows in each score 5; firms operating in a single home state score 1.

Materiality is measured by the lesser of two thresholds: €100 million of annual transactions originating from or terminating in a non-home Member State, or 20,000 active customers resident in that Member State. Passporting alone does not count — the firm must actually be doing business in the host state at material scale. This is the dimension where Lithuanian-licensed EMIs and Cypriot-licensed CASPs running pan-European customer books are most likely to land in the selection cohort.

The ML/TF risk score is a composite of business-model, product, channel, and customer-segment risk. CASPs intrinsically score higher than retail-only EMIs because crypto-asset transmission carries higher inherent ML/TF risk under the EU's supranational risk assessment. Within CASPs, firms offering non-custodial wallets, privacy-enhanced services, or high-cash-on-ramp volumes score higher than custodial exchanges restricted to fiat-on-ramp via SEPA.

For EMIs, the ML/TF risk-score modifiers are prepaid card programmes, agent / distributor networks, and cross-border remittance corridors into FATF grey-list jurisdictions. For PIs, account-information-service models score lower than open-banking-enabled payment-initiation models with merchant-acquiring overlays.

Governance maturity is the dimension a firm can move fastest. The supervisor is looking for: a board-level AML committee with a documented quarterly cadence, an MLRO at executive-committee level with direct board access, three-lines-of-defence separation that survives organisational stress, and independent AML audit on a tested annual cycle. A firm with all four scores 1; a firm where the MLRO reports two levels below the board and AML audit is delivered by the same external firm doing the statutory audit scores 5.

Governance maturity is the lowest-weight of the six dimensions in the selection formula, but it is the one most likely to determine how a JST treats the firm after selection. A firm with strong governance maturity but a high composite size / cross-border score will be selected — but it will live in a different supervisory tone than a firm of the same size with weak governance.

The scoring is deliberately conservative. AMLA's first cohort is capped at roughly 40 entities across the entire EEA — so a composite of 23+ does not guarantee selection, it puts the firm into the candidate pool from which the final list is drawn. The candidate pool is materially larger than 40; the supervisor's final selection within the pool is influenced by sectoral balance (AMLA wants representation across credit institutions, EMIs, PIs, CASPs) and geographic balance across home Member States.

Selection is not a sanction. It is a supervisory transition. The substantive rules — the AMLR, AMLD6, the Travel Rule under Regulation (EU) 2023/1113 — apply equally to selected and non-selected entities. What changes is who supervises compliance, how often, and with what consequence.

For a selected entity, the supervisor is a joint supervisory team — JST — led by an AMLA Frankfurt supervisor with seconded NCA staff. The JST runs a continuous supervisory cycle: an annual Supervisory Examination Programme (SEP), thematic deep-dives, on-site inspections at a cadence reflecting the firm's risk profile, and a year-end Supervisory Review and Evaluation Process (SREP-equivalent) producing a composite ML/TF risk score.

The enforcement powers are material. AMLA can impose administrative fines up to 10% of annual turnover — comparable to GDPR's headline ceiling — for serious, systematic AML breaches by selected entities. It can require management changes, restrict business activities, and (in coordination with the home NCA) withdraw authorisation. None of this is operationally similar to the typical NCA enforcement track, which is slower, less interventionist, and capped at lower numbers.

The most underappreciated row in the table is the cadence row. NCA supervision is typically punctuated — a thematic review every few years, a periodic visit, then quiet stretches. JST supervision is continuous. The supervisor is in the firm's life every quarter, with rolling reporting, rolling questions, and rolling expectations. Firms that have not built a supervisory-relations function staffed for that intensity find the first 12 months exhausting.

A firm scoring 23+ on the scorecard should be running a structured pre-selection readiness programme over the 12 months before the Q3 2026 list. Our companion piece on the AMLR readiness 12-month roadmap sets out the substantive AMLR build; the selection-readiness overlay is narrower — it focuses on the artefacts the JST will demand in the first 90 days of supervisory contact.

Four artefacts matter most: a current firm-wide ML/TF risk assessment no older than 12 months and signed off at board level; a control-effectiveness assessment mapping each material AML control to a testing cadence and last-test date; a governance pack with MLRO appointment, board AML committee terms of reference, and minutes for the last 24 months; and a data-readiness package capable of supplying transaction-level data extracts to JST templates within agreed SLAs.

The data-readiness package is where most firms underbuild. AMLA-wide standardised reporting templates land on selected entities in late 2026; firms that have not pre-built the data lineage from front-office systems through to a structured reporting layer find themselves running quarterly fire drills to assemble JST returns by hand. That work is far cheaper before selection than after.

For firms scoring on the borderline (19–22), there is a narrow but real pre-selection window in which scorecard movement matters. Three dimensions can be moved materially inside 12 months: residual risk (by remediating open NCA findings before the supervisor closes the assessment window), ML/TF risk score (by exiting the riskiest customer / product segments where commercial logic supports it), and governance maturity (by upgrading the MLRO seat, board AML committee, and AML audit).

Three dimensions cannot be moved meaningfully in 12 months: size, geographic footprint, and cross-border intensity. A firm that is large, EEA-wide, and AML-sensitive in product mix is structurally a selection candidate and cannot scorecard its way out without contracting its commercial footprint — which is rarely the right answer. For those firms, the strategic move is not de-selection; it is selection-readiness.

A second consideration: selection lists refresh. The AMLA Regulation contemplates a periodic re-selection cycle — typically three-yearly — at which entities can move into or out of the cohort. A firm not selected in 2026 but tracking toward the thresholds will see selection in 2029. Firms selected in 2026 that subsequently downsize or de-risk can in principle exit the cohort at the next refresh, though the supervisor will move conservatively on de-selection.

The expected window is Q3 2026. AMLA itself became operational in mid-2025 in Frankfurt; the selection methodology has been refined through 2025–2026, and the first list is timed to align with the AMLR full-application date and AMLA's full supervisory staffing build-out.

Approximately 40 obliged entities across the EEA, spread across credit institutions, EMIs, PIs and CASPs. The cap is operational — AMLA's first-year staffing supports a JST footprint of around that size — and is expected to expand at subsequent refreshes.

Yes — through the AMLA Administrative Board of Review with onward appeal to the Court of Justice of the European Union. In practice, the selection criteria are quantitative enough that a firm meeting the size and cross-border thresholds will struggle to argue against inclusion. Appeals are more useful for disputing methodology application than the underlying score.

The home NCA remains the firm's prudential supervisor for non-AML matters (capital, liquidity, conduct), and seconds staff to the AMLA JST for AML supervision. The firm now has two supervisors — AMLA for AML, NCA for everything else — coordinating through the JST structure. Firms generally find the NCA's prudential relationship continues largely unchanged; the AML relationship is the one that transforms.

Yes — the AMLA RTS deadline of July 2026 lands ahead of the Q3 selection event. Selected entities are expected to be compliant with the relevant RTS from selection day; the technical standards are not phased in for the cohort. Firms scoring on the selection scorecard should treat July 2026 as the de-facto compliance deadline rather than the AMLR's broader application timetable.

• AMLR Readiness 12-Month Roadmap — substantive AMLR build for CASPs, EMIs and PIs ahead of full application.

• AMLA RTS Deadline July 2026 — technical standards calendar and what selected entities must have evidenced.

• AML Compliance for Crypto Firms — 6AMLD — the substantive AML obligations the AMLA JST will be supervising against.

• AML Compliance Retainer for CASPs — how firms structure ongoing AML capacity for sustained supervisory engagement.

• Compliance Advisory — Finconduit's regulatory and AML advisory engagements for regulated fintechs.

The Q3 2026 selected-entity list is a once-in-a-generation supervisory event for the EU fintech sector. The firms that approach it with a scored, board-ratified view of their own exposure — built around the AMLR³^[3] rulebook the AMLA JSTs will enforce and the EBA work programme⁴^[4] feeding the methodology — will be the ones who arrive at the supervisory transition with options rather than improvisation. The diagnostic is cheap; the surprise is expensive.