AMLA Direct Supervision: How Luxembourg Entities Are Identified for the 2027 Selection

ByOfficer

Last updated: June 2026

If a Luxembourg credit institution or financial institution ends up on AMLA’s list of selected obliged entities, its day-to-day AML/CFT supervisor changes. Its supervisor moves from the CSSF to a Frankfurt-based EU body that reviews policies, runs inspections, and can impose pecuniary sanctions. AMLA direct supervision is that mechanism, and the data that decides who is in scope is being collected right now.

On 1 June 2026 the CSSF told relevant Luxembourg entities to review AMLA’s two documents, participate in the 10 June 2026 webinar, and prepare for the new data collection exercise. It was relaying a reporting package AMLA had published on 12 May 2026 to identify which entities are provisionally eligible for direct supervision. Feed the exercise poor data and a firm can be misclassified: pulled into scope it could have avoided, or left out of remediation it should have started.

This is a change note on what the CSSF announced, what AMLA’s package asks for, and how the criteria in Regulation (EU) 2024/1620 decide which institutions are eligible. What it is not is a published list of named Luxembourg firms, and that distinction runs through the whole exercise.

Related reading: what the AMLR changes in Luxembourg

What the CSSF announced, and what it did not

The CSSF communication of 1 June 2026 does two things. It points relevant Luxembourg entities to two documents AMLA released on 12 May 2026, and it tells them to prepare for a data collection the CSSF will organise. It also flags AMLA’s public webinar of 10 June 2026.

The CSSF has not named any institution and has not published a list of entities that will fall under AMLA. Identifying provisionally eligible entities is a data-gathering step: national supervisors collect standardised figures from the obliged entities in their remit, AMLA aggregates them, and only then does an eligibility picture emerge. The CSSF is running the Luxembourg leg of a Union-wide exercise, not handing down a verdict. Article 12(2) of the AMLA Regulation requires both supervisory authorities and the obliged entities under assessment to supply AMLA with the information needed to carry it out.

The eligibility gate: a cross-border footprint, not size

The first filter is geographic reach, and it is narrower than many compliance teams assume. Article 12(1) of Regulation (EU) 2024/1620 sets the assessment perimeter at credit institutions, financial institutions, and groups that operate in at least six Member States, including the home Member State. Operating counts whether through an establishment or under the freedom to provide services, and whether delivered through local infrastructure or remotely.

That last point trips people up. A Luxembourg firm that passports services into five other Member States without a branch in any of them still operates in six Member States here. The draft regulatory technical standards (RTS) under Article 12(7) tie freedom-to-provide-services activity to materiality thresholds: more than 20,000 customers resident in the Member State as at 31 December of the previous year, or more than EUR 50 million of annual incoming and outgoing transactions generated by those customers. A large domestic-only bank sits outside the perimeter; a mid-sized institution with genuine activity across six Member States sits inside it. That cross-border logic also drives the AMLA home-host supervisory cooperation framework.

How risk classification turns eligibility into selection

Passing the cross-border gate makes a firm eligible for assessment. It does not make it selected. The next step is a risk classification, and the regulation is prescriptive about how it works.

Article 12(3) requires AMLA to classify each assessed entity’s inherent and residual risk profile as low, medium, substantial, or high, using benchmarks fixed in the RTS, and for a group the classification is made at group-wide level. The methodology is built separately for eleven categories of obliged entity under Article 12(4), from credit institutions to crypto-asset service providers. Inherent risk benchmarks under Article 12(5) draw on customers, products, transactions, delivery channels, and geography, with named indicators such as non-resident customers from high-risk third countries, politically exposed persons, and correspondent banking exposure. Residual risk under Article 12(6) then tests the quality of the internal controls used to mitigate inherent risk.

Selection follows mechanically. Article 13(1) provides that any entity whose residual risk profile is classified as high qualifies as a selected obliged entity, with no discretion at this stage. The one moving part is volume: Article 13(2) lets AMLA, in consultation with supervisors, hold the list to a number greater than 40 where more than 40 entities qualify, prioritising those operating in the most Member States, with a tie-break on the ratio of third-country transactions to total transactions.

Eligible, selected, and under AMLA direct supervision

These three words get used interchangeably. The current exercise produces a provisional list of eligible entities. Eligibility means a firm meets the cross-border criterion and will be assessed for risk. Selection is the later decision, taken in 2027, that a firm’s residual risk is high enough to qualify under Article 13(1). Direct supervision is the operational reality that starts once AMLA takes over.

Article 13(4) sets the sequence. AMLA must commence the first selection process by 1 July 2027 and conclude it within six months, then publish the list of selected obliged entities without undue delay, and begin direct supervision six months after that publication. AMLA describes direct supervision as starting in 2028. So a firm eligible in September 2026 may still not be selected in 2027, and a selected firm does not change supervisor on the day the list appears. Nothing here switches off national supervision for everyone else: non-selected entities stay with the CSSF, which continues to run AML reporting in Luxembourg as before. AMLA’s reach over a non-selected firm is the Article 14 exception, available only where a supervisor’s measures have failed to address serious, repeated, or systematic breaches.

The timeline that drives the data work

The dates that matter next are short. AMLA published the reporting package, including the standardised updated reporting template (v1.1) and an interpretative note, on 12 May 2026. AMLA collects the data from national supervisors by 15 August 2026, an error correction and alignment phase follows with home supervisors, and AMLA expects to finalise the provisional list of eligible entities by the end of September 2026.

For a Luxembourg reporting team, the firm-level work has to land in time for the CSSF’s practical arrangements, which the CSSF said it would provide after the webinar. The figures feeding the template are risk-factor data points an institution should already hold, but they have to be cut to AMLA’s definitions, not the firm’s. Read the interpretative note before populating the template, since it defines what counts as operating in a Member State and how to measure the thresholds. This is closer to the CSSF AML/CFT data collection than to a one-off survey: a structured submission with definitions that will be checked. A firm rated medium risk at home can still surface as high on AMLA’s group-wide benchmarks, because the two methodologies are aligned but not identical.

Frequently Asked Questions

Has the CSSF published a list of Luxembourg entities going under AMLA?

No. The CSSF communication of 1 June 2026 points firms to AMLA’s reporting package and asks them to prepare for a data collection. No institution has been named, and no selection list exists yet. The provisional list of eligible entities is expected from AMLA by the end of September 2026.

Which entities are in scope for the assessment?

Article 12(1) of Regulation (EU) 2024/1620 limits the assessment to credit institutions, financial institutions, and groups operating in at least six Member States, including the home Member State, through establishments or under the freedom to provide services. Activity carried out remotely counts.

Does being eligible mean a firm will be directly supervised?

No. Eligibility means a firm meets the cross-border criterion and will be assessed for risk. Only entities whose residual risk profile is classified as high qualify as selected obliged entities under Article 13(1), and selection happens in 2027.

How many entities will AMLA directly supervise?

For the first selection, the transitional Article 106(2) caps the cohort at the 40 entities operating in the most Member States, even where more than 40 would qualify as high residual risk under Article 13(1). AMLA’s public material describes the first cohort as around 40 selected obliged entities across the EU.

When does AMLA actually take over supervision?

Article 13(4) requires the first selection to begin by 1 July 2027 and conclude within six months, with the list published without undue delay and direct supervision starting six months after publication. AMLA describes direct supervision as beginning in 2028.

If a firm is not selected, does the CSSF stop supervising it?

No. Non-selected obliged entities remain under CSSF supervision. AMLA can take over a non-selected entity only in the exceptional circumstances set out in Article 14, where serious, repeated, or systematic breaches are not being addressed at national level.

What is the immediate deadline a Luxembourg firm should track?

AMLA collects the data from national supervisors by 15 August 2026. The CSSF said it would provide the practical arrangements for the local collection after the 10 June 2026 webinar, so firms should confirm those rather than work back from the AMLA date.

Related Articles

Key Takeaways

  • The CSSF communication of 1 June 2026 launches the Luxembourg leg of a data collection, not a published list of named entities.
  • AMLA released the reporting package, including the standardised updated reporting template (v1.1) and an interpretative note, on 12 May 2026. AMLA notes that the updated template corrects an issue where some older Excel releases could wrongly show a green DataQualityDashboard status despite missing freedom-to-provide-services data.
  • The assessment perimeter under Article 12(1) is firms operating in at least six Member States, including the home Member State, by establishment or freedom to provide services, including remotely.
  • Selection is risk-driven, not size-driven: only a high residual-risk classification under Article 13(1) makes an eligible firm a selected obliged entity.
  • Eligible, selected, and directly supervised are three different states reached at three different times.
  • AMLA collects data from national supervisors by 15 August 2026 and expects the provisional eligibility list by end of September 2026.
  • The first selection runs in 2027 under Article 13(4); direct supervision begins in 2028, and non-selected firms stay with the CSSF.

Sources and References

  • CSSF, “Identification of obliged entities that will be eligible for direct supervision by AMLA” (published 1 June 2026): cssf.lu
  • AMLA, “AMLA takes next step toward 2027 selection of entities for direct supervision” (12 May 2026), Updated Template (V1.1) and interpretative note: amla.europa.eu
  • AMLA, “About AMLA” (seat, mandate, direct supervision from 2028): amla.europa.eu/about-amla
  • Regulation (EU) 2024/1620 (AMLA Regulation), Articles 12, 13 and 14, CELEX 32024R1620: eur-lex.europa.eu
  • AMLA, Final report on draft RTS under Article 12(7) AMLAR (16 December 2025), Article 1 materiality thresholds: amla.europa.eu/policy/regulatory-instruments

Where the next decision really sits

The headline reads like a 2028 problem, but the decision that matters is being made on 2026 data. Whether a Luxembourg institution is even eligible for the 2027 selection turns on the cross-border footprint and risk figures it submits this summer. The selection logic is driven by the eligibility and residual-risk inputs, so the place to get it right is the data submitted through the CSSF. Read the interpretative note first, count Member States honestly, and treat the template as a submission that will be reconciled.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts

  • DORA Register of Information – A Practical Guide for Financial Entities

    Last updated: March 2026 Your compliance team has a list of ICT providers. Your procurement team has a different list. Your IT department has a third list that includes vendors nobody told compliance about. You now have until 31 March 2026 to reconcile all three into a single, structured, template-compliant DORA Register of Information and…

  • CSSF AML/CFT Standardised Data Collection – What the New AMLA Template Requires

    Last updated: March 2026 Your compliance team filled out the CSSF Questionnaire on Financial Crime last year. This year, you can forget everything about that format. The CSSF has replaced its annual questionnaire with a standardised template developed by the European Authority for Anti-Money Laundering (AMLA). The data points are different, the structure is different,…

  • AML Reporting in Luxembourg: STRs, GoAML, and Your Obligations

    Last updated: March 2026 Introduction AML reporting in Luxembourg is mandatory for every regulated financial institution and obliged entity – failure to file suspicious transaction reports exposes your firm to regulatory sanctions, reputational damage, and legal liability. For compliance officers, risk managers, and AML practitioners in Luxembourg’s financial sector, understanding when and how to file…