EU AMLA: What US Firms with EU Operations Must Know in 2026

The EU's new Anti-Money Laundering Authority — AMLA — became operational on 1 July 2025, marking the most significant structural shift in European AML/CFT enforcement architecture in a generation. Headquartered at the Messeturm in Frankfurt, AMLA is not merely a rebrand of existing supervisory functions: it introduces direct federal-style supervision over the EU's highest-risk financial institutions and will enforce a directly applicable regulation — the EU AML Regulation (AMLR), Regulation (EU) 2024/1624 — across all 27 member states from 10 July 2027.

For US compliance officers, the reflex reaction may be to file AMLA under "European developments to monitor." That reflex is a compliance liability. Any US bank, broker-dealer, asset manager, or fintech with an EU subsidiary, branch, or significant EU correspondent banking relationship will be subject to AMLR obligations in those EU-based operations — and must begin building compliance programs now to meet the July 2027 effective date. The clock is running.

This guide explains what AMLA is, how it compares to the US FinCEN/BSA framework, what AMLR obligations apply to EU-based operations of US firms, and what practical steps compliance teams should take in 2026.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance professional for specific programme design questions.

What Is AMLA and Does It Apply to US Firms?

AMLA — the Anti-Money Laundering Authority — was established by Regulation (EU) 2024/1620 as a new EU-level supervisory body with both direct and indirect supervisory powers. Its mission is to eliminate the fragmented, jurisdiction-by-jurisdiction AML enforcement landscape that allowed high-profile scandals — Danske Bank, Wirecard, ABLV — to persist for years before decisive action was taken.

The direct answer to whether AMLA governs US-based financial institutions is: no, not directly. AMLA's authority is territorial: it supervises entities operating within the EU. A bank chartered in New York, operating exclusively in the United States, with no EU branches or subsidiaries, is not an AMLA obliged entity and is not subject to AMLR. The primary US AML framework remains the Bank Secrecy Act (BSA, 31 U.S.C. §§ 5311–5336), administered by FinCEN, with OFAC responsible for sanctions screening.

However, three categories of US firms face real AMLR exposure:

1. US banks with EU branches or subsidiaries. Any EU-established legal entity in a US banking group — a German GmbH, a Dutch BV, an Irish DAC — is an obliged entity under AMLR. From 10 July 2027, it must comply with AMLR's unified KYC standards, cash limits, UBO verification requirements, and FIU reporting obligations directly, without the ability to rely on US-equivalent standards as a substitute.

2. US financial institutions with significant EU correspondent relationships. AMLA's supervision of EU correspondent banks will create heightened due diligence expectations for US respondent banks. EU correspondents will be required to conduct enhanced due diligence on their US counterparties and to satisfy themselves that those counterparties meet equivalent AML standards. US banks that cannot demonstrate robust BSA/AML programs may find EU correspondent relationships at risk.

3. US crypto firms and fintechs expanding into the EU. Crypto-asset service providers (CASPs) operating in the EU are covered by AMLR and must be registered under the Markets in Crypto-Assets Regulation (MiCA). A US crypto firm that wants EU market access must build AMLR compliance into its EU operations from day one.

For US firms in categories 1 and 2, the right framing is not "does AMLA apply to us?" but "what does AMLR require of our EU operations, and are we ready?"

AMLA vs FinCEN/BSA: How the EU and US Approaches Compare

Understanding the structural differences between the EU and US frameworks is the starting point for a meaningful gap analysis. The two systems share the same ultimate objective — preventing financial crime — but differ significantly in architecture, legal form, and operational detail.

The most important structural difference for US firms is legal form. The AMLR is a regulation, not a directive — meaning it is directly applicable in all 27 member states without national transposition. This eliminates the variation in national AML rules that previously allowed regulatory arbitrage within the EU. A US bank's German subsidiary and its French subsidiary will face identical KYC obligations from July 2027; there is no longer a German rule and a French rule, only the AMLR.

Timeline: Key AMLA Dates US Compliance Officers Must Track

US compliance teams should treat 10 July 2027 as the hard deadline for EU subsidiary AMLR readiness. With a gap analysis, policy development, technology implementation, and staff training cycle that realistically takes 18–24 months, firms beginning work in mid-2026 are already operating with a compressed timeline.

AMLR Obligations for EU-Based Operations of US Firms

From 10 July 2027, all obliged entities established in the EU — including EU subsidiaries and branches of US financial institutions — must comply with AMLR directly. There are no grandfather clauses, no equivalence determinations that substitute US BSA compliance, and no transition periods beyond the July 2027 effective date.

The core AMLR obligations that EU-based operations of US firms must implement include:

Unified KYC and CDD requirements. AMLR establishes a single, directly applicable set of customer due diligence rules across all member states. Standard CDD applies to all customers; simplified CDD is available in lower-risk scenarios; enhanced CDD is mandatory for high-risk customers including PEPs, high-risk third countries, and correspondent banking relationships. US-trained compliance professionals will find many familiar concepts — risk-based approach, ongoing monitoring, transaction screening — but the specific triggers, thresholds, and documentation requirements are set by AMLR rather than FinCEN guidance.

Beneficial ownership verification. AMLR Article 62 sets the beneficial ownership threshold at 25% or more — identical to the FinCEN CDD Rule (31 CFR §1010.230). "The AMLR's 25% beneficial ownership threshold aligns with FinCEN's existing CDD Rule (31 CFR §1010.230) — but the EU rule applies uniformly across all member states without state-level variations." This alignment is a genuine point of convergence that can simplify global compliance program design for US groups, provided that the underlying documentation and verification processes satisfy AMLR's specific evidentiary requirements. Sources: Regulation (EU) 2024/1624, Art. 62; FinCEN CDD Rule.

Cash payment restrictions. The AMLR imposes a €10,000 cap on cash payments across the EU — a meaningful structural difference from the US framework, which imposes reporting requirements on cash transactions above $10,000 but does not prohibit them. EU-based operations of US firms must build this restriction into their customer onboarding terms and transaction processing systems. Additionally, customer identity verification is required for cash transactions from €3,000.

STR filing and FIU response timelines. EU obliged entities file Suspicious Transaction Reports (STRs) with their national Financial Intelligence Unit (FIU). AMLR requires obliged entities to respond to FIU information requests within 5 business days — a specific operational requirement that US compliance teams accustomed to FinCEN's SAR framework must build into their EU subsidiary procedures.

GDPR data governance. KYC and AML data processed in EU operations is subject to GDPR. Cross-border data transfers to US parent entities — including for group-level transaction monitoring or compliance system processing — require an adequate transfer mechanism (Standard Contractual Clauses, adequacy decision, or equivalent). This creates material friction for US firms that want to run centralized, US-based AML analytics across global operations.

New Obliged Entities: Crypto and Beyond

AMLR significantly expands the universe of obliged entities relative to the previous EU AML directives. For US firms with EU market presence beyond traditional banking, the following new categories are particularly relevant:

Crypto-asset service providers (CASPs). CASPs authorized under MiCA are fully in scope under AMLR from the effective date. A US crypto firm that has obtained or seeks MiCA authorization to offer services in the EU must comply with AMLR's CDD, UBO verification, and STR obligations for its EU operations. This is not optional: MiCA authorization and AMLR compliance are concurrent obligations, not alternatives.

Crowdfunding platforms. EU-authorized crowdfunding service providers under Regulation (EU) 2020/1503 are obliged entities under AMLR. US alternative finance firms operating EU crowdfunding platforms must build AML programs that satisfy AMLR, not just BSA standards.

Sports agents, luxury goods dealers, and high-value asset traders. AMLR extends AML obligations to a broader range of non-financial businesses and professions than many US practitioners expect. Sports agents, dealers in luxury goods, and intermediaries in high-value asset transactions are among the newly covered categories. US groups with EU operations in these sectors should assess whether those operations fall within AMLR's expanded obliged entity perimeter.

Mortgage credit intermediaries. Certain mortgage credit intermediaries operating in the EU fall within AMLR's scope — relevant for US financial groups with EU retail or commercial mortgage operations.

Practical Steps for US Firms with EU Exposure

The window between AMLA's 2025 launch and the July 2027 AMLR effective date is the compliance build window. Firms that use it effectively will avoid the remediation costs — and potential enforcement exposure — of being caught underprepared at the effective date. Practical steps for 2026:

1. Conduct an EU AML gap analysis. Map all EU-established legal entities against the AMLR obliged entity definitions. For each in-scope entity, assess current AML policies against AMLR requirements: CDD triggers, UBO verification standards, cash handling, STR procedures, FIU response capabilities, and GDPR-compliant data flows. Identify gaps against both current national rules and the incoming AMLR.

2. Update EU subsidiary AML policies and procedures. AMLR is directly applicable — national law implementation is not required, and from July 2027 AMLR provisions override inconsistent national rules. EU subsidiary AML manuals and procedures should be updated to reference AMLR directly rather than relying solely on existing national frameworks.

3. Align UBO verification workflows globally where possible. The 25% UBO threshold alignment between FinCEN CDD Rule and AMLR is a genuine opportunity to standardize global beneficial ownership verification workflows. However, AMLR's specific documentation requirements — cross-referencing EU beneficial ownership registers, GDPR-compliant data retention — mean that a US CDD form will not automatically satisfy AMLR requirements without adaptation.

4. Build GDPR-compliant data governance for AML data flows. Review all data flows between EU operations and US-based compliance systems, monitoring platforms, and analytics tools. Ensure adequate transfer mechanisms are in place and documented before July 2027. The intersection of AML data obligations and GDPR is a known operational challenge for US groups.

5. Leverage technology for document compliance. Managing KYC document verification across multiple EU jurisdictions — each with its own identity document types, business registration formats, and beneficial ownership registry structures — is a significant operational challenge. CheckFile supports 3,200+ document types across 32 jurisdictions, enabling US firms to automate EU document compliance as part of their AMLR readiness program. Explore CheckFile's KYC banking solutions or review the document compliance guide for a deeper look at multi-jurisdiction verification best practices.

6. Monitor AMLA technical standards. AMLA is actively developing regulatory technical standards and guidelines that will flesh out AMLR's requirements. US compliance officers should subscribe to AMLA's official communications and track FinCEN guidance on international AML coordination for developments relevant to their EU operations.

See also CheckFile pricing for document verification automation, and our security overview for data handling standards.

Frequently Asked Questions

Does AMLA directly regulate US-based financial institutions?

No. AMLA's supervisory authority is territorial and extends to entities established or operating within the EU. A US-chartered bank or financial institution with no EU presence is not subject to AMLA supervision or AMLR obligations. US domestic AML compliance continues to be governed by the Bank Secrecy Act, administered by FinCEN, with sanctions compliance overseen by OFAC. However, US firms with EU branches, subsidiaries, or CASP authorizations are subject to AMLR in those EU-established operations — and US banks with significant EU correspondent relationships will face heightened scrutiny from their EU counterparties under AMLR's enhanced due diligence requirements.

How does the AMLR beneficial ownership threshold compare to FinCEN's CDD Rule?

Both frameworks set the beneficial ownership threshold at 25% or more ownership or control of a legal entity. FinCEN's CDD Rule (31 CFR §1010.230) requires US banks to identify and verify natural persons who own 25% or more of a covered legal entity customer. AMLR Article 62 applies the same 25% threshold EU-wide. The key difference is uniformity: the AMLR threshold applies identically across all 27 member states, eliminating the national variations that previously existed under the EU's directive-based approach. For US groups designing global beneficial ownership programs, this convergence is operationally significant.

What is the EU cash transaction reporting threshold versus US CTR requirements?

The EU and US frameworks differ both in threshold and in legal effect. Under AMLR, cash payments above €10,000 are prohibited EU-wide — this is a payment cap, not merely a reporting trigger. Additionally, obliged entities must verify customer identity for cash transactions from €3,000. In contrast, the US framework does not prohibit large cash transactions: Currency Transaction Reports (CTRs) must be filed with FinCEN for cash transactions exceeding $10,000 (31 U.S.C. §5313), and Suspicious Activity Reports (SARs) must be filed for transactions of $5,000 or more that involve suspected money laundering at banks, or $2,000 or more at money services businesses (MSBs). US firms operating EU cash-handling operations — retail branches, payment services — must restructure those operations to comply with the EU payment cap, which has no equivalent in US federal law.

Do US crypto firms need to comply with AMLA?

US crypto firms operating exclusively in the United States are not subject to AMLA or AMLR. They remain subject to FinCEN's BSA-based regulations for virtual asset service providers, including money transmission licensing and SAR filing obligations. However, US crypto firms that have obtained or seek MiCA authorization to offer crypto-asset services in the EU are obliged entities under AMLR and must comply with its full CDD, UBO verification, STR filing, and record-keeping requirements for their EU operations. Given that MiCA and AMLR operate on overlapping timelines, any US crypto firm pursuing EU market access should integrate AMLR compliance into its MiCA authorization project rather than treating them as sequential workstreams.

How can CheckFile help US firms manage EU AML document compliance?

EU AML compliance involves verifying identity documents, business registration certificates, beneficial ownership registers, and supporting KYC documentation across 27 member states — each with distinct document types, formats, and authenticity indicators. CheckFile automates this process, supporting 3,200+ document types across 32 jurisdictions, including all EU member states. For US firms building AMLR-compliant KYC processes in their EU operations, CheckFile provides the document verification infrastructure to support onboarding at scale without manual review bottlenecks. Learn more about KYC banking solutions, review the document compliance guide, or view pricing.

---

Regulated disclaimer: This article is provided for general informational and educational purposes only. It does not constitute legal, regulatory, financial, or compliance advice. Regulatory obligations vary by institution type, jurisdiction, and operational profile. US firms with EU operations should seek advice from qualified legal counsel and compliance professionals with expertise in both US BSA/AML law and EU AMLR requirements. Information is current as of the date of publication; readers should verify the latest regulatory developments with official sources including FinCEN, AMLA, and EUR-Lex.