The AMLA Selection Exercise Has Started. Luxembourg Fund Managers Are in the Dataset.

On 1 June 2026, the CSSF published a communiqué addressed specifically to investment fund managers, TCSPs, specialised PFS, and the rest of its supervised universe. The instruction was direct: review the documents AMLA published on 12 May, participate in the webinar on 10 June, and prepare for the data collection exercise that follows.

The data collection it refers to is not the annual AML/CFT questionnaire. It is the structured reporting exercise that will produce the list of the 40 entities AMLA will directly supervise from January 2028. Luxembourg's fund managers and TCSPs are in that dataset. Most of them will not end up on the list. But the template they will be asked to complete reveals something more consequential than the selection itself.

The Selection Clock Is Running

On 12 May 2026, AMLA published a reporting package for the identification of provisionally eligible obliged entities — the first formal step in the process of selecting which institutions it will directly supervise. The package consists of a standardised reporting template and an interpretative note that sets out the data specifications in detail.

The timeline is specific. National supervisors, including the CSSF, will collect data from relevant entities by 15 August 2026. An error correction and alignment phase follows. The provisional list of eligible obliged entities is expected by end-September 2026. AMLA will host a public webinar on 10 June 2026 to walk through the template with relevant stakeholders.

The CSSF published its own communiqué on 1 June 2026, naming investment fund managers, specialised PFS, VASPs, and credit institutions among the entities that must review the documents and prepare. That timing leaves ten weeks to get ready.

Who Gets Directly Supervised — and Why It Matters for Everyone Else

AMLA's direct supervision applies to a narrow category. To be considered for direct supervision, an entity must operate on a cross-border basis in at least six EU member states and carry a high residual ML/TF risk profile. For the first selection cycle, the cap is 40 institutions. In practice, those 40 will be dominated by pan-European banking groups, large payment institutions, and possibly a small number of crypto-asset service providers with significant cross-border footprints.

A Luxembourg management company managing funds that invest across twenty countries is not the same thing as a regulated entity with AML obligations in six EU member states. The cross-border criterion is operational, not investment-portfolio-based. Most Luxembourg TCSPs and fund administrators will not meet it. They will not be selected for direct AMLA supervision.

That conclusion should not produce relief. It should produce a more precise question.

What Being in the Dataset Actually Means

The AMLA selection process does not work from an abstract list. It works from structured data that national supervisors collect and submit across their entire supervised population. The CSSF will produce a dataset that covers every relevant entity under its remit, not just the ones likely to qualify. AMLA uses that dataset to calibrate its risk assessment models, validate its selection methodology, and establish a harmonised baseline for sector-level AML risk across the EU.

For a fund manager or TCSP submitting data under this exercise, the consequences extend beyond the selection cycle. The data AMLA aggregates will inform the sector-wide risk indicators it publishes, the benchmarks it uses in its examination framework, and the thresholds it applies in subsequent selection cycles. An entity whose residual risk profile, control quality indicators, and compliance infrastructure data sit in that baseline will be compared against those benchmarks in future supervisory interactions.

There is a second consequence, more immediate for firms whose counterparties do make the list of 40. The entities that receive direct AMLA supervision will face examinations designed by an authority with EU-wide, structured data on what effective AML compliance looks like across institutional types. Those firms will raise their counterparty KYC standards, their documentation requirements, and their data demands on service providers. The compliance bar AMLA establishes through its first 40 selected entities will not remain within those 40 firms.

What the Template Actually Requires

The AMLA interpretative note makes clear what the reporting template asks for: structured, attribute-level data on risk profiles, cross-border activity metrics, compliance control quality, and remediation patterns. This is not a narrative questionnaire. The template requires fields, not paragraphs. It requires numbers and classifications, not explanations.

For a firm whose AML risk ratings exist in a spreadsheet, whose beneficial owner records live in PDF files, and whose control quality indicators have never been defined as quantifiable data points, completing the template accurately is a data reconstruction exercise, not a reporting task. The format does not accommodate a written narrative explaining why a case was rated low risk. It requires the field value that encodes that assessment in a structured, comparable form.

This gap is not unique to the AMLA template. The same problem surfaces in the CSSF's AML/CFT questionnaire, in the AMLR's business-wide risk assessment requirements, and in the CDD remediation that the Article 28 RTS will require from July 2027. The AMLA selection template makes it visible in a new context, with a harder deadline.

What Management Companies and TCSPs Should Do Before August

The CSSF has until 15 August to collect and submit data to AMLA. That timeline belongs to the CSSF. Entities that need to gather, structure, and validate their own compliance data before submitting to the CSSF have less time than the August deadline suggests.

The practical starting point is a direct question: can the firm produce structured, field-level data on its AML risk profile from its existing compliance system without manual reconstruction? Can it export a distribution of client risk ratings by category? Can it produce control quality metrics — coverage rates, refresh rates, escalation counts — on demand? Can it describe, in structured terms, the cross-border dimension of its client relationships?

For firms that can answer yes, this exercise is an administrative task. For firms that need to compile those answers from multiple disconnected tools, spreadsheets, and narrative case files, the exercise is an early warning signal about the data architecture the AMLR's full implementation will require in thirteen months.

The AMLA webinar on 10 June will walk through the template in detail. The CSSF has specifically asked relevant entities to attend. Attending with a clear view of where the firm's data architecture does and does not support the template's fields is more useful than attending to learn what the template looks like.

The Selection Is Not the Point

AMLA's first direct supervision list will contain 40 entities. The thousands of investment fund managers, TCSPs, and other obliged entities that populate the dataset but do not appear on the list will remain under national supervision. The supervisory relationship stays with the CSSF or the FSC.

But the standard AMLA is establishing through this selection process, the methodology it is calibrating, and the benchmarks it is building from the full supervised population will define what harmonised AML supervision looks like across the EU. Firms that appear in the dataset as outliers in terms of data quality, structural completeness, or control coverage will carry that profile into every subsequent supervisory interaction, whether or not AMLA is directly involved.

The question the AMLA template is asking is the same question the AMLR has always been asking: can the firm produce a structured, accurate, queryable account of its own compliance position? The template just has a deadline attached.

If your firm wants to assess whether its compliance data can answer what the AMLA reporting package requires before the August collection window opens, we should talk now.