What Non‑EU Head Offices Need to Understand about Governing AML in an Era of Coordinated Supervision
“Our parent company isn’t European, so AMLA isn’t really our regulator.”
That assumption remains common among non‑EU headquartered groups. It is also increasingly misaligned with how anti-money laundering (AML) supervision in Europe is being designed and with what head offices are now expected to demonstrate about AML governance, accountability and operating models across borders.
Even where the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) – the EU agency designated to coordinate National Competent Authorities (NCAs) to ensure the correct and consistent application of EU rules – is not the named supervisor for an entity, it will set the supervisory baseline. NCAs will continue to supervise most firms, but they will increasingly do so within an AMLA‑defined framework and under AMLA’s oversight. For affected entities, this means supervision is becoming more consistent, more coordinated, and more focused on execution and outcomes. For head offices, it means that decisions previously treated as structural or operational choices, such as where AML authority sits, how models are governed and how evidence is accessed, are now directly shaping supervisory credibility – and risk – at the entity level.
Why AMLA Changes the Head Office Agenda
Entity‑Level Supervision Requires Intentional Operating Model Design
AMLA sharpens the expectation that entities can be supervised on a stand‑alone basis, with the ability to evidence how AML decisions are made, escalated and resolved locally. Group frameworks, shared platforms and central expertise remain important, but supervisors will increasingly test how controls actually operate at the entity level, not how responsibility is described on paper.
As a result, operating model choices become supervisory signals. Centralised and decentralised models alike will be examined for how onboarding, beneficial ownership analysis, transaction monitoring, investigations and escalation function in practice. For non‑EU-headquartered groups, this places pressure on any model that assumes that accountability can be satisfied through group affiliation rather than through clearly defined local authority and decision ownership.
Evidence as the Credibility Test
AMLA reinforces a decisive shift in AML supervision away from assessing the existence of frameworks toward testing whether AML outcomes can be demonstrated and defended. Supervisors are increasingly focused on whether suspicious activity is identified promptly, whether alerts are investigated to a consistent standard, and how decisions – to escalate or not escalate, to file or not – are reached and documented. This brings heightened scrutiny to the full AML lifecycle. Credibility now rests on the ability to evidence decision‑making logic, data inputs, escalation paths and ownership of outcomes at the level where supervision sits. Static policies, group‑approved risk assessments or centrally produced management information summaries are no longer sufficient if the affected entity cannot explain why a specific AML judgement was made. As firms prepare for AMLA-influenced supervision, senior management should keep an eye on existing and emerging gaps between design and execution, as this is increasingly where supervisory findings are likely to arise.
The Data Privacy Challenge
Data privacy is where many global AML operating models begin to strain under supervisory scrutiny. AMLA’s supervisory direction is toward more data‑enabled, granular testing of AML effectiveness, including how alerts are generated, investigated, escalated and resolved over time. In parallel, EU data protection requirements can limit how personal, transactional and investigative data can be accessed, transferred and reused across borders. This can create a tension that is particularly acute for non‑EU-headquartered groups.
Many global AML programmes rely on centralised platforms, shared investigative teams or group‑level analytics located outside the EU. While efficient, these arrangements can leave EU entities accountable for AML outcomes they cannot independently evidence or reconstruct during supervisory review. Where alert rationale, investigative records or decision logic sit elsewhere, affected entities may face delays or limitations when asked to explain specific judgments. For head offices, this creates a structural risk: central decisions about platforms, data flows and access rights can undermine local defensibility if accountability, authority and lawful access are not aligned.
The Bottom Line
In summary, here are five considerations boards and senior management of a non‑EU bank should actively take into account as AMLA supervision comes into force:
- Supervisory Exposure Is Expanding – Even Without Direct AMLA Oversight: Even if your EU entity is not subject to direct AMLA supervision, AMLA will define the supervisory standard that NCAs apply. This effectively raises the bar for all in‑scope EU entities.
- Entity‑Level Accountability Will Be Scrutinized More Rigorously: AMLA reinforces a shift toward stand‑alone, entity‑level supervision, even within global groups. Supervisors will test whether EU entities can independently demonstrate who makes AML decisions, how issues are escalated and resolved, and whether local senior management has real authority, not just responsibility.
- Operating Models Become Supervisory Signals: Centralized platforms, shared service centers and group‑level controls can no longer be solely efficiency choices. Under AMLA‑influenced supervision, supervisors will ask how these models affect local authority and decision-making.
- Evidence, Not Frameworks, Will Determine Credibility: AMLA accelerates the move from examining whether controls exist to whether outcomes can be defended. Supervisors will expect EU entities to reconstruct and evidence AML judgments.
- Data Privacy and Data Access Tensions Must Be Resolved Proactively: Many non‑EU banks rely on global platforms and teams located outside the EU. AMLA’s push for more granular, data‑driven supervision collides directly with EU data protection constraints on cross‑border access. Data architecture is now a supervisory risk, and boards and management will need to consider whether structural changes are needed. AMLA does not prohibit centralised or shared-service models but does require these models to be supported by robust group-wide risk assessment, governance, data-protection and information-sharing arrangements, while remaining locally explainable and defensible.
For non‑EU-headquartered groups, the real risk rests in continuing to treat AMLA as someone else’s supervisor rather than recognising it as a signal of how global AML supervision is evolving, and testing whether existing global operating models can stand up to increasingly outcome‑focused scrutiny.
Protiviti provides a wide variety of consultative services designed to assist organizations in all aspects of AML compliance. For more information, please visit Protiviti’s AML Consulting page.
