The AML Package was adopted on April 24, 2024, and will come into force on July 10, 2027 (with the exception of certain provisions which have already come into force and others which will come into force at an earlier or later date).
The objective of the AML Package is mainly to harmonise the AML/CTF framework across the EU, by ensuring that the same AML/CTF obligations apply across member states, without divergences in implementation of the relevant rules or divergences in supervisory practices between regulators. To achieve these objectives, the AML Package is structured around three pillars1.
(a) The Anti-Money Laundering Directive (AMLD 6)—which will replace the existing AMLD 4 as amended by AMLD 5
(b) The EU AML Single Rulebook Regulation (AMLR)—which notably contains the customer due diligence (CDD) measures to be carried out by professionals subject to AML/CTF obligations
(c) The Anti-Money Laundering Authority Regulation (AMLAR)—setting up an EU anti-money laundering authority (AMLA)
Over the next months, our EU AML/CTF practice will be issuing a series of alerts detailing each of the main changes brought to the AML/CTF framework by the AML Package. This first e-alert aims to set out the main changes to be expected in the months following the application of the AML Package.
1. Key provisions of AMLD 6
AMLD 6 replaces earlier AML/CTF directives (AMLD 4 and AMLD 5), and addresses matters requiring national transposition, including rules on national supervisors, Financial Intelligence Units (FIUs), and beneficial ownership registers (RBOs). These changes must be implemented by member states before July 10, 2027 (with some changes that already need implementation by December 31, 2025).
The following three changes are of particular interest:
AML/CTF supervision by competent authorities
AMLD 6 imposes more detailed and harmonised requirements on national AML/CTF supervisors, and in particular member states must ensure that supervisors adopt a risk-based approach to oversight, have the power to conduct on-site inspections and thematic reviews, and can impose effective pecuniary penalties for non-compliance. The directive also extends centralised bank account mechanisms to cover securities and crypto-asset accounts, giving FIUs more comprehensive access to financial data for their analyses.
The most significant change from the perspective of penalties is the increase in the maximum pecuniary sanctions that competent authorities can impose for serious, repeated or systematic breaches of AML/CTF requirements to EUR10 million or 10% of total annual turnover, whichever is higher, for credit and financial institutions.
AMLD 6 also introduces a clearer framework distinguishing between pecuniary penalties and administrative measures. Pecuniary penalties are to be imposed for serious, repeated or systematic breaches, whether committed intentionally or negligently. Administrative measures include powers such as ordering specific corrective actions, restricting or limiting the obliged entity's business, and, where the entity is subject to authorisation, withdrawing or suspending that authorisation.
The directive specifies the minimum administrative measures that must be available to all supervisors across member states. Authorities can impose recurring fines to ensure compliance with administrative obligations.
RBOs
AMLD 6 significantly strengthens the framework for beneficial ownership transparency at the national level. Member states must maintain central registers with more detailed beneficial ownership information, covering a wider range of legal entities and arrangements, including non-EU entities with links to a member state. These registers will be interconnected across the EU via the European Central Platform, enabling cross-border verification. Access is extended to national competent authorities, AMLA, and persons with a demonstrable legitimate interest, such as journalists and civil society organisations. AMLD 6 also lowers the beneficial ownership identification threshold from “more than 25%” to “25% or more” of shares or voting rights.
FIUs
AMLD 6 establishes a more uniform framework governing the powers and responsibilities of national FIUs. AMLD 6 in particular harmonises the rules on how FIUs receive, analyse, and disseminate suspicious activities/transaction reports, and strengthens mechanisms for cross-border cooperation between FIUs across member states. It also introduces clearer standards for FIU access to financial, administrative, and law enforcement information, aiming to reduce the disparities in FIU capabilities that have been considered to hinder effective EU-wide intelligence sharing.
2. Key provisions of the AMLR
AMLR replaces a directive-based framework with a directly applicable regulation
The most fundamental change is the replacement of a directive-based framework with a directly applicable regulation, eliminating the need for national implementation and removing much of the member state discretion that existed under AMLD 4. The AMLR establishes harmonised rules on customer due diligence, beneficial ownership, internal controls, suspicious transaction reporting, and record-keeping that apply uniformly across all EU member states from July 10, 2027. This ends the fragmentation that arose from 27 separate national transpositions and aims to create a level playing field across the internal market.
AMLR broadens the list of entities subject to AML rules
Newly included are traders in high-value goods (jewellery and watches over EUR 10,000), crowdfunding platforms, certain professional football clubs and their agents (from July 2029), non-bank credit intermediaries, investment migration operators, and certain holding companies of obliged entities. Crypto-asset service providers (CASPs) are also explicitly covered. We will be issuing a second e-alert in the coming weeks providing more information on the changes to the list of entities across the EU, with a deep dive into each jurisdiction on an interactive map—stay tuned!
Customer due diligence (CDD) requirements are more detailed and apply to a broader range of situations, including low-threshold transactions
Key changes in this field will include the following:
- The definition of beneficial owner is clarified, especially for complex structures and investment funds.
- Foreign entities must register beneficial ownership in the EU when doing business with EU-based obliged entities.
- Specific enhanced due diligence (EDD) measures now apply to wealth management services and correspondent relationships, with more detailed rules on what enhanced measures must entail.
- Customer information must be updated at least every five years (and every year for high-risk customers), replacing the less prescriptive ongoing monitoring requirements under the previous regime.
AMLR introduces a compliance manager requirement
The AMLR introduces a requirement to appoint a compliance manager, a member of the management body with overall responsibility for AML compliance, as distinct from, and in addition to, the compliance officer who handles day-to-day operational AML obligations.
AMLR details the internal policies and controls obliged entities must have, including group-wide standards and data protection
Outsourcing is permitted but strictly regulated—key decisions and suspicious activity reporting cannot be outsourced outside the group and country. The AMLR also introduces a mandatory obligation to implement a targeted financial sanctions (TFS) compliance programme as part of a firm’s internal controls framework.
3. Key provisions for the AMLA Regulation (AMLAR)
The key feature of the AMLAR is the creation of the new AML authority, AMLA, headquartered in Frankfurt am Main, Germany. It has started its operations as of 2025 but will be fully operational in 2028. Its mission is to strengthen the EU’s AML/CTF system by enhancing supervisory standards, driving greater harmonisation, and improving information sharing between FIUs and other relevant authorities across the EU.
Although AMLA began assuming most of its tasks and powers as of mid-2025, some steps remain ahead. In 2026, AMLA will start its IT services and in 2027, 40 obliged entities will be selected to be directly supervised. Finally, by January 1, 2028, AMLA will be fully staffed and fully operational. Direct supervision of the selected entities will commence at the same time.
AMLA exercises both direct and indirect oversight over financial institutions
It takes on direct supervisory responsibilities for entities considered to pose a high risk of money laundering or terrorist financing, including CASPs. For other financial institutions, AMLA works in partnership with national financial regulators, providing indirect supervision.
In the non-financial sector, AMLA’s role is primarily to coordinate with national authorities and encourage alignment in supervisory practices. AMLA may impose binding decisions on directly supervised entities and, where necessary, apply administrative sanctions for serious, repeated, or systematic breaches of AML/CTF requirements. It can also intervene directly and take immediate measures as a last resort in the event of acute danger. The AMLA may additionally be called upon by a financial supervisor to issue binding decisions in cross-jurisdictional cases that fall outside of supervisory colleges.
AMLA is tasked with applying a unified supervisory approach
Recognising the cross-border challenges of AML/CTF, AMLA will establish a collaborative framework with national supervisors to ensure that relevant entities in the financial sector meet their AML/CTF obligations, while also supporting non-financial sector supervisors.
AMLA is mandated to develop regulatory technical standards (RTS)
This includes implementing technical standards (ITS), guidelines, and recommendations that specify and clarify AML/CTF requirements and promote supervisory convergence. It may also issue opinions and provide technical advice on its own initiative or upon request from the European Parliament, the Council of the EU, or the European Commission. Certain EBA guidelines continue to apply until AMLA’s new instruments on the same subject enter into force. AMLA is also responsible for developing and maintaining a central database to support AML/CTF supervisory work to track relevant AML/CTF information and support coordination between national authorities.
Footnotes
1 Prior to the adoption of this AML Package, the recast of the Transfer of Funds Regulation (which was part of the initial AML Package) was adopted in June 2023, uncoupled from the rest of the AML Package.
