The New EU Anti-Money Laundering Package – An Introduction

The European Union is currently undertaking a fundamental reform of its money laundering prevention regime (see our earlier blog article).

The so-called EU AML Package (or EU Anti-Money Laundering Package) establishes a single rulebook that will apply directly across all Member States from 10 July 2027, alongside the creation of a new European anti-money laundering supervisor.

What lies behind it? Which legal acts does the package comprise? How will supervision change under the new allocation of regulatory competences, and what does this mean for the businesses affected?

This blog series sets out to answer these questions. We begin with an overview of the package's origins, structure and most important innovations.

Background: Why a New AML Package?

For a long time, money laundering prevention in the EU was largely the preserve of the Member States. While the Fourth and Fifth Anti-Money Laundering Directives (AMLD4 and AMLD5) provided important impetus, national transposition produced a patchwork: divergent supervisory practices, differing thresholds and varying due diligence obligations all encouraged regulatory arbitrage. Criminals deliberately exploited the weaknesses of more lightly regulated Member States.

In July 2021, the European Commission tabled a comprehensive legislative package to reform the EU's anti-money laundering and counter-terrorist financing framework (see the Commission's information here). The package was adopted on 24 April 2024 and will – with a few exceptions – enter into force on 10 July 2027.

The objective is a genuine single market for money laundering prevention as well: the same rules, the same supervision, the same enforcement.

The Three Pillars of the EU AML Package

The package rests on three pillars, which together are intended to form a coherent overall system.

The Sixth Anti-Money Laundering Directive (AMLD6) – Directive (EU) 2024/1640

AMLD6 replaces the directives currently in force (AMLD4 as amended by AMLD5) and governs the areas that – despite the new AML Regulation (more on which below) – continue to require national transposition: national supervisory authorities, Financial Intelligence Units (FIUs) and beneficial ownership registers (RBOs). Member States must transpose the Directive by 10 July 2027; certain provisions even require transposition by 31 December 2025.

Three innovations merit particular attention:

First, the requirements placed on national AML supervisors are being tightened. Supervisors must adopt a risk-based approach, must be able to carry out on-site inspections and thematic reviews, and must impose substantial sanctions for serious, repeated or systematic breaches. The maximum fine for credit and financial institutions rises to EUR 10 million or 10% of total annual turnover – whichever is higher.

Second, the beneficial ownership registers (UBO registers) are being significantly expanded. Member States must maintain central registers containing more detailed information, which will also capture non-EU entities with a connection to a Member State. The national registers will be interconnected via a European Central Platform.

Third, AMLD6 harmonises the legal framework for the Member States' FIUs: uniform rules for the receipt, analysis and dissemination of suspicious activity reports, together with stronger mechanisms for cross-border cooperation.

The EU Anti-Money Laundering Regulation (AMLR) – Regulation (EU) 2024/1624

The AMLR is the centrepiece of the package. For the first time, money laundering prevention law for the entire EU single market is set down in a directly applicable regulation – leaving Member States no scope for transposition. All substantive requirements, such as customer due diligence measures, are now governed by the AMLR and no longer need to be implemented into national law by the Member States.

From 10 July 2027, identical rules will therefore apply across all Member States in respect of due diligence obligations, beneficial owners, internal controls, suspicious activity reporting, record-keeping obligations and so on.

The so-called "single rulebook" brings with it a fundamental change of paradigm: away from formal documentation obligations and towards the actual effectiveness of the compliance system. The mere existence of an AML manual will no longer suffice; what matters is whether the system works in practice.

In substantive terms, the AMLR stands out for several key innovations:

The scope of application is being substantially broadened. New additions to the list of obliged entities include, among others, dealers in luxury goods (jewellery and watches from EUR 10,000), crowdfunding platforms, certain football clubs and their agents (from 2029), non-bank credit intermediaries, investment migration operators and crypto-asset service providers (CASPs).

Customer due diligence (CDD) obligations are becoming more precise and will cover a wider range of situations. Customer data must be updated at least every five years – and annually for high-risk customers.

The threshold for identifying beneficial owners is being lowered from "more than 25%" to "25% or more" of the shares or voting rights. It will in future also apply to all underlying ownership levels, for which a 50% threshold previously governed. Non-EU undertakings are required to register their beneficial ownership in the EU where they do business with EU obliged entities.

For the first time, EU law mandates the appointment of a compliance manager – a member of the management body with overall responsibility for AML compliance. This function is to be distinguished from the operational compliance officer, who is responsible for day-to-day matters.

Money laundering prevention is becoming more data-driven: businesses will be required to collect their data in a structured manner, keep it continuously up to date and analyse it intelligently. The AMLR thereby brings data protection and AML compliance into close alignment – the two disciplines can no longer be considered in isolation.

In addition, the AMLR introduces an EU-wide cash payment ban for business transactions exceeding EUR 10,000. This too is new: a uniform cash ceiling for the entire single market.

It will be especially interesting to see what specific requirements the numerous Regulatory Technical Standards (RTS) and guidelines – currently being developed by the AMLA (see below) – will contain. This will have a decisive bearing on how burdensome the changes prove to be, particularly for the financial industry.

The AMLA Regulation and the New EU Supervisor (AMLAR) – Regulation (EU) 2024/1620

The third pillar, the AMLA Regulation (AMLAR), which has applied since 1 July 2025, has established a new European anti-money laundering supervisor: the Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt am Main.

The AMLA commenced operations back in 2025. Since 1 January 2026, it has taken over responsibility from the EBA for drafting the Level 2 AML texts. Full operations are scheduled for January 2028. From 2027, the AMLA will select 40 entities for direct supervision – above all those presenting a particularly high money laundering risk, including CASPs. Direct supervision of institutions will then begin on 1 January 2028, with one to two Austrian financial institutions expected to fall under direct AMLA supervision.

As noted, the AMLA combines direct and indirect supervisory functions. For directly supervised entities, it can take binding decisions and intervene directly in cases of serious breaches. For all other financial institutions, it acts as an overarching coordinating body vis-à-vis the national supervisors. In the non-financial sector, its role lies primarily in coordination and in fostering supervisory convergence.

The supervisory architecture is rounded out by Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which the AMLA is developing and which will progressively specify, over the coming years, the operational requirements that obliged entities must meet. The most important relate to the business-wide risk assessment, customer due diligence measures and the ongoing monitoring of business relationships, all of which are currently in draft form (see the AMLA's information here).

What Does This Mean for Businesses in Practice?

Obliged entities that already have a functioning AML compliance system in place are of course not starting from scratch, but they nonetheless face challenges that should not be underestimated. They will need to assess where the new requirements are already met and where gaps remain, because the AMLR refines and tightens the rules in many respects and demands a depth – in areas such as CDD, UBO identification and internal controls – that has not previously been prescribed on a uniform, EU-wide basis.

One difficulty with the analysis at this stage is that not all of the AMLA's Regulatory Technical Standards (RTS) are yet in final form. Certain details may still change. Even so, businesses would be well advised to begin work on an implementation plan as a matter of urgency, since anyone who waits until the full rulebook is settled will most likely be starting too late.

The following approach is generally advisable.

Step 1: Gap Analysis

The first step is a sound gap analysis. It should be neither a purely legal opinion nor a purely operational stocktake – ideally it combines both: the new AMLR requirements, the day-to-day reality as actually practised within the business, and finally the question of which adjustments are both regulatorily required and practically achievable.

This calls for the legal department, the compliance function and the operational units to be closely involved from the outset – with clearly allocated responsibilities.

Step 2: Action Plan

The gap analysis should then give rise to a concrete action plan – not another set of documents, but an implementation plan with clear priorities: what needs to be addressed urgently, what can follow at a second stage, and where there is scope for discretion that should be actively put to use?

The AMLR is not a rulebook that can be worked through as a tick-box exercise. Many of its requirements involve far-reaching matters of principle: How should the KYC process be set up going forward? Are existing outsourcing arrangements still viable under the new regime? On what cycle must data for existing customers be updated? The sooner these strategic decisions are taken, the more coherent and legally robust the subsequent implementation in processes, IT systems and controls will be.

Outlook: What This Blog Series Will Cover

The EU AML Package is complex, and its impact varies considerably depending on sector, corporate structure and the existing maturity of the compliance organisation.

This blog series will guide you through the key topics. Planned articles include, among others:

• The new KYC and CDD requirements in detail

• Beneficial owners: what changes for businesses with complex structures?

• The new obliged entities: crypto, football, luxury goods and more

• The AMLA and its significance for national supervision

• Data protection and AML: two disciplines, one dataset

Do stay with us – the time remaining until July 2027 is shorter than it appears. We will be publishing further instalments of this series in the coming weeks.