When does the EU AML Regulation (AMLR) apply?

The AMLR (Regulation (EU) 2024/1624) applies from 10 July 2027. However, AMLA is publishing 23 regulatory and implementing technical standards throughout 2026 — most due by 10 July 2026. These standards define detailed CDD procedures, reporting formats, and risk factor guidelines that obliged entities must implement before the 2027 application date. Compliance programmes must therefore start in 2026, not 2027.

What is the new beneficial ownership threshold under the AMLR?

The AMLR changes the UBO identification threshold from 'more than 25%' (under AMLD4/5) to '25% or more' of shares, voting rights, or other ownership interests. This means a shareholder holding exactly 25% must now be identified and verified as a UBO. The European Commission retains discretion to lower the threshold to 15% or below for specific high-risk corporate structures or sectors. Obliged entities must update their onboarding and monitoring systems to capture this changed threshold.

Which new entity types are brought into AML scope by the AMLR?

The AMLR expands the list of obliged entities to include: crypto-asset service providers (CASPs) authorised under MiCAR, crowdfunding platforms and intermediaries authorised under the EU Crowdfunding Regulation, consumer credit providers and mortgage credit intermediaries that are not credit institutions, professional football clubs and agents, and traders in high-value goods including luxury goods, precious metals, gemstones, and artworks where payments exceed €10,000. Financial institutions already subject to AMLD4/5 face expanded and harmonised obligations rather than wholly new requirements.

EU AML Package Explained: AMLA, AMLR, and AMLD6 — What Financial Institutions Must Do in 2026 and 2027

The EU's Anti-Money Laundering (AML) landscape is undergoing its most significant transformation in two decades. Three interlocking instruments — the Anti-Money Laundering Authority (AMLA), the Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624), and the Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2024/1640) — together replace the patchwork of five previous directives with a single harmonised EU-wide rulebook and a central supervisory authority.

AMLA became operational on 1 July 2025. The AMLR and AMLD6 fully apply from 10 July 2027. Between now and 2027, AMLA must publish 23 Level 2 and Level 3 measures — regulatory technical standards, implementing technical standards, and guidelines — most of them due by 10 July 2026. That makes 2026 the year compliance teams must act, not wait.

Try asking this question on Financial Regulations EU

Ask now — free →

The Three Pillars of the EU AML Package

1. AMLA — The New Central AML Supervisor

The Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) is headquartered in Frankfurt, Germany. Its mandate has two parts: direct supervision of the highest-risk obliged entities and coordination of national Financial Intelligence Units (FIUs) and competent authorities across the EU.

Direct supervision: AMLA will directly supervise up to 40 selected obliged entities — primarily credit institutions and financial institutions with cross-border operations and the highest money laundering risk profiles. Selection criteria (to be published via regulatory technical standards) will focus on the number of member states in which an entity operates, transaction volumes, and assessed ML/TF risk. Direct supervision starts once AMLA assumes full operational supervisory powers.

Coordination role: For all other obliged entities, AMLA coordinates national supervisors, sets binding standards through regulatory and implementing technical standards, conducts peer reviews of national supervisors, and builds the single EU AML/CFT supervisory culture.

FIU coordination: AMLA will also coordinate Financial Intelligence Units across member states through a joint analysis mechanism, enabling cross-border suspicious transaction pattern detection that was previously fragmented across 27 national databases.

Enforcement powers: AMLA can impose administrative sanctions of up to €10 million or 10% of annual group turnover, whichever is higher, for the most serious violations.

2. AMLR — The Single AML Rulebook

The AMLR (Regulation (EU) 2024/1624) creates directly applicable, uniform AML/CFT rules across all EU member states. Unlike previous directives, the AMLR does not require transposition — it applies automatically and identically in all 27 member states from 10 July 2027.

The AMLR's primary goal is to eliminate the regulatory arbitrage that allowed obliged entities to "forum shop" for jurisdictions with lighter AML enforcement. The same Customer Due Diligence (CDD) rules, the same beneficial ownership thresholds, and the same suspicious transaction reporting requirements will apply from Frankfurt to Valletta.

3. AMLD6 — The National Framework Directive

The Sixth AML Directive (Directive (EU) 2024/1640) sits alongside the AMLR. Where the AMLR sets the substantive obligations for obliged entities, AMLD6 defines the institutional, supervisory, and enforcement frameworks at national level — the powers of national competent authorities, the structure of national FIUs, and cross-border supervisory cooperation. Member states must transpose AMLD6 by 10 July 2027.

What Changes for Financial Institutions

Expanded Scope: New Obliged Entities

The AMLR significantly broadens the list of obliged entities compared to AMLD4 and AMLD5. New additions include:

Crypto-asset service providers (CASPs) — all CASPs authorised under MiCAR are now fully within AML scope. This closes the gap where some crypto businesses operated under national exemptions.
Crowdfunding platforms and intermediaries — platforms authorised under the EU Crowdfunding Regulation (Regulation (EU) 2020/1503)
Consumer credit providers that are not credit institutions
Mortgage credit intermediaries and creditors not regulated as banks
Professional football clubs and their agents — covering transfers involving significant funds
Traders of high-value goods — including luxury goods, precious metals, gemstones, and works of art where payments exceed €10,000

For financial institutions already subject to AMLD4/5, the AMLR expands and harmonises existing obligations rather than creating entirely new ones.

Customer Due Diligence: Uniform Standards

The AMLR sets out uniform CDD requirements that replace the patchwork of national implementations. Key changes:

Standard CDD elements (Articles 20-24):

Identity verification using reliable, independent sources
Verification of legal entity status, ownership structure, and representative authority
Understanding of the business relationship's purpose and nature
Ongoing monitoring calibrated to ML/TF risk profile

Simplified CDD is available for lower-risk relationships (as identified in risk assessments) but cannot be applied in higher-risk third countries or where specific risk factors are present. The list of factors triggering enhanced CDD is harmonised.

Enhanced CDD (Articles 29-34) is mandatory for:

Business relationships and transactions with natural or legal persons from high-risk third countries (as listed by the European Commission)
Politically Exposed Persons (PEPs) — the definition is harmonised EU-wide, ending member-state divergence on who counts as a PEP
Correspondent banking relationships — specific additional requirements apply
Complex, unusual, or large transactions with no apparent economic purpose

Beneficial Ownership: The 25% Threshold Change

The most operationally significant change for compliance teams is the beneficial ownership (UBO) threshold.

Under AMLD4 and AMLD5, the threshold was "more than 25%" of shares, voting rights, or other ownership interests. The AMLR changes this to "25% or more" (Articles 62-63). This is not a drafting nuance — it means that an individual holding exactly 25% of a company's shares must now be identified and verified as a UBO, whereas under current rules they would not be.

Additionally, the European Commission can lower the threshold to 15% or even lower for specific corporate structures or sectors deemed high-risk for money laundering. This discretion is not yet exercised, but compliance systems must be designed to accommodate it.

For legal entities: The AMLR requires identification of all natural persons who hold or control, directly or indirectly, 25% or more of shares, voting rights, or other ownership interests. Where no natural person meets the threshold, the senior managing official is the UBO of last resort.

For trusts and similar structures: All parties must be identified — settlor, trustee(s), protector (if any), beneficiaries, and any natural person exercising ultimate effective control. Trust structures in the EU face significantly enhanced transparency obligations.

Transaction Monitoring and Suspicious Transaction Reporting

The AMLR harmonises the obligation to report suspicious transactions to national FIUs. Key requirements:

Obliged entities must report any transaction where they know, suspect, or have reasonable grounds to suspect money laundering or terrorist financing
Reports must be made promptly — before executing the transaction where feasible
A harmonised reporting format will be set by AMLA's implementing technical standards
A "tipping off" prohibition prevents entities from disclosing to the customer that a report has been or is being filed

Record-Keeping

Standard record retention is five years from the end of the business relationship or the date of the transaction. AMLA may issue guidelines on what records must be maintained and in what format, establishing minimum data standards for the first time.

Group-Wide AML Policies

For financial groups, the AMLR requires parent undertakings to implement group-wide AML/CFT policies and procedures. Group-level requirements include:

A consolidated group risk assessment
Group-wide internal policies, controls, and procedures
Information sharing within the group for AML/CFT purposes, even across borders
Ensuring branches and majority-owned subsidiaries in third countries apply AML measures at least equivalent to EU standards

AMLA's 23 Level 2/3 Mandates: What's Due in 2026

AMLA is tasked with preparing regulatory technical standards (RTS), implementing technical standards (ITS), and guidelines across 23 mandates. Most are due by 10 July 2026 — the deadline that makes 2026 the action year, not 2027.

The 23 mandates fall into three clusters:

Cluster 1: Supervisory processes (10 mandates)

Standards on AML/CFT supervisory reviews and evaluations
Peer review methodology for national supervisors
Standards for the AML/CFT database maintained by AMLA
Selection criteria for AMLA's direct supervision (which entities fall under AMLA vs. national supervisors)
Standards for colleges of supervisors for cross-border groups

Cluster 2: Risk and mitigating measures for obliged entities (8 mandates)

Guidelines on risk factors for CDD — what triggers enhanced vs. simplified CDD
Standards on internal controls, governance, and compliance function requirements
Standards on ongoing monitoring systems
Guidelines on how to identify UBOs in complex ownership structures
Sector-specific guidelines for crypto-asset service providers, crowdfunding platforms, and other new obliged entities

Cluster 3: FIU processes (5 mandates)

Common reporting format for suspicious transaction reports
Standards for FIU information exchange
Guidelines on joint analysis mechanisms between FIUs

The publication timeline for these standards means that many substantive CDD and reporting requirements will not be finalised until mid-2026. Obliged entities should monitor AMLA's consultation publications throughout 2026 and be prepared to update policies and procedures before the 2027 application date.

Key Timelines

Date	Event
16 June 2024	AML package published in Official Journal (AMLR + AMLD6)
1 July 2025	AMLA operational (Frankfurt)
10 July 2026	AMLA must publish most Level 2/3 technical standards
10 July 2027	AMLR fully applies; AMLD6 transposition deadline
2027–2029	AMLA beneficial ownership and account registers operational

How the AML Package Intersects with Other EU Regulations

MiCAR and AML

For crypto-asset service providers, the AML package and MiCAR create parallel but complementary obligations. MiCAR authorisation is a prerequisite — only MiCAR-authorised CASPs can operate in the EU. The AMLR then imposes full AML/CFT obligations on those CASPs, including CDD, UBO identification, transaction monitoring, and suspicious transaction reporting. There is no AML carve-out for crypto.

The CASP transitional period under MiCAR expires 1 July 2026. CASPs that are not authorised by that date are operating illegally. CASPs should therefore complete MiCAR authorisation before they face the full weight of AMLR obligations in 2027.

DORA and AML

DORA and the AML package are operationally connected. Transaction monitoring systems, suspicious transaction report (STR) filing systems, and customer screening tools all qualify as critical ICT systems under DORA. These systems must meet DORA's ICT risk management, incident reporting, and third-party risk requirements. A cyberattack that compromises your transaction monitoring system triggers both DORA incident reporting obligations and potentially AML/CFT concerns if the attack impairs suspicious transaction detection.

SFDR and AML

Asset managers subject to SFDR must also comply with AML obligations. The AMLR's group-wide policy requirements extend to AIFMD-authorised fund managers when they are part of a financial group. Investor onboarding processes must satisfy both SFDR product disclosure requirements and AMLR CDD requirements — particularly for natural persons investing in Article 8 or Article 9 funds.

Practical Compliance Checklist for 2026–2027

Immediate (Q1–Q2 2026)

Scope assessment: Confirm whether your entity type falls within the AMLR's expanded list of obliged entities (particularly for CASPs, crowdfunding platforms, consumer lenders)
UBO threshold gap analysis: Identify any beneficial owners who hold exactly 25% — update identification and verification procedures to capture them under the new threshold
Monitor AMLA consultations: Register for AMLA consultation notifications; the 2026 RTS/ITS publications will set binding standards you must implement before July 2027
Systems review: Assess whether your transaction monitoring and STR reporting systems can accommodate harmonised reporting formats once AMLA ITS are published

Before 10 July 2026 (when AMLA standards publish)

Review AMLA's CDD risk factor guidelines (Cluster 2 standards) and update your risk-based CDD procedures
Update internal AML policies to align with AMLA's internal controls standards
Assess group-wide implications: If you are part of a financial group, confirm parent-level group-wide AML policies are being prepared

Before 10 July 2027 (AMLR application date)

Complete full AMLR gap analysis against published technical standards
Update customer onboarding procedures — CDD, UBO identification, enhanced CDD triggers
Update transaction monitoring rules to new harmonised standards
Implement harmonised STR reporting format per AMLA implementing technical standards
Staff training on the new rulebook, particularly for new entity types newly brought into scope
Third-country equivalence review: Identify business relationships with entities in third countries and assess against the updated high-risk third country list

Frequently Asked Questions

Does the AMLR apply immediately or only from 2027?

The AMLR as a whole applies from 10 July 2027. However, obliged entities must monitor AMLA's technical standards publications throughout 2026, as these will define many of the detailed obligations (CDD procedures, reporting formats, risk factor guidelines) that entities will need to have implemented by the 2027 date. Waiting until 2027 to start the compliance programme is too late.

What is the difference between AMLA direct supervision and national supervisor oversight?

AMLA will directly supervise up to 40 selected obliged entities — those with the highest cross-border risk profiles. All other obliged entities remain supervised by their national competent authority, with AMLA providing coordination, binding standards, and peer review oversight. AMLA selection criteria will be published in regulatory technical standards; most financial institutions will remain under national supervision.

How does the AMLR interact with existing national AML laws?

The AMLR is directly applicable EU law — it overrides any inconsistent national provisions on the matters it covers. National laws remain relevant for matters not covered by the AMLR (e.g., the structure of national FIUs, supervisory powers, and penalties, which are addressed by AMLD6 requiring national transposition). Compliance teams will need to track both the AMLR directly and their home-state transposition of AMLD6.