EU AML Package: The New Regulatory Landscape

The European Union's AML legislative package, finalised in 2024 and entering implementation across 2025–2027, represents the most fundamental structural overhaul of EU anti-money laundering law since the first AMLD in 1991. Previous generations of AMLD directives required member state implementation and resulted in significant variation across the EU's 27 jurisdictions — variation that created regulatory arbitrage opportunities and inconsistent protection against financial crime. The new package addresses this fragmentation head-on by introducing a directly applicable regulation alongside a revised directive, establishing a new supervisory authority, and dramatically extending the scope of AML obligations to new sectors including crypto asset service providers.

The Architecture of the Package

The EU AML Package comprises four interconnected legislative instruments:

• The AML Regulation (AMLR): A directly applicable EU regulation that replaces the substance of the previous AMLDs for obliged entities. Unlike a directive, the AMLR does not require member state transposition — it applies identically across all 27 EU member states from its application date. This is the centrepiece of the harmonisation effort.
• The Sixth Anti-Money Laundering Directive (6AMLD): A revised directive covering the institutional and supervisory architecture — the powers of supervisors, the national FIU framework, beneficial ownership registers, and access rules. Member states must transpose 6AMLD within 36 months of its entry into force.
• The AMLA Regulation: Establishing the new Anti-Money Laundering Authority (AMLA), based in Frankfurt, which will directly supervise a select group of the highest-risk financial institutions and coordinate AML supervision across the EU. (Covered separately in our AMLA article.)
• Transfers of Funds Regulation (TFR) amendments: Extending the Travel Rule to crypto asset transfers, already in force from 2023 under the revised TFR.

The AML Regulation: Key Substantive Changes

Expanded Scope of Obliged Entities

The AMLR significantly expands the range of entities subject to AML obligations. New obliged entities include: crypto-asset service providers (CASPs) as defined under MiCA; crowdfunding service providers; mortgage creditors and credit intermediaries not already covered; all persons trading in goods where cash transactions exceed €3,000 (reduced from €10,000); and professional football clubs and agents where these meet activity thresholds. The expansion to CASPs is particularly significant and aligns EU AML obligations with the FATF's revised Recommendation 15.

Harmonised CDD Requirements

The AMLR establishes uniform, directly applicable CDD requirements across the EU, replacing the member state implementations that have historically differed in important details. Key harmonisation provisions include:

• A single EU-wide definition of beneficial owner, set at the 25% threshold with explicit provisions for control through other means
• Standardised lists of enhanced due diligence factors and simplified due diligence conditions, removing member state discretion in these areas
• Uniform requirements for identifying PEPs, including a harmonised definition of which positions qualify as PEP status
• Standardised ongoing monitoring requirements, including minimum review frequency for different customer risk categories
• A single framework for reliance on third parties for CDD, replacing the current patchwork of national rules

Cash Payment Limits

One of the most commercially visible changes in the AMLR is the introduction of an EU-wide cash payment limit of €10,000. While many member states already have national cash limits, these vary considerably — from €1,000 in France to €15,000 in Hungary. The AMLR imposes a harmonised ceiling. Importantly, member states can maintain stricter national limits but cannot permit cash transactions above €10,000. This provision has significant implications for luxury goods retailers, car dealers, and other sectors that historically handled large cash transactions.

PSP Obligations

Payment service providers face specific new obligations under the AMLR, going beyond the general CDD requirements. PSPs must maintain detailed records of payment transactions sufficient to allow reconstruction of individual payment chains in response to FIU requests. The information retention requirements are extended, and the format in which records must be maintained is standardised to facilitate cross-border information sharing between FIUs via the FIU.net system. PSPs offering payment initiation or account information services under PSD3/PSR will be subject to the same AML obligations as other payment service providers, closing a previous gap for certain fintech activities.

Crypto Asset Provisions

The AMLR brings crypto-asset service providers fully into the EU AML framework. CASPs authorised under the Markets in Crypto-Assets Regulation (MiCA) become obliged entities under the AMLR. The specific obligations include:

• Full KYC/CDD requirements for all customers, with no de minimis exemptions for small transactions (unlike previous guidance in some member states)
• Enhanced due diligence for transactions involving unhosted wallets (wallets not held at a regulated VASP)
• Travel Rule compliance for all crypto transfers, building on the revised TFR which requires CASPs to collect and transmit originator and beneficiary information
• Specific record-keeping requirements for crypto transaction data, including on-chain transaction identifiers
• Monitoring of transactions involving mixing services, anonymity-enhancing technologies, or high-risk wallet addresses as identified by blockchain analytics

CASPs that were operating without AML obligations under legacy frameworks — particularly those relying on light-touch national regimes — face a material compliance step-up. The AMLR's direct applicability means there is no scope to rely on softer national transpositions.

Implementation Timeline

The AMLR entered into force in mid-2024 and applies to obliged entities from 1 July 2027. The 6AMLD must be transposed by member states within 36 months of entry into force. AMLA is being established with its first supervisory cycle beginning in 2028. For firms that currently operate under EU AML requirements, the 2027 AMLR application date provides a compliance window — but the structural changes in CDD methodology, expanded entity scope, and crypto-specific requirements are significant enough to warrant early gap analysis and programme preparation rather than last-minute compliance.