The EU AML Package is the most significant overhaul of anti-money laundering rules in Europe since the first directive in 1991. It has been years in the making, and as of mid-2024, the legislative process is reaching its conclusion. But the sheer volume of material, across multiple regulations and a new directive, makes it genuinely difficult for compliance teams to understand what is changing, when, and what they need to do about it.
This article breaks down the package into its component parts, explains the practical implications for compliance teams, and provides a timeline that you can actually plan against.
What is the EU AML Package?
The package consists of three legislative instruments, each serving a different purpose.
| Instrument | Type | Purpose |
|---|---|---|
| AML Regulation (AMLR) | Regulation | Single, directly applicable rulebook replacing national transpositions. Applies uniformly across all EU member states without national implementation required. |
| 6th Anti-Money Laundering Directive (6AMLD) | Directive | Addresses areas requiring national implementation, primarily FIU powers and national supervisor responsibilities. Replaces 4AMLD and 5AMLD. |
| AMLA Regulation | Regulation | Creates the Anti-Money Laundering Authority, a new EU-level body for direct supervision of high-risk entities and coordination of national supervisors. Based in Frankfurt. |
The single rulebook: what it covers
The AML Regulation consolidates and standardises rules that previously varied across member states. Here are the areas that matter most for compliance teams.
Customer Due Diligence (CDD). The regulation sets out harmonised CDD requirements, including specific triggers for Enhanced Due Diligence that are consistent across all member states. The beneficial ownership threshold is set at 25%, though the regulation allows member states to apply a lower threshold for higher-risk sectors. Simplified Due Diligence conditions are more tightly defined, reducing the discretion that some member states previously allowed.
Beneficial Ownership. The regulation mandates central beneficial ownership registers in every member state, with rules on access, data quality, and cross-border interconnection. The registries must be accurate, up-to-date, and available to competent authorities and obliged entities. Discrepancies between registry information and information held by obliged entities must be reported.
"The beneficial ownership registry requirements are probably the single most impactful change for firms doing cross-border KYB. Under the old directives, the quality and accessibility of registries varied enormously across member states. Standardisation will help, but the transition period is going to be messy."
PEP screening. The regulation harmonises the definition of Politically Exposed Persons across the EU and requires member states to publish lists of domestic PEP functions. This is a significant change for compliance teams that currently rely on commercial PEP databases with inconsistent domestic coverage across EU jurisdictions.
Third-country policy. The regulation introduces a more structured approach to assessing third-country risk, moving beyond the existing list-based approach. The European Commission will identify high-risk third countries based on a methodology that considers FATF assessments, the country's own AML framework, and specific risk factors. Obliged entities will be required to apply enhanced due diligence to business relationships and transactions involving these countries.
New entities in scope
The AML Package significantly expands the types of entities that are classified as "obliged entities" under the EU AML framework. The most notable additions include:
| Entity type | Obligations |
|---|---|
| Crypto-Asset Service Providers (CASPs) | Full scope as obliged entities. CDD, ongoing monitoring, and suspicious transaction reporting required. Reflects recognition of crypto money laundering risks. |
| Luxury goods dealers | Traders in precious metals, precious stones, and other luxury goods brought into scope with CDD obligations for transactions above specified thresholds. |
| Football clubs and agents | Professional football clubs and transfer agents involved in high-value transfers subject to AML obligations. Addresses money laundering concerns in football transfer market. |
| Mortgage and consumer credit intermediaries | Intermediaries in the credit process now in scope, expanding beyond traditional lenders only. |
AMLA: the new EU supervisor
The creation of AMLA is arguably the most structurally significant element of the package. For the first time, there will be an EU-level authority with direct supervisory powers over certain obliged entities in the AML/CFT space.
AMLA will directly supervise a selection of the highest-risk cross-border obliged entities. The selection methodology is still being finalised, but it will be based on the entity's risk profile, cross-border activity, and the number of member states in which it operates. Estimates suggest AMLA will directly supervise 40 to 60 entities initially.
For entities not directly supervised by AMLA, national supervisors retain primary responsibility. But AMLA will have coordination powers, including the ability to request that national supervisors investigate specific entities or sectors, and to issue guidelines and recommendations that national supervisors must comply with or explain.
AMLA will also host FIU.net, the platform for cross-border FIU cooperation, and will be responsible for developing technical standards that flesh out the details of the AML Regulation.
The timeline: what happens when
This is where practical planning starts. The legislative process is nearing completion, with political agreement reached on the main elements of the package. Here is the expected timeline.
| Period | Key milestones | Compliance actions |
|---|---|---|
| Mid-2024 | Final texts published in Official Journal. AML Regulation enters into force 20 days after publication but does not apply immediately. | Begin detailed review of final texts. Start preliminary gap analysis. |
| 2025 to 2026 | Three-year transitional period begins. AMLA established and staffed. Technical standards drafted. | Complete comprehensive gap analysis. Assess technology readiness. Review PEP screening coverage and beneficial ownership processes. |
| 2027 | AML Regulation becomes directly applicable. 6AMLD must be transposed into national law by member states. New CDD, EDD, beneficial ownership, and monitoring requirements take effect. | Systems upgrades complete. Staff training complete. New processes operationalised. |
| 2028 | AMLA begins direct supervision of selected entities. First supervisory cycle commences. | Full compliance demonstrated. Supervisory readiness confirmed. |
For compliance teams, the key message is this: you have approximately three years from publication to full application. That sounds like a long time. It is not. The firms that used the 5AMLD transposition period effectively were the ones that started their gap analysis in the first six months, not the last six.
What compliance teams should do now
Even before the final texts are published, there is enough certainty about the direction of travel to begin preparing.
Conduct a gap analysis against the draft regulation. The political agreement texts are publicly available. Map your current CDD, EDD, and beneficial ownership processes against the harmonised requirements. Identify where your current approach relies on national discretions that will be removed.
Review your PEP screening coverage. The harmonised PEP definitions will require you to screen against a standardised set of domestic PEP functions across all EU member states. Assess whether your current PEP data sources cover this.
Assess your CASP exposure. If you provide services to crypto-asset service providers, or if you are a CASP yourself, the new obligations are significant. Begin mapping your compliance programme against the regulation's requirements now.
Evaluate your technology readiness. The regulation's requirements for ongoing monitoring frequency, beneficial ownership verification, and cross-border data sharing all have technology implications. Assess whether your current systems can support the new requirements, or whether you need to plan for upgrades.
"We started our 5AMLD preparation 18 months before transposition. Even then, we ran up against the deadline on beneficial ownership register integration. For the AML Package, we are starting our gap analysis now, even though the final text is not yet published. The direction is clear enough to begin planning."
Key takeaways
- The AML Package replaces fragmented national rules with a single, directly applicable regulation across all EU member states, eliminating the discretion that previously allowed inconsistent interpretations.
- Beneficial ownership registers will be standardised and interconnected across member states, requiring firms to verify their beneficial ownership data against central registries or report discrepancies.
- CASPs, luxury goods dealers, football clubs, and credit intermediaries are now obliged entities, expanding the scope of AML compliance significantly beyond traditional financial institutions.
- The new Anti-Money Laundering Authority will directly supervise an estimated 40 to 60 high-risk cross-border entities from 2028, whilst coordinating national supervisors across the EU.
- Compliance teams have approximately three years from mid-2024 to full application in 2027. Gap analysis, technology assessment, and PEP screening updates should begin immediately, not deferred to the final 12 months.
