The EU has spent years patching a fragmented AML framework. Six successive directives — AMLD1 through AMLD6 — each tried to fix gaps left by the last. The result: 27 different national AML regimes, each with its own interpretation, creating exactly the kind of regulatory arbitrage that money launderers exploit. The AML Package ends this patchwork approach with a three-part structure that shifts from harmonised minimum standards to genuinely uniform rules.
This guide breaks down what each component means for compliance teams in financial services, fintech, and crypto — not the legal theory, but the operational changes that require action now.
The Three Components of the EU AML Package
The EU AML Package is not a single regulation. It is a legislative trio, each serving a distinct function:
- AMLR (Regulation 2024/1624): A directly applicable regulation that sets uniform AML/CFT rules across all 27 Member States. No national transposition required — it applies as-is from the application date. This is the substantive compliance framework.
- AMLD6 (Directive 2024/1640): A directive covering institutional and supervisory elements that must be transposed into national law. This includes supervisory powers, penalties, and certain structural provisions where EU-wide uniformity requires local implementation.
- AMLA Regulation (Regulation 2024/1620): Establishes the Anti-Money Laundering Authority — a new EU agency headquartered in Frankfurt, Germany, with direct supervisory powers over high-risk obliged entities.
Understanding the distinction matters because it determines compliance strategy. AMLR rules apply identically in every Member State — your compliance programme in Germany must match your programme in France. AMLD6 provisions may still vary between Member States depending on how each country transposes the directive.
Implementation Timeline
The AML Package entered into force on July 9, 2024, with a phased implementation extending through 2029. Compliance teams should track these dates:
| Date | Milestone | What Applies |
|---|---|---|
| 9 July 2024 | Entry into force | AMLR, AMLD6, and AMLA Regulation published in Official Journal |
| 1 July 2025 | AMLA operational launch | AMLA begins operations in Frankfurt; EBA transfers AML/CFT mandates to AMLA |
| 10 July 2025 | AMLD6 first transposition | Article 74 — FIU access to information must be transposed |
| 10 July 2026 | AMLD6 second transposition | Articles 11, 12, 13, 15 — Beneficial ownership register provisions must be transposed |
| 10 July 2027 | AMLR full application | All AMLR provisions apply directly across EU; remaining AMLD6 provisions must be transposed |
| January 2028 | AMLA direct supervision | AMLA begins direct supervision of selected high-risk obliged entities |
| 10 July 2029 | AMLD6 final transposition | Article 18 — Single access point to real estate information must be transposed |
AMLR: The Directly Applicable Rules
The AMLR replaces the directive-based approach with directly applicable regulation. This is the most significant structural change in EU AML history — for the first time, banks, fintechs, and crypto firms face identical rules in every Member State without national variation.
Expanded Scope of Obliged Entities
Article 2 of the AMLR significantly broadens who qualifies as an "obliged entity." Key additions relevant to financial services and crypto:
- Crypto-asset service providers (CASPs): Explicitly included as obliged entities for the first time under EU AML law. Any entity holding a MiCA CASP licence automatically falls under AMLR obligations. This closes the gap where some Member States had extended AML obligations to crypto entities while others had not.
- New types of financial entities: The AMLR extends obligations to certain crowdfunding service providers, persons trading in goods above specific cash thresholds, and landlords and real estate agents involved in high-value transactions.
- Electronic money issuers: E-money institutions already covered under prior directives remain covered, with enhanced due diligence requirements.
Customer Due Diligence (CDD) Requirements
The AMLR introduces stricter and more detailed CDD requirements that replace the more flexible framework of previous directives:
- Mandatory CDD threshold: Customer due diligence is mandatory for all transactions equal to or exceeding €1,000 for occasional transactions, and for all business relationships. The previous €10,000 threshold under AMLD5 is effectively eliminated for many transaction types.
- Enhanced due diligence (EDD): Required for high-risk third countries, politically exposed persons (PEPs), and complex or unusually large transactions. The AMLR provides more specific criteria for when EDD applies, reducing national discretion.
- Simplified due diligence (SDD): Available only in narrowly defined circumstances — low-value transactions (below €200 for occasional transactions), publicly listed companies with transparent ownership, and certain public authorities. The bar for applying SDD has been raised significantly.
Beneficial Ownership
Beneficial ownership rules are tightened across the AMLR and AMLD6:
- Ownership threshold: The threshold for declaring beneficial ownership is lowered from 25% to a more granular approach. Entities must identify natural persons who ultimately own or control 25% or more of the entity (maintained from AMLD5), but must apply additional verification measures and consider ownership interests below 25% where relevant.
- Register access: Under AMLR, beneficial ownership registers must be accessible to obliged entities, competent authorities, and — under AMLD6 Articles 11-13 — persons who can demonstrate a legitimate interest. The exact access rules vary by transposition deadline.
- Interconnected registers: The AMLR requires Member States to establish interconnected beneficial ownership registers, enabling cross-border searches across the EU. This replaces the current fragmented system where each Member State maintains its own opaque register.
Travel Rule and Crypto-Asset Transfers
The Transfer of Funds Regulation (TFR), which became applicable in December 2024, extends the Travel Rule to crypto-asset transfers. The AMLR builds on this foundation:
- Zero-threshold Travel Rule for inter-CASP transfers: All transfers between CASPs must include originator and beneficiary information regardless of amount. This matches the FATF Recommendation 16 standard.
- Transfers from CASP to unhosted wallet: Information must be collected and transferred when funds move from a CASP to an unhosted (self-custody) wallet, with specific thresholds.
- Prohibition of anonymous accounts: The AMLR prohibits CASPs from maintaining anonymous accounts or accounts where beneficial ownership is not established. Privacy-preserving tokens (such as Monero, Zcash, and similar privacy coins) cannot be held or transacted by CASPs.
For crypto compliance teams, the intersection of the AMLR with MiCA is critical. MiCA governs the licensing and operational framework for CASPs, while the AMLR governs their AML/CFT obligations. A firm cannot be a compliant CASP without satisfying both regimes. See our crypto Travel Rule compliance guide for implementation details.
Transaction Monitoring and Suspicious Transaction Reports
The AMLR requires obliged entities to establish and maintain adequate transaction monitoring systems. For financial services firms, this means:
- Risk-based monitoring: Transaction monitoring must be risk-based, not rules-based alone. The AMLR explicitly requires that monitoring systems consider customer risk profiles, transaction patterns, and geographic risk factors.
- AI and automated detection: The AMLR does not prohibit AI-driven transaction monitoring — in fact, it implicitly supports it by requiring proportionate and risk-based approaches. However, such systems must be explainable and auditable. See our guide on AML transaction monitoring in 2026.
- STR filing obligations: Suspicious transaction reports must be filed without delay when obliged entities know, suspect, or have reasonable grounds to suspect that funds are the proceeds of criminal activity. The AMLR removes national variation in STR filing thresholds and procedures.
Cash Payment Limits
The AMLR introduces a uniform €10,000 cash payment limit across the EU. This is one of the most operationally visible changes for businesses that handle physical cash:
- €10,000 limit: All payments in cash (or crypto-assets acquired in exchange for cash) exceeding €10,000 are prohibited. This limit applies to payments made by a single natural person or by multiple persons who appear to be acting together.
- €3,000 for high-risk third countries: Payments connected to high-risk third countries are limited to €3,000 in cash.
- Exemptions: Financial institutions and obliged entities are exempt when acting in their professional capacity (e.g., bank deposits). The limit targets commercial transactions, not banking operations.
AMLD6: National Transposition Requirements
While the AMLR provides directly applicable rules, AMLD6 covers the institutional framework that requires national implementation. This creates a compliance challenge: AMLD6 provisions may still vary between Member States depending on how each country transposes the directive.
Staggered Transposition Deadlines
AMLD6 uses a staggered transposition timeline, with some provisions required earlier than others:
- By 10 July 2025 (already passed): Article 74 — Financial Intelligence Units must have comprehensive access to information held by obliged entities, public authorities, and central registers. This was the first transposition deadline and should already be implemented in most Member States.
- By 10 July 2026 (approaching): Articles 11, 12, 13, and 15 — Beneficial ownership register provisions. Article 11 requires that obliged entities take adequate measures to verify beneficial ownership information. Article 12 deals with the registration of beneficial ownership information. Article 13 covers the duty of entities to hold beneficial ownership information. Article 15 addresses the conditions for access to beneficial ownership registers by persons demonstrating a legitimate interest. This is the next critical deadline for compliance teams.
- By 10 July 2027: Remaining AMLD6 provisions, including enhanced supervisory powers, cooperation obligations between competent authorities, and penalty frameworks.
- By 10 July 2029: Article 18 — Single access point to real estate information, allowing authorities to access real estate ownership data across borders.
Supervisory Powers and Penalties
AMLD6 significantly expands the supervisory toolkit available to national competent authorities:
- Enhanced penalty thresholds: The maximum pecuniary penalties for serious, repeated, or systematic breaches have been increased to up to €10 million or 10% of the obliged entity's total annual worldwide turnover, whichever is higher. For individual breaches, penalties can reach €5 million or 5% of annual turnover.
- Natural person liability: AMLD6 introduces personal liability for natural persons who are responsible for AML/CFT compliance within obliged entities. This includes board members, compliance officers, and senior management who fail to implement adequate controls.
- Supervisory measures: National authorities gain expanded powers including the ability to impose remediation plans, restrict or suspend business activities, withdraw licences, and require the appointment of external compliance experts.
Financial Intelligence Unit Coordination
AMLD6 strengthens FIU operations across the EU:
- FIU.net integration: All FIUs must be connected to the FIU.net system, enabling real-time cross-border information exchange for financial crime investigations.
- Joint analysis: FIUs are empowered to conduct joint analyses of suspicious transactions that span multiple jurisdictions — critical for crypto-related investigations where funds move rapidly across borders.
- Feedback mechanism: FIUs must provide feedback to obliged entities that file STRs, enabling compliance teams to improve their detection systems based on investigation outcomes.
AMLA: The New EU Supervisory Authority
The Anti-Money Laundering Authority is the institutional centrepiece of the AML Package. Headquartered in Frankfurt, Germany, AMLA began operations on July 1, 2025, and will progressively assume supervisory powers through 2028.
AMLA's Mandate
AMLA's mission is to transform AML/CFT supervision in the EU by ensuring consistent application of rules and closing the enforcement gaps that have allowed money laundering to persist. On January 1, 2026, the European Banking Authority transferred all AML/CFT-related mandates to AMLA, consolidating EU-level AML supervision under a single authority.
Direct Supervision (From January 2028)
AMLA's most significant power is direct supervision of high-risk obliged entities:
- Selection criteria: AMLA will directly supervise approximately 40 obliged entities that operate across at least six Member States and present elevated money laundering or terrorism financing risk. The selection process begins in 2027.
- Sector coverage: Direct supervision covers banks, payment institutions, crypto-asset service providers, and other financial entities meeting the cross-border and risk criteria. Crypto companies with operations across multiple EU Member States are prime candidates for AMLA direct supervision.
- Enforcement powers: AMLA can conduct on-site and off-site inspections through Joint Supervisory Teams (comprising AMLA and national supervisory staff), issue binding decisions, impose pecuniary sanctions, and require remediation actions.
Indirect Supervision
For obliged entities not selected for direct supervision, AMLA exercises indirect oversight by coordinating national competent authorities:
- Coordination role: AMLA can require national authorities to initiate specific supervisory actions or investigations.
- Standardisation: AMLA develops regulatory and technical standards, issues guidelines, and establishes a "Single Rulebook" for AML/CFT supervision.
- Mediation: AMLA mediates disputes between national authorities and resolves cross-border supervisory conflicts.
What This Means for Crypto and Fintech
The AML Package's impact on the crypto and fintech sector is disproportionate to its size. These are the specific operational changes that crypto compliance teams must address:
For CASPs
- Dual regulatory framework: CASPs must comply with both MiCA (licensing and operations) and the AMLR (AML/CFT obligations). The two regimes are complementary but have separate compliance requirements, separate supervisory authorities, and separate penalty frameworks.
- No more anonymous onboarding: The prohibition of anonymous accounts eliminates the grey zone where some crypto platforms allowed non-KYC'd accounts for small transactions. Every user must be identified before accessing services.
- Privacy coin ban: CASPs cannot hold, transact, or facilitate transactions involving privacy-preserving tokens. This requires technical changes to asset listing processes and transaction screening systems.
- Travel Rule implementation: The TFR's zero-threshold Travel Rule for inter-CASP transfers is already in effect (since December 2024). The AMLR reinforces this and adds requirements for CASP-to-unhosted wallet transfers.
For Fintechs
- Uniform KYC requirements: The €1,000 mandatory CDD threshold for occasional transactions affects fintechs offering payment services, remittances, or money transmission. The previous flexibility of setting higher thresholds based on risk assessment is curtailed.
- AI-driven compliance tools: Fintechs using AI for transaction monitoring or customer screening must ensure these tools are auditable and explainable. While the AMLR does not directly regulate AI (that falls under the EU AI Act), AMLA's supervisory expectations will increasingly include scrutiny of automated compliance systems.
- Cross-border operations: Fintechs operating across multiple EU Member States benefit from the AMLR's uniform rules — a single compliance programme can serve all jurisdictions. But they also face higher scrutiny from AMLA, which will prioritise cross-border obliged entities for direct supervision.
Compliance Checklist: What to Do Now
Based on the implementation timeline, here is what compliance teams should prioritise:
Immediate (Q2 2026)
- Assess AMLD6 Articles 11-13 transposition readiness: Verify that your beneficial ownership verification processes meet the requirements that Member States must implement by July 10, 2026. Check whether your national authority has published transposition measures.
- Audit current CDD processes against AMLR requirements: Even though the AMLR does not fully apply until July 2027, starting the gap analysis now avoids a scramble. Focus on the €1,000 CDD threshold, enhanced due diligence criteria, and simplified due diligence narrowing.
- Review crypto-specific compliance: If your firm handles crypto-assets, verify Travel Rule compliance (already in effect under TFR), assess privacy coin exposure, and plan for the anonymous account prohibition.
Medium-Term (H2 2026 – H1 2027)
- Prepare AMLR operational changes: Update compliance policies, training materials, and systems to reflect AMLR requirements. The uniform rules mean a single programme can serve all EU markets — but only if it is comprehensive.
- Monitor AMLA selection process: AMLA will begin selecting entities for direct supervision in 2027. If your firm operates across six or more Member States, assess your likelihood of selection and prepare for Joint Supervisory Team inspections.
- Coordinate with national authorities: Track AMLD6 transposition in your key operating jurisdictions. The quality and timing of national implementation varies — some Member States will act early, others will wait until the deadline.
Long-Term (2027–2028)
- Implement full AMLR compliance: All AMLR provisions apply from July 10, 2027. Your compliance programme must be fully operational by this date.
- Prepare for AMLA direct supervision: If selected, ensure your organisation can respond to AMLA inspection requests, provide documentation in required formats, and cooperate with Joint Supervisory Teams.
- Integrate AMLR with other EU regulations: The AMLR operates alongside the EU AI Act, DORA, GDPR, and MiCA. Compliance teams must ensure these frameworks are addressed in an integrated manner, not in silos.
Interaction with Other EU Regulations
The AML Package does not exist in isolation. Financial services compliance teams must navigate its interaction with several other EU regulatory frameworks:
- EU AI Act (August 2026): AI systems used for AML transaction monitoring, fraud detection, and customer risk scoring may be classified as high-risk under the AI Act's Annex III. This creates a dual compliance obligation — AMLR requires risk-based monitoring, while the AI Act requires conformity assessment, human oversight, and technical documentation for the same systems. See our EU AI Act compliance guide.
- MiCA (July 2026): CASPs must satisfy both MiCA licensing requirements and AMLR AML/CFT obligations. The two regimes are enforced by different authorities in most Member States. See our MiCA compliance checklist.
- DORA (January 2025): Digital operational resilience requirements under DORA apply to the same ICT systems that support AMLR compliance (transaction monitoring platforms, screening tools, reporting systems). See our DORA compliance guide.
- GDPR: AMLR processing of personal data for CDD, beneficial ownership verification, and transaction monitoring must comply with GDPR. The AMLR provides some derogations (e.g., processing special category data for AML purposes), but the general GDPR framework applies. See our GDPR fintech compliance guide.
Frequently Asked Questions
What is the difference between AMLR and AMLD6?
The AMLR (Anti-Money Laundering Regulation, Regulation 2024/1624) is a directly applicable EU regulation that sets uniform AML/CFT rules across all 27 Member States without requiring national transposition. AMLD6 (Anti-Money Laundering Directive, Directive 2024/1640) is a directive that requires Member States to transpose specific provisions into national law — primarily covering supervisory powers, penalties, and institutional AML/CFT framework elements.
When does the EU AML Package apply to crypto companies?
CASPs (Crypto-Asset Service Providers) are explicitly classified as obliged entities under the AMLR. The AMLR will apply in full from July 10, 2027. Key obligations include enhanced KYC requirements for transactions above €1,000, prohibition of anonymous accounts and privacy coins, and mandatory Travel Rule compliance. CASPs should begin compliance preparation now given the 2027 deadline.
What powers does AMLA have?
AMLA (Anti-Money Laundering Authority) is headquartered in Frankfurt and began operations on July 1, 2025. From January 2028, AMLA will directly supervise approximately 40 high-risk financial institutions operating across six or more Member States — including banks, payment providers, and crypto companies. AMLA can conduct on-site and off-site inspections, impose pecuniary sanctions, and coordinate Financial Intelligence Units across the EU.
What are the key AMLD6 transposition deadlines?
Article 74 (FIU access to information) must be transposed by July 10, 2025. Articles 11, 12, 13, and 15 (beneficial ownership register provisions) must be transposed by July 10, 2026. Article 18 (single access point to real estate information) must be transposed by July 10, 2029. The remaining AMLD6 provisions must be transposed by July 10, 2027.
How does the AML Package interact with the EU AI Act?
AI systems used for AML transaction monitoring and customer risk scoring may qualify as high-risk under the EU AI Act (Annex III). This creates overlapping compliance obligations: the AMLR requires risk-based monitoring, while the AI Act requires conformity assessment, human oversight, bias testing, and technical documentation. Compliance teams should address both frameworks in an integrated compliance programme rather than treating them as separate workstreams.
What happens if our Member State does not transpose AMLD6 on time?
If a Member State fails to transpose AMLD6 by the applicable deadline, the directly applicable AMLR provisions still apply. However, the supervisory and penalty provisions of AMLD6 may be delayed or incomplete. Compliance teams should monitor transposition progress in their key operating jurisdictions and prepare for both scenarios — full transposition and delayed implementation. AMLA may also take enforcement action against Member States that fail to transpose.