The EU AML Package Explained: AMLR, AMLD6, and AMLA for Crypto & Finance

The Biggest AML Reform in EU History

The EU's Anti-Money Laundering Package, adopted in 2024, represents the most significant overhaul of European AML rules since the first directive in 1991. For the first time, core AML requirements will be contained in a directly applicable regulation, eliminating the fragmentation that plagued previous directive-based approaches.

If you work in compliance at a bank, payment institution, or crypto-asset service provider, this package fundamentally changes your obligations. This guide breaks down what you need to know.

What's in the Package?

The AML Package consists of three main instruments:

1. AML Regulation (AMLR) - Regulation (EU) 2024/1624

The AMLR creates a single rulebook for AML/CFT requirements across the EU. Unlike directives, regulations apply directly without national transposition, meaning the same rules apply identically in all 27 member states.

Key provisions include:

• Customer due diligence requirements
• Beneficial ownership rules
• Enhanced due diligence for high-risk situations
• Third-country policy
• Internal controls and policies

2. 6th AML Directive (AMLD6) - Directive (EU) 2024/1640

AMLD6 covers matters that require national implementation:

• Powers and tasks of Financial Intelligence Units (FIUs)
• Supervision of obliged entities
• Access to beneficial ownership information
• Cooperation between authorities
• Administrative sanctions

3. AMLA Regulation - Regulation (EU) 2024/1620

Creates a new EU-level Anti-Money Laundering Authority (AMLA) headquartered in Frankfurt. AMLA will:

• Directly supervise the riskiest financial entities
• Coordinate national supervisors
• Support FIUs across the EU
• Develop regulatory technical standards

Timeline: When Does It Apply?

The package has a staggered implementation:

| Instrument | Entry into Force | Application Date |

|------------|------------------|------------------|

| AMLA Regulation | July 2024 | Immediate (authority building) |

| AMLR | July 2024 | July 2027 |

| AMLD6 | July 2024 | July 2027 (transposition deadline) |

Important: While July 2027 is the main application date, AMLA begins operations earlier and will start selecting entities for direct supervision in 2026.

Crypto-Assets: Now Fully In Scope

One of the most significant changes is the comprehensive inclusion of the crypto sector:

All CASPs Are Obliged Entities

Under the AMLR, all crypto-asset service providers authorized under MiCA become "obliged entities" subject to full AML requirements. This includes:

• Custody providers
• Exchange operators
• Trading platforms
• Transfer service providers

No More Thresholds for Crypto

The previous €1,000 threshold for occasional transactions is eliminated for crypto-assets. CASPs must apply customer due diligence to:

• All customer relationships
• All occasional transactions, regardless of amount

Travel Rule Integration

The AMLR works alongside the Transfer of Funds Regulation (TFR) to ensure complete traceability of crypto-asset transfers. CASPs must:

• Collect originator and beneficiary information for all transfers
• Verify self-hosted wallet ownership
• Apply enhanced due diligence for high-risk transfers

Customer Due Diligence: What Changes?

Standard CDD Requirements

The AMLR harmonizes CDD requirements across the EU:

Timing: CDD must be completed before establishing a business relationship or carrying out an occasional transaction.

Measures Required:

• Identify and verify the customer's identity

• Identify beneficial owners and verify their identity

• Assess the purpose and intended nature of the business relationship

• Conduct ongoing monitoring

Verification Sources: Customer identity must be verified using:

• Reliable, independent sources
• Electronic identification means (eIDAS)
• Qualified trust services
• Other secure remote identification processes

Enhanced Due Diligence

Enhanced due diligence is mandatory for:

High-Risk Third Countries: Customers or transactions involving countries identified by the EU as having strategic AML deficiencies.

Politically Exposed Persons (PEPs): Including domestic PEPs, not just foreign ones. The AMLR defines PEPs uniformly across the EU.

Complex Ownership Structures: Where beneficial ownership is difficult to determine or involves multiple layers.

High-Risk Products/Services: As identified in national or EU-level risk assessments.

Correspondent Relationships: For credit institutions and crypto-asset service providers maintaining correspondent relationships.

Beneficial Ownership

The AMLR tightens beneficial ownership requirements:

25% Threshold Maintained: Beneficial owners are natural persons who ultimately own or control more than 25% of shares, voting rights, or ownership interest.

No More Nominee Senior Management: When no beneficial owner can be identified, obliged entities can no longer default to senior management as the "beneficial owner." Instead, they must document why identification wasn't possible and apply enhanced scrutiny.

Central Registers: Member states must maintain beneficial ownership registers accessible to:

• Competent authorities (full access)
• Obliged entities (for CDD purposes)
• Persons with legitimate interest (limited access)

AMLA: The New EU AML Supervisor

The creation of AMLA is perhaps the most significant structural change. Here's what it means in practice:

Direct Supervision

AMLA will directly supervise selected high-risk obliged entities in the financial sector. Selection criteria include:

• Operating in multiple member states
• High inherent ML/TF risk
• Past compliance failures

Initially, AMLA will supervise up to 40 entities. This number may increase over time.

What Direct Supervision Means

Entities under AMLA supervision will:

• Report directly to AMLA, not national supervisors
• Be subject to AMLA inspections and investigations
• Face AMLA-imposed sanctions for violations
• Follow AMLA guidance and requirements

Indirect Supervision

For entities not directly supervised, AMLA will:

• Set supervisory standards and methodologies
• Conduct peer reviews of national supervisors
• Coordinate joint supervisory actions
• Maintain a central AML database

Supporting FIUs

AMLA will coordinate the EU's network of Financial Intelligence Units:

• Developing joint analysis capabilities
• Facilitating information sharing
• Supporting complex cross-border cases
• Providing training and resources

Sanctions and Penalties

The AMLR significantly strengthens the penalty framework:

For Legal Entities

• Maximum fine: At least €10 million or 10% of annual turnover
• Publication of violations (naming and shaming)
• Withdrawal of authorization
• Temporary ban on management functions

For Natural Persons

• Maximum fine: At least €5 million
• Temporary bans from management positions
• Criminal referrals where appropriate

Aggravating Factors

Higher penalties apply when:

• Violations are systematic or repeated
• Senior management was involved
• The entity failed to cooperate with authorities
• The violation generated significant profits

Implementation Checklist for CASPs

If you're a crypto-asset service provider, here's what you need to do:

Immediate (2026)

By July 2027

Ongoing

Implementation Checklist for Banks and Financial Institutions

Policy Updates Required

System Changes

Governance

What About Existing National Rules?

The shift to a regulation-based approach means:

Harmonization: Core AML rules will be identical across the EU. No more variations in beneficial ownership thresholds, CDD requirements, or reporting obligations.

National Additions: Member states can still impose stricter requirements in limited areas, but the baseline is now uniform.

Transition Period: Existing national laws remain in force until July 2027, then must give way to the AMLR where there's overlap.

Common Questions

Does this replace the Travel Rule (TFR)?

No. The TFR and AMLR work together. The TFR covers information accompanying transfers; the AMLR covers broader AML obligations including CDD, monitoring, and reporting.

Will AMLA supervise all CASPs?

No. AMLA will directly supervise only selected high-risk entities. Most CASPs will continue to be supervised by national competent authorities, but following harmonized AMLR rules.

What about existing MiCA AML requirements?

MiCA Article 68 contains AML provisions that align with and complement the AMLR. CASPs must comply with both, though AMLR becomes the primary AML framework.

How does this affect third-country crypto firms?

Third-country firms serving EU customers without EU authorization face increased scrutiny. EU CASPs dealing with third-country counterparties must apply enhanced due diligence.

How FinlexPro Helps

The AML Package spans three major legislative instruments plus numerous technical standards. FinlexPro indexes:

• Complete AMLR text with all articles
• AMLD6 provisions
• AMLA Regulation
• Related ESMA and EBA guidelines
• Cross-references to MiCA and TFR

Search specific AML requirements, understand how they interact with MiCA, and get AI-powered explanations with direct article citations.

Start your AML compliance research with FinlexPro.