The EU has had a problem for years: money laundering legislation is harmonised across Member States, but only on paper. In practice, national legislators have implemented, interpreted and enforced EU directives differently. The result is a patchwork quilt that cross-border institutions are familiar with and that structurally favours regulatory arbitrage.
This will change fundamentally from 2027 onwards. On 31 May 2024, the European Parliament adopted the most ambitious AML reform package since the introduction of the first Money Laundering Directive in 1991. The key difference to the past is that the new Anti-Money Laundering Regulation (AMLR) is a regulation, not a directive. It will apply directly in all Member States from 10 July 2027 – without national implementation, without room for interpretation, without the usual patchwork of implementations. Anyone who currently operates in several EU countries and juggles different national requirements will have a uniform set of rules from 2027 onwards. This simplifies a lot of things – but at the same time raises the bar, because the toughest standard now applies everywhere.
The package consists of three legal acts with clearly separate functions.
AMLR (Regulation EU 2024/1624) is the operational core: it defines who is obliged, which KYC and CDD obligations apply, how UBOs are to be dealt with and what to do in case of suspicion. Directly applicable from July 2027 — for football clubs and agents only from July 2029.
AMLD6 (Directive EU 2024/1640) regulates what Member States must implement at national level: supervisory architecture, UBO registers, FIU powers and sanctions frameworks. Implementation deadline is July 2027, with individual articles coming into force earlier.
AMLAR (Regulation EU 2024/1620) establishes the new European supervisory authority AMLA, based in Frankfurt. Operational since 1 July 2025. From January 2028, AMLA will take over direct supervision of up to 40 selected financial institutions and coordinate all national AML supervisory authorities.
|
Timeline: July 2025: AMLA operational. | July 2026: First RTS on CDD and group supervision. | July 2027: AMLR applicable, AMLD6 implemented. | January 2028: AMLA direct supervision begins. | July 2029: CASPs, football, BORIS networking. |
The scope of application of the AMLR goes significantly further than that of the AMLD4. In addition to the familiar financial players, several sectors are newly covered or covered to a greater extent.
UBO threshold: "25% or more" instead of "more than 25%"
It may sound like a technical detail, but it has practical consequences: previously, the UBO identification requirement only applied to holdings of more than 25%. Art. 52 para. 1 AMLR changes this to 25% or more. This means that anyone holding exactly 25% must now be identified, verified and documented as a UBO. For certain high-risk categories of companies, the Commission may lower the threshold to up to 15% by means of a delegated regulation.
In practice, this means that existing customer files must be systematically reviewed. In shareholding structures where no one with exactly 25% has been reported as a UBO to date, there may be a need to catch up.
Perpetual KYC: ongoing review instead of periodic spot checks
Art. 26 AMLR introduces binding maximum intervals for updating customer files. High-risk customers must be reviewed at least annually, normal-risk customers at least every five years. In addition, there are event-driven reviews – known as trigger-based pKYC – in the event of UBO changes, unusual transactions or risk class changes, regardless of the regular cycle. Details will be specified by AMLA-RTS by July 2026.
Digital onboarding and eIDAS
The AMLR explicitly recognises eIDAS-compliant electronic identification as equivalent to physical verification. From July 2027, obliged entities must accept the EU Digital Identity Wallet (EUDI Wallet) as an onboarding method. This enables fully digital, paperless onboarding for low-risk customers.
Key measures:
Extension of scope for obliged entities: AMLR broadens the definition of obligated entities to encompass crowdfunding platforms, Crypto-Asset Service Providers (also known as "CASPs"), and other high-risk industries. The area of application now includes virtual IBANs for the first time.
Enhanced Due Diligence (EDD): For certain deals, enhanced due diligence responsibilities have been added. For cross-border correspondent connections, CASPs will be required to fulfill these EDD duties. Second, for commercial dealings with high net worth persons whose total wealth exceeds EUR 50,000,000 and who handle assets under control surpassing EUR 5,000,000, credit and financial institutions will be required to implement EDD measures. Additionally, based on an evaluation that takes into account the lists created by the Financial Action Task Force (FATF), all required businesses will be required to carry out EDD measures for sporadic transactions and commercial partnerships with high-risk third nations.
Limit and restrictions on cash payments: Cash payments are subject to a maximum limit of EUR 10,000 within the EU. Depending on particular national hazards, member states will be free to set a lower maximum level.
|
Type of Transaction |
Threshold Value |
|
General threshold (all sectors) (Art. 19(1)(b)) |
EUR 10'000 |
|
Crypto-asset providers (CASPs) |
EUR 1'000 |
|
Enhanced threshold for cash payments |
EUR 3'000 |
|
Cap on cash payments (Art. 80) |
EUR 10'000 |
Sanctions screening as a separate obligation
A new requirement is the explicit obligation to check in every CDD whether the customer or their beneficial owner is subject to targeted financial sanctions (TFS). This was previously considered good practice; from July 2027, it will be a separate AMLR requirement that must be documented.
14-day reporting obligation for register discrepancies
If an "obliged entity" discovers a discrepancy between its own customer data and the national UBO register as part of its CDD, it must report this discrepancy to the register within 14 calendar days, together with its own assessment of who it considers to be the beneficial owner. This requires a defined internal detection and escalation process.
AMLA has been active in Frankfurt since July 2025 and will grow to around 430 employees by the end of 2027. From January 2028, it will take over direct supervision of up to 40 selected financial institutions — selected according to risk criteria such as scope of activity in at least six Member States and provisional materiality thresholds of over 20,000 customers or EUR 50 million in transaction volume per Member State. The list will be updated every three years.
The AMLA has extensive powers over directly supervised institutions: information requests, investigations, on-site inspections with or without prior notice. In the event of systemic violations by a non-directly supervised entity, the Commission may, at the request of the AMLA, order temporary direct supervision if the competent national authority does not respond adequately.
Relevant for all obliged entities: AMLA will publish a series of binding technical standards (RTS/ITS) on CDD, outsourcing, risk assessment and suspicious activity reports by 2026/2027. These will define the actual compliance framework from 2027 onwards. Those who do not actively follow the development of these standards risk discovering gaps shortly before go-live.
AMLD6 raises the maximum penalty for serious, repeated or systematic violations to EUR 10 million or 10% of annual turnover – double the previous AMLD4 limit (EUR 5 million / 5%). Another new feature is the introduction of ongoing penalty payments, which will be due until an official order is complied with. AMLA can impose sanctions independently on directly supervised entities; these sanctions can be challenged before the ECJ.
In addition, administrative measures remain possible: temporary professional bans for responsible persons, withdrawal of authorisation, public disclosure of violations. AMLA will publish guidelines on sanctioning practices by July 2026.
The AMLR will apply from July 2027 – that may sound a long way off, but it isn't. Adapting KYC processes, IT systems and internal guidelines takes time, and AMLA will publish numerous technical standards between now and then that will define the exact compliance framework. Anyone who waits until all RTS are available will have too little lead time.
Immediately: Determine whether you fall within the new scope of application (CASP, credit intermediaries, luxury goods dealers, etc.). Check existing customer files against the new 25% threshold. Determine whether activities in six or more Member States could trigger AMLA direct supervision.
By the end of 2026: Conduct a gap analysis of the existing KYC/AML programme against AMLR. Plan processes for trigger-based pKYC (perpetual KYC). Adjust CDD thresholds and cash payment controls. Design an internal 14-day reporting process for register discrepancies. Integrate TFS screening as a separate audit step.
By July 2027: Deploy systems for digital onboarding and EUDI wallet compatibility. Train staff. Implement AMLA-RTS as soon as it is published.
Contact us at support@kyc.ch for a customised Reg-Tech solution.
This article is for general information purposes only and does not constitute legal or compliance advice.