By Stuart Watkins, CEO, Zenoo
The EU AML Package is the most significant overhaul of anti-money laundering rules in Europe since the first directive in 1991. It has been years in the making, and as of mid-2024, the legislative process is reaching its conclusion. But the sheer volume of material, across multiple regulations and a new directive, makes it genuinely difficult for compliance teams to understand what is changing, when, and what they need to do about it.
This article breaks down the package into its component parts, explains the practical implications for compliance teams, and provides a timeline that you can actually plan against.
What is the EU AML Package?
The package consists of three legislative instruments, each serving a different purpose.
The AML Regulation (AMLR): A single, directly applicable rulebook that replaces the patchwork of national transpositions of previous AML directives. This is the big one. Because it is a regulation rather than a directive, it applies uniformly across all EU member states without the need for national transposition. No more shopping for the jurisdiction with the lightest interpretation.
The 6th Anti-Money Laundering Directive (6AMLD or AMLD6): Despite the shift toward regulation, a directive is still needed for areas that require national implementation, primarily relating to the powers and responsibilities of Financial Intelligence Units (FIUs) and national supervisors. This directive replaces 4AMLD and 5AMLD.
The AMLA Regulation: This creates the Anti-Money Laundering Authority, a new EU-level body that will directly supervise certain high-risk obliged entities and coordinate national supervisors. AMLA will be based in Frankfurt and is expected to begin direct supervision in 2028.
The single rulebook: what it covers
The AML Regulation consolidates and standardises rules that previously varied across member states. Here are the areas that matter most for compliance teams.
Customer Due Diligence (CDD). The regulation sets out harmonised CDD requirements, including specific triggers for Enhanced Due Diligence that are consistent across all member states. The beneficial ownership threshold is set at 25%, though the regulation allows member states to apply a lower threshold for higher-risk sectors. Simplified Due Diligence conditions are more tightly defined, reducing the discretion that some member states previously allowed.
Beneficial Ownership. The regulation mandates central beneficial ownership registers in every member state, with rules on access, data quality, and cross-border interconnection. The registries must be accurate, up-to-date, and available to competent authorities and obliged entities. Discrepancies between registry information and information held by obliged entities must be reported.
"The beneficial ownership registry requirements are probably the single most impactful change for firms doing cross-border KYB. Under the old directives, the quality and accessibility of registries varied enormously across member states. Standardisation will help, but the transition period is going to be messy."
PEP screening. The regulation harmonises the definition of Politically Exposed Persons across the EU and requires member states to publish lists of domestic PEP functions. This is a significant change for compliance teams that currently rely on commercial PEP databases with inconsistent domestic coverage across EU jurisdictions.
Third-country policy. The regulation introduces a more structured approach to assessing third-country risk, moving beyond the existing list-based approach. The European Commission will identify high-risk third countries based on a methodology that considers FATF assessments, the country's own AML framework, and specific risk factors. Obliged entities will be required to apply enhanced due diligence to business relationships and transactions involving these countries.
New entities in scope
The AML Package significantly expands the types of entities that are classified as "obliged entities" under the EU AML framework. The most notable additions include:
Crypto-Asset Service Providers (CASPs). CASPs are now fully in scope as obliged entities, required to apply the same CDD, ongoing monitoring, and suspicious transaction reporting obligations as traditional financial institutions. This reflects the growing recognition that crypto assets present money laundering risks that were not adequately addressed by previous directives.
Luxury goods dealers. Traders in precious metals, precious stones, and other luxury goods are brought into scope with CDD obligations for transactions above certain thresholds.
Football clubs and agents. In a move that reflects concerns about money laundering through the football transfer market, professional football clubs and agents involved in high-value transfers will be subject to AML obligations.
Mortgage and consumer credit intermediaries. Expanding beyond traditional lenders to include intermediaries in the credit process.
AMLA: the new EU supervisor
The creation of AMLA is arguably the most structurally significant element of the package. For the first time, there will be an EU-level authority with direct supervisory powers over certain obliged entities in the AML/CFT space.
AMLA will directly supervise a selection of the highest-risk cross-border obliged entities. The selection methodology is still being finalised, but it will be based on the entity's risk profile, cross-border activity, and the number of member states in which it operates. Estimates suggest AMLA will directly supervise 40 to 60 entities initially.
For entities not directly supervised by AMLA, national supervisors retain primary responsibility. But AMLA will have coordination powers, including the ability to request that national supervisors investigate specific entities or sectors, and to issue guidelines and recommendations that national supervisors must comply with or explain.
AMLA will also host FIU.net, the platform for cross-border FIU cooperation, and will be responsible for developing technical standards that flesh out the details of the AML Regulation.
The timeline: what happens when
This is where practical planning starts. The legislative process is nearing completion, with political agreement reached on the main elements of the package. Here is the expected timeline.
Mid-2024: Final texts published in the Official Journal of the EU. The AML Regulation enters into force 20 days after publication but does not apply immediately.
2025-2026: Transitional period. The AML Regulation has a three-year implementation period from entry into force, meaning most provisions will apply from mid-2027. During this period, AMLA will be established, staff recruited, and technical standards drafted.
2027: The AML Regulation becomes directly applicable. Obliged entities must comply with the new CDD, EDD, beneficial ownership, and ongoing monitoring requirements. The 6AMLD must be transposed into national law by member states.
2028: AMLA begins direct supervision of selected entities. The first supervisory cycle commences.
For compliance teams, the key message is this: you have approximately three years from publication to full application. That sounds like a long time. It is not. The firms that used the 5AMLD transposition period effectively were the ones that started their gap analysis in the first six months, not the last six.
What compliance teams should do now
Even before the final texts are published, there is enough certainty about the direction of travel to begin preparing.
Conduct a gap analysis against the draft regulation. The political agreement texts are publicly available. Map your current CDD, EDD, and beneficial ownership processes against the harmonised requirements. Identify where your current approach relies on national discretions that will be removed.
Review your PEP screening coverage. The harmonised PEP definitions will require you to screen against a standardised set of domestic PEP functions across all EU member states. Assess whether your current PEP data sources cover this.
Assess your CASP exposure. If you provide services to crypto-asset service providers, or if you are a CASP yourself, the new obligations are significant. Begin mapping your compliance programme against the regulation's requirements now.
Evaluate your technology readiness. The regulation's requirements for ongoing monitoring frequency, beneficial ownership verification, and cross-border data sharing all have technology implications. Assess whether your current systems can support the new requirements, or whether you need to plan for upgrades.
"We started our 5AMLD preparation 18 months before transposition. Even then, we ran up against the deadline on beneficial ownership register integration. For the AML Package, we are starting our gap analysis now, even though the final text is not yet published. The direction is clear enough to begin planning."
