In 2024 the EU adopted its long-awaited AML/CTF package, the biggest overhaul of the bloc's anti-financial-crime regime in a decade. It swaps a patchwork of national rules for a single rulebook and creates a central supervisor. Here's what's in it, and when it starts to bite.
1. The three building blocks
The package is built on three legal instruments that do very different jobs:
- AMLR, the single rulebook. A directly-applicable EU Regulation that harmonises customer due diligence, beneficial ownership, sanctions and reporting rules across every member state. Because it is a Regulation, it applies the same way everywhere, removing much of the national divergence firms have navigated for years.
- AMLD6, the directive. Updates the institutional framework: national supervisors, Financial Intelligence Units, and beneficial-ownership registers. As a Directive, it has to be transposed into each country's national law.
- AMLAR, the AMLA Regulation. Establishes the new Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt.
2. Meet AMLA
AMLA is the EU's new central AML/CFT authority, and it is more than a coordinator:
- Direct supervision. From 2028, AMLA will directly supervise a selected group of the highest-risk cross-border financial institutions, with the first selection expected around 2027.
- Indirect supervision. For everyone else, it sets standards for and oversees the national supervisors, pushing toward consistent application across the bloc.
- Standard-setting. It supports FIUs and can issue binding technical standards and guidelines.
3. What actually changes for firms
- A harmonised rulebook for CDD: more prescriptive customer due diligence, beneficial ownership (with the 25% ownership threshold remaining a key indicator) and clearer enhanced-due-diligence triggers.
- Crypto fully in scope: crypto-asset service providers (CASPs) face the full set of AML obligations.
- An EU-wide cash payment limit of €10,000 for traders in goods.
- Tighter beneficial-ownership transparency and interconnected registers across member states.
- Expanded scope to certain new sectors, including high-value goods dealers and parts of professional football.
4. The dates that matter
- 2024: package adopted and entered into force.
- 2025: AMLA establishment phase begins in Frankfurt.
- 10 July 2027: the AMLR single rulebook applies (most provisions), with AMLD6 national transposition around the same time.
- 2028: AMLA begins direct supervision of selected entities.
Key takeaways
- The EU is moving from 27 national rulebooks to one directly-applicable rulebook (AMLR).
- AMLA is a real central supervisor, not just a coordinator, for the highest-risk cross-border firms from 2028.
- The compliance clock is 2027. Gap assessments against the AMLR should be happening now.
- Crypto, beneficial ownership and EDD see the biggest substantive tightening.
What this means in practice
Firms across the EU should be mapping their current frameworks against the AMLR now, because harmonisation cuts both ways: it removes local interpretation room and raises the floor. In my experience, the institutions that fare best in an examination are the ones that started their gap analysis early, and for the AMLR, early means 2026.