EU AML Regulation (AMLR)

What is the EU AML Regulation (AMLR)?

The EU Anti-Money Laundering Regulation (AMLR) — formally Regulation (EU) 2024/1624 — is the directly applicable EU instrument that creates a single AML/CFT rulebook for obliged entities across the European Union. Adopted in 2024 as the centrepiece of the EU AML Package, it replaces the patchwork of national transpositions that previously applied under successive AML Directives (AMLD4, AMLD5) and harmonises the substantive obligations every obliged entity must satisfy — customer due diligence, beneficial ownership, sanctions screening, recordkeeping, and suspicious-transaction reporting.

Unlike a directive, AMLR does not need to be transposed into national law. It applies directly in every member state, in the same words, on the same date — eliminating the cross-border inconsistencies that previously allowed regulatory arbitrage and uneven supervision. AMLR sits alongside Directive (EU) 2024/1640 (which governs supervision and FIU architecture), the new EU AML Authority Regulation (which establishes AMLA), and the existing criminal-law AMLD6 (Directive 2018/1673).

Why AMLR matters

AMLR is the most significant overhaul of EU AML rules since the framework was first established. By converting the core substantive rules from a directive into a regulation, the EU has materially reduced the room for national divergence and tightened the alignment between supervisory expectations across member states. For obliged entities, this means a single set of CDD, beneficial-ownership, and reporting obligations to comply with — but also a higher baseline, since AMLR raises the bar on several rules previously left to member-state discretion. Cross-border groups in particular benefit from a coherent rulebook; smaller firms may face heavier upstream investment as the new requirements take effect.

Who must comply with AMLR

AMLR applies to a broad and expanded set of obliged entities. Financial institutions are the core constituency — banks, credit institutions, e-money and payment service providers, investment firms, asset managers, insurance intermediaries selling life products, and crowdfunding service providers. The regulation also reaches crypto-asset service providers (CASPs) authorised under the MiCA framework, including crypto exchanges, custodial wallet providers, and transfer service providers. DNFBPs continue to be covered: lawyers, notaries, accountants, auditors, tax advisors, real-estate intermediaries, trust and corporate service providers, and dealers in high-value goods. AMLR newly extends the perimeter to professional football clubs and football agents (subject to risk-based application) and traders in luxury goods above defined thresholds. National regulators may also designate additional sectors where they identify elevated ML/TF risk.

Core obligations under AMLR

AMLR codifies a risk-based approach as the operating model for every obliged entity. Each entity must perform a documented business-wide risk assessment covering customers, products, services, geographies, and delivery channels, layered on standard Know Your Customer (KYC) processes. CDD must be applied before establishing a business relationship — verifying customer identity using independent and reliable sources, identifying beneficial owners (the regulation lowers the threshold to 25% with clearer rules on indirect ownership and control), and understanding the nature and purpose of the relationship. Enhanced Due Diligence applies to higher-risk situations, including PEPs, customers from EU-listed high-risk third countries, complex ownership structures, and unusually large or unusual transactions.

Sanctions screening, transaction monitoring, suspicious-transaction reporting to national FIUs, and at least five years of recordkeeping (extendable on supervisor request) round out the core obligations. AMLR also introduces a EUR 10,000 EU-wide cap on cash payments for goods and services, with member states retaining the right to impose lower national caps. Many EU obliged entities operationalise these checks through a unified AML screening platform that combines sanctions, PEP, and adverse-media coverage with continuous monitoring.

Beneficial ownership and transparency

A defining feature of AMLR is its tighter beneficial-ownership regime. The regulation harmonises the definition of beneficial owner (25% ownership or control), introduces clearer rules for layered ownership chains and trusts, and requires beneficial-ownership data to be verified and kept accurate and up to date, not merely registered. Member states must operate interconnected beneficial-ownership registers populated with verified data; obliged entities must consult those registers as part of CDD and report any discrepancies. This is the same transparency push reflected in the EU's response to the Court of Justice ruling on public access — AMLR rebuilds the access framework around a "legitimate interest" model with defined categories of access.

CASPs and crypto-asset coverage

AMLR brings crypto-asset service providers fully into the EU AML perimeter. CASPs authorised under MiCA must apply the same CDD, beneficial-ownership, sanctions, and reporting obligations as banks, including specific rules for transfers of crypto-assets implementing the FATF Travel Rule. The regulation explicitly addresses self-hosted wallet transactions, anonymity-enhancing services, and high-risk counterparties — closing exposures that earlier directives did not adequately cover.

PEPs and high-risk third countries

AMLR standardises the procedures for politically exposed persons across the EU. Senior-management approval is required to establish or continue a relationship with a PEP, source-of-funds and source-of-wealth checks are mandatory, and enhanced ongoing monitoring applies for at least 12 months after the individual ceases to hold a prominent public function. EDD also applies automatically to customers established or operating in jurisdictions identified by the European Commission as high-risk third countries, with specific defensive measures (such as restrictions on correspondent relationships) where a country is subject to a call to action.

Timeline and application

AMLR was published in the Official Journal on 19 June 2024 and applies generally from 10 July 2027, with the Commission empowered to phase certain provisions sooner. Specific obligations affecting football clubs and agents apply from 10 July 2029. Until AMLR's general application date, the existing AMLD framework — as transposed nationally — continues to apply. Obliged entities should treat the period between now and 2027 as an active programme window: gap-assessing current CDD, beneficial-ownership, screening, and reporting controls against AMLR requirements; rebuilding policies, procedures, and customer-facing flows; and preparing for the parallel transition to AMLA-led supervision for the largest cross-border groups.

AMLR vs the AML directives

AMLR replaces the substantive parts of AMLD4 and AMLD5 with directly applicable rules. Directive (EU) 2024/1640 — sometimes informally referenced as the "new AML Directive" — replaces the procedural and supervisory aspects (FIU architecture, supervisory cooperation, beneficial-ownership register operations). The criminal-law AMLD6 (Directive 2018/1673) remains in force separately and is not replaced by the 2024 package. Reading the architecture together: AMLR is the substantive rulebook, the new Directive is the supervisory framework, the EU AML Authority (AMLA) is the central supervisor, and AMLD6 is the criminal-law overlay.