What is the new EU AML regime?

The EU already has legislation relating to AML and CTF, in particular under the Fourth Money Laundering Directive, which was enacted in the EU in 2017. However, as the legislation took the form of a Directive, which requires member states to enact the legislation rather than the rules applying directly, this has resulted in the current rules being implemented in a fragmented way. There are also significant differences in the approach to enforcement and inadequate co-operation across supervisory authorities. 

Europol has estimated that around 1% of the EU’s annual Gross Domestic Product is ‘detected as being involved in suspect financial activity' so the EU has decided that it is necessary to improve the prevention, detection and enforcement of money laundering and terrorist financing. 

The aim of the new regime is to produce a greater level of harmonisation and convergence across the EU in relation to AML and CTF. To achieve this, the new regime provides for: 

1. the changes to be made primarily in the form of EU Regulations, which will apply directly in member states (reducing the scope for local variations and inconsistencies); and 
2. a new supervisory body which will (amongst other things) be responsible for issuing common guidelines and drafting technical standards to apply across all EU member states. 

New primary legislation 

The main new items of primary legislation are as follows: 

1. The AML Regulation (Regulation (EU) 2024/1624). This sets out the main requirements AML and CTF requirements that will apply to financial institutions and will be the primary source for the Single Rulebook, supplemented by further regulatory and implementing technical standards. 
2. The Cryptoasset Transfer Regulation (Regulation (EU) 2023/1113). This sets out requirements that apply to payment service providers and cryptoasset service providers to ensure that transfers of funds and cryptoassets can be traced for AML and CTF purposes. 
3. A new Money Laundering Directive (Directive (EU) 2024/1640, known as MLD6), which introduces requirements that will apply at a national level, and includes provisions regarding the powers and responsibilities of national supervisors. 
4. The AMLA Regulation (Regulation (EU) 2024/1620). This is the instrument that establishes the AMLA and sets out its powers and responsibilities. 

New secondary legislation and guidelines 

The new regime will also feature a large volume of delegated acts, implementing acts, technical standards and guidelines. 

The primary legislation listed above identifies over 60 separate areas where new EU-wide legislation and standards will apply, ranging from guidance for supervisors and firms through to granular requirements about how regulated firms should undertake customer due diligence. Many of the new EU-wide requirements will take the form of technical standards and guidelines developed and issued by the AMLA. 

Harmonisation and new standards 

As a result of the approach described above, the new AML/CTF regime will be harmonised across the EU to a higher level than is the case under the current regime – and, given the 60 new mandates, it is expected that the regime will be harmonised to a significantly higher level of granularity. 

Financial institutions and other obliged entities may find that the new standards are different to those that currently apply to them at a national level and may need to conduct a gap analysis to determine whether they need to amend or update their systems and processes to meet the new standards. 

What types of entity will the new regime apply to? 

The new AML Regulation applies to the concept of “obliged entities” – see the box below for the list of obliged entities. 

Obliged entities under the new AML Regulation 

1. Credit institutions. 
2. Financial institutions – which includes: insurance undertakings; insurance intermediaries; investment firms; collective investment undertakings; CSDs; creditors; credit intermediaries; crypto-asset service providers (“CASPs”); and undertakings (other than credit institutions) who carry certain activities listed in the Capital Requirements Directive. The terms also includes a branch of any of the above when located in the EU. 
3. The following natural or legal persons acting in the exercise of their professional activities: 
   • auditors, external accountants and tax advisors; 
   • notaries, lawyers and other independent legal professionals, where they participate in certain activities; 
   • trust or company service providers;
   • estate agents and other real estate professionals, to the extent they act as intermediaries in real estate transactions; 
   • traders in precious metals and stones or in high-value goods (and certain other activities relating to the trading of high-value goods and cultural goods, including when carried out by art galleries and auction houses); 
   • providers of gambling services; 
   • crowdfunding service providers and crowdfunding intermediaries; 
   • credit intermediaries for mortgage and consumer credits, other than credit institutions and financial institutions, with the exception of the credit intermediaries carrying out activities under the responsibility of one or more creditors or credit intermediaries; •investment migration operators; 
   • non-financial mixed activity holding companies; and •football agents and (in respect of certain transactions) professional football clubs. 

The above list expands the scope of the existing regime to include the following types of entity: 

1. all types of cryptoasset service provider (“CASP”) (only some CASPs are subject to the existing regime); 
2. crowdfunding service providers and crowdfunding intermediaries; and 
3. creditors (that is, mortgage lenders and consumer credit providers) and credit intermediaries that are not already caught by the new regime. 

In addition, CASPs, creditors and credit intermediaries will come within the definition of “financial institution”, which means that they will be subject to those aspects of the new regime that apply specifically to financial institutions. 

Member states will also be able to exempt certain persons who engage in financial activity on an occasional or very limited basis where there is little risk of money laundering or terrorist financing – provided that certain criteria are met. Any exemption that a member state wishes to grant will be subject to approval by the European Commission.

Where will the new regime apply? 

The AML Regulation will apply to obliged entities who are established in the EU. In respect of financial institutions, the AML Regulation will also apply to any EU branch of an entity that is established in the EU. 

Application outside the EU

In respect of groups whose head office is located in the EU, the group-wide requirements of the AML Regulations will also apply to the branches and subsidiaries of the group in countries outside the EU. 

Broadly speaking, however, the new regime does not apply extra-territorially, and will not apply directly to non-EU parent companies of obliged entities. 

The Single Rulebook is intended to be a single source of AML/CTF regulation that will be applied uniformly in all member states across the EU. This will be achieved primarily through the new AML Regulation, which will be supplemented by other secondary legislation and AMLA guidelines that will apply across the whole of the EU. 

The Single Rulebook does not mean that there will be no national AML legislation. There will still be some national rules to implement MLD6 and there could also be additional rules at the national level, but firms will need to know whether, or to what extent, national law or harmonised EU law is relevant.

What are the main changes under the Single Rulebook? 

The main features of the AML Regulation will be as follows:

 1.Internal policies, procedures and controls 

The AML Regulation specifies what internal policies, procedures and controls obliged entities will have to have in place. The AML Regulation contains provisions relating to: 

1. the scope of the internal policies, procedures and controls that obliged entities must have; 
2. the need for obliged entities to carry out business-wide risk assessments relating to AML and CTF, including when launching new products, services or business practices (including the use of new delivery channels and new or existing technologies) or before starting to provide an existing service or product to anew new customer segment or in a new geographical area; 
3. the compliance functions of obliged entities (and includes a requirement that one member of an obliged entity’s management body must be made responsible for ensuring compliance with the new regime); 
4. the need for obliged entities to make their staff aware of the requirements of the new regime, including through ongoing training programmes; 
5. the need for obliged entities to make assessments of the skills, expertise and integrity of their employees (and of those in comparable positions, including agents and distributors); and 
6. group-wide arrangements – including the need for policies, procedures and controls to be established on a group-wide basis and for group-wide risk assessments to be undertaken 

These provisions will be supplemented by detailed technical standards and guidelines – leading to a more harmonised approach across the EU. On 6 March the EBA, which is assisting AMLA to build capability before it fully assumes responsibility, issued a 91 page Consultation Paper containing proposals for four draft Regulatory Technical Standards including in relation to business wide risk assessments and internal policies and controls. These new harmonised requirements could therefore entail significant changes in policies and procedures across a group. 

2. Outsourcing 

Obliged entities will be permitted to outsource tasks resulting from the AML Regulation to service providers, but: 

1. there will be certain tasks that cannot be outsourced under any circumstances (including the task of deciding whether to do business with a customer); 
2. obliged entities will have to assure themselves that the service provider is sufficiently qualified to carry out those tasks and ensure that the service provider follows the policies and procedures of the obliged entity; 
3. obliged entities will only be permitted to outsource to service providers outside the EU if certain conditions are met; and 
4. the obliged entity must notify its supervisor of the outsourcing before the services start to be provided. 

The new requirements could have a particular impact on cross-border outsourcings. 

3. Customer due diligence (“CDD”) and beneficial ownership 

The AML Regulation contains detailed provisions regarding: 

1. the arrangements for identifying customers and verifying their identity; 
2. the conditions on which obliged entities can rely on CDD performed by another bliged entity; and 
3. the identification of beneficial owners. There will be a new overseas entities register for corporates and trusts, as well as enhanced requirements for EU entities. 

There will also be enhanced due diligence requirements for customers with personal wealth above €50m (excluding their main residence). 

In each case, these provisions will be supplemented by technical standards and/or AMLA guidelines. The EBA has issued a Consultation Paper ( EBA CP/2025/04) setting out draft technical standards relating to customer due diligence; these requirements are very granular eg in relation to names place of address and nationality. One of the aims of the new regime will be to produce a uniformly high standard of CDD across the EU, and in some EU member states this could mean significant changes from the current CDD standards. 

4. Third country policy 

The new regime will contain a more consistent approach to the question of third countries that pose a money laundering or terrorist threat. 

5. Suspicious activity reporting

The AMLA will introduce a common template for obliged entities to use when reporting on suspicious transactions or activities. 

6. Information sharing 

The AML Regulation will allow obliged entities to share information with each other in the framework of a “partnership for information sharing”. This will only be allowed where it is strictly necessary for the purposes of CDD or the reporting of suspicious transactions or activities, and will be subject to a number of procedural safeguards. 

Interconnected registers 

Under the existing regime, member states are required to put in place centralised automated mechanisms to enable the timely identification of natural or legal persons holding or controlling bank or payment accounts and safe-deposit boxes. 

Under the new regime, the same mechanisms will apply to securities accounts and cryptoasset accounts. In addition, all of the registers will be connected centrally using the Bank Account Registers Interconnection System (“BARIS”), which will be established and operated by the European Commission.