EU AMLA and AMLD6: What the 2026 Anti-Money Laundering Reset Actually Means
The EU's 2024 AML package created a new supervisor (AMLA), a single AML rulebook, and a beneficial ownership regime that starts biting in mid-2026. Here's what changes.
The EU has tried to fix its fragmented anti-money laundering regime four times in the last 15 years. The 2024 AML package — three legal instruments adopted together — is the fifth attempt, and it's the most serious so far. AMLA (the new Anti-Money Laundering Authority) opened its doors on 1 July 2025. The substantive obligations start landing through 2026 and 2027. By 2028, AMLA will directly supervise the 40 largest, riskiest financial institutions across the EU.
If you're a bank, a fintech, a crypto exchange, a payment institution, an obliged non-financial business (lawyer, notary, accountant, real estate agent, art dealer over the thresholds), or even a holding company sitting on a corporate structure that touches the EU — this affects you. The honest summary: you don't have to do everything by mid-2026, but you have to be moving.
Here's what actually changes and what you need on the punch list this year.
The Three Pieces of the Package
The 2024 reform isn't one law — it's three, designed to work together.
Regulation (EU) 2024/1624 (AMLR) — the new "single AML rulebook." Replaces the patchwork of national transpositions of the old AMLDs with directly applicable EU rules. Defines obliged entities, customer due diligence, ultimate beneficial ownership (UBO) thresholds, and suspicious transaction reporting. It applies from 10 July 2027.
Directive (EU) 2024/1640 (AMLD6) — the "machinery" piece. Sets up Financial Intelligence Unit (FIU) powers, AML supervision at national level, and — crucially — the new rules for beneficial ownership registers. Some parts must be transposed by 10 July 2027. The beneficial ownership register articles (Articles 11–13, 15) must be transposed by 10 July 2026.
Regulation (EU) 2024/1620 (AMLAR) — the AMLA Regulation. Creates AMLA, defines its powers, and gives it a phased ramp-up: data collection starting 2026, direct supervision of the highest-risk firms from 2028.
That sequencing matters. The substance (rulebook) and the supervisor (AMLA) come online together in 2027–2028. The data and transparency infrastructure (beneficial ownership) comes earlier, in 2026. The 2026 work is mostly about getting your house in order so you survive the substantive transition.
What AMLA Is and How Much Power It Has
AMLA is headquartered in Frankfurt and reports to a Board of Supervisors comprising national AML authorities plus the European Banking Authority and ECB observers. It has three main functions.
Direct supervision. From 1 January 2028, AMLA directly supervises ~40 selected obliged entities — large cross-border banks, payment institutions, crypto-asset service providers (CASPs), and similar — that meet the EU-level risk and scale criteria. For these firms, AMLA is the home supervisor: it runs supervisory examinations, can require remediation, and can impose administrative penalties up to 10% of annual turnover.
Indirect supervision and convergence. AMLA sets supervisory standards, runs peer reviews of national supervisors, and intervenes when a national authority is failing. Even if you're not directly supervised, AMLA's standards flow down through your national regulator.
FIU support and coordination. AMLA runs a central mechanism for FIU cooperation. Suspicious transaction reports remain at national FIUs, but cross-border information flow and joint analysis run through AMLA.
By 10 July 2026, AMLA is expected to issue a long list of regulatory technical standards, guidelines on risk factors, and supervisory expectations. These will shape what "good AML" looks like in practice for the next decade. If your compliance team isn't tracking AMLA consultations, they will be reading about decisions that already happened.
The 6AMLD Beneficial Ownership Rules: The 2026 Bite
This is the part of the package that hits in 2026, regardless of where you are on the AMLR transition.
Member States must transpose Articles 11–13 and 15 of AMLD6 by 10 July 2026. By 10 October 2026, they must notify the Commission which categories of authorities and obliged entities can access central beneficial ownership registers. By 10 November 2026, register entities must respond to access requests within 12 working days.
What changes in practice:
- Universal access for "legitimate interest" — journalists, civil society organisations, and academia investigating AML topics get a presumption of legitimate interest. They no longer need case-by-case approval. After the CJEU's 2022 ruling closed off public access to UBO registers, this rebuilds a transparency layer through a managed access regime.
- Tighter UBO data quality — Member States must verify identity data, flag discrepancies between filings and downstream KYC checks, and resolve them.
- Interconnection — national UBO registers must be properly interconnected through BORIS, so a UK bank doing KYC on a German holding company with Maltese subsidiaries can get a consolidated picture.
For obliged entities, the practical effect is: your KYC processes can rely on UBO register data more confidently, but you also have to file discrepancies when what you find conflicts with the register. That last piece often catches firms off guard. It's not just a "we'll consult the register" change — it's a "we have to report what's wrong" change.
How This Sits Next to MiCA, DORA, and the Rest
The AML package doesn't replace existing EU financial regulation — it slots in alongside it. The interactions worth understanding:
- MiCA brings crypto-asset service providers into the regulated perimeter from 2024. The AML package then classifies CASPs as obliged entities under AMLR, brings them under AMLA's potential direct supervision (the largest ones), and gives them detailed CDD obligations.
- FATF Travel Rule information-sharing requirements for VASP transfers are already binding via the EU's Transfer of Funds Regulation (Regulation (EU) 2023/1113). AMLR layers on additional CDD requirements above and beyond that.
- DORA governs ICT operational resilience for financial entities. AML controls increasingly depend on ICT systems (transaction monitoring, screening, KYC platforms), so DORA's third-party risk and incident reporting requirements interlock with AML systems.
- NIS2 doesn't directly apply to most financial entities (DORA takes precedence), but it does apply to many of their ICT suppliers — so the providers you use for AML tooling are likely caught.
- National AML laws — these will be largely replaced by AMLR for in-scope topics from July 2027. Until then, your national framework is what enforcement runs on. Don't assume the existing law is obsolete.
For more on how DORA and NIS2 interlock for SaaS providers serving regulated financial customers, see our NIS2 vs DORA comparison.
The Big Operational Changes
A few obligations under AMLR are bigger lifts than firms realize.
€10,000 cash payment cap. AMLR introduces a binding EU-wide limit of €10,000 on cash payments to professional dealers (jewellers, art dealers, luxury goods, real estate, etc.). Member States can set lower limits. Combined with UBO transparency, this is the EU's structural push to remove anonymity from large transactions.
Wider definition of obliged entities. AMLR extends obliged entity status to all CASPs, crowdfunding intermediaries, persons trading luxury goods above thresholds (precious metals, gemstones, watches), professional football clubs and agents (with phase-in), and high-value goods dealers across more categories.
Group-wide AML programs. Banks and other groups must run consistent AML programs across all EU subsidiaries — including data sharing where lawful, common policies, and group-wide screening. This is harmonisation in the operational sense, not just legal.
Direct AMLA penalties. For directly supervised entities, AMLA can impose administrative penalties up to 10% of total annual turnover or twice the profits gained, whichever is higher. For natural persons, up to €5M. National supervisors retain similar powers under AMLD6 transposition for everyone else.
Whistleblower protections and protected reporting. These are required for all obliged entities. If you haven't formalised internal reporting channels for AML concerns, that's a 2026 to-do.
What "Good Enough" Looks Like for 2026
If you're a financial entity or fintech, the practical 2026 checklist:
- Map your AMLR scope. Confirm whether you're an obliged entity, what categories apply, and whether you might fall into the population AMLA could directly supervise. Most large cross-border banks, the largest CASPs, and several payment institutions will.
- Refresh your UBO process. By mid-2026, you need a documented process for: pulling beneficial ownership data from EU registers, comparing it to your own KYC findings, and filing discrepancies when they diverge. This is new work for many firms.
- Strengthen your transaction monitoring and screening tooling. AMLA will set technical standards on monitoring expectations. Your existing tooling may need recalibration — particularly the EU-wide sanctions and PEP coverage.
- Tighten your group AML program. If you operate across multiple Member States, you need consistent policies, common training, group-wide screening, and data-sharing arrangements that survive both GDPR and AMLR scrutiny.
- Engage with AMLA consultations. Through 2026, AMLA will consult on guidelines and RTS. Don't ignore these — they shape what your supervisor will expect in 2027.
- Inventory your third parties. Your AML systems depend on vendors (screening data, transaction monitoring, KYC orchestration, identity verification). Under DORA, these are critical ICT third-party arrangements. Make sure they're documented properly.
- Plan for higher fines and personal liability. AMLR and AMLD6 give supervisors stronger tools. Boards and senior management need refresher training on AML — not just the team in the basement.
The Bigger Picture
For 15 years, the EU has been fighting AML failure by issuing another directive every few years, each transposed differently in each Member State, with weak supervision and weaker cross-border enforcement. The 2024 package is the EU finally admitting that directives aren't enough — you need a single rulebook, a single supervisor, and a working transparency infrastructure underneath.
It's also part of a wider pattern: the EU is rebuilding financial regulation around centralized supervisors for the categories where national variation has been a vulnerability. DORA centralizes operational resilience oversight for critical ICT providers. The AML package centralizes supervision for the largest cross-border firms. The CRA (cyber) and the ESG ratings regime do the same in their domains.
The firms that come out of this transition well are the ones treating AML as a core operating discipline, not a periodic audit response. The ones that treat it as a checkbox exercise are going to discover their fines have a comma in them.
References
- Regulation (EU) 2024/1620 (AMLAR) — Official Journal of the EU
- Regulation (EU) 2024/1624 (AMLR) — Official Journal of the EU
- Directive (EU) 2024/1640 (AMLD6) — Official Journal of the EU
- European Anti-Money Laundering Authority (AMLA) — Official AMLA website
- The New EU AML Package — DLA Piper — Practitioner overview