EU AML Package – a new adventure begins

With the AML Package the European Legislator has in particular intended to:

• improve the ability of the financial system to detect suspicious transactions and activities, closing gaps exploited by criminals to launder illicit proceeds or finance terrorist activities,
• adapt the current regulatory framework of the Union to new and emerging challenges related to technological innovation, the increased integration of financial flows in the single market and the global nature of terrorist organizations.

What legal acts are included in the AML Package?

The AML Package includes:

• Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849 (“AMLD 6”),
• Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AMLR”),
• Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (“AMLA-R”).

The AML Package initially also included a fourth legal act – the Funds Transfer Regulation (FTR - Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets). This regulation, a recast of the Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds, had been published in the OJ already in June 2023 (together with the Crypto-asset Regulation MiCAR) and will start to apply as of 30 December 2024.

When will the AML Package start to apply?

The AMLD 6 came into force twenty days following its publication in the OJ. EU Member States must transpose the AMLD 6 in their national legislation by 10 July 2027, at which point the current AMLD4, as amended by the AMLD5, will be repealed. As opposed to that, an amendment in relation to the accessibility of central registers of beneficial ownership of corporates and trusts (UBO registers - Article 74 AMLD 6), must be transposed by 10 July 2025; Article 11-13 and 15 AMLD 6, also addressing beneficial owner registers, are to be transposed by 10 July 2026; and provisions on the single access point to real estate information (Article 18 AMLD 6) must be transposed by 10 July 2029.

The AMLR came into force also twenty days following its publication in the OJ. AMLR will start to apply three years after coming into force, i.e. 10 July 2027, except for the provisions which bring football agents and professional football clubs (in relation to certain types of transactions) into the scope of obliged entities, which will start to apply from 10 July 2029.

The AMLA-R came into force seven days following its publication in the OJ and will start to apply as of 1 July 2025 with exception to certain articles that will start to apply already from 26 June 2024 and Article 103 that shall apply from 31 December 2025.

The AML Package overview

1. The AMLD 6

Up until now AML directives have been the main instrument to combat money laundering and terrorism financing, both when it comes to private sector and institutional AML/CTF framework. Each Member State implemented national legal acts transposing AML directives, which will now partially change due to the implementation of the AMLR that instead will encompass the rules applying to private sector. The AMLD 6 will repeal and replace the AMLD 4 and AMLD 5 and instead address the institutional AML/CTF framework at the national and, in some cases, supra-national levels, and will need to be transposed into national legal acts.

Below we have summarized the key changes to be brought by the AMLD 6.

National and supra-national ML/TF risk assessments

At EU level, the AMLD 6 extends the scope of the ML/TF risk assessments to be carried out by the European Commission to also cover the risks that result from non-implementation and evasion of targeted financial sanctions. Following the assessment, the Commission shall draw up a report every fourth year.

In addition, the newly established AML Authority (“AMLA”) shall draw up an opinion addressed to the Commission on ML/TF risks every two years.

At a national level, each Member State will have to carry out a national risk assessment of the ML/TF risks as well as the risks of non-implementation and evasion of targeted financial sanctions affecting it, every four years. The results of the reports shall be made available to the AMLA.

Registers for beneficial ownership, bank accounts and real estate

Central beneficial ownership registers

The AMLD 6 lays down provisions concerning central beneficial ownership information registers that shall be held by each Member State. The AMLD 6 introduces requirements for accuracy and transparency of such registers as well as immediate, unfiltered, direct and free access to information for FIUs, other competent authorities and self-regulatory bodies. Additionally, the AMLD 6 sets out requirements for access to such central registers by obliged entities when carrying out customer due diligence. Member States can choose to make access by obliged entities subject to the payment of a fee on condition that the fees should be strictly limited to what is necessary to cover the costs of ensuring the quality of the information held in those registers and of making the information available and should not undermine the effective access to beneficial ownership information.

Managers of such central register shall be ensured new powers for verification, i.e. powers to carry out checks including on-site inspections to identify the rightful beneficial owners and/or to verify that the information submitted to such central register is accurate.

Specific rules on access to the registers for persons with legitimate interest are set out in AMLD 6 also providing a list of persons who shall be deemed to have such legitimate interest. AMLD 6 specifies what information is covered by the access right. In this context, the AMLD 6 also provides an extensive procedure for the verification and mutual recognition of legitimate interests.

Bank account information registers

The AMLD 6 sets out requirements to establish central registers or central electronic data retrieval systems, allowing the identification of natural or legal persons holding or controlling payment accounts, bank accounts identified by IBAN, including virtual IBANs, securities accounts, crypto-asset accounts and safe-deposit boxes held by a credit institution or financial institution within their territory. Extensive rules are laid down on what information shall be included and retention period for such information. Member States shall ensure that the information is accessible to FIUs in an immediate and unfiltered manner and to AMLA for the purposes of joint analyses supervisory authorities to fulfil their obligations under the AMLD 6.

Single Access Point to Real Estate Information

Member States are required to ensure that competent authorities have immediate and direct access, free of charge, to information that allows identification of real estate property and beneficial owners of that property including information necessary for the identification and analysis of transactions involving real estate. Such access must be provided via a single access point established in each Member State, enabling competent authorities to access information in digital format through electronic means, which should be machine-readable where possible.

Enhanced powers of and cooperation between FIUs

AMLD 6 continues developing rules on FIUs by requiring Member States to establish independent FIUs granting them power of regular access to the financial, administrative and law enforcement information they require to undertake their functions properly, even without a suspicious activities’ or transactions’ reports having been filed. The Member States will have to ensure that FIUs have secure communication channels with authorities and obliged entities, have sufficient resources etc. The AMLD 6 also empowers FIUs to apply monitoring measures on obliged entities. FIUs will now be able to instruct obliged entities to monitor, for a given period of time, transactions or activities that are being carried out through bank, payment or crypto-asset accounts.

Member States shall ensure that Fundamental Rights Officers is appointed in FIUs with the tasks to promote and monitor FIU’s compliance with fundamental rights.

AML supervision

Earlier AML directives required Member States to implement adequate and effective supervision of obliged entities. The AMLD 6 extends the supervisory framework by adding additional requirements. For example, the AMLA is empowered to develop regulatory technical standards setting out the benchmark and methodology for assessing and classifying the inherent and residual risk profile of obliged entities. The list of supervisory tasks is extended, e.g. establishing supervisory colleges in both financial and non-financial sectors in order to allow for an exchange of information, provision of mutual assistance or coordination of the supervisory approach to the relevant group or institution.

Furthermore, the AMLD 6 introduces new provisions on supervision of certain intermediaries (Electronic Money Issuers, Payment Service Providers and Crypto-Asset Service Providers) operating under the freedom to provide services, through agent, distributors or other type of infrastructure. The requirements contain extensive information sharing between host Member State and home Member State.

New provisions on supervision of credit institutions and financial institutions that are a part of a group are introduced meaning that supervisors of the home Member State and those of the host Member State shall cooperate with each other to the greatest extent possible, regardless of their respective nature or status.

Clarifications on administrative measures and pecuniary sanctions

The AMLD 6 builds on the previous AML framework regarding administrative measures and pecuniary sanctions. The AMLD 6 stipulates that the sanctions and measures are to apply to obliged entities for serious, repeated or systematic breaches of certain provisions of AMLR, whether committed intentionally or negligently, and also sets out provisions regarding the circumstances that must be taken into account to determine the type and level of the pecuniary sanction or administrative measure. Where obliged entities fail to comply with administrative measures applied by the supervisors within the applicable deadlines, supervisors are able to impose periodic penalty payments in order to compel compliance with those administrative measures.

2. The AMLR

The main objective of the AMLR is to reduce discrepancies in national implementations of the earlier AML directives as it will be directly applicable in Member States. At a first glance, the AMLR contains a number of provisions that are in line with what Member States should have already implemented following the AMLD 4 and 5. However, the AMLR introduces several new provisions that will require attention of obliged entities. In this section we provide the most relevant highlights.

Extended scope of obliged entities

Compared to obliged entities included in AMLD 4 and 5 (irrespective of whether some Member States already subject them to AML requirements), the AMLR extends the scope of obliged entities to further include:

• persons trading, as their regular or principal professional activity, in precious metals and stones,
• persons trading with other high-value goods,
• certain professional football clubs and football agents,
• investment migration operators defined as offering services to third-country nationals which seek to obtain residence rights in a Member State in exchange for any kind of investment, and
• non-financial mixed holding companies.

Crowdfunding service providers (subject to ECSPR) and intermediaries (not subject to ECSPR) as well as Crypto-Asset Service Providers (“CASPs”) are also included in the list of obliged entities in AMLD 6 (even though these are in some cases already are subject to AML/CTF national regulations ). For further background on Crowdfunding service providers and AML, please see here and here.

Extended Customer Due Diligence requirements

Customer Due Diligence

Stricter requirement to conduct Customer Due Diligence (“CDD”) measures when carrying out occasional transactions are introduced. Obliged entities will have to carry out CDD measures already at 10 000 EUR (or an equivalent in national currency) threshold, while AMLD4 set the threshold at EUR 15 000. Due to the increased ML/TF risks, the corresponding threshold for CASPs where CASPs shall undertake full CDD measures is even lower and amounts to at least 1 000 EUR (or an equivalent in national currency). CASPs will also be required to at least identify the customer and verify the customer’s identity for occasional transactions below 1 000 EUR.

Obliged entities will be required to verify whether the customer or the beneficial owner(s) are subject to targeted financial sanctions (“TFS”). For customers that are legal persons the obliged entities shall verify whether any natural or legal person subject to TFS controls more than 50% of proprietary rights of the entity or a majority interest in it. If such circumstances have been verified, the obliged entities will have certain documentation requirements imposed on them.

Furthermore, the AMLR clarifies with respect to some obliged entity types whom such obliged entities shall consider as customers, for the purposes of conducting CDD measures. For example, long-awaited and welcome clarification regarding who is to be considered a customer of Payment Initiation Service Providers.

Additional enhanced CDD requirements for specific situations and types of customers, e.g. high wealth individuals, have been set out in the AMLR. In this regard the AMLR has introduced new enhanced CDD requirements that credit institutions, financial institutions and trust or company service providers shall apply in the case of handling of assets with a value of at least EUR 5 000 000 through personalised services for a customer holding total assets with a value of at least EUR 50 000 000, whether in financial, investable or real estate assets (or a combination thereof), excluding that customer’s private residence.

Beneficial owner transparency

While the general threshold to be considered as beneficial owner remains the same, 25 % of voting rights or other interest rights, respective Member State may introduce other thresholds for legal entities associated with higher ML/TF risks as per national risk assessments.

Further extensive details on what constitutes beneficial owner for different kinds of legal entities are set out in the AMLR.

A new requirement concerning legal entities domiciling outside the EU is introduced meaning that the legal entities shall submit beneficial ownership information to the central register of the Member State where they (1) enter into business relationships with an obliged entity (under certain conditions set out in the AMLR), (2) directly or indirectly through intermediaries acquire real estate in the EU, (3) directly or indirectly through intermediaries for non-commercial purposes acquire motor vehicles for at least EUR 250 000, watercraft for a price of at least EUR 7 500 000, aircraft for at least EUR 7 500 000, and (iv) are awarded a public contract for goods or services, or concessions by a contracting authority in the EU.

Ongoing monitoring

The AMLR builds on earlier requirement to conduct ongoing monitoring of the business relationships including transactions undertaken by the customer under the course of that business relationship. A new requirement to update customer information is introduced where a five-year period applies to all customers and one year to higher risk customers, in addition to the updates that are to be done at change of circumstances of customer or other specified occasions. The extent of that shall be, as before, defined on the individual risk assessment of each specific business relation.

Internal governance

Internal policies and procedures

The AMLR specifies in greater detail the list of internal policies and procedures to be adopted by obliged entities in order to identify, assess and mitigate the ML/TF risks in their operations.

Outsourcing

Under AMLR obliged entities may continue to outsource certain tasks to third parties. The AMLR provides for a more detailed list for organizing such outsourcing including the list of such tasks that obliged entities are not allowed to outsource, e.g. decisions to assign a customer risk profile, decisions to enter a business relationship or carry out an occasional transaction, reporting to FIUs, except for when such activities are outsourced to another obliged entity in the same group established in the same Member State.

Regulatory Technical Standards supplementing AMLR

AMLA will adopt more detailed rules supplementing AMLR by issuing regulatory technical standards. The rules shall be adopted along 2026-2027.

3. The AMLA-R

One of the most significant changes introduced through the AML Package is the creation of the AMLA, which will establish a unified supervisory approach. Bird & Bird has published an article on the AMLA and its powers, which was prior to AMLA-R’s adoption.

The AMLA’s key tasks will be as follows.

1. Direct Supervision: AMLA will directly supervise a limited number of so called selected financial sector obliged entities (credit institutions, financial institutions, or a group of credit or financial institutions at the highest level of consolidation in the EU), that are exposed to the highest risk of money laundering and terrorism financing. This includes ensuring compliance with AML/CFT requirements and imposing administrative measures and pecuniary sanctions for non-compliance.
2. Coordination and Oversight: AMLA will oversee and coordinate the activities of national AML/CFT supervisors and FIUs, ensuring a harmonized approach across the EU. This includes conducting periodic reviews and facilitating joint analyses of cross-border suspicious transactions.
3. Oversight of non-financial sector: AMLA will have the power to conduct peer reviews of supervisory standards and practices, request to investigate possible breaches and to consider imposing sanctions or remedial actions in respect of such breaches, carry out periodic reviews and provide assistance to supervisors.
4. Support and Coordination Mechanism for FIUs: AMLA will support and coordinate the activities of FIUs, including the conduct of joint analyses and the development of IT and artificial intelligence tools for data analysis and secure information sharing.
5. General powers: AMLA will establish a central AML/CFT database to collect and analyze information from supervisory authorities and FIUs, develop regulatory and implementing technical standards, issue guidelines, recommendations, and opinions.

The AMLA has its seat in Frankfurt am Main, Germany.

The AMLA will assume most of its tasks and powers by July 1, 2025, with direct supervision of selected obliged entities commencing in 2028.

Conclusions

The new AML Package represents a significant step forward in the EU's efforts to combat money laundering and terrorist financing. It introduces stricter measures, enhances transparency, and ensures better coordination and cooperation across Member States. Member States are already in full swing with evaluation of how the national legislative acts need to be amended following the adoption of the AML Package. In the meanwhile, since the AML Package legal acts texts are final, it is possible and advisable to start working on identifying the gaps in your own operations and planning for actions already upcoming fall.