6AMLD: What It Requires and Who It Applies To

What is 6AMLD?

The Sixth Anti-Money Laundering Directive (Directive 2018/1673) is the EU's primary criminal law instrument for harmonizing money laundering offences across all 27 member states. The European Commission published it in the Official Journal on 12 November 2018, with transposition required by 3 December 2020. It's not a compliance directive. It's a criminal law directive. That distinction matters.

Earlier directives (4AMLD, 5AMLD) focused on the compliance layer: KYC programs, beneficial ownership registers, PEP screening. They told regulated firms what controls to run. 6AMLD tells member states what conduct to criminalize, how severe the minimum penalties must be, and who can face prosecution. The compliance layer and the criminal law layer now run in parallel across every EU jurisdiction.

The directive's core purpose was closing three gaps. First, the predicate offence list was inconsistent: some member states included cybercrime, some didn't; some treated tax crimes as predicates, others excluded them. 6AMLD standardizes the list at 22 categories. Second, criminal penalties varied too widely, creating a patchwork of criminal risk inside the internal market. The directive sets floors. Third, corporate liability for money laundering was poorly defined in many jurisdictions. 6AMLD codifies it.

The directive draws directly on the FATF Recommendations, the international standard for predicate offence lists and criminalization requirements. The 22 EU categories map closely to the FATF list, with tax crimes across EU jurisdictions as a notable addition. The official text is at EUR-Lex, Directive 2018/1673.

Who does 6AMLD apply to?

6AMLD is a directive addressed to member states, but its obligations flow directly to every regulated entity operating inside the EU. Any firm subject to the EU AML regime faces the criminal law exposure that national implementing legislation creates.

Covered entity types:

• Banks and credit institutions. Universal banks, savings banks, credit cooperatives. No size threshold: a local cooperative faces the same criminal exposure as a global tier-one.
• Electronic money institutions (EMIs). Fintechs issuing e-money or operating payment accounts, including neobanks and B2B payments platforms.
• Virtual asset service providers (VASPs). Crypto exchanges, custodians, and wallet providers. In the EU, VASPs now operate under both 6AMLD's criminal framework and the crypto-specific rules introduced by MiCA and the EU Transfer of Funds Regulation.
• Designated non-financial businesses and professions (DNFBPs). Accountants, lawyers, notaries, real estate agents, and trust and company service providers (TCSPs).
• Life insurance companies and investment-related insurers.
• Investment firms and fund managers. MiFID-regulated entities, UCITS managers, and AIFMs.
• Senior management and employees. Individuals within covered firms carry personal criminal exposure for aiding, abetting, or inciting money laundering.

Non-EU firms with branches or subsidiaries in EU member states must comply with national implementing law. A US bank operating in Frankfurt faces German 6AMLD-transposed law. A Singapore EMI operating in Amsterdam faces Dutch law. Geographic presence is the trigger, not jurisdiction of incorporation. There's no de minimis threshold by asset size.

What does 6AMLD require?

6AMLD operates at two levels: what member states must embed in national criminal codes, and what those codes then require from firms and individuals.

1. Criminalize 22 predicate offences. All member states must treat money laundering as a criminal offence when the upstream criminal activity falls into one of 22 categories listed in Article 2. These include terrorism, human trafficking, sexual exploitation, drug trafficking, arms trafficking, corruption, fraud, cybercrime, environmental crime, tax crimes with a cross-border element, participation in criminal organisations, piracy, insider trading, forgery, counterfeiting, kidnapping, robbery, and several others. Cybercrime and environmental crime are additions not explicitly mandated under 5AMLD.

2. Set minimum prison terms. Standard money laundering carries a maximum sentence of at least one year. Aggravated money laundering (committed within a criminal organisation, committed repeatedly, or involving substantial sums) carries a minimum of four years. Member states can set higher maxima.

3. Hold legal persons criminally liable. Article 7 requires member states to ensure companies face liability where a money laundering offence was committed by a person with decision-making authority, acting for the company's benefit, or enabled by inadequate supervision. This is direct corporate criminal exposure, not vicarious liability.

4. Criminalize ancillary conduct. Inciting, aiding, abetting, and attempting to launder money are all separately criminal. This catches relationship managers who identify suspicious patterns and do nothing.

5. Enforce customer due diligence and record retention. KYC records must be retained for five years from the end of a business relationship or the date of the transaction. This follows the 4AMLD/5AMLD standard and now carries criminal weight under 6AMLD.

6. Criminalize self-laundering. The person who committed the predicate offence can be separately prosecuted for laundering their own proceeds. Prior law left this ambiguous in several member states.

7. Require suspicious activity reporting. Regulated firms must file suspicious transaction reports (STRs) with national Financial Intelligence Units. 6AMLD establishes the criminal framework within which those reports operate and against which decisions are judged.

What evidence do regulators expect?

National AML supervisors conducting examinations want to see that your firm has translated 6AMLD's criminal law requirements into working operational controls. On an audit day, examiners typically look for:

• Updated AML/CFT policy. A policy that explicitly references the 22 predicate offences and the firm's applicable national implementing legislation. Policies last reviewed before December 2020 without a documented update are an immediate red flag.
• Current business-wide risk assessment. A BWRA covering cybercrime-adjacent customer sectors and environmental crime industries. Most firms updated their risk models for 5AMLD but didn't rerun them for 6AMLD's expanded list.
• Staff training records. Completion logs with dates, pass rates, and topic coverage. Examiners want evidence that frontline staff understand that cybercrime proceeds are now explicitly predicate. Generic annual AML training without a 6AMLD-specific module is not sufficient.
• Transaction monitoring documentation. Alert parameter logs, tuning rationale, hit rates, and peer benchmarking data. Supervisors compare alert volumes against comparable institutions. A suspiciously low alert rate draws scrutiny.
• Enhanced due diligence (EDD) evidence. Customer files for PEPs, high-risk jurisdictions, and complex corporate structures must show documented enhanced scrutiny, not a checkbox.
• SAR/STR decision trails. Internal records showing who escalated an alert, when they made the decision, and why. A 90-day decision cycle on a flagged transaction is very hard to defend.
• Board and senior management minutes. Evidence that AML risk is reported upward and acted on. Personal liability under 6AMLD makes board-level engagement a supervisory expectation, not a best practice.
• Third-party CDD records. For firms relying on introduced business or third-party CDD, examiners expect contracts and periodic review documentation.

Common failure modes

Supervisory reviews across Germany, the Netherlands, and Ireland have consistently identified the same structural failures in 6AMLD environments:

• Outdated predicate offence taxonomies. Firms updated their AML programs for 5AMLD without revisiting them for 6AMLD. Cybercrime-related customers (crypto platforms, tech-enabled fraud networks) and environmental sector clients remained outside risk assessments. The European Commission's 2021 AML Package analysis identified this as a persistent gap across member states.

• Rules-based monitoring with stale thresholds. Static rule sets designed for traditional banking miss layering through digital platforms and intra-group structures. Post-event reviews of several EU bank collapses showed that unusual intra-company flows evaded monitoring because they didn't match existing rule patterns.

• Underestimated corporate liability. Management boards treated Article 7 as a legislative abstraction. It isn't. Dutch and German prosecutors have pursued board-level cases precisely because senior officers failed to demonstrate adequate oversight.

• Beneficial ownership verification gaps. Corporate customer ownership data was often based on self-certification without independent verification. FATF Recommendation 24 sets the baseline standard; 6AMLD's criminal framework makes the shortfall costly.

• Missing STR documentation. Firms filed reports but kept no internal audit trail covering decision timelines and rationale. Without that record, the defensibility of a filing collapses under examination.

• Weak DNFBP coverage. Law firms and real estate agents across multiple member states consistently under-reported. The 2021 Commission AML Package directly cited DNFBP compliance as a structural weak point, a finding that has driven the centralized supervisory approach in EU AMLR 2024.

Penalties for non-compliance

6AMLD sets the criminal law floor. Supervisory and civil penalties derive from national implementing laws and the broader EU AML directive framework.

Criminal penalties under 6AMLD:

• Standard money laundering: maximum of at least one year's imprisonment
• Aggravated money laundering (criminal organisation involvement, substantial sums, repeat offending): minimum four years, with member states free to set higher maxima
• Legal persons: fines, exclusion from public procurement and subsidies, disqualification from commercial activities, temporary or permanent closure, judicial supervision, winding up

Supervisory fines (under 4AMLD/5AMLD, now reinforced by EU AMLR 2024):

• Credit institutions: up to EUR 5 million or 10% of total annual turnover, whichever is higher
• Natural persons: up to EUR 5 million

Real enforcement actions:

ING settled with the Dutch Public Prosecution Service in September 2018 for EUR 775 million, the largest AML settlement in Dutch history, covering persistent CDD and STR failures across a decade. The case was a direct political driver behind 6AMLD's corporate liability provisions.

ABN AMRO paid EUR 480 million to Dutch authorities in April 2021 for AML failures spanning customer onboarding, transaction monitoring, and STR filing across multiple business lines. Source: Dutch Public Prosecution Service.

From 2025, the EU Anti-Money Laundering Authority (AMLA) begins direct supervisory work, with full enforcement powers over selected high-risk cross-border entities from 2026. That materially changes the enforcement landscape for institutions operating across multiple EU jurisdictions.

Related regulations and frameworks

6AMLD is the criminal law foundation of the EU's AML architecture. The compliance program obligations come from separate, parallel instruments.

FATF Recommendations. 6AMLD's 22 predicate offences derive directly from FATF Recommendation 3 on money laundering offences. Any jurisdiction using a FATF-compliant framework (the UK, US, Singapore, UAE, Australia) operates under a structurally similar predicate offence list. Divergences are mostly at the margins.

4AMLD and 5AMLD. These directives established the compliance program layer: Know Your Customer (KYC) obligations, EDD requirements, beneficial ownership registers, and PEP screening. 6AMLD adds the criminal backbone. Both regimes operate simultaneously.

EU AMLR 2024. The 2024 AML Regulation replaces the directive-based compliance layer with directly applicable EU law, tightening compliance obligations across the board. 6AMLD's criminal framework remains embedded in national law alongside it.

MiCA and the EU Transfer of Funds Regulation. VASPs in the EU now operate under both the crypto-specific MiCA compliance regime and 6AMLD's criminal law framework. This is the tightest regulatory combination digital asset firms have faced in any major jurisdiction.

UK Money Laundering Regulations 2017. Post-Brexit, the UK did not implement 6AMLD. UK criminal AML law runs through the Proceeds of Crime Act 2002, which uses a broad "all crimes" predicate offence approach rather than the EU's enumerated 22. UK firms with EU branches must comply with 6AMLD-transposed national law in each EU jurisdiction where they operate, regardless of UK-level requirements.

EU AMLA. The Anti-Money Laundering Authority, operational from 2025, creates a central EU supervisor with direct enforcement powers over selected high-risk cross-border institutions. It operates within the criminal law framework that 6AMLD established, adding a supranational enforcement tier above national supervisors.

How FluxForce supports 6AMLD compliance

FluxForce AI agents automate the customer due diligence and ultimate beneficial owner verification workflows that 6AMLD's expanded liability framework demands. Nova Sentinel monitors transactions against all 22 predicate offence typologies and produces auditable decision trails; it cuts average decision cycle times without weakening defensibility. Aiden Flux manages policy documentation and training records, so compliance teams have a complete evidence pack ready for examiners. Every decision carries a full audit log. Senior management can point to that log as documented evidence of the oversight that 6AMLD's legal person liability provisions require. See how it works on the regulatory compliance automation page.