EU AMLR: What It Requires and Who It Applies To

Applies to: banks, EMIs, VASPs
Jurisdictions: EU

Regulation (EU) 2024/1624, the EU Anti-Money Laundering Regulation (EU AMLR), is the European Union's first directly applicable AML rulebook. Published on 19 June 2024 and applying from 10 July 2027, it requires banks, electronic money institutions, and crypto-asset service providers across the EU to implement risk-based customer due diligence, verify beneficial owners, and report suspicious activity to financial intelligence units.

EU Anti-Money Laundering Regulation 2024 (EU AMLR)

What is EU AMLR?

Regulation (EU) 2024/1624, commonly called the EU Anti-Money Laundering Regulation, is the first AML instrument the European Union has issued as a directly applicable regulation rather than a directive. That distinction matters. Previous AML rules were directives: 6AMLD and its predecessors required member states to transpose them into national law, producing 27 different implementations with material gaps in quality and scope. EU AMLR changes that. It applies uniformly across all member states without transposition, creating a single rulebook for the entire bloc.

The regulation was published in the Official Journal of the European Union on 19 June 2024 and entered into force on 9 July 2024. Most substantive provisions apply from 10 July 2027, giving obliged entities three years to adapt their programs. Provisions supporting the new EU Anti-Money Laundering Authority (AMLA) take effect on an earlier rolling schedule, with AMLA beginning direct supervision of the highest-risk cross-border entities by 2028.

The regulation was introduced because the fragmented, directive-based system was consistently exploited. Moneyval mutual evaluation reports documented significant variance in CDD quality, beneficial ownership verification, and suspicious transaction reporting across member states. The European Banking Authority's AML supervisory peer reviews flagged systemic gaps in how national competent authorities oversaw obliged entities. FATF grey-listed Malta in 2021, a sharp signal that EU-level controls weren't working. EU AMLR is the legislative response: remove national discretion on core obligations, raise the floor for everyone.

It works alongside the recast AML Directive (AMLD6), which governs institutional structures: Financial Intelligence Unit cooperation, supervisory architecture, and access to beneficial ownership registries. EU AMLR is the substantive rulebook. AMLD6 handles governance. The two instruments together form the core of the 2024 EU AML package.

Who does EU AMLR apply to?

EU AMLR covers what the regulation calls "obliged entities," a category that goes well beyond traditional banking.

Financial sector:

  • Credit institutions: banks, building societies, credit unions
  • Payment institutions and electronic money institutions (EMIs), including neobanks and fintech payment providers
  • Crypto-asset service providers (CASPs): exchanges, custody providers, issuers. These were called VASPs under FATF guidance; EU AMLR uses CASP terminology consistent with MiCA
  • Life insurance companies and insurance intermediaries for investment-related products
  • Investment firms and collective investment undertakings
  • Currency exchange offices and money transfer operators
  • Crowdfunding service providers authorized under EU Regulation 2020/1503

Non-financial sector:

  • Auditors, accountants, and tax advisors
  • Notaries and independent legal professionals when involved in financial or real property transactions
  • Real estate agents, including letting agents for monthly rents above €10,000
  • Dealers in high-value goods for cash transactions above €10,000
  • Gambling service providers, including online gambling platforms
  • Trust and company service providers (TCSPs)

The jurisdictional scope covers all EU member states. Third-country branches or subsidiaries operating in the EU are also covered.

One significant expansion compared to previous directives: CASPs are now directly covered with no implementation ambiguity. Under 5AMLD, crypto coverage was partial and inconsistently applied. EU AMLR closes that gap entirely. CASPs must apply full Customer Due Diligence (CDD) procedures, including verification of Ultimate Beneficial Owners (UBOs).

There are no revenue or asset thresholds for financial institutions. If you're authorized as a bank, EMI, or payment institution in the EU, you're covered from day one.

What does EU AMLR require?

  1. Risk-based approach. Obliged entities must conduct an enterprise-wide ML/TF risk assessment and calibrate controls accordingly. The FATF risk-based approach (Rec 1) has been the global standard for years, but EU AMLR codifies specific methodology requirements, including documentation of the risk factors considered, the weighting applied, and board sign-off. This assessment must be kept current, not filed once and forgotten.

  2. Standard Customer Due Diligence. CDD applies to all new customers before a business relationship is established and to existing customers when risk triggers arise. It requires identity verification, verification of legal structure and purpose of the relationship, and identification of the UBO at a 25% ownership or control threshold. For occasional transactions above €15,000 (lower for certain sectors), CDD must be completed before execution.

  3. Enhanced Due Diligence. EDD applies to high-risk situations: Politically Exposed Persons (PEPs), customers from high-risk third countries on the EU's list, and correspondent banking relationships. EDD requires senior management approval before establishing or continuing high-risk relationships, more frequent and deeper ongoing monitoring, and documented rationale for each decision.

  4. Simplified Due Diligence. SDD is permitted for demonstrably low-risk customers and relationships where the regulation specifies the conditions. It's a calibrated reduction in the scope of measures, not a full exemption. Firms must still document why SDD applies.

  5. Ongoing monitoring. Transactions must be screened continuously for consistency with customer risk profiles. Patterns inconsistent with declared purpose, geography, or typical behavior must trigger review. The monitoring frequency must be proportional to risk: high-risk customers require more frequent review than low-risk ones.

  6. Suspicious activity reporting. Any knowledge, suspicion, or reasonable grounds for suspicion of ML or TF must result in a Suspicious Activity Report (SAR) filed with the relevant national Financial Intelligence Unit. Filing is mandatory. There's no monetary threshold.

  7. Record retention. All CDD documents, transaction records, and reports must be retained for five years from the end of the business relationship or the date of the occasional transaction. Competent authorities may extend this to seven years in specific circumstances.

  8. Cash transaction limits. The regulation caps cash payments for goods and services at €10,000 across the EU. Member states may set lower limits under national law.

  9. Travel Rule compliance for CASPs. Crypto-asset transfers must carry originator and beneficiary information, consistent with FATF Rec 16 and the EU Transfer of Funds Regulation (TFR).

  10. Internal controls. Obliged entities must maintain documented AML policies and procedures, appoint a dedicated compliance officer at management level for entities above specific thresholds, and run annual AML training with records of completion.

What evidence do regulators expect?

When examiners arrive, they're looking for proof that your program is real and working, not just that policies exist on paper.

Governance documentation:

  • Board-approved AML policy, reviewed within the last 12 months
  • Designated compliance officer appointment letter, CV, and evidence of sufficient seniority
  • Board or senior management meeting minutes showing AML risk was discussed (at least annually)
  • Signed enterprise-wide risk assessment with board approval date and last review date

CDD files:

  • Identity verification documents for each customer, including the verification method (documentary, electronic, or biometric)
  • UBO verification: corporate registry extracts, ownership structure charts, declarations signed by the customer
  • Evidence that EDD was applied for PEPs and high-risk third-country customers, with senior management sign-off documented per customer
  • CDD refresh records showing when existing customer files were last reviewed and what triggered the review

Transaction monitoring:

  • Alert logs showing each alert generated, the analyst who reviewed it, the decision reached, and the time taken
  • Threshold tuning records: what rule parameters were changed, when, and who approved the change
  • SAR filing register with dates and outcomes (not counterparty names, which are subject to tipping-off rules)

Training:

  • Completion records by employee and date, with topic detail
  • Role-specific training evidence for high-risk desks: private banking, correspondent banking, crypto operations

Independent audit:

  • AML audit reports from the last two years, with findings rated by severity
  • Management responses with remediation deadlines and evidence of closure

Regulators increasingly expect system-generated audit trails. Spreadsheets get scrutinized. Timestamped, user-attributed system logs are more defensible and harder to dispute.

Common failure modes

Most enforcement actions don't trace to sophisticated evasion. They trace to basic execution failures left unaddressed for years.

  • Static risk assessments. The enterprise-wide risk assessment is completed once, approved by the board, and never updated. EU AMLR requires it to reflect current business activities, customer mix, and product set. A 2022 assessment for a firm that added CASP services in 2024 is an exam finding waiting to happen.

  • UBO verification gaps. Firms accept customer declarations of beneficial ownership without cross-checking against corporate registries or commercial databases. Examiners routinely find mismatches between declared UBOs and actual ownership structures. The FinCEN CDD Rule in the US flagged this exact pattern repeatedly; EU supervisors are seeing the same thing.

  • PEP screening false negatives. Screening systems miss PEPs because of name variants, transliterations, or outdated screening lists. The European Banking Authority's 2022 peer review on AML/CFT supervisory convergence identified PEP screening failures as one of the most common weaknesses across EU competent authorities.

  • SAR filing delays. The suspicion exists but the SAR is filed weeks or months later because the escalation path is unclear or the reviewer doesn't want to act without certainty. EU AMLR doesn't mandate a specific filing deadline, but supervisors treat material delays as a control failure.

  • Correspondent banking gaps. Due diligence on respondent banks misses those institutions' own exposure to high-risk jurisdictions or their own CDD deficiencies. EU AMLR, consistent with FATF Rec 13, requires a full assessment of each respondent bank's AML controls.

  • Training records not available. Firms train staff but can't produce role-specific completion evidence for specific periods. This is an easy finding for an examiner to make and a hard one to explain away.

Penalties for non-compliance

EU AMLR is a regulation, but penalty levels are still set at member state level under AMLD6 and national implementing legislation. AMLA will have direct enforcement powers over the most significant cross-border entities from 2028, but until then, national competent authorities handle enforcement.

The penalty framework under AMLD6 and most national laws sets maximum administrative fines at:

  • At least twice the benefit gained from the breach, where that amount can be determined, or
  • For credit institutions and financial institutions: up to €5 million or 10% of total annual turnover, whichever is higher
  • For individuals: up to €5 million

These are statutory floors. Member states may and do set higher maxima.

Recent enforcement illustrates actual outcomes. In 2023, De Nederlandsche Bank (DNB) fined Binance for operating crypto services in the Netherlands without required registration under AML rules. The Dutch Authority for the Financial Markets and DNB have consistently used administrative fines as a first-response tool. In 2018, Dutch prosecutors reached a €775 million settlement with ING Bank for systematic AML failures spanning multiple years: failing to perform CDD, failing to monitor transactions, and failing to file SARs on time. It remains the largest AML enforcement action in EU banking history.

Beyond fines, regulators can impose license restrictions or revocation, require removal of senior management, mandate independent monitors, and publish findings publicly. Public naming is a significant deterrent for institutions that depend on correspondent banking relationships.

AMLA's enforcement handbook, expected ahead of its 2028 operational date, will set a higher baseline for what adequate controls mean at the EU level.

Related regulations and frameworks

EU AMLR sits within a larger body of interlocking rules.

The 2024 EU AML Package: EU AMLR is the substantive rulebook. AMLD6 (recast) handles institutional governance: FIU structures, supervisory coordination, and access to beneficial ownership registries. The AMLA Regulation (EU 2024/1620) establishes the authority itself, its powers, and its budget.

Crypto-specific overlay: MiCA governs crypto-asset market conduct and licensing. CASPs authorized under MiCA are automatically obliged entities under EU AMLR. The EU Transfer of Funds Regulation (TFR) governs information requirements for crypto transfers, consistent with FATF Rec 16 and FATF Virtual Assets Guidance. MiCA + EU AMLR + TFR together give CASPs a comprehensive compliance framework.

FATF Recommendations: EU AMLR is largely consistent with the FATF Recommendations, particularly Rec 10 (CDD), Rec 11 (Record Keeping), and Rec 20 (Suspicious Transactions). Where FATF sets a floor, EU AMLR goes further in several areas, particularly UBO verification and CASP coverage.

Adjacent EU regulations: DORA governs operational resilience for financial entities, including the systems that run AML monitoring. Failures in those systems could simultaneously breach DORA and EU AMLR. GDPR governs how CDD data is stored and accessed, creating tension with AML record retention requirements that compliance teams must actively manage.

UK alignment: Post-Brexit, UK MLR 2017 governs UK firms. The frameworks share FATF ancestry but diverge in specifics. EU subsidiaries of UK-headquartered groups must comply with EU AMLR separately from their UK parent's obligations. There's no equivalence shortcut.

How FluxForce supports EU AMLR compliance

FluxForce AI agents automate CDD workflows, run continuous transaction monitoring, and generate audit-ready evidence for every decision. Aiden Flux handles customer risk scoring and UBO verification chains. Nova Sentinel monitors transaction patterns against current risk profiles and flags anomalies for analyst review. Both agents produce documented reasoning that satisfies EU AMLR's record-keeping requirements without manual logging. For compliance teams preparing for the July 2027 deadline, FluxForce's regulatory compliance automation platform accelerates program build-out. Request a demo to see how it maps to your specific obligations.
