EU AMLR: What It Requires and Who It Applies To

Applies to: banks, EMIs, VASPs
Jurisdictions: EU

The EU Anti-Money Laundering Regulation (EU AMLR; Regulation (EU) 2024/1624) is a directly applicable EU law issued by the European Parliament and Council that requires banks, EMIs, payment institutions, VASPs, and specified non-financial businesses to apply uniform AML/CTF controls across all EU member states. It was published on June 19, 2024, and most obligations apply from July 10, 2027.

What is EU AMLR?

Regulation (EU) 2024/1624, known as the EU Anti-Money Laundering Regulation, is a directly applicable EU law issued by the European Parliament and Council. It was published in the Official Journal on June 19, 2024, entered into force on July 9, 2024, and most substantive obligations apply from July 10, 2027. The full text is available at EUR-Lex.

The regulation exists because directive-based AML law failed. The predecessor framework, built through 4AMLD, 5AMLD, and 6AMLD, required each member state to transpose EU AML rules into national law. That produced 27 different national versions. Germany's beneficial ownership reporting differed from Italy's. Ireland's suspicious transaction thresholds diverged from those in the Netherlands. Firms structured cross-border operations to exploit those gaps, and financial intelligence units lost information at every border crossing.

A regulation applies directly, without national transposition. Every bank in Amsterdam and every payment institution in Warsaw now operates under identical rules.

The 2024 package introduced four structural changes. First, it replaced directive-based national law with a directly binding rulebook. Second, it formally included virtual asset service providers and crypto-asset service providers under the AML framework, aligning their obligations with MiCA licensing requirements. Third, it tightened beneficial ownership disclosure obligations and removed ambiguity around ownership chain verification. Fourth, it created the legal basis for the new EU Anti-Money Laundering Authority (AMLA), which will directly supervise the highest-risk obliged entities from 2028.

The regulation's technical standards codify FATF recommendations at EU level, making FATF-level AML expectations directly enforceable across all 27 member states for the first time.

Who does EU AMLR apply to?

EU AMLR applies to "obliged entities," a defined category spanning financial businesses and certain non-financial sectors operating anywhere in the EU.

Financial sector obliged entities:

  • Credit institutions: All EU-licensed banks, savings banks, and credit unions.
  • Payment institutions: Firms providing payment initiation, account information, or money transfer services under PSD2 / PSD3.
  • Electronic money institutions (EMIs): Prepaid card issuers and digital wallet providers.
  • Crypto-asset service providers (CASPs): Exchanges, custody providers, and brokers authorized under MiCA, plus VASPs operating under transitional arrangements.
  • Investment firms and fund managers: Including UCITS management companies and alternative investment fund managers.
  • Insurance companies and intermediaries: For life insurance and investment-related products.
  • Mortgage credit intermediaries.
  • Currency exchange offices.
  • Crowdfunding service providers.

Non-financial sector obliged entities:

  • Auditors, accountants, and tax advisors.
  • Lawyers and notaries for specific transactions: real estate, company formation, and trust administration.
  • Real estate agents and property developers for transactions above €10,000.
  • High-value goods dealers for cash transactions above €10,000.
  • Trust and company service providers.

The regulation applies to EU-licensed entities and to third-country branches operating in the EU. Group-level entities must ensure AML policies cover all subsidiaries, including those outside the EU, to the extent local law permits.

There's no size exemption. A two-person currency exchange and a globally systemic bank face the same obligations. The difference is in proportional calibration of procedures, not the rules themselves.

What does EU AMLR require?

The regulation builds around a risk-based approach. Entities must assess, document, and address ML/TF risk across customers, products, geographies, and delivery channels.

  1. Customer due diligence (CDD). Verify every customer's identity before establishing a business relationship. CDD covers identity verification, beneficial ownership identification, and understanding the relationship's purpose and intended nature. Verification must be complete before business commences, with limited exceptions for low-risk, low-value products.

  2. Beneficial ownership identification. Identify the ultimate beneficial owner (UBO) for every corporate customer. The ownership or control threshold is 25%. Where no natural person meets that threshold, the senior managing official must be recorded as the UBO. Firms can't rely on national beneficial ownership registers alone; independent verification is required.

  3. Enhanced due diligence (EDD). Mandatory for high-risk customers, politically exposed persons (PEPs), correspondent banking relationships, and transactions involving high-risk third countries listed by the European Commission. For PEPs, EDD continues for at least 12 months after they leave public office, with risk-based extension beyond that period.

  4. Simplified due diligence. Permitted only where a documented risk assessment supports it. The regulation removes automatic simplified CDD for listed companies and government bodies; firms must demonstrate the low-risk basis.

  5. Ongoing transaction monitoring. Monitoring must be continuous, not periodic. CDD files must be reviewed when circumstances change or when transactions fall outside the customer's established risk profile.

  6. Suspicious transaction reporting. File a suspicious transaction report (STR) with the national FIU when there are reasonable grounds to suspect ML or TF. Reports should be filed before executing the transaction where possible. The tipping-off prohibition applies: firms can't inform customers that an STR has been filed or is under consideration.

  7. Record retention. Keep all CDD records, transaction records, and supporting documentation for five years from the end of the business relationship. Competent authorities can order a one-off extension to ten years.

  8. Internal controls. Appoint a compliance officer at management level, maintain a written AML policy, train all relevant staff at least annually, and run independent AML program audits.

  9. Cash transaction limit. €10,000 cap on cash payments for high-value goods, replacing the patchwork of national limits that previously ranged from €1,000 in Greece to no cap at all in some member states.

What evidence do regulators expect?

Examiners from national competent authorities or AMLA look for proof that your program runs, not just that it exists on paper. These are the documents that get pulled on audit day.

Governance and policies:

  • Board-approved AML policy with version history and dated amendments
  • Board or senior management minutes that reference AML reporting
  • Written mandate for the compliance officer, with defined scope and escalation authority
  • Risk appetite statement covering ML and TF

CDD and beneficial ownership:

  • Customer files containing identity documents, UBO records, and purpose-of-relationship documentation
  • Evidence that beneficial ownership was independently verified, not copied from a register
  • Documented rationale for any simplified CDD applied, with the risk assessment that supported it
  • EDD files for all PEPs, showing source of wealth and source of funds checks with dated refresh records

Transaction monitoring:

  • System configuration records: current alert rules, thresholds, and tuning history
  • Audit trails for all alert dispositions, including analyst notes on closed alerts
  • Evidence of rule review or model validation, dated within the last 12 months
  • STR filing logs with timestamps, confirming pre-transaction filing where required

Training:

  • Completion records for all customer-facing and compliance staff
  • Training content covering current typologies, including virtual asset risks and cross-border ML patterns

Technology controls:

  • Sanctions screening configuration and test results
  • PEP database provider documentation
  • Evidence of regular screening against the EU consolidated sanctions list

Examiners consistently cite the same gaps: customers onboarded before the regulation took effect with no retrospective review, and transaction monitoring rules unchanged since the prior supervisory cycle.

Common failure modes

The patterns that get firms cited under EU AML law are consistent. We've seen these across institution types and jurisdictions.

  • Beneficial ownership gaps. Firms capture the 25% shareholder and stop. Complex holding structures, nominee arrangements, and trust layers go unexplored. The EBA's 2022 peer review of AML/CFT supervisory practices found incomplete beneficial ownership verification to be one of the most frequent CDD deficiencies across member states. (EBA Peer Review Report, November 2022)

  • PEP misclassification. Compliance teams apply PEP screening only to heads of state and senior ministers, missing domestic PEPs, regional officials, and immediate family members. The regulation covers all of them.

  • Stale CDD files. Customers onboarded years ago under different risk profiles, with no retrospective review after their transaction volume, product use, or country of residence changed.

  • Alert closures without documentation. Transaction monitoring fires, an analyst closes the alert, no rationale is recorded. Examiners can't distinguish a legitimate disposition from an ignored red flag.

  • Tipping-off failures. Staff inform customers that a report has been filed or is under consideration. ING Netherlands' €775 million settlement with Dutch prosecutors in 2018 cited systematic failures in detecting unusual transaction patterns and in controlling customer communication during active investigations. (Dutch Public Prosecution Service, September 4, 2018)

  • Crypto travel rule gaps. CASPs and VASPs accepting transfers without verifying originator and beneficiary data, in direct violation of EU Travel Rule requirements that run alongside AMLR's CDD obligations.

Penalties for non-compliance

EU AMLR sets minimum penalty thresholds that member states must implement. For most institutions, these are higher than pre-2024 national frameworks.

For legal persons, maximum administrative penalties are:

  • Credit institutions and financial institutions: €10 million or 10% of total annual group turnover, whichever is higher.
  • Other obliged entities: €5 million or 10% of annual turnover.

For natural persons (individual officers, compliance staff, board members): up to €1 million per violation.

Beyond monetary penalties, competent authorities can impose:

  • Public statements naming the entity and describing the breach
  • Temporary bans on conducting regulated business
  • Suspension or removal of the management responsible for the failure

ABN AMRO's 2021 settlement illustrates what systemic failure costs: €480 million for a decade of inadequate monitoring, incomplete client files, and delayed STR filings. (Dutch Public Prosecution Service, April 9, 2021) That settlement came under 4AMLD-era Dutch law. AMLR raises the floor.

AMLA adds a new enforcement layer from 2028. For entities under its direct supervision, AMLA can apply EU-level fines directly and coordinate cross-border cases where multiple member states are involved.

Recidivism is an aggravating factor. A second systemic failure within five years will face enhanced penalties. Member states retain discretion to impose amounts above the AMLR minimums, and several are expected to do so.

Related regulations and frameworks

EU AMLR doesn't operate in isolation. It sits at the center of a cluster of EU and international obligations.

Direct EU complements:

  • EU AMLA Regulation: Creates the Anti-Money Laundering Authority, which directly supervises high-risk obliged entities from 2028 and coordinates national AML supervisors. AMLR sets the rules; AMLA enforces them at EU level.
  • EU Travel Rule (TFR): Regulation (EU) 2023/1113 requires payer and payee data to travel with fund transfers. For CASPs and payment institutions, TFR obligations run directly alongside AMLR's CDD requirements.
  • 6AMLD: The Sixth Anti-Money Laundering Directive remains relevant for criminal law harmonization, covering 22 predicate offenses and corporate criminal liability. AMLR supersedes it for most administrative CDD and monitoring obligations.
  • GDPR: AMLR's five-year retention requirement creates direct tension with GDPR's storage limitation principle. Firms need documented legal bases for holding personal data beyond the end of a relationship.

International framework:

  • FATF Rec 20: AMLR's STR obligations directly implement this recommendation at EU level, making FATF expectations enforceable without national discretion.
  • FATF Rec 24: The beneficial ownership identification rules in AMLR track this recommendation, including the 25% threshold and verification requirements.

Equivalent national regimes:

  • UK Money Laundering Regulations 2017: The UK's equivalent framework for UK-regulated firms. Structurally similar post-Brexit, though technical detail is diverging.
  • US Bank Secrecy Act: The US AML framework shares core obligations (SAR filing, record retention, CDD) but uses a different supervisory structure organized around FinCEN and prudential regulators.

How FluxForce supports EU AMLR compliance

FluxForce's AI agents automate the CDD, transaction monitoring, and STR workflows that EU AMLR mandates. Aiden Flux handles ongoing monitoring and alert triage. It flags transactions that exceed risk thresholds and routes them for analyst review. Nova Sentinel screens customers and counterparties for sanctions and PEP status in real time. Every decision comes with full audit evidence, which satisfies examiner requests for alert disposition rationale. The platform's configurable autonomy settings give your compliance team control over when agents act and when humans decide. For a walkthrough of how FluxForce maps to AMLR obligations, request a demo.
