Add a bookmark to get started

Buildings_P_0097
16 December 20242 minute read

The New Anti-Money Laundering Rules: What You Need to Know

Key takeaways:

  1. On 31 May 2024, the EU Legislature adopted Directive (EU) 2024/1640 (the Sixth Anti-Money Laundering Directive, AMLD6), Regulation (EU) 2024/1624 (the Anti-Money Laundering Regulation, AMLR), Regulation (EU) 2024/1620 (the AML Authority Regulation, AMLAR). Together with Regulation (EU) 2023/1113 (the Revised TOFR), adopted on 31 May 2023, these rules complete the adoption of the revised anti-money laundering and countering the financing of terrorism (AML/CFT) package.
  2. The AML/CFT package overhauls the regime under Directive (EU) 2015/849 (AMLD4). On the one hand, it significantly expands the regime with strengthened and new obligations across key areas such as beneficial ownership transparency, due diligence obligations and supervision. On the other hand, it further harmonises the regime through the use of Regulations, which directly apply in the Member States of the Union and the introduction of a new Europea supervisor, the AML Authority (AMLA).  
  3. The rules will enter into force on a staggered basis, starting with the TOFR next December and some delegated rules under the AMLD6 to apply in July 2029.

 

Background

We published a briefing in October 2021 on the package, setting out the policy background and an overview of the initial proposals, and a briefing on the TOFR in June 2023. This briefing focuses on the key changes introduced by the AMLD6, the AMLR and the AMLAR.

Beneficial ownership registers

Together with the AMLR, the AMLD6 expands the regime on beneficial ownership registers. The AMLR harmonizes beneficial ownership transparency requirements for obliged entities and the AMLD6 sets out more granular rules on the Member States' central registers. These registers must hold more detailed beneficial ownership information (including on non-EU legal entities and arrangements) covering a larger array of arrangements.

The central registers must also be interconnected via the European Central Platform under Directive 2017/1132.  The access to these interconnected registers must be available to, among others, competent authorities, AMLA and people with a demonstrable legitimate interest (e.g. journalists and civil society organisations).

Bank account registers

The AMLD6 extends the AMLD4's obligation to maintain centralized automated mechanisms (registers or data retrieval systems) such that persons holding or controlling bank accounts can be timely identified, to securities accounts and crypto-asset accounts. The information must be accessible to FIUs (see below), the AMLA (for joint analyses) and national AML/CFT authorities. It must also be accessible via the bank account registers interconnection system (‘BARIS’), to be developed and operated by the Commission by 10 July 2029. 

Financial Intelligence Units (FIUs)

The AMLD6 also expands the regime applicable to FIUs. The new rules clarify their financial analysis function, cover the security of their communication channels and lay down rules on the exchange of information with national authorities and obliged entities. AMLA is tasked with issuing guidelines on these matters.

Another novelty is that FIUs must designate a 'Fundamental Rights Officer', which monitors the FIU's compliance on fundamental rights and informs the unit head on possible violations of fundamental rights. The AMLD6 also codifies the FIU's right to the access required to fulfil its tasks, and establishes conditions regarding the FIU's ability to suspend or withhold consent in case of a suspicious transaction. The FIU has 10 working days for analytical work, but Member States can set longer period if the FIUs performs the function of tracing, seizing, freezing or confiscating criminal assets under national law. If the suspicion relates to a bank account or payment account, a crypto-asset account or a business relationship, the maximum period is 5 working days, but Member States can set a longer period for the same reason. In both cases, appropriate national safeguards must be available.

The FIU is also empowered to instruct obliged entities to monitor transactions or activities carried out through bank, payment or crypto-asset accounts, or other business relationships managed by the entity, and to report the results of the monitoring.

Supervision

The AMLD6 also substantially expands the general provisions on supervision. It lays down new rules on the risk-based approach to supervision (on which AMLA shall issue guidelines by 10 July 2028) and regulates the cooperation on the supervision of cross-border activities (in which AMLA plays a conflict-resolving role). It also expands the rules on cooperation on the supervision of groups through the exchange of information that can influence an assessment in another Member State, on which AMLA will prepare draft technical standards by 10 July 2026.

An important novelty are the rules on the establishment of dedicated AML/CFT supervisory colleges, which serve to exchange information, provide mutual assistance or coordinate supervision, among other functions. There are separate rules for financial and non-financial sectors. For example, in the financial sector a supervisory college must be set up if (1) a credit or financial institution (including groups), has set up establishments in at least two Member States other than the one where its head office is located, or (2) a third-country credit or financial institution has set up establishments in at least three Member States. AMLA must develop draft technical standards by 10 July 2026 complementing the regime.

Sanctions and measures

The AMLD6 expands the AMLD4's sanctions regime. It lays down more detailed rules covering pecuniary sanctions and administrative measures for breaches of the AMLR and the TOFR, and. AMLA must develop technical standards by 10 July 2026 on several of these matters. 

The pecuniary sanctions for serious, repeated or systematic breaches have been amended as well. The most important change is that the maximum thresholds have been increased, from EUR 5 EUR mio or 5% of total annual turnover, to EUR 10 mio or 10% of total annual turnover. The AMLD6 also clearly specifies the minimum administrative measures available to national supervisors and allows supervisors to impose periodic penalty payments to compel compliance with certain measures (e.g. ordered implementation of risk-reducing measures).

AML/CFT cooperation

The AMLD6 strengthens the rules on cooperation laid down in the AMLD4. Besides including AMLA in the list of authorities, it obliges Member States to facilitate the sharing of beneficial ownership information and not prohibit or unduly restrict cooperation or assistance. Other important additions are the obligation of a FIU and national authorities to cooperate with AMLA, the specification that professional secrecy requirements do not prevent the exchange of information between supervisors, and specific rules covering the cooperations in relation to credit institutions, financial institutions and auditors.

AMLA shall cooperate with the European Central Bank, the European Supervisory Authorities, Europol, Eurojust and European Public Prosecutor's Office to issue guidelines on these matters, by 10 July 2029.

With the adoption of the AMLR, the EU AML/CFT framework will be more harmonized, as its provisions are directly applicable in the Member States. This harmonisation will benefit obliged entities that operate on a cross-border basis.

Scope

The AMLR extends the scope of the rules as the list of obliged entities to include, among others, crypto-asset service providers as defined in the Markets in Crypto-Assets Regulation, credit intermediaries for mortgage and consumer credits that are not financial institutions, persons that trade in certain high-value goods, and professional football clubs when carrying out certain transactions. The AMLR allows Member States to introduce some exemptions for certain providers of gambling services, certain professional football clubs and certain financial activities. It also contains a notification procedure for cross-border operations.

Internal policies, procedures and controls

The AMLR also significantly expands the AMLD4’s provisions on internal policies, procedures and controls. New provisions include the obligation to subject an employee (or person in a comparable position) who directly participates in the obliged entity’s compliance with the AMLR, the TOFR and any administrative act issued by any supervisor, to an assessment prior to starting his activities and regularly thereafter.

Customer due diligence

The AMLR also strengthens the AMLD4's regime on customer due diligence (CDD). It introduces stricter CDD measures for occasional transactions, lowering the threshold to EUR10000 (or a lower value in case of higher ML/TF risks) and tasking AMLA to prepare technical standards by 10 July 2026. For crypto-asset service providers the corresponding threshold is EUR1000, and for transactions under EUR 1 000, they must identify the customer and verify the identity. The AMLR also provides which persons obliged entities should considered as customers, a list that for payment initiation service providers, includes merchants.  

Other noteworthy introductions are (1) the obligation to verify whether customers and beneficial owners are subject to targeted financial sanctions, (2) enhanced CDD measures for credit institutions, financial institutions and trust or company service providers if personalized services are provided involving handling assets with a value of at least EUR5 mio, for a customer holding at least EUR50 mio in total assets, and (3) a new requirement to update customer information after five years (one year for high risk customers).

Beneficial ownership transparency

As set out above, the AMLR lays down definitions regarding beneficial ownership for a wide range of entities and structural arrangements, which are referred to in the AMLD6. It also details how obliged entities should identify the beneficial owners of these entities and arrangements, as well as obligations to record such information and to share it with the central register. A noteworthy change is the lowered threshold for the identification of ultimate beneficial owners (UBOs), from 'more than 25%' of the shares or voting rights in a company, to '25% of more'. As a result, obliged entities will have to identify more UBOs than under the AMLD4.

Importantly, the AMLR leaves it up to Member States to determine the penalties for breaches of these rules, which must be effective, proportionate and persuasive. The Commission must adopt delegated acts by 10 July 2026 to provide more granular guidelines that Member States must follow.

Reporting obligations and information sharing

The AMLR lays down obligations to report suspicions to FIUs, which will be supplemented by AMLA guidelines and technical standards from the Commission in the course of 2026 and 2027. Those rules are supplemented with an obligation to refrain from carrying out transactions, clarification that disclosure does not constitute a breach of any contractual or statutory restriction on information disclosure, a prohibition to disclose the assessment of suspicions to the customer, and threshold-based reports of transactions in certain high-value goods.

As members of partnerships for information sharing, obliged entities may share information for the purpose of customer due diligence and reporting of suspicions to FIUs.

The AMLAR establishes the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), a new European authority tasked with overseeing AML/CFT supervision in the European Union. The AMLA will be based in Frankfurt, Germany. The AMLAR gives the Authority a broad range of supervisory tasks, organized around four pillars.

The first pillar concerns ML/TF risks in the internal market. Key tasks related to this pillar include monitoring developments, establishing a central information database and facilitating cooperation between obliged entities, supervisory authorities and non-AML/CFT authorities.

The second pillar concerns direct supervision of selected obliged entities. The entities are selected on the basis of a risk assessment process to select entities, together with national supervisors, which must be complemented with technical standards to be prepared by the AMLA by 1 January 2026. For each selected obliged entity, a joint supervisory team with staff from the AMLA and national supervisors shall be established, with staff from the AMLA staff and the national supervisors responsible for its supervision.  

The third pillar concerns FIUs. The AMLA is tasked with various tasks, such as contributing to cooperation, facilitating joint analyses for relevant cross-border cases for joint analyses, providing specific assistance and to provide tools and services to enhance their capabilities.

The fourth pillar is the engagement with financial and non-financial supervisors. Key tasks of the Authority regarding financial supervisors include facilitating the functioning of supervisory colleges, contributing to the convergence of supervisory practices and taking appropriate measures in exceptional circumstances requiring the AMLA's intervention related to non-selected obliged entities compliance or risk exposure.

In summary, the AMLAR allocates a broad portfolio of tasks to the AMLA and its activities are set to significantly impact the supervision of the AML/CFT framework and the conduct of obliged entities.

 

Timeline

The rules will enter into force on a staggered basis, starting from next December until July 2029.

Framework

Timing

AMLD6

Transposition by 10 July 2027, except for Art 74 (10 July 2025), Arts 11, 12, 13 and 15 (10 July 2026) and Art 18 (10 July 2029)

AMLR

Application from 10 July 2027 (except for football agents and professional football clubs, application from 10 July 2029)

AMLAR

Application from 1 July 2025, except for Arts 1, 4, 49, 53, 54, 55, 57 to 66, 68 to 71, 100, 101 and 107 (from 26 June 2024), and Article 103 (31 December 2025).

TOFR

Application from 30 December 2024.

Next steps

Obliged entities will have to wait in order to finalize their compliance strategies, given that the framework provides for technical standards and guidelines that must be prepared over the course of the next three years, and that Member States still have over 18 months to transpose the AMLD6. Until then, the best preparation is to prepare for compliance on the basis of the AMLD6 and the AMLR.

For queries or assistance, please contact our EU Financial Services Regulatory team.

Print