From AMLD to AMLR

Navigating the EU’s evolving anti-money laundering regulatory landscape

By Niclas-Andreas Mueller, CFE

The European Union is reforming its legal framework to combat money laundering and terrorist financing in 2027. Meanwhile, financial institutions and designated nonfinancial businesses and professions must consider how these changes will affect their current compliance programs. The author details the new framework and proposes a four-pronged approach to align existing processes to new rules.

In the late 2010s, European Union countries grappled with a string of major money laundering cases that revealed significant weaknesses within their regulatory framework. Cases like the 2018 Danske Bank scandal in Estonia, the Swedbank investigations in the Baltic States in 2019, the Netherlands ING fine, and the closure of Pilatus Bank in Malta by the European Central Bank prompted the EU to scrutinize the region’s anti-money laundering (AML) and countering the financing of terrorism (CFT) regime. Despite successive EU legislation designed to reinforce regulations, member states continue to interpret and apply the rules differently, creating a fragmented regulatory landscape for criminals to exploit.

A 2019 assessment exposed other shortcomings in the legislative and regulatory framework. According to the report, national supervisors often intervened only after significant risks had materialized or after repeated compliance and governance failures. The timeliness and effectiveness of subsequent supervisory measures imposed on organizations varied greatly. Group supervision was largely deficient, while regulatory and supervisory fragmentation prevented effective cooperation.

The EU’s executive branch, the European Commission (EC), responded with an action plan in May 2020 and formulated six objectives to strengthen the integrity of the internal market and address deficiencies in rules enforcement. In July 2021, the commission presented draft legislation for a uniform set of rules, establishing EU-level supervision and strengthening cooperation among member states’ financial intelligence units (FIUs). After extensive negotiations between the EC, the European Council and the European Parliament, the final acts were published in the Official Journal of the European Union on June 19, 2024, and introduced a Single European Rulebook for AML/CFT to replace the current system of 27 national frameworks. While the rules don’t go into effect until July 10, 2027, now’s the time for organizations to assess their readiness for these upcoming regulatory changes and ensure that their financial, technical and human resources comply with the new rules ahead of that date.

The EU AML/CFT package

The new EU AML/CFT package comprises four legal acts: the AMLA Regulation (AMLAR), the AML Regulation (AMLR), the Sixth AML Directive (AMLD6), and the Fund and Crypto-Asset Transfer Regulation.

The AMLA Regulation establishes a new EU agency, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). This authority, headquartered in Frankfurt, Germany, will directly supervise selected financial-sector organizations, coordinate the work of national competent authorities (NCAs) and FIUs, and further clarify the requirements under the Single European Rulebook. NCAs include FIUs, supervisory authorities and public authorities that can investigate or prosecute money laundering or terrorist financing and trace, seize or freeze criminal assets. AMLA commenced operations on July 1, 2025, but won’t reach its full scale until 2028.

The AML Regulation forms the core of the legislative package and contains the substantive legal provisions for obliged entities (e.g., on establishing sound AML/CFT risk management and performing customer due diligence). The regulation will, with limited exceptions (e.g., regulations for professional football clubs), apply directly in all EU member states and will replace the current system of diverging national AML acts.

The Sixth AML Directive is primarily directed at the member states and includes, among others, national measures for high-risk sectors, requirements for establishing national registers (e.g., information on ultimate beneficial owners or real estate ownership) and standards for national supervisors. Member states must implement the directive by adopting national legislation by July 10, 2027.

Under the Fund and Crypto-Asset Transfer Regulation, crypto-asset service providers (those who provide crypto-asset services, including custody, trading or exchange of crypto-assets, to clients on a professional basis), in addition to payment service providers, must now apply the Financial Action Task Force (FATF) travel rule, which provides transparency about the originator and the beneficiary of a transfer along the entire transaction chain.

AMLA regulations

AMLA will work with national supervisors to harmonize their approaches to AML/CFT rules by conducting joint thematic reviews and providing guidance on how to assess risk in regulated entities. To achieve its mission, AMLA will draft 13 regulatory technical standards (RTS), six implementing technical standards (ITS) and 20 guidelines. 

RTS in the EU are legally binding delegated acts that supplement high-level financial legislation with detailed technical rules, and ITS ensure that EU law is uniformly applied. EU legislative bodies agree on high-level rules and empower the EC to adopt a regulatory standard to clarify details, which helps achieve political agreement and speeds up the legislative process. For example, the draft RTS on criteria and thresholds includes criteria that businesses must consider to identify a business relationship under AML legislation. RTS and ITS are drafted by AMLA with public consultation and adopted by the EC as delegated acts, making them directly applicable in all member states.

AMLA issues guidelines following the public consultation and outlines minimum requirements for organizations to comply with their obligations under EU AML/CFT legislation. For example, the draft guidelines on business-wide risk assessment describe the components of an organization’s risk assessment document and expectations for their risk assessment process.

New rulebook requirements

The EU’s revised AML/CFT framework sets out several new and amended requirements. 

New regulated entities

The AMLR widens the circle of organizations subject to AML/CFT requirements. They now include crowdfunding service providers (which use a platform to issue project owners with loans or transferable securities from investors), holding companies and companies that advise non-EU nationals who seek residence rights through approved investment schemes (e.g., “golden visas”). These organizations must comply with the regulations by July 10, 2027. Additionally, football agents and professional football clubs will be subject to AML/CFT legislation starting in July 2029.

The AMLR also introduces a significant change to how business owners may trade goods. Under the previous framework, any business trading in goods that made or received cash payments of more than 10,000 euros had to comply with AML/CFT regulations. Under the new regulations, only businesses trading in precious metals and stones, jewelry and watches, or high-value goods, such as luxury automobiles, must comply with AML/CFT requirements.

Finally, the AMLR alters how the fine arts sector is regulated. Previously, any person trading high-value works of art had to comply with AML/CFT requirements. Under the Single European Rulebook, the term “works of art” is now replaced by “cultural goods,” as defined in the regulation on the export of cultural goods. Any business trading in cultural goods valued at 10,000 euros or more, including archaeological objects, paintings and vintage vehicles, must comply with the new rules.

Organizations covered by these changes must assess how the new EU regulations will affect their business models and reorganize their programs accordingly to comply with the new rules.

Compliance with targeted financial sanctions

The AMLR integrates compliance with targeted financial sanctions into AML/CFT regulations, and money laundering reporting officers will now oversee compliance with targeted financial sanctions.

Targeted financial sanctions are EU restrictive measures that prohibit making funds available to, or require freezing the assets of, states, organizations or individuals. Organizations had to comply with restrictive measures in the past, but the previous legislative framework didn’t specify which measures were required for compliance. Rather, it’s been the responsibility of each organization’s management to implement appropriate procedures to comply with the existing prohibitions.

Under the new rulebook, organizations should perform risk assessments and implement policies, procedures and controls to manage and mitigate their exposure to sanctions risks. This includes screening all customers and their beneficial owners to identify sanctioned individuals and entities. Organizations that fail to carry out these tasks may be fined, regardless of whether they’ve made funds available to sanctioned individuals, which would violate restrictive measures.

Politically exposed persons

Under the current framework, organizations are required to verify whether their customers or beneficial owners are politically exposed persons (PEP) — people in public positions representing a state or international organization, their family members and close associates. In such cases, they must apply enhanced due diligence measures to the business relationship. In November 2023, the European Commission published a list of prominent public functions, whose holders are now PEPs.

While prominent public functions were previously restricted to the national level (e.g., cabinet ministers or members of the national legislative body), the AMLR extends the list to include members of regional or local executive or legislative bodies that represent constituencies of at least 50,000 people, and members of the management body of medium-sized or large undertakings controlled by these authorities. Further, the siblings of the heads of state, heads of government, ministers and deputy or assistant ministers are now included in the PEP rules. 

Ongoing business relationships

Entities must continuously monitor business relationships, including transactions, and must ensure that customers’ documents, data and information are kept up to date.

According to the AMLR, the time between customer reviews can’t exceed a year for high-risk customers and five years for all other customers. Some member states already provide for statutory timelines under their domestic laws, but these are inconsistent across the EU and, in some cases, allow for significantly longer review cycles (e.g., in Germany, where low-risk customers may be reviewed every 15 years). Additionally, some countries, including Ireland, permit organizations to define review frequencies without providing for statutory upper limits.

Limits to large cash payments

The Fourth AML Directive attempted to mitigate money laundering and terrorist financing risks from large cash payments by subjecting businesses that trade in goods and transact with cash payments to AML/CFT regulation. But in the past this approach was ineffective as many businesses misunderstood and misapplied the requirements and lacked appropriate supervision by NCAs.

To adequately mitigate risks from the misuse of cash, the AMLR now includes an EU-wide limit to large cash payments. When the regulations go into effect, businesses trading in goods or providing services will no longer be able to accept or make cash payments above 10,000 euros. This limit doesn’t apply to payments between individuals who act outside their professional capacity, or to payments or deposits made at financial institutions. EU member states may adopt lower limits or retain already existing limits if they don’t exceed the EU’s limit.

[Figure. Source: European Consumer Centre Germany, April 2026]


According to the European Consumer Centre Germany, 17 of 27 member states had established cash limits by 2024, and most of them were well below the proposed EU limit. It now falls to the remaining 10 member states to implement the new EU limit by updating their cash-use limits.

All businesses trading in goods or services, even if they don’t have to comply with AML regulations, must implement policies, procedures and controls to ensure that they and their branches or authorized dealers comply with the restriction on large cash payments.

Establishing a new supervisory regime

The Single European Rulebook establishes a new EU-level authority with a broad supervisory and regulatory mandate to ensure that the reform package is consistently applied across member states. AMLA will be governed by a general board, consisting of representatives from the member states, as well as an executive board, made up of a chair and five independent members. The executive director manages the authority and reports to the executive board.

In the financial sector, AMLA will directly supervise nearly 40 higher-risk cross-border institutions, and the authority will form joint supervisory teams with NCAs to supervise selected institutions across jurisdictions. National supervisors will remain responsible for all other institutions; however, AMLA may take over supervisory duties of financial institutions if a national supervisor can’t fulfill its mandate. 

Additionally, AMLA will coordinate thematic reviews across member states and peer reviews of national supervisors in the nonfinancial sector. The authority will be responsible for the supervisory colleges framework established by the European Banking Authority and maintain a central database with information about the supervisory system’s functions.

AMLA will also play an important role in coordinating the work of national FIUs. The authority will prepare and coordinate threat assessments, facilitate joint analysis of cross-border cases, provide support and mediation to national FIUs, and conduct peer reviews of their activities. AMLA will also host and manage national FIUs’ central communication network.

Four-pronged approach to AMLR readiness

With the Single European Rulebook application date only a year away, organizations will need to accelerate their preparations to avoid falling behind and failing to meet supervisory expectations.

To be AMLR-ready, organizations must explore the new rules, prepare for the required changes, implement measures to update their compliance programs and execute the new requirements. Each step must be completed fully before moving to the next phase. While it might be tempting to bypass early preparatory steps in favor of the implementation phase, doing so runs the risk of misinterpreting or misunderstanding the new requirements. Getting the basics correct ensures efficient implementation of the new framework.

The following four phases outline the key activities of the regulatory change process. This model may serve as a blueprint for organizations just beginning their transformation journey. For organizations that have already started making changes, the model can help benchmark their progress. 

Exploration phase

During the exploration phase, organizations perform a gap and impact assessment, draft a high-level action plan and organize internal knowledge-sharing sessions. The objectives of this phase include understanding the new requirements, the company’s current position and the scale of change for its business model. Compliance departments generally lead this phase, with some involvement from other departments that contribute data required for the gap assessment and receive high-level updates on the regulatory changes.

To inform subsequent phases, the gap assessment must go beyond identifying discrepancies in an organization’s current policies to describing their impact on operations. For example, moving from a two-year to a one-year review cycle for high-risk customers requires updating the company’s policy and determining whether review teams require additional resources or technical capabilities, such as process automation or artificial intelligence agent support, to process higher volumes that comply with stricter timelines.

Preparation

During the preparation phase, companies should actively engage relevant stakeholders from across the business, including IT and data management teams. They’ll organize the project and governance, advance a high-level action plan, and involve the board and senior management of the company for required approvals of resources and budgets.

This phase is a joint effort by compliance departments and risk owners as the first line of defense in implementing controls that protect businesses. The organization must ensure it has a clear target model in place for the following implementation phase and has achieved the required level of awareness and buy-in from those affected by the changes.

Implementation

Companies update their policies and procedures, enhance processes and controls, deploy tools and systems, and make required changes to their governance arrangements to comply with the new rules during the implementation phase. Organizations should also review the availability, completeness and quality of the data to ensure they can meet evolving supervisory expectations.  

Risk owners oversee the implementation phase, with the compliance department serving an advisory function. They’ll also monitor implementation activities, ensuring they’re on track and proceeding along the organization’s transformation roadmap.

Execution

Organizations reach the execution phase when they’ve implemented the updated policies, procedures and controls, transitioned from project-based to business-as-usual processes and governance, and trained their staff on the new standards and systems. The objective during execution is to perform business operations in the most efficient manner possible while being fully aligned with the applicable legal and regulatory requirements. [See “Readiness journey model” at the end of this article.]

As part of the execution phase, internal audit informs the board and senior management that risk owners and compliance have made the required changes. Ideally, this role starts during the implementation phase and is performed in stages as major milestones are achieved and concludes with a full operational effectiveness audit.

Staying ahead of the regulatory tidal wave

Organizations need to move quickly through the regulatory change phases to ensure compliance with the Single European Rulebook by July 2027. But this isn’t a one-off exercise. Companies should expect additional standards and guidelines over the next three years, so they must carefully monitor the evolving regulatory landscape and retain a level of flexibility in their policies, systems and operations to implement subsequent requirements without widespread disruption to their business.

Having a flexible, customizable operating model can help organizations tailor individual processes and system components. Additionally, scenario analysis to consider future events and possible outcomes can help organizations account for potential policy changes and ensure that current design decisions don’t prevent companies from complying with future regulatory instruments. The compliance department must lead this effort, remaining vigilant, responding quickly to new regulations and ensuring their business stays ahead of this fast-approaching regulatory tidal wave.

Niclas-Andreas Mueller, CFE, is a director in the risk consulting practice of KPMG in Ireland and president of the ACFE Ireland Chapter. Contact him at niclasandreas.mueller@gmail.com.

Readiness journey model

To comply with the European Union’s updated Single Rulebook by July 10, 2027, organizations will need to update their compliance programs. This model details four phases to guide organizations as they update their AML/CFT programs. 

Exploration phase

Key activities:

  • Perform a gap assessment.
  • Perform an impact assessment.
  • Draft a high-level action plan, including roles and responsibilities.
  • Organize internal knowledge-sharing sessions.

Preparation phase

Key activities:

  • Involve relevant stakeholders (compliance, business, IT).
  • Identify risks that could jeopardize timely readiness.
  • Connect the change to the firm’s strategic objectives.
  • Advance the high-level action plan.
  • Involve the executive board and ensure decision-making.

Implementation phase

Key activities:

  • Update policies and standards.
  • Update processes and controls.
  • Execute governance (re)arrangements.
  • Update IT and tooling.
  • Improve data management and data quality.

Execution phase

Key activities:

  • Policies, standards, processes and controls are implemented.
  • Governance is in place.
  • IT and tooling are ready.
  • New requirements have been applied to the existing client base.
  • New requirements are ready to be applied to new business relationships.
