09 June 2026
TI ¦ The European Union’s Anti-Money Laundering Framework: The Complete Guide
What financial crime teams need to know
The European Union’s 2024 anti-money laundering package marks one of the most significant changes to the bloc’s financial crime framework in years. After long negotiations between EU institutions, the package is now moving from political agreement to practical implementation. For banks, crypto firms, real estate professionals, corporate service providers, supervisors and Financial Intelligence Units, the next phase will be defined by how these rules are applied in practice across Member States.
The new framework is built around four main legal instruments. The sixth Anti-Money Laundering Directive strengthens the role of national supervisors and Financial Intelligence Units. A directly applicable Anti-Money Laundering Regulation creates more detailed and harmonised requirements for obliged entities. A new EU-level Anti-Money Laundering Authority, known as AMLA, is being established to improve coordination and direct supervision in selected high-risk cases. The revised rules on transfers of funds and crypto-assets extend transparency requirements to the virtual asset sector.
Together, these reforms aim to close gaps that have allowed illicit funds to move through the EU financial system, property markets, corporate structures and professional intermediaries. The focus is now shifting to implementation, enforcement and the ability of Member States to turn legal reforms into effective financial crime prevention.
Why the 2024 AML package matters
The EU has long faced criticism for uneven anti-money laundering standards across Member States. While previous directives created a common legal foundation, implementation often differed from country to country. Criminal networks, corrupt actors and money launderers have been able to exploit these differences, especially where supervision was weak or beneficial ownership information was incomplete.
The 2024 package is designed to reduce those gaps. By introducing a directly applicable regulation, the EU is moving toward more consistent obligations for the private sector. By creating AMLA, it is also adding a central authority with the power to coordinate national supervisors and directly supervise certain high-risk financial entities. This is intended to make the system more consistent, more transparent and less dependent on fragmented national practices.
For financial crime professionals, the message is clear: compliance expectations are becoming more detailed, more harmonised and more closely linked to EU-level oversight.
Jump to: The European Union’s Framework on Virtual Assets: Crypto
Jump to: The European Union’s Framework on Physical Assets: Real Estate
Jump to: The European Union’s Framework on Beneficial Ownership
Jump to: The European Union’s Institutional Framework on FIUs
Jump to: The European Union’s Legislative Framework on Obliged Entities
The European Union’s Framework on Virtual Assets: Crypto
The European Union has built a much broader legal framework for crypto-assets than many market participants expected a few years ago. The 2024 anti-money laundering package did not create these rules on its own, but it brought crypto-assets fully into the EU’s financial crime perimeter. That shift matters because the sector is no longer treated as a side issue. It is now part of the core architecture for AML, supervision, tax transparency and operational resilience.
Crypto-asset service providers, or CASPs, now sit at the intersection of several EU laws. MiCA sets the market rules and licensing framework. The Transfer of Funds Regulation extends traceability requirements to crypto transfers. The AML Regulation makes CASPs obliged entities. AMLD6 adds account access, supervision and FIU cooperation. DORA addresses digital resilience, while DAC8 brings crypto into tax reporting and automatic exchange systems. Together, these measures create a layered framework designed to reduce anonymity, improve traceability and make crypto activity more visible to regulators and tax authorities.
MiCA sets the market framework
MiCA, the Markets in Crypto-Assets Regulation, is the starting point for understanding the EU’s crypto regime. It provides the first EU-wide legal framework for crypto-asset services that are not already covered by existing financial services law. It classifies crypto-assets into asset-referenced tokens, e-money tokens and other crypto-assets, and it creates uniform rules on transparency, disclosure, consumer protection, market integrity and prudential requirements.
Under MiCA, all CASPs operating in the Union must be authorised. In practice, that means they need a MiCA licence, and they are subject to ongoing supervision by national competent authorities. The regime also includes conduct-of-business rules, governance requirements and market abuse controls. For significant asset-referenced tokens and e-money tokens, the European Banking Authority has a direct supervisory role.
This matters for financial crime risk because MiCA is not just a market access regime. It also creates a clearer population of supervised firms that can be brought inside AML, tax and operational resilience frameworks.
Crypto is now fully inside the AML rules
The 2024 AML package brought CASPs fully into the anti-money laundering and counter-terrorist financing system. They are now expressly treated as obliged entities. That means they must apply customer due diligence, monitor transactions, report suspicious activity and apply enhanced controls for higher-risk situations.
A key issue here is self-hosted wallets. These are often used to move crypto outside the direct control of an intermediary, which increases the difficulty of identifying who controls the funds. The EU framework does not ban self-hosted wallets altogether, but it does require more scrutiny where they are involved. In particular, transfers linked to self-hosted wallets trigger enhanced attention under the travel rule and the AML Regulation.
The AML Regulation also classifies crypto-asset service providers as financial institutions for its purposes. That is important because it places them squarely within the same broad preventive structure that applies to banks and other financial actors. The rules also include a prohibition on anonymous crypto-asset accounts and on arrangements that increase the anonymisation or obfuscation of transactions, including through anonymity-enhancing coins.
The travel rule now applies to crypto
The revised Transfer of Funds Regulation is one of the most important pieces of the EU crypto framework. It extends the travel rule, which was originally developed for traditional payments, to crypto-assets. The core idea is simple: transfers should be traceable, and the information on sender and recipient should travel with the transfer.
For crypto-asset service providers, this means transfers must be accompanied by information on the originator and the beneficiary. The beneficiary’s provider must check whether the required information is present and take action where it is missing, incomplete or suspicious. Where the transfer involves a self-hosted address, the beneficiary CASP must also take extra measures, including verifying ownership in certain cases involving higher amounts.
This is a major change for the sector. It reduces the space for anonymous transfers and makes it harder to use crypto-assets for layering or rapid cross-border movement of illicit funds. It also brings EU practice closer to FATF Recommendation 16, which requires payment and value transfer information to be accurate, structured and available throughout the payment chain.
Licensing and supervision are becoming more centralised
The EU is also moving toward stronger supervision of crypto activity. Under MiCA, national competent authorities supervise the day-to-day licensing and conduct requirements. But the new AMLA adds another layer. The Authority will directly supervise a limited number of high-risk, cross-border obliged entities, including CASPs.
This matters because crypto risks often do not stop at national borders. Firms can have customers, counterparties and infrastructure in several Member States at once. That makes fragmented supervision less effective. AMLA is meant to help close those gaps by improving consistency and coordinating oversight across the Union. The Authority’s workplan has already identified crypto-related crime as an immediate priority, reflecting concerns about inconsistent supervision across Member States.
At the same time, AMLD6 gives national authorities stronger tools to access information and cooperate across borders. It creates a centralised EU-wide access point for information on crypto-asset accounts through the Bank Account Register Interconnection System, which should make it easier for FIUs and law enforcement to identify account holders and trace activity.
FIUs will have better access to crypto information
Financial Intelligence Units are a key part of the crypto-control structure. Under AMLD6, FIUs must have direct access to information they need to perform their tasks, including data on transfers of crypto-assets. They can also be empowered to suspend suspicious accounts or business relationships and instruct obliged entities to monitor activity over a defined period.
This is especially relevant for crypto, where transactions can move quickly and where suspicious patterns may not be visible from a single transfer alone. Better access to account information, combined with stronger reporting from CASPs, should improve the ability of FIUs to identify patterns of layering, rapid movement through multiple wallets or connections to other criminal activity.
DORA adds operational resilience rules
Crypto compliance is not only about AML. DORA adds a separate but related layer by requiring crypto-asset service providers authorised under MiCA, and issuers of asset-referenced tokens, to manage ICT risk more effectively. That includes measures for protection, detection, containment, recovery and repair, along with incident reporting and oversight of third-party ICT providers.
This is relevant for financial crime because cyber risk and financial crime risk often overlap. Weak operational controls can create openings for theft, fraud, account takeover, data compromise or system abuse. DORA is designed to make crypto firms more resilient against those threats and to reduce the chance that technology failures or attacks create AML blind spots.
DAC8 brings crypto into tax transparency
The EU’s crypto framework also reaches tax. DAC8 requires reporting crypto-asset service providers to collect and report information on crypto users and transactions, and then enables automatic exchange of that information between tax authorities in Member States.
This is important because crypto has often been used to obscure taxable income, capital gains or cross-border holdings. DAC8 does not itself set tax rates or tax liability, but it gives tax authorities the information they need to cross-check declarations and identify non-compliance. It also expands the use of self-certification and tax identification data, making it easier to link a crypto account to a specific person and tax residence.
What this means in practice
The combined effect of these rules is to make crypto less anonymous, more traceable and more visible to supervisors and authorities. Firms can no longer treat compliance as a narrow licensing question. They need to think about AML, sanctions, tax reporting, operational resilience and supervision together.
For CASPs, the practical challenge will be to build systems that can handle customer due diligence, transfer tracing, wallet risk, suspicious activity reporting and data reporting across different legal regimes. For investigators and supervisors, the new framework offers stronger tools, but it will still depend on enforcement quality and cross-border cooperation.
The EU is clearly moving toward a model in which crypto-assets are treated as part of the regular financial system, not as a separate zone with lighter controls. That shift is likely to shape both market behaviour and enforcement strategy for years to come.
The European Union’s Framework on Physical Assets: Real Estate
Real estate has long been one of the most attractive channels for laundering illicit funds. Property can absorb large amounts of money in a single transaction, help disguise ownership through companies or legal arrangements, and turn criminal proceeds into apparently legitimate assets. For that reason, the EU’s updated anti-money laundering framework gives the sector much more attention than before.
The 2024 AML package changes the legal treatment of real estate in two major ways. First, the AML Regulation creates harmonised obligations for real estate agents, real estate professionals acting as intermediaries, and certain legal professionals involved in property transactions. Second, AMLD6 introduces stronger access to real estate information for Financial Intelligence Units and competent authorities through single digital access points. Together, these measures are meant to make property ownership and transactions harder to hide.
Why real estate remains a high-risk sector
Property is useful for money laundering because it allows criminals to place large sums into a relatively stable asset and often to do so through complex ownership structures. Anonymous companies, trusts and other legal arrangements can be used to conceal the true owner. Once the property is acquired, its value can increase over time, giving illicit wealth a layer of apparent legitimacy.
This is why fast and reliable access to ownership information matters. FIUs and competent authorities need to know who owns the property, how it was acquired, what the transaction price was and whether there are encumbrances or unusual structures behind the purchase. Without that information, it becomes much harder to detect laundering schemes, freeze assets or enforce sanctions.
The AML Regulation brings real estate intermediaries into a common rulebook
Under the new single rulebook, real estate agents and other real estate professionals are explicitly treated as obliged entities when they act as intermediaries in real estate transactions. The same applies to certain legal professionals when they participate in property-related financial or real estate transactions or assist clients in planning or carrying them out.
This is a significant shift because the EU is moving away from a fragmented, directive-based approach toward a directly applicable system. From July 2027, the rules will apply across the Union in a more uniform way. That should reduce the differences between Member States that criminals have historically exploited.
The regulation also covers letting of immovable property when the monthly rent is at least EUR 10,000 or the equivalent in national currency. That reflects the fact that high-value rental arrangements can also be used to move and disguise funds.
Customer due diligence starts at EUR 10,000
For real estate professionals, customer due diligence is required when establishing a business relationship and when carrying out an occasional transaction of at least EUR 10,000, whether that transaction is done in one operation or through linked transactions. The same threshold applies to certain rental transactions.
The regulation also clarifies that in some real estate transactions, the customer is not just the person directly dealing with the obliged entity. For example, where only one notary is involved in a transaction, both the buyer and the seller may need to be treated as customers for AML purposes. That is important because property deals often involve several parties and intermediaries, and risk can sit on either side of the transaction.
Verification must happen before funds or property move
The timing of verification is another key point. In real estate transactions, the identity of the customer and beneficial owner must generally be verified before the business relationship begins or the occasional transaction is carried out. For real estate agents, the verification can take place after an offer is accepted by the seller or lessor, but in all cases it must be completed before any funds or property are transferred.
That rule is practical, but also strict. It prevents property deals from moving forward on the basis of incomplete checks and reduces the risk that the transaction will be used to conceal illicit funds before anyone has verified who is really behind it.
Enhanced due diligence for very high-value assets
The new framework also gives special attention to high-risk, high-value cases. Where a business relationship is identified as higher risk and involves assets with a value of at least EUR 5,000,000, and where the customer holds total assets worth at least EUR 50,000,000, additional enhanced due diligence measures apply. These include more detailed checks on source of funds, measures to mitigate risks linked to personalised services, and steps to prevent conflicts of interest.
This matters in the real estate sector because very high-value properties are often used by wealthy individuals and structures that span several jurisdictions. The new approach is designed to make it harder for opaque wealth to move into property markets without scrutiny.
AMLA will also issue guidance on how to determine whether a customer holds total assets at or above the EUR 50,000,000 threshold, including assets held in real estate.
Foreign companies and trusts can no longer stay hidden
One of the most important reforms for real estate transparency concerns foreign legal entities and legal arrangements. Under the AML Regulation, legal entities created outside the Union, as well as trustees or equivalent persons of foreign legal arrangements, must submit beneficial ownership information when they acquire real estate in the EU. They must keep that information up to date for as long as they own the property.
This is aimed squarely at one of the longest-running transparency problems in European property markets: the use of offshore companies and trusts to conceal who really owns a building, apartment or plot of land. The new rule requires those entities to register beneficial ownership information in the relevant national register, including for property acquired after 2014. Existing foreign owners will also have to comply by July 2027, unless the property was acquired before 1 January 2014.
The point is not just formal disclosure. It is to make it possible for authorities and investigators to connect the asset to the real person behind it.
AMLD6 creates single access points for property information
The Sixth AML Directive complements the regulation by requiring Member States to create single digital access points for real estate information by July 2029. These access points must give FIUs and competent authorities immediate and free access to comprehensive property data.
That information includes property identification details, ownership information, company and tax identifiers, historical ownership records, transaction prices and encumbrances. In other words, the aim is to give authorities a fuller picture of how a property changed hands and who controlled it over time.
This is a major development. Previous EU rules did not require such integrated systems. The new approach should make it easier to spot suspicious patterns, including repeated transfers, use of intermediaries, mismatches between property value and declared income, and ownership structures that rely on foreign entities.
FIUs and supervisors will have better tools
AMLD6 also strengthens access to information for FIUs. They will have direct access to information from the Bank Account Register Interconnection System, national real estate registers and electronic data retrieval systems, as well as land and cadastral registers.
That matters because real estate laundering is rarely visible from property records alone. FIUs need to combine real estate data with financial, company and tax information to see the full picture. The new framework is meant to support that type of joined-up analysis.
It also means suspicious property activity can be identified earlier, before assets are moved, sold or further layered through other structures.
Real estate rules now align more closely with FATF standards
The EU framework is also broadly aligned with the FATF recommendations. Real estate agents are treated as designated non-financial businesses and professions, and they are expected to carry out customer due diligence, implement internal controls, apply enhanced due diligence in higher-risk cases and report suspicious transactions.
This alignment is important because it reduces the gap between international standards and EU law. It also makes it easier for authorities to rely on a more consistent set of obligations when dealing with cross-border property transactions.
What this means in practice
The direction of travel is clear. The EU wants real estate to be more transparent, less anonymous and easier to supervise. That means more pressure on intermediaries, more scrutiny of ownership structures and better access to property data for authorities.
For professionals in the sector, the compliance burden will rise. For investigators and FIUs, the tools should improve. But the real test will be implementation. Member States will need to build or connect digital access systems, enforce beneficial ownership reporting and make sure the new obligations are applied consistently.
Real estate has always been a useful vehicle for laundering money. The EU’s updated framework is designed to make it a much less convenient one.
The European Union’s Framework on Beneficial Ownership
Beneficial ownership transparency sits at the centre of the EU’s updated anti-money laundering framework. The reason is simple: if authorities cannot identify the natural person who ultimately owns or controls a company, trust or similar arrangement, then corporate structures can be used to hide criminal proceeds, avoid sanctions or obscure conflicts of interest. The 2024 AML package strengthens the legal framework on beneficial ownership, even though the question of public access remains more limited than it was before the Court of Justice ruling in 2022.
The new framework has two main parts. The AML Regulation, or single rulebook, defines who counts as a beneficial owner, requires legal entities to obtain and keep beneficial ownership information, and obliges financial institutions and other obliged entities to verify that information during customer due diligence. AMLD6 then sets the rules for central beneficial ownership registers, access rights and cross-border interconnection. Together, they are intended to make ownership structures more transparent, more consistent across Member States and more useful for investigators.
Why beneficial ownership matters
Beneficial ownership registers are a core anti-money laundering tool because they show who really stands behind a legal entity or arrangement. That is crucial in cases where a company appears to own an asset, but the real control lies elsewhere. The same logic applies to trusts, foundations and similar structures.
The EU has tried to improve this area for years. AMLD4 required Member States to create beneficial ownership registers, but public access was originally limited to those with a legitimate interest. AMLD5 later opened access to the general public. That approach was overturned in November 2022, when the Court of Justice of the European Union held that unrestricted public access violated privacy and data protection rights. The 2024 framework responds to that ruling by preserving access, but under a new legitimate-interest model.
The AML Regulation tightens the rules on ownership and control
The single rulebook makes beneficial ownership a formal part of the AML system. It defines a beneficial owner as any natural person who ultimately owns or controls a legal entity, an express trust or a similar legal arrangement. That definition matters because it is not enough to look only at formal shareholders or listed directors. The framework requires an analysis of both ownership and control.
For legal entities, a beneficial owner is generally a natural person with a direct or indirect ownership interest of 25 percent or more in shares, voting rights or other ownership rights. But ownership is not the only test. The regulation also requires identification of control via other means, which can exist even where there is no significant ownership stake. This is important in layered structures, where influence can be exercised through contracts, voting arrangements or indirect control over intermediate entities.
The regulation also applies to express trusts and similar arrangements, including foundations and some types of collective investment undertakings. In those cases, the range of persons who may qualify as beneficial owners is broader and can include founders, trustees, protectors, beneficiaries and other persons exercising ultimate control.
Legal entities must keep beneficial ownership data up to date
Under the AML Regulation, legal entities created in the Union must obtain and hold adequate, accurate and up-to-date beneficial ownership information. They must report that information to the central register without undue delay after creation and report any changes within 28 calendar days. They must also verify the information regularly, at least once a year.
That is an important compliance shift. The responsibility for beneficial ownership information is not left to authorities alone. The entity itself must maintain the data and keep it current. If no beneficial owner can be identified after all reasonable steps have been taken, the entity must keep records of the steps taken and the difficulties encountered.
This should reduce the number of structures that sit in the system with incomplete or stale ownership information.
Obligees must verify ownership, sanctions and PEP status
For obliged entities, beneficial ownership is not just a register issue. It is part of customer due diligence. Article 20 requires firms to identify the beneficial owner and take reasonable measures to verify their identity, so that they understand both who the owner is and how the customer is structured. They must also check whether the customer or beneficial owner is subject to targeted financial sanctions and whether the beneficial owner, or relevant related persons, is a politically exposed person, a family member or a close associate.
That means beneficial ownership checks are now linked to broader AML screening. A weak beneficial ownership process can no longer be treated as a narrow compliance gap. It affects the wider risk assessment and may trigger enhanced due diligence.
Verification must happen before the relationship begins
The new rules also tighten timing. Verification of the customer and beneficial owner must normally take place before a business relationship is established or an occasional transaction is carried out. In lower-risk cases, some verification can be completed during the establishment phase, but only where this does not interrupt normal business and the remaining risk is limited.
This matters because delays in verification have often been used to let customers move ahead while ownership questions remain unresolved. The new framework reduces that room for manoeuvre.
Discrepancies must be reported
The AML Regulation also addresses a familiar problem: the mismatch between what a company claims and what the register says. If an obliged entity concludes that the beneficial ownership information in the central register is incorrect, it must invite the customer to correct the register entry without undue delay and in any case within 14 calendar days.
That creates a feedback loop between private-sector due diligence and official registers. It helps improve the accuracy of the data and increases the chance that inconsistencies are caught early.
The AMLD6 rebuilds the register system
AMLD6 sets out the rules for central beneficial ownership registers. Member States must ensure that the information is held in a central register in the Member State where the entity is created or where the trust or similar arrangement is administered. The information must be in machine-readable format, and the register must have mechanisms to ensure that the data is adequate, accurate and up to date.
This is a major part of the reform. The idea is not only to collect beneficial ownership information, but to make sure it is structured in a way that allows comparison, analysis and cross-border cooperation. Member States must also ensure that changes are recorded and reflected in the register.
The Commission will also issue technical specifications and procedures to standardise how the information is submitted. That should improve consistency across the Union.
Foreign legal entities and arrangements are covered too
A particularly important development concerns foreign legal entities and foreign legal arrangements. Under the AML Regulation, if such an entity enters into a business relationship with an obliged entity, acquires real estate in the Union, acquires certain high-value assets, or wins a public contract, it must submit beneficial ownership information to the central register of the Member State concerned.
This is crucial because foreign structures have often been used to create distance between the asset and the real owner. The new framework makes it harder to bring foreign companies and trusts into the EU market without disclosing who is behind them.
Access is now based on legitimate interest
The biggest change compared with the AMLD5 era is the return to a legitimate-interest model for public access. After the CJEU ruling, unrestricted public access was no longer possible. AMLD6 now allows access for any natural or legal person that can demonstrate a legitimate interest in preventing and combating money laundering, its predicate offences and terrorist financing.
The directive gives examples of information that can be accessed, including the name of the beneficial owner, the month and year of birth, country of residence and nationality, and the nature and extent of the beneficial interest. It also allows access to historical information for legal entities and arrangements that were dissolved or ceased to exist within the previous five years.
Importantly, the directive introduces a presumption that certain actors, such as journalists, civil society organisations and researchers working on anti-money laundering issues, have a legitimate interest. That is a significant recognition of the role played by watchdogs and investigative actors.
Register access must be verified and documented
The new access model is not automatic. Central register authorities must verify whether the applicant has a legitimate interest based on documents and information provided, and where necessary other available data. From November 2026, they must respond within 12 working days, with a possible extension of another 12 working days. If access is granted, the certificate is valid for three years. Repeat requests by the same person must be answered within seven working days.
This creates a more controlled access system than the one that existed under AMLD5. It is more restrictive, but also more legally robust after the 2022 court ruling.
Access must extend to authorities and key EU bodies
While public access is now more limited, access for authorities remains broad. Competent authorities, FIUs, tax authorities, self-regulatory bodies, AMLA, the EPPO, OLAF, Europol and Eurojust all have access rights under the directive. That is important because beneficial ownership information is often most useful when it can be connected to tax data, sanctions data, criminal investigations and supervisory activity.
The directive also requires Member States to connect their central registers, with the Commission empowered to set technical rules for interconnection. That should improve cross-border tracing of ownership chains.
What this means in practice
The EU is clearly trying to strike a balance between transparency and data protection. It has moved away from unrestricted public access, but it has not abandoned beneficial ownership transparency. Instead, it has built a system that keeps access available for those who can demonstrate a proper anti-money laundering purpose, while strengthening the obligations on companies, trustees and obliged entities to maintain accurate data.
For compliance teams, the implications are clear. Beneficial ownership checks need to be more rigorous, better documented and more closely tied to sanctions screening and risk assessments. For investigators and civil society, the new legitimate-interest model should preserve meaningful access, but it will depend on how Member States implement the rules.
The overall direction is toward better data, better verification and better use of beneficial ownership information across the EU. The test now is whether Member States can make the registers accurate, accessible and genuinely useful in practice.
The European Union’s Institutional Framework on FIUs
The EU’s updated anti-money laundering framework gives Financial Intelligence Units a much more central role than before. That matters because FIUs are the point where suspicious activity reports, financial data, tax information and law enforcement intelligence come together. If they are weak, fragmented or too dependent on other bodies, the whole system loses speed and precision.
The 2024 AML package responds to that problem in three ways. The AML Regulation classifies FIUs as competent authorities and strengthens the reporting chain from obliged entities. AMLD6 requires each Member State to have a single, operationally independent national FIU with direct access to key data. The AMLA Regulation then creates a Union-level authority to coordinate FIUs, support joint analysis and manage FIU.net. Together, these instruments create a more connected intelligence system for the EU.
Why FIUs are so important
FIUs are the national hubs for financial intelligence. They receive reports from banks, crypto firms, real estate professionals and other obliged entities, analyse the data, and pass relevant findings to law enforcement or other competent authorities. In practice, that means they sit at the centre of the AML system.
The reason this role matters is that money laundering is often only visible when several fragments of information are put together. A single transaction may not look suspicious on its own. But when a series of transfers, accounts, companies and jurisdictions are connected, a pattern can emerge. FIUs exist to make those connections.
Suspicious reports must reach the FIU promptly and unfiltered
Under the AML Regulation, obliged entities must report suspicious activity to the FIU promptly. The framework is designed to ensure that the report reaches the FIU directly and without distortion. Outsourcing the final reporting decision to a third party is prohibited, with very limited exceptions within the same group and the same Member State.
That is important because the reporting chain must be accountable. The person or team that notices suspicious activity should not be able to hand off the final decision in a way that blurs responsibility. The law also reinforces this by requiring firms to appoint a senior compliance officer who is responsible for ensuring compliance and for reporting suspicious transactions.
In short, the new framework is trying to keep the reporting process close to the firm, while making sure the information is transmitted to the FIU without delay.
There is no threshold for suspicion
One of the clearest features of the new system is that suspicion itself is enough. There is no minimum financial threshold that must be reached before a report is filed. If an obliged entity cannot apply customer due diligence, it must stop the transaction or business relationship and consider reporting the matter to the FIU.
That is a major point for financial crime detection. Criminal transactions do not always start with large sums. Small transfers can be part of a wider laundering pattern. A zero-threshold reporting approach makes it easier to capture suspicious behaviour early.
FIUs must be operationally independent
AMLD6 is particularly strong on FIU independence. Each Member State must establish a single central national unit that is operationally independent and autonomous. That means the FIU must be free from political, government or industry interference, and it must have the authority to make its own decisions on analysis, requests for information and dissemination.
This is not just a formal point. If an FIU depends too much on other parts of the state, sensitive cases can be slowed down or filtered. Operational autonomy gives the FIU more room to act on financial intelligence quickly and professionally.
The directive also requires adequate resources and a designated Fundamental Rights Officer, which shows that the EU is trying to balance stronger intelligence powers with safeguards.
Better access to data
Another major change is access. Under AMLD6, FIUs must have direct and immediate access to a broad range of financial, administrative and law enforcement information. This includes bank account registers, tax data, customs data and relevant law enforcement databases.
The point is to allow FIUs to map networks rather than isolated transactions. If a unit can access multiple sources quickly, it can connect names, accounts, companies and assets without waiting for lengthy procedures or formal requests to move through several authorities.
The directive also requires competent authorities to provide feedback to FIUs on how shared information was used. That creates a loop between analysis and enforcement, so FIUs can improve the quality of their future work.
FIUs can share more, and faster
The new framework also improves cooperation between FIUs themselves. AMLD6 requires Member States to ensure that FIUs cooperate to the greatest extent possible, regardless of organisational status. That is important because some FIUs are administrative, others are judicial, and others are part of law enforcement structures. The law now pushes them toward a more unified model of cooperation.
FIU.net, the secure system for cross-border exchange, is formally recognised and will be managed by AMLA. The system is meant to provide secure, pseudonymised communication and a hit/no-hit mechanism that lets FIUs determine whether another unit holds relevant information without immediately exposing all the data.
This should make cross-border collaboration faster and safer, especially in cases involving shell companies, payment chains and movement of funds across several Member States.
Joint analysis is now built into the system
One of the most practical reforms is the new framework for joint analysis. When a case may involve several Member States, FIUs can work together in a structured joint analysis team. AMLA plays a coordinating role, helping to identify relevant cases, invite participation and facilitate the analysis.
This is a major step because many laundering and fraud schemes are transnational. A single FIU may see only part of the picture. Joint analysis allows units to pool data, compare findings and identify the wider structure behind the transactions. The framework also includes timelines, requests for reasons where an FIU declines to participate, and feedback after the analysis is complete.
The idea is to make cooperation less ad hoc and more routine.
FIUs can alert the private sector
AMLD6 also gives FIUs a more preventive role. They can alert obliged entities to specific high-risk transactions, persons or geographic areas. That means they are not only receiving information from the private sector, but also sending relevant intelligence back to it.
This can improve risk assessments in banks and other firms. If an FIU identifies a new typology or a new high-risk area, firms can adapt their controls more quickly. That makes the system more responsive to emerging threats.
FIUs work with the EPPO and OLAF
The framework also creates a clearer bridge between FIUs and Union bodies such as the European Public Prosecutor’s Office and OLAF. If there are reasonable grounds to suspect offences within their competence, FIUs must transmit relevant results of analysis without undue delay. The same applies in the other direction where information is needed for FIU work.
This matters for corruption, fraud and other crimes affecting the EU’s financial interests. In practice, it should make it easier for intelligence to move from detection to prosecution, especially in cross-border cases.
AMLA becomes the technical hub
The AMLA Regulation places AMLA at the centre of the new system. AMLA will support FIUs, manage FIU.net, organise joint analyses, provide tools and training, conduct peer reviews and develop common methods. It also has a role in cooperation with third countries and international bodies.
This gives the EU a more integrated intelligence architecture. Instead of relying entirely on bilateral relationships between national FIUs, the system now has a central coordinator that can help standardise practice and resolve cooperation problems.
AMLA’s role is not to replace FIUs, but to make the network work better.
What this means in practice
The direction is clear. The EU wants FIUs to be stronger, more independent and better connected. It also wants the private sector to feed them better information and for that information to move more quickly across borders.
For FIUs, that means more data, more coordination and more responsibility. For obliged entities, it means more direct reporting expectations and more scrutiny around suspicious activity. For investigators and prosecutors, it should mean faster access to more complete intelligence.
The test will be whether Member States give FIUs the resources, access and independence they need. The legal framework is stronger now. What remains is to make it work consistently in practice.
The European Union’s Legislative Framework on Obliged Entities
The EU’s 2024 anti-money laundering package makes obliged entities the backbone of the entire preventive system. These are the firms and professionals expected to spot, assess and manage money laundering and terrorist financing risks before criminal proceeds move further into the financial and business system. The new framework matters because it replaces a patchwork of national approaches with a much more unified set of obligations.
At the centre of the reform is the AML Regulation, which sets directly applicable rules across the Union. AMLD6 adds the national supervision and governance layer, including fit and proper checks, risk sharing and enforcement tools. AMLA then adds Union-level coordination and, for a limited number of high-risk firms, direct supervision. Together, these instruments give obliged entities a clearer legal framework but also impose more detailed expectations.
Why obliged entities matter
Obliged entities are the gatekeepers of the EU’s financial system. They include banks, financial institutions, crypto-asset service providers and a range of non-financial actors such as certain legal professionals, real estate intermediaries and other professionals exposed to AML risks. Their role is to identify suspicious patterns early, carry out customer due diligence, and prevent misuse of the services they provide.
The EU’s concern is straightforward. Criminals do not usually need to break into the financial system by force. They use legitimate businesses, often across borders, to move and disguise value. The updated framework therefore focuses heavily on the internal organisation, decision-making and controls of obliged entities.
The new rulebook is directly applicable across the Union
The AML Regulation creates a single rulebook for obliged entities. That is important because it reduces the differences between Member States that have made supervision uneven in the past. The regulation defines key concepts such as establishment, business relationship, management body and parent undertaking, so the legal position of firms operating in different jurisdictions is easier to assess.
It also makes clear that obliged entities are not just passive service providers. They have an active legal duty to identify and manage risk. That duty applies at the level of the individual customer, the business relationship, the group structure and the wider operating environment.
Operating across borders comes with clearer duties
When obliged entities operate in more than one Member State, they must notify their home supervisor before carrying out activities in another country. They also need to comply with the national rules of the Member State where they are established or where they actually provide services. If they have establishments in several Member States, each establishment must apply the rules of the country in which it is located.
This is meant to stop firms from using cross-border structures to avoid stricter AML rules. It also means that local risk factors still matter, even under a harmonised EU regime. A firm cannot rely on a general group policy if local law requires something more specific.
Internal controls must be real, not just written down
Every obliged entity must have internal policies, procedures and controls that match its risk exposure. That includes a business-wide risk assessment, internal controls and, where required, an independent audit function. If no independent audit function exists, an external expert may be used.
This is a significant point for compliance teams. The law is not satisfied by a written policy alone. The framework expects firms to test whether those policies actually work. AMLA will issue further guidance on the expected scope of these controls, which should help standardise practice across the Union.
Senior management must take responsibility
The new rules make senior management directly accountable. One member of the management body must be appointed to ensure compliance, and the entity must also have a compliance officer for day-to-day implementation. Staff involved in compliance must be properly trained, competent and of good repute. They must also disclose close personal or professional relationships that could create conflicts of interest.
This is intended to avoid the old problem where AML compliance sat too low in the organisation to have real influence. Under the new framework, responsibility is pushed upward and made more explicit.
Group-wide controls must work across the whole organisation
For groups, the rules are even stricter. Obliged entities must implement group-wide policies, procedures and controls, and they must exchange information relevant to customer due diligence, risk management and suspicious activity. That matters because many laundering schemes operate through multiple subsidiaries or branches.
If a branch or subsidiary is located in a third country with weaker AML rules, the parent undertaking must ensure that the group still applies the Union’s minimum standards. If local law prevents that, additional measures may be required, including in some cases closing down the relevant activity.
The message is clear: a weak link in one part of the group can no longer be ignored.
Outsourcing does not remove responsibility
The framework allows outsourcing of certain tasks, but it draws a hard line around accountability. An obliged entity remains fully liable for outsourced functions. More importantly, some tasks cannot be outsourced at all, including the approval of the business-wide risk assessment, the approval of internal policies, the decision on the customer’s risk profile, the decision to enter into a business relationship, and the reporting of suspicious activity to the FIU.
This is an important safeguard. It prevents firms from handing over their most sensitive AML decisions to third parties and then distancing themselves from the outcome.
Customer due diligence is now more structured
Customer due diligence remains the core obligation. Obliged entities must apply it when establishing a business relationship, when carrying out high-value occasional transactions, when cash transactions reach certain thresholds, when gambling transactions exceed the relevant threshold, and whenever there is suspicion of money laundering or terrorist financing.
CDD is not just identification. It includes identifying the customer and beneficial owner, understanding the purpose and nature of the relationship, and carrying out ongoing monitoring. If the entity cannot complete CDD, it must not proceed and must consider reporting the case to the FIU.
There are also specific rules for identifying customers, verifying beneficial owners, checking source of funds and source of wealth, and keeping information up to date. The process is designed to be risk-based, but the base requirements are detailed and mandatory.
High-risk situations trigger enhanced due diligence
Where risk is higher, obliged entities must apply enhanced due diligence. The regulation lists several situations where this applies, including complex, unusually large or unusual transactions, relationships involving high-risk third countries, and dealings with politically exposed persons.
PEPs receive particularly strict treatment. Senior management approval is required, the source of wealth and source of funds must be established, and the relationship must be monitored continuously. Similar measures apply to PEP beneficiaries of life insurance policies and, for at least 12 months, to persons who have ceased to hold a prominent public function.
This reflects the obvious corruption risk. Public office can create access to illicit proceeds, and the framework is designed to reduce the chance that those proceeds are hidden through ordinary business relationships.
Reliance on other entities is allowed, but limited
Obliged entities may rely on customer due diligence performed by other obliged entities, but only under strict conditions. The other entity must be properly supervised and must apply equivalent AML requirements. The relying entity remains responsible, must have a written agreement in place, and must be able to obtain the underlying documents quickly.
This makes compliance more efficient, but it does not remove risk. The firm that relies on another must still check that the arrangement is legally and operationally sound.
Reporting suspicions and protecting staff
Reporting obligations remain a core part of the framework. Obliged entities must report suspicions to the FIU when they know, suspect or have reasonable grounds to suspect that funds are the proceeds of crime or linked to terrorist financing. AMLA will issue guidance on suspicious activity indicators, which should help firms identify patterns more consistently.
The framework also protects staff who report concerns. Employees involved in reporting must be protected from retaliation, discrimination and unfair treatment. That is essential if reporting is to work in practice.
At the same time, the prohibition on disclosure remains strict. Firms and their staff cannot tip off customers that a report is being made or that a review is under way. This protects investigations and helps prevent the movement of funds before authorities can react.
Records, access and supervision are tightened
Obliged entities must keep CDD records and transaction data for five years, and they must be able to respond quickly to enquiries from FIUs and other competent authorities. Supervisors also gain stronger powers. They can inspect premises, review internal files and require production of information needed to verify compliance.
Cross-border supervision is strengthened too. Host Member States must supervise certain activities carried out through branches, agents, distributors or other infrastructure. Supervisory colleges must be set up for larger cross-border groups, including in the non-financial sector, so that authorities can coordinate their approach.
This is particularly relevant for firms with operations across several countries. The same group can now face a more unified supervisory front rather than separate, inconsistent national approaches.
AMLA adds a Union-level oversight layer
AMLA is the new Union authority that supports and coordinates the whole system. It will develop the harmonised supervisory methodology, maintain a central AML/CFT database, support information exchange and oversee a selected group of the highest-risk cross-border firms directly.
For selected obliged entities, AMLA will be able to carry out supervisory reviews, apply administrative measures and impose pecuniary sanctions. For non-selected entities, it will still have an indirect but important role in coordination and convergence.
AMLA also levies supervisory fees on selected and certain non-selected obliged entities. That is meant to fund a stable and independent supervisory system.
What this means in practice
The updated framework sends a clear signal. Obliged entities are no longer just required to tick compliance boxes. They are expected to run serious, risk-based control systems, backed by senior management, tested internally, coordinated across groups and monitored by stronger supervisors.
For banks, crypto firms, legal professionals, real estate intermediaries and others covered by the framework, the practical workload will increase. They will need better documentation, stronger governance and more consistent group-wide controls. For supervisors and AMLA, the challenge will be to make sure the rules are enforced evenly across the Union.
The EU’s new framework gives obliged entities a clearer legal structure. It also raises the standard. The firms that fall under it will need to treat AML compliance as a core part of how they do business, not as a side function.
From legal reform to practical enforcement
The adoption of the AML package is not the end of the process. Its impact will depend on implementation at national level, the quality of supervision and the willingness of authorities to enforce the rules consistently. Member States now face the task of adapting their systems to the new requirements while ensuring that supervisors, FIUs and obliged entities have the resources needed to comply.
For the private sector, the reforms signal a need to reassess policies, controls, data quality and reporting processes. Firms should expect closer scrutiny of beneficial ownership information, stronger expectations around risk-based due diligence and greater attention to higher-risk sectors such as crypto-assets and real estate.
The EU’s updated anti-money laundering framework is an important step toward a more consistent system. Its real test will be whether it can reduce the space available for illicit financial flows, organised crime proceeds and opaque ownership structures across the European Union.
Dive deeper
- Transparency International (TI) ¦ The European Union’s anti-money laundering framework: the complete guide ¦ Link