AMLD6 Compliance: What Changes in 2026-2027
AMLD6: new obligations, 2026-2027 timeline, penalties. Practical compliance guide for obliged entities under the new anti-money laundering framework.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokThe 6th Anti-Money Laundering Directive is not a minor update. Adopted as Directive (EU) 2024/1640 alongside the Anti-Money Laundering Regulation (EU) 2024/1624 and the AMLA Regulation (EU) 2024/1620, this legislative package creates a centralized EU authority (AMLA), expands the list of obliged entities to sectors never previously covered, and introduces harmonized penalties that can reach 10% of annual turnover. Here is what actually changes for your organization -- and what you need to do about it.
AMLD6 vs AMLD5 -- What Changed
The previous framework under AMLD5 relied on national transposition with significant room for interpretation. The 2024 AML package replaces that patchwork with a directly applicable regulation (AMLR) and a directive (AMLD6) that together standardize obligations across all 27 member states. The differences are structural, not incremental.
| Area | AMLD5 (Previous) | AMLD6 / AMLR (New) |
|---|---|---|
| Supervisory authority | National FIUs only, no EU-level body | AMLA created in Frankfurt -- direct supervision of 40+ high-risk entities, coordination of all national FIUs |
| Obliged entities scope | Banks, insurers, lawyers, accountants, real estate agents | Extended to crypto-asset service providers, high-value goods dealers, professional football clubs, football agents |
| Sanctions harmonization | National discretion on penalty levels | EU-wide maximum: EUR 10 million or 10% of annual turnover (whichever is higher) |
| Beneficial ownership registers | National registers, limited access | Interconnected EU-wide registers via European Central Platform, broader access rights |
| Cash payment ceiling | No EU-wide limit (national rules varied) | Union-wide ceiling of EUR 10,000 for cash payments; member states may adopt lower limits |
| Predicate offenses | Partial harmonization (22 categories) | Full harmonization including cybercrime, environmental crime, and sanctions evasion |
| Customer due diligence | Risk-based, national thresholds | Harmonized CDD triggers; EUR 1,000 threshold for crypto transactions |
| Regulatory instruments | Directive only (requires national transposition) | Regulation (directly applicable) + Directive (transposition by July 2027) |
The shift from directive-only to a regulation-plus-directive model is the most consequential change. The AMLR applies directly -- obliged entities cannot wait for national transposition to begin compliance work. The rules are the rules, across all member states, on the same date.
Who Is Now an Obliged Entity?
AMLD6 and the AMLR dramatically expand the universe of businesses subject to anti-money laundering obligations. If your organization falls into any of the categories below, you are an obliged entity and must comply with the full CDD, record-keeping, and suspicious activity reporting framework.
| Category | Examples | Key Obligation Triggers |
|---|---|---|
| Credit and financial institutions | Banks, payment institutions, electronic money institutions, investment firms | All client relationships and transactions |
| Insurance undertakings | Life insurance providers, insurance intermediaries | Policies with investment components, high-value payouts |
| Crypto-asset service providers (CASPs) | Exchanges, custodial wallets, transfer services | Transactions of EUR 1,000 or more; all occasional transactions |
| Legal professionals | Lawyers, notaries, external accountants, tax advisors | When assisting with real estate, company formation, trust management, or financial transactions |
| Real estate agents | Agencies, brokers, property managers | Transactions exceeding EUR 10,000 |
| High-value goods dealers | Art dealers, precious metals dealers, luxury goods traders | Cash transactions of EUR 10,000 or more; all transactions for dealers in precious metals/stones |
| Trust and company service providers | Registered office providers, nominee directors, company formation agents | All services provided |
| Crowdfunding platforms | Platforms licensed under ECSPR | All investor and project owner onboarding |
| Professional football clubs | Clubs in the top professional divisions | Player transfers, agent transactions, sponsorship deals exceeding defined thresholds |
| Football agents | Licensed intermediaries in player transfers | All transfer-related financial transactions |
The inclusion of professional football clubs and agents is entirely new. These entities will start applying AML rules from 10 July 2029 -- a later date than most other obliged entities, but the compliance preparation window is already open. Clubs should begin mapping their transaction flows and establishing CDD procedures now.
For crypto-asset service providers, the EUR 1,000 transaction threshold is significantly lower than the EUR 10,000 threshold applied to most other sectors. This reflects the elevated risk assessment that regulators assign to virtual asset transactions and aligns with the MiCA Regulation framework.
New Documentary Obligations
The AMLR does not simply require more paperwork. It requires a fundamentally different approach to how obliged entities collect, verify, and retain documentary evidence. The four pillars of the new documentary framework are:
1. Enhanced UBO Identification
Obliged entities must identify the ultimate beneficial owner (UBO) of every client entity using reliable and independent sources. The 25% ownership threshold is maintained, but the AMLR adds a parallel control test: individuals with decisive influence over the entity -- through veto powers, the right to appoint or remove directors, or other means of control -- must also be identified, even if they hold no direct ownership interest.
For opaque structures such as trusts, foundations, and multi-layered corporate vehicles, the identification requirements become more granular. You must document the full chain of ownership, identify every natural person who exercises ultimate control, and verify this information against national or EU-wide beneficial ownership registers where available.
Where client-provided information and register data do not match, the discrepancy must be resolved and documented. You cannot simply record both versions -- you must investigate, reach a conclusion, and create an audit trail showing how the discrepancy was resolved.
2. Reliable Identity Verification
Identity verification must be performed using methods that provide a high degree of confidence. The AMLR and AMLA's forthcoming Regulatory Technical Standards (expected by mid-2026) will specify the acceptable verification methods. In practice, this means:
- Automated document authentication is now the baseline for remote onboarding. Visual inspection alone is no longer considered sufficient by regulators.
- Cross-referencing against official databases (national registers, sanctions lists, PEP registries) is mandatory, not recommended.
- Biometric verification is required for all remote customer onboarding where the client is not physically present.
- Ongoing monitoring of client identity throughout the business relationship, not just at onboarding.
3. Verification Evidence Retention
All evidence supporting the identification and verification of clients and UBOs must be retained for a minimum of five years after the end of the business relationship. Under the new framework, this retention obligation extends to:
- The complete audit trail of the verification process (which tools were used, which databases were queried, what results were returned).
- All documents submitted by the client, with metadata showing when they were received and verified.
- Records of any discrepancies identified and how they were resolved.
- The rationale for all risk classification decisions.
This is not a filing obligation -- it is a forensic evidence obligation. Regulators expect to be able to reconstruct the entire document validation decision chain during an inspection.
4. Automated Suspicious Activity Reporting
The AMLR strengthens suspicious activity reporting obligations and introduces new requirements for automated detection. Obliged entities must maintain systems capable of detecting:
- Unusual transaction patterns inconsistent with the client's risk profile.
- Large or rapid transfers to high-risk jurisdictions.
- Structuring or layering activity designed to conceal the origin of funds.
- Sudden changes in transaction behavior following onboarding or due diligence updates.
- Linked accounts or counterparties sharing identifiers across entities.
Reports must be submitted to the relevant Financial Intelligence Unit (FIU) in a timely and traceable manner. AMLA will issue guidelines on reporting formats and timelines, which national FIUs will implement. The trend is clear: manual suspicious activity detection will not meet the standard expected by supervisors.
Compliance Timeline 2026-2027
The implementation timeline is staggered. Not all provisions take effect on the same date, and some deadlines have already passed. Here is the complete schedule that obliged entities must track:
| Date | Milestone | Who Is Affected |
|---|---|---|
| 9 July 2024 | AMLR and AMLD6 enter into force | All -- legislative clock starts |
| 1 July 2025 | AMLA becomes operational in Frankfurt | Supervisory authorities; high-risk financial entities |
| 10 July 2025 | Member states must transpose provisions on central register accessibility | National governments |
| 1 January 2026 | EBA transfers all AML/CFT mandates and functions to AMLA | Financial sector supervisors |
| 10 July 2026 | Member states must transpose Articles 11-13 and 15 (beneficial ownership registers) | National governments; entities with UBO register obligations |
| Mid-2026 | AMLA publishes draft Regulatory Technical Standards on supervision of groups and AML/CFT colleges | All obliged entities (prepare for upcoming RTS requirements) |
| H2 2026 | Commission publishes delegated acts specifying sanctions requirements | All obliged entities |
| 10 July 2027 | AMLR applies to all obliged entities; AMLD6 must be fully transposed; AMLD4/AMLD5 repealed | All obliged entities (except football) |
| H2 2027 | AMLA selects first cohort of 40+ entities for direct supervision | High-risk cross-border financial groups |
| 10 July 2029 | AMLR applies to professional football clubs and football agents; real estate single access point provisions transposed | Football clubs, agents; real estate sector |
The critical date for most businesses is 10 July 2027. On that date, the AMLR becomes directly applicable, and your organization must be fully compliant. There is no grace period. With 17 months remaining, the compliance window is closing.
Penalties for Non-Compliance
The penalty framework under the new AML package is substantially harsher than under AMLD5. The maximum thresholds have doubled, publication of sanctions is mandatory, and AMLA adds a supranational enforcement layer.
| Penalty Type | Maximum Amount / Consequence | Notes |
|---|---|---|
| Administrative fine (legal entity) | EUR 10 million or 10% of total annual turnover (whichever is higher) | Doubled from AMLD5 thresholds of EUR 5 million / 5% |
| Administrative fine (natural person) | Up to EUR 5 million | Applies to responsible officers and compliance managers |
| Periodic penalty payments | Variable, compounding | Imposed when obliged entities fail to comply with supervisory measures within set deadlines |
| Criminal penalties | Up to 4 years imprisonment (varies by member state) | For facilitating money laundering; harmonized minimum sentences across EU |
| Publication of sanctions | Mandatory, named, on supervisor's website | Minimum 5-year publication period; reputational damage is deliberate |
| License revocation | Possible from first serious breach | Regulators can withdraw authorization without prior warning for egregious failures |
| AMLA direct intervention | AMLA can override national supervisors | If national authority fails to act, AMLA can investigate and sanction directly |
Recent enforcement actions illustrate that regulators are already applying these elevated thresholds. In 2025, several European financial institutions received fines exceeding EUR 50 million for systemic CDD failures. The message from supervisors is unambiguous: under-investment in AML compliance is a business-ending risk.
How Automation Helps Comply
Meeting AMLD6 compliance requirements through manual processes alone is no longer viable. The volume of checks, the speed of reporting, and the depth of audit trails required by the new framework exceed what human teams can deliver consistently. Automation is not a shortcut -- it is the mechanism through which compliance becomes achievable.
Automatic Audit Trail
Every document validation decision, every database query, and every risk assessment must be logged, timestamped, and linked to the underlying evidence. Automated systems generate this audit trail as a byproduct of the verification process. Manual processes require a separate documentation effort that is error-prone, time-consuming, and frequently incomplete during regulatory inspections.
Systematic Verifiable Checks
Automated verification applies the same set of controls to every document, every time. There is no variance due to fatigue, workload pressure, or individual judgment. When a regulator asks whether a specific check was performed on a specific document, the system provides a definitive, timestamped answer.
Cross-Document Validation
The AMLR requires obliged entities to verify the consistency of information across multiple documents and data sources. Automated cross-referencing -- comparing identity document data against corporate registrations, UBO declarations, and external databases -- is the only practical way to perform this validation at scale. See our KYC article for a detailed analysis of how AI-powered cross-referencing works in practice.
Real-Time Alerts
Suspicious activity detection requires continuous monitoring, not periodic batch reviews. Automated systems flag anomalies in real time, allowing compliance teams to focus their expertise on investigating genuine alerts rather than sifting through transaction logs. This directly addresses the regulatory expectation that suspicious activity reports are submitted "in a timely manner" -- a standard that manual workflows consistently fail to meet.
Explore our pricing to understand how automated document validation fits into your compliance budget.
AMLD6 FAQ
What is AMLD6? AMLD6, formally Directive (EU) 2024/1640, is the 6th Anti-Money Laundering Directive adopted by the European Union in 2024. It is part of a broader legislative package that includes the Anti-Money Laundering Regulation (AMLR) and the regulation establishing the Anti-Money Laundering Authority (AMLA). Together, these instruments replace AMLD4 and AMLD5 and create the most comprehensive AML/CFT framework in EU history.
When does AMLD6 apply? The AMLR applies directly to all obliged entities from 10 July 2027. Member states must transpose AMLD6 into national law by the same date. Professional football clubs and agents have a later application date of 10 July 2029. However, certain provisions -- particularly those relating to beneficial ownership registers -- have earlier transposition deadlines in 2025 and 2026. Obliged entities should be preparing now, not waiting for national transposition.
Who is an obliged entity under AMLD6? The list has expanded significantly. It includes credit institutions, payment institutions, investment firms, insurance companies, crypto-asset service providers, lawyers, notaries, accountants, tax advisors, real estate agents, high-value goods dealers, trust and company service providers, crowdfunding platforms, professional football clubs, and football agents. If your business handles financial transactions, manages client assets, or facilitates the creation of legal entities, you should verify whether you are now covered.
What is AMLA and how does it affect my business? AMLA (the Authority for Anti-Money Laundering and Countering the Financing of Terrorism) is a new EU agency headquartered in Frankfurt. It became operational on 1 July 2025 and will directly supervise approximately 40 high-risk cross-border financial entities starting in late 2027. For all other obliged entities, AMLA coordinates national supervisors and can intervene when it identifies supervisory failures. AMLA also issues Regulatory Technical Standards that define the operational details of compliance obligations. Even if your business is not in the directly supervised cohort, AMLA's standards will shape what your national regulator expects from you.
What are the penalties for non-compliance? Administrative fines can reach EUR 10 million or 10% of total annual turnover, whichever is higher. Natural persons (including compliance officers) can be fined up to EUR 5 million. Sanctions are published with names on the supervisor's website for a minimum of five years. Criminal penalties of up to four years imprisonment apply for facilitating money laundering. License revocation is possible from the first serious breach.
How does the EUR 10,000 cash payment ceiling work? The AMLR introduces a Union-wide limit of EUR 10,000 for cash payments. This applies whether the payment is made in a single transaction or in several operations that appear to be linked. Member states may adopt lower limits. This ceiling applies to all purchases of goods and services, regardless of whether the seller is an obliged entity. Obliged entities that accept cash payments must implement procedures to enforce this limit and report any attempted breaches.
Next Steps: Start Your Compliance Assessment
The 10 July 2027 deadline leaves approximately 17 months for obliged entities to achieve full compliance with the AMLR. For organizations that have not yet begun their compliance gap analysis, the window is narrowing. The documentary obligations alone -- UBO verification, audit trail generation, cross-referencing, and suspicious activity detection -- require system-level changes that cannot be implemented in the final weeks before the deadline.
CheckFile provides automated document validation that generates the audit trails, cross-document consistency checks, and verification evidence that AMLD6 requires. Our platform processes identity documents, corporate registrations, and supporting evidence in seconds, with every step logged and traceable. Request a demo to assess where your current processes stand against the 2027 requirements -- and close the gap before the deadline closes it for you.
Related reading: For the operational resilience dimension of compliance in financial services, see our guide on DORA 2026 and document verification. For a detailed methodology on KYB verification that satisfies AMLD6's enhanced UBO identification requirements, read our KYB business document verification guide.