AML 2027: what the EU’s new anti-money laundering rulebook means for compliance teams
- 01 What is the EU AML package for 2027?
- 02 What changes on 10 July 2027?
- 03 How will AMLA supervise anti-money laundering across the EU?
- 04 What does AMLR change for customer due diligence and onboarding?
- 05 What does the AMLR change for beneficial ownership?
- 06 How does AML 2027 connect to eIDAS 2.0 and digital identity?
- 07 What does AML 2027 mean for crypto and fintech firms?
- 08 How should compliance teams prepare for AML 2027?
- 09 How Shufti helps compliance teams prepare for AML 2027
Key Takeaways:
- The EU’s AML package centralises the rules under one directly applicable regulation from 10 July 2027.
- The AMLR replaces national AML directives with a single EU-wide rulebook for obliged entities.
- A new authority, AMLA, will directly supervise around 40 high-risk groups from 2028.
- The technical standards that define compliant onboarding are being finalised across 2026.
- Firms have roughly a year to align onboarding before the rules apply.
Europol estimates that suspicious transactions in the European Union are worth around 1.3% of EU GDP every year, and that just shy of 70% of the criminal networks active in the bloc rely on some form of money laundering. For two decades, the EU tried to close that gap with directives, each one transposed into national law a little differently in every member state. In 2027 that approach ends. A single, directly applicable rulebook takes its place, backed by a new central authority and a fixed application date.
The change matters now because the detailed rules that define compliant onboarding are being written through 2026, ahead of the 2027 application date. Compliance teams that wait for every standard to be adopted before acting will face a compressed migration. This guide explains what the AML 2027 reform actually is, what changes on 10 July 2027, how the new authority will supervise it, and what your compliance function should be doing over the next twelve months.
What is the EU AML package for 2027?
The EU AML package is a set of three linked instruments that together replace the old directive-only approach to anti-money laundering. The Anti-Money Laundering Regulation (AMLR) holds the rules obliged entities follow, the sixth Anti-Money Laundering Directive (AMLD6) governs how national authorities supervise them, and the Anti-Money Laundering Authority (AMLA) is the new EU body that writes the detail and enforces consistency. Understanding which instrument does what is the first step to preparing for it.
The AMLR is the rulebook
The AMLR, formally Regulation (EU) 2024/1624, is the core of the reform. As a regulation rather than a directive, it applies directly and identically in every member state without national transposition. It carries the substantive obligations that firms deal with day to day, including customer due diligence, beneficial ownership, and internal controls. When people talk about “AML 2027,” the AMLR is usually what they mean.
AMLD6 is the supervision layer
AMLD6, Directive (EU) 2024/1640, sits alongside the regulation and covers the parts that still need national implementation. That includes beneficial ownership registers, the powers of Financial Intelligence Units (FIUs), and the structure of national supervision. Because it is a directive, member states transpose it into national law, so some variation between countries remains on the supervisory side even as the core rules harmonise.
AMLA is the authority
The Anti-Money Laundering Authority is the institutional backbone of the package. Based in Frankfurt and chaired by Bruna Szego, it became operational on 1 July 2025 and took over the anti-money laundering technical work previously held by the European Banking Authority at the end of 2025. AMLA writes the technical standards that flesh out the AMLR, and from 2028 it will supervise a set of high-risk firms directly.
Here is how the three instruments compare.
| Instrument | Legal form | What it governs | Timing |
| --- | --- | --- | --- |
| AMLR (Regulation (EU) 2024/1624) | Regulation, directly applicable | CDD, beneficial ownership, internal controls | Applies 10 July 2027 |
| AMLD6 (Directive (EU) 2024/1640) | Directive, transposed nationally | Supervision, FIUs, beneficial ownership registers | Transposed into national law by member states |
| AMLA | EU authority | Technical standards, direct and indirect supervision | Operational since 1 July 2025, direct supervision from 2028 |
What changes on 10 July 2027?
The headline change is that one binding rulebook replaces the patchwork of national AML regimes on 10 July 2027. For twenty years, obliged entities operating across borders had to reconcile the different ways each member state interpreted EU directives. From the application date, the same text applies everywhere, and firms are measured against a single EU standard rather than a local one.
One binding rulebook
Because the AMLR is a regulation, there is no national transposition step and far less room for divergent interpretation. The rules on customer due diligence, beneficial ownership thresholds, and internal governance read the same in Dublin, Frankfurt, and Tallinn. For a multi-market firm, this removes the reconciliation burden but raises the bar, because a process that satisfied one national regulator will now be assessed against the harmonised standard.
Expanded scope of obliged entities
The package also widens who has to comply. The AMLR applies to obliged entities across the financial sector and beyond, and the list has grown. The core groups in scope include:
- Credit institutions and banks. The traditional core of AML supervision.
- Financial institutions. This includes investment firms and insurers within scope.
- Payment and e-money providers. A fast-growing segment of regulated onboarding.
- Crypto-asset service providers (CASPs). Brought firmly into the harmonised regime.
- Other regulated sectors. These include designated non-financial businesses and professions phased in over time.
The road to application
The 10 July 2027 date is fixed, but the detailed rules arrive before it. AMLA is producing the regulatory technical standards (RTS), implementing standards, and guidelines that specify how the AMLR works in practice, and those land on a staggered schedule through 2026 and into early 2027. The consultation on the core customer due diligence standards, for example, closed on 8 May 2026. Firms need to track those publications rather than wait for the application date, because they define what compliant onboarding looks like.

How will AMLA supervise anti-money laundering across the EU?
AMLA will supervise the EU’s anti-money laundering framework through a two-tier model, combining direct oversight of the highest-risk firms with coordination of national supervisors. This is the first time a single EU body has held direct AML supervisory authority, and it changes the accountability picture for large cross-border groups.
Direct supervision of high-risk groups
From 1 January 2028, AMLA will directly supervise a first wave of around 40 high-risk groups operating across the EU. Selection is risk-based, and the criteria center on firms that operate in a significant number of member states and carry high residual risk. For those groups, AMLA becomes the lead supervisor, working with national authorities through joint supervisory teams rather than leaving oversight to each country in isolation. In practice, direct supervision means AMLA can request information, run examinations, and take binding supervisory decisions itself rather than waiting for a national regulator to act. For a large cross-border group, that consolidates several national supervisory relationships into one lead relationship with the EU authority.
Indirect supervision everywhere else
Most obliged entities will not be supervised by AMLA directly. Instead, AMLA sets the standards and monitors how national supervisors apply them, driving consistency across the bloc. The practical effect is that even firms outside the direct-supervision wave will feel the harmonisation, because their national regulator is now applying a common EU rulebook and answering to a central authority for how it does so.
Stronger enforcement and penalties
The package also sharpens the consequences of getting AML wrong. AMLD6 sets a harmonised framework for pecuniary sanctions and administrative measures, and AMLA’s technical standards include work on the base amounts of those sanctions relative to a firm’s annual turnover. For groups under direct supervision, enforcement decisions come from a central authority applying a common standard rather than from national regulators working in isolation. That raises the cost of inconsistency, because a control gap that a single supervisor finds in one market is a gap it can act on across the group.
What does AMLR change for customer due diligence and onboarding?
For most compliance teams, the AMLR’s biggest practical effect is on customer due diligence (CDD). The regulation sets one harmonised, risk-based CDD standard for the entire EU, and AMLA’s technical standards spell out the detail, including the information required to identify and verify a customer, the risk factors that trigger enhanced or simplified checks, and how ongoing monitoring should work. Onboarding flows built around separate national interpretations will need to map onto that single benchmark.
The work is less about adding steps and more about consistency. The same customer, onboarding in any member state, should meet the same verification standard, the same screening, and the same record-keeping. For firms that assembled onboarding country by country, that means consolidating a fragmented set of processes into one defensible standard that holds up under a single supervisor. What harmonised CDD asks of onboarding comes down to a few things:
- Consistent identity verification applied the same way in every market.
- Risk-based due diligence with clear triggers for enhanced or simplified checks.
- Ongoing monitoring of the business relationship, not just a one-time check at onboarding.
- Uniform record-keeping that produces an audit trail a central supervisor can follow.
Enhanced due diligence and high-risk customers
Not every customer gets the same level of scrutiny. The AMLR keeps the risk-based principle at the centre, so higher-risk relationships trigger enhanced due diligence and lower-risk ones can follow simplified checks, but it narrows how much discretion firms have in drawing those lines. AMLA’s guidelines on risk variables and risk factors define the triggers, so the treatment of politically exposed persons, high-risk third countries, and complex ownership structures becomes more consistent across the bloc. For compliance teams, the work is documenting why a given customer sits in a given risk band in a way a single supervisor would accept, rather than relying on a rationale that made sense only under a former national regime.
What does the AMLR change for beneficial ownership?
The AMLR tightens how firms identify and verify the ultimate beneficial owner (UBO) behind a corporate customer, and it standardises the definition across the EU. A beneficial owner is generally a natural person who ultimately owns or controls 25% or more of an entity, and the package reduces the room for firms to apply that test differently by country. For any firm onboarding business customers, this is a meaningful change to how know your business checks are run and documented.
Tracing ownership through layered structures
Identifying a UBO is straightforward for a simple company and difficult for a chain of holding entities spread across several jurisdictions. The AMLR expects firms to trace ownership through to the natural persons at the end of that chain, not stop at the first corporate layer. For onboarding teams handling business customers, that raises the bar on both the data sources they use and the speed of the trace, because a manual structure trace on a high-risk file can consume hours of analyst time.
Linking to beneficial ownership registers
AMLD6 governs the beneficial ownership registers that national authorities maintain, and it improves access to them for obliged entities and Financial Intelligence Units. The practical effect is that firms can cross-check declared ownership against an authoritative register rather than relying only on customer-supplied information. That strengthens the audit trail behind a business-onboarding decision, which matters more once a single supervisor is assessing that trail against one EU standard.
How does AML 2027 connect to eIDAS 2.0 and digital identity?
AML 2027 does not sit in isolation. It lands alongside the EU’s digital identity reform under eIDAS 2.0, which introduces the European Digital Identity (EUDI) Wallet. Member states are rolling out EUDI Wallets to citizens, and from December 2027 regulated institutions will be required to accept them as a means of identification. For compliance teams, the two reforms point in the same direction, toward standardised, verifiable digital identity across the bloc.
One onboarding, two frameworks
The practical challenge is meeting the harmonised CDD standard while also being ready to accept wallet-based identity as it rolls out. Firms that treat AML onboarding and digital identity as separate projects risk building the same flow twice. Aligning them means an onboarding process that satisfies the AMLR’s verification standard and can also accept a citizen’s EUDI Wallet credential through the same electronic identity verification integration, rather than bolting the wallet on later as a separate track.
What does AML 2027 mean for crypto and fintech firms?
Crypto-asset service providers and fintechs feel AML 2027 more sharply than most, because the package pulls them fully into the same harmonised regime as banks. Under the AMLR, a CASP faces the same customer due diligence, beneficial ownership, and screening obligations as a traditional financial institution, applied uniformly across every member state it serves. For a sector that grew up under uneven national rules, that is a significant leveling.
From national patchwork to one standard
Many crypto and fintech firms built onboarding to satisfy whichever national regime they launched in, then extended it market by market. The AMLR removes the option of leaning on the most permissive national interpretation, and it does so at the same time as the wider package brings CASPs under AMLA’s supervisory umbrella. Firms scaling across the EU can no longer treat AML as a country-by-country configuration, because the standard they are measured against is now the same everywhere.
Speed without cutting corners
The commercial tension for fintechs is real, because onboarding friction costs conversions, yet the harmonised standard raises the compliance bar. The firms that manage both keep verification fast while making it consistent and auditable, rather than trading one against the other. That is a design problem as much as a compliance one, and it is easier to solve before 2027 than during a supervisory review after it.
How should compliance teams prepare for AML 2027?
The firms that treat 2026 as preparation time will face a far smaller migration than those that wait for the application date. Preparation is less about a single project and more about closing the distance between a fragmented, nationally-tuned onboarding stack and one harmonised standard. Five steps carry most of the weight.
- Run a gap analysis against the harmonised standard. Map your current CDD, screening, and record-keeping against the AMLR and AMLA’s draft standards, and identify where national variations in your process no longer fit a single EU benchmark.
- Consolidate fragmented onboarding. Where onboarding was built market by market, move toward one consistent verification flow, because inconsistency across markets is exactly what a single supervisor is positioned to find.
- Track the technical standards as they publish. The RTS and guidelines define the detail, and they arrive across 2026 and into 2027. Assign someone to monitor AMLA’s publications so requirements do not surprise you late.
- Confirm data residency and deployment fit. Harmonised rules still sit on top of national data-protection regimes, so confirm your verification and screening setup meets residency requirements in the markets you serve.
- Strengthen beneficial ownership and screening. Tighten UBO identification and align sanctions, politically exposed person, and adverse-media screening to a risk-based model you can defend to a central supervisor.
None of these depends on the final text being adopted. They depend on starting early enough that the 2027 date is a checkpoint rather than a cliff.
How Shufti helps compliance teams prepare for AML 2027
If you run compliance for a firm that onboards across several EU markets, the AMLR’s harmonisation is both a relief and a risk. A single rulebook removes the reconciliation burden, but it also means an inconsistent onboarding stack has nowhere to hide once one supervisor is applying one standard. The pressure lands on proving that identity, screening, and record-keeping hold to the same bar in every market you serve.
Shufti helps by covering that risk with one owned stack rather than a patchwork of regional tools. Its AML screening covers sanctions, politically exposed persons, and adverse media through one decisioning layer, alongside document verification and identity verification across 240+ countries and territories, so the same verification standard applies whether a customer onboards in Dublin or Tallinn. Because the models are Shufti’s own, decisions are explainable to an auditor rather than dependent on a third-party subprocessor. One platform. Fully owned technology. Global coverage with real local depth.
Frequently Asked Questions
When does the EU AMLR apply?
The AMLR applies from 10 July 2027 across all EU member states. The technical standards that define compliant onboarding are being finalised through 2026, ahead of that date, so preparation needs to start well before application.
What is the difference between the AMLR and AMLD6?
The AMLR is a regulation that applies directly and identically across the EU, while AMLD6 is a directive that each member state transposes into national law. The AMLR holds the day-to-day rules for obliged entities, and AMLD6 governs supervision, Financial Intelligence Units, and beneficial ownership registers.
Who does the AMLR apply to?
The AMLR applies to obliged entities, including banks and credit institutions, financial institutions, payment and e-money providers, and crypto-asset service providers, along with other regulated sectors phased in over time. Firms operating across several member states feel the change most.
What is AMLA and what will it supervise?
AMLA is the EU's Anti-Money Laundering Authority, based in Frankfurt and operational since 1 July 2025. It writes the technical standards under the AMLR and, from 2028, will directly supervise around 40 high-risk cross-border groups while overseeing how national supervisors apply the rules everywhere else.
When are AMLA's technical standards due?
AMLA's regulatory and implementing standards and guidelines are being submitted to the European Commission on a staggered schedule running from late 2025 into 2027. The core customer due diligence standards went through consultation that closed on 8 May 2026.
