Applications of 6AMLD: What Compliance Teams Need to Know in 2026

TL;DR

  • Only 1% of EU criminal proceeds are seized each year despite massive illicit flows.
  • 6AMLD harmonizes the definition and prosecution of money laundering across 27 member states.
  • It expanded predicate offences to 22, adding cybercrime and environmental crime.
  • A minimum four-year custodial sentence applies to money laundering convictions.
  • Corporate criminal liability means companies, not just individuals, can be prosecuted.

Only 1% of criminal proceeds are seized across the EU each year, despite an estimated 2%-5% of global GDP flowing through illicit channels, according to the European Commission. That gap is precisely what the EU’s 6th Anti-Money Laundering Directive was built to narrow. For compliance teams operating across financial services, crypto, legal, and non-financial sectors, understanding where 6AMLD applies in practice is no longer a theoretical exercise. This guide walks through the directive’s reach, the obligations it places on different business types, and what a credible compliance response looks like today.

What 6AMLD is and what changed

Directive (EU) 2018/1673, commonly known as 6AMLD, came into force on 3 December 2020. EU member states were required to transpose it into national law by 3 June 2021. Its mandate covers criminal law harmonisation, standardising how money laundering is defined and prosecuted across all 27 member states, so enforcement gaps cannot be exploited by routing funds through jurisdictions with weaker legal frameworks.

Three shifts define 6AMLD’s practical impact. The directive extended the list of predicate offences, meaning the criminal activities whose proceeds become subject to money laundering rules, to 22 categories. Cybercrime and environmental crime were added alongside traditional categories such as drug trafficking, fraud, and tax evasion. A minimum four-year custodial sentence was set for money laundering convictions across all member states. Most consequential for compliance functions, the directive established corporate criminal liability. Legal persons, not only individuals, can now be prosecuted for money laundering offences committed for their benefit or through inadequate internal oversight.

The EU’s broader AML legislative package, formalised through Directive (EU) 2024/1640, built on this foundation and established the new EU Anti-Money Laundering Authority (AMLA), which began direct supervisory operations in June 2025. Together, these instruments form the most substantial overhaul of EU AML architecture in a generation.

How 6AMLD applies to financial institutions

Banks, payment firms, investment managers, and lenders carry the heaviest obligations under 6AMLD, and the expanded predicate offences create concrete operational consequences.

Detection models built around traditional fraud typologies will miss proceeds from ransomware payments, business email compromise, and crypto-enabled money mule networks. Each now falls within the scope of 6AMLD’s cybercrime predicate. Compliance teams are expected to update typology libraries, retrain analysts on new risk indicators, and review automated monitoring thresholds against the full 22-predicate list. Governance accountability frameworks must also be updated, because the risk to the institution itself has grown alongside the personal liability risk.

Customer due diligence frameworks need the same overhaul. A customer whose risk score was set against older typologies may appear clean while their transactional behaviour reflects proceeds from cybercrime or environmental offences. AML screening that runs continuously, not only at account opening, is the practical answer to this gap.

For crypto exchanges and digital asset service providers, 6AMLD brought a specific shift. Proceeds from exchange hacks, DeFi exploits, and crypto-denominated sanctions evasion all fall under the cybercrime predicate. Firms must screen customers and transactions against these typologies, not simply run a standard sanctions check. Under MiCA, which took full effect in late 2024, crypto-asset service providers operating in the EU are expected to maintain AML programmes that address all 22 predicate categories.

[Figure: 22 Predicate Offences Under 6AMLD]

Which non-financial businesses must apply 6AMLD measures

6AMLD does not apply only to regulated financial entities. Designated non-financial businesses and professions (DNFBPs) carry the full compliance obligations.

Law firms must apply 6AMLD requirements when handling real estate transactions, managing client funds, forming companies, or advising on mergers and acquisitions. This means running customer due diligence on each client, screening for politically exposed persons and sanctions exposure, and filing suspicious activity reports when warranted. The expanded predicate list means a law firm handling proceeds from an environmental offence faces the same regulatory exposure as one dealing with drug trafficking proceeds.

| Obligated business | 6AMLD application |
|---|---|
| Law firms | CDD, PEP/sanctions screening, SARs on real estate, client funds, M&A |
| Accountants and auditors | Documented due diligence; liability for advising on illicit proceeds |
| Real estate agents | Within scope as DNFBPs |
| High-value goods dealers | Within scope as DNFBPs |
| Trust and company service providers | Within scope as DNFBPs |
| Notaries | Within scope as DNFBPs |

Accountants and auditors face equivalent requirements. Advising a corporate client that holds proceeds from cybercrime or tax evasion creates criminal liability exposure under 6AMLD’s corporate prosecution framework, if adequate controls were absent at the time. The standard expected is not perfection, but demonstrable, documented due diligence.

Real estate agents, high-value goods dealers, trust and company service providers, and notaries all fall within scope. The EU’s AML obligated entity framework sets out the full list of covered sectors and aligns EU obligations with FATF standards, providing the reference point compliance officers should use when assessing whether their firm falls under the directive’s requirements.

[Figure: 6AMLD Obligated Sectors]

Corporate criminal liability in practice

This element of 6AMLD carries the greatest exposure for boards and senior leadership.

Under the directive, a corporate entity can be held criminally liable for money laundering offences committed for its benefit by a person in authority, or through the organisation’s failure to supervise that person adequately. The definition of “person in authority” extends beyond directors to anyone with authority to make decisions or exert financial control within the organisation. Sanctions for legal persons include substantial fines, exclusion from public procurement, temporary or permanent prohibition from operating, and in extreme cases, judicial winding-up.

The practical implication is that the absence of an adequate compliance programme is itself a liability. Firms cannot attribute an offence to a rogue employee and close the matter there. Regulators will assess whether governance structures, internal controls, and oversight mechanisms were adequate to prevent or detect the conduct. Where they were not, corporate liability follows.

Third-party vendor relationships carry the same logic. Where an organisation delegates AML compliance processes to a vendor, and that vendor allows a money laundering scheme through or fails to detect it, the primary firm retains exposure. Contractual AML obligations, vendor due diligence, and periodic audit rights are not optional extras under 6AMLD. They are the evidence base a firm would need to demonstrate adequate oversight if the relationship came under scrutiny.

Building a 6AMLD-compliant AML programme

A programme that meets 6AMLD expectations addresses four practical areas.

Customer due diligence must account for all 22 predicate offences. Risk assessments should be updated to cover cybercrime proceeds, environmental crime, and the full scope of current illicit categories. Know Your Business checks for corporate clients, including beneficial ownership identification, reduce exposure to shell-company-based laundering schemes that span multiple predicate categories in a single structure.

Transaction monitoring needs updated detection scenarios. Thresholds calibrated only for bank fraud will miss patterns tied to ransomware proceeds or environmental permit violations. Periodic backtests against the current predicate list identify gaps before they attract enforcement attention.

Staff training must reflect current offence categories. Analysts unfamiliar with crypto-enabled mule indicators or environmental crime typologies represent a compliance gap. Annual updates tied to the evolving predicate list close that gap incrementally.

Continuous transaction monitoring keeps the programme current. Higher risk profiles evolve after onboarding. A single onboarding check will miss adverse media hits, new PEP designations, and watchlist additions that occur during the customer relationship. The directive’s expectation is an ongoing programme, not a one-time assessment at account opening.

6AMLD’s expanded predicate scope, corporate liability framework, and obligations across financial and non-financial sectors demand a screening stack that goes well beyond a standard sanctions check. Shufti’s real-time AML screening continuously monitors customers across 100,000+ data sources, PEP profiles, and 50,000+ adverse media channels, with configurable workflows for both regulated financial entities and DNFBP obligated businesses. Request a demo to see how the platform handles the full 6AMLD predicate scope on your live customer data.

Frequently Asked Questions

How does 6AMLD apply to corporate criminal liability in practice?

Under 6AMLD, a company can be prosecuted for money laundering offences committed for its benefit by individuals in positions of authority, even without direct board involvement. The absence of adequate compliance controls is treated as an institutional failure, not solely an individual one.

What does 6AMLD application look like for law firms and accountants?

Law firms and accountants must run customer due diligence, PEP and sanctions screening, and file suspicious activity reports when handling certain transaction types. The expanded predicate offences mean proceeds from cybercrime or environmental breaches carry the same compliance obligations as proceeds from drug trafficking.

When did 6AMLD come into force and what was the compliance deadline?

Directive (EU) 2018/1673 came into force on 3 December 2020, with EU member states required to transpose it into national law by 3 June 2021.

How does 6AMLD apply to cryptocurrency exchanges and digital asset platforms?

Crypto exchanges must address all 22 predicate offences in their AML programmes, including cybercrime proceeds from exchange hacks, DeFi exploits, and sanctions evasion. This requires updated typologies beyond standard sanctions screening to cover crypto-enabled money laundering methods.

How do companies apply 6AMLD when dealing with high-risk third-party vendors?

Where AML compliance processes are delegated to third parties, the primary firm retains liability if those vendors allow money laundering to pass through or fail to detect it. Due diligence on vendors, contractual AML obligations, and periodic audit rights are requirements under 6AMLD, not discretionary add-ons.
