The EU AML package and AMLA: what fintech teams should prepare for
What the EU AML package and AMLA mean for fintech, including the AML Regulation, the national-mechanisms directive, supervision and the July 2027 application timeline.
- Pillar
- Financial crime compliance
- Difficulty
- Advanced
- Published
- Last updated
- Legal status reviewed
- Reading time
- 8 min
- Intended audience
- Compliance teamsFintech foundersLegal teams
On this page
The EU AML package overhauls how anti-money-laundering rules are set and supervised across the Union. It combines a directly applicable AML Regulation, a directive on national mechanisms, and a new authority, AMLA. The most important planning point is timing: the AML Regulation will mainly apply from 10 July 2027, so much of the package is something to prepare for rather than something already fully in force. This article helps fintech teams separate preparation from current obligations.
Legal and regulatory status was reviewed on 7 July 2026.
Package components
The package brings together three main instruments: the AML Regulation (Regulation (EU) 2024/1624) 1, the directive on national AML mechanisms (Directive (EU) 2024/1640) 2, and the regulation establishing AMLA (Regulation (EU) 2024/1620) 3. Together they aim to harmonise rules, coordinate national systems and create central supervision. Understanding which instrument does what is the first step to scoping your preparation correctly.
AML Regulation
The AML Regulation is a directly applicable rulebook intended to harmonise core AML requirements across the EU 1. Crucially, it will mainly apply from 10 July 2027 — it is not already fully applicable. That means it should be treated as a preparation obligation for most purposes, distinct from the AML rules that apply to you today. Build a timeline that reflects this rather than acting as if the Regulation is already in force.
National-mechanisms directive
Directive (EU) 2024/1640 addresses national mechanisms — such as the arrangements Member States put in place for supervision, cooperation and access to information — and requires transposition into national law 2. As a directive, its effect depends on national implementation, which can vary in detail and timing between Member States. Watch the national transposition in each market you operate in, not just the EU-level text.
AMLA
Regulation (EU) 2024/1620 establishes the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) 3. AMLA is intended to strengthen and coordinate AML supervision across the EU. Its establishment and the build-out of its role proceed on their own timeline. Treat AMLA as a structural change to the supervisory landscape you will operate within.
Direct and indirect supervision
The framework contemplates that AMLA will have a role in both direct supervision of certain entities and coordination or indirect oversight of national supervisors 3. Whether any given firm would fall under direct supervision is determined under the framework, not assumed. Understand the distinction so you know which supervisory relationships could apply to you.
Harmonisation objective
A core aim of the package is harmonisation — reducing divergence between Member States by setting common rules directly in the Regulation 1. For fintechs operating across borders, harmonisation may reduce some fragmentation over time, but it also means aligning to a common standard. Do not assume harmonisation removes all national variation, particularly where the directive leaves room for it 2.
Customer due diligence
The AML Regulation addresses customer due diligence requirements as part of the harmonised rulebook 1. Because these will mainly apply from 10 July 2027, review how your future CDD approach maps to the Regulation while continuing to meet current obligations. Your KYC, KYB and transaction-monitoring architecture is the natural place to plan for change.
Beneficial ownership
Beneficial-ownership transparency is a recurring theme across the package 12. Expect continued emphasis on identifying and verifying beneficial owners and on the information mechanisms that support this. Ensure your data model can capture and maintain beneficial-ownership information robustly ahead of application.
Internal controls
The Regulation addresses internal policies, controls and procedures that obliged entities are expected to maintain 1. Preparing means reviewing your control framework against the harmonised expectations and identifying gaps early. Controls that are documented, tested and governed will be easier to align than ad hoc practices.
Group-wide requirements
The package addresses group-wide AML arrangements for entities that are part of a group 1. If you operate across entities or borders, consider how group-wide policies, information sharing and oversight will need to work. Group structures often need the longest lead time to adjust, so start mapping them early.
Crypto-sector coverage
The AML framework continues to bring crypto-asset activity within scope of AML obligations 1. Firms handling crypto-assets should plan on the basis that AML requirements apply to that activity and align preparation accordingly. This connects to the Travel Rule data duties discussed in MiCA CASP authorisation and the EU crypto Travel Rule, which are a separate instrument.
Cash-payment limit
The package includes a limit on large cash payments as part of the broader AML measures 1. This is noted here only as brief context; do not overstate its scope or treat it as the centrepiece of the reform. For most fintech models the harmonised due-diligence, controls and supervision changes will matter far more than the cash limit.
Application timeline
Timing is the crux of planning. The AML Regulation will mainly apply from 10 July 2027 1, while the directive depends on national transposition 2 and AMLA builds out on its own schedule 3. Map each instrument to its timeline separately, because they do not all take effect at once.
10 July 2027 main application date
Anchor your programme to 10 July 2027 as the main application date for the AML Regulation 1. Work backwards from it to set milestones for data, policy, control and vendor readiness. Treating this date as the target keeps preparation distinct from your live obligations today.
What applies now versus later
Keep a clear line between what you must do now under current AML law and what you are preparing for under the package. Acting prematurely on the Regulation, or ignoring it until 2027, are both risks. The table below frames the distinction at a high level.
| Aspect | What applies now | What to prepare for later |
|---|---|---|
| Core rulebook | Current national AML rules | AML Regulation, mainly from 10 July 2027 1 |
| National mechanisms | Existing national frameworks | Changes via the directive after transposition 2 |
| Supervision | Current national supervisors | AMLA’s coordinating/direct role 3 |
| Beneficial ownership | Existing obligations | Continued/strengthened emphasis 1 |
| Your action | Meet current obligations | Build data, policy and vendor readiness |
Preparation roadmap
Preparation is a programme, not a single project. Assess current-state against the harmonised rulebook, prioritise gaps, and sequence work toward the application date. Coordinate legal, compliance, data and engineering, and revisit the plan as national transposition and AMLA guidance develop 23.
Data and policy implications
Much of the readiness work is data and policy: can you capture and maintain the customer, beneficial-ownership and transaction data the harmonised rules will expect, and are your policies documented and governed? Address data quality early, since remediating data is slow. Align policies to the Regulation while keeping current policies in force 1.
Vendor implications
Your AML vendors — for identity, screening and monitoring — are part of readiness, but using a vendor does not transfer your AML responsibility. Assess whether providers can support the data, controls and reporting the package will require, and plan changes into your roadmap. The aml and kyc categories and the build-a-kyc-and-aml-stack and build-a-fraud-and-transaction-monitoring-stack stacks are the relevant infrastructure.
Preparation checklist
- The three instruments (Regulation, directive, AMLA regulation) are identified and understood
- Current obligations are documented separately from package preparation
- The 10 July 2027 main application date anchors the programme
- National transposition of the directive is tracked per market
- Beneficial-ownership data capture and maintenance are reviewed
- Internal controls are assessed against harmonised expectations
- Group-wide arrangements are mapped where relevant
- Crypto-activity AML coverage is planned for if applicable
- Data quality gaps are identified and prioritised
- Vendor readiness is assessed without assuming responsibility transfers
Questions to ask providers
- Which of the three package instruments most affects our activities, and how?
- How should we separate current obligations from preparation for the Regulation?
- What does the 10 July 2027 main application date mean for our timeline 1?
- How is the national-mechanisms directive being transposed in our markets 2?
- Could we fall under AMLA’s direct supervision, and what would that involve 3?
- What beneficial-ownership and CDD data changes should we plan for?
- Can our AML vendors support the data, controls and reporting the package expects?
- How do group-wide requirements affect our structure?
Common failure modes
- Treating the AML Regulation as already fully applicable rather than mainly from 10 July 2027 1.
- Failing to separate current obligations from package preparation.
- Overstating the cash-payment limit as the centrepiece of the reform.
- Ignoring national transposition of the directive and assuming uniformity 2.
- Assuming AML vendors absorb your responsibility.
- Leaving beneficial-ownership and data-quality work until close to the deadline.
What this does not cover
This article does not determine whether your firm is an obliged entity, whether you would fall under AMLA’s direct supervision, or how the rules apply to your specific activities. It does not track every date across all instruments and Member States, and it is not legal or compliance advice. Confirm specifics with qualified legal advisers.
FAQ
Is the EU AML Regulation already in force for my firm?
It will mainly apply from 10 July 2027, so for most purposes treat it as preparation rather than a rule that is already fully applicable 1. Continue meeting your current obligations in the meantime.
What are the three main parts of the AML package?
The AML Regulation 1, the national-mechanisms directive 2, and the regulation establishing AMLA 3.
What is AMLA?
AMLA is the Authority for Anti-Money Laundering and Countering the Financing of Terrorism, established to strengthen and coordinate AML supervision across the EU 3.
Does the directive apply the same way everywhere?
Not necessarily. As a directive, its effect depends on national transposition, which can vary between Member States 2. Track it per market.
Does using an AML vendor transfer my responsibility?
No. Vendors can support your programme, but your AML responsibility remains with you. Assess readiness and plan changes into your roadmap.