
AMLR2027 and the harmonisation of anti-money laundering rules in the EU


You have almost certainly watched the series Suits. In it, everything revolves around gaining trust quickly and losing it even faster if you cannot back it up.

One main character shows this tension well. He is highly skilled and does excellent work, but everything depends on an identity he cannot prove.

At some point, people stop focusing on what he does and begin asking who he really is.

This shift from appearances to what you can actually prove is central to anti-money laundering (AML) rules.

The European Union has introduced AMLR2027. This regulation does not start from zero but instead strengthens, harmonises, and expands existing requirements. Now, these rules apply not just to the financial sector but also to new types of businesses that previously faced less regulation.

Some context before discussing AMLR2027

For years, Europe has used directives to fight money laundering, with Directive (EU) 2015/849 as the main foundation. Later, more rules were added to increase transparency about beneficial ownership. Still, this system was not enough.

The main problem was how each country put the directives into practice. Every Member State did it differently, leading to inconsistencies. This created a fragmented system that was hard to harmonise and did not fit well with the idea of a single market.

Moving to a single regulation is intentional. It aims to set rules that apply directly and equally across the EU, without needing each country to create its own version.

AMLR (Anti-Money Laundering Regulation) is part of a larger effort to strengthen the European anti-money laundering system. This includes new supervisory bodies and better coordination between countries.

This new framework also follows international standards, especially those set by the FATF (Financial Action Task Force), and recent changes in European criminal law. These updates now give clearer definitions of money laundering, terrorist financing, and related crimes.

What is AMLR2027?

AMLR2027 is the new European regulation that establishes common rules to prevent money laundering and terrorist financing across the European Union.

It does more than set general principles. It clearly states what obliged entities must do, how to do it, and which standards to follow.

The goal is to reduce differences between countries, make the system more effective, and protect the internal market from illegal activities.

Why are we discussing a regulation rather than a directive?

The main difference is how much control there is over how the rules are applied.

Directives gave countries some flexibility in how they met the requirements, which led to different levels of enforcement in each country.

A regulation reduces that flexibility and directly establishes what must be done and how.

This changes the approach. The rules are no longer open to interpretation but are now enforced the same way in all Member States.

AMLR2027, what changes compared to AMLD?

AMLR addresses a major weakness in the old system. The directives, especially Directive (EU) 2015/849 and its 2018 update, created a strong framework, but applying them unevenly across countries was a big problem.

The three main changes introduced by AMLR are:

  1. Differences caused by each country making its own version are removed, so all obliged entities now have the same obligations.
  2. Broader scope: The regulation adds new types of businesses and activities that were not regulated before or were regulated differently. These include:
    • Crypto-asset service providers
    • Crowdfunding platforms
    • Professional football clubs
    • Dealers in high-value goods
  3. Greater operational detail: This is especially noticeable in areas like risk assessments, internal controls, and customer due diligence.

    What role does AMLA play?

    AMLA is a key organisation set up to support the EU’s system for fighting money laundering and terrorist financing.

    Its main functions and responsibilities include:

    • Drafting technical standards and guidelines: It prepares draft rules and technical standards to make sure the same rules are applied across the EU. This includes:
      • Group-wide policies: specifying minimum requirements for information sharing and internal procedures within corporate groups.
      • Customer due diligence: defining the minimum information required to identify customers and beneficial owners, and the criteria for transaction monitoring.
      • Suspicious activity reporting: developing common templates for obliged entities to report suspicious transactions to Financial Intelligence Units (FIUs).
    • Supervision and recommendations: AMLA can give recommendations to EU entities if organisations in other countries have serious or ongoing problems with their anti-money laundering controls.
    • Risk assessment and guidance: Its responsibilities include:
      • Issuing guidelines on money laundering trends and methods affecting geographical areas outside the Union.
      • Publishing guidance on the level of risk associated with different categories of politically exposed persons (PEPs), their family members and close associates.
      • Giving technical advice to the European Commission about how to respond to high-risk countries.
    • Operational support and transparency: This covers:
      • Outsourcing and reliance: issuing guidance on the conditions under which obliged entities may outsource tasks or rely on due diligence performed by third parties.
      • Indicators of suspicion: publishing guidance on suspicious behaviours and activity indicators to help entities recognise potential offences.
      • High-value assets: publishing guidance on determining whether a customer holds assets worth at least EUR 50 million, which would trigger increased due diligence measures.

    Who will supervise compliance, AMLA or national supervisory authorities?

    The new European framework does not replace national supervisors but reorganises them within a more coordinated system.

    National authorities will continue to supervise most obliged entities within their territories and therefore retain a central role in the practical application of the regulation.

    AMLA will act as a coordinating authority at European level, harmonising criteria between countries and strengthening cooperation among national supervisors.

    Will AMLA replace SEPBLAC in Spain?

    No. The creation of the European Anti-Money Laundering Authority does not mean the disappearance or replacement of SEPBLAC in Spain.

    As Spain’s Financial Intelligence Unit (FIU), SEPBLAC will continue to carry out its supervisory, analytical and reporting functions within the Spanish anti-money laundering framework.

    SEPBLAC will therefore remain the main point of contact for obliged entities in Spain, under the technical coordination and oversight of AMLA.

    Obliged entities: who must comply with AMLR in 2027?

    The regulation redefines the scope of obliged entities in Article 3. It recognises that money laundering risks are not limited to the financial sector and therefore extends its scope to activities and sectors that, by their nature, may be used to channel illicit funds.

    AMLR obliged entities list

    Industry Detail
    Financial and credit sector
    • Credit institutions (including banks and branches established within the EU).
    • Financial institutions (covering a broad range of companies, from currency exchange businesses and payment institutions to life insurance companies and insurance intermediaries when managing funds).
    • Crypto-asset service providers.
    Legal and accounting professionals
    • Auditors, external accountants and tax advisers (including any person providing material assistance or advice on tax matters).
    • Notaries, lawyers and other legal professionals (when participating in financial or real estate transactions on behalf of clients, such as property purchases, fund management or company formation).
    Real estate sector and high-value goods
    • Estate agents (including property developers and intermediaries involved in real estate transactions, including rentals with a monthly rent exceeding EUR 10,000).
    • Dealers in high-value goods (including dealers in precious stones and metals, motor vehicles priced above EUR 250,000, vessels and aircraft priced above EUR 7.5 million, antiques and works of art in transactions of at least EUR 10,000, as well as operators in free zones storing or trading such goods).
    Other industries and specific activities
    • Casinos and providers of online and land-based gambling services.
    • Crowdfunding platforms.
    • Investment migration operators.
    • Football agents and professional football clubs (in transactions involving investors, sponsors, agents and player transfers).

    You may now be wondering whether you are an obliged entity

    This is likely one of the most relevant questions for many businesses.

    The answer depends less on the sector in which you operate and more on the nature of your activity under Article 3 of the Regulation. If you are involved in the management, intermediation or transfer of value, whether financial or otherwise, AMLR2027 may apply to you.

    This does not mean that all activities automatically fall within the scope of the Regulation. The framework itself provides for certain exemptions and thresholds in Articles 4–6, particularly where the level of risk is low or where the activity does not involve genuine exposure to the financial system.

    That is why, rather than asking whether your industry is included, it is more important to understand the role your activity plays within the flow of value and the level of risk it presents.

    Who is exempt from AMLR2027?

    There are several exemptions from the general obligations. The main categories of exemptions are outlined below.

    Exemption Detail
    Sector-specific exemptions
    • Gambling services: EU countries may fully or partially exempt providers whose services present a low level of risk. Nevertheless, this exemption does not apply to casinos or to most sports betting and online gambling services (except where state-operated or state-regulated).
    • Professional football clubs: Clubs with an annual turnover below EUR 5 million during the previous two years may be exempted. Lower-division clubs may also be exempt where a demonstrably low level of risk can be established.
    • Limited or ancillary financial activities: To qualify, the financial activity must not exceed 5% of the entity’s total turnover, and the amount per transaction must not exceed EUR 1,000.
    • Low-value electronic money: Certain customer due diligence measures, such as customer identification, may be exempted for non-reloadable payment instruments with a maximum value of EUR 150, provided they are used exclusively to purchase goods or services and cannot be redeemed for cash or crypto-assets.
    Professional secrecy
    • Legal and accounting professionals are exempt from reporting information obtained under professional secrecy or in the context of legal defence or representation, unless they are involved in the offence or the client seeks advice for criminal purposes.
    Beneficial ownership transparency
    • Public law bodies of a Member State are not required to identify or register a beneficial owner.
    • Listed companies are also exempt where control is exercised exclusively through the voting rights of natural persons and no other legal entities exist within the ownership structure.
    Other relevant exemptions
    • EUR 10,000 cash payment limit: This limit does not apply to payments between private individuals acting outside a professional capacity, nor to deposits made at the premises of credit or payment institutions.
    • Insurance intermediaries: Intermediaries that neither collect premiums nor manage client funds, and that operate under the full responsibility of another insurance undertaking, are exempt.
    • Intra-group transactions: The Regulation does not apply to financial activities or services carried out exclusively between members of the same corporate group, as these are not conducted with external clients.

      For these national exemptions (such as those relating to gambling services) to be valid, Member States must notify the European Commission in advance and justify them through a risk assessment. The Commission then has two months to confirm whether the exemption is justified through a reasoned decision.

      2027 application date

      The Regulation will become fully applicable on 10 July 2027, at which point obliged entities must comply with the established requirements.

      Exceptions to the application date

      Nevertheless, the framework itself provides for phased implementation in certain areas. Some provisions, particularly those requiring greater adaptation or affecting specific sectors, such as football agents and professional football clubs, will benefit from an additional transition period until 10 July 2029.

      What changes regarding identity verification under AMLR 2027?

      Although customer due diligence already formed part of the previous framework, the Regulation significantly raises the level of requirements.

      AMLR turns KYC into a more structured obligation that includes identifying the customer, verifying their identity before establishing a business relationship or carrying out an occasional transaction, and understanding who ultimately stands behind the relationship and its purpose.

      To achieve this, AMLR requires obliged entities to collect sufficient information about both the customer and any person acting on their behalf or for their benefit. Verification must rely on official documents, such as an identity card, passport or equivalent document, and where necessary must be cross-checked against reliable and independent sources.

      For natural persons, the minimum required information includes:

      • Full name
      • Place and full date of birth
      • Nationality, or statelessness, refugee status or subsidiary protection status where applicable, together with the national identification number where available
      • Usual place of residence and, where available, tax identification number

      Identity verification may be outsourced, but ultimate responsibility always remains with the obliged entity.

      Another significant change is the increased promotion of electronic identification (eID) methods and qualified trust services regulated under eIDAS, Regulation (EU) No 910/2014. The Regulation recognises and encourages these mechanisms provided they offer substantial or high assurance levels for identity verification.

      Is continuous customer verification required under AMLR2027?

      Yes. The Regulation requires ongoing monitoring measures throughout the customer relationship. Verification therefore ceases to be a one-off step during digital onboarding and instead becomes a continuous process throughout the entire customer lifecycle.

      To achieve this, obliged entities must implement the following measures:

      Transaction scrutiny

      Entities must analyse transactions carried out throughout the relationship to ensure they are consistent with their knowledge of the customer, the customer’s risk profile and the source of funds.

      Periodic review and updating of customer information

      Documents and data must remain up to date. The maximum interval between updates is:

      • One year for high-risk customers
      • Five years for all other customers

      Event-triggered updates

      Customer information must also be reviewed whenever material changes occur, such as changes in ownership structure, requests for new products involving different risks, or significant changes in transaction volume or value.

      Sanctions screening

      Entities must periodically verify whether customers or beneficial owners are subject to targeted financial sanctions. For financial institutions, these checks must be carried out immediately following any new designation on sanctions lists.

      AMLR 2027 sanctions

      AMLR does not establish a closed list of sanctions. Instead, it states that Member States will define the applicable penalties in cases of non-compliance, provided these are effective, proportionate and dissuasive. Enforcement will therefore continue to retain a national component, at least during this stage.

      Cost of adapting to AMLR 2027

      There is no exact figure. The impact depends largely on each entity’s starting point, the sector in which it operates and the maturity level of its current processes.

      For obliged entities already subject to AML regulations, the effort mainly relates to adapting and reviewing existing procedures and controls.
      For companies that previously had no formal obligations, adaptation will involve implementing a full compliance framework.

      The main areas requiring investment and resources include:

      • Specialised personnel and expertise: appointment of a compliance director who must be a member of the management body, as well as a compliance officer with sufficient seniority to oversee day-to-day management.
      • Technology and information systems: implementation of suitable technology for continuous transaction monitoring, suspicious pattern detection and identity verification tools, together with systems capable of responding efficiently to requests from authorities.
      • Ongoing training: specialised continuous training programmes for employees, agents and distributors to help them recognise and document suspicious transactions.
      • Data management and record-keeping: robust systems for retaining records (identity documents, transaction records and risk assessments) for a minimum of five years, under strict confidentiality and data protection standards.
      • Audits: establishment of an independent audit function to test the effectiveness of internal policies and procedures. Where this is not feasible due to the size or nature of the entity, the Regulation allows and encourages the use of external experts.

      Key question: What do I need to do to comply with AMLR 2027?

      To comply with Regulation (EU) 2024/1624 (AMLR), whose general application begins on 10 July 2027, obliged entities must transition from a framework based on national directives to one of direct and harmonised application across the European Union.

      AMLR2027 compliance checklist

      1. Determine whether your activity falls within scope (i.e. whether you are an obliged entity) and carry out an initial assessment if necessary.
      2. Define who is responsible for compliance.
      3. Analyse the risks associated with your activity.
      4. Establish internal policies and procedures.
      5. Implement customer identification and verification processes.
      6. Apply a continuous monitoring system.
      7. Check sanctions lists and comply with applicable legal restrictions.
      8. Train your team to detect and manage risks effectively.
      9. Document and retain information in an organised manner within the required timeframes.
      10. Review and update the system regularly in line with the evolution of your activity.

      Contact us if you are looking for a KYC solution compliant with AMLR2027 to perform identity verification for your users within the EU.
