AMLR 27: What the EU’s New AML Regulation Means for Customer Due Diligence

10 July 2027 is closer than most compliance teams have planned for. The EU Anti-Money Laundering Regulation (AMLR 27) doesn’t just update existing AML rules; it replaces the directive-based framework entirely. For the first time, a single rulebook applies directly across every Member State, with no national transposition buffer and a new supervisory authority, AMLA, to enforce it. This is not a routine policy update. Here is what obliged entities need to act on before the deadline.

Regulation (EU) 2024/1624, known as AMLR 27, replaces the directly applicable provisions within the 4th and 5th AML Directives. It is supported by the 6th Anti-Money Laundering Directive (AMLD6) that regulates the areas to be implemented at the national level, such as Financial Intelligence Unit (FIU) cooperation and supervisory authorities. Together, they form the new EU AML framework.

For compliance officers, legal teams, and senior leadership, this is not a routine policy update. It is a structural reset that redefines who must comply, how customer due diligence is conducted, and what regulators will demand in evidence.

This article breaks down the core changes under AMLR 27 and explains what obliged entities need to act on before the deadline.

Why AMLR Replaces the Directive-Based Approach

Since 1991, the EU’s AML framework has been based on directives. Each Member State has the obligation of translating requirements into national law, and that process, over the past 30 years, has created considerable variation in how rules were written, interpreted, and enforced.

Certain Member States tightened thresholds while others left grey areas unaddressed . What arose was a compliance environment that worked neither for the cross-border institutions nor the  regulators trying to oversee them consistently.

AMLR 27 is not a directive, but rather a regulation. It comes into force directly on all Member States as of 10 July 2027 without the necessity of national transposition. There is no longer room for local interpretations to distort or soften the foundational requirements. The rules will be identical in Frankfurt, Warsaw, and Lisbon.

The New Supervisory Architecture: Enter AMLA

A standard rulebook demands uniform enforcement. That is the logic behind the Anti-Money Laundering Authority (AMLA), established under Regulation (EU) 2024/1620, which became operational on 1 July 2025 and is headquartered in Frankfurt.

AMLA has a direct supervisory authority over the highest-risk financial entities operating across borders. For entities below that threshold, AMLA liaises with national supervisors to ensure consistent rule application across the block. It is also able to make binding guidelines and technical standards, as well as cross-border investigations where necessary.

In practice, compliance teams can no longer assume that complying with local regulatory expectations is sufficient. The standard is now set at the EU level, and AMLA has the power to implement it.

Who Becomes an Obliged Entity Under AMLR 27?

The scope of AMLR 27 extends well beyond the conventional financial services. Organizations already subject to AML directives, such as banks, insurers, payment institutions, and investment firms, remain covered. However, the regulation expressly introduces a number of new categories:

Crypto-asset service providers (CASPs), such as exchanges, wallets, and trading platforms, are brought under the same regulations as banks.

• Crowdfunding service companies and intermediaries.
• Traders of high-value goods such as jewellery, watches, luxury vehicles, yachts, aircraft, art, and cultural goods that are above EUR 10,000 in terms of transaction value.
• Professional football clubs and agents, whose application date is 10 July 2029.
• Non-EU-based companies that have branch offices in the EU, subsidiaries, or that establish business relationships with EU obliged entities.

If an organisation falls into any of these newly added categories and has not previously been subject to EU AML rules, July 2027 means building a compliance framework from scratch, not adapting an existing one. Risk assessments, MLRO appointments, CDD policies, and audit-ready documentation all take time. Organisations in scope that have not yet started should treat this as a 2026 priority, not a 2027 one.

Key Compliance Changes Under AMLR 27

• Customer Due Diligence: Lower Thresholds, Stricter Verification

The CDD threshold for occasional transactions drops from EUR 15,000 to EUR 10,000 under AMLR 27. A separate obligation applies to occasional cash transactions of EUR 3,000 or more, which now require limited CDD measures. For crypto-asset service providers, limited CDD applies to transactions below EUR 1,000 as well.

Standard CDD requires verification of name, nationality, and address for natural persons. Article 22.1 of the AMLR requires that this data be verifiable against authoritative sources, not merely self-reported. Article 22.3 adds a specific mandate for credit institutions to verify identities linked to virtual IBANs they issue.

For Politically Exposed Persons (PEPs), EDD obligations now extend at least 12 months after an individual leaves a prominent public function. The same measures apply to PEP family members and known close associates.

• Beneficial Ownership: A Harmonised Standard

The beneficial ownership threshold is standardised EU-wide at 25% ownership, voting rights, or other ownership interests in a corporate entity. For high-risk sectors, the European Commission may lower this threshold to 15%. This removes the ambiguity that existed previously across Member States where different pass-through principles applied.

Obliged entities must also apply enhanced EDD for business relationships involving assets of EUR 5 million or more, or where a customer’s net worth exceeds EUR 50 million. AMLA will issue guidelines on how to determine whether a customer crosses the EUR 50 million threshold by 10 July 2027.

• EU-Wide Cash Payment Cap

AMLR 27 introduces a Union-wide limit of EUR 10,000 for cash payments in commercial transactions, whether made in a single operation or across several linked operations. This cap applies directly with no transposition required.

• FIU Response Timelines and Reporting

AMLR 27 sets a deadline of five working days for obliged entities to respond to Financial Intelligence Unit (FIU) requests. This is a strict legal requirement, not a guideline, and internal escalation processes and data access protocols must be built to meet it consistently.

The Digital Identity Dimension

AMLR 27 does not mandate any specific technology for identity verification. However, it aligns closely with the EU’s eIDAS 2 framework and the future European Digital Identity (EUDI) Wallet. In effect, this supports a shift away from manual, document-intensive onboarding toward electronic verification methods.

The new framework places the position of Notified eIDs with substantial or high assurance, Qualified Electronic Signatures (QES), and EUDI Wallet as preferred verification paths. Document-based identification can still be used as a fallback, especially when it is aligned with identity proofing standards recommended by ETSI 119 461.

Adoption rates for digital identity wallets will vary across member states. Organisations must prepare for this and maintain consistent fallback plans for customers not yet using eIDs.

What Obliged Entities Should Be Doing Now

10 July 2027 is closer than it appears. The AMLR package is detailed, and AMLA is continuing to issue additional guidelines and technical regulatory requirements, which will bring additional specificity to the core requirements. Waiting for complete regulatory clarity before taking action is itself a compliance risk.

Organizations should begin with a systematic gap analysis that maps the current CDD processes, PEP and UBO practices, Suspicious Activity Report workflows, and data verification methods against the AMLR requirements. The gaps identified now allow time to remediate in a more gradual manner. The same gaps in 2026 will cause operational emergencies.

For newly in-scope entities such as crypto companies, luxury goods merchants, or even crowdfunding platforms, the initial step will be to develop the compliance infrastructure from the ground up: appointing a compliance officer, establishing a risk assessment framework, and putting in place the policies, procedures, and internal audit functions under AMLR.

For institutions already under AML directives, the focus is on alignment. This implies that current processes should meet the higher and more reliable standard established by AMLR, and evidence trails should be clearly documented and audit-ready for AMLA and the national supervisors.

Stay Ahead of AMLR 27 with AML Watcher

AMLR 27 means your screening has to be accurate, current, and consistent across every jurisdiction you operate in.

AML Watcher provides continuously updated screening data across PEPs, sanctions lists, adverse media, and UBO records, each mapped directly to AMLR 27’s core obligations. Real-time updates ensure your risk profiles reflect overnight changes, not last week’s batch. Global coverage (200+ jurisdictions) provides the uniformity that AMLR 27 requires, whether your teams are based in Frankfurt or Singapore. And where the regulation tightens enhanced due diligence in the case of PEPs and high-risk third countries, our layered data and audit trail can enable compliance teams to make and evidence those calls with comfort.

No matter which version of your first gap assessment you are executing, or whether you are updating an existing compliance stack, our platform is designed to meet the accuracy and consistency this regulation requires. Book a demo with AML Watcher today and see how your organization can be AMLR-ready before July 2027.