EU AMLR + AMLA · CASP readiness for July 2027
EU AMLR + AMLA 2027 — What CASPs Must Do Now to Prepare
The new EU AML package shifts the rulebook from a directive (which member states transposed differently) to a regulation (which applies directly and identically). For CASPs, the consequence is a real reset — beneficial-ownership thresholds tighten, customer due-diligence rules harmonise, and AMLA takes direct supervisory responsibility for the largest cross-border operators. The 18 months to July 2027 are the runway, not the deadline.
The EU Anti-Money Laundering Regulation (AMLR) is Regulation (EU) 2024/1624, which applies directly from 10 July 2027 to all obliged entities including CASPs, replacing the national transpositions of the 4th, 5th, and 6th AMLD with a single EU-wide rulebook; AMLA is the European Anti-Money Laundering Authority established by Regulation (EU) 2024/1620, headquartered in Frankfurt, taking direct supervisory responsibility for the highest-risk cross-border obliged entities from 2028.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | Regulation (EU) 2024/1624 (AMLR) — single rulebook; Regulation (EU) 2024/1620 (AMLA establishment); Directive (EU) 2024/1640 (AMLD6) — national infrastructure |
| AMLR application date | 10 July 2027 — directly applicable, no national transposition required |
| AMLA selection date | AMLA selects its first group of directly-supervised obliged entities by 1 July 2027 from credit institutions, payment institutions, EMIs, and CASPs operating cross-border in at least six member states |
| Direct supervision threshold for CASPs | CASPs with at least 20,000 customers in the relevant member state OR more than EUR 50 million in annual transaction value in that state, in at least six member states — captures the largest pan-EU platforms |
| EUR 1,000 / EUR 3,000 thresholds | Crypto-asset transfers above EUR 1,000 to or from a self-hosted wallet require full customer due-diligence; aggregated transactions above EUR 3,000 in 6 months for occasional customers also trigger CDD |
| Beneficial ownership threshold | Direct or indirect holding of more than 25% — same as 5AMLD — but with stricter verification standards and a mandatory cross-border register linkage |
| Cash payment cap | EUR 10,000 EU-wide cap on cash payments — does not apply to crypto-asset payments but affects fiat on/off-ramps |
| Sanctions | Up to 10% of total annual turnover or EUR 10 million for legal persons; up to EUR 5 million for natural persons; daily penalty payments for ongoing non-compliance |
The package and what it changes
The EU’s new AML package consists of three legal instruments adopted together in May 2024:
- AMLR (Regulation (EU) 2024/1624) — the single rulebook. Applies directly from 10 July 2027. Covers customer due diligence, beneficial-ownership identification, reporting, internal controls.
- AMLA Regulation (Regulation (EU) 2024/1620) — establishes the European Anti-Money Laundering Authority. Headquarters in Frankfurt. Direct supervision of the highest-risk cross-border obliged entities from 2028; indirect supervisory coordination of national supervisors for the rest.
- AMLD6 (Directive (EU) 2024/1640) — the national infrastructure piece. Requires member states to upgrade their FIU capabilities, interconnect their beneficial-ownership registers, and align administrative cooperation. Transposition deadline 10 July 2027.
The substantive shift is from directive to regulation. Under the 4th, 5th, and 6th AMLDs, each member state transposed the rules into national law — with the predictable result that the rules diverged across the bloc on enforcement detail, beneficial-ownership thresholds, PEP definitions, and exempted activities. AMLR closes that divergence by applying directly and identically.
For CASPs that operate in multiple EU member states — which is most of the larger ones now that MiCA passporting works — the practical consequence is a single AML programme rather than 27 jurisdiction-specific variants of the same programme.
What changes for the customer due-diligence programme
Several CDD areas tighten meaningfully:
PEP definitions. AMLR harmonises the definition of politically exposed persons across the EU and removes member-state discretion on the domestic-PEP scope. The result is a slightly broader PEP universe than the old domestic-only national lists.
Enhanced due diligence triggers. AMLR sets common triggers — high-risk third countries from the single EU list, anonymous transactions over EUR 10,000, transactions involving correspondent relationships with non-EU institutions, and a residual high-risk-business-activity trigger. The EU list of high-risk third countries replaces parallel national lists.
Beneficial-ownership verification standards. The 25% threshold for direct or indirect ownership is unchanged. What changes is the verification — AMLR requires the CASP to obtain independent supporting documentation, not just a customer self-declaration, and to verify the beneficial owner against the national BO register. The interconnected EU BO platform is the verification source.
Crypto-specific thresholds. The EUR 1,000 threshold for transfers to or from self-hosted wallets triggers full CDD. Aggregated transactions above EUR 3,000 in a 6-month period for occasional customers also trigger CDD. These are tighter than the comparable thresholds for fiat transfers.
What AMLA direct supervision means
AMLA selects its first set of directly-supervised obliged entities by 1 July 2027. The criteria for CASPs:
- The CASP operates in at least six EU member states (via Article 60 notification, Article 63 authorisation, or Article 65 passport)
- In at least six of those member states, the CASP has either at least 20,000 customers OR more than EUR 50 million in annual transaction value
These are designed to capture the largest cross-border platforms — perhaps 8-15 CASPs across the EU. For the directly-supervised entities, AMLA is the AML supervisor. National authorities cooperate but the engagement is with AMLA directly.
For the other 95% of CASPs the national AML supervisor remains the counterparty. AMLA’s role is to coordinate national supervisors, publish guidance, and intervene in indirect supervision cases that need EU-level attention. A small-to-mid-size CASP authorised in Lithuania continues to engage with the Lithuanian FCIS (Financial Crime Investigation Service) for AML supervision — the same supervisor that has been there since 5AMLD.
The runway timeline
From mid-2026 to July 2027 is 12-15 months of preparation runway. A realistic work plan:
Q3-Q4 2026 — Gap analysis. Map the current 5AMLD/6AMLD-based programme against AMLR’s substantive rules. Identify divergences in PEP screening, enhanced due-diligence triggers, beneficial-ownership verification, and reporting.
Q1 2027 — Policy and procedure updates. Rewrite the AML manual against AMLR articles. Update the customer onboarding flow for the new CDD triggers. Reconfigure transaction monitoring rules for the new self-hosted-wallet threshold logic.
Q2 2027 — Systems and training. Update KYC vendor configurations. Re-train compliance staff on the new rulebook. Migrate beneficial-ownership verification to the interconnected EU register platform. Run a parallel-run exercise on a sample of new and existing customers.
July 2027 — Live operation under AMLR. The old national rules cease to apply. The new rulebook is the sole authority.
The harmonisation upside
CASPs that have so far run jurisdiction-by-jurisdiction AML programmes inherit a meaningful simplification. The compliance overhead of maintaining a 5AMLD policy for Lithuania, a 5AMLD policy for Cyprus, a 5AMLD policy for Estonia, and a 5AMLD policy for Germany — each subtly different — collapses to a single AMLR programme. The supervisor that engages with the programme may be national, but the rules being supervised are EU-wide.
The harmonisation will not be perfect on day one — national supervisors will continue to interpret AMLR slightly differently, AMLA’s coordination function will iterate over its first years, and the interaction with national administrative law will produce small divergences. But the order-of-magnitude reduction in programme complexity is real.
Practical recommendations for mid-size CASPs
Three priorities for a CASP in the EUR 10-50 million annual revenue range:
- Start the gap analysis now. The 5AMLD-to-AMLR delta is meaningful but tractable. Twelve months of policy and systems work is enough; six months is not.
- Do not over-build for AMLA direct supervision. Mid-size CASPs will not meet the cross-border thresholds. The national AML supervisor stays the engagement counterparty.
- Plan the beneficial-ownership register migration early. Moving from national-register lookups to the EU-interconnected platform is a vendor and systems project that benefits from a long lead time.
The July 2027 application date is firm and the Commission has not signalled willingness to delay. The runway is the planning horizon.
Pitfalls and nuances
1 Treating AMLR as a re-papering exercise
The temptation in any harmonisation move is to re-paper the existing policies under the new article numbers. AMLR contains substantive changes that re-papering will miss — most importantly the harmonised PEP definition, the EU-level verification standards for beneficial ownership, the enhanced due diligence triggers for high-risk third countries (which now use a single EU list rather than national lists), and the operational independence requirements for compliance officers.
2 Assuming AMLA direct supervision will catch your CASP
The selection criteria — operating in at least six member states with material customer or transaction volume in each — capture only the largest pan-EU platforms. For most CASPs the national AML supervisor remains the engagement counterparty. Building an operating model around AMLA direct supervision is over-engineering for the wrong threat model.
3 Underestimating the AMLR/MiCA conduct overlap
MiCA Article 66 imposes conduct obligations that overlap with AMLR's customer due-diligence and ongoing monitoring obligations. The two operate on parallel tracks — the MiCA supervisor and the AML supervisor are often the same NCA but apply different rulebooks. Coordinated programmes are cheaper than parallel ones.
4 Self-hosted wallet rules read as a ban
The EUR 1,000 self-hosted wallet rule triggers customer due-diligence, not service refusal. A CASP can serve self-hosted-wallet transfers above the threshold; it must apply full CDD on the recipient or originator. Reading the rule as a transfer ban produces a customer-experience problem that is not legally required.
5 Late beneficial-ownership register integration
AMLD6 requires national BO registers to interconnect via the EU central platform. CASPs that built BO verification on national-register lookups need to migrate to the centralised query infrastructure. The Commission's implementing acts on register interconnection set the technical specification — most national registers expect to be on the central platform by mid-2027.
Frequently asked questions
When does the EU AMLR apply to CASPs?
10 July 2027 — direct application across all 27 EU member states, no national transposition. CASPs already authorised under MiCA must align their AML programmes to the AMLR rulebook by that date.
Will AMLA supervise every CASP directly?
No. AMLA's direct supervision captures only the largest cross-border CASPs — operating in at least six member states with above-threshold customer or transaction volume. The other 95% remain supervised by national AML authorities.
Do CASPs need to change AML programmes if they already comply with 5AMLD?
Yes. AMLR is a regulation, not a directive — the substantive rules harmonise upward. Areas that change meaningfully include enhanced due diligence triggers, PEP definitions, beneficial-ownership verification, and the self-hosted-wallet transfer thresholds.
Does the EUR 1,000 self-hosted-wallet rule replace the TFR?
No — it supplements it. The TFR sets the data accompanying transfers; AMLR sets the customer due-diligence trigger. Both apply to transfers above EUR 1,000 involving self-hosted wallets.
Get matched
Working through a crypto-licensing decision?
Get an editorial shortlist of firms matched to your business — customer market, model, jurisdiction, and stage. Free, and not influenced by sponsorship.
Get a firm shortlist →Sources cited
- Regulation (EU) 2024/1624 (AMLR) — regulation
- Regulation (EU) 2024/1620 (AMLA establishment) — regulation
- Directive (EU) 2024/1640 (AMLD6) — national infrastructure — regulation
- AMLA — official authority page (Frankfurt) — regulator
- EBA — Final AML/CFT Guidelines for CASPs — regulator