In the European Union (EU), preventing money laundering and terrorist financing is a major focus. Banks and other financial institutions have to take active steps to stop these activities, and knowing where money comes from and where it goes is central to that. The EU watches for new risks and updates its rules as they appear.
Since the first anti-money laundering rule in 1991, the EU has kept its regulations in step with new threats, from the rise of virtual assets to crowdfunding. That work sped up in the 2020s. The EU adopted a major AML Package in 2024, and from 30 December 2024 it extended its "travel rule" on tracing fund transfers to cover crypto-asset transfers too. The older approach relied on separate national laws; the new one moves toward a single set of obligations that reads the same in every member state.
KYC and AML Regulators in the EU
Keeping the financial system safe from money laundering and terrorist financing is a shared job across several EU bodies. The European Commission runs the risk assessments that identify threats in the internal market, and it enforces AML law by overseeing how member states transpose it and by working with national authorities.
The European Supervisory Authorities (ESAs) play a part too. Through a joint committee with the Commission, they issue guidelines and opinions that help national regulators understand what is expected, which keeps practice consistent across the EU.
One of the biggest changes is the Anti-Money Laundering Authority (AMLA). When it was first announced, AMLA existed only on paper as the EU's future central supervisor. That has changed. It became operational on 1 July 2025 and is based in Frankfurt, Germany. Its job is to improve cooperation among financial intelligence units (FIUs) and coordinate national authorities so the rules are applied the same way everywhere. From 1 January 2028 it will go further than coordination and directly supervise a first group of around 40 high-risk obliged entities operating in at least six member states.
The European Banking Authority (EBA), set up in 2011, works to protect the stability of the EU banking sector. It assesses risk, develops harmonised rules, and works with the Commission and national regulators. The EBA used to lead the EU's AML/CFT coordination, but that central role is moving to AMLA, while the EBA continues its wider banking and prudential supervision from its base in France.
Current KYC and AML Regulations in the EU
The last few years have brought stricter rules and stronger enforcement powers across the EU. This push for stronger regulation was set out in the European Commission's Action Plan of May 2020, and it led to the 2024 AML Package described below. The current framework mixes long-standing directives with a new rulebook that applies directly in every member state.
The 2024 EU AML Package (AMLR, AMLD6 and AMLA)
The most important recent change is the EU AML Package, adopted on 24 April 2024. It moves away from directives that each member state implemented in its own way and toward a directly applicable single rulebook that reads the same in all 27 member states. It has three parts:
- The Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) is the single rulebook. It applies directly in all member states from 10 July 2027, harmonises customer due diligence and beneficial ownership and reporting duties, sets an EU-wide cash payment limit of €10,000, and fixes the beneficial ownership threshold at 25% or more.
- The Sixth Anti-Money Laundering Directive (AMLD6, Directive (EU) 2024/1640) has to be transposed into national law by 10 July 2027, with some registry-access provisions running to 2029. It covers supervisors, FIUs, and registry access.
- The AMLA Regulation (Regulation (EU) 2024/1620) created the new authority described above.
A note on naming: the "6AMLD" section below is about the earlier Directive (EU) 2018/1673, a criminal-law directive active since 2020. The 2024 package's directive is a separate, newer law. Both still matter, because the 2018 directive keeps applying until the new package takes effect in 2027.

Sixth Anti-Money Laundering Directive (6AMLD)
The 6AMLD was a major step in the EU's work against money laundering and terrorist financing. It was enacted in October 2018 and activated on 3 December 2020. Building on the Fourth and Fifth AML Directives, it brought in criminal legislation to sharpen the EU's response to financial crime.
Its provisions include standard definitions of money laundering offences, criminal liability for legal entities, and tougher penalties, including possible exclusion from public aid and judicial procedure. It also began to address virtual currencies by setting uniform rules for investigative tools and jurisdiction, an area the EU has since taken much further through the dedicated crypto rules below.
Crypto-Asset Rules: MiCA and the Travel Rule (TFR)
When this article was first written, virtual assets were covered only indirectly. That is no longer true. On 30 December 2024, the licensing rules of the Markets in Crypto-Assets Regulation (MiCA) came into force for crypto-asset service providers (CASPs). On the same day, the recast Transfer of Funds Regulation (TFR, Regulation (EU) 2023/1113) made the "Travel Rule" fully apply to crypto transfers, with no grace period. CASPs now have to collect and pass on originator and beneficiary information for crypto transfers of any amount, with extra checks on self-hosted wallet transfers above €1,000. Since the rule turns on knowing who sits on the other side of a transfer, confirming a counterparty's bank details is part of the job, and our free SWIFT/BIC Checker does exactly that across 200+ countries. Firms that operated under earlier national regimes can rely on a MiCA transitional period until 1 July 2026 at the latest, which matters for any business handling crypto and digital assets.
Market Abuse Directive/Regulation (MAD/MAR)
The MAD and the later MAR protect the integrity of European financial markets and support investor trust. Market abuse, which covers insider dealing, unauthorised disclosure of inside information, and market manipulation, is banned under these rules.
MAR keeps European markets efficient and transparent and gives operators across member states a level playing field. Unlike MAD, it reaches trading platforms such as Multilateral Trading Facilities (MTFs) and Organised Trading Facilities (OTFs), as well as emission allowances, and it gives national authorities real investigatory and sanctioning powers. MAD, published in 2003, laid the groundwork; MAR is the broader update that reflects how markets have changed since.
Payment Services Directive 2 (PSD2), and the incoming PSD3/PSR
PSD2 was proposed in 2013 as an update to the original PSD. It set out to improve consumer protection, open up competition, and make the payments market more secure, and it opened banks' payment services to Third Party Payment Services Providers (TPPs). It harmonised two key services, Payment Initiation Services (PIS) and Account Information Services (AIS), so customers can see their finances in one place and pay online through banking interfaces. PSD2 also brought in Strong Customer Authentication (SCA), which requires two-factor authentication for online banking.
PSD2 is not the last word. In June 2023 the Commission proposed a successor, the third Payment Services Directive (PSD3) and a new Payment Services Regulation (PSR), and EU legislators reached a provisional political agreement on 27 November 2025. After formal adoption in 2026, the PSR is expected to apply directly while PSD3 is transposed nationally, with most rules likely to take effect around 2028. The reforms strengthen fraud prevention, including reimbursement rules for some scams, tighten SCA, and bring the rules further into line across member states.
General Data Protection Regulation (GDPR)
The GDPR protects the personal data of people in the EU. It gives individuals control over their information and puts strict duties on the organisations that handle it. A firm needs a lawful basis to collect, process, and store personal data, and it has to be clear about why it uses that data.
For AML and KYC programs this creates a balancing act. A firm has to keep the data it needs to meet its AML duties while respecting the GDPR's rules on data minimisation and retention. Getting it wrong carries heavy penalties.
Considerations for EU Regulations: Due Diligence
Meeting the rules of the 6AMLD, and from 2027 the AMLR single rulebook, matters for every company operating in the EU. MAD/MAR compliance means staying alert to market abuse and reporting it, while PSD2, the coming PSD3/PSR, and the GDPR shape how payments and personal data have to be handled.
In practice it comes down to strong AML and Know Your Customer (KYC) measures, built on Customer Due Diligence (CDD) and, for higher-risk cases, Enhanced Due Diligence (EDD).
Innovative Solutions for CDD and EDD Measures
A strong CDD process moves through a handful of stages, and each one is easier to picture by trying it. It begins with confirming who the customer is and checking them against sanctions and watchlists, which is the core of any AML screening program. To see what that check actually returns, our free Sanction Check searches OFAC, UK, and EU lists against a name in seconds, with no login.
The next question is how much risk the customer brings. Part of the answer is whether they are a politically exposed person, which the free PEP Check settles against Class 1 and Class 2 lists, and part is putting a number on their overall exposure before you move to a full Customer Risk Assessment.
Customers linked to high-risk third countries call for a closer look, and negative news is often where the first warning sign appears. The free Adverse Media Check scans a name for negative coverage, and in a live program that runs continuously rather than as a one-off. From there the picture is completed by watching transactions over time and, for company customers, tracing the people who really own and control the business.
Sanction Scanner brings these steps together in one platform, built to keep up with how fast the EU framework is changing. You can request a demo to see it in practice.
Sources
- European Commission, Anti-Money Laundering and Countering the Financing of Terrorism (EU level)
- EUR-Lex, Regulation (EU) 2024/1624 (AMLR)
- EUR-Lex, Directive (EU) 2024/1640 (AMLD6)
- EUR-Lex, Regulation (EU) 2024/1620 (establishing AMLA)
- EUR-Lex, Regulation (EU) 2023/1113 (Transfer of Funds / Travel Rule)
- European Parliament, Payment services deal (PSD3/PSR), 27 November 2025
- AMLA, Anti-Money Laundering Authority
