Despite the EU’s ambition to standardize and streamline AML rules, including an increase in cross-border data sharing and tighter due diligence, companies are operating within a fragmented environment. TMF Group’s Aynsley Vaughan looks at how a legacy of directive-based transposition means that AML requirements still vary substantially across the European Union and why companies should prepare early for the new package entering into force next year.
Money laundering poses a significant challenge to global economies, with one study citing annual losses of more than $5 trillion.
Regulators are stepping up efforts to combat the threat. Last summer, the Anti-Money Laundering Authority (AMLA) started its work as the European Commission prepares its latest AML package, consisting of the new European Union AML regulation (AMLR) and sixth anti-money laundering directive (6AMLD).
It enters into force July 10, 2027, strengthening EU AML rules, harmonizing requirements across member states and closing existing legal gaps. It reflects the European Commission’s wider aim of applying a single, simple set of rules that govern European companies, as outlined by President Ursula von der Leyen at the World Economic Forum in Davos in January 2026.
However, years of divergent national transpositions on the back of the fifth anti-money laundering directive (5AMLD) are still shaping companies’ day-to-day AML and ultimate beneficial owner (UBO) reporting obligations, creating complexity even as the EU moves toward a directly applicable regulation.
Multinationals must begin balancing requirements with the upcoming package now, rather than waiting until 2027.
Unpacking the challenges of the current landscape
The first thing for firms to consider is how they keep on top of existing complexities to counter operational risks. Mapping, and then navigating, local AML specifics remains essential in the short term, despite the promise of EU harmonization.
Under 5AMLD, we have seen intensifying scrutiny, particularly for foreign-owned businesses, with UBO filings increasingly implemented across jurisdictions. And we have seen the same EU-level directive interpreted and implemented differently across member states.
While firms wait for the new AML package, they must operate under a patchwork of still-active requirements that vary significantly by jurisdiction in terms of registry ownership, definitions for UBO identification,and reporting routes and frequencies for UBO updates. There are often dual reporting obligations where a company needs to report to the trade register or tax authority that owns the UBO database and also fulfill a reporting requirement to the country’s banks.
For example, in Hungary, the ownership and maintenance of the UBO database sits with the country’s tax authority, but in Bulgaria, it’s the trade register. Both countries prioritize ongoing monitoring with no requirement for an annual filing. In Austria, companies must report on an annual basis, as well as informing the tax authority, which owns the database, within four weeks of any change to UBO information. Belgium mirrors Austria, with mandatory annual reporting as well as a requirement to update the ministry of finance, which maintains the database, whenever there is an update.
As well as operational risks, discrepancies across markets create inconsistent expectations from banks and authorities and more friction for cross-border groups. This adds to administrative burdens, as well as generating higher costs, including financial penalties for noncompliance, which also lead to reputational damage.
How to prepare for integration?
The new AML package will replace the current directive-based system (although 6AMLD will still need to be written into national laws), marking a shift from fragmented national transpositions to a single, harmonized rulebook that improves data-sharing arrangements across borders.
It extends the scope into cybercrime and environmental crime, while also setting a new standard for access to UBO registers, bringing much-needed clarity with access granted to those who can demonstrate legitimate interest, including lawyers, notaries and journalists. Member states are preparing; for example, the Dutch government introduced the Amendment Act on Restricting Access to UBO Registers in July 2025, formalizing a restricted access model that will become fully operational this year.
The EU’s AMLA sits at the heart of the reforms. Starting from Jan. 1, 2028, it will directly supervise 40 high-risk financial institutions and support national authorities in fighting money laundering. It will ensure unified standards and help coordinate cross-border cases by national financial intelligence units (FIUs).
The main provisions that compliance teams should familiarize themselves with include:
- Stricter due diligence. Companies will have to more precisely identify, verify and continuously monitor the UBOs of their business partners. The threshold for customer due diligence (CDD) will be lowered to 10,000 euros. The AMLR will impose a five-day deadline for responding to FIU requests, and suspicious activity reports must be submitted promptly and reliably.
- Limits on cash payments. There will be an upper limit of 10,000 euros for cash payments in the business sector. In addition, obliged entities will have to verify and identify their customers for cash payments of 3,000 euros and above.
- Additional obligated parties. The AMLR widens the list to include crypto-asset providers, crowdfunding platforms, professional football clubs and agents and traders of high-value goods, including precious metals and gemstones, to reflect the changing composition of the global economy.
- A defined definition and threshold for beneficial ownership. A beneficial owner will be anyone with at least 25% ownership, voting rights or other ownership interests in a company.
While the new package seeks to harmonize, it will also increase compliance through its broader scope, uniform standards and centralized supervision.
From MiCA to FATF: How Regional Regulatory Approaches Reflect Domestic Priorities Over Coordination
Financial products and operational processes should be designed to adapt rapidly to new requirements without extensive rebuilding through agile internal processes
Read moreDetailsWhat should companies be doing now?
It’s imperative for compliance teams to familiarize themselves with implementation deadlines. They should review the new rules and prepare early for new requirements by reviewing ownership structures for their EU entities. They should align on who is responsible for maintaining this data, which should be accurate, accessible and up to date so it can inform the design and implementation of a plan to become compliant.
There are a number of steps they can take to ensure they are ready for the new rules:
- Conduct a gap analysis. Compliance teams should conduct a thorough assessment encompassing current local requirements and upcoming requirements, covering both existing locations and any planned European expansion. They should benchmark their current AML policies, procedures and controls against the new AMLR requirements to develop a roadmap of necessary changes for 2027.
- Strengthen internal governance. Covered entities will be required to appoint a specific compliance manager, with the role distinct from existing compliance officers. The compliance manager will be tasked with ensuring that internal policies align with the firm’s risk exposure and that adequate resources are available. As well as designating specific personnel who will be responsible for AMLR compliance, they should consider forming “interpretation councils” or other suitable governance structures to help navigate the detailed and directly applicable new rules.
- Prepare the tech stack. Firms should update their IT systems to be able to collect, manage and report the range of new data points required by the AMLR. One option is to implement automated, real-time screening tools that help to reduce manual errors. If a group is operating across the EU, it should ensure these systems can support information sharing both across entities and with authorities.
- Review CDD and KYC capabilities. Compliance teams should also update their company’s KYC procedures to meet stricter standards, including the more rigorous identification of beneficial owners and digital onboarding capabilities. The AMLR elevates remote, digital onboarding from a peripheral practice to a core element of compliance. This includes mandatory integration with eIDAS 2.0, requiring covered entities to accept the upcoming European digital identity wallet for customer identification and verification.
- Put a greater emphasis on training. Complying with the AMLR requires a shift from annual training to more proactive, role-specific and ongoing efforts. It’s important to train staff to identify emerging money laundering tactics, such as crypto-asset layering, rather than just focusing on transaction thresholds.
Companies should also expect delays. For example, banks will have to adapt from a 5AMLD environment to a new operating environment, which will impact cross-border transactions.
While the EU moves toward simplification, the coming years will be complicated. Multinationals must find the agility to comply with current obligations while preparing for new ones. It will be double the workload and double the focus but ultimately the path to helpful harmonization.
Aynsley Vaughan is global head of the global entity management, accounting and tax service practice at TMF Group. She has over 22 years’ experience in the financial services sector working in both the onshore and offshore markets. 
