Anti-Money Laundering Regulation (EU) 2024/1624 — Preventio

Does my business need a full KYC programme by July 2027 — and what happens if we are caught without one?

Every credit institution, financial institution, crypto-asset service provider, real-estate agent, lawyer and auditor in the EU must apply directly binding customer due diligence, beneficial-ownership and suspicious-transaction rules from 10 July 2027 — with administrative sanctions under the companion Directive (EU) 2024/1640 reaching up to EUR 10 million or 10 % of annual turnover for the most serious breaches.

Short Answer

Regulation (EU) 2024/1624 replaces the patchwork of national transpositions under the former Anti-Money Laundering Directives with a single, directly applicable rulebook [Art. 1]. It prescribes harmonised customer due diligence (CDD) obligations, including identification and verification of beneficial owners at a 25 % threshold [Art. 52], enhanced due diligence for high-risk third countries [Art. 29] and complex transactions [Art. 34], and an EU-wide cash payment ceiling at EUR 10 000 [Art. 80]. The Regulation also brings crypto-asset service providers squarely within scope [Art. 3] and establishes a new EU authority (AMLA) to coordinate supervision across Member States [Recital 3].

Who is affected

Obliged entities listed in Art. 3 include: credit institutions, financial institutions, insurance intermediaries handling funds, crypto-asset service providers, auditors, external accountants, tax advisors, notaries, lawyers (when acting in specified financial or real-estate transactions), trust and company service providers, real-estate agents (transactions of EUR 10 000 or more), dealers in precious metals, stones and cultural goods (EUR 10 000+), gambling service providers, crowdfunding platforms, and mixed-activity holding companies with at least one obliged-entity subsidiary.

Deadline

General application date: 10 July 2027. For obliged entities under Art. 3(3)(n) and (o) (certain professional football clubs and agents), application is deferred to 10 July 2029 [Art. 90]. AMLA guidelines on risk variables and regulatory technical standards are due by 10 July 2026 [Art. 20(3), Art. 28(1)]. Commission review of the 25 % beneficial-ownership threshold and other calibrations due by 10 July 2030 [Art. 88].

Risk

Administrative sanctions are governed by companion Directive (EU) 2024/1640. For the most serious infringements, supervisory authorities may impose fines of up to EUR 10 million or 10 % of total annual turnover, whichever is higher. Natural persons face fines of up to EUR 5 million. Non-compliance also exposes obliged entities to criminal liability under Member State law implementing Directive (EU) 2018/1673 on money laundering offences.

Proof

Legal status

• In force
• as of 2026-04-17
• Original version as published in OJ L, 19.6.2024

Primary sources

• EUR-Lex — Full text of the legal act
• European Commission — Anti-money laundering — EU AML policy framework

What to do now

Legal / DPO

•Map every business unit against the obliged-entity categories in Art. 3 to determine which teams, subsidiaries and service lines fall within scope — including crypto-asset operations and mixed-activity holding structures.
•Review all customer and beneficial-ownership records against the 25 % ownership threshold in Art. 52 and the control-via-other-means criteria in Art. 53 to close identification gaps before 10 July 2027.
•Assess existing third-country relationships against the high-risk country lists under Art. 29 and the compliance-weakness designations under Art. 30 to determine where enhanced due diligence is mandatory.

Compliance

•Build or update the internal CDD programme to cover all trigger events in Art. 19 — business-relationship onboarding, occasional transactions above EUR 10 000, and cash transactions above EUR 3 000 [Art. 19(4)].
•Implement enhanced due diligence procedures for complex, unusually large or patternless transactions as required by Art. 34, including senior-management approval and source-of-wealth verification for high-value accounts above EUR 5 000 000 [Art. 34(5)].
•Establish a 14-calendar-day discrepancy-reporting workflow to notify the central beneficial-ownership register whenever CDD findings diverge from registry data [Art. 24].

IT / Security

•Deploy identity-verification systems that support the CDD and EDD data-collection requirements of Art. 20, including automated sanctions screening [Art. 20(1)(d)] and PEP identification [Art. 20(1)(g)].
•Implement access controls and audit logging for all AML/CFT data processing to satisfy the data-protection safeguards in Art. 76, including meaningful human intervention for automated risk-scoring decisions.
•Build secure interfaces for self-hosted crypto-asset address transfers, applying the identification, verification and enhanced-monitoring controls mandated by Art. 40.

Product / Engineering

•Integrate real-time CDD checks into customer onboarding flows so that no business relationship or occasional transaction above EUR 10 000 proceeds without completed identity verification [Art. 19].
•Enforce the EU-wide cash payment limit of EUR 10 000 in all point-of-sale and invoicing systems, with Member State overrides down to EUR 3 000 where applicable [Art. 80].
•Add beneficial-ownership collection screens and ongoing-monitoring dashboards that track the 25 % ownership threshold [Art. 52] and flag changes in control structures [Art. 53].

Key Terms

Obliged entity: Any natural or legal person listed in Art. 3 — including credit and financial institutions, lawyers, notaries, auditors, real-estate agents, crypto-asset service providers — required to apply AML/CFT due diligence and reporting obligations.
Customer Due Diligence (CDD): The mandatory set of identification, verification and ongoing-monitoring measures that obliged entities must apply to customers and their beneficial owners under Art. 19-20 before or during a business relationship.
Enhanced Due Diligence (EDD): Intensified CDD measures required for higher-risk situations — complex transactions, high-risk third countries or high-value accounts — including source-of-wealth checks and senior management approval [Art. 29, Art. 34].
Beneficial owner: Any natural person who ultimately owns or controls a legal entity, identified through a 25 % ownership-interest threshold or control via other means [Art. 51-53].
Politically Exposed Person (PEP): A natural person who is or has been entrusted with a prominent public function, requiring obliged entities to apply additional risk-mitigation measures during CDD [Art. 20(1)(g)].
AMLA: The Authority for Anti-Money Laundering and Countering the Financing of Terrorism, established by Regulation (EU) 2024/1620 to coordinate EU-wide AML/CFT supervision and issue guidelines and standards.
Financial Intelligence Unit (FIU): A national unit responsible for receiving, analysing and disseminating suspicious transaction reports from obliged entities to combat money laundering and terrorist financing.
Self-hosted address: A crypto-asset address not managed by a crypto-asset service provider, subject to specific identification, verification and monitoring requirements under Art. 40.

Frequently Asked Questions

When does Regulation (EU) 2024/1624 apply?

The Regulation enters into force 20 days after publication (9 July 2024) but applies from 10 July 2027 for most obliged entities. Obliged entities under Art. 3(3)(n) and (o) have until 10 July 2029 [Art. 90].

Are crypto-asset service providers covered?

Yes. Art. 3 explicitly includes crypto-asset service providers as obliged entities. They must apply the full CDD, EDD and reporting framework. Art. 40 adds specific requirements for self-hosted address transfers.

What is the beneficial ownership threshold?

A natural person holding — directly or indirectly — 25 % or more of shares, voting rights or other ownership interest qualifies as a beneficial owner [Art. 52(1)]. The Commission may lower this to 15 % for higher-risk entities by 10 July 2029 [Art. 52].

Is there an EU-wide cash payment limit?

Art. 80 establishes a ceiling of EUR 10 000 for cash payments. Member States that already apply a lower limit (down to EUR 3 000) may retain it [Art. 80(2)-(3)]. CDD obligations for cash transactions kick in at EUR 3 000 [Art. 19(4)].

What is AMLA and what role does it play?

The Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) is established by companion Regulation (EU) 2024/1620. It coordinates cross-border AML/CFT supervision, issues binding guidelines and regulatory technical standards, and can directly supervise the highest-risk obliged entities [Recital 3].

What enhanced due diligence is required for high-risk third countries?

When the Commission identifies a country with significant strategic AML/CFT deficiencies under Art. 29, obliged entities must apply the EDD measures listed in Art. 34(4): additional information on customer and beneficial owners, source of funds and wealth verification, senior management approval, and enhanced monitoring.

How does this Regulation differ from the former Anti-Money Laundering Directives?

Unlike the former Directives (EU) 2015/849 and 2018/843, Regulation 2024/1624 is directly applicable in all Member States without national transposition. This eliminates the fragmented national approaches that hampered enforcement under the previous framework [Recital 2].

Assessment Factors & Checklist

Premium

Start 7-day free trial

Questions for Your Lawyer

Premium

Start 7-day free trial

Conclusion & Summary

Premium

Start 7-day free trial

Detailed analysis with source links.

Schalten Sie die KI-Analyse frei — mit markierten Fundstellen und direkten Links zu EUR-Lex. 7 Tage kostenlos testen.

Start 7-day free trial →

Keine Kreditkarte heute. Kündigung jederzeit.