AML/CFT – Overview of the new AML/CFT package

AML/CFT – Overview of the new AML/CFT package

1. Introduction:

In July 2021, the European Commission presented a new package of legislative proposals to strengthen the measures against money laundering and financing of terrorism across the European Union. This package consists of a Regulation establishing the new EU Anti-Money Laundering Authority (AMLA), an Anti-Money Laundering Directive 6 (AMLD6), a new Regulation of directly applicable rules on Anti-Money Laundering and Countering the Financing of Terrorism (AMLR) and a revised version of the 2015 Transfers of Funds Regulation (TFR).

2. Objectives:

The package aims to improve the means for detection of suspicious transactions and close loopholes in the financial system that could be exploited by criminals to launder the proceeds of illicit activities or finance terrorism. The main objectives of the proposed instruments are to:

  • Substitute national regimes with a directly applicable EU framework that will facilitate compliance with Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) rules, especially for cross-border financial sector ‘obliged entities’.
  • Create a more rigid and integrated approach to supervision by establishing clear rules on cooperation and coordination between Financial Intelligence Units (FIUs) and a new overseeing Anti-Money Laundering Authority at EU level.
  • Take into account emerging challenges to the financial system posed by technological innovation in the sector and in particular the uptake of crypto-assets.
  • Achieve higher level of global convergence by incorporating international standards in the area of AML/CFT set by the Financial Action Task Force (FATF).


3. Summary of new rules:

The proposal for a Regulation establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism aims to address the current shortcomings of AML and CFT supervision throughout the Union, which arise out of divergent risk assessment methodologies and resource availability across Member States (MS). To achieve this, the AMLA will help coordinate the efforts of financial supervisors and FIUs, improving the information exchange between them as well as taking over direct supervision over some of the riskiest cross-border financial sector ‘obliged entities’. The proposed Regulation specifies how the new AMLA will be funded, its governance structure, tasks and powers. The Regulation envisaged that the AMLA would be established at the beginning of 2023 and become fully functional by early 2026. The establishment of AMLA is now expected to take place in 2024, while it is still expected to be fully functional by 2026.

The new Anti-Money Laundering Regulation proposal attempts to fulfil the objective of establishing a single EU rulebook on AML/CFT. In order to avoid fragmentation and diverging interpretations of the AMLD, which could burden cross-border service providers, the proposed Regulation makes all rules that apply to the private sector directly applicable in Member States’ jurisdictions. However, the Regulation goes further than simply transferring rules from the existing AMLD5, introducing a number of changes. They include increasing the list of ‘obliged entities’ to include crypto-asset service providers and crowdfunding platforms, clarifying the requirements on internal policies, controls and customer due diligence, reinforcing beneficial ownership requirements to mitigate the risk that criminals hide behind intermediaries, prohibiting the provision and custody of anonymous crypto-asset wallets, introducing requirements for the processing of certain categories of personal data in compliance with the General Data Protection Regulation (GDPR) as well as adopting measures to limit the use of large cash transactions and the misuse of bearer instruments.

The Anti-Money Laundering Directive 6 (AMLD6) proposal builds on the current AMLD5, primarily in the area of institutional cooperation within the EU. It establishes a new format for submission of beneficial ownership information, creates a single access point for already existing bank account holder identification registries, puts in place provisions on information exchange between FIUs and other competent authorities and clarifies FIUs’ powers to suspend suspicious transactions and bank accounts. Lastly, the AMLD6 contains cooperation obligations for different Member States’ authorities to work with the new AMLA and to make annual reports regarding their cooperation among each other. Unlike AMLD5, the AMLD6 proposal contains no provisions concerning private entities. Instead, these have been transferred to the complementing AMLR in an attempt to achieve full legislative harmonisation in the field. If the new regime is adopted by the EU Parliament, the recast of the AMLD will address solely Member States as to the results they must achieve regarding the powers and obligations of supervisory bodies. This approach aims to maintain a higher level of MS flexibility when it comes to setting up the organisational aspects of their public administrative bodies.

Finally, the revision of the 2015 Transfer of Funds Regulation will complement its predecessor to improve the traceability of fund transfers within the EU by including crypto-asset transfers within its scope. The amendments are consistent with the latest issue of the FATF’s recommendations and in particular in relation to the extension of the requirements on information accompanying the transfers of funds (also known as the ‘travel rule’) to crypto-asset service providers (CASPs) within the ambit of AML/CFT measures. Essentially, CASPs will have to ensure that their fund transfers, in both fiat currencies and crypto-assets, are accompanied by information identifying the originator and beneficiary, whenever a traditional wire transfer or a crypto-asset transfer between a CASP and another obliged entity takes place. Furthermore, CASPs will need to implement procedures to detect whether the information provided by their corresponding intermediary is correct. The TFR amendments are considered as one of the more controversial parts of the new AML package by the crypto industry, since they are bound to increase compliance costs and could potentially impact the ability of CASPs to interact with self-hosted wallets. A notable addition by the EU Parliament to the definitive version of the revision of the 2015 Transfer of Funds Regulation is an amendment of the currently applicable AMLD, to the effect that the registration requirement for providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, no longer applies.

4. Data protection concerns:

Data protection has been identified as a weak spot of the AML package proposal. In that regard, the European Data Protection Board (EDPB), an independent European body tasked with ensuring the consistent application of the General Data Protection Regulation (GDPR), sent letters to the European Commission, Council and Parliament, on the 20th of May 2022 and on the 28th of March 2023.

The letter from the EDPB on the 20th of May 2022 suggests amendments to the AML proposals designed to bring them in line with the principles of data accuracy and minimisation. Specifically, the EDPB addressed the limits and conditions on processing special categories of personal data[1] and data relating to the criminal convictions of individuals.

According to the EDPB, the current version of the AMLR proposal contains certain omissions that put the privacy rights of individuals in jeopardy. For example, the AMLR proposal does not specify the types of special categories of personal data that can be processed by ‘obliged entities’ for the purpose of preventing money laundering. This is not in line with the GDPR’s data minimisation principle, since it would allow ‘obliged entities’ to process all special categories of personal data, even those that are not necessary for the purposes pursued, such as information on trade union membership, personal health or even sexual orientation.

Similarly, with regard to the processing of information relating to the criminal record of individuals, the EDPB expressed serious concerns that the AMLR allows ‘obliged entities’ to process not only convictions but also allegations. It considered that this approach raises significant risks for individuals, since it would potentially permit banks and other vital financial institutions to cease dealings with people on the basis of claims that may or may not be properly substantiated. Moreover, the EDPB turned its attention to the fact that the AMLR does not specify the sources from which information regarding allegations should be collected. Therefore, the EDPB advised that the proposal should be amended so as to require ‘obliged entities’ to make a distinction between allegations and judicial proceedings, taking into consideration the right to a fair trial and the presumption of innocence. Furthermore, the EDPB expressed the opinion that ‘obliged entities’ should be required to adopt strict internal measures for safeguarding the privacy of their clients, including access restrictions, encryption and disassociation, which would avoid unauthorised leaks of personal information.

The letter from the EDPB on the 28th of March 2023 addresses concerns related to the proportionality, the necessity and the quality of certain provisions in the AML proposals. The EDPB states in its letter that legislative measures that limit the fundamental rights to privacy and to the protection of personal data should not constitute a disproportionate interference to the exercise of these rights, and that the impact of some provisions on the fundamental rights to privacy and to the protection of personal data would be particularly high. Additionally, legislative measures that limit these fundamental rights must be necessary. The effectiveness of the proposed measures in comparison with less intrusive measures must be reviewed. However, the EDPB notes that no impact assessment was made. Lastly, the EDPB has some concerns related to the quality of provisions limiting these fundamental rights. The EDPB considers in that regard that the provisions on data sharing in the AML proposals do not provide adequate safeguards for data subjects. In consideration of these concerns, the EDPB urges the legislators not to include articles 54(3a), 55(5), and 55(7) in the final text of the AMLR.

5. Legislative procedure:

The revised version of the TFR is being discussed separately from the AMLA Regulation, AMLR and AMLD6. According to the rapporteurs of the proposal, the procedure has been decoupled from the rest in order to ensure CASPs’ speedier compliance with the ‘travel rule’. This fact reflects the perceived seriousness of the threat identified by legislators and their strong desire to align with international FATF recommendations promptly. On the 29th of June 2022, negotiators from the Council presidency and the EU Parliament reached a provisional agreement on the proposal. On the 5th of October 2022, the provisional agreement was endorsed by the Council of the EU and on the 10th of October 2022, the committees of the EU Parliament voted overwhelmingly in favour of the agreed text. On the 20th of April 2023, the official text of the revised version of the TFR was adopted.

On the 28th of March 2023, amendments to the proposals for AMLA Regulation, AMLR and AMLD6 have been suggested by the EU Parliament. Next, the EU Parliament and the Commission will seek the approval of the Council, possibly by undergoing trilogue [2] first. If the Council accepts the position of the EU Parliament as it is, the legislative acts will be adopted; if, on the other hand, the Council introduces amendments to a proposal, the proposal will return to the EU Parliament for a second reading and another round of voting.

Series of blogs AML/CFT

In July 2021, the European Commission presented a new package of legislative proposals to tighten measures against money laundering and terrorist financing across the European Union. The new EU anti-money laundering and counter-terrorist financing (AML/CFT) rules will be extended to the entire crypto sector. In this blog series, we will therefore discuss in detail various topics that may be of interest.

The following topics are covered:

  • Overview of the new AML/CFT package
  • Transfer of Funds Regulation Amendments
  • Anti-Money Laundering Regulation & Directive 6
  • Anti-Money Laundering Authority Regulation



If you have any questions about the AML/CFT package, please contact Willem-Jan Smits or Rens Kattenbelt. Our team is ready to help you.


[1] According to the GDPR, special categories of personal data are considered all information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
[2] A trilogue is an informal negotiation attended by representatives of the European Parliament, the Council of the European Union and the European Commission, in which the aim is to reach a provisional agreement on a legislative proposal that is acceptable to both the Parliament and the Council, the co-legislators.