Whistleblowing | Workplace Compliance
EU Anti-Money Laundering (AML) Framework
A consolidated set of anti-money laundering rules for the EU, introducing harmonized due diligence, beneficial ownership, and expanded reporting standards under the EU Whistleblower Directive.
Table of contents
What Is the EU Anti-Money Laundering Framework?
The EU's primary anti-money laundering framework consists of three legislative acts introduced in 2024: the Anti-Money Laundering Regulation (AMLR), the Sixth AML Directive (AMLD6), and the Anti-Money Laundering Authority Regulation (AMLAR). Most obligations under the framework apply from 10 July 2027.
Key EU AML Framework Provisions | |
AMLR | The directly applicable Single Rulebook that establishes harmonized customer due diligence, beneficial ownership, and internal control obligations. |
AMLD6 | Sets the national supervisory and institutional framework, including financial intelligence unit powers and beneficial ownership registers, and amends the EU Whistleblower Directive. |
AMLA Regulation | Establishes the EU Authority for Anti-Money Laundering, headquartered in Frankfurt, with direct supervisory powers over up to 40 high-risk cross-border entities from 2028. |
Harmonized Beneficial Ownership Threshold | A beneficial owner is defined EU-wide as anyone holding at least 25% of ownership interest or voting rights, with a lower threshold of 15% possible in high-risk sectors. |
EU-Wide Cash Payment Limit | A single cap of €10,000 on cash payments, with member states free to set a lower national threshold. |
The Framework builds on and replaces the Fourth AML Directive (AMLD4), as amended by the Fifth AML Directive (AMLD5), both of which are consolidated in Directive (EU) 2015/849. A separate criminal-law instrument, Directive (EU) 2018/1673, addresses money laundering as a criminal offense and remains in force alongside the new framework rather than being replaced.
Unlike the directives it replaced, the AMLR is a directly applicable EU law. This means the same core obligations apply uniformly to covered organizations, known as Obliged Entities, across all member states rather than being implemented through separate national laws.
Obliged Entities include:
- Credit and financial institutions
- Crypto-asset service providers
- Crowdfunding platforms
- Consumer credit providers
- Traders in high-value goods
- Professional football clubs and agents
- Non-financial businesses and professions
Who Is Responsible for the EU AML Framework?
The Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) will directly supervise up to 40 selected high-risk, cross-border financial institutions starting in 2028, and coordinate national supervisors and financial intelligence units (FIUs) across the EU.
National competent authorities in each member state will continue to oversee Obliged Entities outside the AMLA’s direct remit, with AMLD6 setting the minimum powers and structure that national authorities must have.
What Are the Possible Penalties Under the EU AML Framework?
AMLD6 requires member states to set penalties for breaches, with national laws expected to combine existing sanction regimes with new thresholds introduced by the framework for serious, repeated, or systematic violations. Because penalties are set through national transposition, rather than directly in the AMLR, exact fine amounts vary by member state.
Separately, AMLA will be able to take direct supervisory and enforcement action against the highest-risk entities under its remit once its direct supervision powers begin in 2028.
What Does the EU Anti-Money Laundering Framework Require?
Under the Framework, Obliged Entities must appoint a compliance manager at the management-body level who is responsible for ensuring the organization’s AML/CFT policies, procedures, and controls align with its risk exposure, and who has sufficient human and material resources to perform that role.
Customer due diligence obligations are harmonized across the EU, including a standardized approach to identifying and verifying beneficial owners at the 25% threshold, enhanced due diligence for politically exposed persons and high-risk third-country relationships, and a five-working-day deadline to respond to FIU information requests once AMLR fully applies.
Organizations should also expect business-wide risk assessment obligations to evolve. AMLA's guidelines on minimum risk assessment content and risk factors were due by 10 July 2026. However, AMLA opened its public consultation on the draft guidelines in April 2026, with the consultation period running until 15 July 2026.
As a result, the final guidelines are now expected in Q4 2026. Obliged Entities should treat the current EBA guidance as the interim standard until AMLA's guidelines are finalized.
If an organization falls into one of the newly obliged sectors, such as crypto-asset service providers already authorized under the EU’s Markets in Crypto-Assets Regulation, crowdfunding platforms, or high-value goods dealers, it should not assume continuity with any prior national exemption, because the AMLR’s scope is set centrally, rather than at the national level.
Why Is the EU Anti-Money Laundering Framework Important?
The shift from a directive-based anti-money laundering patchwork to a directly applicable regulation removes the inconsistency that previously allowed Obliged Entities to benefit from weaker implementation in some member states.
With AMLA now operational and gaining direct supervisory powers over the highest-risk institutions as of 2028, organizations that treat this as a distant deadline rather than an active preparation window risk being caught unprepared when technical standards change in 2026.
Since AMLD6 explicitly integrates AML/CFT whistleblowing obligations into the EU Whistleblower Directive’s protections, internal reporting channels designed for general compliance concerns now need to account for specific escalation paths and the heightened confidentiality associated with financial crime reporting.
How FaceUp Helps Comply with the EU AML Framework
Because AMLD6 extends the EU Whistleblower Directive's protections to AML/CFT reporting, Obliged Entities need a confidential reporting channel that supports anonymous reporting, end-to-end encryption, and role-based case routing for reports related to money laundering and terrorist financing.
FaceUp helps organizations meet these requirements with an easy-to-use platform that can be deployed in as little as two hours, with multi-channel intake via web forms, 24/7 hotlines, and iOS/Android mobile apps in 113 languages.
Centralized case management with a full audit trail supports the documented internal control environment that your compliance manager needs to demonstrate to supervisors, whether a national competent authority today or AMLA after 2028.
Quick Facts
Full legislation
Applies to
Financial institutions, crypto-asset service providers, and a broadening range of non-financial obliged entities across the EU.
Penalties
Established through national transposition of AMLD6, with new EU-wide minimum sanction thresholds for serious, repeated, or systematic violations.
The FaceUp Solution
FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

Fully Anonymous Reporting
Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.
Mobile-First Accessibility
No IP storage, no device IDs, encrypted submissions
Customizable forms, categories, routing rules, and more

Customizable Case Management
Create an easily verifiable audit trail through a customizable case management system with automatic routing.
Supports multiple locations, subsidiaries, or units
Entity-specific routing and access permissions
Optional notifications via email, Teams, or Slack

Real-Time Data Analytics
Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.
Filter by category, region, channel, and more
Share without revealing sensitive information
ISO 27001 and SOC 2-certified local servers