Single Regulation · Obligations of obliged entities
AMLR: The European regulation to be directly applicable from 10 July 2027
Regulation (EU) 2024/1624 establishes a common baseline of AML/CFT rules for obliged entities: governance, risk assessment, KYC due diligence, beneficial ownership, ongoing monitoring, suspicious transaction reports and record keeping.
AMLR represents one of the most significant developments in the European framework for combating money laundering and terrorist financing. By placing many of the obligations of professionals into directly applicable regulation, the European Union seeks to reduce the divergences resulting from national transpositions.
A directly applicable regulation, but not isolated from national law
Regulation (EU) 2024/1624 was published on 19 June 2024. Article 90 provides that it is binding in its entirety and directly applicable in each Member State.
The majority of its provisions will apply from 10 July 2027. The provisions applicable to football agents and professional football clubs falling within the scope of the regulations shall apply from 10 July 2029, subject to the conditions and possibilities of exemption provided for in the text.
A broad and precisely defined scope
Article 3 distinguishes between credit institutions, financial institutions and several categories of non-financial professionals, businesses and activities. The scope covers, in particular, subject to the definitions and conditions of the regulation:
- credit institutions and financial institutions ;
- crypto-asset service providers falling within the targeted categories; ;
- certains types de financement participatif ;
- the auditors, external accountants and certain tax advisors; ;
- certain professional activities carried out by notaries, lawyers and other legal professionals; ;
- service providers to companies or trusts; ;
- property professionals ;
- gambling and betting service providers; ;
- certains négociants de biens de grande valeur et de biens culturels ;
- football agents and certain professional football clubs from 2029.
Subordination must never be determined solely on the basis of a trade name. The actual activity carried out, the definitions, thresholds, conditions and exemptions provided for by the regulation, and, where applicable, national measures must be examined.
Governance, internal controls and risk analysis
Articles 9 to 12 strengthen and harmonise the internal organisation requirements for obliged entities. Policies, procedures and controls must be written, and proportionate to the nature, complexity, size and risk profile of the organisation.
The device must include, among other things:
- enterprise-wide risk assessment ;
- Customer due diligence and ongoing monitoring. ;
- the detection and reporting of suspicious operations or activities; ;
- the conservation of documents and data processing ;
- internal controls and independent review of the system; ;
- the selection, awareness-raising and training of the employees concerned; ;
- outsourcing and recourse to other taxable entities ;
- the correction of identified shortcomings.
The enterprise-wide risk assessment must cover the risks of money laundering and terrorist financing. It must also integrate risks related to the non-implementation or circumvention of targeted financial sanctions.
It must be documented, kept up to date and reviewed when internal or external events significantly alter the organisation's exposure. Risks must also be assessed before the launch of new products, services, channels, technologies or business practices.
Customer vigilance and ongoing monitoring
The AMLR requires the implementation of vigilance measures in situations provided for by its Article 19, particularly when establishing a business relationship and when carrying out an occasional transaction reaching the general threshold of 10,000 euros, in a single transaction or through related transactions.
Vigilance is also required in the event of suspected money laundering or terrorism financing, regardless of any threshold, as well as in the presence of doubts about the accuracy or relevance of previously obtained identification information.
Initial measurements
Identify and verify the client, identify the beneficial owner, understand the ownership and control structure, as well as the intended object and nature of the relationship.
Tracking over time
Review operations throughout the relationship and verify their consistency with the client's knowledge, activities, and risk profile.
Measures must be proportionate to the risk. Situations presenting a higher risk require enhanced measures. Simplified measures may only be applied when the legal conditions are met and a lower risk level has been established.
Where the entity cannot fulfil its due diligence obligations, it must apply the consequences provided for by the regulations, particularly regarding the refusal or termination of the relationship, and consider whether a report to the CRF is required.
Beneficial owners: ownership and control must be examined
The beneficial owner is a natural person who owns or controls, directly or indirectly, a legal entity or legal arrangement falling within the scope of the Regulation.
For legal entities, the analysis must examine both the property and the control exercised by other means.Article 52, for the general ownership criterion, provides for a holding of 25 % or more in shares, voting rights or other property rights.
When, after exhausting all possible means, no beneficial owner can be identified or doubt remains, the obliged entity must document this situation and apply the procedure for identifying senior managing officials. This procedure does not automatically transform the senior managing officials concerned into beneficial owners.
The information contained in a central register is a useful source, but it does not replace the obligation to understand and verify the client's ownership and control structure.
Suspicious activity reports and document retention
Article 69 requires the reporting entity to promptly transmit a report to the competent FIU when it knows, suspects, or has reasonable grounds to suspect that funds or activities are linked to criminal activity or terrorist financing.
The obligation does not depend on the amount of the transaction. It may concern executed transactions, attempted transactions, or suspicions resulting from the inability to carry out due diligence measures.
Article 77 sets at Five years the standard retention period for vigilance information, documents and items necessary for the identification and reconstruction of operations.
A competent authority may, on a case-by-case basis, impose an additional period where it is necessary for the prevention, detection, investigation or prosecution of offences. This extension may not exceed five additional years.
A European limit for large cash payments
Article 80 prohibits persons who market goods or provide services from accepting or making a cash payment of an amount in excess of 10,000 euros. The rule also targets several operations that appear to be related.
Member States may maintain or introduce a lower national limit. A company operating in several countries cannot therefore assume that payments up to €10,000 are permitted everywhere.
The European ban does not apply to payments between private individuals who are not acting in a professional capacity. The regulation also provides for specific conditions for certain transactions carried out with financial institutions; the full text should be consulted when a situation falls under these provisions.
How to prepare for the July 2027 deadline?
The following measures constitute recommended preparatory work. They are not to be presented as obligations applicable before their legal date of entry into force.
- confirm the scope of application for each group entity; ;
- compare the current setup with the AMLR definitive requirements; ;
- review the methods for identifying beneficial owners; ;
- verify the quality, accuracy and availability of KYC data ;
- update the overall risk analysis and classification methodologies; ;
- review the governance, responsibilities and resources of the compliance function; ;
- to test transaction monitoring and alert processing devices; ;
- to adapt procedures related to declarations, retention and cash payments; ;
- Plan the update of employee and management training.
Prepare your device for the AMLR application
ARCAD can assist you with the review of your procedures, risk analyses, KYC files, controls, responsibilities, and remediation plans.
Official sources
- Regulation (EU) 2024/1624 — Official text on EUR-Lex
- Official EUR-Lex summary of Regulation (EU) 2024/1624
Scope of the article Summary of the European Union's legal framework, checked on 15 July 2026. It does not replace the reading of the full provisions, future European implementing acts or applicable national rules where the regulation permits a local measure.