Harmonisation of European money laundering prevention: New compliance obligations and associated challenges

Introduction and background

With the aim of resolutely combating money laundering and terrorist financing, the European Parliament and the European Council implemented new legal regulations on 30 May 2024 that strengthen the protection of citizens and the European financial system. The AML package includes:

• the AML Regulation (EU) 2024/1624 on the prevention of the use of the financial system for money laundering and terrorist financing ("AML-Reg"),
• the AMLA Regulation (EU) 2024/1620 establishing a new EU authority to combat money laundering ("AMLA Reg"),
• the AML Directive (EU) 2024/1640 on the national implementation of supplementary mechanisms ("AML Directive"), and
• amendments to the Regulation (EU) 2023/1113 on transfers of funds ("Money Transfer Reg").

A key component of the AML package is the AML-Reg, which will enter into force on 10 July 2027. The AML-Reg will replace the five money laundering directives currently in force and harmonise the obligations of the private sector within the EU to combat money laundering.

According to the recitals of the AML-Reg, the background to the implementation of an EU-wide AML regulation is to harmonise the anti-money laundering requirements for the private sector. Given that provisions laid down in directives are not directly applicable in EU Member States, but must first be implemented in the national law of EU countries, considerable differences in the implementation of the directives have been identified within the EU Member States. As a result, the EU considered it necessary to regulate the issues uniformly and ensure direct application in order to achieve the desired EU-wide uniformity of application. Furthermore, the harmonisation of the requirements is intended to create a level playing field in the internal market. 

The AML Regulation therefore replaces the patchwork of national AML laws with a uniform, directly applicable set of rules. These include, in particular, uniform customer due diligence (Customer Due Diligence – "CDD") requirements, transparency with regard to beneficial ownership and reporting requirements for suspicious transactions, as well as standardisation of sanctions for violations of the AML-Reg. The most important aspects of the AML-Reg and the current regulations in Germany are presented below. Finally, potential implications for companies based and operating in Germany are outlined.

Current regulatory system in Germany

In Germany, money laundering law is currently regulated in particular by the Act on the Detection of Profits from Serious Crimes (Geldwäschegesetz – GwG) and the German Criminal Code (Strafgesetzbuch – StGB). Sec. 261 StGB defines the criminal offence of money laundering. The GwG transposes the previously applicable EU directives into German law and contains in Sec. 56 GwG a catalogue of administrative offences for violations of the provisions of the GwG. The competent supervisory authorities of the obliged entities are regulated in Sec. 50 GwG and are to be regarded as administrative authorities. 

The supervisory authorities are obliged to regularly provide the obliged entities with interpretation and application guidelines for the implementation of due diligence obligations and internal security measures in accordance with the statutory provisions.

Selected regulatory content

Expansion of the group of obliged companies

In addition to the group of obliged entities that already existed under the applicable directives, the AML-Reg expands the group of obliged companies. The newly obliged companies include:

• Crypto-asset service providers (CASPs),
• luxury goods traders,
• real estate professionals and corporate service providers, and
• professional football clubs.

Internal strategies and procedures

The AML-Reg contains clear guidelines for the first time on the extent to which obliged entities must design their internal guidelines, procedures and controls. Art. 9 para. 2 AML-Reg stipulates which topics must be included by the obliged entities and refers, among other things, to the requirements of the Money Transfer Reg.

According to Art. 11 AML-Reg, obliged entities must also appoint a member of the management body as compliance manager, whose tasks include ensuring that the internal guidelines, procedures and controls of the obliged entities are consistent with the level of risk and are implemented accordingly. The compliance manager is responsible for identifying information about significant or material weaknesses in internal guidelines, procedures and controls, as well as for corresponding reporting obligations. In addition to a compliance manager, the money laundering officer is responsible for the guidelines, procedures and controls in day-to-day business and for the implementation of targeted financial sanctions. The money laundering officer serves as a point of contact for authorities and is responsible for reporting suspicious transactions.

The AML-Reg now also specifies group-wide requirements. According to this, parent companies must ensure that subsidiaries comply with internal procedures. Group companies are obliged to establish group-wide strategies, procedures and controls and to carry out group-wide risk assessments. Furthermore, group companies must appoint a compliance manager and, if justified by their activities, a group-wide money laundering officer. 

Stricter requirements for beneficial owners

Another key component of the AML-Reg is the harmonisation of the identification of beneficial owners within the framework of CDD. In principle, companies are obliged to verify and keep up to date information about their beneficial owners. While the threshold for identifying beneficial owners was previously set at over 25%, the AML-Reg lowers the threshold to 25% or more. In addition, a lower threshold of at least 15% may apply in certain high-risk cases in future.

The EU also sets standards for determining beneficial ownership within the framework of the AML-Reg. Until now, the method of calculating beneficial ownership has been a matter for the Member States, with the result that different calculation methods have been used across the EU. According to Art. 52 para.1 sentence 2 AML-Reg, indirect participation in multi-level participation structures is to be determined by multiplying the capital shares or voting rights. This means that the so-called calculation principle has become established. It should be noted that, according to Art. 52 para. 1 sentence 2 AML-Reg, the calculated shares from different chains of participation must be added together.

Another important requirement is the obligation to obtain extensive information about the beneficial owner. Previous legal requirements only stipulated that the beneficial owner had to be identified and that further information had to be obtained on a risk-based basis. In contrast, the AML-Reg requires from the obliged entities all first and last names, place and full date of birth, residential address, country of residence and nationality(ies) of the beneficial owner, the number of an identity document (e.g. passport or identity card) and, if available, the unique personal identification number assigned to the person by the country of their habitual residence, as well as a general description of the sources of these numbers.

Revised CDD and retention requirements

As in the AML directives, the cornerstone of the anti-money laundering requirements continues to be the application of the risk-based principle. The risk-based approach is not an option that gives the obliged entities excessive freedom but rather leads to fact-based decision-making on their part. In addition, the principle of proportionality continues to apply. One new feature of the CDD measures is the obligation to check the customers concerned or their beneficial owners with regard to targeted financial sanctions, thus combining money laundering obligations with obligations under financial sanctions.

The AML-Reg also stipulates that companies must retain records for at least five years. Companies must also ensure that the documentation is accessible to the competent authorities.

Sanctions and enforcement

As part of the AML package, a new decentralised EU AML Authority ("AMLA") has been established to introduce technical standards and guidelines for the requirements set out in the AML-Reg and to act as a supervisory authority. The AMLA, based in Frankfurt am Main, works closely with other European supervisory authorities, such as the European Banking Authority ("EBA").

As part of its activities, the AMLA will in particular be empowered to impose administrative sanctions, some of which may be significant, in the event of breaches of the applicable regulations, including fines of up to 10% of annual turnover or 10 million euros, whichever is higher. In addition, the AMLA will publish any decision imposing fines or penalty payments or applying administrative measures, including information on the nature and character of the violation, the identity of the person responsible and, in the case of fines or penalty payments, their amount. 

National authorities also retain the power to impose fines and sanctions in accordance with their respective local laws in the event of violations of the AML Regulation. The sanctions should be effective, proportionate and dissuasive. By 10 July 2026, the Commission will publish supplementary delegated acts that further specify the requirements for sanctions. Penalties for infringements will therefore be based on a harmonised European regulatory framework in future.

Outlook and practical advice

The AML-Reg significantly tightens the responsibilities of obliged entities in the context of money laundering prevention. Obliged entities are therefore required to review their current compliance processes in relation to money laundering prevention and bring them into line with the new requirements before the AML-Reg comes into force on 10 July 2027. 

Due to the expansion of the group of obliged entities, companies that were not previously covered by money laundering compliance obligations should also check whether they will fall within the scope of the AML-Reg in the future. In some cases, obliged entities in EU Member States where the determination of beneficial ownership is not based on the pass-through principle will now be forced to adapt their practices, even if this was previously the common practice of the EU Member State and its respective supervisory authorities. The AML-Reg continues to require companies to create the position of compliance manager, who has additional supervisory and control duties, in addition to the money laundering officers already in place. 

Under the AML Regulation, the AMLA was mandated to issue guidelines for obliged entities to serve as guidance for them to implement the requirements of the AML Regulation appropriately, particularly with regard to the implementation of CDD obligations. As the AMLA did not commence operations until 1 July 2025, the EBA has temporarily taken on tasks that will fall to the AMLA in future. On 6 March 2025, the EBA published a consultation paper containing four draft technical standards, including the future requirements for CDD under Article 28 of the AML Regulation.  Ultimately, however, it remains to be seen to what extent the guidelines developed by the EBA and AMLA will be published in their final form, so that obliged entities can adapt their systems accordingly.