How Anti-Money Laundering Directive (AMLD) Works
The AMLD operates through a risk-based approach, requiring obliged entities to assess the money laundering and terrorist financing risk presented by each customer, product, geography, and delivery channel — and then calibrate controls proportionally. National legislators transpose each directive into domestic law within the required deadline, and national supervisors — financial intelligence units (FIUs) and prudential regulators — enforce compliance through examinations, enforcement actions, and sanctions.
The six steps below represent the core compliance lifecycle every obliged payment entity must operate.
Enterprise-Wide Risk Assessment
Obliged entities must produce a written, enterprise-wide money laundering and terrorist financing risk assessment covering customer types, geographies, payment channels, and products. This assessment drives the design of the entire AML programme and must be reviewed at least annually or whenever material business changes occur. Regulators expect documentary evidence of how identified risks were prioritised and mitigated.
Customer Due Diligence (CDD)
Before onboarding any customer, firms must verify identity using reliable, independent documentation. Customer due diligence under AMLD includes identifying beneficial owners who ultimately hold or control ≥25% of a legal entity, understanding the purpose and intended nature of the business relationship, and screening against sanctions and PEP lists. Simplified CDD is permitted for lower-risk customers when the rationale is documented.
Enhanced Due Diligence (EDD)
Customers presenting higher risk — politically exposed persons, customers from FATF high-risk third countries, or those with complex ownership structures — trigger EDD. This requires senior management approval before onboarding, independent source-of-wealth and source-of-funds verification, and materially more frequent ongoing review cycles. EDD is not optional; the directive specifies it as mandatory for defined categories of risk.
Ongoing Transaction Monitoring
AMLD mandates continuous monitoring of customer transactions against the expected behaviour profile established at onboarding. Unusual patterns — velocity spikes, structuring below reporting thresholds, mismatches with stated business activity, or unusual counterparty geographies — must be automatically flagged and reviewed by trained analysts before being closed or escalated.
Suspicious Activity Reporting (SAR)
When an obliged entity suspects that funds are proceeds of crime, it must file a SAR with its national FIU — typically within 24–48 hours of the suspicion crystallising. Filing a SAR does not constitute an accusation; it is an intelligence disclosure. The tipping-off prohibition means staff must never inform the subject of a report that one has been filed — doing so is itself a criminal offence under AMLD.
Record-Keeping and Audit Trail
All CDD records, transaction data, internal investigation notes, and SAR filing evidence must be retained for a minimum of five years after the end of the business relationship. Records must be retrievable within a short timeframe on regulator request. Inadequate record retention is one of the most common findings in supervisory examinations across EU member states.
Why Anti-Money Laundering Directive (AMLD) Matters
Money laundering corrodes the financial system, distorts legitimate competition, and provides the financial infrastructure that enables serious organised crime and terrorism. For payment businesses operating in the EU, AMLD is not an optional compliance exercise — it is a licence condition, and enforcement has intensified dramatically over the past five years.
The European Commission estimates that between €715 billion and €1.87 trillion is laundered through the EU financial system annually, representing 1–5% of GDP. Despite this scale, a 2021 FATF mutual evaluation of the EU found that financial intelligence generated by SAR filings was significantly underutilised in prosecution, pointing to a systemic need for higher-quality reporting rather than higher volume. The European Banking Authority has separately identified anti-money-laundering compliance weaknesses at supervised institutions in 13 out of 27 EU member states, demonstrating that consistent transposition and enforcement remain structural challenges. Against this backdrop, aggregate fines issued under AMLD frameworks across the EU exceeded €1.5 billion between 2019 and 2023, a figure that signals supervisors are increasingly willing to deploy their maximum sanctioning powers against both banks and non-bank payment providers.
The Move to AMLR
The EU's forthcoming Anti-Money Laundering Regulation (AMLR) will replace the directive framework with a single, directly applicable law — eliminating transposition gaps that allow some member states to maintain lighter implementation standards. It is expected to enter application from 2027.
Anti-Money Laundering Directive (AMLD) vs. FATF Recommendations
Both the AMLD and the Financial Action Task Force Recommendations target money laundering and terrorist financing, but they operate at fundamentally different levels. AMLD is binding EU law; FATF Recommendations are non-binding international standards that influence how governments design domestic legislation. Understanding the distinction matters because businesses operating globally must satisfy FATF-aligned regimes outside the EU that may differ from AMLD in important ways.
| Dimension | AMLD | FATF Recommendations |
|---|---|---|
| Legal force | Binding EU law transposed into national statutes | Non-binding international standards |
| Geographic scope | EU member states only | 200+ jurisdictions globally |
| Enforcement mechanism | National supervisors + EBA oversight board | Mutual evaluation and grey/black listing |
| Update cadence | New directive every 3–7 years | Revised 2012; targeted updates ongoing |
| Crypto coverage | AMLD5 (January 2020) onward | Updated 2019 (Recommendation 15) |
| Beneficial ownership | Mandatory public registers from AMLD5 | Required but implementation varies widely |
| Predicate offences | 22 harmonised categories under AMLD6 | 21 designated categories (baseline) |
| Criminal liability | Extended to legal persons under AMLD6 | Recommended but not mandatory |
The AMLD is explicitly designed to implement FATF Recommendations within the EU legal order. Where FATF sets the international floor, AMLD frequently exceeds it — particularly on beneficial ownership transparency, crypto provider registration, and criminal penalties for individuals.
Types of Anti-Money Laundering Directive (AMLD)
The directive has evolved through six versions, each responding to new criminal typologies, gaps exposed by mutual evaluations, and the expansion of the financial services sector into new asset classes and technologies.
AMLD1 (1991): Established the EU's foundational AML framework following the Basel Committee's 1988 statement on criminal misuse of the banking system. Scope was limited primarily to drug trafficking proceeds and bank-sector controls.
AMLD2 (2001): Extended the predicate offence list to all serious crimes and brought additional professional categories — notaries, accountants, real estate agents, and casinos — within the obliged entity framework.
AMLD3 (2005): Aligned EU law with the revised 2003 FATF Recommendations. Introduced the risk-based approach as the primary compliance methodology and mandated enhanced due diligence for politically exposed persons for the first time.
AMLD4 (2017): Strengthened beneficial ownership registers for companies and trusts, required member states to create central registers and link them across the EU, and aligned with the FATF 2012 Recommendations. The first directive to explicitly classify tax crimes as predicate offences.
AMLD5 (2020): Brought crypto-asset exchanges and custodian wallet providers into scope. Required beneficial ownership registers to be publicly accessible. Lowered the anonymous threshold for prepaid cards from €250 to €150 and reduced the remote payment threshold to €50.
AMLD6 (2021): The current operative directive. Harmonised the list of 22 predicate offences across member states, extended criminal liability to legal persons for the first time, raised minimum custodial sentences for natural persons to four years, and introduced accomplice liability and aiding and abetting as standalone criminal offences.
Best Practices
Effective AMLD compliance requires coordinated effort across business operations and technical infrastructure. Gaps in either domain create both regulatory exposure and operational risk.
For Merchants
- Produce a written AML risk assessment before launching new products or entering new markets. Regulators expect contemporaneous documentation that you identified risks and designed controls proactively — retrospective risk assessments carry little credibility in enforcement proceedings.
- Implement risk-tiered CDD, not one-size-fits-all onboarding. Low-risk customers may qualify for simplified due diligence, but the rationale must be documented. Applying maximum scrutiny to every customer wastes compliance resources and can mask genuinely high-risk cases by creating alert fatigue.
- Train all customer-facing and finance staff annually on AML red flags, internal escalation procedures, and — critically — the tipping-off prohibition. An inadvertent disclosure to a customer that they are under investigation is a criminal offence regardless of intent.
- Screen against sanctions and PEP lists in real time at the point of transaction, not only at onboarding. European regulation requires that obliged entities do not process funds involving sanctioned persons, and sanctions lists are updated without notice.
- Maintain a retrievable five-year audit trail. Store CDD documentation, transaction records, monitoring alerts, and investigation notes in a structured, searchable format. Regulators regularly demand complete case files within 48 hours during themed examinations.
For Developers
- Embed CDD and identity verification workflows into onboarding flows from day one. Retrofitting identity verification after product launch creates irrecoverable data quality gaps and forces expensive re-verification campaigns that generate customer friction and regulatory scrutiny simultaneously.
- Adopt event-driven transaction monitoring architectures. Batch-only monitoring introduces material lag between suspicious activity and detection. Streaming pipelines enable near-real-time alerting on structuring patterns, velocity abuse, and unusual counterparty geographies.
- Capture full payment metadata aligned with PSD2 data requirements. Originator IBAN, beneficiary details, and purpose codes must travel with the transaction record. Aligning your data model with the EU Funds Transfer Regulation fields ensures that AML screening systems receive the complete data set they require.
- Implement idempotent SAR submission logic. Internal alerts that generate retry loops must not produce duplicate SAR filings — national FIUs treat duplicate reports as a data quality failure and may deprioritise the institution's intelligence submissions.
- Version-control all screening rule sets. When FATF updates its high-risk country list or the EU amends sanctions designations, you need auditable evidence of exactly when each rule changed and which transactions were evaluated under which rule version.
Common Mistakes
Even well-resourced compliance teams make predictable implementation errors when operationalising AMLD requirements across complex payment stacks.
1. Treating CDD as a one-time onboarding event. AMLD mandates ongoing monitoring of the business relationship throughout its lifetime. A customer who cleared KYC in 2022 may become a PEP by 2024, exhibit transaction volumes inconsistent with their stated business, or appear on a newly updated sanctions list. Periodic CDD refresh cycles — risk-tiered rather than calendar-based — are a mandatory feature of any compliant programme.
2. Over-relying on automated screening without analyst oversight. Automated name-matching against sanctions and PEP lists generates substantial false positives. Without a trained analyst reviewing and rationally closing alerts, firms either allow genuine matches to process undetected or freeze legitimate customer accounts at scale — both outcomes attract regulatory attention and operational complaints.
3. Failing to apply AMLD controls across all product lines. Payment service providers that also offer currency exchange, lending, or crypto-conversion must apply AMLD controls across every product, not only the primary payment service. Regulators apply scope requirements at the entity level, not the product level.
4. Accepting beneficial ownership self-declaration without independent corroboration. AMLD4 and AMLD5 require firms to take reasonable measures to verify beneficial ownership independently. Relying solely on customer-submitted declarations or uncorroborated company registry data is a documented pattern in supervisory findings across multiple EU jurisdictions.
5. Inadequate controls on high-volume low-value transactions. Structuring — splitting large amounts into smaller transactions to avoid reporting thresholds — is a AMLD-defined red flag. Systems that monitor only high-value individual transactions while ignoring cumulative patterns within a defined time window routinely miss structuring activity.
Anti-Money Laundering Directive (AMLD) and Tagada
Payment orchestration platforms occupy a clear position within the AMLD's obliged entity framework as payment service providers. When routing transactions across multiple acquirers, payment methods, and geographies, a platform like Tagada must ensure that AML screening, sanctions checks, and transaction metadata capture are applied consistently — and are not inadvertently bypassed when switching between payment rails or fallback routes.
Tagada's orchestration layer can centralise the capture of transaction metadata required for AML monitoring — originator account details, beneficiary identifiers, and purpose codes — across all connected payment providers. This eliminates the data gaps that arise when different acquirers return inconsistent or incomplete transaction records, and gives compliance teams a single structured, normalised dataset to feed into their transaction monitoring system. When routing logic changes, the compliance data model stays consistent.