Breaking

AMLA’s single rulebook splits EU AML from the US and UK

AMLA's single rulebook splits EU AML from the US and UK

From July 10, 2027, the European Union’s Anti-Money Laundering Regulation (AMLR) and the Frankfurt-based Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) replace 27 national rulebooks with one — and, from 2028, hand AMLA direct supervision of roughly 40 of the highest-risk financial firms, crypto-asset service providers (CASPs) among them. That centralising move pulls the EU sharply away from the fragmented, enforcement-led United States model and the United Kingdom’s risk-based supervision.

The AMLR and the Sixth Anti-Money Laundering Directive (AMLD6) apply in full from July 10, 2027, creating a directly applicable “single rulebook” across all EU member states (AMLR, Regulation (EU) 2024/1624). AMLA, operational in Frankfurt since July 1, 2025, must publish around 23 regulatory and implementing technical standards through 2026, most due by July 10, 2026, before it begins directly supervising selected obliged entities in 2028. This analysis walks through what the rulebook requires, how the EU, US, UK and Singapore diverge, the enforcement record that shaped the regime, and what compliance teams at CASPs and brokers must build now.

Key Facts:

• AMLA took up operations in Frankfurt on July 1, 2025, and will directly supervise roughly 40 high-risk obliged entities — including CASPs — from 2028. — AMLA
• The AMLR and AMLD6 apply in full from July 10, 2027, replacing 27 national AML regimes with one directly applicable rulebook. — eucrim
• AMLA must issue around 23 regulatory and implementing technical standards during 2026, most by July 10, 2026. — PwC Legal
• CASPs become obliged entities under the AMLR, owing customer due diligence, 25%-or-more beneficial-ownership identification (AMLD6), transaction monitoring and suspicious-transaction reporting. — financialregulations.eu
• The MiCAR transitional period for legacy CASPs ends July 1, 2026; unauthorised providers operate illegally thereafter. — ESMA
• Binance paid a $4.3 billion settlement on November 21, 2023, including a $3.4 billion penalty that remains the largest in the history of the US Treasury’s Financial Crimes Enforcement Network (FinCEN). — US Treasury

Methodology and sources

This analysis rests on primary instruments and official regulator material: the Anti-Money Laundering Regulation (Regulation (EU) 2024/1624), AMLD6, and the AMLA establishing regulation; AMLA’s own publications and Single Programming Document for 2026–2028; ESMA material on the Markets in Crypto-Assets Regulation (MiCAR) CASP transition; and the US Treasury and FinCEN settlement record. The time window is the implementation runway from AMLA’s July 1, 2025 launch through the AMLR’s July 10, 2027 application date and the 2028 direct-supervision start. The jurisdictional scope is the EU, United States, United Kingdom and Singapore. Penalty figures and effective dates are drawn from the instruments and official enforcement releases; where ceilings depend on facts and circumstances, that is flagged in the text.

What the AMLR single rulebook actually requires

The AMLR’s defining feature is that it is a regulation, not a directive — directly applicable in every member state without national transposition. That alone ends the patchwork in which 27 governments wrote 27 versions of the same EU directive. For obliged entities, the substantive obligations are familiar in kind but tighter in detail: risk-based customer due diligence (CDD), enhanced due diligence for higher-risk relationships, identification of beneficial owners at the 25%-or-more ownership threshold codified in AMLD6, ongoing transaction monitoring, and suspicious-transaction reporting to national Financial Intelligence Units.

The AMLR’s CASP provision is the headline change for digital-asset firms. A crypto-asset service provider’s obligations under the AMLR begin with the same risk-based customer due diligence that applies to banks: verify the customer, identify beneficial owners at the 25% threshold set by AMLD6, screen against sanctions lists, monitor transactions on an ongoing basis, and file suspicious-transaction reports. Crucially, the regime layers onto MiCAR authorisation rather than replacing it: a firm must first be an authorised CASP — the transitional window for legacy providers closes on July 1, 2026 — and then meet AMLR obligations from July 10, 2027. AMLA has signalled its first coordinated cross-border CASP audit for the second quarter of 2026, focused on Travel Rule transfers and beneficial-ownership accuracy.

Layered on top is supervision. From 2028, AMLA will directly supervise around 40 selected obliged entities — the most complex cross-border banking groups, plus a smaller number of payment institutions, e-money issuers and CASPs — while national authorities continue to supervise everyone else under AMLA’s coordination. The selection process began with data collection in January 2026. For the firms picked, the supervisor of record becomes a pan-EU authority in Frankfurt rather than a home-state regulator, a structural shift in who holds the file.

Jurisdiction / Regulator Effective date Supervisory model CASP treatment Penalty / sanction
EU (AMLA + AMLR) AMLR applies July 10, 2027; direct supervision 2028 Single rulebook; AMLA direct supervision of ~40 firms CASPs are obliged entities; full CDD, UBO, monitoring, STRs Administrative pecuniary sanctions up to 10% of annual turnover for serious breaches
US (FinCEN / BSA) Bank Secrecy Act 1970, ongoing Fragmented; FinCEN plus banking agencies and states; enforcement-led Exchanges treated as money services businesses; register and report Binance: $4.3bn total; FinCEN $3.4bn (2023)
UK (FCA) MLRs 2017, as amended Risk-based supervision; crypto registration regime Cryptoasset firms must register with the FCA for AML Final Notice penalties; firm-specific
Singapore (MAS) Payment Services Act 2019, ongoing Risk-based; licensing of digital-payment-token services DPT service providers licensed and AML-supervised Composition penalties and licence action

Sources: AMLR (Regulation (EU) 2024/1624); FinCEN/US Treasury; UK Money Laundering Regulations 2017; MAS Payment Services Act. Last updated: May 30, 2026.

How four jurisdictions diverge

The fault line is preventive harmonisation versus enforcement-led fragmentation. The EU is building an ex-ante machine: one rulebook, one direct supervisor, uniform technical standards, and coordinated cross-border audits. The United States runs the opposite model — a 1970 statute, the Bank Secrecy Act, administered by FinCEN alongside the banking agencies and the states, with deterrence delivered after the fact through very large settlements rather than through a single harmonising supervisor. The contrast with the EU’s Basel-style capital divergence is instructive, and we examined the parallel split in our analysis of how Basel’s crypto capital rules split the EU, UK and US.

The United Kingdom occupies a middle position. The Financial Conduct Authority (FCA) runs risk-based AML supervision under the Money Laundering Regulations 2017 and operates a separate cryptoasset registration regime; it has refused or deterred the majority of crypto applicants, making registration itself a gating control. Singapore’s Monetary Authority of Singapore (MAS) licenses digital-payment-token providers under the Payment Services Act 2019 and supervises them on a risk basis, prioritising a smaller number of well-capitalised licensees. For a CASP operating across all four, the AMLR’s appeal is obvious: one EU standard replaces the cost of reconciling 27 national interpretations, even as it raises the floor. Industry estimates put CASP authorisation alone at nine to 12 months and €350,000 to €500,000, before the recurring cost of AMLR compliance. That divergence creates a regulatory-arbitrage map that the same firms must now navigate alongside the Travel Rule fragmentation we covered in our report on FATF Travel Rule adoption across 85 jurisdictions, and the CASP cliff detailed in our analysis of MiCA’s July 1 transition.

“These instruments mark a significant step toward supervisory convergence.”

Bruna Szego, Chair, Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) (AMLA)

Enforcement context: the Binance benchmark

The case that defines AML expectations for crypto remains the Binance settlement. On November 21, 2023, Binance Holdings agreed to pay $4.3 billion to resolve criminal and civil actions brought by the Department of Justice, FinCEN, the Office of Foreign Assets Control (OFAC) and the Internal Revenue Service Criminal Investigation. FinCEN’s component, $3.4 billion, was the largest penalty in the agency’s history, accompanied by a five-year monitorship and a requirement that Binance exit the US market entirely. Founder Changpeng “CZ” Zhao pleaded guilty to a Bank Secrecy Act violation for failing to maintain an effective AML programme and paid a $50 million personal fine.

The conduct at issue is the template regulators now screen for: investigators found Binance had failed to report more than 100,000 suspicious transactions, including flows linked to designated groups such as Hamas, Al Qaeda and ISIS. The US framed the case as a deterrence message.

“Binance turned a blind eye to its legal obligations in the pursuit of profit. Its willful failures allowed money to flow to terrorists, cybercriminals, and child abusers through its platform.”

Janet Yellen, Secretary, US Department of the Treasury (Nasdaq)

The point for EU-facing firms is that the AMLR is designed to catch the same failures before they reach a $3.4 billion settlement, through mandatory monitoring, harmonised reporting and direct supervision rather than after-the-fact prosecution. The two systems aim at the same risk from opposite ends of the timeline.

What this means for brokers, exchanges and compliance teams

For CASPs and digital-payment-token licensees, the operational to-do list is concrete. First, secure MiCAR authorisation before the July 1, 2026 transitional cliff; a firm that is unauthorised after that date is operating illegally and cannot remediate its way into the AMLR regime. Second, build AMLR-grade systems ahead of July 10, 2027: a single CDD and beneficial-ownership framework calibrated to the 25% threshold, sanctions screening, transaction monitoring tuned to crypto typologies, and Travel Rule data capture for transfers. Third, prepare for AMLA’s Q2 2026 coordinated CASP audit, which targets exactly those Travel Rule and beneficial-ownership controls.

For brokers and payment and e-money institutions, the selection process for direct supervision matters most. Firms with significant cross-border EU activity should assume they may fall within AMLA’s roughly 40-entity perimeter and prepare to be examined by a Frankfurt supervisor applying uniform standards rather than a familiar home-state regulator. For legal and compliance teams across all obliged entities, the shift from 27 national manuals to one rulebook is a one-time re-papering exercise: existing policies must be mapped to AMLR articles and AMLA technical standards as they are published through 2026. The cost is front-loaded; the payoff is a single standard rather than 27.

What’s next — the forward view

The runway is dense with deadlines. AMLA must finalise the bulk of its roughly 23 technical standards and guidelines by July 10, 2026 — the regulatory detail that will determine how prescriptive the single rulebook actually is in practice. The MiCAR CASP transitional period closes on July 1, 2026, forcing a wave of authorisation decisions across national competent authorities. AMLA’s first coordinated cross-border CASP audit is slated for the second quarter of 2026. The AMLR and AMLD6 then apply from July 10, 2027, and direct supervision of the selected entities begins in 2028.

The contested questions are about proportionality and capacity. Industry voices argue that a prescriptive, uniform regime risks raising costs faster than smaller licensees can absorb, and that AMLA must hire and build at speed to be credible by 2028. Supervisors counter that fragmentation is what allowed cases like Binance to fester. The unresolved tension — preventive harmonisation versus the flexibility that lighter-touch hubs such as Singapore and the post-Brexit UK still offer — will shape where CASPs choose to base, and whether the EU’s single rulebook becomes a global benchmark or a high-cost island. Asia’s own positioning, examined in our coverage of Hong Kong’s 2026 virtual-asset dealer and custodian regime, is part of the same competitive calculus.

TL;DR

The EU’s Anti-Money Laundering Regulation (AMLR) and AMLD6 apply from July 10, 2027, replacing 27 national AML regimes with a single rulebook, while the Frankfurt-based AMLA — operational since July 1, 2025 — begins directly supervising roughly 40 high-risk firms, including crypto-asset service providers, in 2028. CASPs owe full customer due diligence, 25% beneficial-ownership identification, monitoring and suspicious-transaction reporting. The model contrasts with the enforcement-led US approach that produced Binance’s $4.3 billion settlement in 2023, of which FinCEN’s $3.4 billion was its largest ever. The MiCAR CASP transitional cliff on July 1, 2026 is the first hard deadline.

FAQ

What is AMLA and when does it start supervising firms directly?

AMLA is the EU’s Authority for Anti-Money Laundering and Countering the Financing of Terrorism, based in Frankfurt and operational since July 1, 2025. It coordinates national supervisors now and will directly supervise roughly 40 selected high-risk obliged entities, including some crypto-asset service providers, from 2028.

When does the AMLR apply?

The Anti-Money Laundering Regulation and AMLD6 apply in full from July 10, 2027. Because the AMLR is a regulation rather than a directive, it is directly applicable in every EU member state without national transposition, creating a single rulebook.

How does the AMLR treat crypto-asset service providers?

CASPs are obliged entities under the AMLR. They must perform risk-based customer due diligence, identify beneficial owners at the 25% threshold, screen sanctions, monitor transactions, apply the Travel Rule and file suspicious-transaction reports — obligations that layer on top of MiCAR authorisation.

How does the EU model differ from the US and UK?

The EU is centralising into one rulebook and one direct supervisor. The US runs a fragmented, enforcement-led system under FinCEN and the Bank Secrecy Act, delivering deterrence through large settlements. The UK’s FCA applies risk-based supervision and a separate crypto registration regime.

What is the first deadline crypto firms must meet?

The MiCAR transitional period for legacy CASPs ends July 1, 2026. A provider that is not authorised by that date is operating illegally and cannot rely on the transition to continue serving EU customers.

Why does the Binance case matter for AML supervision?

Binance’s $4.3 billion settlement in November 2023 — including FinCEN’s record $3.4 billion penalty — set the benchmark for AML failures in crypto. It is the conduct the AMLR’s preventive controls are designed to catch before such losses occur, rather than after.

This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.

Rick Steves has seen business and economics through many lenses. He joined the financial services industry in 2009, and has been a financial journalist since 2011. He holds a degree in Business Administration and has experience producing real-time news, from both buy-side and sell-side, as well as for retail traders, brokers and service providers. Steves' work has appeared in a variety of online publications including FX Street, NewsBTC, FinanceFeeds, and The Industry Spread. Rick has great interest in the dynamics of the trading industry. The never-ending clash between technology, economics, regulation, and more importantly, the people.

Most Read

Related Posts

Imdustry insights

Stay Ahead

Get the latest news, insights, and market updates delivered to your inbox every day.

Enter your email address