July 10, 2027 is not a distant deadline but a fixed compliance transformation date.

The EU’s new Anti-Money Laundering Regulation (Regulation (EU) 2024/1624), referred to as the AMLR, comes into direct effect across all member states on that date. It replaces the fragmented national transpositions built on the 4th and 5th AML Directives with a single, uniform rulebook and no local variations.

If your organisation is a regulated entity, you have until then to ensure your customer identification processes, due diligence workflows, and record-keeping practices are fully aligned. Here is what is actually changing.

From directives to regulation

Previous EU AML rules came in the form of Directives or legal acts that each member state had to transpose into national law. That process produced fragmentation. A bank operating across five EU countries faced five different sets of rules, five supervisory expectations, and five interpretations of the same underlying obligation.

The AMLR resolves this. As a Regulation, it applies directly and uniformly in all EU member states from July 10, 2027. There is no national transposition layer. There is no room for interpretation on core obligations.

This is the single AML rulebook the EU has been working toward since the financial crisis. For compliance teams, it also means that internal policies aligned to one country’s implementation will need to be reviewed against the new pan-European standard.

Who is now a regulated entity?

The AMLR significantly expands the scope of regulated entities. Alongside the traditional categories (banks, insurance companies, payment institutions, auditors, lawyers, accountants, notaries, and real estate agents) the following sectors are now explicitly included:

Crypto-asset service providers (CASPs)

CASPs are fully within scope, with Customer Due Dilligence (CDD) requirements calibrated to the risk profile of crypto transactions. The threshold for performing CDD on occasional transactions is lowered from 15,000 EUR to 10,000 EUR. For CASPs specifically, CDD is required even below 1,000 EUR where specific risk indicators are present.

Crowdfunding platforms and intermediaries

Already regulated under sectoral EU legislation, crowdfunding service providers are now explicitly named as regulated entities under the unified AML framework.

Professional football clubs and agents

High-value cash flows, opaque ownership structures, and cross-border transfers made this sector a logical inclusion. Football clubs and agents enter scope on July 10, 2029, two years after the main implementation date.

High-value goods dealers

Traders of precious metals, gemstones, luxury goods, and other high-value assets join the regulated entity list, reflecting the documented use of physical goods in money laundering schemes.

If your organisation falls into a newly included category, you are starting an AML compliance programme from scratch. Customer due diligence frameworks, onboarding processes, internal controls, and staff training all need to be operational before July 2027.

CDD is no longer a document-based process

This is one of the most consequential shifts in the AMLR for technology and operations teams.

Under the previous directives, Customer Due Diligence (CDD) was largely interpreted as a document-collection exercise: gather a copy of the ID, collect proof of address, file it, review it periodically. The AMLR reframes the CDD entirely. Articles 19–28 of the AMLR establish CDD as a time-stamped, versioned, and auditable dataset, governed by explicit trigger logic, data-age rules, and failure-handling mechanisms. Customer data is not collected once and filed. It is maintained as a living record with defined rules about when it must be refreshed and how changes trigger re-verification.

Concretely, this means:

• Identity data must be tied to a specific, logged verification event with a timestamp.
• Triggers for re-verification must be defined and documented in advance.
• Data age must be tracked; stale data triggers a re-identification obligation.
• Simplified and Enhanced CDD must be applied based on documented risk assessment, not discretion.

For any organisation managing CDD in a document repository or manual workflow, this is a structural change. The regulation calls for auditable, structured data and not scanned PDFs in a shared folder.

Remote identification is explicitly validated

One of the most practically important changes for compliance teams is the explicit recognition of electronic identification under eIDAS as valid for CDD purposes.

The AMLR, together with the draft Regulatory Technical Standards on CDD being developed by the European Banking Authority, confirms that:

• Identification via EUDI Wallet satisfies the identity verification requirement for remote onboarding.
• Qualified Electronic Attestation of Attributes (QEAA) is accepted as valid CDD evidence.
• From 2027, regulated entities must accept EUDI Wallet-based identification when presented by customers.

This is a direct regulatory signal: the future of CDD is digital, remote, and structured around verifiable identity credentials. Organisations that have built or procured onboarding processes around paper-based or semi-manual workflows are not building toward a compliant state, they are building away from one.

For compliance-oriented technology procurement, the practical questions are now straightforward: does your identification provider operate under eIDAS? Is biometric liveness detection in place? Is each verification event timestamped and logged at a data level, not just as a PDF? Can you demonstrate, on request, the specific verification standard applied to each customer?

Beneficial ownership: One definition, everywhere

The AMLR standardises the definition of beneficial ownership across the EU. A beneficial owner is any natural person who ultimately owns or controls at least 25% of a legal entity through ownership shares, voting rights, or other means of control.

This removes the threshold variations that previously existed between member states. For high-risk sectors, the European Commission retains the power to lower this threshold to 15%, requiring even more granular ownership mapping for entities in scope.

The practical implication for regulated entities: your onboarding and periodic review processes must be capable of systematically identifying, verifying, and re-verifying beneficial owners, not just collecting a self-declaration form.

Enhanced Due Dilligence: Clearer triggers, less discretion

The AMLR brings significantly greater precision to the Enhanced Due Diligence regime. EDD is no longer a category left largely to organisational judgment but triggered by defined circumstances, including:

• Business relationships or transactions involving high-risk third countries.
• Politically exposed persons (PEPs) and their close associates.
• Correspondent banking relationships.
• Complex or unusually large transactions without apparent economic purpose.
• Non-face-to-face relationships that do not meet the eIDAS equivalence standard.

Where EDD is triggered, the regulation requires deeper investigation into the source of funds and source of wealth, along with enhanced ongoing monitoring of the relationship.

A new supervisory authority: AMLA

The AMLR is part of a broader legislative package that also establishes the Anti-Money Laundering Authority (AMLA).

AMLA will directly supervise the highest-risk financial institutions operating cross-border in the EU and will coordinate national AML supervisors across all member states. For selected regulated entities, primarily large cross-border financial institutions, supervision will shift from national regulators to a single EU-level authority with directly applicable enforcement powers.

The standards AMLA applies will be uniform, published, and consistent across every jurisdiction in which a supervised entity operates. For compliance teams, this means that regulatory expectations will be increasingly predictable across borders, but also increasingly rigorous and centrally audited.

What this means for your compliance process

The AMLR is not an incremental update. For most regulated entities, it requires a meaningful review of how identification, CDD data management, and ongoing monitoring are structured. Four areas deserve focused attention before July 2027.

• Identification method. Does your current onboarding process produce a timestamped, auditable record of the verification event? Is biometric liveness detection in place? Is the process eIDAS-compliant for remote identification? If the answer to any of these is no, the existing process will not satisfy AMLR requirements.
• CDD data architecture. Is customer data structured as a dataset with defined refresh rules and re-verification triggers? Or is it stored as documents with no systematic expiry or audit logic? The AMLR requires the former.
• Beneficial ownership mapping. Can your system capture, verify, and re-verify ultimate beneficial owners at the 25% threshold? Is the logic adjustable if the European Commission exercises its power to lower the threshold in your sector?
• EDD workflow. Is there a documented, auditable EDD process that can respond to FIU requests within five working days? For organisations still handling EDD manually, the five-day deadline alone justifies a process review.

How Identyum supports AMLR-ready compliance

Identyum’s identity verification service, Identify, is designed to meet the requirements that the AMLR now codifies as mandatory.

Remote identification via Identify produces a legally valid, timestamped, biometrically verified identity record. The process includes document verification, facial biometric comparison with liveness detection, and cross-database checks, generating structured output as a JSON file or PDF report, with each verification event logged with a precise timestamp. This directly addresses the AMLR’s requirement for auditable CDD datasets rather than document archives.

The platform operates in compliance with AML6, GDPR, eIDAS (ETSI EN 119 461), and FATF/EBA guidelines. It supports selective disclosure, meaning that regulated entities collect only the data their specific compliance obligation requires, aligned with the AMLR’s principle of proportionate data collection.

For the financial data component of CDD and source-of-funds verification, Identyum FinCheck service enables automated retrieval of verified bank account data, transaction history, and financial capacity scoring through PSD2 AIS APIs, with explicit user consent and without physical documentation. This supports both the financial monitoring obligations and the source-of-funds analysis required in EDD scenarios.

To support ongoing CDD compliance beyond the initial verification, Identyum also provides a change notification functionality. Once a regulated entity has accessed a user’s identity data through Identyum, it receives automated notifications whenever that user updates their personal data in the Identyum ID Wallet. For example, when they upload a new identity document. Notifications are delivered only for users for whom the entity holds a valid, active Access Token, ensuring that data flows remain consent-bound and proportionate. This allows regulated entities to proactively trigger a re-verification or data refresh on their side, keeping their CDD records current without relying on periodic manual reviews, directly supporting the AMLR’s expectation of continuous, up-to-date customer due diligence.

Both services integrate via API into existing compliance and KYC infrastructure, and Identify is also available as a ready-to-use web portal for organisations that do not require full API integration.

The clock is running

July 10, 2027 is 16 months away. For organisations already built around compliant digital onboarding, the AMLR primarily calls for documentation review and gap analysis against the new standard. For organisations still operating on paper-based or partially manual CDD workflows, the timeline is shorter than it appears.

The regulation is published. The standards are in draft. The implementation date is fixed.

The question is not whether to prepare. The question is how much of the runway you use well.

To learn more about how Identyum supports AMLR-compliant identification and customer due diligence, visit identyum.com/identity-verificationor reach us at [email protected].