07-05-2025 - Foteini Markaki

Focus: New AML reformative package - 6th AML Directive


Directive (EU) 2024/1640[1] (the 6th AML Directive) will replace, in parallel with the AML Regulation[2], the currently valid 4th AML Directive[3]. The latter will be finally repealed with effect as of 10 July 2027, while the 6th AML Directive will become applicable gradually. In this regard, references to the repealed 4th AML Directive shall be construed as references to the 6th AML Directive and to the AML Regulation.

The 6th AML Directive is addressed to the EU member states, which, apart from the mandatory provisions applicable to professionals in the scope of the AML Regulation, are allowed to adopt AML measures in any other sector that they consider affected by AML risks.

The 6th AML Directive is roughly divided into the following titles:

1. Measures applicable to sectors exposed to money laundering and terrorist financing at national level

In this light, the EU member states shall ensure that:

- All currency exchange and cheque cashing offices as well as the trust and corporate service providers are licensed or registered;

- To the extent that the legislation of the EU member states enables the granting of residence rights in exchange for any kind of investment, special provisions on monitoring are adopted, a risk management process is established and mitigation measures are adopted (including the publication of an annual report);

- Measures are taken for the continual verification of good repute and integrity of the senior management in the obliged entities and the beneficial owners of such entities;

- A national risk assessment (to be updated at least every 4 years) is to be carried out to identify, assess, understand and mitigate the risks of money laundering and terrorist financing, and the risks of non-implementation and evasion of targeted financial sanctions;


2. Rules for access to beneficial ownership information and organization of central registers (Note: the majority of the rules mentioned below under this title have already been implemented by the Luxembourg law of January 23, 2025 amending the UBO register law)

Each EU member state shall ensure that:

- The beneficial ownership information central registers are empowered to request from legal entities, trustees, persons holding an equivalent position and their legal and beneficial owners, any information necessary to identify and verify their beneficial owners, including resolutions of the board of directors and minutes of their meetings, partnership agreements, trust deeds, or other contractual agreements and documentation;

- Where a verification is carried out at the time of submission of beneficial ownership information, and such verification leads the central register to conclude that there are inconsistencies or errors in the beneficial ownership information, the central register is able to withhold or refuse to issue a valid certificate of proof of registration (art.10 par.13);

- A system of interconnection of the central registers via the European Central Platform is established;

- The persons who can access the information listed in the EU member states’ beneficial ownership registers are defined by adoption of the list in art.12 par.1 while EU member states can also add another category of persons having legitimate interest to access the beneficial ownership information central register;

- Where beneficial owners file a request for information to the central register pursuant to GDPR they must be provided with information on the function or occupation of the persons having consulted their beneficial ownership information (art.12 par.4);

- Access to beneficial ownership information granted by the central registers lasts for 3 years unless the occupation of the person granted the access changes, while a response to a request for access shall be provided within 7 days (art.14 par.11);

3. Bank account registers and access to real estate information 

EU member states have to:

- Install centralised automated mechanisms, i.e. central bank account registers including central electronic data retrieval systems, which allow the identification, in a timely manner, of any natural or legal person holding or controlling payment accounts, or bank accounts identified by IBAN, including virtual IBANs, securities accounts, crypto-asset accounts and safe-deposit boxes held by a financial institution. This information is to be directly accessible, in an immediate and unfiltered manner, to FIUs, as well as to AMLA and the supervisory authorities.

- Make the arrangements so that the centralised automated mechanisms providing for different types of access to information are interconnected via the bank account registers interconnection system (‘BARIS’), which is to be developed and operated by the EU Commission by 10 July 2029.

- Provide for a single access point to real estate information.

4. Responsibilities and tasks of Financial Intelligence Units (FIUs)

Each EU member state shall:

- Provide for the establishment of a FIU in which a Fundamental Rights Officer will be designated;

- Make arrangements so that the FIU conveys information to the respective AML supervisors in case of potential AML breaches committed by obliged entities;

- Empower its FIU to take urgent action, directly or indirectly, to suspend the use of an account or to suspend a business relationship in order to preserve funds and dissuade AML breaches.

It should be noted at this point that a system of exchange of information between FIUs of Member States (FIU.net) shall be set up and managed by AMLA ensuring the secure communication, producing a written record of all processing activities with the possibility to be used for communications with FIUs’ counterparts in third countries and with other authorities and with EU bodies, offices and agencies.

5. Responsibilities and tasks of the EU member states’ AML supervisors, cooperation between them, with AMLA and with other EU authorities 

The EU member states shall ensure that:

- Supervisors are able to apply administrative measures to an obliged entity where they identify:
    - Breaches of the AML Regulation or the Regulation on information accompanying transfer of funds and certain crypto assets, either in combination with pecuniary sanctions for serious, repeated and systematic breaches, or on their own;
    - Weaknesses in the internal policies, procedures and controls of the obliged entity that are likely to result in breaches and administrative measures can prevent the occurrence of those breaches or reduce the risk thereof;
    - That the obliged entity has internal policies, procedures and controls that are not commensurate with the risks of money laundering, its predicate offences or terrorist financing to which the entity is exposed (art.56 par.1);

- Supervisors are able, by means of the administrative measures, to:
    - Require the provision of any data or information necessary for the fulfilment of their tasks without undue delay, to require the submission of any document, or impose additional or more frequent reporting requirements;
    - Require the reinforcement of the internal policies, procedures and controls;
    - Require the obliged entity to apply a specific policy or requirements relating to categories of or individual clients, transactions, activities or delivery channels that pose high risks;
    - Require the implementation of measures to bring about the reduction of the money laundering or terrorist financing risks inherent in the activities and products of the obliged entity;
    - Impose a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person who has been held responsible for the breach from exercising managerial functions in obliged entities;

- Supervisors are able to set up dedicated AML/CFT supervisory colleges led by the financial supervisor in charge of the parent undertaking of a group of financial institutions:
    - Where a financial institution has set up establishments in at least two different EU member states other than the one where its head office is located;
    - Where a third-country financial institution has set up establishments in at least three Member States.

- An EU member state public authority is in charge of the oversight of self-regulatory AML bodies (where they exist), which public authority shall publish an annual report available on its website containing information about:
    - The number and nature of breaches detected by each self-regulatory body and the pecuniary sanctions imposed on or administrative measures applied to obliged entities;
    - The number of suspicious transactions reported or forwarded by each self-regulatory body to the FIU;
    - The number and description of pecuniary sanctions and periodic penalty payments imposed or administrative measures applied by each self-regulatory body;
    - The number and description of measures taken by the public authority overseeing self-regulatory bodies and the number of instructions issued to self-regulatory bodies.

6. Common rules with regard to the type of breach and level of pecuniary sanctions or administrative measures (monetary penalties, administrative sanctions and periodic payments)

EU member states shall ensure that:

- AML supervisory authorities, upon imposition of sanctions, take into account all relevant circumstances, including:
    - The gravity and the duration of the breach;
    - The number of instances the breach was repeated;
    - The degree of responsibility of the natural or legal person held responsible;
    - The financial strength of the natural or legal person held responsible, including in light of its total turnover or annual income;
    - The benefit derived from the breach by the natural or legal person held responsible, insofar as it can be determined;
    - The losses to third parties caused by the breach, insofar as they can be determined;
    - The level of cooperation of the natural or legal person held responsible with the competent authority;
    - Previous breaches by the natural or legal person held responsible.

- AML breaches imposed on legal entities shall reflect on the representatives and controllers of legal persons where the lack of supervision or control has made possible the breaches by a person under their authority;

- Pecuniary sanctions are imposed on obliged entities for serious, repeated or systematic breaches, whether committed intentionally or negligently, of the requirements laid down in the following provisions of the AML Regulation:

    - Chapter II (Internal policies, procedures and controls of obliged entities);
    - Chapter III (Customer due diligence);
    - Chapter V (Reporting obligations);
    - Article 77 (Record retention).

- In the case of a legal person, maximum pecuniary sanctions are of at least EUR 10 000 000 or 10 % of the total annual turnover according to the latest available accounts approved by the management body, whichever is higher, while in the case of a natural person, maximum pecuniary sanctions are of at least EUR 5 000 000;

- When determining the amount of the pecuniary sanction, the ability of the obliged entity to pay the sanction is taken into account where the pecuniary sanction may affect compliance with the prudential regulation;

- Periodic penalty payments shall be effective and proportionate and last for up to 6 months (with the possibility of being renewed once) to compel compliance with administrative measures until the obliged entity or person concerned complies with the relevant administrative measures (the administrative measure and the periodic penalty payment start on the same day);

- In the case of legal persons, the amount of the periodic penalty payment shall not exceed 3 % of their average daily turnover in the preceding business year or, in the case of natural persons, that amount shall not exceed 2 % of their average daily income in the preceding calendar year.


[1] Directive (EU) 2024/1640 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849.

[2] Regulation (EU) 2024/1624 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. Applicable as of 10 July 2027.

[3] Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.