AML in the EU: From Fragmentation to Full Harmonization in 2027
Some regulations arrive and genuinely transform the landscape—something the European Union has accustomed us to. Regulation (EU) 2024/1624, known as the Anti-Money Laundering Regulation (AMLR), is one of them. This is not a directive that Member States can interpret as they see fit, adapting its transposition with the creativity typical of each jurisdiction. It is a directly applicable regulation. In the language of European compliance, that means the room for interpretation and improvisation is coming to an end.
And 2027—the date when the regulation will become fully applicable for most sectors—is much closer than many organizations would like to admit.
The Growing Challenge of Money Laundering
The European AML framework has, until now, been a patchwork. Each Member State transposed AML/CFT Directives in its own way, with its nuances, timelines, and its own interpretations of key concepts such as ‘due diligence’, ‘beneficial ownership’, or ‘high risk’. The result was a fragmented compliance ecosystem where the same transaction could be treated radically differently in Madrid, Amsterdam, or Warsaw.
This fragmentation was not only a technical or legal issue. It was, and still is, a systemic vulnerability. Financial crime actors have no problem with borders; regulated entities, by contrast, have plenty.
“Regulatory arbitrage is not just a compliance issue: it is a business for those who launder money.”
The new regulation does not eliminate all complexity, but it does introduce a common and directly applicable threshold. The aim is to put an end to the idea of “some of us are more lenient here and stricter there”.
One of the developments with the greatest practical impact is the expansion of the scope of obliged entities. If the debate previously focused on banks, insurance companies and payment institutions, it now explicitly includes the full range of crypto-asset service providers, luxury goods operators, real estate agents with certain commission structures, and even football, which is gaining relevance ahead of the next World Cup.
Professional football? Exactly. There it is. Because money laundering does not distinguish between teams, entertainment, or less glamorous and more boring sectors.
Sports corruption, according to a Europol report, launders assets worth €1.69 trillion annually. The sector, along with fraud-as-a-service, is also reflected in these money laundering cases. As an example, a couple of years ago, in a joint operation between authorities in Italy, Latvia, and Lithuania, a business offering online money laundering as a service to other criminals across the EU was dismantled. It carried out fictitious financial transactions through straw men and a network of companies, laundering approximately €2 billion, and resulting in 18 arrests.
The Risk-Based Approach, Simplified Due Diligence, and the Cost of Sanctions
The Risk-Based Approach (RBA) is not new. It has been part of the compliance vocabulary for years. What changes with this regulation is its real enforceability. It is no longer enough to state in an internal manual that a risk-proportionate approach is applied. It must be demonstrated, documented, and audited.
This has concrete operational implications. The RBA requires three things that many organizations still manage in a rather unsystematic way:
Assessment: identifying and categorizing the entity’s actual risks, not those that look good on paper.
Prioritization: allocating resources proportionally. Clients with documented low risk do not require the same level of scrutiny as a complex corporate structure in a high-risk third country.
Traceability: every risk classification decision, every application or adjustment of measures, must be justifiable to the supervisor. Evidence is not optional.
At Facephi, we work precisely at this intersection: the one that connects regulatory obligation with the operational capacity to execute it efficiently. Verifying identities during onboarding, monitoring risk signals in periodic reviews, or generating auditable trails for each decision are capabilities that the new framework does not merely suggest: it requires them.
Here we must be very clear, because there is a misconception that can be very costly: Simplified Due Diligence (SDD) is not the absence of due diligence. It is not an exemption regime nor an exit door to reduce compliance costs by reducing controls. It is, as its name indicates, a reduced-intensity regime that only applies when the risk of the client and the transaction justifies it, and when that justification is documented. What the regulation allows in genuinely low-risk contexts is adjusting the frequency and depth of reviews, not eliminating them.
Organizations that interpret SDD as a way of doing less compliance will face a serious problem when the first supervisory inspection arrives. The framework does not distinguish between those who misapplied SDD out of ignorance and those who did so out of convenience. Neither do the sanctions.
The sanctioning regime of the new AML framework is not cosmetic. Monetary fines can reach significant percentages of annual turnover. But the economic cost is, paradoxically, the most manageable. The following costs will have a greater impact on the sanctioned entity.
Operational cost: a severe sanction is usually accompanied by improvement requirements with deadlines, enhanced supervision, and, in extreme cases, suspension of activities. Restoring operational normality after a significant sanction can take years and disproportionate resources.
Reputational cost: in a sector where trust is the fundamental asset, a public AML sanction has an impact that no communication campaign can fully neutralize. Institutional clients, investors, and regulators in other markets see it, register it, and remember it.
Regulatory compliance is not a compliance cost. It is an investment in business continuity.
What 2027 will bring
The question organizations should be asking today is: ‘Are we operationally ready to comply when it comes into effect?’
The difference between both questions is the difference between reading the regulation and being prepared to execute it. And being prepared means reviewing onboarding and customer review processes under the new standard; updating risk assessment and categorization systems; ensuring that documentary evidence is sufficient for a supervisory audit; and, crucially, training the teams that will make day-to-day decisions.
Organizations that reach 2027 without having done this work will face a dual pressure: adapting under fire while supervision is already active, and doing so while competing for the same external resources across the entire sector.
The technological solution exists. Platforms with identity verification and digital onboarding, such as those we develop at Facephi, make it possible to integrate the RBA into the operational process from the very first customer interaction, automatically generating the evidence required by the framework. But no technology replaces the strategic decision to start.
Regulation (EU) 2024/1624 will level the playing field across the EU. That is a threat to those who have built their competitive advantage on opacity or on creative interpretation of the rules. And it is an opportunity for those who have invested in doing compliance properly.
Organizations with robust processes, real traceability, and a genuine RBA will compete in better conditions. Those that arrive late will pay in friction, in accelerated adaptation costs, and, in the most extreme cases, in sanctions.
2027 is not a distant horizon. It is the next stop.