Vestlane Logo
ic-menu icon

Home

ic-chevron-right icon

Blog

ic-chevron-right icon

One Rulebook, Many Regulators: How the EU AML Package Reshapes National AML Authorities

One Rulebook, Many Regulators: How the EU AML Package Reshapes National AML Authorities

Author:

ic-clock icon
5 minutes
ic-calendar icon

One Rulebook, Many Regulators: How the EU AML Package Reshapes National AML Authorities

For as long as the EU has fought money laundering, it has done so through directives. Successive anti-money laundering directives (4AMLD, 5AMLD, etc.) all shared the same legal mechanic: Brussels set the standard, and each member state transposed it into its own national law in its own way. That is precisely why AML compliance in private markets has, for decades, meant reading your national rulebook and following your national supervisor's reading of it. Divergence between countries wasn't a bug; it was the built-in consequence of regulating by directive.

The 2024 AML package breaks that pattern. For the first time, the centrepiece is not a directive but a regulation, the Anti-Money Laundering Regulation (AMLR), which becomes directly applicable on 10 July 2027. A regulation does not get transposed; it applies word-for-word in every member state. And that single change of instrument is what provokes the question this article is about: do the substantive rules coming straight from Brussels replace national AML laws? What will the national authorities (BaFin in Germany, the CSSF in Luxembourg, and their counterparts across the EU) enforce?

The short version: national supervisors keep their seat, but the rulebook they enforce is increasingly written in Brussels and Frankfurt. The longer version is worth understanding, because the answer is more nuanced than "the EU regulation takes over."

First, the package itself

The reform is not a single law but a set of instruments that work in deliberately different ways. Understanding which is which removes most of the confusion about what happens to national rules.

The AMLR (Regulation 2024/1624) is the "single rulebook." As an EU regulation, it is directly applicable — from 10 July 2027 it applies word-for-word in every member state with no national transposition. It governs the substantive obligations of obliged entities: customer due diligence, beneficial ownership, the risk-based approach, ongoing monitoring, reporting triggers, etc.

The AMLD6 (Directive 2024/1640) does the opposite job. The package keeps a directive precisely where national-level variation is still wanted. A directive is not directly applicable; it must be transposed into national law by 10 July 2027. AMLD6 governs the institutional and supervisory framework — the powers of national supervisors, the structure of FIUs, beneficial ownership registers, and the sanctions regime.

The drafters' choice is deliberate: harmonise the rules via a regulation, but leave the supervisory machinery to national law via a directive.

The AMLAR (Regulation 2024/1620) establishes AMLA, the new Authority for Anti-Money Laundering, based in Frankfurt and operational since 1 July 2025. It took over the European Banking Authority's AML mandate in January 2026 and sits above the national supervisors.

That division of labour is the key to everything that follows:

  • the AMLR carries the rules obliged entities must follow,
  • AMLD6 carries the architecture of who supervises and enforces, and
  • AMLAR carries the new coordinating authority.

If you want to go deeper into these instruments and their timing, refer to this article. [link to other article]

How it is foreseen to fit with national regulation

The instinct is to ask "will our national AML law survive?" ; but that's the wrong unit of analysis. The AMLR doesn't switch national law off as a block. It operates provision by provision, and the right question is what happens to each one. There are really only two fates, plus a piece of housekeeping that's easy to mistake for a third.

Fate one: superseded (but only on conflict). The AMLR is directly applicable, which means that where a national provision conflicts with it, the AMLR prevails and the national provision is disapplied to the extent of that conflict, from 10 July 2027. This is worth stating carefully, because it's tempting to say "national law stops applying" but that overshoots. Primacy bites only where there's an actual conflict or overlap on a harmonised topic. In practice that captures the core substance: CDD and identification duties, the beneficial-owner definition and UBO identification, the PEP definition and enhanced due diligence, business-wide risk assessment, ongoing monitoring, group-wide policies. On those topics the AMLR becomes the operative text and the equivalent national provisions cease to bite. But a national provision that doesn't conflict, because it sits in territory the AMLR leaves open, could be untouched.

Fate two: survives. National law remains the operative instrument in the areas AMLD6 deliberately leaves to member states: the designation and powers of supervisors, the structure of national FIUs, transparency-register access rules and penalties, real-estate transaction registers, sector-specific extensions where the directive permits them, and the machinery of cooperation between authorities. It also survives in the interpretive space the AMLR leaves open: the phrase "risk-sensitive measures" runs throughout the CDD standards, meaning the regulation often sets the what but leaves the how to supervisory judgment.

What is genuinely new in all this is the ceiling. The AMLR is a maximum-harmonisation instrument on most CDD matters, so "gold-plating", meaning adding stricter national requirements, is no longer lawful outside the AMLR's enumerated carve-outs. That's a sharp break from the directive era, when member states routinely layered national specifics on top of the EU baseline.

The honest summary for fund managers and asset managers: national rules on what you must do are largely superseded; national rules on how you are supervised survive in transposed form.

AMLA's role over the national supervisors

The most misunderstood part of the reform is AMLA's relationship to national supervisory authorities (such as, BaFin in Germany and the CSSF in Luxwmbourg). AMLA does not replace them. It holds them accountable.

AMLA operates on two tracks.

Direct supervision begins on 1 July 2028 and covers roughly 40 selected cross-border institutions assessed as highest-risk. The selection process begins in mid-2027, with entities notified by end-2027. Over those entities AMLA has full supervisory, investigatory and sanctioning powers, equivalent to what a national authority holds.

Indirect supervision is where almost everyone in private markets sits, and it has applied since AMLA stood up in mid-2025. Here AMLA supervises the system rather than the entity, and it does so mainly through the instruments it issues. These come in four types, and their legal force is not the same:

  • Regulatory and Implementing Technical Standards (RTS / ITS) are the heavy artillery. AMLA drafts them, the European Commission adopts them as delegated or implementing regulations, and once adopted they are directly binding with the same legal force as the AMLR itself: they bind national authorities and obliged entities alike, with no national transposition. This is where the real detail lives: the RTS under Article 28 AMLR, for example, specify exactly which CDD measures, verification sources and identification methods are acceptable. AMLA will submit the final drafts soon, on July 2026, one year before the entry into force.
  • Guidelines (GL) operate one rung down, on a comply-or-explain basis. They are addressed to national supervisors, who must either follow them or publicly state their reasons for not doing so. In practice, "explain" is the rare exception, while the default is that BaFin, the CSSF and their peers align their own guidance to the AMLA guidelines.
  • Recommendations (REC) are softer still. They are persuasive rather than binding, used to nudge convergence where AMLA isn't yet legislating.

Beyond issuing instruments, AMLA also conducts peer reviews of the national supervisors themselves, can request that a national authority investigate a specific entity, and, as a last resort, can ask the Commission to let it take over direct supervision of an entity if a national authority persistently fails to act.

So the answer to "can BaFin or the CSSF still overrule the AMLR?" is no: they cannot impose a conflicting or lower standard. But they remain the primary, day-to-day AML supervisor for the vast majority of fund and asset managers, they continue to define what satisfies the AMLR's many risk-sensitive standards, and from July 2027 they apply the AMLR and AMLA's standards directly. BaFin has publicly framed its own role as guided by "the European precept of harmonisation."

It helps to picture the instruments as a hierarchy.

AMLA"s relationship to national supervisory authorities

National examples: Germany, Luxembourg and the Netherlands

Germany. BaFin keeps its supervisory functions under AMLD6, including its national and sector risk assessments and the risk classifications it applies to legal forms, however, their methodology will have to converge toward AMLA's harmonised approach and templates. What changes is the substance underneath: the risk-factor catalogues that drive CDD now live in the AMLR's annexes, and the affected GwG provisions on CDD, beneficial ownership and UBO transparency are superseded where they overlap. BaFin's Auslegungs- und Anwendungshinweise (AuA) will therefore need substantial rewriting where the AMLR replaces the underlying GwG sections.

BaFin has already begun steering toward the AMLR. BaFin's February 2025 revision of the AuA tightened periodic KYC review cycles markedly: annual reviews for high-risk customers (previously every two years), a five-year maximum for medium-risk (down from ten) aand risk-adequate intervals for low-risk customers (previously up to fifteen years).

Another example is Digital Identity Act (DIdG), passed by Cabinet on 20 May 2026, which is set to modify the GwG to bring German practice closer to the eIDAS-based digital identification Luxembourg funds already accept, exactly where the AMLR points. (We covered this in detail in our article on how video identification is changing for German fund investing.)

The takeaway: Germany's national layer is being rebuilt in several overlapping pieces at once, but for a fund manager the operative supervisor remains BaFin, now applying the AMLR.

Luxembourg. The pattern is the same, sorted by content. CSSF Regulation 12-02, the detailed Luxembourg CDD regulation, occupies exactly the space the AMLR now harmonises and is likely to need the most significant amendment or repeal. Circular 18/698, the most relevant for fund managers, is a hybrid: its organisational and governance requirements for fund managers derive from the UCITS/AIFMD framework and can survive, while the AML/CFT elements overlapping the AMLR are likely to be superseded; the probable outcome is amendment rather than withdrawal. Circular 19/732 on beneficial ownership sits on a harmonised topic and is expected to be updated or replaced, surviving only where it fills genuine gaps. Luxembourg's recent practice on EU files (CRD VI, AIFMD II) has been faithful transposition without gold-plating, which suggests it won't use AMLD6 to add national extras.

The Netherlands is the clearest live, near-term example, and it centres on beneficial ownership register access, the area where AMLD6 demands the most concrete operational work before 2027. After the 2022 Court of Justice ruling closed public access to UBO registers, AMLD6 rebuilds access on a legitimate-interest basis. The deadline is sharp: from 10 November 2026, registers must respond to legitimate-interest requests within roughly 12 working days, with three-year access certificates and steps toward mutual recognition across member states. The Netherlands has launched its implementation consultation, signalled a minimum-implementation approach (repealing the existing Wwft in favour of a new act), and its Chamber of Commerce is building a UBO data API for institutional access — a useful preview of the interim period many jurisdictions will navigate.

The transition reality: no grace period, plenty of overlap

There is no formal EU-wide transition window. The AMLR applies in full on 10 July 2027. But three practical dynamics matter for anyone planning now.

A coexistence period is unavoidable: the AMLR's CDD provisions apply directly from July 2027 regardless of whether national supervisory law and circulars have been updated to match, so compliance policies must reference the AMLR from that date even while national guidance catches up. Transposition is running late and live across Germany, Luxembourg and beyond. And existing circulars don't auto-expire. Nothing in the AMLR automatically repeals a national circular; authorities must actively amend or withdraw them. Until they do, the legally correct position is that the AMLR prevails over anything inconsistent, but obliged entities will in practice be reading both layers and reconciling them. This is exactly the situation where documenting your interpretation is worth the effort.

What this means for fund managers

The strategic posture that holds up across all of this is straightforward: build to the AMLR and its technical standards as the floor, treat surviving national expectations — registry extracts, ownership documentation, fund-specific due diligence — as configurable layers on top, and plan for a 2027–2028 stretch where both must be satisfied at once. National supervisors aren't going away. But for the first time, what they can ask of you is bounded by a single European rulebook.

For private-market teams, that's less a compliance burden than a planning advantage: the direction of travel is now mandated by EU law, which means the infrastructure decisions you make today can be aligned to a known destination rather than a moving national target.

Building investor onboarding and KYC/AML workflows that can flex across jurisdictions and adapt as the AMLR layer settles is exactly what Vestlane is designed for. Book a demo to see how.

Frequently Asked Questions

Does the AMLR replace national AML laws?

ic-chevron-down icon

Not as a block. The AMLR operates provision by provision: where a national rule conflicts with it, the AMLR prevails from 10 July 2027 - covering core substance like CDD, beneficial ownership and ongoing monitoring. National rules on supervision, FIUs and registers survive under AMLD6. New is the ceiling: stricter national "gold-plating" is no longer lawful outside the AMLR's carve-outs.

Will BaFin and the CSSF still supervise fund managers?

ic-chevron-down icon

Yes. National authorities like BaFin and the CSSF remain the primary, day-to-day AML supervisors for the vast majority of fund and asset managers. What changes is the rulebook they enforce: from July 2027 they apply the AMLR and AMLA's binding technical standards directly, and they can no longer impose conflicting or lower national standards.

What is AMLA and what powers does it have?

ic-chevron-down icon

AMLA is the EU's Anti-Money Laundering Authority, based in Frankfurt and operational since July 2025. It drafts binding technical standards (RTS/ITS), issues comply-or-explain guidelines to national supervisors, and conducts peer reviews. From July 2028 it will directly supervise roughly 40 high-risk cross-border institutions; everyone else stays under national supervision within AMLA's harmonised framework.