---
title: "AML Compliance for Crypto Firms: What the 6AMLD Requires (2026)"
slug: aml-compliance-crypto-6amld
publishedAt: 2026-04-22T09:00:00Z
author: Finconduit Editorial Team
tags: 6AMLD, AML, FATF, MiCA
canonicalUrl: https://finconduit.com/resources/aml-compliance-crypto-6amld
---
# AML Compliance for Crypto Firms: What the 6AMLD Requires (2026)

How the EU's 6AMLD and FATF Recommendation 15 impact CASPs and VASPs — CDD frameworks, Travel Rule obligations, and AML programme design for bank readiness.

**Crypto\-Asset Service Provider**s operating in the EEA in 2026 face the most prescriptive **AML** regime in the financial sector. The [Sixth Anti\-Money Laundering Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L1673) criminalised money laundering with EU\-wide minimum penalties, the [Transfer of Funds Regulation](https://eur-lex.europa.eu/eli/reg/2023/1113/oj) extended the **FATF** **Travel Rule** to crypto transfers above **€1,000**, and the new EU **AML** Package — [Anti\-Money Laundering Regulation](https://eur-lex.europa.eu/eli/reg/2024/1624/oj), [AMLD6](https://eur-lex.europa.eu/eli/dir/2024/1640/oj) recast, and a new [Anti\-Money Laundering Authority](https://eur-lex.europa.eu/eli/reg/2024/1620/oj) — replaces the patchwork of national regimes from July 2027. Every **CASP** that is not building toward this end\-state today is building toward a remediation programme tomorrow.[^1][^2][^3][^4][^5]

**MiCA** bolts onto this **AML** stack rather than replacing it. A **MiCA CASP** authorisation is contingent on a written **ML/TF risk assessment**, a documented **AML**/**CTF** programme, an **MLRO** approved by the national competent authority, **blockchain analytics** integration, sanctions and **PEP screening** at onboarding and ongoing, **transaction monitoring** with documented thresholds, and an **annual independent audit** of the **AML** function. Each component is reviewed line\-by\-line at authorisation and re\-tested at every supervisory inspection.

This guide explains what the **6AMLD** actually requires from a **CASP**, what changes under the **AML** Package taking effect in 2027, and the operational stack — risk assessment, **CDD**, **EDD**, **transaction monitoring**, **Travel Rule**, **SAR** filing, sanctions — that every regulated crypto firm must run. Penalties for failure are no longer notional: **6AMLD** imposes minimum maximum sentences of 4 years for individuals and **corporate criminal liability** **up to 10% of annual turnover** under **AMLR**.

## What the **6AMLD** Actually Changed

The **Sixth Anti\-Money Laundering Directive** harmonised **criminal liability** for money laundering across all EU member states. Where the [Fifth Anti\-Money Laundering Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L0843) had brought crypto exchange and wallet services into **AML** scope as **obliged entities**, the **6AMLD** made the criminal consequences of failing those obligations consistent across the bloc.[^6]

- Predicate offences. The **6AMLD** lists 22 **predicate offences** whose proceeds count as money laundering when laundered — including cybercrime, tax crimes, market abuse, and environmental crimes. Crypto\-funded ransomware is now an explicit **predicate offence** in every member state.

- Corporate **criminal liability**. Legal persons can be held liable for **ML** offences committed for their benefit by anyone in a leadership role. Sanctions include exclusion from public benefits, judicial winding\-up, and fines **up to 10% of annual turnover**.

- Extended liability for aiding and abetting. Counselling, inciting, or attempting **ML** is a criminal offence — relevant for **CASP**s whose tooling could be argued to facilitate **layering**.

- Self\-laundering. Laundering of one's own criminal proceeds is now a standalone offence in all member states.

- Minimum maximum penalty. Member states must provide for at least 4 years' imprisonment as the maximum sentence; aggravated cases reach 10 years.

> **Warning:** Corporate criminal liability under 6AMLD applies to the legal entity — not just the individual employee who committed the act. A CASP whose MLRO ignores red flags can face winding\-up proceedings even if the MLRO is the only person prosecuted. Board\-level oversight of AML is now a defensive necessity, not a governance nicety.

## The 2027 **AML** Package — What's Coming

The EU **AML** Package replaces the directive\-based **AML** regime with a directly\-applicable regulation plus a centralised supervisor. From **10 July 2027**, every **CASP** in the EEA falls under a single rulebook with no national variations on the core **AML** perimeter.


*Table: EU AML Package — three instruments and what they change for CASPs.*

| Instrument | Status | Key change for CASPs |
| --- | --- | --- |
| Anti\-Money Laundering Regulation \(AMLR\) | Applicable 10 July 2027 | Single EU rulebook on CDD, EDD, beneficial ownership, transaction limits — replaces the patchwork of 27 national AML laws |
| AMLD6 \(recast directive\) | Applicable 10 July 2027 | Member states retain criminal\-law and FIU rules; harmonised predicate offences and beneficial\-ownership registers |
| AMLA \(Anti\-Money Laundering Authority\) | Operational from 2026; direct supervision from 2028 | Direct supervision of \~40 highest\-risk obliged entities — including major CASPs and EMIs operating across multiple member states |

**AMLA** is the structural change. For the first time, a Frankfurt\-based EU agency will directly supervise a select number of **obliged entities** — initially the cross\-border financial groups deemed highest\-risk. **CASP**s operating in 6\+ member states with significant volume should expect to come under **AMLA** direct supervision in the first selection round in 2028.

## Obliged Entity Status — Who Is In Scope

Under the **AMLR**, every **CASP** authorised under the [Markets in Crypto\-Assets Regulation](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) is automatically an **obliged entity**. The same applies to legacy **VASP**s operating under transitional regimes until their authorisation expires.[^7]

Obliged entity status pulls a **CASP** into the full **AML** compliance perimeter: written **ML/TF risk assessment**, **customer due diligence** at onboarding, **ongoing monitoring** of relationships, sanctions and **PEP screening**, **transaction monitoring**, suspicious activity reporting to the national **FIU**, training of all staff, an **MLRO** at board level, and **annual independent audit** of the entire programme.

## Customer Due Diligence — **CDD**, **EDD**, **SDD**

The **AMLR** codifies three **CDD** tiers. The base level applies to every customer; **SDD** applies to demonstrably low\-risk customers \(very narrow\); **EDD** is mandatory whenever risk is elevated. Crypto activity is inherently classified as elevated\-risk under the [EBA Guidelines](https://www.eba.europa.eu/) — meaning a **CASP** applies effectively **EDD**\-level diligence to most relationships.[^8]


*Table: Customer Due Diligence tiers under the AMLR.*

| Tier | When applied | Minimum requirements |
| --- | --- | --- |
| Standard CDD | Every customer, every relationship | ID verification, UBO identification, purpose of relationship, ongoing monitoring |
| Simplified CDD \(SDD\) | Demonstrably low\-risk only — narrow | Reduced verification; still requires monitoring; not available for crypto\-only flows |
| Enhanced Due Diligence \(EDD\) | PEPs, high\-risk third countries, complex structures, unusual transactions, EU high\-risk list, crypto \>€1,000 from self\-hosted wallets | Senior management approval, source of funds & source of wealth, enhanced ongoing monitoring, additional ID documents |
| Reverse onboarding \(continuous CDD refresh\) | Every customer on a risk\-based cadence | Re\-verify ID, refresh UBO, re\-screen sanctions/PEP — typically annually for medium\-risk, semi\-annually for high\-risk |

## The **Travel Rule** — **€1,000** Threshold and Self\-Hosted Wallets

The **Transfer of Funds Regulation** extended [FATF Recommendation 16](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-rba-virtual-assets.html) to crypto transfers, applicable from 30 December 2024. Every **CASP** must transmit originator and beneficiary information with every crypto\-asset transfer of **€1,000** or more, and must verify that information for inbound transfers from another **CASP**.[^9]

Self\-hosted wallets are the operational hard part. The **TFR** requires **CASP**s to identify the wallet holder for transfers to or from self\-hosted addresses ≥ **€1,000** and to verify that the wallet is controlled by the customer. In practice the standard architecture relies on **address attribution**, signature challenges, micro\-deposit verification, or third\-party **blockchain analytics** attribution.

- Below **€1,000**: minimum data set \(originator name, originator account, beneficiary name, beneficiary account\).

- ≥ **€1,000** inter\-**CASP**: full data set \(originator address, ID number, date of birth, beneficiary address\). Verified before release of funds.

- ≥ **€1,000** to/from **self\-hosted wallet**: customer must self\-identify as the wallet controller. **CASP** applies risk\-based **EDD** on the address.

- Aggregation: linked transfers below **€1,000** within a 24\-hour window are aggregated. Structuring detection rules in the **transaction monitoring** system are mandatory.
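
The tiering and 24\-hour aggregation rules in the list above, written as a small rule check. This is an added example, not code from this guide or from any vendor; the `Transfer` fields, the definition of "linked" \(same customer and same counterparty\), the treatment of a transfer exactly 24 hours old as outside the window, and the sample transfers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD_EUR = Decimal("1000")   # threshold stated in the article
WINDOW = timedelta(hours=24)      # aggregation window stated in the article

@dataclass(frozen=True)
class Transfer:                   # field names are hypothetical
    tx_id: str
    customer_id: str
    counterparty: str             # beneficiary address or CASP account
    self_hosted: bool             # counterparty is a self-hosted wallet
    amount_eur: Decimal
    at: datetime

def required_handling(amount_eur, self_hosted):
    """Map an (aggregated) EUR amount to the tier described in the list above."""
    if amount_eur < THRESHOLD_EUR:
        return "MINIMUM_DATA_SET"
    if self_hosted:
        return "WALLET_CONTROLLER_VERIFICATION_AND_EDD"
    return "FULL_DATA_SET_VERIFIED_BEFORE_RELEASE"

def evaluate(transfers):
    """Return {tx_id: (handling, aggregated_total, structuring_flag)}.

    Assumption: transfers are linked when customer and counterparty match.
    """
    windows = defaultdict(deque)  # (customer, counterparty) -> recent legs
    results = {}
    for t in sorted(transfers, key=lambda x: x.at):
        win = windows[(t.customer_id, t.counterparty)]
        # Drop legs that are 24 hours old or older relative to this transfer.
        while win and t.at - win[0].at >= WINDOW:
            win.popleft()
        win.append(t)
        total = sum((x.amount_eur for x in win), Decimal("0"))
        # Structuring: every leg is sub-threshold but the linked total is not.
        structuring = (
            len(win) > 1
            and total >= THRESHOLD_EUR
            and all(x.amount_eur < THRESHOLD_EUR for x in win)
        )
        results[t.tx_id] = (required_handling(total, t.self_hosted), total, structuring)
    return results

def sample_transfers():
    """Constructed sample data, not real transactions."""
    d = lambda day, hour: datetime(2026, 3, day, hour)
    return [
        Transfer("a1", "C1", "wallet-W1", True, Decimal("400"), d(1, 9)),
        Transfer("a2", "C1", "wallet-W1", True, Decimal("450"), d(1, 15)),
        Transfer("a3", "C1", "wallet-W1", True, Decimal("300"), d(1, 22)),
        Transfer("a4", "C1", "wallet-W1", True, Decimal("200"), d(2, 16)),
        Transfer("b1", "C2", "casp-B-acct", False, Decimal("2500"), d(1, 10)),
    ]

if __name__ == "__main__":
    for tx, outcome in evaluate(sample_transfers()).items():
        print(tx, *outcome)
```

The third leg \(`a3`\) is individually below the threshold but is handled at the ≥ €1,000 tier and flagged, because the linked total inside the window crosses it.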

> **Note:** Travel Rule capability must be operational at authorisation, not bolted on later. NCAs reject CASP authorisation files that promise 'we will procure on day one' — the application must include a signed contract with a Travel Rule provider \(Notabene, Sumsub, Sygna, Veriscope\) and integration evidence.

## The **AML** Supplier Stack

**MiCA** does not mandate vendors but every supervisory inspection effectively does. The minimum operational **AML** stack for a 2026\-vintage **CASP** combines six categories of tooling, integrated with each other and with the core ledger.


*Table: AML supplier stack for a regulated CASP — categories and dominant providers \(2026\).*

| Function | Dominant providers | Annual cost \(mid\-sized CASP\) |
| --- | --- | --- |
| Blockchain analytics — wallet screening, source\-of\-funds, sanctions hits on inbound | Chainalysis, Elliptic, TRM Labs | €60,000–€180,000 |
| Travel Rule — TFR\-compliant data exchange between CASPs | Notabene, Sumsub Travel Rule, Sygna, Veriscope | €20,000–€60,000 |
| KYC / KYB — identity verification, document verification, UBO discovery | Sumsub, Onfido, Veriff, Jumio, Persona | €30,000–€90,000 |
| Sanctions / PEP / adverse media — onboarding \+ ongoing | ComplyAdvantage, Refinitiv World\-Check, LexisNexis Bridger | €30,000–€80,000 |
| Transaction monitoring — rules engine, structuring detection, SAR generation | Hummingbird, Sardine, Unit21; in\-house for large CASPs | €40,000–€120,000 |
| Case management — investigation workflow, audit trail, regulator reporting | Hummingbird, ComplyAdvantage Mesh, in\-house | €20,000–€60,000 |

## The **MLRO** and the Three Lines of Defence

Every **CASP** must appoint a **Money Laundering Reporting Officer** with regulatory pre\-approval. The **MLRO** is the natural person legally responsible for the **AML** programme, the **SAR**\-filing decisions, and the relationship with the **FIU**. In **Cyprus**, **Lithuania**, **Ireland** and **Germany** the **MLRO** must be locally resident and approved by the NCA before they can take office.

- First line — front\-line operations. **KYC** analysts, **transaction monitoring** analysts, customer\-facing teams. Detect, escalate, document.

- Second line — compliance & **MLRO**. Owns the **AML** programme, files **SAR**s, maintains the risk assessment, advises the board.

- Third line — internal audit. Independent assurance over the first two lines. Annual independent audit of the **AML** function is mandatory under **EBA Guidelines**.

## **Suspicious Activity Report**s — Filing and Tipping\-Off

When a **CASP** forms a suspicion that funds are derived from criminal activity or are linked to terrorist financing, it must file a **Suspicious Activity Report** with the national Financial Intelligence Unit. The threshold is suspicion — not proof, and not preponderance of evidence. Filing on the basis of suspicion is protected from civil liability; failing to file when suspicion is reasonably triggered exposes the **MLRO** and the **CASP** to criminal sanctions.

Once a **SAR** is filed, the **tipping\-off offence** applies. The **CASP** must not disclose the existence of the **SAR** or the underlying investigation to the customer or to any third party. Tipping\-off is a criminal offence in every member state and carries imprisonment under **6AMLD**. **CASP**s must train customer\-facing staff to handle frozen accounts and rejected withdrawals without volunteering the **AML** reason.

## Penalties — What Failure Costs

**AML** penalties have escalated materially under **6AMLD** and **AMLR**. The combined exposure for a serious failure now includes:

- Criminal — up to 10 years' imprisonment for senior managers in aggravated cases.

- Corporate — fines **up to 10% of annual turnover** for legal persons; judicial winding\-up in extreme cases.

- Regulatory — licence withdrawal, public censure, fitness\-and\-propriety findings against directors barring future appointments.

- Civil — direct customer claims plus class actions where **AML** failures led to customer losses.

- Reputational — banking de\-risking, correspondent withdrawal, loss of payment processor relationships.

## Frequently Asked Questions

### Does the **6AMLD** apply directly to **CASP**s, or is it a directive that needs national transposition?

The **6AMLD** is a directive — it required transposition by 3 December 2020. It applies to **CASP**s through national criminal law in each member state. The recast **AMLD6** \(Directive 2024/1640\) replaces it from July 2027 alongside the directly\-applicable **AMLR**. Until then, you operate under your member state's transposing legislation, which broadly mirrors the **6AMLD** with national variations on penalty quantum.

### What is the **AML** difference between a **5AMLD** **VASP** and a **MiCA CASP**?

**5AMLD** brought crypto exchange and custodial wallet services into **AML** scope as **obliged entities**, but the substantive **AML** obligations were transposed inconsistently across member states. A **MiCA CASP** authorisation embeds those obligations into a uniform pan\-EEA licence: the **AML** programme, **MLRO**, **blockchain analytics** integration, and **Travel Rule** capability are all assessed at authorisation and passport with the licence. From July 2027, **AMLR** applies the same **AML** rulebook to both legacy **VASP**s and **CASP**s — the difference will dissolve.

### When does the **Travel Rule** apply to my crypto transfers?

Always for transfers between two **CASP**s, with a minimum data set below **€1,000** and a full data set at **€1,000** and above. For transfers to or from a **self\-hosted wallet**, the **€1,000** threshold triggers wallet\-controller verification and risk\-based **EDD**. The **Transfer of Funds Regulation** took effect 30 December 2024 and applies regardless of where in the EEA your **CASP** is licensed.

### Do I need to file a **SAR** for every high\-risk hit from **blockchain analytics**?

No — but you must investigate every hit and document the rationale for filing or not filing. The standard is suspicion. A direct sanctions match requires immediate freezing and **FIU** report; a high\-risk score on a counterparty address requires investigation and case\-by\-case decision. Document the analyst's reasoning either way — supervisors will sample your case files at inspection and look for cases where high\-risk hits were dismissed without rationale.

### Does the **AMLA** directly supervise my **CASP** from 2027?

Probably not in the first selection. **AMLA**'s direct supervision powers, operational from 2028, will initially apply to \~40 **obliged entities** deemed highest\-risk based on cross\-border footprint and **AML**/**CTF** risk profile. **CASP**s operating in 6\+ member states with significant volume are candidates for the second\-round selection. All other **CASP**s remain under their home NCA, but with **AMLR** providing the substantive rulebook and **AMLA** setting common standards.

### What does a complete **AML** programme look like at submission?

A 30–80 page document covering: business\-wide **ML/TF risk assessment** with named risk factors and ratings; **CDD** policy including **SDD**/**EDD** triggers; sanctions and **PEP screening** procedure with named provider; **transaction monitoring** rules with documented thresholds; suspicious activity reporting workflow into the national **FIU**; record\-keeping policy \(5 years minimum\); training programme covering all staff annually; **MLRO** appointment letter; reporting lines to the board; and the **annual independent audit** plan. Generic templates are flagged on first review and downgrade the file to high\-scrutiny.

**AML** compliance for a **CASP** is no longer a documentation exercise — it is the difference between operating and being shut down. The **CASP**s surviving long\-term are the ones that built a serious **AML** function before they needed to: a regulator\-approved **MLRO**, named **blockchain analytics** and **Travel Rule** providers, a written and tested risk assessment, and board\-level oversight that does not delegate accountability. The cost of doing this well is six figures a year. The cost of doing it badly is the entire business.

## Footnotes

[^1]: Directive \(EU\) 2018/1673 of the European Parliament and of the Council on combating money laundering by criminal law \(6AMLD\), 23 October 2018; transposition deadline 3 December 2020. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L1673>
[^2]: Regulation \(EU\) 2024/1624 \(AML Regulation — AMLR\), part of the EU AML Package, applicable from 10 July 2027. <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>
[^3]: Directive \(EU\) 2024/1640 \(AMLD6 — recast AML Directive\), 31 May 2024. <https://eur-lex.europa.eu/eli/dir/2024/1640/oj>
[^4]: Regulation \(EU\) 2024/1620 establishing the Authority for Anti\-Money Laundering and Countering the Financing of Terrorism \(AMLA\), 31 May 2024. <https://eur-lex.europa.eu/eli/reg/2024/1620/oj>
[^5]: Regulation \(EU\) 2023/1113 on information accompanying transfers of funds and certain crypto\-assets \(Transfer of Funds Regulation / Travel Rule\), applicable from 30 December 2024. <https://eur-lex.europa.eu/eli/reg/2023/1113/oj>
[^6]: Directive \(EU\) 2018/843 \(Fifth Anti\-Money Laundering Directive — 5AMLD\), brought crypto\-asset exchange and wallet services into AML scope. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L0843>
[^7]: Regulation \(EU\) 2023/1114 \(MiCA\), OJ L 150, 9.6.2023. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^8]: EBA Guidelines on the management of money laundering and terrorist financing risks \(EBA/GL/2021/02\), 1 March 2021. <https://www.eba.europa.eu/>
[^9]: FATF Recommendation 16 — Wire transfers; extended to virtual asset transfers in October 2018 and clarified in the Updated Guidance for a Risk\-Based Approach to Virtual Assets and VASPs, October 2021. <https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-rba-virtual-assets.html>


