Online Identity Verification Services

EU AML Package: What Fintech and Crypto SMBs Need to Do to Stay Compliant

For many small fintech and crypto businesses, compliance used to be something you dealt with later, once you had traction and resources. But that’s no longer an option.

According to the United Nations Office on Drugs and Crime (UNODC), between EUR 715 billion and 1.87 trillion is laundered globally each year. In response, the European Union has introduced the strictest Anti-Money Laundering (AML) Package since 1991, reshaping how every regulated business must handle KYC and AML from the first day of their operation.

The new framework was adopted in 2024, with a transition period until July 2027. It may seem like there’s plenty of time left. In reality, regulators already expect new applicants and obliged entities to prove they’re prepared.

The AML rules are detailed, demanding, and will require many businesses to rethink their approach to KYC — from policies and people to the technology that keeps them compliant. So what exactly is changing, who does it affect, and what should your business do next? Let’s break it down.

What’s Inside the EU AML Package?

The EU AML Package is a set of four regulations and directives designed to rebuild how Europe fights money laundering and terrorist financing. It defines how obliged entities verify customers, handle transactions, and report suspicious activity over the next few years. Let’s break them down.

1. AMLR – Regulation (EU) 2024/1624

Adopted: May 31, 2024 · Applies from: July 10, 2027

This is the heart of the new AML framework. Unlike older directives, AMLR is a regulation, meaning it will apply directly in all EU Member States. It sets a single, harmonized rulebook for KYC, customer due diligence, and monitoring obligations. It also lowers the threshold for who must comply: crypto businesses, payment startups, and even certain non-financial service providers will now fall under AML rules. AMLR will make KYC and AML procedures consistent across Europe — so whether you onboard a customer from Spain or Germany, you’ll follow the same rules.

2. AMLD6 – Directive (EU) 2024/1640

Adopted: May 31, 2024 · Implementation deadline: July 10, 2027

If AMLR sets the rules, the 6th AML Directive ensures every EU country has the same tools and institutions to enforce AMLR efficiently. It focuses on how Financial Intelligence Units (FIUs) operate, how supervisors cooperate across borders, and how beneficial ownership information is shared. It also introduces tougher penalties for compliance failures.

3. AMLA Regulation – Regulation (EU) 2024/1620

Adopted: June 26, 2024 · Applies from: July 1, 2025 (gradually)

The AMLA is the EU’s new central authority for money laundering prevention. It will oversee large cross-border institutions directly, coordinate supervision among national regulators, and issue guidelines and technical standards. It will also play a major role in crypto and high-risk financial sectors, ensuring consistent supervision across borders. Regulated businesses can expect more unified audits, common reporting standards, and better cross-border enforcement.

4. Wire Transfer Regulation II – Regulation (EU) 2023/1113 (WTR2)

Effective: December 30, 2024

This regulation is relevant for payment processors and crypto exchanges. It requires that all transfers of funds include verified information about both the sender and the recipient. Wallet providers and exchanges must ensure “travel rule” compliance, keeping transaction data transparent and traceable.

Who Does the AML Package Apply To?

The EU AML Package applies to a broad set of businesses, regardless of their size, known as “obliged entities” — companies that are required to follow AML (anti-money laundering) and CFT (counter-terrorist financing) rules. Here’s who falls under the rules:

1. Financial institutions and payment providers

This includes banks, neobanks, payment apps, e-money providers, and other companies that handle money transfers. Any business that takes deposits, processes payments, or provides digital wallets must comply with KYC/AML obligations.

2. Crypto and virtual asset service providers (VASPs)

Exchanges, custodial wallets, brokers, and token issuers are now explicitly included. Even smaller crypto startups offering wallet services or token trading are obliged to verify customers, monitor transactions, and report suspicious activity.

3. Accountants, auditors, and legal professionals

Businesses that provide financial advice, manage client funds, or help set up companies and trusts also fall under AML rules. This ensures that professional services can’t be used to move illicit funds undetected.

4. Real estate and high-value goods dealers

Dealers in real estate, luxury goods, art, or precious metals must now perform due diligence on clients and report suspicious transactions, particularly if deals involve large sums of money.

What This Means for Fintech and Crypto SMBs

One of the most significant changes in the EU AML Package is that obliged entities must formalize who is responsible for AML within the company. Accountability is moved from “someone does KYC” to designated employees. The law now requires two linked roles: a senior compliance manager at the board/management level and a compliance officer responsible for day-to-day AML controls.

The good news is that the scale and complexity of those controls should match your size and risk profile. In practice, that means a crypto startup won’t need the same organization as a major bank, but it still needs documented policies, a designated compliance officer, and demonstrable processes.

To comply with the new AML rules, businesses will need to make several operational updates:

• Strengthen your compliance function. Every obliged entity must have a designated compliance officer, either an internal senior employee or an external service provider. This will likely become one of your key fixed costs.

• Build your AML framework. You’ll need clear, documented policies and procedures: AML policy, customer due diligence (CDD) rules, escalation paths, suspicious activity report (SAR) templates, sanctions procedures, and an internal audit plan. These require legal and compliance expertise, whether in-house or outsourced.

• Implement automation and monitoring tools. Under AMLR, regulators expect complete audit trails, clear accountability, and consistent CDD. Allpass.ai was designed around these very principles — automating verification, monitoring, and record keeping in one platform

• Train your team and manage records. All relevant staff must receive AML training, with regular refreshers. You’ll also need secure record-keeping for all compliance activities over legally defined retention periods.

• Ensure independent oversight. The AML Regulation requires independent audit functions and clear escalation routes for compliance officers, including protection from retaliation. This improves governance but adds some administrative overhead.

How Technology Can Help

Modern KYC/AML technology can automate 70–80% of routine compliance tasks, cutting the time spent on onboarding and monitoring by hours per customer. Automation can handle such tasks as:

• Identity verification - capturing and validating IDs in seconds, including document authenticity checks.

• Liveness and biometric verification - confirming that the person behind the screen is real and matches their document.

• Sanctions and PEP screening. - continuously checking customer data against updated global watchlists.

• Transaction and behavior monitoring. - detecting unusual patterns or high-risk activities automatically.

• Audit-ready reporting - generating detailed compliance records without manual data entry.

With an automated KYC solution, you can reduce human error, compliance fatigue, and lower operational costs — often by 40–60% compared to fully manual processes. For fast-moving fintech or crypto startups, that can mean faster customer onboarding, fewer false positives, and a leaner compliance function that scales with growth.

Final Thoughts

The EU’s new AML framework raises the bar for compliance across many sectors. For small and medium businesses, this poses some challenges. But it’s also an opportunity for establishing the necessary processes that strengthen regulators’ and customers’ trust in your business.

Modern compliance technology can help you with that. Run your entire compliance process in one platform with Allpass.ai. No need to pay for and juggle separate tools. All customer data and verifications are securely stored in one system, making reporting simple.

There’s no need for complex training or technical setup: your compliance officer can log in and start working immediately.

“We have a team of 23 people, and it literally took just one 30-minute demo for us to get started with Allpass.ai. With other solutions, you usually need extra onboarding sessions and technical support, which, for a small company, just drives KYC costs up. Allpass.ai was different. The interface is intuitive; everything makes sense right away. After 12 years in AML and compliance, I can tell when a tool truly saves time instead of adding more work — and this one really does.”

— Maksym Kurgatenko, COO at Complywiser

Whether you’re preparing for licensing or expanding in the EU, Allpass.ai helps you stay fully AMLR-compliant from day one — without the enterprise overhead. Book a 30 minutes demo and see how it works for your business.