Compliance Briefing — AMLD5 transposition deadline arrives

Executive briefing: The Fifth Anti-Money Laundering Directive (AMLD5) required EU member states to transpose its measures by 10 January 2020, tightening rules for banks, fintechs, and virtual asset providers. The law widens the scope of obliged entities, lowers thresholds for prepaid instruments, improves beneficial ownership transparency, and expands information-sharing for financial intelligence units (FIUs) and supervisors. Organisations serving EU clients must confirm that each jurisdiction where they operate has implemented national rules that meet or exceed the directive’s minimum standards and remediate gaps in onboarding, monitoring, and suspicious-activity reporting.

Transposition speed and detail differed by country, creating cross-border inconsistency in registry access, politically exposed person (PEP) checks, and documentation required to verify customers who use anonymous payment instruments or virtual currency services. Firms that built single policies for the bloc now need jurisdiction-by-jurisdiction control mapping, including evidence of how local law treats exemptions, information-sharing permissions, and high-risk-country mitigation.

What changed

AMLD5 amends the Fourth AML Directive to respond to evolving risks, including virtual assets and terrorist financing flows. Key changes include registration and supervision of virtual asset service providers (VASPs), tighter due diligence on prepaid cards, broader access to beneficial ownership registries, and enhanced cooperation between national competent authorities and FIUs. Several provisions require operational changes beyond customer onboarding, including updated suspicious transaction reporting triggers and cross-border information requests.

Because the directive sets minimum harmonisation requirements, national transposition can diverge—Germany, France, the Netherlands, and Ireland added stricter obligations or accelerated implementation, while other states faced infringement warnings for late action.^{Directive (EU) 2018/843European Commission 2020 press release}

Timeline and legislative backdrop

• June 2018: AMLD5 published in the Official Journal with a two-year transposition window ending 10 January 2020.^{Directive (EU) 2018/843}
• January 2020: Deadline hits; the Commission reminds member states that late transposition can trigger infringement proceedings.^{European Commission 2020 press release}
• 2020–2021: Multiple states receive formal notices and reasoned opinions for delays, creating staggered compliance start dates across the bloc.
• 2021 onward: Supervisors embed AMLD5 expectations into risk assessments, thematic reviews, and VASP registration regimes. In parallel, EU legislators drafted the single-rulebook AML package (AMLR, AMLA, and revised Funds Transfer Regulation), signalling future consolidation of these requirements.

Firms cannot assume uniformity: deadlines for national guidance, registry integration, and penalty frameworks differed, meaning transaction monitoring and reporting controls should reference the local rule set for each booking entity and branch.

Compliance obligations by theme

The directive’s operational impact spans customer due diligence (CDD), payment instruments, virtual asset oversight, and information transparency. Controls should be updated in the following areas:

• Virtual asset service providers: VASPs—including exchanges, custodian wallet providers, and certain ICO platforms—must register with a national authority and implement full CDD, suspicious activity reporting (SAR), and ongoing monitoring. Banks onboarding VASPs must apply enhanced due diligence (EDD) and document how they assess governance, travel-rule readiness, and jurisdictional risk.
• Prepaid cards and anonymous payment instruments: The load and redemption threshold for anonymous prepaid cards dropped to EUR 150 (and EUR 50 for remote transactions), and usage is restricted outside the EU. Program managers must update limits, verify identity at lower thresholds, and align fraud/AML scenarios accordingly.
• Beneficial ownership transparency: Corporate and trust registries must be accessible, with interconnection across member states. Firms should embed registry lookups into onboarding workflows, retain evidence of searches, and reconcile discrepancies between customer declarations and registry data.
• Politically exposed persons: Member states must publish functional lists of domestic prominent public functions. Screening vendors should ingest these lists; internal procedures need to define approval authorities, periodic review cycles, and EDD triggers for PEPs and their close associates.
• Correspondent banking and high-risk third countries: AMLD5 codifies stricter EDD for non-EU respondent institutions and obliges enhanced measures for transactions or business relationships involving high-risk jurisdictions identified by the Commission or FATF. Documentation should include risk rationales, senior management sign-off, and ongoing transaction pattern reviews.
• Information sharing for FIUs and supervisors: The directive enables FIUs to obtain payment account data swiftly and authorises supervisors to cooperate across borders. Institutions should map lawful bases for sharing and ensure logging, access controls, and retention policies satisfy both AMLD5 and GDPR expectations.
• E-money and fintech innovations: Electronic money institutions and payment initiation services remain in scope; product teams must evidence design reviews that address money-mule typologies, rapid account opening, and velocity controls.

Documentation should show how group policies incorporate these requirements while allowing stricter local overlays (for example, Germany’s BaFin guidance on crypto custody licences or France’s AMF/ACPR joint instructions for digital asset service providers).

Enforcement implications and supervisory expectations

Non-compliance carries both regulatory and operational risk. The Commission has demonstrated willingness to launch infringement proceedings for late or incomplete transposition, while national supervisors have issued fines for inadequate EDD, poor SAR quality, and failure to register virtual asset activities. Boards should anticipate deeper scrutiny of control effectiveness, not just policy updates.

• Supervisory reviews: Expect thematic inspections on VASP onboarding, prepaid-card controls, and access to beneficial ownership data. Examiners increasingly request evidence of adverse media screening, counterparty provenance checks, and training tailored to new typologies.
• Data quality and registry usage: FIUs and supervisors often compare SAR narratives and registry search logs. Missing registry references or inconsistent beneficial ownership details raise red flags.
• Cross-border cooperation: Institutions with branches in multiple member states must support information requests from any competent authority. Documenting data lineage and decision rationale is critical when sharing across jurisdictions with different secrecy or blocking statutes.
• Travel-rule expectations: While the Transfer of Funds Regulation revision formalises crypto “travel rule” data, AMLD5’s VASP registration and SAR obligations serve as an enforcement baseline. Firms should be ready to demonstrate interoperability with messaging standards such as the Joint Working Group’s IVMS101.
• Board accountability: Senior management approvals for high-risk relationships and VASP onboarding should be minuted. Many supervisors expect boards to receive MI on registry query volumes, SAR filings, and prepaid card threshold breaches.

Regulators also evaluate how firms balance AMLD5 with data protection. Institutions must ensure lawful bases for registry searches and inter-entity data sharing, apply proportional access controls, and maintain audit trails that align with GDPR data minimisation.

Operational actions and implementation tips

Programme leads should refresh jurisdictional risk assessments, update runbooks, and confirm technology support for new data elements. Priority actions include:

1. Gap assessments: Map current policies to AMLD5 articles and the stricter national variants for each operating country. Highlight differences in prepaid thresholds, registry search procedures, or documentation requirements for VASPs.
2. Customer lifecycle controls: Update onboarding questionnaires to capture virtual asset exposure, beneficial ownership identifiers, source of wealth, and PEP/relatives screening. Ensure periodic reviews include registry re-checks and sanctions list updates.
3. Transaction monitoring: Add scenarios for crypto-fiat ramps, rapid prepaid card reloads, cross-border peer-to-peer transfers, and activity involving high-risk jurisdictions. Calibrate alert thresholds with typologies from FIU advisories and FATF reports.
4. Training and accountability: Provide role-based training for onboarding teams, VASP relationship managers, and SAR investigators. Document escalation chains and decision logs, especially when granting exceptions or terminating relationships.
5. Third-party management: Revisit contracts with KYC vendors, screening providers, and programme managers to ensure they support registry integrations, lower prepaid limits, and updated PEP lists. Validate service-level agreements for data accuracy and response times.
6. Board reporting: Establish dashboards that track VASP pipeline status, prepaid card load volumes by threshold, beneficial ownership discrepancies, SAR timeliness, and cross-border information-sharing requests.

Embedding these steps helps demonstrate to supervisors that AMLD5 is operationalised across products and entities, not merely acknowledged in policy documents.

Why it matters

AMLD5 represents a shift from primarily banking-focused AML controls to a broader ecosystem that includes fintechs and virtual asset providers. Firms that treat the directive as a one-time compliance exercise risk misalignment as national rules evolve and as the EU transitions to the forthcoming AML single-rulebook. A disciplined, evidence-driven implementation protects correspondent relationships, reduces enforcement exposure, and positions institutions to meet the next wave of requirements—such as the expanded travel rule and direct supervision by the EU Anti-Money Laundering Authority.