From AMLD to AMLR

An overview of the evolution of anti-money laundering legislation, Danish experience in this area, and the forthcoming requirements that undertakings must prepare for.

This article provides a historical perspective on anti-money laundering and introduces our forthcoming series of articles. We review the evolution from the first EU directives to Danish case law and the latest amendments introduced by the AML package – including the consequences of non-compliance. The aim is to provide a solid foundation for understanding the future harmonised AML framework and how it can be effectively implemented in practice.

From the early EU directives to the new AML package: we examine the historical development, selected Danish case law, the new requirements introduced by the AML package, as well as the consequences of non-compliance with the new regulation. The article provides background knowledge and context, enabling a better understanding of how lessons from the past can strengthen compliance with future AML requirements.

Introduction

In the coming months, we will take a closer look at specific Danish cases and legal cases within anti-money laundering and place them in the context of the AMLR. We will, among other things, assess whether the new AML package could have contributed to preventing the situations observed, while also providing input on how undertakings can effectively implement the new requirements in practice. The purpose is to offer a more practice-oriented approach to AMLR, rather than merely a theoretical review of the rules.

This article provides the for the upcoming article series. It outlines the history from the first EU anti-money laundering directives, developments in Danish case law and enforcement practice, as well as the key changes introduced by AMLR. We also take a closer look at the new Regulatory Technical Standards (RTS) under Article 53(10), which establish criteria for sanctions in cases of non-compliance with the AML package, thereby providing an indication of the consequences undertakings may expect if the rules are not complied with.

Experience from the past provides a solid foundation for understanding the more harmonised and systematic AML enforcement across the EU and helps to clarify how the new requirements can be implemented effectively in practice.

Background: From earlier directives to AMLR and case law

To understand and effectively implement the forthcoming AML package, it is essential to be familiar with the development of previous EU anti-money laundering directives, their implementation in Denmark, and the relevant case law and enforcement practice.

The historical development shows how the rules have gradually become more comprehensive, from the first directives, which primarily focused on drug-related crime, to later directives introducing a risk-based approach, requirements for management involvement, transparency regarding beneficial ownership, and the handling of new digital assets.

Danish cases and enforcement actions against financial undertakings also illustrate how non-compliance with AML legislation can lead to significant consequences, both financial and reputational. By reviewing both the development of the directives and relevant case law, one gains not only insight into the formal requirements, but also an understanding of how the rules operate in practice, which risks typically trigger sanctions, and where undertakings have historically faced challenges.

An understanding of this background is essential for compliance and management functions to adapt internal procedures and control frameworks so that they both meet existing requirements and are prepared for the effective implementation of the new AML package. It provides a solid basis for assessing which organisational measures and preventive efforts are effective, and where new rules may potentially prevent previously observed types of breaches.

Development of legislation

1st AML Directive (1991) – the first common EU rules

The first EU anti-money laundering directive was adopted in 1991 (Directive 91/308/EEC) (1) and marked the beginning of a common European regulatory framework in the AML area. The purpose was to prevent the financial system from being used to conceal proceeds from criminal activity, in particular drug-related crime. The directive introduced the fundamental elements that still form the backbone of AML efforts today: customer due diligence (CDD), record-keeping, and reporting of suspicious transactions. In Denmark, the directive was implemented in national law in 1993 (2) and constituted the first step towards a dedicated AML regime, enabling money laundering to be addressed as a separate regulatory area rather than solely as a criminal law issue.

2nd AML Directive (2001) – broader scope and more actors

The second AML directive (2001/97/EC) (3) expanded the scope to include not only drug-related proceeds but all forms of serious crime capable of generating funds for money laundering. The directive also extended the types of undertakings and professions subject to the rules, including lawyers, auditors, real estate agents, and certain traders. The Danish implementation took place over the following years through amendments to AML legislation, and the directive marked an important shift: AML regulation became a broader societal and business concern, no longer limited to the banking sector.

3rd AML Directive (2005) – risk-based approach

The third AML directive (2005/60/EC) (4) aligned EU rules with international standards from FATF and introduced the risk-based approach as a fundamental principle in AML work. The directive focused on differentiating requirements depending on the specific risk of money laundering and terrorist financing – which, with this directive, became a distinct focus area – making the AML rules more operational and relevant for individual undertakings. Key elements included enhanced CDD procedures, ongoing monitoring, and particular attention to politically exposed persons (PEPs). In Denmark, the directive was implemented in the late 2000s and marked a move away from formalistic checklists towards a more targeted and risk-based framework.

4th AML Directive (2015) – governance, risk assessment, and beneficial ownership

The fourth AML directive (2015/849) (5) introduced a significant focus on undertakings’ own risk assessments, governance, and internal controls. It required undertakings to identify beneficial owners, document internal procedures, and anchor AML efforts at management level. Additionally, tax crimes were added to the list of predicate offences. In Denmark, the directive was implemented through the new AML Act of 2017 (Act no. 651 of 8 June 2017) (6). This marked a shift whereby AML was no longer only an operational control area, but a management discipline, with documentation and risk management becoming central elements.

5th AML Directive (2018 – AMLD5) – transparency and digital actors

The fifth AML directive (2018/843) (7) was adopted in response to new risks and gaps in the existing framework revealed by the Panama Papers leaks in 2016 and a series of terrorist attacks in Europe. Key focus areas included virtual currencies and crypto-asset providers, enhanced transparency regarding beneficial ownership, access to registers, and regulation of prepaid instruments. The directive also required Member States to link their beneficial ownership registers and strengthened financial intelligence units’ access to information. In Denmark, the directive was implemented through legislative amendments (Act no. 1563 of 27 December 2019, entered into force on 10 January 2020) (8). The implementation underlined that AML frameworks must now be capable of handling digital business models, complex ownership structures, and new distribution channels. The directive illustrates how AML rules are continuously adapted to address technologically and financially sophisticated risks.

Danish cases: What does practice show?

Danish enforcement practice in the AML area shows a clear development in both supervisory approach and sanction levels over the past decade. In the period from approximately 2017 to 2026, a number of Danish banks have been fined for breaches of anti-money laundering legislation. Sanctions range from smaller administrative fines in the level of approximately DKK 5–25 million to very significant fines of several hundred million kroner and, in certain cases, several billion kroner, particularly in matters involving systemic and prolonged control failures. In addition, there are examples of confiscation of proceeds as well as ongoing criminal proceedings with potentially very high penalty levels.

At the same time, enforcement practice demonstrates that the authorities apply a risk-based and graduated approach. A significant proportion of identified deficiencies are initially addressed through supervisory measures such as orders, reprimands, and requirements for remediation. Fines are typically imposed in cases involving more serious, systemic or prolonged deficiencies, or where prior supervisory measures have not been adequately followed.

Across cases, a number of recurring themes can be identified. Deficiencies in customer due diligence (CDD/KYC) are a central issue, including failures to obtain and update adequate information on customers’ identity, purpose, and risk profile, as well as insufficient understanding of ownership structures and beneficial owners. In addition, weaknesses in ongoing transaction monitoring are frequently observed, including inadequate monitoring systems, failure to follow up on alerts, and insufficient documentation of assessments performed.

Furthermore, enforcement practice highlights shortcomings in internal controls and governance, including inadequate risk management, lack of group-wide oversight, and failures in escalation and handling of internal warnings. These issues appear particularly pronounced in larger and internationally active organisations, where insufficient coordination across entities can create material compliance risks.

Finally, recurring challenges are seen in the management of higher-risk areas, including correspondent banking relationships, foreign customers, and activities in higher-risk jurisdictions. These areas require enhanced due diligence and monitoring, which in several cases have not been sufficiently implemented.

Overall, enforcement practice shows that the level of fines does not solely reflect proven instances of money laundering, but to a significant extent also the quality of the institution’s control framework and governance. Even in the absence of identified money laundering, serious or widespread deficiencies in AML frameworks may result in substantial sanctions.

Lessons from previous directives and practice

The development of AML regulation shows a clear trend towards more comprehensive, detailed, and governance-oriented requirements. From early requirements on CDD and reporting in the 1990s to a later focus on risk-based approaches, management involvement, documentation, and beneficial ownership, this development reflects a recognition that money laundering cannot be effectively addressed through formal minimum requirements alone.

The Danish cases further demonstrate that non-compliance with AML requirements is rarely the result of isolated errors, but often stems from more fundamental weaknesses in undertakings’ control environments, governance, and risk management. Recurring themes include insufficient CDD procedures, inadequate documentation, weak transaction monitoring, and failure to follow up on known risks. This also applies in cases where no concrete instance of money laundering has been established. The historical experience therefore shows that lack of AML compliance in itself may lead to significant consequences.

This is supported by the national risk assessment (9), which indicates that money laundering remains a significant societal issue in Denmark despite an increasingly comprehensive regulatory framework. The assessment estimates that approximately DKK 68 billion may be laundered annually in Denmark.¹ While the figure is subject to uncertainty and should be understood as an order of magnitude rather than a precise estimate, it underlines the scale and seriousness of the issue.

Money laundering is rarely limited to a single undertaking, transaction, or jurisdiction. Rather, it is typically cross-border and involves flows across accounts, entities, ownership structures, and countries. Criminal actors continuously adapt and exploit areas where control environments are weakest or where rules and supervisory practices are not sufficiently aligned.

Against this background, the AML package should be understood as a response to the need for greater harmonisation, not only to align rules formally, but to reduce structural vulnerabilities across Member States.

^{1) The number is based on a UNODC estimate from 2011 (21), which assessed that money laundering globally amounts to 2.7% of a country’s GDP. The numbers from The Danish Financial Intelligence Unit (FIU) in 2022 (9) correspond to Denmark’s GDP at the time multiplied by 0.027, equalling DKK 68 billion. Updated with the 2025 GDP (DKK 3,063 billion) (22), the same calculation yields approximately DKK 83 billion.}

From directives to regulation: Why is AMLR different?

One of the most fundamental changes concerns the legislative form itself. Previously, AML directives had to be implemented into national law, which led to differences in rules and practice across Member States. With AMLR, the core obligations for undertakings are consolidated in a regulation that applies directly and uniformly across the EU. AMLD6 remains a directive and governs areas where national adaptation is still required, including supervisory structures, financial intelligence units, and registers of beneficial ownership. Overall, this means that most undertaking-facing requirements are now harmonised at EU level, while the structures for supervision and financial intelligence are still being defined nationally.

The AML package: regulatory content

The new AML package consists of several key legislative elements, which collectively modernise and harmonise the EU framework for anti-money laundering and counter-terrorist financing. The Level 1 legal acts, the primary legislation, include:

• the Anti-Money Laundering Regulation (AMLR) (10)
• the 6th Anti-Money Laundering Directive (AMLD6) (11)
• the AMLA Regulation (12)
• amendments to the Funds Transfer Regulation (13)

In addition, a comprehensive set of Level 2 measures is being developed, including Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and guidelines, which specify how the Level 1 requirements are to be applied in practice. These measures are developed on an ongoing basis and published for consultation with relevant stakeholders.

So far, the following Level 2 measures have been published:

• RTS on customer due diligence (CDD) under Article 28(1) of AMLR (draft) (14)
• RTS on criteria for identifying business relationships, occasional transactions, and linked transactions under Article 19(9) of AMLR (draft) (15)
• RTS on sanctions, administrative measures, and periodic penalty payments under Article 53(10) of AMLD6 (draft) (16)
• ITS on coordination of AML/CFT supervision under Article 15(3) of AMLR (17)
• RTS on assessment of inherent and residual risk profiles under Article 40(2) of AMLD6 (18)
• RTS on risk-based selection of credit institutions, financial institutions, and groups of institutions for direct supervision under Article 12(7) of AMLR (19)

The AML package will apply from 10 July 2027, and both Level 1 and Level 2 measures will be decisive for how undertakings must adapt their internal procedures, governance, and risk management ahead of implementation.

The AML package: practical implications for undertakings

The AML package introduces a number of key changes affecting how undertakings must organise their AML/CFT frameworks in practice:

1. Enhanced customer due diligence and data obligations
   Undertakings must obtain more detailed and structured customer information, including place of birth, residence, nationality, and identification number.
   
   For legal persons, undertakings must identify beneficial owners and collect equivalent detailed information on these individuals. This goes beyond the traditional requirement of name and national identification number alone.
   
   There are also stricter requirements regarding when customer due diligence (CDD) must be performed, including for occasional transactions at lower thresholds, and requirements to update customer data at fixed maximum intervals depending on the risk level.
   
   
2. Strengthened risk assessment and reporting framework
   Undertakings must carry out a systematic risk assessment covering both inherent risk and residual risk (i.e., risk after mitigating controls).
   
   The RTS on risk assessment of inherent and residual risk profiles under Article 40(2) of AMLD6 (18) further supports a more standardised methodology for risk classification across the EU.
   
   The risk assessment must be properly documented and based on a broader set of data and risk factors than previously required, implying significantly more detailed data collection and continuous updates.
   
   This is further supported by AMLA’s development of technical standards and supervisory tools aimed at ensuring a more harmonised approach to risk assessment across both financial and non-financial sectors.
   
   
3. Staff competence and integrity
   New requirements introduce an explicit obligation for undertakings to ensure that employees, agents, and distributors possess the necessary knowledge, skills, and integrity to perform AML-related tasks.
   
   It is no longer sufficient to assume awareness of the requirements; undertakings must be able to demonstrate training, competence assessments, and appropriate knowledge of both legal obligations and internal policies.
   
   
4. Governance, internal controls, and independent review
   The AML package introduces enhanced requirements for governance and internal control frameworks, including:
   
   1. strengthened management responsibility for AML/CFT governance, and
      
   2. a requirement for an independent audit or review function assessing policies, procedures, and controls (where internal independence is not available, external expertise may be used).
      
   This ensures that AML/CFT frameworks are effective in practice and not merely formal compliance structures.
   
   
5. New categories of obliged entities and transaction requirements
   A broader range of undertakings will become subject to AML obligations, including traders in high-value goods, precious metals and stones, crowdfunding service providers, as well as professional football clubs and agents, subject to transitional arrangements. There are also new requirements to report certain transactions involving specific goods (e.g., motor vehicles and luxury goods) to financial intelligence units where thresholds and conditions are met.
   
   
6. 6. EU-wide cash payment cap of €10,000
   AMLR introduces an EU-wide cap of €10,000 for business cash payments, regardless of whether the payment is made in a single amount or through several linked transactions.
   
   For cash payments of €3,000 or more, the customer must be identified and verified. Denmark, however, already applies a lower national cash limit of DKK15,000, which remains in force, as Member States may set stricter thresholds.
   
   
7. Outsourcing, information sharing, and cross-border activities
   The rules on outsourcing to third countries are clarified, requiring that outsourcing is only permitted where adequate AML controls and supervisory standards exist in the third country. The framework also enables enhanced cooperation and information sharing between undertakings and authorities to improve risk-based monitoring and suspicious activity detection.
   
   The ITS on AML/CFT supervisory coordination under Article 15(3) of AMLR (17) further supports structured cooperation between competent authorities across Member States.
   
   New notification requirements also apply in relation to cross-border activities, including prior notification to competent authorities when establishing operations in other Member States.
   
   
8. Sanctions and sanctions compliance
   The AML package introduces requirements for internal policies, procedures, and controls to ensure compliance with financial sanctions. This includes a mandate to ensure that undertakings effectively avoid transactions involving sanctioned persons, entities, undertakings, and jurisdictions. The requirements are further described in EBA guidelines (20).
   
   
9. New supervisory structure: AMLA
   A new EU authority, the Anti-Money Laundering Authority (AMLA), will be established. AMLA will be responsible for direct supervision of selected high-risk financial undertakings and for coordinating AML/CFT supervision across the EU. This includes development and maintenance of risk assessment systems and technical standards, including the RTS on risk-based selection of institutions for direct supervision under Article 12(7) of AMLR (19).

Which sectors are covered?

With the Anti-Money Laundering Regulation, a wider range of undertakings will become subject to AML requirements.

This includes:

• undertakings trading in precious metals and precious stones, whether on a regular basis or where this constitutes their principal business activity
• undertakings trading in high-value goods, whether on a regular basis or where this constitutes their principal business activity
• football agents and professional football clubs
• providers of crowdfunding services and crowdfunding intermediaries

Football agents and professional football clubs will become subject to the regulatory framework from 10 July 2029. Professional football clubs will be covered where transactions involve investors, sponsors, football agents, or other intermediaries, as well as transactions related to the transfer of a football player.

Failure to comply: What can we expect

Experience from previous EU directives and Danish case law clearly demonstrates how deficient controls, insufficient documentation, and failures in governance and management accountability have resulted in significant fines and administrative sanctions. These cases illustrate both the concrete risks associated with non-compliance with AML legislation and the challenges undertakings have faced in translating EU directives into effective operational practice.

With the forthcoming AML package and the associated Regulatory Technical Standards (RTS) under Article 53(10), a more harmonised and structured enforcement framework is introduced across the EU (16).

The RTS, inter alia, establishes:

• Classification of breaches, where severity, repetition, scope, management responsibility, and financial benefit determine the level of sanctions imposed. This creates a more systematic basis for assessing infringements, which both competent authorities and undertakings can use to evaluate risk and regulatory exposure.
  
  
• Criteria for fines and administrative measures, ensuring proportionality and deterrence. Competent authorities are provided with guidance on assessing cooperation by the undertaking, the underlying cause of the breach, and whether any financial advantage has been obtained through non-compliance.
  
  
• Periodic penalty payments, which may be imposed where undertakings fail to remedy identified deficiencies within a specified timeframe. This represents a clear departure from previous practice, where fines were typically imposed as one-off measures, and provides authorities with a tool to ensure that remedial actions are effectively implemented over time.
  
  
• Inclusion of management accountability, allowing both the undertaking’s governance arrangements and the role of individual persons in the breach to be taken into account in the assessment. This underscores that responsibility no longer rests solely with the legal entity but also extends to those exercising management functions.

Compared with previous Danish practice, the RTS implies that undertakings must expect a more consistent and transparent enforcement approach across the EU, where non-compliance does not only result in fines, but may also lead to repeated financial consequences and requirements for documented remediation. This highlights the necessity for undertakings not only to ensure formal compliance, but also to actively demonstrate that internal controls and risk management frameworks are effective in practice.

This transition from historical cases to the new harmonised framework underscores the importance of timely and robust implementation of the AMLR. Experience from the past thus provides a valuable foundation for understanding how future enforcement and sanctions are likely to materialise – and why undertakings, management bodies, and compliance functions must prepare for a more consistent and systematic supervisory regime.

Will the AMLR make a difference?

In upcoming articles, we will examine how the AMLR is expected to impact undertakings and financial actors in Denmark in practice. The focus will be both on lessons learned from previous cases and on how the new requirements may reshape operational compliance frameworks. The articles are not intended to be exhaustive, but rather to serve as illustrative examples of key themes and issues addressed by the AMLR.

Examples of forthcoming articles and hypotheses include:

• Breaches of EU sanctions regimes: A review of existing case law and enforcement actions, and an assessment of the forthcoming governance requirements under the AMLR relating to financial sanctions.
  
  Hypothesis: Enhanced compliance and documentation requirements will increase accountability among undertakings handling transactions subject to sanctions regimes.
  
  
• The Danske Bank case and new KYC requirements: How could the AMLR requirements on customer due diligence and risk-based monitoring have influenced the handling of the case?
  
  Hypothesis: Stricter documentation and due diligence requirements will reduce the risk of similar large-scale breaches in the future.
  
  
• Insiders and employee integrity: How the AMLR’s new requirements to ensure employee honesty and integrity may mitigate insider-related money laundering risks.
  
  Hypothesis: More explicit requirements for screening and ongoing monitoring of employees will reduce the risk of staff acting as facilitators for criminal activity.

Taken together, these articles will illustrate both the concrete consequences of non-compliance and the preventive mechanisms introduced by the AMLR.

At the same time, it should be noted that several key questions remain open: the full extent of risk exposure, the nature of cross-border transactions, and the complexity of internal control frameworks will only become fully apparent once all Level 2 measures have been finalised and adopted.

The purpose of the series is both to provide insight into concrete cases and to establish a basis for discussion on how undertakings can design and strengthen their compliance strategies in light of the new AMLR requirements