EU's 6th Anti-Money Laundering Package: How Crypto Gets Swept Into TradFi Rules

Crypto companies operating in the EU must comply not only with MiCA but with a comprehensive anti-money laundering framework that has been progressively tightened since 2020. The EU’s AML legislative package — a cluster of interlocking regulations and directives — brings crypto asset service providers squarely within the same AML and counter-terrorism financing requirements that apply to banks, payment institutions, and other regulated financial entities.

For tokenization businesses — platforms that issue, distribute, or provide infrastructure for tokenized real-world assets — this matters enormously. Tokenized bonds, equities, and real estate are typically designed for institutional investors, but they traverse infrastructure layers — wallets, blockchains, settlement systems — that are subject to AML scrutiny. Understanding the EU’s AML framework is not optional for any serious participant in the EU tokenized asset market.

The Legislative Package: 6AMLD, AMLR, and AMLA

The EU’s AML legislative package consists of three main instruments that work together.

The Sixth Anti-Money Laundering Directive (6AMLD) replaced the Fifth Directive and extended the scope of criminal AML offenses. More importantly for the crypto sector, it updated the definition of obliged entities — those required to comply with AML law — to explicitly include crypto asset service providers as defined by MiCA. The 6AMLD creates criminal liability for money laundering that applies uniformly across EU member states, closing the jurisdictional gaps that had allowed some activities to be structured to avoid the most demanding national AML regimes.

The Anti-Money Laundering Regulation (AMLR) is the more operationally significant instrument. Unlike a directive, which requires member state implementation, the AMLR is a directly applicable regulation — it takes effect simultaneously in all EU member states without transposition. This harmonization is significant because previous AML frameworks, structured as directives, produced inconsistent implementation across member states. A CASP authorized in one member state could face materially different AML requirements when passporting into another. The AMLR eliminates this inconsistency.

The Anti-Money Laundering Authority (AMLA) is the institutional innovation. The EU’s new dedicated AML supervisor, AMLA is headquartered in Frankfurt and began operations in 2025. It has direct supervisory authority over the highest-risk obliged entities — the largest CASPs, the major financial institutions, and the entities operating in jurisdictions with the most significant AML risk. For entities not under direct AMLA supervision, it coordinates with national competent authorities and can require them to take action.

What the Framework Requires of CASPs

The operational requirements for CASPs under the EU AML package are comprehensive.

Customer due diligence (CDD) must be conducted for all customers before establishing a business relationship and for occasional transactions above €1,000. CDD includes identifying the customer, verifying their identity through documentary or electronic means, identifying any beneficial owners (for corporate customers, anyone holding more than 25 percent ownership or control), and understanding the purpose and nature of the business relationship.

Enhanced due diligence (EDD) applies to higher-risk customers and relationships. Politically exposed persons (PEPs) — senior politicians, judges, central bank governors, their family members and close associates — require enhanced measures regardless of transaction amount. Customers from high-risk third countries identified by the European Commission require EDD. Unusual or complex transactions without apparent legitimate purpose trigger EDD requirements.

Ongoing monitoring requires CASPs to monitor transactions and business relationships continuously, update customer information periodically, and flag transactions that are inconsistent with the customer’s profile or apparent purpose.

Suspicious activity reporting (SAR) requires CASPs to file reports with the national Financial Intelligence Unit (FIU) when they know, suspect, or have reasonable grounds to suspect that funds are the proceeds of crime or are connected to terrorism financing. The obligation is triggered by suspicion — waiting for certainty would make the AML framework useless.

Internal controls require CASPs to maintain an AML compliance function, appoint a compliance officer responsible for AML, train staff on AML obligations, conduct regular risk assessments, and document their risk management procedures.

The Travel Rule: The Operational Challenge

The FATF Recommendation 16 — the “Travel Rule” — requires financial institutions to obtain and transmit information about the originator and beneficiary of wire transfers. The EU has extended this requirement to crypto asset transfers through the Transfer of Funds Regulation, which applies to CASPs.

For crypto transfers, the Travel Rule requires that: when a CASP sends crypto assets on behalf of a customer, it must transmit to the receiving CASP the sender’s name, account number, and address (or equivalent identifier), plus the recipient’s name and account number. Transactions above €1,000 require this information to accompany the transfer.

The Travel Rule creates significant technical challenges for crypto asset transfers. In traditional banking, wire transfer information flows within messaging systems (SWIFT, SEPA) that are designed to carry it. In crypto, the blockchain transaction itself carries no personal information — the pseudonymous addresses give no indication of the natural persons behind them.

Several industry solutions have been developed: VASP-to-VASP protocols like the IVMS101 standard (InterVASP Messaging Standard) allow Travel Rule information to be transmitted off-chain in a standardized format alongside on-chain transactions. Solutions including Veriscope, Sygna, and TRISA implement the protocol for participating institutions.

But the Travel Rule’s application to unhosted wallets — crypto addresses not held at a regulated custodian — remains deeply contested. If a customer sends crypto from a CASP to their own hardware wallet, the CASP cannot obtain Travel Rule information from the wallet’s “receiving institution” because there is none. The European Banking Authority issued guidance in 2024 requiring CASPs to assess the risk of transfers to unhosted wallets and apply enhanced due diligence to higher-risk transfers — a pragmatic compromise that satisfied neither privacy advocates nor AML maximalists.

AMLA: The New Supervisor

The Anti-Money Laundering Authority’s establishment in Frankfurt in 2025 marks a significant shift in EU financial regulatory architecture. For the first time, the EU has a federal-level AML supervisor — one that can exercise authority directly rather than through national competent authorities.

AMLA’s direct supervisory mandate covers a selected list of the highest-risk obliged entities in each EU member state, including the largest cross-border financial institutions and CASPs. For entities under direct supervision, AMLA conducts its own examinations, issues orders, and can impose sanctions.

For the broader population of obliged entities supervised by national authorities, AMLA coordinates through a joint supervisory mechanism, issues guidelines and standards, and has a mediation role when national supervisors disagree. AMLA also has a role in maintaining the list of high-risk third countries that trigger enhanced due diligence requirements.

Implications for Tokenization Platforms

The intersection of MiCA and the EU AML package creates a layered compliance environment for tokenization businesses.

A platform that issues tokenized bonds must, under MiCA, be authorized as a CASP or work with an authorized CASP. Under the AML package, the CASP must conduct customer due diligence on all investors, implement ongoing monitoring of token transfers, and apply the Travel Rule to transfers between wallets. The compliance infrastructure required is substantial.

For institutional-only tokenization platforms — where all investors are regulated entities with their own AML programs — some of this burden is reduced by the ability to rely on the AML compliance of institutional counterparties. But the obligation to conduct at least initial verification remains.

The EU’s AML framework creates a compliance baseline that is actually helpful for the tokenization industry’s long-term development: it establishes clear rules under which legitimate tokenized asset markets can operate, and it differentiates compliant platforms from unregulated alternatives. The short-term cost of AML compliance is real. The long-term value of operating within a framework that institutional investors can accept is greater.