The European Union has finalised the biggest overhaul of its anti-money-laundering regime in years — and two numbers stand out for anyone handling payments or crypto. From 10 July 2027, cash payments for goods and services will be capped at €10,000 across all 27 member states, and crypto-asset service providers will have to run full customer checks on transactions from €1,000.
The changes come from the EU’s new Anti-Money Laundering Regulation, Regulation (EU) 2024/1624 (the “AMLR”), part of a wider package that also creates a new EU supervisor. Here’s what actually changes, who it touches, and why the 2027 date shouldn’t lull anyone into waiting.
One rulebook, applied directly
The headline shift is structural. Until now, EU AML rules came as directives — each country wrote its own version into national law, producing 27 different implementations with real gaps between them. The AMLR is a regulation: it applies directly and identically in every member state, creating a single rulebook. For businesses operating across borders, that means one standard to meet instead of a patchwork to reconcile.
The package also establishes a new EU-level Anti-Money Laundering Authority (AMLA), based in Frankfurt, which will begin directly supervising the highest-risk cross-border firms later this decade and will keep issuing detailed guidance in the run-up to 2027.
A €10,000 cap on cash payments
From 10 July 2027, businesses dealing in goods or services won’t be able to accept or make cash payments above €10,000 — whether in a single payment or several linked ones. The aim is to close a well-worn channel for moving illicit funds and to stop large cash deals migrating to whichever country had the loosest rules.
Two points matter in practice. First, member states can set lower national caps, but none can go higher — so the real limit in your market may be stricter (several countries already cap cash well below €10,000). Second, the cap is aimed at commercial dealing in goods and services, not ordinary private transactions between individuals. Traders accepting significant cash will also face customer-due-diligence triggers at lower thresholds.
Crypto services: KYC from €1,000
For crypto-asset service providers (CASPs) — exchanges, custodial wallet providers, trading platforms, and transfer or execution services as defined under MiCA — the AMLR sets a notably lower bar than for most other businesses. Where the general threshold for checking an occasional transaction sits at €10,000, CASPs must perform customer due diligence on occasional transactions of €1,000 or more.
For a regulated exchange that already verifies every onboarded customer under MiCA and the Travel Rule, this is more an extension of existing practice than a shock. But it raises the floor, and combined with the AMLR’s ban on anonymous crypto-asset accounts and tighter expectations on monitoring, it leaves less room for lightly-checked activity. Firms seeking or holding a CASP authorisation will be expected to show an AML programme built to this standard.
What the rules don’t do
It’s worth being precise, because the headlines tend to overstate. The AMLR does not ban self-custody, and it does not restrict genuine peer-to-peer transfers between private wallets. Non-custodial wallet software and hardware providers generally sit outside its scope. The obligations fall on regulated intermediaries — the businesses that hold customer funds or assets and provide crypto services — not on individuals managing their own keys.
Why “2027” is misleading
Three years can feel like plenty of runway. It isn’t. Building or upgrading an AML programme to this standard — a documented risk assessment, customer-due-diligence and monitoring procedures, governance and reporting, systems, and staff training — takes months of work, not a weekend. AMLA’s guidance is arriving on a rolling basis, so the detail firms need to design against is still landing. And any business pursuing a licence in the meantime — a payment authorisation or a MiCA CASP authorisation — is already expected to have a credible AML framework in place to get approved at all.
In other words, the deadline is for being compliant. The work to get there starts well before it.
What to do now
A sensible first pass for most teams:
- Confirm whether you’re in scope — as a CASP, a payment firm, or a business handling significant cash — and under which national rules.
- Pressure-test your thresholds — make sure your customer checks trigger at the right amounts (€1,000 for CASP occasional transactions; lower local cash caps where they apply).
- Map the gaps between your current AML programme and the AMLR’s single-rulebook standard.
- Plan the build — risk assessment, policies and procedures, monitoring, governance, and training — against a realistic timeline, not the 2027 date alone.
At Licentium, we help fintech and crypto teams build the AML and KYC programmes these rules expect, and prepare the documentation regulators look for — whether that’s a financial-crime programme for a payments business or a digital-asset (MiCA / CASP) authorisation. If you’re not sure where your business stands, that’s a good first conversation.
Source: Regulation (EU) 2024/1624, available via EUR-Lex. This article is general information, not legal or regulatory advice; obligations depend on your specific business and jurisdiction.