The Eu's New AML Rulebook: AMLA, the AMLR and Harmonised Beneficial Ownership, a Spain Compliance Brief

The EU’s new AML rulebook, anchored by AMLA and the AMLR, represents the most significant overhaul of European anti-money-laundering architecture in two decades. For obliged entities operating in Spain, the changes introduce a centralised EU supervisor with direct enforcement powers, a single AML Regulation that will be directly applicable from 10 July 2027, and a harmonised beneficial-ownership threshold of 25% that replaces the patchwork of national rules. This compliance brief unpacks each pillar of the new framework, maps the critical dates that compliance teams must plan around, and provides a practical readiness checklist tailored to Spain’s regulatory environment and the role of SEPBLAC as the national financial intelligence unit.

What the New EU AML Package Comprises

The legislative package adopted by the European Union replaces the previous directive-led approach with a three-pronged structure designed to close supervisory gaps, eliminate regulatory arbitrage between Member States, and create a genuinely single market for AML/CFT compliance.

The Three Core Components

• The AMLA Regulation. This instrument establishes the Anti-Money Laundering Authority (AMLA) as a new EU agency headquartered in Frankfurt. AMLA serves as the central hub for coordinating national supervisors and, for certain high-risk entities, exercises direct supervisory powers including on-site inspections and the imposition of fines.
• The AML Regulation (AMLR). Unlike the previous Anti-Money Laundering Directives (most recently AMLD5), the AMLR is a directly applicable EU Regulation. It creates a single rulebook of customer due diligence (CDD), enhanced due diligence (EDD), beneficial-ownership identification and group-wide compliance obligations that apply uniformly across all 27 Member States without requiring national transposition.
• The Sixth Anti-Money Laundering Directive (6AMLD). This directive supplements the AMLR by addressing areas where Member States retain discretion, most notably the organisation and powers of national financial intelligence units (FIUs), the framework for beneficial-ownership registers, and certain aspects of supervisory cooperation.

Taken together, these instruments replace the fragmented directive-based model with a harmonised regime underpinned by centralised oversight. For compliance professionals, the practical effect is that policies, procedures, risk assessments and reporting structures that were calibrated to national transpositions will need to be rebuilt to align with the directly applicable AMLR text.

AML Technical Standards 2026: Timeline and Key Dates

Compliance planning requires precise milestones. The table below maps the dates that matter most for obliged entities in Spain preparing for the EU’s new AML rulebook, including AMLA and the AMLR.

Industry observers expect the period between July 2026 and July 2027 to be the most intensive compliance-planning window, as the finalised AML technical standards for 2026 will define the granular requirements that systems, processes and training must satisfy before the AMLR takes direct legal effect.

AMLA: Mandate, Powers and Supervised Population

AMLA’s Supervisory Scope

AMLA does not replace national supervisors. Instead, it operates as a direct supervisor for a defined set of high-risk, cross-border obliged entities while coordinating and overseeing national authorities’ supervision of all other firms. According to the AMLA Regulation, the authority will directly supervise selected credit institutions and financial institutions that meet two cumulative criteria: they are classified as high-risk, and they operate across a minimum number of Member States (the founding regulation references entities active in at least six Member States through establishments or via the freedom to provide services). AMLA will periodically select the entities subject to direct supervision based on a risk-assessment methodology that considers both inherent risk factors and supervisory quality indicators.

AMLA’s Enforcement Tools

For entities falling under its direct supervisory remit, AMLA wields a comprehensive toolkit:

• On-site and off-site inspections conducted directly or jointly with national competent authorities.
• Binding decisions requiring entities to take specific remedial actions, modify internal controls or restrict certain business activities.
• Administrative pecuniary sanctions, fines for serious, repeated or systematic breaches of the AMLR.
• Data collection powers, the authority can require entities to submit transaction data, risk assessments, internal audit reports and beneficial-ownership records.

Even where AMLA does not exercise direct supervision, it retains the power to issue guidelines, recommendations and opinions to national supervisors. If a national authority is found to be insufficiently enforcing the AMLR, AMLA can step in with binding instructions, a mechanism that significantly raises the baseline standard of AML supervisory readiness across Spain and every other Member State.

The AMLR Single Rulebook: Legal Effect and What Changes

Direct Applicability, No National Transposition Required

The AMLR’s status as a Regulation under Article 288 TFEU is the single most consequential change in the EU’s new AML rulebook. Unlike directives, which required each Member State to transpose rules into domestic law, often with divergences, the AMLR will apply directly and uniformly from 10 July 2027. For firms operating across multiple EU jurisdictions, this eliminates the need to maintain parallel compliance frameworks calibrated to different national implementations.

Key Harmonised Rules

The AMLR standardises obligations that previously varied significantly between Member States:

• Customer due diligence (CDD). Uniform requirements for customer identification, verification of identity, and ongoing monitoring, removing the prior ambiguity around when simplified or enhanced measures apply.
• Enhanced due diligence (EDD). Prescriptive rules for high-risk relationships, including politically exposed persons (PEPs), correspondent banking, and transactions involving high-risk third countries.
• Beneficial-ownership identification. A single EU-wide definition and threshold (discussed in detail below), replacing national variations.
• Group-wide obligations. Parent entities must implement group-level AML/CFT policies and procedures, including in third-country branches and subsidiaries, with specific rules where local law prevents full compliance.
• Sanctions compliance integration. The AMLR explicitly links AML/CFT obligations with targeted financial sanctions screening, requiring obliged entities to maintain integrated compliance systems.

Old Framework vs. New: Comparison for Spain

Harmonised Beneficial Ownership: The 25% Threshold and Register Obligations

The 25% Threshold Explained

Under the AMLR, a beneficial owner is defined as any natural person who ultimately owns or controls a legal entity. For corporate entities, the harmonised threshold is set at 25% plus one share (or equivalent ownership interest). This replaces the previous regime where, although 25% was the most common benchmark, some Member States, notably including certain interpretive guidance in Spain and others, applied different thresholds or additional criteria that made cross-border compliance complex.

The harmonised beneficial ownership rules also introduce a layered identification approach: where no natural person meets the 25% ownership threshold, obliged entities must identify those exercising control through other means (voting rights, shareholder agreements, or the right to appoint management). Only where no beneficial owner can be identified through either mechanism should the senior managing official be recorded, and even then, this must be documented and flagged as a risk indicator.

Register Obligations: Who Must Report

The 6AMLD supplements the AMLR by requiring Member States to maintain central beneficial-ownership registers. Key obligations include:

How BO Rules Reach Non-EU Entities

The AMLR’s extraterritorial reach is one of the most significant practical changes for firms operating in Spain. Non-EU entities fall within scope in several scenarios: when they establish a subsidiary or branch in the EU; when they enter into a business relationship with an EU obliged entity (e. g. , opening a bank account in Spain); or when they acquire real estate within the EU. In each case, the non-EU entity must provide beneficial-ownership information meeting the same 25% threshold and verification standards applicable to EU entities.

Obliged entities in Spain that cannot obtain adequate BO information from a non-EU counterpart are required to decline or terminate the business relationship, a material change from the more discretionary approach under the previous directive framework.

Spain AML Obligations: Interaction with Spanish Law and SEPBLAC

SEPBLAC and AMLA: Parallel Supervisory Roles

SEPBLAC, Spain’s Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences, will remain the national FIU and day-to-day AML supervisor for the vast majority of obliged entities in Spain. SEPBLAC has acknowledged the establishment of AMLA and indicated its commitment to cooperating within the new supervisory architecture. For entities not selected for direct AMLA supervision, SEPBLAC will continue to conduct inspections, receive suspicious transaction reports (STRs) and impose national sanctions. However, AMLA’s overarching coordination role means that SEPBLAC’s own supervisory standards and enforcement intensity will be subject to ongoing peer review and, if necessary, binding AMLA instructions.

Practical Differences Firms in Spain Must Address

Spain’s current AML framework, Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing and its implementing Royal Decree, will require amendment to incorporate the 6AMLD provisions and to remove any rules that conflict with the directly applicable AMLR. For compliance teams, the likely practical effects include:

• BO filing processes. Spain’s existing Registro Mercantil (Commercial Registry) and the Titularidad Real database will need to be adapted to align with the harmonised 25% threshold, verification standards, and access rules mandated by the 6AMLD.
• CDD procedures. Firms currently following SEPBLAC’s interpretive guidance on simplified and enhanced due diligence must recalibrate to the prescriptive AMLR rules, which in some areas impose stricter requirements than Spain’s current practice.
• STR reporting. While the mechanics of STR reporting to SEPBLAC will remain national, the AMLR introduces harmonised suspicious-activity indicators and reporting triggers that may lower the threshold for what constitutes a reportable suspicion.
• Third-country branch and subsidiary compliance. Spanish parent companies with operations outside the EU must implement group-wide AMLR-compliant policies, a requirement that is now explicit and uniform rather than subject to national interpretation.
• Staff training. All obliged entities in Spain must update training programmes to reflect the AMLR’s provisions, the harmonised BO identification methodology, and the new supervisory expectations from both SEPBLAC and AMLA.

Immediate Actions: An AML Compliance Checklist for Spain

The window between now and 10 July 2027 is not long for institutions with complex operations. The following AML compliance checklist, grouped by timeframe, provides a structured readiness playbook for obliged entities in Spain.

Now, Within the Next 0 to 3 Months

• Conduct a gap analysis. Map current policies, procedures and systems against the published AMLR text and identify all areas of divergence from the directly applicable rules.
• Update your entity-wide risk assessment. Incorporate the AMLR’s risk-factor taxonomy and ensure it reflects the harmonised BO threshold and the new CDD/EDD triggers.
• Perform a beneficial-ownership data sweep. Verify that BO records for all existing clients meet the 25% threshold standard and that ownership chains are documented to the natural-person level.
• Map cross-border exposures. Identify all business relationships with non-EU entities and assess whether current BO information meets the AMLR’s extraterritorial requirements.

Next, 3 to 9 Months

• Revise KYC and onboarding procedures. Align customer due diligence workflows, including simplified and enhanced due diligence triggers, with the AMLR’s prescriptive rules.
• Procure or upgrade technology. Assess whether existing BO verification tools, transaction-monitoring systems and screening platforms can accommodate the new data fields and reporting formats specified in the Level 2/3 technical standards.
• Update escalation and reporting lines. Ensure that STR filing procedures, internal escalation protocols and board reporting reflect the AMLR’s harmonised suspicious-activity indicators.

By 10 July 2026, Technical Standards Deadline

• Incorporate finalised Level 2/3 standards. Once published, embed the binding technical standards into operational manuals, compliance monitoring checklists and audit programmes.
• Prepare for AMLA data requests. Ensure that data architecture can respond to AMLA questionnaires and information requests within the timelines specified in the technical standards.

By 10 July 2027, AMLR Application Date

• Full operationalisation. All AMLR-compliant policies, procedures, systems and training must be live and audit-ready.
• Conduct a pre-application compliance audit. Engage internal audit or an external advisor to confirm readiness and document the compliance posture for supervisory review.

How to Prepare If You May Be Directly Supervised by AMLA

Financial institutions that operate across six or more EU Member States and that fall within AMLA’s risk-based selection criteria face an additional layer of preparation. If your institution is likely to be directly supervised, early indications suggest the following steps should be prioritised:

• Governance enhancements. Ensure that the board and senior management have clear visibility of AML/CFT risks and that the compliance function reports directly to the highest governance level.
• Independent audit readiness. Commission an independent review of AML/CFT controls specifically benchmarked against the AMLR and AMLA’s published supervisory expectations.
• Data pipeline investment. AMLA will require granular transaction-level and client-level data in standardised formats. Invest in API-enabled data extraction and reporting infrastructure now to avoid bottlenecks under direct supervisory scrutiny.
• Supervisory engagement. Proactively engage with SEPBLAC and, where possible, with AMLA’s preliminary communications to understand the likely scope and timing of the selection process.

Enforcement, Penalties and Supervisory Expectations Under AMLA and the AMLR

The enforcement landscape under the EU’s new AML rulebook is materially more severe than the directive-based model it replaces. AMLA can impose administrative fines on directly supervised entities for serious, repeated or systematic breaches of the AMLR. At the national level, Spain’s sanctioning regime under Law 10/2010 will continue to apply, but it will need to be recalibrated to reflect the AMLR’s uniform provisions and the higher enforcement expectations set by AMLA’s coordination role.

Industry observers expect that the combination of direct AMLA oversight for high-risk entities and coordinated peer review of national supervisors will drive a step-change in enforcement intensity across the EU. For compliance teams in Spain, this means that past tolerance margins, where supervisory practice may have been less stringent than the letter of the law, are unlikely to persist. The practical implication is that AML supervisory readiness must shift from a “reasonable compliance” standard to a demonstrably robust, audit-evidenced posture aligned with the AMLR text and Level 2/3 technical standards.

Conclusion: Navigating the EU’s New AML Rulebook in Spain

The EU’s new AML rulebook, driven by AMLA and the AMLR, marks a structural shift from directive-led fragmentation to centralised, directly applicable compliance standards. For obliged entities in Spain, the 10 July 2027 application date is not an abstract deadline but a hard operational cut-over. The AML technical standards due in 2026 will define the granular requirements, and the window for gap analysis, system upgrades and procedural overhauls is narrowing. Firms that begin the readiness process now, mapping Spain AML obligations against the AMLR, strengthening beneficial-ownership records and engaging proactively with SEPBLAC, will be best positioned to meet the new supervisory expectations.

Those looking for jurisdiction-specific guidance on compliance and regulatory matters can explore expert resources through Global Law Experts’ Spain legal network.

Sources

1. AMLA, Anti-Money Laundering Authority Official Site
2. European Banking Authority (EBA), Technical Standards and Consultations
3. SEPBLAC, European Authority AMLA (Spain FIU Notice)
4. Baker McKenzie, EU AML Framework: Guide to Key Changes for Financial Institutions (2025)
5. Accountancy Europe, New EU AML Rules
6. ComplyAdvantage, A Guide to the EU’s New AML/CFT Framework