The EU 6AMLD Restructure: What the 2024 AML Package Means for iGaming Operators

The EU’s sixth Anti-Money Laundering Directive, formally Directive 2024/1640, represents the most consequential restructuring of European AML supervision in over a decade. Adopted alongside the directly-applicable AML Regulation and the regulation establishing the new Anti-Money Laundering Authority, the directive shifts the centre of gravity in EU AML compliance away from individual member-state transposition and toward harmonised supervision under a centralised authority. For iGaming operators serving EU markets, the implications stretch well beyond the technical changes in obligation and touch the operational structure of compliance functions themselves.

What the Directive Actually Restructures

The previous AML directives operated through transposition, with member states adapting EU-level principles to their national legal frameworks. The result was a regime that nominally harmonised AML supervision across the EU but in practice produced substantial divergence in how rules were applied, what evidence regulators expected, and how operators serving multiple markets needed to structure their compliance operations. The 2024 package responds to that divergence by placing the core obligations in a directly-applicable Regulation that does not require national transposition, while reserving the Directive for the institutional and procedural elements that necessarily vary by member state.

The text of Directive 2024/1640 defines the institutional architecture for member-state supervision, the mechanisms for cooperation between national Financial Intelligence Units, the structure of beneficial-ownership registers, the access regime for those registers, and the procedural framework within which national supervisors operate. The substantive AML obligations on operators themselves, including customer due diligence, ongoing monitoring, reporting, and record-keeping, sit in the Regulation rather than the Directive, which means they apply uniformly across member states without national variation.

The AML Authority and the Direct-Supervision Tier

The most structurally significant change in the 2024 package is the establishment of AMLA, the Anti-Money Laundering Authority, with direct supervisory powers over selected high-risk obliged entities from 2027. The authority’s role replaces the previous model in which EU-level coordination operated through the European Banking Authority but actual supervision remained entirely at the national level. AMLA selects a subset of obliged entities for direct supervision based on cross-border activity and risk profile, while the remaining majority continue to be supervised by their national competent authorities under AMLA’s coordination.

Hierarchical regulatory network around an EU twelve-star motif

For iGaming operators serving multiple EU markets, the question of whether their group will fall within AMLA’s direct-supervision tier is operationally significant. Direct supervision means a single supervisor with cross-jurisdictional view, removing the historical pattern in which an operator could face inconsistent expectations from supervisors in each of its licensed markets. It also means a supervisor with substantial technical capacity and access to the cooperation networks of national FIUs, which raises the practical bar for compliance posture. Operators outside the direct-supervision tier remain under national supervision, but with AMLA setting harmonised methodology and conducting peer reviews that constrain how much national supervisors can diverge.

The Risk-Based Approach in the New Framework

The risk-based approach has been the central organising principle of EU AML regulation since the third directive, and the 2024 package both reaffirms and operationalises it more rigorously. Obliged entities continue to assess and respond to money-laundering and terrorist-financing risks proportionate to their business activity, customer base, and geographical exposure. What changes is the level of detail in the supervisory expectation around how those risk assessments are conducted, documented, and acted upon.

The supervisory guidance that AMLA inherits and extends from the predecessor European Banking Authority workstream sets out the technical expectations for risk assessment methodology. The guidance covers the factors that need to be weighed in customer risk scoring, the triggers that elevate a customer to enhanced due diligence, the patterns that warrant transaction monitoring escalation, and the documentation that must support each of those decisions in an audit trail. For iGaming operators, the granularity of this guidance has direct implications for compliance system design, particularly around the automation of risk scoring and the maintenance of audit-ready evidence trails.

Beneficial Ownership and the Transparency Push

One of the more contested elements of the 2024 package is the treatment of beneficial-ownership registers and public access to them. The Court of Justice of the EU ruling in 2022 restricted public access to beneficial-ownership data on data-protection grounds, and the new directive responds by establishing a more structured access regime that distinguishes between competent authorities, obliged entities with a legitimate compliance purpose, and other categories with potentially more limited access. The registers themselves are harmonised across member states in terms of data captured and update obligations, with the European Central Platform interconnecting them.

For iGaming operators, beneficial-ownership data is most relevant in two contexts. The first is the verification of corporate customers, such as affiliate companies, payment processors, and white-label arrangements, where understanding the ultimate beneficial owner is essential to risk assessment. The second is operator self-reporting, where the operator’s own beneficial ownership and that of its corporate group must be accurately registered and kept current. The directive tightens the obligations in both contexts, with enhanced penalties for inaccurate or out-of-date filings and clearer procedural mechanisms for cross-border verification.

Transition Timing and What Operators Need to Be Doing Now

The application date for the Regulation is July 2027, with member states required to transpose the Directive by the same date. The intervening period is not slack time. The operational implications of the new framework are sufficiently substantial that operators relying on a last-minute compliance scramble will find themselves with systems that pass initial inspection but fail under sustained supervisory scrutiny. The operators making serious progress in 2026 are working through gap analyses against the new requirements, scoping changes to their KYC orchestration, monitoring methodology, and reporting infrastructure, and planning the data-migration work that supports the new beneficial-ownership reporting structure.

The compliance officer role itself is also expected to receive more granular regulatory definition, with the directive specifying responsibilities, governance position, and qualification expectations more concretely than the previous regime. For iGaming operators, this means that the compliance function needs to be positioned within the corporate governance structure in a way that supports the regulatory expectations, with reporting lines, independence safeguards, and resource allocation visible to supervisors. Operators that have historically run lean compliance functions, with limited senior representation, will find the new expectations more demanding to satisfy.

The Cross-Border Dimension

The harmonisation of substantive obligations across EU markets reduces but does not eliminate the cross-border complexity of operating across multiple jurisdictions. Member states retain discretion over how they organise their national supervisory authorities, how those authorities cooperate with other national agencies such as gambling regulators, and how enforcement actions are structured. Operators serving multiple EU markets still face multiple supervisory relationships, but the substantive content of what those supervisors expect should converge substantially under the new framework.

The interaction between AML supervision and gambling regulation is one of the areas where convergence will be less complete. AMLA and the gambling regulators in each member state operate under different mandates, and the coordination between them is not yet fully developed. Operators with mature compliance functions are increasingly building integrated AML and gambling-compliance teams to address overlapping requirements coherently, but the underlying regulatory architecture continues to treat them as separate streams. How that interaction matures over the next several years will shape the operational compliance burden in EU markets meaningfully, and the operators that participate constructively in the developing supervisory dialogue will be better positioned than those that wait for prescriptive guidance. The broader licensing context that interacts with AML obligations is something we have examined in our comparison of major iGaming licensing frameworks.

Similar Posts

  • MGA vs Curaçao vs Isle of Man: 2026 iGaming Licensing Comparison

    The choice of iGaming licensing jurisdiction has become one of the most consequential decisions an operator makes during platform launch. Three frameworks dominate the conversation in 2026: the Malta Gaming Authority, the Curaçao Gaming Control Board, and the Isle of Man Gambling Supervision Commission. Each has evolved substantially over the past three years, and the comparative landscape today looks markedly different from the regulatory map operators navigated even in 2023.

    Three abstract architectural pillars symbolizing major iGaming licensing jurisdictions and their respective regulatory frameworks
    Figure 1. Comparative structure of three principal iGaming licensing frameworks.

    Read More “MGA vs Curaçao vs Isle of Man: 2026 iGaming Licensing Comparison”

  • KYC and AML Automation in iGaming: Pipelines, Pitfalls, and the Data Quality Bottleneck

    The automation of know-your-customer and anti-money-laundering workflows has become one of the more revealing fault lines in iGaming compliance operations. The volume and complexity of identity verification, ongoing monitoring, and suspicious activity reporting have grown faster than headcount budgets, and the operators that have invested in mature automation pipelines have pulled ahead on both compliance posture and operational cost per active player. The ones that have not are increasingly visible in regulatory enforcement actions, in failed market entries, and in the spread of unit economics across competing operators in the same jurisdiction.

    What KYC Automation Actually Replaces

    A decade ago, customer onboarding in most licensed jurisdictions involved a substantial manual review layer. Documents submitted by players were inspected by compliance analysts, identity claims were cross-referenced against sanctions and politically-exposed-persons lists by hand or through rudimentary screening tools, and source-of-funds documentation was reviewed for plausibility on a case-by-case basis. The model worked when registration volumes were measured in hundreds per day and the compliance bar set by regulators was less granular than it is today.

    Modern KYC automation collapses much of that manual layer into orchestrated pipelines. A document upload triggers automated authenticity checks against issuing-authority specifications, with image-based detection of physical security features, holograms, and microprint patterns specific to each document type. The biometric capture from a selfie is compared against the document photograph using face-matching models trained for liveness detection, blocking the most common categories of impersonation fraud. Address verification, when required, is cross-referenced against electoral or utility datasets in jurisdictions where such data is licensed, and the entire decision is logged with sufficient provenance to satisfy a regulator’s request for evidence of the verification path months later.

    The Layer That Catches the Hard Cases

    Pure machine-learning models handle the bulk of straightforward verifications well, but they perform unevenly on edge cases that involve document variants from less-represented jurisdictions, unusual name structures, or genuine ambiguity in the submitted evidence. The operators with the most mature pipelines treat automation as a triage layer that routes confident cases through immediate approval while escalating ambiguous cases to human review with all the upstream signals already attached. This pattern, often called human-in-the-loop verification, preserves the speed advantages of automation for the high-confidence majority of cases while ensuring that the operator’s compliance officers spend their time on the cases that genuinely require judgement.

    The compliance framework that defines what those judgements need to account for in the EU shifted substantially with the AML Regulation adopted in 2024. The EU Anti-Money Laundering Regulation 2024/1624 harmonised customer due diligence obligations across member states with a degree of granularity that earlier directives left to national transposition. Operators serving multiple EU markets now face a single set of directly-applicable rules covering risk assessment, enhanced due diligence triggers, and beneficial-ownership identification, replacing the previous patchwork that required jurisdiction-specific compliance interpretation.

    Ongoing Monitoring and the Pattern Layer

    Onboarding is only the first phase of the customer lifecycle that needs automation. Ongoing monitoring of player activity for patterns consistent with money laundering, structured deposits, or unauthorised third-party use of accounts is where the operational volume now lives. A mid-sized operator may process millions of transactions per day, and the manual review of even a small fraction of those for suspicious patterns is operationally impossible without automated scoring.

    Mature pipelines apply rules-based detection for well-understood patterns, such as deposits structured to fall below reporting thresholds, withdrawal patterns inconsistent with deposit history, or rapid movement of funds across multiple accounts with shared identifiers. Layered on top of those deterministic rules are machine-learning models trained on labelled suspicious-activity cases, which surface patterns that resist easy rule articulation. The US framework that historically defined the baseline for this monitoring is the FinCEN Customer Due Diligence Rule, and the FinCEN guidance on CDD requirements remains a useful reference for operators serving US-licensed markets or operating under correspondent banking relationships with US institutions.

    The Data Quality Problem That Limits Everything

    The performance of automated KYC and AML pipelines is bounded by the quality of the data they ingest, and data quality remains the most consistently underestimated bottleneck. Player-supplied information, even when collected through well-designed flows, contains transcription errors, outdated addresses, name variations across documents, and inconsistencies between what the player enters and what their documents actually say. The reconciliation of those discrepancies is rarely automatable in any sophisticated sense, and the operators with the cleanest automation outcomes are typically the ones that have invested most heavily in front-end data capture design rather than back-end matching algorithms.

    Third-party data sources introduce their own quality problems. Sanctions lists are updated on different cadences across regimes, and the synchronisation gap between an update being published and being reflected in an operator’s screening database can be the difference between a clean match and a missed designation. PEP databases vary substantially in coverage and update frequency depending on the provider, and the operators with the most rigorous compliance postures typically subscribe to multiple sources and run match logic that surfaces disagreements between them as a separate signal worth reviewing.

    The Compliance-Versus-Friction Tension

    Every additional verification step in an onboarding flow reduces fraud and improves compliance posture, and every additional step also increases the proportion of prospective players who abandon registration before completing it. The marginal cost of friction is high in iGaming because the player population is acquisition-sensitive, and a five percent drop in completion rates can compound into a meaningful revenue impact over time. Mature operators have moved toward progressive verification, in which the initial registration captures the minimum information required to allow restricted play, with deeper verification triggered by deposit thresholds, withdrawal requests, or activity patterns that warrant additional scrutiny.

    This pattern keeps friction proportionate to the risk surface presented by each individual player, but it requires sophisticated orchestration to execute correctly. The verification steps triggered by a withdrawal request, for instance, need to complete fast enough that the player does not experience a prohibitive delay, while still being rigorous enough to catch the fraud and laundering patterns that withdrawals frequently surface. The operators that have made this work treat the verification orchestration as a product surface in its own right, with measurement, optimisation, and continuous iteration rather than a static compliance checkbox.

    Layered identity verification pipeline with document and biometric checks

    Where the Next Pressure Will Come From

    The direction of regulatory expectation continues to push toward more automation, faster decisioning, and more granular evidence trails. The EU AML Authority, AMLA, which is taking on direct supervision of selected high-risk obliged entities from 2027, is expected to set technical expectations that go beyond the current directive-and-regulation framework into specific guidance on monitoring methodology, data retention, and audit reproducibility. Operators serving European markets will likely face increasingly detailed scrutiny of their automation pipelines, with attention focused on model explainability, false-negative rates on known-typology cases, and the quality of evidence captured during automated decisioning.

    The broader Asian market presents a different but equally demanding picture, with rapid evolution of national frameworks and substantial variation in expectations across jurisdictions. The compliance overhead of operating across multiple Asian markets has historically been one of the limiting factors on multi-jurisdictional expansion, and the operators that have built genuinely flexible KYC architectures, capable of applying different verification standards to different player segments based on jurisdictional rules, are the ones positioned to capture the growth as those markets continue to mature. The structural picture of how Asian markets are evolving is covered in our broader overview of the Asian iGaming regulatory landscape.