6AMLD Explained: Requirements, Who It Affects and How to Comply (2026): The Sixth Anti-Money Laundering Directive tightened criminal liability, expanded predicate offences to 22 and required member state implementation by…
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
The Sixth Anti-Money Laundering Directive (6AMLD, Directive 2018/1673/EU) came into force across the EU in June 2021. It followed rapidly after the Fifth Directive (5AMLD) but focused on a different dimension: while 5AMLD expanded what businesses had to monitor, 6AMLD raised the stakes for failing to comply.
Five years on, many obliged entities are still catching up — particularly smaller law firms, accounting practices and fintechs that relied on informal compliance programmes before 6AMLD hardened the requirements. This guide explains what 6AMLD actually requires, what changed from 5AMLD, and what a defensible compliance programme looks like in 2026.
Related HubSecure buying path
AML/KYC & Onboarding guideclient onboarding softwareAML/KYC moduleSumsub comparisonAML/KYC compliance software guideGuide Librarybook a workflow demo
Related AML/KYC and compliance monitoring resources
Continue with AML/KYC monitoring module, compliance workflows, HubSecure for legal teams, HubSecure for finance teams, security and trust center.
Related use case
This guide belongs to the AML and KYC Guides cluster. Continue with the product hub for aml and kyc.
What is 6AMLD?
The Sixth Anti-Money Laundering Directive is an EU directive that standardised the criminal law framework for money laundering across all 27 member states. Before 6AMLD, member states had different definitions of money laundering and different criminal penalties, creating gaps that sophisticated financial criminals could exploit by routing transactions through more permissive jurisdictions.
6AMLD addresses this by:
- Creating a harmonised definition of money laundering applicable in all member states
- Expanding the list of predicate offences — the underlying crimes whose proceeds can constitute money laundering — from 8 categories to 22 specific offences
- Introducing corporate criminal liability — companies, not just individuals, can be prosecuted
- Setting minimum criminal penalties: at least 4 years imprisonment for serious money laundering, rising to 10 years for aggravated cases
- Extending criminal liability to facilitators and enablers — those who help launder money, not just those who commit the predicate offence
Key change from previous directives: Under 6AMLD, companies (not just individual employees) can be prosecuted for money laundering where the offence was committed for the benefit of the company by persons in a leading position. This means inadequate AML programmes are now a corporate criminal liability — not just a regulatory fine risk.
The 22 predicate offences
A predicate offence is a crime whose proceeds can be laundered. Under 6AMLD, any of the following offences can be the source of money laundering — and your AML programme needs to be calibrated to detect them:
Offence 21 — tax crimes — is the most significant new addition for most professional services firms. It means that a client who has committed serious tax fraud is now a potential money laundering case, even if no other criminal activity is involved. Accounting firms, wealth managers and lawyers advising high-net-worth individuals need to factor this into their risk assessments.
Who does 6AMLD apply to?
6AMLD applies to member state governments (requiring them to criminalise money laundering) and to obliged entities under the broader AML Directive framework. Obliged entities include:
- Credit institutions and financial institutions
- Auditors, external accountants and tax advisors
- Notaries and other independent legal professionals
- Trust or company service providers
- Estate agents
- High-value goods dealers (above $10,000 in cash)
- Gambling services
- Virtual asset service providers (VASPs)
- Providers of crowdfunding services
What changed from 5AMLD to 6AMLD?
This is a question we get often, because the two directives came into force in quick succession. The key distinction:
- 5AMLD (2020) focused on transparency and reach — beneficial ownership registers, crypto/virtual currency, prepaid cards, high-risk third countries. It changed what you have to monitor and who you have to screen.
- 6AMLD (2021) focused on criminal consequences — standardising the offence of money laundering, expanding predicate offences, introducing corporate criminal liability, increasing penalties. It changed what happens if your programme fails.
In practical terms: 5AMLD told you to screen for more things; 6AMLD told you that if you fail to, your company (not just your compliance officer) faces criminal prosecution.
Building a 6AMLD-compliant AML programme
A compliant programme in 2026 needs to meet these requirements:
- ✓Customer Due Diligence (CDD) on all clients — identification, verification, UBO mapping for legal entities, and risk assessment at onboarding.
- ✓Enhanced Due Diligence (EDD) for higher-risk clients — PEPs, high-risk third-country clients, complex ownership structures, unusual transaction patterns.
- ✓Sanctions and PEP screening — at onboarding and on an ongoing basis. Covering UN, EU, OFAC and national lists.
- ✓Ongoing monitoring — continuous monitoring of existing clients for changes in risk profile, new adverse information or sanctions list changes.
- ✓Suspicious Activity Reporting (SAR) — documented process for escalating and reporting suspicious transactions or activity to the Financial Intelligence Unit (FIU).
- ✓Record keeping — all CDD documents, screening results and decisions must be retained for at least 5 years after the end of the business relationship.
- ✓Staff training — documented annual AML training for all staff in client-facing or transaction-processing roles.
- ✓Senior management accountability — a nominated senior manager (MLRO or equivalent) responsible for AML compliance, with board-level oversight.
- ✓Written AML policy — a documented risk appetite, procedures and controls that has been reviewed in the past 12 months.
- ✓Risk assessment — a documented business-wide risk assessment, updated at least annually and whenever there are material changes to the business.
What regulators look for in an AML audit
When a supervisor audits your AML programme, they are not just checking whether you have a policy document. They will typically:
- Ask for your business-wide risk assessment and date of last review
- Select a sample of client files and ask to see the CDD and screening records for each
- Ask when the last screening was run on each sampled client (to test ongoing monitoring)
- Ask to see the escalation log for suspicious activity
- Ask for the training records for named staff members
- Ask about the governance structure — who is the MLRO, who has board oversight
The most common failures at inspection are: no evidence of ongoing monitoring (screening was done at onboarding but not since), incomplete UBO records for corporate clients, and no documented risk assessment for individual clients (just a checkbox rather than a reasoned risk classification).
Practical tip: Regulators are increasingly data-driven. If you can show them a live dashboard of your client risk scores, monitoring frequency and screening dates — pulled from your AML software in seconds — it demonstrates a functioning programme. If you have to pull spreadsheets and search through email, it signals a manual process with gaps.
The technology question: when do you need AML software?
If you are an obliged entity with more than 20–30 clients, manual AML compliance is not sustainable. The reasons:
- Sanctions lists change daily. The EU and OFAC update their lists multiple times per week. You cannot manually re-screen existing clients every time a list updates — but you are required to monitor continuously.
- UBO mapping for corporates is complex. Tracing beneficial ownership through multi-layer corporate structures to the natural person above 25% is not a manual task at scale.
- Audit evidence needs to be structured. A regulator who asks for the screening history of 10 clients cannot be answered with "let me search through the emails".
- The tipping point is earlier than most firms think. Most compliance consultants set the threshold at 20 active clients — above that, the probability of a manual process failing in a way a regulator will catch is material.
Frequently asked questions
What is 6AMLD?
The Sixth Anti-Money Laundering Directive (6AMLD) is an EU directive that standardised the criminal law framework for money laundering. It expanded predicate offences to 22, introduced corporate criminal liability, and set minimum imprisonment penalties of 4 years for serious money laundering. Member states were required to implement it by June 2021.
When did 6AMLD come into force?
6AMLD was published in October 2018. Member states had until 3 December 2020 to transpose it into national law. The obligations came into force from 3 June 2021. All 27 EU member states have now implemented it, though some national implementations include additional requirements beyond the minimum standard.
What are the 22 predicate offences under 6AMLD?
The 22 predicate offences include: participation in organised criminal groups, terrorism, human trafficking, sexual exploitation, drug trafficking, arms trafficking, corruption, fraud, counterfeiting, cybercrime, environmental crime, kidnapping, robbery, smuggling, extortion, forgery, piracy, insider trading, market manipulation, and — new under 6AMLD — tax crimes, plus any offence carrying more than one year imprisonment.
What is the difference between 5AMLD and 6AMLD?
5AMLD (implemented 2020) focused on transparency: beneficial ownership registers, crypto/virtual currency rules, high-risk third-country obligations. 6AMLD (implemented 2021) focused on criminal consequences: standardising the offence definition, expanding predicate offences, corporate criminal liability, and higher penalties. 5AMLD changed what you monitor; 6AMLD changed what happens if you fail to.
Does 6AMLD apply to law firms?
Yes. Law firms and other legal professionals are obliged entities under the AML Directive framework when they assist with transactions or activities that could facilitate money laundering — including property transactions, company formations, managing client money, and handling funds in escrow. The specific trigger activities vary by national implementation.
6AMLD-ready AML software
HubSecure AML covers all 22 predicate offence risk categories, continuous monitoring across EU sanctions and PEP databases, full audit trail and 27 European UBO registries. Book a 30-minute demo for your sector.
See AML module → Book a demoRelated reading:
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Related HubSecure references: Security · DPA · Subprocessors · AML/KYC glossary · RBAC glossary
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.