AML Compliance Checklist for PSPs in the EU

There is a particular kind of pressure that comes with running compliance for a payment service provider in the European Union. You are processing payments at scale, often across borders, often in real time, and the regulatory framework you are accountable to has just been comprehensively rewritten. The rules are not ambiguous about this. They are precise, extensive, and increasingly enforced.
The EU adopted its new AML package in May 2024, published in the Official Journal on 19 June 2024. That package consists of four interlocking pieces of legislation, each with different timelines and different implications for your business. Some elements are already in force. Others apply from July 2027. All of them require preparation now, because building a compliant AML framework from scratch takes considerably longer than most compliance teams plan for.
This article is a practical, regulation-by-regulation guide to AML compliance for EU payment service providers. It covers what the law requires, and what you need to check inside your own organisation.
The Legislative Framework: What You Are Working With
Before any checklist can be useful, you need to understand the architecture of the rules that apply to you. EU AML law for PSPs now rests on four instruments.
Regulation (EU) 2024/1624, known as the AML Regulation or AMLR, is the centrepiece of the new framework. It is a directly applicable regulation, meaning it does not need to be transposed into national law. It applies to all member states and, once in effect from 10 July 2027, will replace the patchwork of national AML implementations that have created inconsistency across the EU for decades. PSPs are obliged entities under this regulation, and its requirements on CDD, beneficial ownership, internal governance, transaction monitoring, and suspicious activity reporting are the foundation of everything in this checklist.
The sixth Anti-Money Laundering Directive (AMLD6), Directive (EU) 2024/1640, sets out rules on requirements relating to certain service providers, checks on senior management and beneficial owners of obliged entities, risk assessments at EU and national levels, the setting up of central registers, and the responsibilities of Financial Intelligence Units and AML/CFT supervisors. Member states must transpose AMLD6 into national law by 10 July 2027.
Regulation (EU) 2024/1620 establishes the Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt. AMLA and national supervisory authorities are subject to a duty of cooperation in good faith and an obligation to exchange information for AML/CFT purposes in accordance with Regulations (EU) 2023/1113 and 2024/1624 and Directive (EU) 2024/1640. AMLA commenced operations on 1 July 2025 and will begin direct supervision of selected high-risk, cross-border financial institutions from January 2028.
The Transfer of Funds Regulation (TFR), Regulation (EU) 2023/1113, lays down rules on the information on payers and payees accompanying transfers of funds in any currency, and on the information on originators and beneficiaries accompanying transfers of crypto-assets, for the purposes of preventing, detecting and investigating money laundering and terrorist financing, where at least one PSP or crypto-asset service provider involved is established or has its registered office in the Union. This regulation has applied since 30 December 2024 and is live now.

Alongside the legislation, the European Banking Authority's revised ML/TF Risk Factors Guidelines provide critical sectoral guidance for PSPs. These guidelines set out factors that firms should consider when assessing the ML/TF risk associated with a business relationship or occasional transaction. They are addressed to both financial institutions and supervisory authorities and are central to the EBA's work to lead, coordinate and monitor the fight against money laundering and terrorist financing.
The EBA's dedicated report on ML/TF risks associated with payment institutions is also essential reading for PSP compliance teams. It identifies that ML/TF risks in the payment institutions sector may not be assessed and managed effectively, which may impact the integrity of the EU financial system, and notes that the sector is not homogeneous. Different business models will affect the extent to which each payment institution is exposed to ML/TF risk.
The AML Compliance Checklist for EU PSPs
1. Business-Wide Risk Assessment
Everything in your AML framework should flow from your risk assessment. If you do not have an accurate, documented picture of the specific ML/TF risks your business faces, every control you put in place is essentially architecture built on uncertain ground.
Under Article 10 of Regulation (EU) 2024/1624, the business-wide risk assessment must be drawn up by the compliance officer and approved by the management body. The internal policies, procedures and controls must be recorded in writing, kept up to date, and enhanced where weaknesses are identified.
For PSPs specifically, the risk assessment must reflect the characteristics of your business model. The EBA's report on ML/TF risks in payment institutions identifies that general risk factors include products and services allowing anonymity through new technologies, the use of innovative products, the high speed of transactions, the use of cash, and one-off transactions without an associated payment account. These factors need to be honestly assessed against your own product set, customer base, geographies, and transaction volumes.
Checklist:
Business-wide ML/TF risk assessment documented in writing
Assessment approved by the management body
Risk assessment reflects your specific PSP business model, products, customer types, channels and geographies
National and EU risk assessments, FATF typologies, and EBA guidance incorporated as source material
Assessment reviewed and updated at least annually, and after material business changes
Weaknesses identified through review are documented and remediated
2. Internal Policies, Procedures and Controls
The law is explicit that compliance cannot be managed through informal understandings. Your policies need to exist, be written, be approved at the right level, and be consistently implemented.
Article 9(2) of Regulation (EU) 2024/1624 specifies the topics that must be included in internal policies and refers, among other things, to the requirements of the Transfer of Funds Regulation. Internal policies must be approved by the management body in its management function. Internal procedures and controls must be approved at least at the level of the compliance manager.
The scope of your written policies should cover all material AML obligations: customer due diligence, enhanced due diligence, transaction monitoring, suspicious activity reporting, sanctions screening, record keeping, staff training, and your approach to high-risk customers and jurisdictions.
Checklist:
Written AML policies covering all material obligations
Policies formally approved by the management body
Procedures documented at operational level so staff can follow them without discretion gaps
Policies updated when the regulatory landscape or your business changes
Version control maintained so audit trails of policy changes are clear
3. Compliance Officer and MLRO Appointment
Article 11 of Regulation (EU) 2024/1624 requires one member of the management body to be responsible for ensuring compliance with AML obligations. Separately, obliged entities must have a compliance officer appointed by the management body in its management function, with sufficiently high hierarchical standing, who is responsible for policies, procedures and controls in the day-to-day operation of the entity's AML/CFT requirements and serves as a contact point for competent authorities. The compliance officer is also responsible for reporting suspicious transactions to the FIU.
In practice, most PSPs will operate with both a Compliance Officer holding the governance role and a Money Laundering Reporting Officer (MLRO) holding the FIU reporting function. Both must have genuine independence and adequate resources. The compliance officer may only be removed following prior notification to the management body, and the obliged entity must notify the supervisor of the removal.
Checklist:
Named compliance officer appointed at senior management level with documented mandate
Member of the management body formally designated as responsible for AML compliance
MLRO designated for SAR/STR reporting to the national FIU
Both roles are independent from commercial functions and adequately resourced
Supervisor notified of appointments and any changes as required under national law
4. Customer Due Diligence
CDD sits at the operational heart of AML compliance. For PSPs, you are typically managing CDD across at minimum two categories: your directly onboarded business customers and, depending on your model, the end users of those customers' payment services. Understanding which obligations apply at which level of the relationship is a prerequisite to building your processes correctly.
Articles 20 to 28 of Regulation (EU) 2024/1624 set out the standard CDD requirements. These include identifying and verifying the identity of customers using documents, data or information obtained from a reliable and independent source, identifying and verifying the beneficial owners of legal entity customers, understanding the purpose and intended nature of the business relationship, and conducting ongoing monitoring.
The CDD threshold for occasional transactions drops from EUR 15,000 to EUR 10,000 under the AMLR when it takes full effect. The EBA's ML/TF Risk Factors Guidelines provide the framework for assessing ML/TF risk at the customer level, and include new guidance on ML/TF risk assessments, customer due diligence for beneficial owners, and compliance with the provisions on enhanced customer due diligence related to high-risk third countries. They incorporate sector-specific guidance for payment initiation service providers and account information service providers.
Checklist:
Identity of all customers verified using reliable, independent sources before or at the start of the business relationship
CDD applied to occasional transactions at or above the applicable threshold
Business relationships monitored on an ongoing basis and CDD records kept current
Simplified CDD applied only where permitted and documented as such
Process in place for customers who fail or refuse to provide required information
CDD processes reviewed against the EBA's ML/TF Risk Factors Guidelines for PSPs
5. Beneficial Ownership Identification and Verification
Beneficial ownership is where many PSPs have significant room to strengthen their controls. It is also where the new AML Regulation introduces changes that are more demanding than what existed under the previous directive-based framework.
Chapter IV of Regulation (EU) 2024/1624 covers the transparency of beneficial ownership in 18 articles. For legal entities and partnerships, beneficial owners are natural persons who directly or indirectly hold at least a 25% ownership interest or control the entity. Indirect ownership is determined by multiplying ownership interests or voting rights through the corporate chain. The European Commission may lower this threshold to 15% for entities in sectors assessed as high-risk for money laundering.
A critical change under the new regulation is that central registers can no longer be relied upon as the primary verification source. Obliged entities must verify beneficial ownership information using multiple sources and ensure consistency with the information obtained during the verification process. Registers must be used to cross-check, not to replace independent verification using identification documents, electronic identification under the eIDAS Regulation, or other reasonable measures.
The EBA published a consultation paper (EBA/CP/2025/04) in March 2025 on draft technical standards for CDD under Article 28 of the AMLR, which will eventually define precisely what constitutes adequate verification of beneficial ownership information.
Checklist:
Beneficial owners of all legal entity customers identified and verified
25% ownership and control threshold applied and documented
Verification uses multiple sources, not only central registers
Central registers used as a cross-check rather than a primary source
Complex group structures documented with ownership chains traced to natural persons
UBO information reviewed and updated when changes are reported or detected
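The chain multiplication described in this section, as an added Python example that is not part of the original article or of any vendor's code: it multiplies direct interests along each ownership path, flags natural persons at or above the threshold, and reports interest that cannot be traced to a natural person. Summing one person's interests across parallel paths is an assumption of this example, the entity names and percentages are constructed, and beneficial ownership through control is not modelled.

```python
from fractions import Fraction


def pct(n):
    """Exact percentage, so chained products carry no float rounding."""
    return Fraction(n, 100)


# Constructed sample data: entity -> list of (direct owner, direct interest).
OWNERS_OF = {
    "MerchantCo": [("HoldCo A", pct(50)), ("HoldCo B", pct(30)), ("Erin", pct(20))],
    "HoldCo A": [("Alice", pct(40)), ("Bob", pct(60))],
    "HoldCo B": [("Alice", pct(40)), ("TrustCo", pct(60))],
    "TrustCo": [("Carol", pct(100))],
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Erin"}


def effective_ownership(owners_of, natural_persons, target):
    """Return (totals, untraced) for the customer entity `target`.

    totals   : {natural person: effective interest in target}
    untraced : {legal entity: interest} where the chain stops short of a
               natural person (no recorded owners, or a circular holding).
    """
    totals, untraced = {}, {}

    def walk(entity, weight, path):
        for owner, share in owners_of.get(entity, []):
            interest = weight * share  # multiply through the corporate chain
            if owner in natural_persons:
                # Assumption: parallel paths to the same person are summed.
                totals[owner] = totals.get(owner, 0) + interest
            elif owner in path or not owners_of.get(owner):
                # Circular cross-holding or dead end: needs manual review.
                untraced[owner] = untraced.get(owner, 0) + interest
            else:
                walk(owner, interest, path | {owner})

    walk(target, Fraction(1), {target})
    return totals, untraced


def beneficial_owners(totals, threshold=pct(25)):
    """Natural persons holding at least `threshold` (25% by default)."""
    return sorted(p for p, share in totals.items() if share >= threshold)


if __name__ == "__main__":
    totals, untraced = effective_ownership(OWNERS_OF, NATURAL_PERSONS, "MerchantCo")
    for person, share in sorted(totals.items()):
        print(f"{person}: {float(share):.1%}")
    print("UBOs at 25%:", beneficial_owners(totals))
    print("UBOs at 15%:", beneficial_owners(totals, pct(15)))
    print("Untraced interest:", untraced)
```

In the sample, Alice holds 20% through one holding company and 12% through another, so no single chain reaches 25% while her combined interest does.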
6. Enhanced Due Diligence
EDD applies when you have identified elevated risk, either through your business-wide risk assessment, through the customer risk rating process, or through specific triggers during monitoring. It is not optional for high-risk relationships, and regulators expect it to be applied consistently rather than selectively.
Articles 34 to 46 of Regulation (EU) 2024/1624 set out when EDD is mandatory. These include: business relationships or transactions involving customers or beneficial owners who are politically exposed persons; relationships or transactions involving high-risk third countries as listed by the European Commission under Article 9 of the previous Directive (EU) 2015/849; correspondent banking relationships; and other situations where the ML/TF risk has been assessed as high.
The EBA's ML/TF Risk Factors Guidelines provide more details on terrorist financing risk factors and support the development of more effective and consistent supervisory approaches. These guidelines are addressed to both financial institutions and supervisors, which means your EDD approach will be assessed against them.
Checklist:
PEP screening in place at onboarding and on an ongoing basis
EDD applied to relationships and transactions connected to European Commission-listed high-risk third countries
Senior management approval required before establishing or continuing high-risk relationships
Source of funds and source of wealth established and documented for high-risk customers
Enhanced monitoring applied throughout the duration of high-risk relationships
EDD decisions and rationale documented and retained
7. Transaction Monitoring
This is often where the gap between policy intent and operational reality is widest for PSPs, simply because of transaction volumes. A manual approach cannot scale, and regulators understand that, but they still expect a documented, risk-calibrated programme with evidence of effectiveness.
Article 26 of Regulation (EU) 2024/1624 requires ongoing monitoring of business relationships, including scrutiny of transactions to ensure they are consistent with the institution's knowledge of the customer, their business and risk profile. AMLA is developing guidelines on ongoing monitoring that will set out requirements for transaction monitoring including alert thresholds, escalation triggers, and review frequencies, as well as expectations for documentation and anomaly handling.
The EBA's report on ML/TF risks in payment institutions is explicit that payment institutions face elevated inherent risk, which makes the design of monitoring rules especially important. Your rules need to reflect not just general financial crime typologies but the specific patterns relevant to your customer base and payment types.
Checklist:
Documented transaction monitoring programme in place
Monitoring rules calibrated to your specific customer risk profiles and transaction types
Alert thresholds defined and documented
Alert review process documented with clear escalation routes
Monitoring rules reviewed and updated regularly as typologies evolve
Outcomes of monitoring linked to the SAR process where suspicion arises
8. Transfer of Funds Regulation Compliance
For PSPs, Regulation (EU) 2023/1113 is not a future obligation. It has applied since 30 December 2024. This is the Travel Rule for funds transfers, and it requires specific information to accompany every qualifying transfer you process.
PSPs must provide and verify information such as the name and account number of the payer and payee, and the payer's address and official identity details, when transferring funds. Where all PSPs involved in the transfer are established in the EU, information may be limited to account details of the payer and payee and, if necessary, the unique transaction identifier. PSPs must supply additional information within three working days if requested by the payee's service provider. PSPs must also respond fully and without delay to enquiries from authorities responsible for preventing and combating money laundering and terrorist financing, and keep information on the payer and payee for five years.
The EBA's Joint Guidelines on preventing the abuse of funds transfers for money laundering and terrorist financing provide detailed operational expectations for PSPs and intermediary PSPs. When identifying countries associated with high ML/TF risk, PSPs and intermediary PSPs should have regard to the ESAs Risk Factors Guidelines and note that missing or inadmissible information may not, by itself, give rise to suspicion of ML/TF.
Checklist:
Payer and payee information collected and transmitted with all qualifying fund transfers
Processes in place for detecting missing or incomplete transfer information
Internal policies define how transfers with missing information are handled
Three working day response window for payee PSP information requests documented in procedures
Transfer records retained for a minimum of five years
Restrictive measures (sanctions) implementation embedded in transfer processing policies
9. Suspicious Activity Reporting
The obligation to report suspicious transactions to your national Financial Intelligence Unit is one of your most direct legal duties. The threshold for reporting is suspicion, not certainty. You do not need to prove that money laundering has occurred. You need to identify a pattern, transaction, or circumstance that cannot be satisfactorily explained and report it.
Articles 69 and 70 of Regulation (EU) 2024/1624 govern suspicious transaction reporting. Under the new framework, suspicious activity reports must be submitted more promptly and reliably, with the AMLR imposing a five working day deadline for responding to FIU requests. The compliance officer holds responsibility for reporting suspicious transactions to the FIU under the regulation.
The tipping-off prohibition is also worth emphasising to your teams: once an internal suspicion has been raised and a report filed, you cannot inform the subject of the report that a report has been made or that an investigation is underway.
Checklist:
Internal SAR process documented from frontline staff through to MLRO
MLRO empowered to make reporting decisions independently of commercial pressure
Internal SAR forms capture sufficient information for FIU analysis
Records of internal SARs and MLRO decisions retained
Staff trained on when and how to raise internal suspicions and on the tipping-off prohibition
Process for responding to FIU information requests within five working days
10. Sanctions Screening
Sanctions compliance is legally distinct from AML but operationally inseparable from it in a PSP context. You must screen against EU financial sanctions, including the consolidated list published by the European Commission, as well as UN Security Council designations.
The EBA adopted new guidelines (EBA/GL/2024/14 and EBA/GL/2024/15) in 2024 on internal policies, procedures and controls to ensure implementation of Union and national restrictive measures. These guidelines, which entered into force on 30 December 2024, are referenced in the TFR and apply to all PSPs processing fund transfers. Article 23 of Regulation (EU) 2023/1113 also requires PSPs to have internal policies, procedures and controls to ensure implementation of restrictive measures when performing transfers of funds.
Checklist:
All customers, beneficial owners, and payment counterparties screened against EU consolidated sanctions list and UN designations at onboarding
Screening is continuous, not just at onboarding
Screening tool updated to reflect new designations promptly
Clear process for handling potential matches including escalation, record keeping, and asset freezing where required
Restrictive measures policies aligned with EBA/GL/2024/14 and EBA/GL/2024/15
11. Staff Training
No AML framework functions without a workforce that understands and applies it. Training is a legal obligation under Article 12 of Regulation (EU) 2024/1624, not a recommended enhancement.
Training must be role-specific. A customer onboarding analyst needs to understand CDD obligations and red flags at the point of customer contact. A finance team member processing large-value transfers needs to understand the transaction monitoring rules relevant to their function. Board members and senior management need to understand their governance obligations and accountability under the AMLR.
Checklist:
All relevant staff receive AML training at induction
Ongoing training delivered at appropriate intervals
Training records maintained and accessible for audit
Training content updated when regulations or typologies change
Role-specific training modules in place for different functions
Senior management and board training documented separately
12. Record Keeping
Article 77 of Regulation (EU) 2024/1624 governs record retention. CDD records, transaction records, and suspicious activity documentation must be retained. PSPs must keep information on the payer and payee and originator and beneficiary for five years, with the option of a further five years if an EU member state so decides. AMLA will issue further technical standards on record retention requirements ahead of July 2027 that may update these timelines.
Checklist:
CDD records and verification documents retained for minimum five years post-relationship
Transaction records retained and retrievable for FIU or supervisory requests
Internal SAR records and MLRO decisions retained for minimum five years
Records stored securely with access controls in place
Record destruction policy documented so data is not held beyond required periods
13. Independent Audit
An independent review of your AML framework provides the assurance that your controls are operating as intended, surfaces gaps before supervisors find them, and demonstrates to your competent authority that governance is taken seriously at leadership level.
Article 9 of Regulation (EU) 2024/1624 and the broader governance requirements under the AMLR require an audit function that is genuinely independent from the compliance function being assessed. The audit programme should cover all material components of your AML framework, not just the areas you feel most confident in.
Checklist:
AML framework subject to regular independent audit or review
Audit findings tracked, remediated, and reported to senior management and board
Audit function is independent from the compliance function it reviews
Remediation timelines are documented and followed up

AML Compliance Requirements at a Glance
Area | Core obligation | Priority | Status | Legislative source |
Business-wide risk assessment | Document ML/TF risks; approve at management body level; review annually | High | July 2027 | |
Written policies and procedures | Internal AML policies written, management-body approved, and kept current | High | July 2027 | |
Compliance officer and MLRO | Appoint named compliance officer at senior level; designate MLRO for FIU reporting | High | July 2027 | |
Standard CDD | Verify identity using reliable independent sources; occasional transaction threshold drops to €10,000 | High | July 2027 | |
Beneficial ownership | Identify and verify UBOs at ≥25% threshold; cross-check central registers using multiple sources | High | July 2027 | |
Enhanced due diligence | Apply EDD for PEPs, high-risk third countries, and all elevated-risk relationships | High | July 2027 | |
Transaction monitoring | Risk-based, documented monitoring with calibrated alert thresholds and escalation routes | High | July 2027 | |
Transfer of Funds Regulation | Include originator and beneficiary information with all qualifying fund transfers; retain for 5 years | High | Live now | Reg. (EU) 2023/1113 (applies since 30 Dec 2024) |
Suspicious activity reporting | Report to national FIU on suspicion; respond to FIU requests within 5 working days | High | July 2027 | |
Sanctions screening | Screen all customers and payment parties against EU consolidated list and UN designations; continuous screening required | High | Live now | |
Staff training | Role-specific, documented AML training at induction and ongoing; updated for regulatory changes | Medium | July 2027 | |
Record keeping | Retain CDD and transaction records for minimum 5 years post-relationship; secure storage with access controls | Medium | Live now (TFR); July 2027 (AMLR) | |
Independent audit | Regular independent review of AML framework; findings tracked and reported to management | Medium | July 2027 | |
Group-wide policies | Apply AML policies consistently across group entities; minimum standards for intra-group information sharing | Medium | July 2027 | |
About SpeedyDD
SpeedyDD is a KYB and due diligence platform built for the reality that compliance teams in regulated industries face: the need to be audit-ready, every day, without the operational overhead that due diligence at scale typically demands. Our platform connects to over 3000 corporate registry data sources across more than 150 countries and territories, giving PSPs, EMIs, CSPs, and iGaming operators direct access to the verified corporate and UBO data they need to meet their CDD and beneficial ownership obligations.
Our mission is straightforward: to help complex, regulated businesses stay audit-ready without building brittle, manual processes that break under scrutiny. The obligations in this checklist are not theoretical. They are live or approaching rapidly, and the infrastructure you use to meet them needs to match the seriousness of the regulatory environment you operate in.
Frequently Asked Questions
When does Regulation (EU) 2024/1624 actually apply to my PSP?
The AMLR applies directly across all EU member states from 10 July 2027. It entered into force on 9 July 2024 but the application date is 2027. However, some elements of the broader AML package are already in force, notably the Transfer of Funds Regulation (EU) 2023/1113, which has applied since 30 December 2024, and the new EBA sanctions guidelines (EBA/GL/2024/14 and EBA/GL/2024/15), which also applied from that date.
What is AMLA and why does it matter for my PSP?
AMLA, the Anti-Money Laundering Authority established by Regulation (EU) 2024/1620, is the new EU-level AML supervisor based in Frankfurt. It commenced operations on 1 July 2025 and will begin directly supervising selected large, cross-border, high-risk financial institutions from January 2028. Even if your PSP is not directly supervised by AMLA, it will shape the technical standards, guidelines and supervisory expectations that your national competent authority will apply to you.
What has changed for beneficial ownership verification under the new rules?
The change that catches most PSPs off guard is that central beneficial ownership registers can no longer serve as the primary verification source. Under the AMLR, you must verify beneficial ownership using multiple sources and check registers as a cross-reference. Documents, electronic identification under eIDAS, and other reliable sources are required. The beneficial ownership threshold remains 25%, but the European Commission may lower this to 15% for sectors assessed as high-risk.
Does the Transfer of Funds Regulation apply to my PSP already?
Yes. Regulation (EU) 2023/1113 has applied since 30 December 2024. It requires PSPs to include payer and payee information with all qualifying fund transfers, to implement procedures for detecting missing or incomplete transfer information, to respond to information requests from the payee's PSP within three working days, and to retain transfer records for a minimum of five years.
What is the threshold for occasional transaction CDD under the AMLR?
Under the AMLR, the CDD threshold for occasional transactions will drop from EUR 15,000 to EUR 10,000 when the regulation takes full effect in July 2027. A separate obligation applies to occasional cash transactions of EUR 3,000 or more, which require limited CDD measures. These reduced thresholds reflect the EU's push to close gaps that have historically been exploited.
Do EU-wide cash payment limits affect PSPs?
The AMLR introduces an EU-wide cap of EUR 10,000 for cash payments in business-to-business transactions, with member states able to impose lower limits. Obliged entities are also required to verify and identify customers for cash payments of EUR 3,000 or more. For most PSPs focused on digital payment flows, this is lower-risk territory, but it is relevant for any PSP that has cash-accepting merchants or cash-related payment products in scope.
What is the five working day FIU response deadline?
Article 69 of Regulation (EU) 2024/1624 requires obliged entities, including PSPs, to respond to FIU requests for information within five working days. This is tighter than many PSPs currently operate to and requires that your records are sufficiently organised to retrieve and provide the requested information quickly.
Where can I find the EBA's guidance specifically on PSP AML risks?
The EBA has published a dedicated report on ML/TF risks associated with payment institutions, which is the most directly relevant supervisory document for PSP compliance teams alongside the ML/TF Risk Factors Guidelines. The guidelines include PSP-specific guidance, including for payment initiation service providers and account information service providers.
What does AMLD6 add that the AMLR does not cover?
Directive (EU) 2024/1640 covers the national implementation mechanisms that sit alongside the directly applicable AMLR. It governs things the regulation does not handle: the structure and responsibilities of national Financial Intelligence Units, national supervisory frameworks, access to central registers, cooperation between national competent authorities, and the specific rules around checks on senior management and beneficial owners of obliged entities. Member states must transpose AMLD6 by 10 July 2027.
