Most compliance coverage about the EU’s Sixth Anti-Money Laundering Directive focuses on banks. That is understandable; the big institutions have the most to lose and the loudest lobbyists. But it creates a blind spot.
For startups operating in fintech, payments, crypto, lending or any sector that touches regulated activity, the new AML framework is not somebody else’s problem. If you onboard business clients, the 2024 AML Package, which includes what the industry calls AMLD6 or the Sixth Directive; changes what you are required to know, verify and document before you let a company through your front door.
Meaning Of “6AMLD”
The terminology around EU AML law is genuinely confusing, and it is worth getting straight to before anything else.
When people in the compliance industry say “6AMLD” today, they are often talking about two different things. There is the 2018 criminal law directive (Directive 2018/1673), which harmonised the definition of money laundering offenses across member states and toughened penalties. That came into force in December 2020.
Then there is the 2024 AML Package, adopted in May 2024, published in June 2024, which is the more significant development for businesses. It consists of three parts:
- AMLD6 (Directive 2024/1640) – rules for national supervisors, beneficial ownership registers, and Financial Intelligence Units that member states must transpose by July 2027
- The AML Regulation (AMLR) – a directly applicable single rulebook covering KYC and KYB obligations, applying simultaneously across all EU member states
- AMLA – the new Anti-Money Laundering Authority, based in Frankfurt, which began operating in 2025 and directly supervises the highest-risk institutions
For startups, the AMLR is where the immediate obligations live. It eliminates the patchwork of national implementations that previously allowed companies to effectively arbitrage across member states. The same rules now apply everywhere, simultaneously.
Who Is Caught By These Rules?
Not every startup is an “obliged entity” under the AML framework. But the net is broader than many founders assume.
The AMLR applies to financial institutions, crypto-asset service providers under MiCA, payment institutions, e-money firms, crowdfunding service providers, and a range of designated non-financial businesses and professions. If your startup falls into any of these categories or if you are building infrastructure that regulated entities rely on, you are either directly subject to the rules or will be scrutinised closely by those who are.
Critically, the 2024 package brings crypto-asset service providers fully into scope under a unified framework for the first time. If you are a CASP operating under MiCA, your KYB obligations for business clients are now aligned with those of traditional financial institutions. There is no lighter-touch regime for being newer or smaller.
The question is not just “are we an obliged entity?” It is also “Are we onboarding clients who are?” Because if you provide services to regulated businesses, they will run you through due diligence that reflects their own obligations. Your KYB readiness affects whether they can work with you at all.
Changes For Business Client Onboarding
For startups that do fall within scope, the practical changes to onboarding business clients are substantial.
Beneficial Ownership Thresholds Are Tightening
The 2024 rules push beyond formal shareholding percentages toward a focus on ultimate control. If someone controls a company through means other than direct ownership such as voting rights, veto powers, or contractual arrangements, they must now be identified as a UBO. The framework is increasingly skeptical of clean corporate structures that happen to fall just below the threshold.
UBO Register Access Is Changing
AMLD6 overhauls how beneficial ownership information is accessed across the EU. As of July 2025, access to UBO register data must be available electronically, and from November 2026, registers must respond to legitimate interest requests within 12 working days.
The BORIS system will interconnect national registers, enabling faster cross-border verification. For startups onboarding business clients across multiple EU markets, this is a meaningful operational improvement – but it also raises the bar for what a reasonable due diligence process should look like.
Aiding And Abetting Is Now Explicit
The 2018 directive criminalised not just money laundering but also aiding, abetting, inciting and attempting it. This matters for how compliance teams should think about onboarding decisions. Waving through a business client with obvious red flags is not just a regulatory failure, it can expose the company and the individuals who made the decision to criminal liability.
Corporate Liability Is Extended
If an employee facilitates financial crime due to inadequate controls or a lack of supervision by a leadership position, the company can be held criminally liable. For startups with lean compliance functions, this is a direct argument for investing in proper onboarding infrastructure before you scale, not after.
The UBO Problem Is The Real Compliance Challenge
A lot of attention goes to sanctions screening and PEP checks; important, but relatively tractable with the right tools. The harder problem for startups onboarding business clients is beneficial ownership.
Ownership chains that run through multiple jurisdictions, trusts rather than companies, and nominee arrangements are designed specifically to obscure who ultimately controls an entity. The 2024 package is a direct response to the Panama Papers, Pandora Papers, and the systematic failure of earlier frameworks to pierce these structures.
What this means for your onboarding process: confirming that a business exists and that its registered director is not on a sanctions list is no longer enough. You need to trace the ownership chain to a natural person, document what you found and how you found it, and keep that information up to date.
Doing this manually for every business client at scale is not viable. And it is exactly the operational pressure that is driving the growth of automated KYB platforms. A proper AML assessment, one that covers entity verification, UBO mapping, sanctions and PEP screening and adverse media needs to be embedded into the onboarding flow, not bolted on afterward as a checklist.
What About Ongoing Monitoring?
One area where startups consistently underinvest is post-onboarding monitoring. Verification at the point of onboarding satisfies a regulatory requirement, but does not reflect how business relationships actually evolve.
Ownership structures change. Sanctions get added. A company that was clean when you onboarded them can look very different 18 months later.
The 2024 AML framework is explicit that customer due diligence is not a one-time exercise. Obliged entities must continuously monitor business relationships and update their records when relevant changes occur. For startups growing quickly across multiple markets, this is a real operational challenge – and one that manual processes can not solve at scale.
The AMLA Effect On Enforcement
The creation of AMLA is worth paying attention to, even if you are not one of the 40-or-so institutions it directly supervises in its first phase of operation.
AMLA’s role is to ensure consistent enforcement across member states. One of the persistent failures of earlier AML directives was that national transposition varied so much that companies could effectively choose which regime to operate under. That arbitrage is closing.
AMLA can also expand its direct supervisory perimeter over time. And its existence creates pressure on national supervisors to enforce more consistently, because AMLA can step in where national authorities are seen to be falling short.
For startups, the practical implication is that the “we are based in a lenient jurisdiction” logic is running out of road. The direction of travel is clear: harmonised, centrally coordinated enforcement, with an expectation that technology is used to operationalise compliance rather than paper over gaps with manual processes.
There is no universal compliance programme. What the framework requires is a risk-based approach – proportionate, documented, and demonstrably implemented.
That means confirming whether you are an obliged entity, building UBO mapping into onboarding from day one, automating screening where possible, and documenting the reasoning behind your risk decisions. Regulators want evidence that you thought about the risk – not just that you ran a check and moved on.
The compliance bar has risen. The good news is that the tools available to startups have risen with it. But that only helps if you treat it as a business-critical investment rather than something to sort out after the next funding round.
