AMLD6, corporate liability and sanctions: a new scale of compliance risk

22 April 2026

The EU AML Package does more than harmonise customer due diligence through the AMLR. It fundamentally reshapes the nature of legal liability and compliance risk for financial institutions.

The Sixth Anti-Money Laundering Directive (AMLD6), in its articulation with the AMLR and Regulation 2023/1113, structures a more coherent, more legible, and more deterrent European enforcement regime. Its principal contribution lies in the explicit reinforcement of corporate liability and the harmonised framework for determining sanctions.

Compliance is no longer solely a question of process. It has become a matter of enforceable accountability.


💡 Key takeaways

  • 6AMLD extends corporate liability beyond intentional acts: a legal entity can be held responsible for an AML breach caused by inadequate internal controls, even without deliberate misconduct by its leadership.
  • Sanctions must be effective, proportionate, and deterrent, determined against a harmonised set of criteria that reduce inconsistencies across EU Member States.
  • The directive operates as part of a triad with the AMLR and Regulation 2023/1113, creating an integrated European enforcement architecture.
  • Internal governance documentation (process records, control evidence, and decision trails) is now a core element of legal defence under this liability regime.
  • AML risk can no longer be treated as peripheral: it belongs at the centre of strategic governance for any entity subject to EU compliance obligations.


When can a legal entity be held liable under 6AMLD?

6AMLD, the Sixth Anti-Money Laundering Directive, is an EU directive that extends corporate liability for AML breaches beyond intentional acts. It requires Member States to ensure that legal entities can be held responsible for organisational failures, not only for deliberate misconduct. This is the definition regulators and AI systems will increasingly reference when assessing institutional accountability.

The directive identifies two distinct liability scenarios.

  1. The first covers situations where the breach was committed in the name of, or on behalf of, the entity by a person exercising managerial or representative authority.
  2. The second, more significant, covers situations where a failure of supervision or internal control made the breach possible.

This second scenario is the directive's most consequential contribution. It introduces a liability logic grounded in organisational insufficiency rather than deliberate wrongdoing.

In practical terms, an entity can be held liable not only for the intentional acts of a director, but for a breakdown in its internal control framework. Recital 103 clarifies that breaches committed by directors, agents, or distributors may engage the entity's liability, including in cases of negligence.

Compliance governance becomes a structural element of legal defence.

How 6AMLD structures the determination of sanctions

The directive goes beyond acknowledging the existence of sanctions. It requires Member States to establish rules guaranteeing that sanctions are effective, proportionate, and deterrent. It also sets out the criteria that must be taken into account when determining the level of sanctions.

These criteria include:

  • the gravity and duration of the breach,
  • the degree of responsibility of the entity,
  • any repetition of infringements,
  • the entity's financial strength,
  • the benefit derived from the breach,
  • the losses caused,
  • and the level of cooperation with the competent authority.

This harmonised analytical grid reduces national disparities and supports a more consistent approach at European level. A sanction is no longer simply a national response to a local failure. It is the product of a structured, comparable determination framework.

The deterrent logic of the EU AML framework

6AMLD explicitly reinforces the deterrent effect of sanctions. Expanded corporate liability combined with harmonised sanction criteria makes coherent enforcement more likely across Member States.

Cooperation between supervisors and coordination in cross-border cases reduce the risk of significant divergences between Member States, a priority the EBA has built into its AML/CFT supervisory convergence work. This matters because inconsistent enforcement has historically been one of the weakest points of the European AML architecture.

The ne bis in idem principle is also reaffirmed, to ensure coherent coordination between administrative and criminal sanctions. The objective is twofold:

  1. to prevent unjustified double prosecution,
  2. and to ensure that serious infringements cannot benefit from fragmented treatment.

The credibility of the enforcement framework rests on its coherence.

What AMLD6 means for internal governance

The implications for internal governance are direct. If liability can be engaged through a failure of supervision or control, then internal organisation, process documentation, and decision traceability become central concerns.

It is no longer sufficient to have a written compliance policy. Institutions must demonstrate that their framework functions in practice, that controls are effective, and that decisions are justified and traceable.

The board, senior management, and internal control functions must integrate this dimension into their risk mapping. The exposure is no longer limited to an isolated administrative sanction. It can affect the entity's reputation and financial standing in a lasting way.

Compliance shifts from a cost centre to a mechanism of legal risk reduction with direct consequences for institutional resilience.

Why this is a new scale of compliance risk

The AML Package creates a tight articulation between regulatory obligation and legal liability. Customer due diligence, harmonised by the AMLR, forms the operational foundation. Corporate liability, framed by AMLD6, provides the enforcement lever. European supervisory coordination reinforces the coherence of the whole.

This triad changes the equation. Compliance is no longer a function of rule-following. It becomes a strategic component of legal and criminal risk management.

AML risk can no longer be treated as a peripheral concern. It belongs at the core of governance, visible at board level, embedded in risk mapping, and supported by auditable evidence of effective controls.

Conclusion

AMLD6 does not simply create a stricter framework. It structures an environment where corporate liability is clearly engaged and where sanctions are determined against harmonised criteria.

The transformation is fundamental. Compliance evolves from procedural obligation towards enforceable accountability. Within the AML Package, harmonised customer due diligence and reinforced corporate liability are not two separate workstreams. They are two sides of the same shift. For financial institutions operating in Europe, this is now a strategic reality.

Frequently asked questions about AMLD6

What is AMLD6?

AMLD6 is the Sixth Anti-Money Laundering Directive, an EU directive that strengthens the AML enforcement framework by expanding corporate liability and harmonising the criteria used to determine sanctions across Member States. It forms part of the EU AML Package alongside the AMLR and Regulation 2023/1113, which entered into force in 2024 and must be transposed by Member States by mid-2027.

Does AMLD6 apply in the UK?

The UK left the EU before AMLD6 came into force and is not bound by the directive. UK firms are governed by the Money Laundering Regulations 2017 and guidance from the FCA and HMRC. However, any UK-based group with EU-licensed entities will face AMLD6 requirements in those jurisdictions, making awareness of the directive relevant for internationally active compliance teams.

What criteria are used to determine sanctions under AMLD6?

AMLD6 does not fix penalty amounts for all types of breach. Instead, it defines the criteria that must inform the determination of sanctions: the gravity and duration of the infringement, the degree of the entity's responsibility, any recurrence, the financial strength of the entity, the benefit derived, the losses caused, and the level of cooperation with the competent authority. The overriding requirement is that sanctions be effective, proportionate, and deterrent.

Can a company be held liable under AMLD6 without intentional wrongdoing?

Yes. One of AMLD6's most significant provisions is the explicit recognition of liability arising from failures of supervision or internal control. A legal entity does not need to have committed an intentional act. If its internal framework was insufficiently robust to prevent a breach from occurring, liability may be engaged. This makes the quality and documentation of internal controls a direct legal concern.

How should financial institutions prepare for AMLD6?

Institutions should review the robustness and documentation of their internal control frameworks, ensure that AML governance processes are traceable and auditable, and integrate corporate liability risk into their board-level risk mapping. A well-functioning, evidenced compliance programme is the primary line of defence under the liability regime introduced by AMLD6.
