EU AML Regulation 2024/1624: What Cyprus Businesses Must Do Before 2027

The regulatory landscape in Cyprus is undergoing its most significant transformation in decades. At CX Financia, we are increasingly hearing one vital question: “Does the new EU AML Regulation 2024/1624 apply to us?” The answer is overwhelmingly yes. By July 2027, the “Single Rulebook” will replace fragmented directives with a uniform, high-standard framework that leaves no room for ambiguity.

Critical Scope Expansion under EU AML Regulation 2024/1624

The EU AML Regulation 2024/1624 (AMLR) fundamentally changes who is considered an “obliged entity.” Beyond traditional banks and law firms, the regulation now captures high-value lifestyle and emerging tech sectors that were previously loosely regulated. For those transitioning into this new environment, our Regulatory Compliance Advisory provides the specialized guidance necessary to navigate these complex legal shifts.

Regulatory Background: From Directives to a Single Rulebook

Cyprus, like all EU Member States, has historically implemented AML/CFT requirements through national legislation — principally the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (as amended), which transposed successive EU AML Directives into Cypriot law. The result, across the EU, was a patchwork: broadly similar obligations but with meaningful national differences in scope, thresholds, definitions, and supervisory intensity.

The 2024 EU AML Package changes this fundamentally. It is centred on three new instruments:

• Regulation (EU) 2024/1624 — the AML Regulation (AMLR), the ‘Single Rulebook’, which replaces and harmonises much of the private-sector AML/CFT rulebook previously implemented through the AML Directives, applying from 10 July 2027.
• Regulation (EU) 2024/1620 — establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), based in Frankfurt. AMLA has had legal existence since 26 June 2024 and is being built up in phases ahead of its full supervisory role.
• Directive (EU) 2024/1640 — the 6th AML Directive (AMLD6), which governs national supervisory structures and mechanisms and must be transposed by Member States.

Together with the recast Transfer of Funds Regulation (Regulation (EU) 2023/1113), which is particularly relevant for crypto-asset service providers and payment institutions, these instruments form the new EU AML/CFT framework.

Because the AMLR is a regulation — not a directive — it does not require Cypriot implementing legislation to take effect. From 10 July 2027, it applies directly across all EU Member States. This significantly reduces national variation in core scope, definitions, and obligations, although Member States may still retain or introduce certain stricter or local measures where the framework permits.

Entities in Scope: The Expanded List

Article 3 of the AMLR sets out the full list of ‘obliged entities’. While many existing firms are already regulated, the bar for compliance is being raised significantly. Established institutions like CIFs and AIFMs are now seeking specialized CySEC & Financial Licensing support to ensure their operations remain aligned with the evolving expectations of both national supervisors and the new Frankfurt-based AMLA. To understand how these expectations are manifesting in the 2026 supervisory landscape – specifically regarding structured data and the upcoming Regulatory Technical Standards – see our briefing on Preparing for AMLA Regulation in Cyprus.

Sectors Newly Impacted by EU AML Regulation 2024/1624

While the financial sector is well-versed in compliance, the EU AML Regulation 2024/1624 significantly broadens the definition of an “obliged entity.” This expansion targets sectors where high-value assets can be used for layering illicit funds. Specifically, Cyprus-based dealers in high-value motor vehicles (at or above €250,000) and luxury goods like jewelry or precious metals (exceeding €10,000) must now implement formal AML programs.

Furthermore, the digital asset landscape is now fully centralized within this framework; obtaining CASP & Crypto Licensing is a non-negotiable requirement for firms navigating MiCA and the new Single Rulebook. Even the sports industry is not exempt, with professional football clubs and agents scheduled to fall under the scope by July 2029.

The table below provides a detailed breakdown of these newly in-scope categories and their respective enforcement dates:

Note: Thresholds apply whether a transaction is carried out as a single operation or through linked transactions. The AMLR specifically provides that transactions cannot be artificially separated to fall below relevant thresholds. Application dates: most sectors from 10 July 2027; football clubs and agents from 10 July 2029 (Article 90, AMLR).

Mandatory Reporting and Transparency under EU AML Regulation 2024/1624

To manage these transparency requirements and the 2026 “Substance-First” approach, many firms are turning to Corporate & Fiduciary Services to ensure their management structures are robust enough to withstand regulatory scrutiny.

Important: Thresholds do not limit suspicious transaction reporting.

AMLR thresholds determine when CDD or mandatory reporting obligations are triggered. They do not restrict or delay the obligation to report suspicious activity. Where there are reasonable grounds to suspect money laundering or terrorist financing, reporting obligations arise regardless of the transaction amount or whether a threshold has been reached.

A Closer Look: Luxury Goods Dealers and Motor Vehicle Traders

Why These Sectors Are Now in Scope

The inclusion of luxury goods traders — and in particular dealers in high-value motor vehicles — is one of the most practically significant expansions of the AMLR for Cyprus. The EU legislator has been explicit about the rationale: high-value, transportable assets such as luxury cars, yachts, aircraft, and jewellery are inherently attractive to those seeking to place or layer illicit funds, because a single transaction can move significant value and ownership can be difficult to trace — particularly where assets are registered in third countries.

For Cyprus, this matters. The island has a well-established market for premium and ultra-premium vehicles, with a proportion of sales involving buyers from outside the EU. The same applies to the yacht and marine sector. These are not theoretical risks — they are the kind of transactions that financial intelligence units and supervisors across the EU have flagged as requiring closer scrutiny.

Scope, CDD and Reporting: Three Separate Questions for Motor Vehicle Dealers

The AMLR’s treatment of motor vehicle traders involves three distinct layers, and it is important not to conflate them.

First — scope. Traders in high-value motor vehicles are brought within the AMLR’s AML/CFT framework where their activity falls within the relevant AMLR categories. The key value marker for motor vehicles is €250,000.

Second — CDD. Once in scope, motor vehicle dealers must apply customer due diligence when the transaction meets or triggers the applicable CDD threshold. This means identifying and verifying the buyer, understanding the beneficial ownership of any corporate purchaser, assessing the purpose of the transaction, and understanding the source of funds. Where higher-risk indicators are present — such as offshore ownership, politically exposed persons (PEPs), third-party payments, or an inability to explain the source of wealth — enhanced due diligence applies.

Third — mandatory FIU reporting. Under Article 74 of the AMLR, where a motor vehicle is acquired for non-commercial purposes at or above the €250,000 threshold, the dealer must file a specific report with the Financial Intelligence Unit (MOKAS in Cyprus), regardless of whether the transaction appears suspicious. This mandatory threshold-based report sits alongside — and does not replace — the general obligation to file a suspicious transaction report where grounds for suspicion exist at any transaction value.

A Practical Example: Offshore Company Purchasing a €300,000 Vehicle

To make this concrete: a Cyprus car dealership selling a vehicle at €300,000 to an offshore company should not treat the transaction as routine merely because payment arrives by bank transfer.

The dealership should be asking: Who owns and controls the purchasing company? Why is this company buying the vehicle? Is the vehicle for commercial or private use? Who is providing the funds, and do they come from a third party? Can the source of funds be explained and evidenced?

If the beneficial owner is unclear, the payment originates from another offshore entity, or the source of funds cannot be satisfactorily explained, the case should be escalated within the firm’s AML framework. Where suspicion arises, a suspicious transaction report to MOKAS should be considered, irrespective of whether the mandatory Article 74 report has already been filed.

Source of funds should be understood and evidenced in all cases. Source of wealth should be obtained where higher-risk indicators are present — including offshore ownership structures, PEP exposure, third-party payments, or any feature of the transaction that raises a question about the legitimacy of the funds being used.

How the Requirement Is Reaching Dealerships in Practice

One of the most practical observations from our work with clients in Cyprus is that the compliance requirement is not always arriving directly from the regulator — at least not yet. It is arriving through the supply chain.

Several motor vehicle dealerships we work with have been approached by their manufacturers, importers, or commercial counterparts — the entities that source and supply vehicles to them — asking for confirmation that the dealership has an AML compliance framework in place. This is consistent with the direction of group-wide and counterparty due diligence expectations under the AMLR: where a dealer is part of a group, or where a manufacturer or importer operates within a group structure with AML obligations, there is a commercial and regulatory expectation that subsidiary entities and supply-chain partners implement consistent standards.

In practical terms, dealerships in Cyprus are being asked: Do you have a written AML policy? Do you conduct customer due diligence on high-value vehicle purchases? Who is your compliance officer? Do you have a risk assessment in place? For many dealerships, the honest answer is currently no — or at least not to the standard now expected.

The message to motor vehicle dealers is this: you may already be feeling the regulatory pressure, even before MOKAS or the Cyprus supervisory authority formally comes to you. The time to act is now.

Strategic Implementation of EU AML Regulation 2024/1624 Controls

To maintain authority in the Cyprus market, businesses must move beyond “box-ticking” and adopt an evidence-based approach. The EU AML Regulation 2024/1624 mandates several rigorous internal controls that require immediate attention.

For all obliged entities — whether long-established or newly captured — the AMLR sets out a comprehensive set of requirements. Below are the principal obligations that businesses should review against their current arrangements.

1. Business-Wide Risk Assessment

Every obliged entity must conduct and document a business-wide risk assessment (BWRA), identifying the specific money laundering and terrorist financing risks to which it is exposed. For a technical breakdown of how to build this framework, refer to our Firm-Wide Risk Assessment 2026: AML Compliance Guide. To ensure this meets the high standards of the Single Rulebook, firms should utilize professional Risk Management & AML Audits to facilitate a comprehensive analysis of customers, products, and geographic exposure.

2. Written Policies, Procedures and Internal Controls

Obliged entities must have written AML/CFT policies, procedures, and internal controls approved at the appropriate management level. The AMLR is explicit: these must be recorded in writing and kept up to date. Internal policies must be approved by the management body. For newly in-scope entities, this means building these documents from scratch. For existing obliged entities, it means reviewing and updating what is in place to reflect the AMLR’s requirements.

3. Compliance Manager and Compliance Officer

All obliged entities must appoint a compliance manager — a senior individual approved by the management body with sufficient authority to oversee AML/CFT compliance at entity level. A separate compliance officer may be appointed to manage day-to-day implementation. The AMLR distinguishes between these two functions, while allowing proportionality for smaller or lower-risk entities where the roles may be combined. Both must be fit and proper and documented as such.

4. Customer Due Diligence

The AMLR adjusts the thresholds at which CDD must be applied. For occasional transactions, the general threshold is at or above €10,000 (aggregated across linked transactions, reduced from €15,000 under prior rules). For cash occasional transactions, customer identification and verification is required at or above €3,000. Crypto-asset transfers are subject to specific AML and Transfer of Funds Regulation rules, with lower CDD and traceability triggers than the general €10,000 threshold. CDD must cover customer identification and verification, beneficial ownership, the purpose and intended nature of the relationship, and ongoing monitoring.

5. Enhanced Due Diligence

EDD is mandatory in specified circumstances: politically exposed persons (PEPs), high-risk third countries, complex or opaque ownership structures, and other elevated risk scenarios. The AMLR also introduces enhanced requirements for customers or beneficial owners with net assets or wealth indicators above €50 million.

6. Record-Keeping

Records of customer due diligence, transactions, and business relationships must be retained for at least five years from the end of the business relationship or the date of the occasional transaction.

7. Suspicious Transaction Reporting

Obliged entities must file Suspicious Transaction Reports (STRs) with MOKAS in Cyprus where they know, suspect, or have reasonable grounds to suspect that funds are related to money laundering or terrorist financing. This obligation applies regardless of threshold. Reporting timelines and interaction with FIUs are being strengthened under the AMLR.

8. Staff Training and Conflict of Interest Controls

Employees involved in AML/CFT compliance must be appropriately trained, regularly assessed, and kept up to date with the firm’s procedures. The AMLR also introduces conflict-of-interest requirements: employees may not perform AML tasks in relation to customers with whom they have a private or professional relationship that could compromise their objectivity.

9. Group-Wide Compliance

Where an obliged entity is part of a group, the parent undertaking must conduct a group-wide risk assessment and implement group-wide policies, procedures, and controls. Entities within the group must implement those standards, taking account of local specificities. This obligation is directly relevant to motor vehicle dealers and other entities that are part of larger commercial groups or supply chains.

10. Union-Wide Cash Payment Limit

The AMLR introduces a Union-wide limit on large cash payments for goods and services, set at €10,000, with Member States able to impose lower national limits. Entities accepting cash payments must verify customer identity for payments at or approaching this threshold.

Practical Training: Bridging the Gap to 2027

Understanding these 10 core obligations is only the first step. The real challenge for Cyprus firms lies in the technical execution—specifically how to document risk scoring and align with the new Single Rulebook standards.Understanding the core obligations is only the first step. The real challenge for Cyprus firms lies in technical execution—specifically how to align governance and data standards with the new Single Rulebook. To support this transition, our training arm, Center8, provides specialized, HRDA-subsidized programmes designed for compliance professionals:

• AML Firm-Wide & Sanctions Risk Assessments Workshop: A practical, hands-on session focusing on the methodology for building and updating the three core risk assessments (FWRA, CRA, and Sanctions) to meet EU-level expectations.
• EU AML Single Rulebook: AMLR, AMLD6 & AMLA in Practice: A strategic programme that translates the new EU AML package into concrete governance structures, documentation standards, and 2027 readiness plans.

For current availability and to view upcoming session dates, please visit the Center8 Training Portal.

Practical Impact: What This Means for Businesses in Cyprus

What does this change mean in practice for an affected business in Cyprus? Below are some of the questions our clients are working through — and how we approach them.

‘We have never had an AML programme — where do we start?’

This is the most common starting point for newly in-scope entities: luxury goods dealers, car showrooms, mortgage intermediaries, investment migration operators, and crowdfunding platforms. The answer is to begin with a regulatory scoping assessment and gap analysis — confirming whether your entity falls within AMLR scope, and identifying what you need to put in place. From there, the priorities are a written AML policy, a CDD procedure, a business-wide risk assessment, and the appointment of a compliance manager. This does not happen quickly: a realistic implementation timeline for a business starting from scratch runs to twelve months or more.

‘Our existing AML policy refers to national law and old directives — is it still valid?’

Almost certainly not in its current form. Policies built around the Cyprus Prevention and Suppression of Money Laundering Law alone, or referencing AMLD4/5 rather than the AMLR, will need updating to reflect new definitions, expanded scope, revised thresholds, and strengthened requirements. This is something we are currently working through with several regulated entities in Cyprus whose documentation was last reviewed before 2024.

‘A supplier or manufacturer has asked us to confirm our AML compliance — what should we provide?’

This is increasingly common in the motor vehicle and luxury goods sector. Documentation typically requested includes a copy of your AML policy, evidence of a business-wide risk assessment, confirmation of your compliance officer appointment, and a summary of your CDD procedures. Where these documents do not yet exist, this commercial request is a practical prompt to begin building them.

‘Does payment by bank transfer remove AML obligations for luxury goods dealers?’

No. Under the AMLR, AML obligations for high-value goods traders are not limited to cash transactions. A luxury vehicle purchase funded by a foreign company via bank transfer may still require customer due diligence, beneficial ownership checks, source-of-funds assessment, and — where the relevant threshold is met — mandatory FIU reporting. The nature of the goods and the value of the transaction, not the payment method, determine the scope of obligations.

‘Do we need to report every vehicle sale at or above €250,000?’

Yes — under Article 74 of the AMLR, the acquisition of a motor vehicle for non-commercial purposes at or above the €250,000 threshold triggers a mandatory report to MOKAS, regardless of whether the transaction appears suspicious. This threshold-based report is a separate and additional obligation to the general suspicious transaction reporting requirement, which remains in place at any value where grounds for suspicion exist.

‘We are a small business — does all of this apply to us?’

The AMLR takes a proportionate, risk-based approach. The complexity and depth of your AML programme should reflect the nature, scale, and risk profile of your business. However, proportionality does not mean exemption. A sole-trader jeweller and a multi-brand luxury car dealership will have different frameworks — but both must have one.

Why Entities Should Act Now — Not in 2027

July 2027 may seem a reasonable distance away. It is not.

The experience of previous AML Directive implementation cycles — including in Cyprus — shows that compliance projects of this nature consistently take longer than expected. A business-wide risk assessment, a full policy review, the development of CDD and EDD procedures, staff training, and the appointment of a compliance manager cannot be completed in a few weeks. For newly in-scope entities starting from scratch, a realistic implementation timeline runs to twelve months or more.

There are also more immediate pressures to consider:

• AMLA has been building its operational capacity since its legal establishment in June 2024 and is coordinating supervisory expectations across the EU ahead of 2027. National supervisors in Cyprus will be aligning their approaches accordingly.
• The AMLR signals that stricter supervision of existing AML obligations will intensify even before full application — regulators are not waiting for 2027.
• Group and counterparty compliance pressures are already creating practical obligations at entity level, as manufacturers, importers, parent companies, and commercial counterparts request compliance evidence through their supply chains.
• Reputational risk is immediate: an entity that cannot demonstrate a credible AML framework is exposed to loss of business relationships, not just regulatory action.
• AMLA’s technical standards and guidance are being developed progressively and should be monitored before 2027. Businesses that have not started implementation will find themselves trying to catch up against a moving target.

The consequences of non-compliance are not abstract. AMLA’s technical standards on enforcement set out severity categories for breaches, penalty expectations, and supervisory responses. For serious or repeated violations, entities face significant financial penalties, public disclosure of the breach, and potential suspension of activities. The reputational and commercial damage in a market such as Cyprus can be equally severe.

How CX Financia Can Help

At CX Financia, we work with a broad range of regulated and newly in-scope entities across Cyprus — from established financial institutions and trust and company service providers, to luxury goods dealers, motor vehicle showrooms, investment migration operators, and real estate professionals preparing for the AMLR.

The questions we hear most often are: ‘Are we in scope?’, ‘What do we need to have in place?’, and ‘Where do we start?’ Our role is to provide practical, business-focused answers — and to build the frameworks, documents, and procedures that allow clients to demonstrate compliance with confidence.

Our AMLR readiness and compliance advisory services include:

• Regulatory scoping and gap analysis — confirming whether your entity falls within AMLR scope and identifying what is missing from your current arrangements. For businesses receiving compliance requests from manufacturers or suppliers, this is the right starting point.
• AML policy and procedure drafting and updating — preparing or revising written AML/CFT policies, CDD and EDD procedures, record-keeping policies, and suspicious transaction reporting procedures, aligned with the AMLR and Cyprus supervisory expectations.
• Business-wide risk assessment — preparing or reviewing your BWRA to reflect your actual risk exposure, including sector-specific risks relevant to luxury goods, motor vehicles, or other newly in-scope activities.
• Compliance manager and compliance officer support — advising on appointment, duties, and documentation; providing outsourced compliance officer services where appropriate.
• CDD and EDD framework design — building practical, proportionate customer due diligence and enhanced due diligence procedures tailored to your client base, transaction types, and risk profile.
• Staff training — delivering practical AML/CFT training for frontline staff, senior management, and boards, including sector-specific training for luxury goods and motor vehicle traders.
• Board and senior management briefings — preparing board-level briefings on AMLR obligations, supervisory expectations, and governance responsibilities under the Single Rulebook.
• Supplier and group compliance documentation — preparing the policy and procedural documentation required by manufacturers, importers, or parent companies as part of group-wide or counterparty compliance checks.
• Ongoing compliance advisory — acting as your compliance partner on a retainer basis, keeping your framework current as AMLA technical standards and guidance are issued ahead of 2027.

We bring direct, practical experience of Cyprus’s regulatory environment and a clear understanding of how supervisory expectations are evolving across the EU. Our approach is straightforward: we help you understand your obligations, build the framework properly, and make sure it works in practice — not just on paper.

Get in Touch

If your organisation may fall within the scope of the EU AML Regulation — whether as a newly captured entity or as an existing obliged entity facing strengthened obligations — now is the time to review your compliance framework.

Contact CX Financia to arrange a scope assessment, carry out a regulatory gap analysis, and update your procedures ahead of the July 2027 application date. Early preparation is not just good practice — in the current supervisory environment, it is expected.

Reach out to our compliance advisory team to arrange an initial consultation.

Frequently Asked Questions

Which entities are newly in scope under the EU AML Regulation?

The most significant newly captured sectors include: dealers in luxury motor vehicles (sales at or above €250,000 for non-commercial purposes); dealers in jewellery, watches, and precious metals and stones (transactions at or above €10,000); traders in aircraft and watercraft (at or above €7,500,000); crypto-asset service providers; crowdfunding platforms and intermediaries; non-bank mortgage and consumer credit intermediaries; investment migration operators; and professional football clubs and agents (from July 2029). Trust and company service providers, real estate professionals, and the financial sector face strengthened rather than new obligations.

I am a car dealer in Cyprus. Do I need an AML programme?

If you sell motor vehicles at or above €250,000 for non-commercial purposes, you will be an obliged entity under the AMLR from 10 July 2027. This means you will need a written AML policy, a business-wide risk assessment, CDD and EDD procedures, a designated compliance manager, record-keeping systems, and a process for mandatory threshold-based FIU reporting under Article 74, in addition to general suspicious transaction reporting obligations. Even before 2027, you may already be receiving compliance requests from manufacturers or importers as part of group-wide or counterparty compliance checks. We recommend beginning the process now.

Do existing AML policies and procedures need to be updated?

Yes, in most cases. Policies and procedures built around earlier EU Directives or national transpositions will not fully reflect the AMLR’s revised requirements, definitions, or scope. Key areas to review include: scope determinations, CDD thresholds (which have changed), beneficial ownership procedures, EDD triggers and documentation, record-keeping periods, the cash payment limit, compliance manager and officer appointments, and the group-wide obligations. CX Financia provides policy gap analysis and redrafting as part of its AMLR readiness service.

What are the risks of non-compliance?

AMLA’s technical standards on enforcement set out severity categories for breaches and supervisory responses across the EU. For serious or repeated violations, penalties include significant financial sanctions, public disclosure, and potential suspension of activities. Beyond formal penalties, reputational and commercial damage in a market such as Cyprus — where business relationships depend heavily on trust and regulatory standing — can be considerable. Supervisory scrutiny from MOKAS and other Cyprus supervisory authorities is expected to intensify ahead of the July 2027 application date.

Does payment by bank transfer remove AML obligations for luxury goods dealers?

No. Under the AMLR, AML obligations for high-value goods traders are not limited to cash transactions. A luxury vehicle or goods purchase funded via bank transfer may still require customer due diligence, beneficial ownership checks, source-of-funds assessment, and — where the relevant threshold is met — mandatory FIU reporting under Article 74. It is the nature of the goods and the value of the transaction that determines the scope of obligations, not the payment method.

What is the Article 74 reporting obligation for motor vehicle dealers?

Article 74 of the AMLR introduces a mandatory reporting obligation for traders in high-value goods: where a motor vehicle is acquired for non-commercial purposes at or above €250,000 (and similarly for watercraft and aircraft above their respective thresholds), the trader must file a report with the FIU — MOKAS in Cyprus — regardless of whether the transaction appears suspicious. This is a threshold-based report that exists independently of, and in addition to, the general obligation to file a suspicious transaction report where grounds for suspicion arise at any value.

When should businesses start preparing?

Now. A credible AMLR compliance programme for a newly in-scope entity typically requires twelve months or more to implement properly — covering risk assessment, policy drafting, CDD procedure design, compliance manager appointment, and staff training. Waiting until late 2026 or early 2027 is likely to result in rushed, incomplete implementation. Supervisors across the EU, including in Cyprus, are expected to intensify scrutiny of AML frameworks ahead of the July 2027 application date.

How can CX Financia help?

CX Financia provides end-to-end AMLR readiness support for regulated and newly in-scope entities in Cyprus. Services include regulatory scoping and gap analysis (including a dedicated scope assessment for newly captured businesses), AML policy and procedure drafting, business-wide risk assessments, compliance manager and officer support, CDD and EDD framework design, staff training, board briefings, supplier compliance documentation, and ongoing compliance advisory retainers. We work with clients across financial services, TCSPs, real estate, luxury goods, motor vehicle dealerships, investment migration, and other sectors. Contact us to arrange an initial consultation.

EU AML Regulation 2024/1624 FAQ & External Resources

Where can I find the official legal text? You can access the full Direct Regulatory Text for Regulation (EU) 2024/1624 on the official EUR-Lex portal to review specific articles and legal definitions.

How do I report suspicious activity in Cyprus? For detailed instructions on reporting protocols and compliance with national laws, visit the official Cyprus National Reporting (MOKAS) website.

When should our business start preparing? Preparation for the EU AML Regulation 2024/1624 should begin immediately. High-authority implementation typically requires 12 months to properly develop risk assessments, staff training, and policy drafting ahead of the 2027 deadline.