New gravity of breaches and level of pecuniary sanctions under Article 53(10) of AMLD
Article 53(10) of Directive (EU) 2024/1640 (AMLD) fundamentally changes how AML/CFT breaches are enforced in the European Union. Through the Draft Regulatory Technical Standards (RTS) on pecuniary sanctions, administrative measures and periodic penalty payments, EU lawmakers replace fragmented national enforcement practices with a harmonised, classification-driven enforcement system.
For obliged entities, this is not a marginal regulatory update. It redefines when a breach becomes “serious”, how fines are calculated, when intrusive supervisory measures apply, and how non-compliance is financially enforced over time.
What does Article 53(10) AMLD require?
Article 53(10) AMLD gives AMLA a precise and exhaustive mandate. By 10 July 2026, AMLA must develop RTS specifying only:
- Indicators to classify the level of gravity of breaches
- Criteria for setting pecuniary sanctions and applying administrative measures
- A methodology for periodic penalty payments under Article 57 AMLD, including their frequency
The Commission adopts these RTS as a delegated act. As a result, the RTS is binding in its entirety and directly applicable in all Member States.
Critically, the RTS:
- does not introduce new AML obligations,
- does not change sanction maxima under AMLD,
- operates exclusively at the enforcement layer.
Enforcement logic explained in the recitals
The recitals clarify the regulatory intent behind the RTS:
- Supervisors must apply a common understanding of breach gravity across the EU.
- Enforcement outcomes must be comparable and consistent between Member States.
- Supervisory judgement remains possible, but only within a predefined structure.
- Particular emphasis is placed on:
- conduct of obliged entities and senior management,
- structural AML/CFT failures,
- facilitation of criminal activity.
- Periodic penalty payments are designed as coercive compliance tools, not punishment.
The result is a rule-anchored escalation model replacing discretionary enforcement narratives.
How will the gravity of breaches be classified?
Indicators for assessing breach gravity
Supervisors must assess all applicable indicators, including:
- duration and repetition of the breach,
- conduct of the responsible natural or legal person,
- impact on the obliged entity (including group and cross-border effects),
- impact on AML/CFT systems, controls and policies,
- increase in exposure to money laundering or terrorist financing risk,
- nature of the breach (internal controls, CDD, reporting, record-keeping),
- facilitation of criminal activities,
- structural AML/CFT failures,
- impact on financial viability, market integrity or financial stability,
- systematic nature of deficiencies,
- any additional justified indicator identified by supervisors.
Compliance implication:
Isolated errors remain low-risk only if they are short-lived, non-repetitive and non-structural. Governance and system weaknesses are immediate escalation factors.
Four categories of breach severity
Based on these indicators, supervisors must classify breaches into four categories:
- Category 1: minor impact, short duration, non-repetitive breaches; excluded if any systemic or criminal indicators apply.
- Category 2: moderate impact without criminal facilitation, structural failure or system relevance.
- Category 3: significant impact combined with persistence, repetition or systematic nature.
- Category 4: very significant impact, structural AML failure, significant criminal facilitation, or significant impact on financial viability, markets or system integrity.
Multiple breaches may aggregate into Category 3 or 4 even if assessed individually they would not.
Compliance implication:
Repeated “medium findings” across time or business lines can legally amount to a serious breach.
Legal effect of Category 3 and 4
Any breach classified as Category 3 or 4 is automatically deemed serious, repeated or systematic under Article 55(1) AMLD.
No additional assessment is required.
Compliance implication:
Category 3 is not a warning stage. It is the legal entry point into the highest AML sanctioning regime.
How will the level of pecuniary sanctions be set?
Once gravity is classified, supervisors must set fine levels by considering:
- the general circumstances under Article 53(6) AMLD, and
- the RTS-defined mitigating and aggravating criteria.
Mitigating factors include:
- early and effective cooperation,
- voluntary and complete disclosure,
- timely and effective remediation.
Aggravating factors include:
- non-cooperation or concealment,
- absence of remedial action,
- intentional conduct,
- financial or competitive benefit (actual or potential),
- losses or risk of loss to third parties,
- previous AML/CFT breaches or ignored supervisory measures.
Financial strength matters:
- legal persons: turnover, capital and liquidity,
- natural persons: income and remuneration.
Compliance implication:
Post-breach behaviour directly affects sanction size. Strong balance sheets increase, not reduce, potential fines.
Are there administrative measures beyond fines?
Article 5 of the Draft RTS governs the application of intrusive administrative measures under Article 56(2) AMLD, including:
- restriction or divestment of business activities,
- suspension or withdrawal of authorisation,
- enforced changes to governance structures.
These measures generally require Category 3 or 4 and depend on:
- the ability of the measure to mitigate ML/TF or systemic risk,
- existence of structural AML/CFT failures,
- conduct and cooperation of management,
- ineffectiveness of internal policies, procedures and controls,
- information from FIUs, prudential or judicial authorities,
- customer and stakeholder impact where relevant.
Compliance implication:
AML deficiencies can translate directly into licence risk and governance intervention, not only fines.
How will Periodic Penalty Payments (PPPs) enforce compliance?
Articles 6–10 of the Draft RTS establish a harmonised methodology for Periodic Penalty Payments (PPPs) under Article 57 AMLD:
- PPP applies only where an administrative measure has been imposed and not complied with.
- Procedural safeguards apply: statement of findings, right to be heard, reasoned decision.
- Payments may accrue daily, weekly or monthly.
- Accrual is limited strictly to the period of non-compliance.
- Amounts are based only on factors already determined when the administrative measure was imposed.
- Collection is subject to a five-year limitation period.
Compliance implication:
Delaying compliance with supervisory measures becomes economically irrational, as non-compliance is monetised over time.
When the Draft RTS (most likely) enter into force?
The Draft RTS:
- enters into force 20 days after publication,
- applies from a defined application date,
- does not apply to proceedings initiated before 10 July 2027,
- is binding and directly applicable in all Member States.
Compliance implication:
From the application date onward, AML enforcement will be uniform, predictable and far less negotiable across the EU.
What will be the overall compliance risk for obliged entities?
Read together with Article 53(10) AMLD, the Draft RTS creates a closed, escalation-driven enforcement system:
- Breach gravity is assessed using mandatory indicators.
- Classification determines legal consequences.
- Category 3 automatically equals “serious/systematic”.
- Sanctions scale with conduct, repetition and financial capacity.
- Administrative measures can affect licences and governance.
- Non-compliance with supervisory orders is enforced through accruing penalties.
The central compliance risk is escalation.
Under the new AMLD enforcement framework, supervisory outcomes no longer depend on negotiation or narrative, but on whether predefined classification thresholds are crossed.
Sources: