AMLR 2027: New KYC Rules for Real Estate, Luxury & Football

The EU's Anti-Money Laundering Regulation has been discussed almost exclusively in the context of banks, payment firms, and crypto exchanges. That framing misses the bigger story. From July 10, 2027, the AMLR will extend full KYC and AML obligations to sectors that have operated without formal identity verification requirements for their entire existence: real estate agents, luxury goods traders, crowdfunding platforms, migration investment operators, and — with a grace period — professional football clubs.

For compliance professionals inside financial services, the word "KYC" describes infrastructure they have spent years building. For a real estate agency in Madrid, a jewellery house in Paris, or a football club in Milan, it describes something they have never had to do at all.

Fourteen months is not much time to close that gap.

Who Gets Caught by the AMLR Net?

The AMLR (Regulation (EU) 2024/1624) replaces the patchwork of EU AML directives with a single, directly applicable regulation. Unlike directives, it requires no national transposition — every obligation applies uniformly across all 27 member states from the date it takes effect.

The regulation expands the scope of "obliged entities" to include the following non-financial sectors:

Sector	Relevant Activity	Threshold	Applies from
Real estate agents	All property transactions	No minimum	10 July 2027
Luxury goods traders	Jewellery and watches	>€10,000	10 July 2027
Luxury goods traders	Vehicles	>€250,000	10 July 2027
Luxury goods traders	Aircraft and watercraft	>€7,500,000	10 July 2027
Crowdfunding platforms	Non-MiCAR platforms	All transactions	10 July 2027
Migration by investment	All operators	All transactions	10 July 2027
Football clubs and agents	Player transfers, sponsorships, investor deals	All transactions	10 July 2029

The two-year grace period for football does not indicate the sector is low priority. Regulators have flagged football as a persistent channel for illicit funds — EUROPOL's analysis of the sector cites transfer pricing opacity and multi-layered ownership structures as recurring vulnerabilities.

What "Obliged Entity" Status Actually Means

Being an obliged entity under the AMLR is not a light commitment. It imposes a complete AML/KYC programme with five core requirements.

Customer Due Diligence (CDD): Every customer must be identified and verified before a business relationship begins or a high-value transaction is executed. For individuals, this means government-issued ID verification plus independent address confirmation. For companies, it means identifying every beneficial owner — any natural person exercising control or holding more than 25% of the entity.

Enhanced Due Diligence (EDD): For higher-risk customers — politically exposed persons, clients connected to high-risk third countries, or transactions with no apparent economic rationale — enhanced scrutiny is mandatory. This is not discretionary; the AMLR specifies that EDD must be triggered automatically when risk indicators are present.

Ongoing monitoring: The AMLR's most operationally demanding requirement is continuous monitoring throughout the customer relationship. Transactions must be checked against the established customer profile. When patterns deviate — a client whose stated income cannot explain a series of high-value purchases — that deviation must trigger review.

Suspicious Transaction Reporting (STR): When a business identifies activity that raises reasonable grounds to suspect money laundering or terrorist financing, it must file a report with the national financial intelligence unit (FIU). Timing obligations vary by member state but generally require reporting within a defined window after suspicion arises.

Record keeping: All CDD records, risk assessments, and transaction documentation must be retained for five years and made available to competent authorities on request.

For a high-street estate agency or a luxury car dealership, this means building — from scratch — the procedures, technology, and internal governance that banks have spent decades refining.

The Compliance Gap: Starting From Zero

The challenge facing non-financial sectors is not simply regulatory complexity. It is that they have no baseline to build on.

Financial institutions have dedicated compliance teams, technology platforms, documented procedures, and years of relationship with supervisory authorities. When UBS was fined €6 million in May 2026 for AML failures — including a failure to file a suspicious transaction report for 253 days and onboarding a client using partially untranslated documents — it served as a reminder that even mature organisations with full compliance infrastructure struggle to meet the standard consistently.

Real estate agencies, luxury retailers, and football clubs face a steeper challenge. Most have:

• No trained AML/KYC staff
• No identity verification technology infrastructure
• No documented risk classification procedures
• No established reporting relationship with their national FIU
• No culture of compliance as a core business function

The AMLR requires all of this. By July 2027.

What Good KYC Looks Like for a Luxury Goods Dealer

Consider a luxury car dealership selling a €320,000 vehicle to a private buyer. Under the AMLR, completing that transaction requires the following:

1. Identity verification: Collect a government-issued ID and verify its authenticity — not photocopy it, but confirm its security features, validate the MRZ or chip data, and confirm the document has not expired or been tampered with.
2. Address confirmation: Verify current residence through an independent source — a utility bill, a bank statement, or a credit bureau query.
3. Sanctions screening: Run the customer against EU consolidated, UN, OFAC, and domestic sanctions lists before proceeding.
4. Source of funds assessment: For high-value transactions, the dealer must understand where the funds originate. A large cash payment, or a wire transfer from a jurisdiction with weak AML controls, triggers enhanced scrutiny.
5. Risk scoring: Assign a formal risk classification to the customer and document the reasoning.
6. Ongoing monitoring: If the customer returns — or refers others — the profile must be updated and the pattern reviewed.

For a corporate buyer — a holding company purchasing vehicles or acquiring property — the chain extends further. Every beneficial owner behind the corporate structure must be identified and verified, including tracing through layers of intermediate entities.

This process, done manually, can take hours per customer. Done with modern AI-powered identity verification, it takes minutes.

The Technical Standards Deadline: July 10, 2026

AMLA is required to submit its final draft Regulatory Technical Standards (RTS) to the European Commission by July 10, 2026 — less than seven weeks from now. These standards will define precisely what CDD measures satisfy the AMLR, which identity documents are acceptable for each risk category, and how ongoing monitoring must be documented.

For a detailed breakdown of what the draft CDD standards currently require from identity verification systems, see our analysis of AMLA's CDD RTS and what identity systems must deliver. The final RTS will shape compliance requirements until the full AMLR applies in July 2027 — and will determine whether automated AI-based identity verification meets the regulatory bar.

Compliance teams in newly obliged sectors who engage with the consultation process now will be better positioned to implement systems that meet the final standard rather than retrofitting them later.

Why AI-Powered KYC Changes the Economics

Traditional compliance approaches — manual document review, paper customer files, periodic spot-checks — are too slow and too expensive for sectors that lack compliance scale. A mid-sized estate agency processing 200 property transactions per year cannot sustain a dedicated compliance team. A jewellery house verifying dozens of high-value customers monthly needs a process that fits within normal commercial operations.

This is where AI-powered identity verification becomes not a luxury but a necessity.

Automated systems handle document authentication, biometric face matching, sanctions screening, beneficial ownership lookup, and risk scoring in minutes, at a fraction of the cost of manual review. For complex cases — corporate structures with multiple layers of beneficial ownership, clients from high-risk jurisdictions — the system flags and routes to human review, but the routine workload is handled automatically.

At Joinble, we have worked with clients across financial services, real estate, and crypto who have reduced manual KYC review time by up to 80% through AI-agent-driven verification workflows. For sectors entering compliance for the first time, this model is not a premium add-on — it is the only approach that makes the economics viable.

Football Clubs: A Special Case

Professional football clubs and agents have until July 10, 2029 — two years after the general AMLR application date. The grace period reflects the complexity of football's transaction structures: player transfers involve multi-jurisdiction intermediaries, image rights agreements, signing bonuses, and agent fees, all of which can create beneficial ownership ambiguity.

But the grace period is not an excuse to defer. Clubs that wait until 2028 to begin compliance preparations will face the same structural challenge as every other sector: building procedures, technology, and trained staff under time pressure. The advantage of beginning now is that football clubs can design compliance programs shaped specifically for their transaction types — rather than retrofitting general-purpose AML procedures to sport-specific deal structures.

The transactions most likely to attract regulatory scrutiny include transfers where the true fee is obscured through installment structures or image rights packages, sponsorship agreements with counterparties whose ownership chains are opaque, and investor relationships where the source of stadium or club acquisition funding is unclear.

Cross-Border Implications

Because the AMLR is a regulation — not a directive — it applies directly and uniformly across the EU. There is no scope for member states to implement lighter-touch national variations. A real estate agent in Lisbon faces identical obligations to one in Warsaw.

For non-EU parties, the obligation falls on the EU-based entity in the transaction. A non-EU buyer acquiring real estate through a Portuguese agency must be subject to that agency's AMLR-compliant KYC. The buyer's own jurisdiction is irrelevant to the EU firm's compliance obligation.

This removes a significant avenue for regulatory arbitrage that existed under directive-based frameworks, where cross-border transactions could be structured to avoid the stricter member state's requirements.

For a broader overview of AMLA's supervisory framework and how it enforces these standards, see AMLA Is Watching: EU's New AML Authority.

The Window Is Narrow

The AMLR's July 2027 application date is closer than it appears. AMLA's technical standards, due in July 2026, will set the exact technical bar that compliance systems must meet. Procurement, implementation, staff training, and regulatory registration — where required — all take time that companies in unprepared sectors do not have in abundance.

The real estate agents, luxury goods dealers, and crowdfunding platforms that will meet the July 2027 deadline are those that treat it as a strategic priority today, not a compliance exercise to be addressed when the deadline arrives. For the real estate sector specifically, our guide to KYC requirements for real estate agents and agencies covers the practical implementation steps in detail.

The sectors that are not prepared in time will face the same fate as the financial institutions that discovered, too late, that AMLA was watching.

---

FAQ

When exactly does the AMLR apply to real estate agents and luxury goods traders?

The AMLR applies from July 10, 2027 for real estate agents, luxury goods traders, crowdfunding platforms, and migration-by-investment operators. Professional football clubs and agents have a grace period until July 10, 2029.

Does a small real estate agency need the same KYC as a bank?

The regulatory obligations are structurally similar — identity verification, beneficial ownership checks, risk assessment, ongoing monitoring, and STR reporting — but the AMLR includes a proportionality principle. Smaller entities with simpler client profiles and lower-risk transactions may apply simplified CDD for lower-risk customers, reserving enhanced due diligence for complex or high-value cases. However, the obligation to have a documented AML programme, train staff, and report suspicious activity applies to all obliged entities regardless of size.

What are the penalties for AMLR non-compliance?

AMLA and national supervisors can impose administrative sanctions including fines of up to €1 million or 10% of annual turnover — whichever is higher — for serious violations. Additional measures include public statements, corrective orders, and temporary activity restrictions. For natural persons, personal liability can also attach.

How much does AMLR-compliant KYC cost a luxury dealer or estate agency?

Manual compliance programmes for a mid-sized firm can cost €50,000–€150,000 per year in staffing and operational overhead. AI-powered platforms that automate document verification, sanctions screening, and risk assessment deliver compliance at a fraction of that cost — typically well below €15,000 annually for typical transaction volumes in real estate or luxury goods.

What happens to football clubs during the grace period until 2029?

Football clubs and agents are not subject to AMLR obligations until July 10, 2029. However, they remain subject to national AML legislation that may already cover certain activities, and their financial counterparties — banks, payment processors, sponsors with their own compliance obligations — will continue to apply due diligence independently. Beginning compliance preparations by 2027 is strongly advisable.

Do companies outside the EU need to comply with AMLR?

Non-EU entities are not directly obligated by the AMLR. However, every EU-based obliged entity they transact with — a real estate agent, a luxury goods dealer, an investment platform — is required to perform AMLR-standard KYC on that non-EU counterparty. In practice, non-EU companies transacting with EU obliged entities will be subject to full CDD regardless of their own jurisdiction's requirements.