George Filippakis

A multidisciplinary approach to Law, Finance and Technology

AMLA Issues Consultation on Customer Due Diligence: What Financial Institutions Need to Know

The newly formed Anti-Money Laundering Authority (AMLA) has published one of its first major consultation papers, seeking industry input on draft Regulatory Technical Standards for Customer Due Diligence under the new EU Anti-Money Laundering Regulation. Released on 9 February 2026, this consultation marks a critical step in transitioning from the directive-based framework to directly applicable rules across all Member States.

Key Changes in Customer Due Diligence Requirements

Information Collection Requirements

The draft RTS provide detailed specifications on customer identification data that were previously subject to national interpretation. For natural persons, obliged entities must now collect all names and surnames appearing on identity documents, full place of birth information (minimally the country, but additional details if available), all nationalities or applicable statelessness and refugee status, and detailed residential address information including postal codes and building numbers where available.

For legal entities, the requirements extend beyond basic registration details to include trade names where different from registered names, addresses of both registered offices and principal places of business, and information on nominee shareholders or directors, explicitly noting their nominee status.

These specifications remove ambiguity that previously allowed different Member States to require different levels of detail. Institutions that operated with minimal data collection in certain jurisdictions will need to enhance their onboarding processes.

Understanding Ownership and Control Structures

The draft RTS introduce specific requirements for understanding complex corporate structures, defined as structures with three or more layers between customer and beneficial owner, plus additional risk factors such as legal arrangements, non-EU jurisdictions, nominee involvement, or obfuscation of ownership without legitimate rationale.

When such complexity exists, obliged entities must obtain additional information, potentially including organisational charts, and take risk-based measures to verify accuracy. This represents a significant evolution from the AMLD framework, which provided general principles but left implementation details to national discretion.

The practical impact is substantial. Banks dealing with corporate customers structured through multiple holding companies, offshore trusts, or complex ownership chains will need enhanced procedures to map these structures, identify all intermediate entities relevant to understanding ownership and control, and verify the economic rationale behind the structure.

Beneficial Ownership Verification

The draft RTS clarify that consulting central registers is necessary but not sufficient for beneficial ownership verification. Obliged entities must take reasonable measures beyond registry checks, including consulting other public registers and collecting information from customers or from third-party sources such as credit agencies, utility bills, or confirmation from other regulated institutions that have verified the beneficial owner’s identity.

This marks a change from practices in some Member States where central register consultation was treated as sufficient compliance. Institutions will need enhanced verification procedures, potentially increasing operational costs but providing greater assurance on beneficial ownership.

The draft RTS specify when obliged entities may identify senior managing officials instead of beneficial owners: only when all possible means of beneficial owner identification have been exhausted or when there are genuine doubts about identified persons.

Remote Verification Standards

The draft RTS establish clear standards for non-face-to-face customer verification, addressing a gap in the AMLD framework that led to divergent national practices.

The preferred method is electronic identification means meeting eIDAS Regulation requirements at “substantial” or “high” assurance levels, or qualified trust services. Where these are unavailable or cannot reasonably be provided, obliged entities may use remote solutions meeting specific safeguards: controls ensuring the person presenting the document matches the photograph, integrity and confidentiality of communications, sufficient image quality for unambiguous recognition, processes that halt if technical shortcomings or interruptions occur, and secure retention of time-stamped records available for ex-post verification.

Institutions must demonstrate to supervisors both that their remote verification solutions comply with these requirements and why customers could not be verified through eIDAS-compliant means. This creates accountability around remote onboarding processes that were previously subject to minimal harmonised standards.

Simplified and Enhanced Due Diligence

Simplified Measures in Low-Risk Situations

The draft RTS specify minimum information requirements even when applying simplified due diligence. For natural persons, this includes all names and surnames, place and date of birth, and nationality or applicable status. For legal entities, legal form, registered and trade names, registered office address, and available registration or tax identification numbers remain mandatory.

Notably, AMLA determined that Article 33 of the AMLR already provides sufficient flexibility for simplified measures in low-risk scenarios. The draft RTS do not introduce additional simplification beyond existing provisions allowing delayed verification (up to 60 days) or reduced information collection on purpose and intended nature. AMLA concluded that further simplification would create exemptions exceeding its mandate.

One sector-specific simplified measure addresses pooled accounts. Credit institutions opening accounts where the account holder administers client funds may rely on that account holder (itself an obliged entity) to provide end-client information upon request, provided certain conditions are met including effective supervision, low risk assessment, and satisfaction that robust CDD measures apply to the underlying clients.

Enhanced Measures for Higher Risk

The draft RTS elaborate on enhanced due diligence information requirements. When risks are elevated, obliged entities must obtain additional information enabling them to verify authenticity and accuracy of customer and beneficial owner data, assess reputations, and comprehensively identify ML/TF risks including through known or public relationships.

For source of funds and wealth verification in high-risk situations, acceptable information includes tax declarations, recent pay slips, audited accounts, investment documentation, property deeds from land registries, inheritance or gift documentation certified by professionals or public authorities, and contracts of sale. The key requirement is that information must satisfy the obliged entity that sources derive from lawful activities.

These specifications provide clarity absent from the AMLD framework, where enhanced due diligence requirements were principles-based with significant interpretative flexibility. Institutions will need to document their risk assessments and the additional information collected more systematically.

Politically Exposed Persons Screening

The draft RTS establish clear requirements for PEP identification. Obliged entities must determine PEP status for customers, beneficial owners, and persons on whose behalf transactions occur before establishing business relationships or carrying out occasional transactions (except where Article 44 of the AMLR permits delayed verification).

For existing customers, PEP determination must occur with risk-sensitive frequency, without delay when new information emerges affecting PEP status, and without delay when lists of prominent public functions are updated.

Obliged entities shall implement automated screening tools and measures, or a combination of automated tools and manual checks, unless their size, business model, complexity, or nature justifies manual checks only. This effectively mandates technological solutions for most institutions, particularly larger banks and financial institutions.

Targeted Financial Sanctions Screening

Similar technological requirements apply to sanctions screening. The draft RTS require screening through automated tools or solutions, or combinations of automated tools and manual checks, with manual-only approaches permitted only where proportionate to size, business model, complexity, or nature of business.

Screening must cover customers, beneficial owners, and controlling entities or persons. For natural persons, all names and surnames in original and transliterated forms must be screened. For legal persons, registered names and any aliases or trade names require screening. Where available on sanctions lists, digital wallet addresses must also be screened.

When matches occur, obliged entities must check against all available due diligence information to determine whether the person is the intended sanctions target. Regular screening is required during onboarding, when designations change or new designations are made, and when significant changes in due diligence data occur that might impact designation status.

These requirements standardise practices that varied significantly under the AMLD framework, where some Member States had detailed sanctions screening requirements while others relied on general principles.

The Role of Artificial Intelligence in the New Framework

While the draft RTS appear to maintain technological neutrality, the practical requirements they establish create strong drivers for AI adoption in AML compliance.

Automated Screening Requirements

The mandated use of automated screening for PEP identification and sanctions checking represents an obvious application area. Traditional rules-based systems can perform these functions, but modern AI systems offer significant advantages. Machine learning models can handle name variations, transliterations, and fuzzy matching more effectively than deterministic algorithms. They can reduce false positives by learning from historical decisioning, potentially decreasing the compliance burden while improving detection rates.

Natural language processing enables more sophisticated screening of unstructured data sources. When obliged entities must verify information from diverse documents or assess reputations through publicly available information, AI systems can process and analyse these sources more efficiently than manual review.

Complex Ownership Analysis

The requirements for understanding ownership and control structures in complex corporate arrangements present another natural AI application. Graph neural networks and knowledge graph technologies can map multi-layered ownership structures, identify connections between entities, and flag anomalous patterns suggesting obfuscation or lack of economic rationale.

These systems can automatically generate the organisational charts the draft RTS contemplate for complex structures, update them as information changes, and highlight potential red flags requiring enhanced scrutiny. They can cross-reference publicly available data from multiple registers and sources to verify stated ownership structures.

Risk Assessment and Dynamic Monitoring

The draft RTS’ emphasis on risk-based approaches to CDD, with measures scaled to customer risk profiles, aligns well with AI-driven risk scoring. Machine learning models can incorporate diverse risk factors, weight them based on observed patterns, and provide dynamic risk scores that update as new information emerges.

Particularly valuable is AI’s capacity for continuous monitoring. Rather than periodic static reviews, AI systems can analyse ongoing transaction patterns, news and adverse media in real time, ownership changes, and other dynamic risk factors, triggering alerts when material changes warrant CDD updates or enhanced measures.

Challenges and Considerations

AI adoption in AML compliance is not without challenges. The draft RTS require that obliged entities can demonstrate to supervisors that their verification solutions comply with requirements. For AI systems, this raises explainability questions: can the institution explain why an AI model flagged a particular customer or reached a specific risk assessment?

The General Data Protection Regulation adds another layer of complexity. Automated decision-making with legal effects requires human oversight in many cases. When AI systems screen customers for PEP status or sanctions exposure, institutions must ensure appropriate human review, particularly before rejecting customers or filing suspicious activity reports based substantially on AI outputs.

Data quality and bias present ongoing concerns. AI models trained on historical data may perpetuate biases or be less effective with customer segments underrepresented in training data. Institutions must ensure their AI systems don’t inadvertently create financial exclusion or discrimination.

Nevertheless, the trajectory is clear. The standardised, detailed requirements in the draft RTS create conditions where AI can operate most effectively: clear rules, structured data requirements, and emphasis on consistent application across diverse customer populations. Institutions investing in AI-driven compliance capabilities today are positioning themselves for more efficient, effective AML programmes under the new framework.

Transition Considerations for Obliged Entities

Timing and Implementation

The draft RTS will apply from a date to be specified after Commission adoption. For existing customers onboarded before the AMLR took effect, documents, data, and information must be brought into compliance on a risk-sensitive basis, but in all cases within the periods specified in Article 26(2) of the AMLR, meaning within one year for high-risk relationships and within five years for others.

This creates a significant transition programme for institutions with large existing customer bases. Banks with millions of retail customers or extensive corporate client portfolios will need systematic approaches to remediate customer files, prioritising high-risk relationships while ensuring all customers are updated within required timeframes.

Gap Analysis and Remediation Planning

Institutions should begin gap analysis now, comparing current CDD practices against draft RTS requirements. Key questions include:

  1. what information is currently collected at onboarding versus what the draft RTS require;
  2. how beneficial ownership is currently verified beyond central register checks;
  3. whether remote verification processes meet the specified safeguards;
  4. how complex ownership structures are currently documented and analysed;
  5. what capabilities exist for automated PEP and sanctions screening; and
  6. how frequently customer information is updated relative to risk profiles.

Gap analysis should encompass both onboarding processes for new customers and remediation requirements for existing customer bases. The five-year maximum timeframe for updating existing standard and low-risk customers may seem generous, but for large institutions this represents millions of customer files requiring review and potential enhancement.

Technology and Process Investment

Many institutions will require technology investments to meet draft RTS requirements efficiently. This may include customer onboarding platforms capable of collecting specified information fields, document verification solutions meeting remote verification safeguards, automated PEP and sanctions screening with appropriate match resolution workflows, beneficial ownership verification tools integrating multiple data sources, case management systems for documenting CDD decisions and supervisory demonstrations, and data quality tools ensuring information remains current and accurate.

Process redesign will be equally important. Institutions should map current CDD workflows against draft RTS requirements, identifying where manual processes might be automated, where additional verification steps are needed, and where risk assessment methodologies require enhancement.

Training and Change Management

The shift from directive-based to regulation-based compliance, combined with detailed RTS specifications, requires substantial staff training. Front-line staff conducting customer onboarding must understand new information requirements. Compliance officers need updated knowledge on beneficial ownership verification standards, complex structure analysis, and risk-based application of measures. Technology teams require understanding of technical requirements for remote verification and automated screening. Senior management needs awareness of supervisory expectations and demonstration requirements.

Change management programmes should address not just technical compliance but cultural shifts toward risk-based thinking and proportionate application of measures.

Cross-Border Implications

For institutions operating in multiple Member States, the harmonised framework offers significant benefits but requires centralised coordination. Under the AMLD framework, many institutions maintained jurisdiction-specific CDD procedures reflecting different national implementations. Some banks ran separate onboarding systems for different countries, applied different beneficial ownership verification standards based on local supervisory expectations, and maintained jurisdiction-specific training programmes.

The draft RTS eliminate the justification for such fragmentation. A single CDD standard now applies across the Union, enabling institutions to standardise onboarding platforms, centralise beneficial ownership verification procedures, implement uniform screening protocols, and develop cross-border training curricula.

However, this transition requires careful coordination. Institutions must ensure that processes designed for one jurisdiction don’t inadvertently fail to meet requirements applicable in others, that technology systems deployed across multiple jurisdictions can handle the specified data fields and verification methods, and that compliance monitoring frameworks assess adherence to uniform standards rather than jurisdiction-specific variations.

The centralisation opportunity extends to centres of excellence and shared services. Banks might establish centralised beneficial ownership verification teams, unified PEP and sanctions screening operations, or consolidated customer remediation programmes rather than duplicating these capabilities in each jurisdiction.

Conclusion

These draft RTS represent more than technical compliance requirements: they mark a fundamental evolution in how the EU approaches anti-money laundering regulation. The shift from directives to a directly applicable regulation, supported by detailed technical standards, creates unprecedented harmonisation across the internal market and eliminates the fragmentation that has long characterised EU AML compliance. For obliged entities, this transition demands significant investment in systems, processes, and capabilities, but it also offers strategic opportunities. Institutions that move decisively to implement standardised, technology-enabled CDD processes will gain operational efficiencies, improved risk management capabilities, and competitive advantages in cross-border operations. The emphasis on risk-based approaches, combined with clear specifications on required information and verification methods, creates genuine space for innovation and differentiation through superior customer experience, more sophisticated risk assessment methodologies, and more efficient use of compliance resources.

As artificial intelligence and advanced analytics become increasingly central to AML compliance, the standardised framework these draft RTS establish provides optimal conditions for these technologies to deliver value. Machine learning models for name screening, natural language processing for document verification, and graph analytics for ownership structure analysis all function more effectively within harmonised, structured regulatory requirements. Institutions building these capabilities now, rather than waiting for final adoption, will be better positioned as supervisory expectations continue to evolve and as competitive pressure mounts from more technologically sophisticated peers.

The three-month consultation period offers a critical window to shape these requirements before they become binding. The standards being established will govern customer due diligence across the European Union, fundamentally shaping how obliged entities identify customers, verify beneficial ownership, assess risk, and protect the financial system from criminal abuse.

