The new anti-money laundering authority of the EU, the Authority for Countering Money Laundering and Financing of Terrorism (AMLA), has published an article on a data collection exercise to test risk assessment models for the financial sector.
They announced their ‘Single Programming Document’ and three internetconsultations [*]:

• Consultation on the draft RTS on pecuniary sanctions, administrative measures and periodic penalty payments, until 9 March.
• Consultation on the draft RTS on Customer Due Diligence, until 8 May.
• Consultation on the draft RTS on criteria for identifying business relationships, occasional and linked transactions and lower thresholds, until 8 May.

[*] There is nothing ‘technical’ in ‘Regulatory Technical Standards’ (RTS). RTS contain additional regulations, which are decided unilaterally by AMLA and/or the Commission.

Addition 25 May 2026 – EBF comments
The European Banking Federation (EBF) published its comments in the CDD consultation and in the consultation on occasional transactions.

The CDD comments include verification of the identity (markup by me):

Art. 6 RTS
We propose inserting the following two paragraphs:

7. For the purposes of verifying the identity of the persons referred to in Article 22(6) and Article 22(7), point (a), of Regulation (EU) 2024/1624 pursuant to paragraphs 1-6, obliged entities shall verify the full name, date of birth, and country of residence of these persons.
8. Where doubts arise with regard to the veracity of the information referred to in paragraph 7, obliged entities shall take measures to re-verify it.

Para. 7: The proposal aims to clarify that the verification requirements under Art. 20, 22(6), and 22(7) should cover only those data points which allow for the verification of the identity of the relevant natural person (i.e., full name, date of birth, and country of residence), as opposed to additional secondary information (e.g., all the address fields where collected).

Para. 8: The addition aims at strengthening the risk-based approach and reaffirm the principle of “once identified, always identified”. Once a customer has been duly identified and verified, re-verification would not be necessary unless there is a specific reason to doubt the accuracy of the original information.

From an AML/CFT-risk perspective, obliged entities should not be required to obtain a new identity document solely because the original document has expired, including during reviews under Art. 26 (2) AMLR. Expiry alone does not undermine the validity of prior verification, and such a requirement would be disproportionate and not required per Level 1 legislation. Re-verification should arise only where there are indications that core verified data, such as full name, date of birth or country of residence, has changed or is no longer reliable.

The comment on article 7 RTS includes remarks on the EUDI-wallet:

Art. 7 RTS
We believe that Art. 7 could be changed to make requirements more proportionate, through the following amendments:

– Para. 2.: “In cases where the solution described in paragraph 1 is not available, or cannot reasonably be expected to be provided, obliged entities shall obtain the natural person’s identity document, passport or equivalent using remote solutions that meet the conditions set out in paragraph 3.
– Para. 3: “(e) the information, documents and data verified through the remote solution are valid and copies are retained, time-stamped and stored securely by the obliged entity. The content of stored records, including images, videos, sound and data shall be available in a readable format and allow for ex-post verifications”.

We suggest inserting a new point (f) to para. 3: “(f) Obliged entities shall apply the safeguards referred to in this paragraph in a manner that is proportionate to the ML/TF risk associated with the business relationship or occasional transaction”.

Finally, we propose removing para. 4.

Rationale:

– The safeguards listed in Art. 7(3) are formulated as strict, cumulative requirements, leaving insufficient flexibility for OEs to tailor their approach. This may create a disproportionate burden particularly for people who do not yet have access to eIDAS-based digital identities. The provision should not be interpreted as requiring OEs to steer customers towards obtaining an eIDAS identity where this is neither realistic, nor proportionate considering the existing market implementation. Art. 7(3) should provide that the safeguards are to be applied in a proportionate and risk-based manner, and we hence propose adding 3(f) above.

– Art. 7(4) – We question the requirement in Art. 7(4) whereby obliged entities need to justify why the customer could not be verified through the means referred to in Art. 22(6), which does not establish a hierarchy of verification methods. However, Art. 7(4), particularly when read together with Art. 7(2), risks introducing such a hierarchy in practice by creating a de facto expectation that eIDAS-compliant solutions or qualified trust services should be prioritised wherever available. This makes the Level 2 text more restrictive than the Level 1, creating legal uncertainty and undermining the technology-neutral approach of the AMLR and the draft RTS.

– We recommend that AMLA either removes this justification requirement or clarifies that the choice of verification method remains at the discretion of the OEs, in line with the technology-neutral approach of the AMLR and the Draft RTS (see the 5 guiding principles in Section 3.2 AMLA’s approach).

– The RTS should take into consideration the current status of adoption by MS.
Until qualified and certified eIDAS 2.0 remote identification solutions are widely available and operational, obliged entities should be permitted to continue using existing national and other market-proven remote identification solutions.

– Furthermore, we note that MS apply an inconsistent approach with respect to the interpretation of ‘equivalent’ documentation. We urge AMLA to work with NCAs to ensure consistent application of supervisory expectations.

EBF comments on nationality:

Art. 5 RTS

We suggest the current text of Art. 5 becomes para. 1 and is amended as follows: “1. For the purposes of Article 22 (1), point (a)(iii), of Regulation (EU) 2024/1624 obliged entities shall obtain information on the nationality or, where applicable, the statelessness and refugee or subsidiary protection status of the customer, any natural person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted”.

Proposed new para. 2: “Obliged entities shall request the persons referred to in para. 1 to declare any other nationalities they may hold.”

Art. 5 should state that the requirement is fulfilled where an OE relies on the customer’s self-declared information, rather than leaving this clarification solely to Recital 3. Additional nationalities should be collected only where there is a clear and justified reason, as their routine collection does not add value to the risk assessment. Where an individual has only one nationality, confirming such nationality should be sufficient which is supported by the wording of Art. 22(6) AMLR. Absent any conflicting information, no further verification steps should be necessary.

On understanding ‘the purpose and intended nature of the business relationship‘:

For most natural persons with daily banking products, the purpose and intended nature should be inferable from the product itself without requiring extensive information gathering. In cases where there are no risk indicators and a client poses a non-high risk, requiring additional data does not add value to the risk assessment. Rather, it creates unnecessary friction in business relationships with well-intended clients, negatively impacting client experience and diverting resources from higher risk cases.

EBF is critical on article 26(2) RTS:

Article 26(2) specifies that additional information may consist of information on the client’s key clients, contracts, business partners and associates, including the UBO’s business partners or associates. Even for EDD, this is extensive and risks being interpreted as requiring OEs to perform due diligence on their client’s business relationships, which is beyond the scope of AML obligations. We propose to delete this requirement.

Other comments relate amongst others to place of birth, the definition of ‘complex’ structures, representatives, the obligation to collect detailed information on intermediary entities with which the bank has no business relationship, lack of differentiation between articles 11 and 12 and the collection of data on Senior Managing Officials (SMOs) when there is no ‘regular’ BO.