Introduction
The European FinTech Association (EFA) strongly supports AMLA’s objective of harmonising Customer Due Diligence (CDD) requirements under the AMLR. A more consistent EU framework can reduce fragmentation, strengthen supervisory convergence and support a level playing field for firms operating across borders.
However, the draft Regulatory Technical Standards on CDD, as currently drafted, risk introducing requirements that are too rigid and insuff iciently adaptable to digital, cross-border and innovation-driven business models. Several provisions would benefit from greater proportionality, clearer distinctions between data collection and data verification, and stronger recognition of technology-enabled compliance tools. EFA therefore recommends targeted adjustments to ensure that the RTS remain risk-based, operationally workable and future-proof.
Key recommendations
Targeted Amendments to Support Risk-Based Compliance
EFA recommends introducing an explicit horizontal risk-based clause clarifying that obliged entities should determine the extent and depth of CDD measures according to the level of ML/TF risk identified. This would ensure that simplified, standard and enhanced due diligence are applied proportionately, rather than through uniform requirements that may not reflect the actual risk profile of a customer, product or service.
First, the RTS should clarify that obliged entities may rely on reasonable best eff orts when collecting certain customer data, particularly where no reliable source exists to verify completeness. This is especially relevant for Articles 4 and 5 on place of birth and “all nationalities” in identity documents. The requirement to collect “all nationalities” creates ambiguity and operational burden without clear risk-based justification, as no centralised source exists to verify exhaustiveness. EFA therefore recommends clarifying that information provided by customers in good faith may be relied upon, that verification of one declared nationality is suff icient, and that collection of place of birth is satisfied where the information is readily available from identification documents.
Second, Article 7 on non-face-to-face verification should be made more technology-neutral. Digital identity verification is developing rapidly, and firms increasingly rely on trusted third-party data, behavioural and device-based signals, real-time analytics and digital identity solutions. While EFA supports the use of eIDAS-based solutions where available, reliance on specific EU-wide infrastructures should not be required before they are fully operational and consistently accessible across Member States. The RTS should therefore explicitly allow verification through reliable and independent sources, including, but not exclusively digital identity frameworks, trusted third-party data and other technology-enabled methods, provided they are proportionate to the level of risk.
Third, Article 11 should be amended as the standard goes beyond the AMLR requirement to understand ownership and control and introduces a subjective test that may lead to inconsistent supervisory interpretations, particularly in cross-border contexts. The obligation should instead be limited to understanding the customer’s ownership and control structure in line with Article 20(1)(b) AMLR.
Fourth, Articles 18 and 24 should be clarified in relation to the purpose and nature of the business relationship, expected transactions and source of funds. Forward-looking customer-provided information, such as expected turnover or transaction patterns, is often unavailable or unreliable for start-ups, early-stage businesses and rapidly scaling companies. Obliged entities should therefore be allowed to rely on alternative yet equally valid methods, including sectoral benchmarking, external datasets, real-time transaction monitoring and ongoing risk assessment, where these provide an equivalent or more reliable understanding of the customer relationship.
Finally, EFA recommends including an explicit recital confirming that obliged entities may rely on innovative, technology-enabled verification and risk assessment methods where these are reliable, proportionate and risk-sensitive.
Strengthening the Risk-Based Approach
EFA does not consider that the draft RTS, in their current form, fully enable an eff ective risk-based approach. Several provisions impose blanket requirements that are not suff iciently linked to the level of ML/TF risk. For example, Article 21(2), which exempts certain legal and professional advisers from the requirement to cease acting where CDD cannot be completed, appears to require two independent sources even in low-risk scenarios, while Articles 4, 5 and 11 introduce obligations that may apply irrespective of the customer’s actual risk profile.
To address this, EFA recommends replacing prescriptive source requirements with a more flexible standard based on “one or more reliable and independent sources, as appropriate to the risk level”. This would preserve the integrity of CDD while allowing firms to calibrate verification measures to the actual risk presented by the customer or service.
EFA also recommends clarifying that not all collected information requires independent verification. An interpretation requiring verification of every data point would go beyond a risk-based approach, as advocated by Commissioner Albuquerque during her introductory remarks at the AMLA conference, and create significant operational hurdles. Verification eff orts should remain proportionate to the level of risk.
Finally, EFA recommends that the RTS further recognise FATF-equivalent third-country regimes by allowing EU-based groups operating internationally to rely on local requirements where these achieve broadly equivalent AML/CFT outcomes. EFA also welcomes the recognition of virtual IBANs as identifiers rather than accounts and recommends that AMLA reaff irm their risk-based treatment, while discouraging national measures that exceed AMLR requirements and could undermine Single Market integrity, passporting and eff orts to address IBAN discrimination.
Addressing Data Availability and Operational Barriers
EFA notes that certain CDD information may often be unavailable, unreliable or disproportionate to obtain, including reliable turnover estimates for start-ups, complete beneficial ownership data across Member States, verification of all nationalities, consistent place-of-birth or address information in identity documents, and TIN/NIN data in simplified due diligence scenarios. EFA therefore recommends that the RTS include a fallback mechanism allowing obliged entities to rely on alternative risk-based measures, such as: ongoing monitoring, sectoral benchmarking, third-party data aggregation, digital identity solutions and data-driven risk assessment tools, where standard information is not reasonably available or cannot be independently verified. The RTS should also clarify that TINs, NINs, estimated transaction values, source of funds information and address verification should be required only where available, applicable and proportionate to the ML/TF risk identified, and that their absence should not automatically prevent the application of simplified due diligence in demonstrably low-risk cases.
Simplified Due Diligence for Low-Risk Fintech Services
EFA considers that the RTS should explicitly recognise additional simplified due diligence measures for low-risk fintech use cases. This is particularly important for services where funds are traceable, transactions are linked to genuine commercial activity and the underlying risk is mitigated by the structure of the product.
EFA recommends recognising simplified due diligence for low-risk acquiring services provided to micro- or low-volume merchants, where transactions are linked to genuine commercial activity and funds are settled exclusively to accounts in the EU or FATF-equivalent jurisdictions.
EFA also recommends that ancillary wallet services should be eligible for simplified due diligence where they are strictly limited in functionality, serve only to facilitate acquiring services and do not operate as independent financial products.
Finally, EFA recommends allowing reliance on verified public registers as a single source for both identification and verification in low-risk scenarios, provided the register includes identity verification mechanisms and is regularly updated and reliable.
Pooled Accounts
EFA recommends targeted changes to Article 22, Article 22 AMLR sets out the information and verification requirements that obliged entities must follow, to ensure that simplified measures for pooled accounts are usable in practice. In particular, “immediately” should be replaced with “without undue delay” to avoid legal uncertainty and unrealistic expectations of instant access in all operational contexts. The RTS should also replace the undefined concept of “eff ective supervision” with a clearer requirement that the account holder be subject to AMLR supervision, or equivalent third-country supervision. In addition, simplified measures should be available where the ML/TF risk is low or standard, in line with the approach for Collective Investment Undertakings. Finally, the RTS should specify objective evidence that may be used to demonstrate that the account holder applies appropriate CDD measures, such as independent AML audit reports or certifications.
Conclusions
EFA remains fully committed to the EU’s objectives of strengthening AML/CFT compliance, protecting the integrity of the financial system and ensuring eff ective supervision across the Single Market. Adopting these targeted adjustments would preserve the ambition of harmonisation while ensuring that the RTS remain eff ective in their objective of prevention and tacking of money laundering while also being proportionate, risk-based and operationally workable for digital, cross-border and innovation-driven financial services.
About EFA:
The European FinTech Association (EFA) is a not-for-profit organization representing leading FinTech companies of all sizes from across the EU. It brings together a diverse group of 40+ FinTech providers ranging from payments, to lending, banking, robo-advice, investment as well as software-as-a-service for the finance sector, with a clear focus on enabling a single market for digital financial services. For more information, visit www.eufintechs.com
Download the EFA Position Paper on the 28th Regime here.