The EBA’s draft regulatory technical standard on customer due diligence - What should firms be worried about?

What should obliged entities be thinking about now?

The EU’s money laundering regulation (Regulations (EU) No 2024/1624 or “AMLR”) left much of the detail to the new Anti-Money Laundering Authority to determine through regulatory technical standards.  After the EBA’s consultation on a draft RTS for customer due diligence closes on 06 June, 2025, the next step will be for the EBA to submit its response to the European Commission’s call for evidence.  The EBA plans to do this on 31 October 2025.  This will in turn inform the draft regulatory standard on customer due diligence that the new Anti-Money Laundering Authority is due to submit to the European Commission by 10 July 2026. But, does the EBA’s draft RTS on customer due diligence provide enough practical guidance to avoid unintended consequences for EU businesses and their customers?

The EBA’s consultation provides an opportunity for firms to help the AMLA better understand how customer onboarding and payments journeys might be adversely affected. This is important because it will help the AMLA to visualise the customer journey, and to understand the impacts on the customer of making certain changes to that journey.  This will enable the EU authorities to provide the kind of technical standards that will mitigate any unintended consequences, for instance to financial inclusion.

Where firms can provide rough cost or impact assessments these will add weight to the points the firm is making in its consultation response.  Impact assessments might include, for example, numbers of affected customers or the potential difference in the time it takes to onboard a customer today compared to the expected time if the technical standards are adopted in their current form.

Four key areas to consider

1. Basic customer due diligence requirements

The EU’s current approach, in the 5^th Money Laundering Directive, gives firms the flexibility to adopt methods of identification and verification that best fit with their business models and customer journey.  Under 5MLD the firm must essentially be able to answer the following questions:

• Does this person exists?
• Is my customer this person?

But the firm can generally make its own choices about how it achieves this.

Many firms will be using technology tools.  These tools might build a picture of the individual or legal entity based on a range of data points, rather than individually verifying each component part of the customer’s identity such as name and address.  For example, address information provided by the customer may be validated using geolocation tools or device and IP address monitoring, rather than specific verification of street name, town, city, county and country.  But this approach may not be sufficient to meet the requirements of the proposed RTS. 

Articles 1-4 of the draft RTS suggests that the new Regulations intend to take a more prescriptive approach to customer due diligence. For example, the RTS makes reference to the name of a natural person needing to match the name on their passport or equivalent.  And suggests that each line of the customer’s address needs to be identified and verified.  There may be some practical challenges here for firms: 

• The proposed RTS is silent on what firms should do if their customer has changed their name but their passport has not yet been updated. It is not uncommon for customers to get married, or divorced, or change their name by deed poll, but not update their passport until it naturally expires. Currently, face-to-face verification for such customers might include a passport together with a marriage certificate, for example.
• As the proposed RTS currently stands, firms would need to assess their technology tools to see if they are configured to look for an exact match to the customer’s passport or equivalent. At the moment technology tools may be using multiple data points and deliver a degree of certainty that the name provided exists and aligns with the other information provided (such as address or date of birth), rather than running a specific comparison to the customer’s passport or equivalent.
• Technology tools are also unlikely to be identifying and verifying each line of the customer’s address. Many tools are now focussing on geolocation, which gives a general sense of where the customer is located so that the firm can assess country of residence and geographical risk. The RTS is silent on whether geolocation or similar tools would be sufficient to meet the address verification expectations in the RTS.

AMLR impose a specific requirement for firms to obtain information that is sufficient to identify all nationalities held by a customer. But no clarity is provided in the RTS on what kinds of information will be “sufficient” for the firm to satisfy itself.  Current methods used by firms to identify the nationalities of its customers may focus more on self-certification and contra-indicators.  For example asking the customer to list their nationalities and then running monitoring controls to identify whether the customer appears to have a nexus to other jurisdictions.  Firms should consider whether they are comfortable relying on their existing approach without clarification in the EBA’s proposed RTS or additional AMLA guidance.

2. Documents and electronic tools that can be used to identify and verify the customer

Articles 5 and 6 of the proposed RTS set the expectations for the types of document that can be used for face-to-face identification and verification.  These expectations may be challenging for firms. 

The RTS suggests that only original, physical documents can be used for face-to-face verification, but not all customers will have these.  In countries without national ID cards there may be some groups of customers that don’t have valid ID (such as a passport).  Such as the elderly or customers recently released from prison.  Customers arriving under refugee schemes such as the recent scheme for Ukrainians may also be impacted, as jurisdictions move towards e-visas rather than paper versions.

Firms should consider:

• What types of customers does the firm currently identify and verify using alternatives to a passport because the customer does not or no longer holds an original, current passport (e.g. elderly customers)?How would these customers be identified and verified under the proposed RTS requirements?
• Is the firm clear about what documents are permitted for the firm to verify the customer’s address?

Firms may also be impacted by the requirements in the proposed RTS Articles 5 and 6 for non-face-to-face identification and verification.  With the rise in online banking, e-wallets and modern methods of delivering cross-border transactions fewer and fewer firms are able to undertake face-to-face identification and verification.

Firms using non-face-to-face identification and verification may be affected by the new Regulation and proposed RTS.  The proposed approach seems to advocate eIDAS-compliant technology tools.  eIDAS is the EU rules for e-identification and verification (e-ID&V) schemes.  These are schemes that are licensed for use in one or more Member States to provide an electronic identity “stamp” that attaches to the customer.  This will allow all customer relationships and transactions to be linked.  Although these schemes are definitely the future of identification and verification, they may not be currently widely available or in common use in each jurisdiction.

In theory firms can use an alternative, but only where no e-IDAS compliant tool is available or where an e-IDAS compliant tool cannot reasonably be expected to be provided.  The draft RTS does not provide guidance on what is meant by “available” or “cannot reasonably be expected to be provided”. So firms (and their regulators) may be unsure about whether an alternative is permissible. This may lead to some inconsistencies in approach across Member States.

The draft RTS contains a list of features that any alternative tools need to have.  Firms will need to review these with their existing providers to make sure they are compliant (or will be compliant by July 2027).  Firms may want to consider:

• Is the firm expected to obtain an uploaded passport or equivalent? If so, what will this mean for the onboarding journeys of customers, particularly those who don’t have a document of this kind?
• Instead of its current expectations for explicit consent in Article 6(3) of the proposed RTS, should the EBA consider a requirement for a clear warning statement from the firm to the customer? This would allow the customer to make an informed decision about using that firm’s services (compared to the services of a competitor firm), without creating any legal uncertainties for the firm and/or the customer that could lead to some customers losing access to essential services. Such legal uncertainties might arise from the firm being unclear as to whether there is any intended interplay between these RTS requirements and the EU’s General Data Protection Regulations, for example.

3. Beneficial ownership and control of corporate customers

For the onboarding (or retention) of corporate customers, firms need to consider the implications of the changes to the definition of ‘beneficial owner’ in Article 2(1)(28) of the AMLR alongside the new AMLR Articles 51-53. Firms that have based their due diligence processes and controls around a 25% ownership and control threshold for determining which persons are beneficial owners may need to adjust their procedures in light of the new Regulations.  For example, Article 52 suggests that due diligence should include an assessment of “all shareholdings on every level of ownership” to determine who owns the corporate customer, and Article 53 defines control as the possibility to exercise significant influence. This change appears to be moving to the broader principles of ownership and control that have previously applied to the EU’s sanctions regime.  But, the draft RTS leaves open the extent of the investigation that obliged entities should undertake to establish ownership and control. 

For sanctions, firms may currently only be undertaking complex analyses of ownership and control if the customer seems to have a nexus to the sanctions regime.  The cost and time this level of investigation takes may make it impractical to adopt for all corporate customers where firms are handling thousands of relationships, for example.

Article 11 of the proposed RTS suggests that group structure charts are only needed in cases of complex ownership structures.  But, the RTS does not stipulate the steps that firms should take to identify beneficial owners in non-complex cases.  This may leave firms uncertain as to whether they should be conducting a level of investigation on all of their corporate customers (including the low risk ones) that goes way beyond obtaining a group structure chart.

Firms need to consider whether they are confident that they understand how much information the firm needs to obtain from its customer and independent, reliable sources to determine who ultimately owns and controls the corporate customer.  Where firms are concerned about the impacts on customers, they should articulate this to the EBA.  Impacts might include costs or the length of time for onboarding or access to services. This will help the EBA and AMLA in due course to deliver pragmatic guidance.

Firms may also wish to ask the AMLA to include examples in the CDD Guidelines of where obliged entities might reasonable conclude that their customer is not owned or controlled by a natural person.

Article 11 of the draft RTS sets the criteria for concluding that a corporate customer has a complex ownership structure. There are two particular parts of Article 11 that we would encourage firms to consider:

1. One RTS criteria is where the customer and any of the legal entities in the layers between the customer and its beneficial owner are registered in different jurisdictions. This includes where the customer and its beneficial owner are registered in different member states within the EU.
2. Article 11 considers complex ownership and control structures but does not provide guidance on what might be “unusual or excessive” for the purposes of Annex III.

Firms may also want to ask the EBA to include some exemptions or contra-indicators in the RTS, or as part of any guidance the EBA or AMLA provides, on what is “unusually or excessively” complex.  For example, customers in groups with an ultimate parent company that is listed on a recognised stock exchange or where the customer or their parent company is equivalently regulated.

4. Virtual IBANs and associated accounts

Article 22(3) of the AMLR requires credit and financial institutions to identify and verify natural or legal persons using any virtual IBAN they issue and the associated bank or payment account.  Article 22(3) also requires credit or financial institutions (Firm A) to ensure that they can obtain identification and verification information on any natural person using a virtual IBAN issued by another institution (Firm B) but which redirects payments to an account serviced by Firm A.  Firm A must be able to obtain the information from Firm B within 5 working days of request.

The proposed RTS appears to expand these legal requirements by placing an obligation on a credit or financial institution to pass through ID&V information where that credit or financial institution is not the issuer of the virtual IBAN or servicer of the related account but which provides the virtual IBAN to a natural or legal person for their use.

Firms need to consider how they will operationalise these principles.  For example, by considering the following questions:

• Do you understand when and how these requirements might apply in the context of your products and services? E.g. Are you completely sure you understand if and when you are an issuer or a servicer?
• Are your existing contracts and monitoring controls sufficient to identify circumstances where you need to obtain customer due diligence information?
• Will you need to consider reducing the number of services you make available using a virtual IBAN, or reducing the number or type of customers to whom you provide those services?
• What will be the potential impacts on your customers, e.g. slower or more limited access to services, slower payments or more expensive services?

For example, if operationalisation will necessitate the sort of payments unbundling that the EBA was keen to avoid in its recent guidance on the EU’s funds transfer regulations, firms should explain these impacts to the EBA in their consultation responses.  The EBA will also likely want to hear from firms about any potential constraints these requirements could have on access to infrastructure services for online retailers, money services businesses or online payment services providers.

The proposed RTS or AMLA guidelines is an opportunity to mitigate some of these risks by providing definitions for words and phrases such as:

• “servicing”
• “issuing”
• “using the associated bank or payment account” and
• “redirects payments”.

Other technical changes about which firms may have questions for the EBA or AMLA

Timing of customer due diligence

There is a change in the new Regulations on the timing of customer due diligence for which firms may want to seek guidance from the EBA in this RTS consultation.  This change relates to relationships that are not currently direct business relationships but might become business relationships in the future, such as:

• Guarantors of a loan
• Beneficiaries that might have legal rights to take direct control over the assets of a trust
• Contractors that might have contractual rights to step into a property development project
• Over-the-counter (OTC) trading counterparties.

The new Regulation has amended the definition of a business relationship to include relationships that might subsequently acquire an element of repetition or duration.  But it is unclear from new Regulation whether firms are expected to identify and verify persons who could subsequently acquire such a relationship:

• at the time the customer is onboarded, or
• at the time such element of duration or repetition is subsequently acquired.

Firms that are not currently performing customer due diligence on these types of relationships at the time of customer onboarding might want to ask the EBA for guidance on this in their consultation responses. This will help firms to understand from the EBA what this change to the definition of “business relationship” was intended to achieve.

Changes to the standard of identification and verification for certain ancillary relationships

Firms may wish to consider whether there will be any operational challenges to implementing changes to the standard to which the following need to be identified and verified:

• “persons acting on behalf of the customer” will need to be identified and verified to the same standards as natural person customers.
• “persons on whose behalf or for whose benefit a transaction or activity is being carried out” must be identified and verified to the same standards as a beneficial owner.In this regard, it is, for example, unclear whether the obliged entity needs to take proactive steps to investigate whether a customer might be making a transaction on behalf or, or for the benefit of, someone else.

Changes to the identification and verification requirements for discretionary trusts

For discretionary trusts, obliged entities will need to obtain sufficient information concerning the objects of a power and default takers to enable the obliged entity to establish the identity of a beneficiary at the time:

• the trustees exercise their power of discretion, or
• at the time the default takers become the beneficiaries because the trustees failure to exercise their power of discretion.

This is in addition to the customer due diligence requirements that apply to all types of trust.  Firms may wish to consider whether they have any questions about how they should operationalise this additional requirement for discretionary trust customers.

Be on the lookout for the draft RTS on high net worth customers

Article 34(5) of the new Regulation includes a requirement to apply enhanced due diligence for customers holding assets of more than €50million (excluding the family home).  This is not covered by the customer due diligence RTS on which the EBA is currently consulting. 

Article 34(5) includes a requirement for guidance to be provided.  Guidance will be critical for firms to understand the level of due diligence then need to perform to establish whether the customer is holding assets above the €50million threshold.  Firms will likely also be keen to understand whether they have to investigate this for all customers, or only those customers where the firm holds information that suggests the customer may potentially hold assets above the threshold.

How can Hogan Lovells help?

The combination of our legal and consulting teams provides you with a full range of services, and clear guidance on how the solutions can be applied within the business. If you would like to discuss your consultation response, the impact of the customer due diligence changes being introduced under the EU’s 6^th money laundering package, or any other questions you may have in relation to the new EU Regulations, please reach out to any of the people listed in this article or your usual Hogan Lovells contact.

Authored by Ann Doan.