Navigating The Future Of AML/CFT – Update Of EBA'S Draft RTS

On 30 October 2025, the European Banking Authority (EBA) responded to the European Commission's Call for Advice, addressing key elements of the EU's evolving Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework.

Earlier, in March 2025, EBA had released draft Regulatory Technical Standards (RTS) for public consultation. In a previous blog post, we highlighted some of the main provisions of these draft RTS, which covered:

1. Assessing the inherent and residual risk profiles of obliged entities;
2. The risk assessment for selecting institutions for direct supervision by the new Anti-Money Laundering Authority (AMLA);
3. Customer Due Diligence (CDD) requirements; and
4. Rules on pecuniary sanctions, administrative measures, and periodic penalty payments.

Public responses to the consultation focused particularly on therisk-based approach, the clarification of indicators and criteria particularly regarding CDD measures as well as on operational burdens generated. In response, EBA has introduced substantial changes to the wording and specific provisions in the new draft RTS ("Revised RTS"), aiming to strike a better balance between regulatory objectives and practical implementation.

Here are some noteworthy changes to the RTS:

1. Revised RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40 para. 2 AMLD6¹

The Revised RTS continue to use the proposed three-step methodology for supervisors to create risk profiles, which serve as the basis for risk-based supervisory measures. To enhance this framework, EBA's response has been supplemented by a new matrix that classifies the scoring system's risk categories using colour coding. The matrix illustrates the residual risk that results from the inherent risk, combined with the effective controls applied to mitigate inherent risk.²

More significant changes have been made to Annex 1.³ In response to the public feedback received during the consultation phase, EBA has now segmented the requirements for data points into sectors and specified which data points must be collected within each sector. Not only have certain data points for individual sectors been omitted, but EBA has also deleted some data points entirely (e.g. the number of customers being Non-Profit Organisations (NPOs)). Another new addition is the new Annex 2⁴, which supplements Annex 1 with an interpretative note explaining and clarifying how the data points listed in Annex 1 should be understood.

2. Revised RTS on the risk assessment for the purpose of selection of credit institutions, financial institutions and groups of credit and financial institutions for direct supervision under Article 12 para. 7 AMLAR⁵

AMLA will select a list of approximately 40 obliged entities for its direct supervision. An entity is considered in the selection process if

1. it operates in at least six Member States, and
2. its residual risk profile has been classified as high.

As in the previous RTS, the Revised RTS consider activities material in another Member State if either the number of resident customers exceeds 20,000 or their total transactions exceed EUR 50 million.

The Revised RTS also maintain the approach of applying the three-step risk methodology as established in the RTS under Article 40 para. 2 AMLD6 (see above) to determine the residual risk. However, EBA sees the risk that the RTS under Article 40 para. 2 AMLD6 might not yet have entered into force, while the RTS under Article 12 AMLAR already refer to them. To address this, EBA decided to reproduce the provisions on the methodology within the Revised RTS under Article 12 AMLAR, rather than referencing them. EBA clarifies that eventually, the selection assessment under Article 12 AMLAR is intended to use the same scoring system and be built on the assessment under Article 40 para. 2 AMLD6.⁶

Another minor modification was made to the transitional provision in Article 6 of the RTS. A new paragraph was added, stipulating that the following two indicators from Annex 1 which are generally to be considered when determining the inherent risk and the quality of AML/CFT controls, shall not be considered for the first selection of directly supervised institutions:

• Number of customers with high-risk activities;
• Number of customers whose CDD data and information is not yet in line with the requirements of Article 20 AMLR.⁷

This is only consistent, given that there is currently no harmonised and comprehensive list of high-risk economic activities and Article 20 AMLR has not yet entered into force. Aside from these changes to ensure a smooth transition and a few linguistic refinements, there have been no fundamental changes to the RTS.

3. Revised RTS under Article 28 para. 1 AMLR⁸ on Customer Due Diligence

The Revised RTS introduce several changes – some that look minor but have major practical implications, and others that seem significant yet align with current market practice. Here are some points worth mentioning:

Identification & Verification

• Multiple Nationalities: Under Article 22 para. 1a (iii) AMLR, obliged entities must now identify all nationalities of the natural person. Previously, the RTS specified that obliged entities "shall obtain necessary information to satisfy themselves that they know of any other nationalities their customer may hold".⁹ This wording was unclear — verifying a nationality based on a document is straightforward, but verifying the absence of any other nationality is practically impossible. EBA now clarifies in its recital that "where a customer holds multiple nationalities and declares them in good faith, verifying one nationality will be sufficient."¹⁰ However, the final wording of Article 5 of the Revised RTS itself gives little guidance.¹¹ Whether it will suffice AMLA to rely on the customer's declaration will need to be seen.
• Foreign Documents: One point in the initial draft of the RTS that seemed minor but would have had significant cost and procedural impact was the proposed requirement for certified translations of documents in a foreign language.¹² This requirement has now been dropped in the Revised RTS. Instead, obliged entities must simply "ensure that they understand" the content.¹³ What this means in practice is still unclear: Can firms rely on their multi-lingual compliance teams? Would the use of AI translation tools be acceptable? If and how this will be documented remains an open question.
• Remote Verification: On the plus side, obliged entities are no longer required to obtain the person's explicit consent during remote verification under the Revised RTS.¹⁴ There was no apparent reason why consent should only be required in remote onboarding scenarios, and such a rule would have added unnecessary complexity - raising data privacy concerns and creating additional costs and operational burdens. On the downside, one of the biggest pain points remains unsolved: flexibility for remote verification is still limited.¹⁵ EBA agrees that obliged entities should not be forced to rely exclusively on eIDAS-compliant tools and that remote solutions meeting the EBA's Remote Customer Onboarding Guidelines should be considered as equal alternatives. However, EBA points out that eIDAS solutions are legally required under Article 22 para. 6 AMLR, which prevents it from offering broader flexibility.¹⁶ Only where eIDAS compliant tools are not available, or cannot reasonably be expected, the obliged entities may use a different verification solution that meet the conditions set out in Article 7 paras. 3-5 of the Revised RTS.¹⁷ What cannot reasonably be expected means is unclear. This reflects a broader trend: the EU's preference for harmonisation often translates into a single interpretation becoming the default, even when market realities call for more flexibility. The hope now is that AMLA will interpret these exceptions broadly and allow practical alternatives.
• CIU Reliance: Under the Revised RTS, collective investment undertakings (CIU) may rely on their counterparties' due diligence of the final investors, provided the requirements under Article 17 are met.¹⁸ What used to be the exception – limited to simplified due diligence (SDD) – has now become the general rule. The exception is now that reliance is not allowed where, inter alia, the credit or financial institution is associated with high risk.
• Regular Reviews:The grace period is 5 years from the date of the publication of the final RTS and obliged entities shall take the risk profile of the customer into account, i.e. begin with the existing high-risk clients before moving to medium- and low-risk clients. EBA has confirmed that the RTS will not be applicable before the application date of the AMLR.¹⁹

UBOs & SMOs:

• UBO verification: Following the consultation phase, EBA clarified that the measures for verifying the ultimate beneficial owner ("UBO") are risk sensitive and should not be applied cumulatively. Notably, the draft framework does not differentiate between sources of information, treating them equally - whether consulting public registers, using reputable data services providers or relying on utility bills provided by the customer. Article 10 (b)(iii) even permits reliance on the identification and verification performed by another credit or financial institution.²⁰ EBA did not adopt suggestions to exempt certain categories, such as public entities, from UBO verification. Instead, EBA pointed to the possibility of applying SDD measures where appropriate, thereby maintaining a principle-based approach without categorical exclusion.²¹
• Understanding the ownership and control structure: For both standard and complex corporate structures, EBA has revised the wording of Articles 11 and 12 to reinforce a risk based approach and granting obliged entities a bit more flexibility to tailor CDD to the specific circumstances.²² The definition of a "complex corporate structure" has also been updated: it now applies where there are three or more layers between the customer and the UBO and more than one of the conditions in paragraph 1(a)–(d) is met.²³ This change is significant. Under the previous wording, a corporate structure with only two layers in between – such as where the customer and one intermediary entity were registered in the United Kingdom – would have been classified as "complex." In a global business environment, such cases do not necessarily warrant enhanced scrutiny. The revised definition therefore introduces a more proportionate standard.
• SMO: The EBA reiterates that, where senior managing officials (SMO) must be identified instead of an UBO, equivalent information to that required for UBOs must be collected, in line with Article 63 para. 4 (b) AMLR. EBA cannot grant exemptions from Level 1 requirements. However, it now permits the use of a business address instead of a residential address for SMOs.²⁴ While this adjustment is helpful and consistent with a risk-based approach, the identification and verification of all SMOs of a client will cause a significant operational burden on obliged entities.
• UBO SDD: EBA has revised the SDD measures for identifying and verifying the UBO or, where applicable, the SMO. It particularly confirms that central registers (transparency registers) may be used to identify the UBO but cannot be used to verify the identity of the UBO or SMO. For verification, obliged entities may now consult any information provided by the customer or data already held by the entity. Article 21 further specifies that, regardless of which sources are used for identification and verification, the same source cannot be used for both steps.²⁵

Understanding the Purpose and Intended Nature of the Business Relationship

• In response to the consultation, EBA has streamlined, merged, amended and restructured the articles on determining the nature of the business relationship. While the changes clarify in some cases that not all measures must be applied cumulatively, the requirements for identifying the purpose and intended nature of the relationship remain extensive – even for standard-risk cases. Even for SDD, obliged entities may still need to estimate the expected value of transactions during the relationship or understand the source of funds.²⁶

4. Draft RTS under Article 53 para. 10 AMLD6 on pecuniary sanctions, administrative measures and periodic penalty payments

The draft RTS seek to harmonise the approach of AML/CFT supervisors across the EU with regard to enforcement measures. To this end, the draft RTS include

• indicators for classifying the severity of breaches,
• criteria for setting the level of pecuniary sanctions and applying administrative measures, and a
• methodology for imposing periodic penalty payments.

It is only natural that the consultation on these provisions prompted numerous requests for more clarification and for a case-by-case assessment when it comes to the various indicators, criteria and the methodology. At least in response to the demand for more detailed criteria for assessing the level of pecuniary sanctions against natural persons, for example, EBA has taken action in the latest version of the RTS. EBA amended Article 4 para. 4 of the RTS to stipulate that not just the natural person's role and scope of function are to be taken into account but also the effective responsibilities in the obliged entity and the extent of their involvement in the breach.²⁷ More generally, EBA clarifies that supervisors must exercise supervisory judgement to determine whether, and to what extent, the various indicators and criteria are met.²⁸

Next Steps

It is for AMLA to take these drafts forward and submit them to the Commission for adoption. With this, EBA will hand over its anti-money laundering functions to AMLA on 31 December 2025.

Next, AMLA will need to draft several additional RTS and guidelines to contribute to a harmonised framework and its timely implementation. The Commission's Call for Advice already emphasised two additional areas of priority:

• RTS on minimum requirements of group-wide policies under Article 16 para. 4 AMLR;
• Guidelines on base amounts for the imposing of pecuniary sanctions under Article 53 para. 11 AMLD6.

Considering EBA's limited resources, the Commission asked EBA to provide technical advice on these aspects and to present options that AMLA should consider.²⁹ EBA did not conduct a public consultation on these RTS and guidelines but based its preparatory work solely on information already held by EBA or contained in existing regulatory instruments. AMLA has until 10 July 2026 to draft these RTS and issue these guidelines.³⁰

Footnotes

1. Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 (AMLD6).

2. EBA Response to the European Commission's Call for Advice on six AMLA mandates (EBA Response), p. 9.

3. EBA Response, p. 183 – 193.

4. EBA Response, p. 194 – 201.

5. Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 (AMLAR).

6. EBA Response, p. 14, 37 – 41, 117.

7. EBA Response, p. 42.

8. Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 (AMLR).

9. EBA Consultation Paper on Response to Call for Advice on new AMLA mandates, p. 38.

10. EBA Response, p. 44, 103.

11. EBA Response, p. 49.

12. EBA Consultation Paper on Response to Call for Advice on new AMLA mandates, p. 38.

13. EBA Response, Article 6 para. 4, p. 50.

14. EBA Response, p. 49 et seq.

15. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 (eIDAS).

16. EBA Response, p. 104, 120 et seq.

17. EBA Response, p. 50.

18. EBA Response, p. 46, 54, 104, 120.

19. EBA Response, p. 48, 64, 102, 164.

20. EBA Response, p. 52.

21. EBA Response, p. 139.

22. EBA Response, p. 139 et seq.

23. EBA Response, p. 52, 104, 140.

24. EBA Response, p. 53, 104, 141.

25. EBA Response, p. 45, 58, 149.

26. EBA Response, p. 55, 59.

27. EBA Response, p. 72.

28. EBA Response, p. 19.

29. European Commission, Provisional request for advice to the European Banking Authority (EBA) regarding regulatory technical standards and guidelines under the future anti-money laundering / countering the financing of terrorism (AML/CFT) framework (12 March 2024), p. 5.

30. EBA Response, p. 7.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.