On July 10, the EU’s new Anti-Money Laundering Authority (AMLA) will submit the technical standards that will define compliant customer verification across Europe through 2027 and beyond. Here’s what’s at stake, where the draft standards fall short, and how IDnow formally responded to the consultation.
There is a date in July that most businesses haven’t put in their diaries but probably should.
On July 10, the AMLA (the newly established EU body charged with unifying and directly supervising anti-money laundering enforcement across the bloc) will submit its draft Regulatory Technical Standards (RTS) on customer due diligence to the European Commission. Those standards will define, in precise and binding terms, what compliant customer identity verification looks like across the EU from 2027 onwards.
Once adopted by the Commission, these standards will apply directly across all 27 member states — no national transposition, no room for interpretation, no grace period for businesses that weren’t paying attention.
If you are a bank, a fintech, a telecoms operator, an insurance firm, a crypto asset service provider, or any other entity within the scope of EU anti-money laundering law, the July 10 deadline is the moment the rules of the game are written down.
IDnow has spent months analysing those draft standards. What we found is a framework that gets much right — and contains several critical flaws that, if not corrected before adoption, will undermine the very objectives the AMLR was designed to achieve.
A Brief History of European Anti-Money Laundering Efforts.
Europe’s approach to anti-money laundering has historically been built on Anti-Money Laundering Directives. The Fourth AML Directive, the Fifth, and the Sixth each set minimum standards that member states were required to implement in national law.
“Unfortunately, how ‘minimum’ was defined was very much open to interpretation. Transposition was inconsistent. Enforcement was fragmented. A business operating across multiple EU markets faced the practical complexity of multiple national frameworks, each with its own interpretation of what customer due diligence required.”
Liudmyla Rabchynska, Director of Global and Regulatory Affairs at IDnow.
The EU AML Package, adopted in 2024, changed that architecture entirely. At its centre is the Anti-Money Laundering Regulation (AMLR), which, unlike a directive, applies directly and uniformly without national transposition or ‘interpretation’, from July 10, 2027. The AMLA is tasked with preparing regulatory technical standards across 23 mandates, most of them due by July 10, 2026. The customer due diligence RTS is the most consequential for any business that verifies customer identity.
For the first time, a business operating in France, Germany and the Netherlands will face the same legal requirements in all three markets. The era of regulatory arbitrage within the EU’s AML framework is ending.
What the AMLA’s Customer Due Diligence RTS will cover.
Based on Article 28 of the AMLR and the draft standards published for consultation, the RTS will specify:
- The information to be collected during customer due diligence: What data must be gathered, verified and recorded for different customer types and risk profiles
- The methods by which identity verification may be conducted: Which electronic identification means, biometric processes and document verification methods satisfy the required assurance levels under the eIDAS 2.0 framework
- Simplified and enhanced due diligence triggers: When standard verification is sufficient, and when more is required
- Ongoing monitoring obligations: What continuous monitoring of customer relationships must look like in practice, including triggers for re-verification
- Third-party reliance: The conditions under which regulated entities may rely on verification conducted by another party
AMLA’s public hearing on the draft standards in March 2026 was attended by over 1,600 stakeholders from across financial services, fintech and professional services — a signal of just how consequential these standards are across the industry.
What IDnow told AMLA — and Why it Matters.
In our formal response to the AMLA’s consultation, IDnow broadly supported the framework’s objectives but identified several deficiencies that, if not corrected, will create exploitable gaps at the heart of the EU’s AML architecture.
The Fallback Problem.
The most significant concern centres on Article 7(2)-(4), which introduces a fallback verification pathway — essentially, remote document scanning with lower security guarantees — for situations where electronic identification means or qualified trust services are “unavailable.” The problem is that this premise is factually incorrect.
“The AMLR is explicit and provides two — and only two — acceptable means of verifying identity for non-face-to-face customer due diligence: electronic identification means at assurance levels ‘substantial’ or ‘high’ (notified eID schemes, EUDI Wallets), and relevant qualified trust services under eIDAS. The regulation does not authorise a third pathway.”
Liudmyla Rabchynska, Director of Global and Regulatory Affairs at IDnow.
Also, the premise of the fallback — that qualified trust services might not be available in some member states — is simply wrong. The EU Trusted List, maintained by each member state and published by the European Commission, confirms that qualified trust service providers are operational in every EU member state. There is no member state in which these services are “not available.”
A Security Gap that Fraudsters will Exploit.
The fallback isn’t just legally problematic. It is a security risk.
The current draft’s Article 7(3)(a) requires only that “the natural person presenting the customer’s identity document is the person on the picture of the document.” However, as stated in our response, this can be “circumvented by overlaying a deepfake of the document holder’s face onto a live video stream,” and, at the moment, the draft RTS does not require injection attack detection (controls to ensure that a biometric feed originates from a device’s physical camera, rather than from software injecting pre-recorded or synthetic video).
AI-generated synthetic identity documents are now commercially available, and the draft standards would not reliably detect them.
“Security is only as strong as its weakest link. The fallback in Article 7(2)-(4) risks introducing severe weaknesses into customer due diligence, creating low-assurance pathways vulnerable to deepfakes and social engineering,” adds Liudmyla.
The fixes IDnow has proposed are specific and technically grounded: mandatory presentation attack detection (PAD) and liveness checks compliant with ISO/IEC 30107-3, injection attack detection compliant with CEN/TS 18099, NFC chip verification where available, and explicit compliance with ETSI TS 119 461 v2.1.1 — the European standard for identity proofing.
If the fallback is retained at all, it should be strictly time-limited, automatically expiring once the EUDI Wallet is operational in each member state.
QEAA Needs to be Named.
A third issue is less dramatic but equally important in practice. The draft RTS uses the generic phrase “relevant qualified trust services” without specifying which services qualify. This matters most for Qualified Electronic Attestations of Attributes (QEAA) — the credentials at the heart of the European Digital Identity Wallet — which are not explicitly named.
QEAA is, by design, purpose-built for customer due diligence. A QEAA attesting a customer’s name, date of birth, nationality and address — issued by a supervised provider that has itself verified these attributes against authentic sources — provides a higher level of assurance than a document scan. It enjoys a presumption of accuracy under eIDAS 2.0. It must be recognised cross-border across the entire EU.
As Liudmyla explains, the failure to name it explicitly creates legal uncertainty for both providers and obliged entities:
“A QEAAP cannot determine with legal certainty whether its QEAA will be accepted as sufficient for standard CDD, or whether an obliged entity will reject it because it lacks certain attributes.”
That is precisely the kind of fragmentation the AMLR was designed to eliminate.
2026 is the Action Year. Not 2027.
There is a tendency to treat July 10, 2027 — the date AMLR enters full force — as the deadline. It is not. It is the date by which compliance is required. The preparation deadline is now. The Compliance Countdown has started. Will you beat the clock?
Businesses that wait for adoption before beginning their gap analysis, technology assessment and implementation planning will have, at best, months to close gaps that take years to address properly.
Three gaps are likely to be the most common:
Method assurance levels. The AMLR operates within the eIDAS 2.0 assurance level framework, with Low, Substantial and High levels. Many businesses don’t currently know which level their existing verification methods achieve, because previous frameworks didn’t require them to. If your methods fall below the required threshold, your current process will be non-compliant from July 2027.
Ongoing monitoring capability. AMLR is explicit: customer due diligence is not a one-time exercise. Ongoing monitoring — flagging changes in customer risk profiles, triggering re-verification, maintaining up-to-date records — is a legal obligation. Businesses whose compliance architecture relies on periodic manual reviews rather than continuous, signal-based monitoring will need to close a significant gap.
Audit trail coherence. The RTS will specify data retention and audit requirements. For businesses operating with fragmented technology stacks, including multiple vendors, separate audit logs and inconsistent data formats, demonstrating compliance to a regulator will be considerably harder than for those with a unified, auditable record of every customer interaction.
What Comes Next.
When AMLA submits its customer due diligence RTS to the European Commission in July 2026, it will prompt significant coverage across compliance and financial services media. The honest read is this: the framework is more demanding than most businesses currently appreciate, and less impossible than the most alarming headlines will suggest.
The underlying goal of creating a single, coherent European standard for knowing who your customers are, continuously, across borders, is also a commercial one. The businesses that reach it first will onboard faster, monitor more effectively, and build more durable customer trust than those still operating on processes designed for a regulatory world that no longer exists.
The IDnow Trust Platform is AMLR-ready — covering identity verification, ongoing monitoring, risk intelligence and the full customer trust lifecycle through a single, auditable platform.
By Jody Houton, Senior PR & Content Manager at IDnow