The way businesses verify who their customers are is about to fundamentally change. Here’s what that means, and why identity relationships are so important.
Key takeaways
- One-time KYC checks are a conceptual failure as they can’t detect fraud that happens after onboarding
- eIDAS 2.0, the EU AMLR, and PSD3 are converging on a single answer: continuous, event-driven identity assurance
- The 2027 deadline for EUDI Wallet acceptance and AMLA supervision is closer than it looks
- The fix is an identity relationship, not an identity check
Picture the scene. A customer opens a bank account. They upload their ID document, take a selfie, blink on command. The automated check runs. Green light. Account created. Compliance box ticked. Job done.
Right?
Six months later, that same customer’s phone has been SIM-swapped. Their email is compromised. The device they used to open the account has been cloned and is now logging in from an IP address three countries away. The fraudster who carried out the attack knows all of this. They’re inside the account, moving funds, adding payees, working fast.
The bank’s KYC check that was performed six months ago knows none of it. It never could. It was never designed to.
The limits of the one-time KYC check is not a technology failure; it is a conceptual one and is what Europe’s incoming regulatory architecture is designed to fix.
AMLR, PSD3 and eIDAS 2.0: 3 regulations. 1 direction.
What is striking about the current regulatory moment in Europe is not the volume of change — it is the coherence of it. eIDAS 2.0, the Anti-Money Laundering Regulation (AMLR) and the second Payment Services Directive revision (PSD3) are being written and implemented simultaneously.
“What we are seeing is not three separate regulatory updates. It is a single, coordinated rewriting of how trust is established and maintained in the European digital economy. The question regulators are asking, and that businesses now need to answer, is: ‘do you know, right now, that your customer is who they say they are?'”
Liudmyla Rabchynska, Director of Global Regulatory and Government Affairs at IDnow
The Compliance Clock is ticking. The European Anti-Money Laundering Authority (AMLA) is required to submit its draft regulatory technical standards on customer due diligence in July 2026. The EUDI Wallet, which every EU member state must issue by the end of 2026, must be accepted by regulated businesses under eIDAS 2.0 by 2027.
PSD3 brings strong customer authentication requirements into alignment with both.
For businesses that have built their compliance architecture on a one-time KYC check, this represents a major rebuild.
The Good News Nobody’s Saying Out Loud.
Financial services have a tangible deadline and there’s much to be done before the Compliance Clock strikes 12. However, it’s important to note that these changes are not being imposed on businesses despite their interests. It is being driven, in part, because the old model was already failing them.
The scale of the problem is not abstract. According to the joint ECB/EBA report on payment fraud, fraudulent payment transactions across the EEA totalled €4.3 billion in 2022 — and that figure was already climbing, with €2 billion recorded in the first half of 2023 alone. By 2024, fraudulent credit transfers had risen a further 16% year-on-year, to €2.2 billion, with card fraud adding another €1.3 billion on top, according to the EBA-ECB’s 2025 payment fraud report. This is the cost of a model that was never built to keep pace with modern fraud.
For example, synthetic identity fraud is among the fastest-growing threats, and according to Experian’s analysis of UK credit applications, now accounts for nearly a third of all identity fraud cases. TransUnion’s 2023 global fraud report named it the fastest-growing form of digital fraud worldwide. Account takeover attacks, which exploit the gap between a one-time KYC check and any subsequent authentication, sit alongside it as a rapidly escalating threat.
“The businesses I speak to who are ahead of this aren’t thinking about eIDAS 2.0 as a compliance obligation. They’re thinking about it as the moment they finally get infrastructure that matches the sophistication of the threat they’re facing. The regulatory moment and the commercial moment are the same.”
Jonas Mendes, Director of Product for the IDnow Trust Platform
The businesses that understand and see the regulatory shift as an opportunity to build a genuinely more resilient relationship with their customers will be compliant by 2027, and most importantly, be better businesses.
With the IDnow Trust Platform users benefit from an ongoing relationship with their customers; one that can trigger re-verification when something changes. One that can apply different identity verification methods at different risk levels. One that can accommodate the EUDI Wallet when it arrives, without requiring a separate integration project.
“The goal,” says Jonas, “is that when a regulation changes, or a new verification method becomes available, or a new fraud typology emerges, the IDnow Trust Platform accommodates that change. The customer doesn’t have to rebuild. They don’t even have to notice. That’s what infrastructure is supposed to do.”
Building the Identity Relationship… by 2027.
There is a version of this story that sounds frightening. Three converging regulations. A new digital wallet that must be accepted across 27 member states. Evolving fraud that defeats traditional checks. A 2027 deadline that is closer than it looks.
That version is not wrong. But it is incomplete.
The reason European regulators are moving in this direction simultaneously is because the old model was creating the very problems it claimed to prevent. A one-time check, bolted onto the front of a customer relationship and never revisited, was never real compliance. It was a ritual. The new model asks for something more demanding, and in doing so, makes the goal of long-lasting trust between businesses and their customers achievable.
The identity check is dead. Long live the identity relationship.
Find out more from Jonas Mendes on the thinking behind the IDnow Trust Platform’s Orchestrate, Observe and Decide capabilities in his blog ‘Lessons From… Building a Platform That Makes Compliance Simple Again.’
By

Jody Houton
Senior PR & Content Manager at IDnow
Connect with Jody on LinkedIn






