On 6 March 2025, the European Banking Authority (EBA) launched a public consultation on its drafts of four Regulatory Technical Standards (RTS):

  1. RTS on the assessment of the inherent and residual risk profile of obliged entities;
  2. RTS on the risk assessment for the purpose of selection of institutes for direct supervision by AMLA;
  3. RTS on Customer Due Diligence (CDD); and
  4. RTS on pecuniary sanctions, administrative measures and periodic penalty payments.

The draft RTS are the first of a series of regulatory standards concretising the EU's new Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) package that aims to harmonise the requirements for obliged entities under the supervision of the new AML/CFT Authority (AMLA).

This AML/CFT package consists of the following regulations and directives[1]:

  • Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 (AMLD6). The AMLD6 will replace the existing Directive 2015/849/EU (the fourth AML directive, as amended by Directive 2018/843, the fifth AML directive);
  • Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 (AMLR); and
  • Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 (AMLAR).

The consultation for the draft RTS is open until 6 June 2025. Stakeholders are encouraged to participate and provide their feedback to shape the future of AML/CFT regulations in the EU. In response to the European Commission's Call for Advice (12 March 2024), EBA will submit the proposed RTS to the Commission on 31 October 2025.

The draft RTS focus on the financial sector. Nonetheless, EBA’s response to the Call for Advice will highlight which aspects of the RTS could also be relevant for the non-financial sector.[2]

Here are some key points included in the drafts up for consultation:

1. Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40 para. 2 AMLD6

Article 40 of the AMLD6 requires supervisors to apply a risk-based approach to AML/CFT supervision, taking into account the risk in the Member State as well as risks associated with customers, products and services. Under a risk-based approach, supervisors are required to adjust the frequency and intensity of supervision based on the Money Laundering/Terrorism Financing (ML/TF) risks of the respective entity.

Considering this, the EBA proposes a three-step methodology that supervisors will have to follow in order to create risk profiles as a basis for risk-based supervisory measures:

  • assessing each obliged entity's inherent ML/TF risk;
  • assessing the quality of the AML/CFT controls put in place by the obliged entity to address these risks; and
  • assessing the residual ML/TF risk to which the obliged entity remains exposed.

The EBA proposes an automatic scoring system to assess and classify the inherent and residual risk profile of each obliged entity in a consistent manner by all competent authorities. Supervisors should assign numerical scores ranging from 1 (lowest level of risk) to 4 (highest level of risk) to assess inherent risk indicators based on pre-determined factors relating to customers, products and geography, as outlined in Annex I, section A of the draft RTS. These scores should be combined and weighted to determine the overall inherent risk score for the obliged entity, reflecting the significance of each risk category.

The same methodology applies to the assessment and classification of the quality of AML/CFT controls (on a scale from poor quality of controls to very good quality of controls). Data points as per Annex I, section B relate to the categories (i) AML/CFT governance structure, (ii) risk assessment, (iii) AML/CFT policies and procedures as well as (iv) group oversight. Previous supervisory assessments or external auditors' assessments may warrant an adjustment of any of the combined scores.

An automated scoring system would then combine the inherent risk with the controls quality score to produce the residual risk profile of the obliged entity.

Article 5 of the draft RTS requires supervisors to review the inherent and residual risk profiles of obliged entities at least annually, or at least every three years in specific cases (that may include, for example, small businesses, insurance intermediaries or credit intermediaries) if no major events or developments in the management and operations trigger an ad hoc assessment and classification.

2. Draft RTS on the risk assessment for the purpose of selection of credit institutions, financial institutions and groups of credit and financial institutions for direct supervision under Article 12 para. 7 AMLAR

In accordance with Articles 12 and 13 AMLAR, AMLA will select a list of approximately 40 obliged entities for its direct supervision. An entity is considered in the selection process if it operates in at least six Member States and its residual risk profile has been classified as high.

EBA's draft RTS specifies the conditions required for an entity to be considered operating in a Member State and sets thresholds to determine whether operations are material and count towards the number of Member States. This should ensure that AMLA focuses on obliged entities with a strong footprint in the EU, rather than those that, under the freedom to provide services, notified their supervisors of their intention to operate in a Member State but then do not provide this service in practice, or provide such services in a way that is not relevant to their overall business.

An entity's activities in a Member State other than the one where it is established are considered material where

  • the number of customers that are resident in the respective Member State is above 20,000, or
  • the total value of incoming and outgoing transactions by such customers is above EUR 50 million.

For assessing and classifying the (group-wide) residual risk profile, the EBA proposes to aggregate entity-level residual risk scores using a weighted averaging method. Based on these scores, which are calculated using the same three-step methodology as set out in section 1 above with minor specifications, AMLA will classify the residual risk profile of the group as low, medium, substantial, or high, which will determine the group's eligibility for direct supervision.

3. Draft RTS under Article 28 para. 1 AMLR on Customer Due Diligence

The draft RTS specifies which information obliged entities must collect to perform standard CDD, simplified due diligence (SDD) and enhanced due diligence (EDD) and which sources of information obliged entities may use to verify the identity of natural or legal persons. The draft RTS aims to adopt a principle-based approach by listing the type and source of information to be collected but not listing specific documents. In this way, EBA aims to facilitate implementation and to limit the cost of compliance for obliged entities, which will be significantly impacted by the new CDD requirements.[3]

Identification & Verification (ID&V)

For identification and verification purposes, obliged entities are required to obtain such information as names/registered name/commercial name, addresses, place and date of birth and any nationalities the customer may hold. In principle, it is assumed that an original identity document, passport or equivalent is used by the obliged entity to verify the identity of the natural person on a face-to-face basis.[4]

Article 6 of the RTS sets out the verification method in a non-face-to-face context. According to Article 6, obliged entities may also use electronic identification means which meet the requirements of the eIDAS Regulation[5] with regard to the assurance levels "substantial" or "high", or qualified trust services as set out in that Regulation.

The current draft RTS reads as though obliged entities may use other remote solutions to acquire the customer's identity document or equivalent only in cases where verification in line with the requirements of eIDAS is not available or cannot reasonably be expected to be provided (cf. Article 6 para. 3 – 6 of the RTS). The obliged entities must use reliable and independent information sources and in particular must meet the following safeguards in line with Article 6 para. 4:

  1. controls ensuring that the person presenting the customer’s identity document (or equivalent) is the same person as the person on the picture of the document;
  2. the integrity and confidentiality of the audiovisual communication with the person should be adequately ensured; for this reason, only end-to-end encrypted video chats are permitted;
  3. any images, video, sound and data are captured in a readable format and with sufficient quality so that the customer is unambiguously recognisable;
  4. the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected;
  5. the information obtained through the remote solution is up to date;
  6. the documents and information collected during the remote identification process, which are required to be retained, are time-stamped and stored securely by the obliged entity. The content of stored records, including images, videos, sound and data shall be available in a readable format and allow for ex-post verifications.

It remains to be seen whether ID&V in line with eIDAS will become the central remote onboarding solution and in what circumstances supervisors will determine that the verification under the requirements of eIDAS "cannot reasonably be expected".

Ultimate Beneficial Owner and Senior Managing Officials

The draft RTS includes several provisions that specify requirements regarding the identification and verification of beneficial owners. In particular, obliged entities are required to understand the ownership and control structure of their customers by obtaining a reference to all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners. Moreover, an extensive list of references is to be obtained with respect to each of these legal entities or legal arrangements[6]:

  • legal form
  • reference to the existence of any nominee shareholders
  • jurisdiction of incorporation (for trusts: governing law)
  • shares of interest held / type of shares / voting rights
  • information on the regulated market on which a security is listed / the extent of listing.

In relation to senior managing officials as referred to in Article 22 para. 2 AMLR, obliged entities shall collect and verify the information in the same way as for beneficial owners.[7]

Purpose and intended nature of the business relationship or the occasional transaction

Obliged entities must take risk-sensitive measures to determine why the customer has chosen their products and services, how the customer plans to use them, whether the customer has additional business relationships with the entity or its group, and, in higher-risk situations, the source of the customer's wealth. The draft RTS further requires entities to take risk-sensitive measures to obtain information on the purpose and economic rationale of the relationship or transaction, the estimated amount of funds and transaction details, the source and destination of funds, and the customer's business activity or occupation.[8]

For low-risk clients, obliged entities shall, at a minimum, take the risk-sensitive measures necessary to understand why the client has chosen the obliged entity's products and services, the source of the funds used in the business relationship or occasional transaction, and how the client plans to use the products or services provided, including where applicable the estimated amounts flowing through the account.[9]

SDD & EDD

Minimum requirements (SDD)

Customer identification:

Natural person

  • names
  • place and date of birth
  • nationalities (or statelessness and refugee or subsidiary protection status)

Legal entity

  • legal form
  • registered name & commercial name
  • address of the registered official office
  • registration number
  • tax identification number (or legal entity identifier where applicable)

ID&V of the beneficial owner or senior managing official:

Obliged entities may consult one of the following sources for the identification of, and use another source (other than the central register or company register)

  • central register / company register,
  • the statement or explanation provided by the customer,
  • any publicly available, reliable sources of information including internet research.

Additional required information (EDD)

Obliged entities shall obtain additional information that enables the entity to

  • verify the authenticity and accuracy of the information on the customer and the beneficial owner or the ownership and control structure of the customer other than a natural person,
  • assess the reputation of the customer and the beneficial owner,
  • assess the ML/TF risk associated with the customer's / beneficial owner's past and present business activities,
  • in cases where the obliged entity has reasonable grounds to suspect criminal activity, obtain a more holistic view of ML/TF risks by obtaining information on individuals closely related to the customer or the beneficial owner.

Additionally, as part of the EDD measures, the draft RTS also includes further stipulations regarding the obligations to obtain additional information on

  • the intended nature of the business relationship,
  • the source of funds and source of wealth of the customer and of the beneficial owners,
  • the reasons for the intended or performed transactions and their consistency with the business relationship.[10]

Based on Article 20 para. 1 lit. d) AMLR, which requires obliged entities to screen customers and beneficial owners with regard to targeted financial sanctions as part of the CDD, Article 29 of the RTS also specifies the requirements for screening. Obliged entities must carry out regular screening using automated screening tools and/or manual checks.

EBA acknowledges the difficulties for obliged entities to apply the new CDD standards to all clients by 10 July 2027, the day from which the AMLR shall apply and by which AMLA must issue various RTS. To make the process of upgrading all client relationships to the new AML/CFT standards more manageable, EBA refers to the risk-based approach and requires obliged entities to prioritise their high ML/TF risk business relationships. EBA proposes a 5-year transition period for the updating of all other (non-high-risk) business relationships.[11]

4. Draft RTS under Article 53 para. 10 AMLD6 on pecuniary sanctions, administrative measures and periodic penalty payments

The draft RTS aims to harmonise the approach of AML/CFT supervisors across the EU on enforcement measures. For this, the draft RTS includes

  • indicators for classifying the severity of breaches,
  • criteria for setting the level of pecuniary sanctions and applying administrative measures, and
  • a methodology for imposing periodic penalty payments.

The draft RTS includes a catalogue of indicators that shall be considered by supervisors for classifying the severity of breaches. The indicators include factors such as the duration and repetition of the breach, the conduct of the person responsible and any other indicator identified by the supervisors.

The criteria to be taken into account when setting the level of pecuniary sanctions and applying administrative measures include, among other things, the level of cooperation of the natural or legal person held responsible with the supervisor. Additional relevant criteria are: (i) whether the complete breach has been quickly brought to the supervisor's attention, and (ii) the conduct of the responsible person. Supervisors may identify further criteria that are to be considered.

The draft RTS assigns the presence of the individual indicators to four categories of levels of gravity of breaches, in increasing order of severity. A breach with a level of gravity classified as category three or four shall be deemed serious, repeated or systematic within the meaning of Article 55 para. 1 AMLD6.[12] Thereby, the draft RTS aims to harmonise the imposition of pecuniary sanctions resulting from serious, repeated or systematic breaches.


[1] Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849, OJ L 150, 9.6.2023, p. 1–39, was initially part of the AML Package but was adopted earlier on 31 May 2023.

[2] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 3.2, recital 6.

[3] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 3.2.3, recital 41.

[4] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Articles 5 and 6.

[5] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS).

[6] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Article 10.

[7] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Article 12.

[8] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Articles 15 and 16.

[9] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Article 23.

[10] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Articles 25 – 27.

[11] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.3, Article 32.

[12] EBA Consultation Paper on Response to Call for Advice new AMLA mandates, section 4.4, Articles 1 – 3.


Key contacts

Kai Liebrich

Managing Partner, Germany, Germany

Dr Timo Bühler

Partner, Germany

Sophia Peter

Associate, Germany

Thorben Schlingmann

Associate, Germany