Draft RTS on CDD published
In March 2025, the European Banking Authority (EBA) published its draft Regulatory Technical Standards (RTS) under Article 28(1) of the Anti-Money Laundering Regulation (AMLR). This development is a cornerstone of the EU’s shift toward a harmonised, single-rulebook framework for Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT), led by the newly established Anti-Money Laundering Authority (AMLA).
These draft RTS aim to unify and clarify Customer Due Diligence (CDD) obligations across the EU. For financial institutions and other obliged entities, this marks a significant evolution in AML/CFT compliance—moving away from fragmented national interpretations toward a more centralised, risk-based approach.
Key Objectives of the Draft RTS on CDD
The RTS under Article 28(1) AMLR seek to:
Standardise CDD practices across Member States
Clarify the information to be collected under Standard, Simplified, and Enhanced Due Diligence regimes
Define acceptable sources for verifying identity
Guide supervisors on risk factors for electronic money exemptions
Set out attributes for electronic identification means and trust services
The overarching intent is to reduce compliance uncertainty, regulatory arbitrage, and operational inefficiencies—particularly for cross-border providers.
Principles-Based and Risk-Based: A Balanced Approach
Responding to private sector feedback, the EBA has steered clear of a one-size-fits-all, overly prescriptive rulebook. Instead, the RTS adopt a principles-based, risk-sensitive approach. This allows obliged entities flexibility in how they collect and verify customer information, provided outcomes meet regulatory expectations.
For instance, the RTS do not mandate specific documents for CDD. They require instead that the sources be “reliable and independent,” allowing entities to align verification methods with the customer profile, risk level, and delivery channel.
Implications for Electronic Identification and eIDAS
A critical point of discussion has been the interpretation of Article 22(6) of the AMLR, which references eIDAS-compliant identity tools. The draft RTS clarify that while eIDAS-based verification should be used where available and reasonable, it should not be the sole pathway. This is particularly important for:
Non-EU residents
Vulnerable populations
Firms operating in jurisdictions where eIDAS is not commonly adopted
Obliged entities may continue to use robust, alternative digital onboarding solutions, such as those aligned with the EBA’s 2022 Remote Customer Onboarding Guidelines.
Staged Implementation for Existing Customers
Another practical measure proposed by the EBA is a transitional approach to updating CDD records for existing clients. While the AMLR suggests a compliance date of 10 July 2027, the RTS recommend a risk-based prioritisation strategy:
High-risk relationships should be updated by 2027
Other relationships may be updated over a five-year transition period
This phased strategy is critical for managing operational burden while maintaining AML/CFT effectiveness.
What This Means for Financial Institutions
With the publication of these draft RTS, firms must begin preparing for a significantly more standardised and supervised CDD regime. Key actions include:
Gap assessments against the draft RTS and AMLR provisions
Reviewing and enhancing digital onboarding processes
Aligning internal policies with the risk-based approach to data collection and verification
Planning for the transition period, including resource allocation and client communication strategies
How I Can Help
As a regulatory consultant specialising in AML/CFT and fintech regulation, I assist firms in understanding and implementing complex compliance frameworks like the AMLR and its technical standards. I offer:
Detailed CDD framework reviews
Policy and procedure design aligned with the AMLR and RTS
Support for remote onboarding assessments
Strategic advice on risk-based implementation timelines