EBA ¦ Draft RTS on Customer Due Diligence under Article 28(1) of Regulation (EU) 2024/1624

Draft RTS on Customer Due Diligence: What AML Practitioners Need to Know

The draft Regulatory Technical Standards (RTS) supplementing Regulation (EU) 2024/1624 set out a detailed, risk-sensitive framework for customer due diligence (CDD) across the European Union. The text aims to standardise what information obliged entities must collect, how identity and beneficial ownership should be verified, and when simplified or enhanced measures apply. That harmonisation objective runs through the draft: the same basic approach applies to natural persons and legal persons, and Member States and obliged entities are expected to align their practices with the common parameters the RTS defines.

Identity data and documentation: more precision, more flexibility

The RTS specifies minimum data elements for names, addresses, place of birth and nationalities, and clarifies acceptable documents and electronic identification methods. For natural persons, obliged entities must capture all names and surnames that appear on identity documents, the place of birth (at least the country), date of birth and nationalities or, where relevant, stateless or refugee status. For legal persons, the registered name and any trade name must be obtained, with the registered office and identifiers collected where available.

Documents used to verify identity must be issued by a state or public authority, contain a document number, expiry date, a facial image and signature, and include security features to demonstrate authenticity. The RTS recognises situations where traditional documents are unavailable — such as for refugees, stateless persons or homeless individuals — and permits the use of other credible means to obtain required information, while emphasising that this flexibility is not an exemption from collecting the prescribed data.

Non-face-to-face verification and electronic identification

The draft RTS endorses the use of qualified electronic identification means that comply with eIDAS for non-face-to-face verification. Where eIDAS-based solutions are not available, remote verification methods may still be used provided they rely on reliable and independent data sources and incorporate safeguards: biometric and document checks to ensure the person in the session matches the document photo, secure communications, readable capture of images and audio/video, time-stamping and secure storage for ex-post checks. Firms using remote tools must be able to demonstrate compliance to competent authorities and must respect applicable data protection rules.

Beneficial ownership and senior managing officials

Obtaining reliable beneficial ownership information remains central. The RTS underlines that consulting central registers is necessary but not sufficient on its own; obliged entities must take reasonable additional measures to verify beneficial owners. If, after exhausting means, beneficial owners cannot be reliably identified, the RTS permits identification and verification of senior managing officials (SMOs), with the same information requirements as for beneficial owners, although in some cases the registered office address may substitute for a residential address.

Bastian Schwind-Wagner: "The draft RTS under Regulation (EU) 2024/1624 establishes clear, risk-sensitive CDD standards that strengthen beneficial ownership verification, remote identification safeguards and sanctions screening while preserving flexibility to prevent financial exclusion. Obliged entities must update processes, technologies and record-keeping to meet these harmonised EU requirements once the RTS is adopted."

Understanding ownership and control structures

Obliged entities must obtain a structured description of ownership and control, including intermediate entities, jurisdictions, legal form, presence of nominee arrangements and the percentage holdings or voting rights where relevant. The RTS defines a “complex corporate structure” as one with three or more layers between the customer and the beneficial owner plus aggravating features such as nominee arrangements, non-EU registrations, trusts or structures that obscure transparency. In such cases, additional measures — including organigrams and further documentary evidence — will be required so that the obliged entity gains a comprehensive understanding and can assess related money laundering and terrorist financing (ML/TF) risks.

Purpose and intended nature of the relationship

The draft RTS provides granular guidance on the information needed to understand the purpose and intended nature of a business relationship or occasional transaction. Firms must, where necessary, obtain information on the reason for using services or products, intended use, estimated transaction volumes and amounts, source and destination of funds, expected transaction counterparties and the customer’s business activity or occupation. This information supports the proportional application of CDD and feeds into ongoing monitoring.

Politically exposed persons: screening and ongoing review

The RTS requires screening for politically exposed persons (PEPs), their family members and known close associates at onboarding and periodically thereafter on a risk-sensitive basis, and without delay when new information arises. Automated screening tools — or a mix of automated tools and manual checks — are expected except where a firm’s size or business model justifies manual-only checks. The draft also requires timely responses to updates in lists of prominent public functions.

Graduated approach: simplified and enhanced due diligence

The text codifies what qualifies as low-risk and the minimum identification data required in such cases. In low-risk situations, identification can be limited to core passport-like data for natural persons (names, place of birth, date of birth, nationalities or status) and to basic registry information for legal persons (legal form, registered name, registered office, registration or tax numbers). For pooled accounts held by obliged entities, the RTS allows sectoral simplified measures where the account holder is itself an obliged entity subject to robust AML/CFT supervision and the risk is low.

Conversely, where ML/TF risks are higher, the RTS lists enhanced due diligence measures and the additional information firms should obtain:

  • documentation and corroboration to ensure the authenticity of customer and beneficial ownership data;
  • deeper information on source of funds and source of wealth (tax returns, payroll, audited accounts, property deeds, contracts, registry data and other independent evidence); and
  • fuller explanations for unusual or high-risk transactions and their consistency with the stated business relationship.

Targeted financial sanctions screening

The draft RTS places explicit obligations on obliged entities to screen customers, beneficial owners and controlling persons against targeted financial sanctions lists. Screening should use automated tools when possible and cover names and transliterations, aliases, trade names and, where available, digital wallet addresses. In cases of matches, firms must cross-check against all due diligence data and public sources to determine whether the match represents the targeted person. Screening must occur at onboarding, on designation changes, and when substantial customer data changes occur.

Electronic money instruments and supervisory discretion

For electronic money issuers, the RTS provides a non-exhaustive set of risk factors supervisors should consider when deciding whether to grant CDD exemptions and their scope. Factors include transaction limits, issuer verification of fund origin, pricing, permitted goods and services, geographical and distribution limitations, intermediary controls, technological safeguards (geo-fencing, IP tracking), and whether intermediaries applying the instrument are obliged entities themselves.

Attributes for eID and trust services

Annex I (referenced in the draft) ties electronic identification and qualified trust services to concrete attribute sets that will satisfy standard, simplified or enhanced due diligence requirements. Obliged entities may ask for additional attributes where risk justifies it and must supplement any missing attributes by other verification means.

Operational implications for obliged entities

The RTS imposes detailed operational requirements that will affect onboarding workflows, remote verification technologies, screening systems, and record-keeping. Firms will need to:

  • Review and possibly update customer identification forms and data capture to ensure capture of all required elements, including multiple nationalities and place of birth.
  • Validate that remote onboarding solutions meet technical and documentary safeguards and can produce verifiable records for supervisory review.
  • Enhance beneficial ownership verification processes to go beyond register checks, using independent sources and cross-institutional confirmations.
  • Strengthen systems to detect complex structures and trigger organigrams and deeper checks where the defined complexity thresholds are met.
  • Ensure PEP screening tools cover family members, close associates, transliterations, aliases and digital wallet addresses and support risk-sensitive periodic reviews.
  • Document risk assessments that justify simplified due diligence, and maintain procedures to revert to standard or enhanced measures if risk indicators change.
  • Integrate targeted financial sanctions screening into onboarding and ongoing monitoring with clear escalation procedures for matches and suspected circumvention.

Regulatory timing and transition

The draft RTS notes that update cycles for existing customers should not start until the RTS takes effect, and gives maximum periods of one and five years for updating customer data depending on the requirement. Where customers were onboarded before Regulation (EU) 2024/1624 came into force, firms have up to five years to update certain information, taking account of risk profiles. The draft enters into force 20 days after publication and applies from a specified application date.

Conclusion: greater consistency, higher operational demands

The draft RTS delivers a comprehensive and prescriptive framework meant to harmonise CDD across the EU, reduce regulatory divergence, and tighten verification of beneficial ownership and PEP exposure. For compliance teams, the demand is for clearer policies, stronger technical controls for remote onboarding and sanctions screening, and robust processes for complex ownership structures and enhanced due diligence. Firms should start gap analyses now to align intake forms, verification technologies, screening logic and record-keeping with the RTS so they can meet supervisory expectations promptly once the standards are finalised and enter into force.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.

Dive deeper

  • EBA ¦ The EBA advises the European Commission on the foundations of the new anti-money laundering/countering the financing of terrorism regime

Bastian Schwind-Wagner

Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.