Source: OJ L, 2024/1624, 19.6.2024

Article 28 Regulatory technical standards on the information necessary for the performance of customer due diligence


Summary: What does Article 28 of the Anti-money laundering regulation (AMLR) say?

This article is a delegating provision, tasking AMLA with developing the regulatory technical standards that will give concrete shape to the customer due diligence framework established elsewhere in the regulation.

Rather than setting rules itself, Article 28 instructs AMLA to define the detailed technical content — covering what information must be collected, what simplified measures look like in practice, and what qualifies as a reliable source for identity verification.

It also establishes that AMLA must keep these standards updated over time to reflect innovation and technological developments, and it formally delegates to the Commission the power to adopt them.

Important points:

  • AMLA is required to develop draft regulatory technical standards by 10 July 2026 and submit them to the Commission for adoption.
  • The standards must cover due diligence requirements across standard, simplified and enhanced scenarios, and must be grounded in criteria such as service risk, customer category, transaction nature, and delivery channel.
  • AMLA is also required to regularly review and, where necessary, update these standards to account for innovation and technological developments.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. By 10 July 2026, AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption. Those draft regulatory technical standards shall specify:

      (a) the requirements that apply to obliged entities pursuant to Article 20 and the information to be collected for the purpose of performing standard, simplified and enhanced due diligence pursuant to Articles 22 and 25 and Articles 33(1) and 34(4), including minimum requirements in situations of lower risk;

      (b) the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 33(1) of this Regulation, including measures applicable to specific categories of obliged entities and products or services, having regard to the results of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640;

      (c) the risk factors associated with features of electronic money instruments that should be taken into account by supervisors when determining the extent of the exemption under Article 19(7);

      (d) the reliable and independent sources of information that may be used to verify the identification data of natural or legal persons for the purposes of Article 22(6) and (7);

      (e) the list of attributes which electronic identification means and relevant qualified trust services referred to in Article 22(6), point (b), must feature in order to fulfil the requirements of Article 20(1), points (a) and (b), in the case of standard, simplified and enhanced due diligence.

    2. The requirements and measures referred to in paragraph 1, points (a) and (b), shall be based on the following criteria:

      (a) the inherent risk involved in the service provided;

      (b) the risks associated with categories of customers;

      (c) the nature, amount and recurrence of the transaction;

      (d) the channels used for conducting the business relationship or the occasional transaction.

    3. AMLA shall review regularly the regulatory technical standards and, if necessary, prepare and submit to the Commission the draft for updating those standards in order, inter alia, to take account of innovation and technological developments.

    4. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraphs 1 and 3 of this Article in accordance with Articles 49 to 52 of Regulation (EU) 2024/1620.