Article 21 Minimum requirements for the identification and verification of beneficial owner or senior managing officials in situations of low risk


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 21 of the RTS on customer due diligence say?

This article sits within the simplified due diligence framework, specifically addressing how obliged entities should handle the identification and verification of beneficial owners or senior managing officials when the ML/TF risk is low.

It sets out an acceptable range of information sources for identification, and then adds a cross-checking requirement for the verification step, ensuring that a different source is used than the one already consulted for identification.

Important points:

  • In low-risk situations, consult at least one of three permitted sources to identify a beneficial owner or senior managing official: a central/company register, customer-provided information, or a reliable independent open source.
  • For verification, obliged entities must use a source from the permitted list that was not already used for identification — ensuring a degree of independence between the two steps.
  • This article builds directly on the simplified due diligence measures framework and applies exclusively to low-risk situations; higher-risk scenarios are governed by stricter requirements elsewhere in the regulation.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. To identify the beneficial owner or senior managing officials in situations of low risk, obliged entities shall consult one of the following sources of information:

      1. the information contained in the central register, business or company register;

      2. any information provided by the customer, including information that obliged entities may already hold;

      3. any publicly available information contained in a reliable independent open source.

    1. To verify the identity of the beneficial owner or senior managing officials in situations of low risk, the obliged entity shall consult one of the sources of information listed in paragraph (1), points (b) or (c), that was not used for identification purposes.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod