Article 31 Risk factors


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 31 of the RTS on customer due diligence say?

This article directly supports the exemption framework established in Article 19(7) of Regulation (EU) 2024/1624, which permits supervisors to grant exemptions from certain customer due diligence requirements for specific payment instruments.

Article 31 provides supervisors with a checklist of risk factors they must weigh when deciding how far-reaching any such exemption should be.

The factors collectively paint a picture of how contained and low-risk a payment instrument is — looking at things like transaction limits, fund origin traceability, geographic reach, distribution controls, and the degree to which the instrument operates within an already-regulated ecosystem.

Important points:

  • Supervisors are required to consider one or more of the listed risk factors when determining the scope of a CDD exemption granted under Article 19(7) of Regulation (EU) 2024/1624.
  • Supervisors must assess characteristics of the payment instrument itself, such as transaction limits, limited duration, restricted geography, and whether distribution runs through obliged entities already applying CDD measures.
  • Supervisors must also weigh whether funds can be traced back to an EEA-regulated account and whether the issuer uses technological controls, such as geo-fencing and IP tracking, to restrict access to non-EU/EEA countries.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

  1. Where supervisors decide to allow for an exemption under Article 19(7) Regulation (EU) 2024/1624, based on the conditions listed in Article 19(7), points (a) to (d), of Regulation (EU) 2024/1624, supervisors shall consider one or more of the following risk factors to determine the extent of that exemption:

    1. the extent to which the payment instrument has low transaction limits or thresholds to limit transaction values;

    2. the extent to which the issuer can verify that the funds originate from an account held and controlled solely or jointly by the customer at an EEA-regulated credit or financial institution;

    3. the extent to which the payment instrument is issued at a nominal or no charge;

    4. the nature and the range of the goods or services that can be acquired, including the level of risks associated with these goods and services;

    5. the extent to which the payment instrument is valid in one or multiple Member States and its issuer is regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer;

    6. the extent to which the transactions through the electronic money instrument are executed by an obliged entity that applies customer due diligence measures and record-keeping requirements laid down in Regulation (EU) 2024/1624;

    7. the extent to which the payment instrument has a specific and limited duration in which the payment instrument can be used;

    8. the extent to which the payment instrument is available through direct channels which may include the issuer or a network of service providers and, in the case of online or non-face- to-face distributions, possess adequate safeguards, including electronic signatures, and anti-impersonation fraud measures;

    9. the extent to which distribution is limited to intermediaries that are themselves obliged entities applying customer due diligence measures and record-keeping requirements laid down in Regulation (EU) 2024/1624;

    10. the extent to which the payment instrument has a limited geographical distribution;

    11. the extent to which the issuer applies adequate technological tools, including geo-fencing and IP tracking, to restrict access from, transfers to or receiving funds from countries that are not EU Member States nor EEA countries.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod