Preamble Recitals


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Recital 1

Regulation (EU) 2024/1624 aims for harmonisation of customer due diligence measures across Member States and obliged entities within the EU. To achieve this, this Commission Delegated Regulation (‘Regulation’) sets common parameters for the application of customer due diligence measures. Obliged entities are required to adjust the customer due diligence measures based on the ML/TF risk associated with their customers, business relationships or an occasional transaction. This will ensure a proportionate and effective approach. Accordingly, obliged entities shall collect the information on a risk-sensitive basis and apply the measures laid down in this Regulation, ensuring that their scope, intensity and frequency are proportionate to the customer’s money laundering and terrorist financing risk profile.

Recital 2

Obliged entities should, when identifying a customer and verifying their identity, collect data and information in a consistent way in all Member States. The same approach should apply to all customers, whether they are a natural person or a legal person.

Recital 3

Obliged entities should collect information to understand the nationality and the place of birth of customers who are natural persons. Since not all government-issued identity documents contain information on the holder’s nationality or their place of birth, obliged entities may need to obtain that information from other sources. Where a person holds multiple nationalities and declares them in good faith, verifying one nationality will be sufficient. In situations where the person is stateless, or has refugee or subsidiary protection status, this information should instead be obtained.

Recital 4

Information collected by obliged entities for customer due diligence purposes may not always be in the form of documents. This Regulation specifies the situations where documents should be collected.

Recital 5

Obtaining data and documents from independent and reliable sources is key to ensuring that obliged entities can be satisfied that they know who their customers are. Reliable and independent sources of information for customers that are not natural persons include, but are not limited to: statutory documents of the legal entity or legal arrangement required by law, including certificates of incorporation or audited financial statements; the most recent version of the constitutive documents establishing the legal entity or legal arrangement, including the Memorandum of Association and Articles of Association, or a recent official copy of these documents issued by the applicable public registers and lists or an unofficial copy thereof certified by an independent professional or a public authority. In the case of a trust or similar legal arrangement that may not be subject to registration, a recent copy of the trust deed, or an extract thereof, together with any other document that determines the exercise of any powers by the trustees or similar administrators, certified by an independent professional, could qualify as reliable and independent sources of information.

Recital 6

Obliged entities should assess the level of reliability and independence of the sources of information they have obtained as part of their customer due diligence process based on certain criteria. For example, unless it has been issued by a state or public authority, a recent document may be more reliable than information that dates back several years. Once such assessment of a certain source is completed, the results of such assessment can be used for multiple customers.

Recital 7

There may be situations where identity documents issued to or held by the customer do not meet the attributes of an identity card or passport. This could be the case, for example, where the customer has credible and legitimate reasons for being unable to provide traditional forms of identity documentation: being an asylum seeker; a refugee; a person to whom a residence permit was not granted, but whose repatriation is impossible for legal or factual reasons; being homeless or being otherwise vulnerable. Regulation (EU) 2024/1624 does not provide an exemption from the list of information obliged entities should collect for natural persons in this category. To mitigate the risk of financial exclusion and unwarranted de-risking, this Regulation makes the approach more flexible by allowing obliged entities to obtain the requested information from these natural persons via other credible means. This could be the case where the customer is or acts on behalf of a minor child who does not possess a passport or identity document. In view of the minor’s representation by a parent or legal guardian, who would themselves be subject to identification and verification, it would be appropriate to consider a birth certificate as a credible source for the purposes of identifying and verifying the identity of the minor child.

Recital 8

Obtaining beneficial owner information for all customers that are not natural persons is essential for complying with anti-money laundering and countering the financing of terrorism (AML/CFT) requirements and with targeted financial sanctions obligations. For this reason, consultation of central registers for information on beneficial owners is necessary but not sufficient to fulfil the verification requirements.

Recital 9

There are legitimate situations where the obliged entity may be unable to identify a natural person as the beneficial owner of its customer. In these situations, Regulation (EU) 2024/1624 instead requires the identification of senior managing officials (SMOs). While SMOs are not beneficial owners, for the purposes of identification and verification measures, obliged entities should collect equivalent information for SMOs as they do for the beneficial owners.

Recital 10

The identification of SMOs is permitted under Regulation (EU) 2024/1624 only in cases where the obliged entity has been unable to identify beneficial owners having ‘exhausted all possible means of identification’ or where ‘there are doubts that the persons identified are the beneficial owners’. Finding it difficult to identify the beneficial owner, for example in cases of complex corporate structures, does not amount to ‘doubts’ and therefore will not provide a sufficient basis for the obliged entity to instead identify the SMOs.

Recital 11

When collecting information on the identity of SMOs in line with Article 22(2), second subparagraph, of Regulation (EU) 2024/1624, the obliged entity may collect the address of the registered office of the legal entity instead of the residential address and country of residence required under Article 62(1), second subparagraph, point (a), of Regulation (EU) 2024/1624.

Recital 12

This Regulation specifies that, in addition to the information to be collected pursuant to the relevant provisions of Section 2 of this Regulation, obliged entities shall obtain information enabling them to verify the existence and scope of any power of representation. Such information may include documentation evidencing a power of attorney or statutory representation, such as proof of legal or parental representation by means of a birth certificate or court-appointed guardianship.

Recital 13

Understanding the purpose and intended nature of a business relationship or occasional transaction is an important component of the customer due diligence process and the modalities are set out in Article 25 of Regulation (EU) 2024/1624. Obliged entities should assess whether the information already at their disposal is sufficient to understand its purpose and intended nature. In situations where they need further information in order to be satisfied that they understand the purpose and intended nature of the business relationship or occasional transaction, this Regulation specifies which information obliged entities should obtain before entering into a business relationship or performing an occasional transaction to satisfy their information needs.

Recital 14

Article 20(1), point (h), of Regulation (EU) 2024/1624 requires that obliged entities identify and verify the identity of the natural person on whose behalf or for the benefit of whom a transaction or activity is being conducted. This Regulation lays down specific rules for the identification and verification of the identity of the final investors of a collective investment undertaking (CIU) that distributes its shares or units through another credit or financial institution, which acts in its own name but on behalf or for the benefit of one or more final investors. To ensure the effectiveness of customer due diligence measures and the proportionality of their application, it is appropriate to allow CIUs, where the relationship with the intermediary institution is assessed as low or standard risk, to rely on that institution for the identification and verification of the final investors, provided that strict conditions are met and that information on the final investors can be obtained without undue delay. CIUs do not need to obtain information on the identity of the underlying investor in all cases and in a systematic manner. Consistent with a risk-based approach and in line with the principle of proportionality, the extent, including frequency and timing, and rationale for obtaining such information should be determined by the specific risks to be mitigated.

Recital 15

Regulation (EU) 2024/1624 requires specific measures to be applied to transactions or business relationships with politically exposed persons (PEPs). The focus of this Regulation is on measures for the identification, by obliged entities, of politically exposed persons, their family members or persons known to be close associates. PEP screening measures should apply to the customer, its beneficial owner and the person on whose behalf or for the benefit of whom a transaction or activity is being carried out. These measures are important because once a PEP is identified, the obliged entity should apply specific and additional customer due diligence measures in relation to that customer.

Recital 16

In situations where the ML/TF risk is assessed as low, Regulation (EU) 2024/1624 allows the application of simplified due diligence measures. Simplified due diligence measures should ease the administrative burden on obliged entities and on their customers.

Recital 17

Minimum requirements for the identification of natural persons in low-risk situations should include at least the type of information that is usually included in a passport or identity document. This ensures that obliged entities have sufficient and verifiable information to establish the identity of their customers, while keeping the requirements proportionate to the lower level of ML/TF risk.

Recital 18

This Regulation identifies a service that would benefit from specific simplified due diligence measures. This is the case where a credit institution opens a pooled account for a customer that is an obliged entity, to hold or administer funds that belong to the customer’s own clients, where the ML/TF risk of that service is assessed as low, based on the credit institution’s risk assessment. In such cases, since the final customers are already subject to the customer due diligence measures applied by the obliged entity, it is proportionate to allow specific simplified due diligence measures, in order to avoid duplication of controls while ensuring that appropriate safeguards remain in place. Situations where credit institutions open a payment account for payment institutions or electronic money institutions will fall outside the scope of the sectoral simplified measures provision of this Regulation. Such situations would be regarded as correspondent relationships within the meaning of Article 2(22), point (b), of Regulation (EU) 2024/1624.

Recital 19

In situations where the ML/TF risks are higher, Regulation (EU) 2024/1624 calls for the application of enhanced due diligence measures to manage and mitigate these risks appropriately. Where obliged entities obtain additional information in relation to the measures mentioned in Article 34(4) of Regulation (EU) 2024/1624 to meet these requirements and to mitigate the higher risk appropriately and effectively, this information should be of sufficient quality to enable them to assess the authenticity and accuracy of the information provided. It should also meet the criteria of reliability and independence.

Recital 20

Additional information obliged entities obtain for understanding the source of funds and the source of wealth of the customer and of the beneficial owners in high-risk situations should enable them to satisfy themselves that the funds and assets used by the customer and beneficial owners are of legitimate origin.

Recital 21

There may be situations where the information to be collected under Regulation (EU) 2024/1624 and this Regulation is already available to the obliged entity or, for example, to other obliged entities within the group. This could also be the case when information is obtained, for instance, to understand the customer's investment profile, or the nature of the engagement, or as part of the audit acceptance process. Where this is the case, obliged entities should consider how such information contributes to complying with their AML/CFT requirements, such as understanding the purpose and intended nature of the beneficial ownership or occasional transaction, before requesting similar information to avoid unnecessary duplication and reduce the regulatory burden on both the obliged entity and its customers. Where the existing information is not deemed sufficient, additional information should be obtained.

Recital 22

Customer due diligence measures include a specific requirement for obliged entities to verify whether the customer or the beneficial owner is subject to targeted financial sanctions as defined by Article 2(49) of Regulation (EU) 2024/1624. Screening for the application of trade or economic sanctions such as arms embargoes, trade restrictions or travel bans falls outside the scope of Regulation (EU) 2024/1624 and, consequently, of this Regulation.

Recital 23

Article 19(7) of Regulation (EU) 2024/1624 provides for a list of four conditions on the basis of which AML/CFT supervisors may decide to grant an exemption for electronic money issuers from the customer due diligence measures in Article 20(1), points (a), (b) and (c), of that Regulation. To enable supervisors to determine the extent of such exemption (i.e. ‘fully or partially’) in a consistent way across Member States, this Regulation provides AML/CFT supervisors with a non-exhaustive list of risk factors associated with features of electronic money instruments.

Recital 24

The use of attributes of means of electronic identification and qualified trust services for customer due diligence purposes should be aligned with the risk of ML/TF posed by the customer or beneficial owner.

Recital 25

Obliged entities need to ensure that their customer information remains up to date. The maximum periods of 1 and 5 years, respectively, for updating customer information in accordance with the requirements of the Regulation (EU) 2024/1624 should only start with the application date of this Commission Delegated Regulation for existing customers onboarded before Regulation (EU) 2024/1624 took effect.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod