AMLA's CDD Standards: What Identity Systems Must Deliver

AMLA's consultation on CDD technical standards closed May 8. Final rules go to the EU Commission by July 10. Here's what KYC systems must deliver.

By Emily Carter, AI Strategy Consultant at Joinble

On May 8, 2026, a consultation period closed in Brussels that most compliance teams had not flagged on their calendars. The Anti-Money Laundering Authority had been accepting public feedback on its draft Regulatory Technical Standards on Customer Due Diligence — a document that will define, with legal precision, exactly how identity verification must work across the entire EU.

The final standards are due to the European Commission by July 10, 2026. From that point, obliged entities will have until July 10, 2027 to adapt their policies, systems, and controls accordingly.

That is a 14-month window. It sounds comfortable. It is not.

What the AMLA CDD Technical Standards Actually Cover

AMLA's draft RTS on Customer Due Diligence (under Article 28(1) of the AML Regulation) does not describe general principles. It specifies operational requirements: which documents can be accepted, which electronic identification means qualify, what risk factors must trigger escalation from standard to enhanced due diligence, and under what conditions simplified CDD is permissible.

This is the technical rulebook that will govern how identity is verified across the EU financial system, crypto sector, real estate sector, luxury goods market, and all other categories of obliged entity under the AMLR.

The consultation covered three distinct areas:

| Area | Legal Basis | What It Governs |
|------|-------------|-----------------|
| CDD requirements | Art. 28(1) AMLR | Documents, electronic means, verification methods |
| Business relationship monitoring | Art. 19(9) AMLR | Triggers for ongoing review and re-verification |
| Harmonised supervision | Art. 53(10) AMLD6 | Supervisor methodology for assessing CDD compliance |

Understanding these three pillars is the foundation for understanding what identity systems will need to do from July 2027.

The Three-Tier CDD Framework

The AMLR formalises a three-tier approach to customer due diligence: standard, simplified, and enhanced. The RTS defines the technical boundary conditions for each.

Standard CDD

Standard CDD applies to the default customer relationship. The RTS specifies which identity documents obliged entities may collect and rely upon to verify customer identity and beneficial ownership.

Critically, the RTS formally establishes which electronic identification means satisfy CDD requirements. Under the framework, eIDAS-compliant electronic identification — including credentials issued through the EU Digital Identity Wallet — qualifies for standard CDD and is explicitly considered equivalent to face-to-face verification for these purposes.

This matters structurally: if your onboarding system accepts government-issued eIDAS credentials at the same assurance level it applies to physical documents, the CDD obligation is met without additional manual review. If it does not, you are building technical debt that becomes a compliance liability in 2027.

Simplified CDD

The draft RTS addresses the conditions under which obliged entities may apply reduced CDD measures. This includes specific provisions for electronic money instruments — prepaid cards and similar products — where AMLA specifies the risk thresholds below which full CDD is not required.

Simplified CDD is not an opt-out from KYC. It is a calibrated reduction in the depth of verification measures permitted only when documented risk factors fall below defined thresholds. The RTS defines those thresholds explicitly, removing the interpretive grey area that compliance teams have operated in under the previous national transpositions of AMLD4 and AMLD5.

Enhanced CDD

Enhanced CDD triggers when specific risk factors are present. The RTS does not leave "high risk" undefined — it enumerates the conditions that mandate escalation:

  • Customers from jurisdictions on FATF grey or black lists
  • Politically exposed persons (PEPs) and their associates
  • Transactions involving complex corporate structures or nominee arrangements
  • Unusual transaction patterns relative to stated business purpose
  • Non-face-to-face onboarding in contexts where additional verification is warranted

For identity systems, enhanced CDD has a specific technical implication: the verification measures must be documentably more rigorous. That means additional document types, additional liveness checks, source of funds verification, and in some cases, senior management sign-off. The RTS introduces a proportionality requirement — enhanced measures must be proportionate to the specific risk factors present, not simply maximum intensity applied uniformly.
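
The escalation and proportionality logic described above, as an added example that is not part of the original article and is not Joinble's or AMLA's code. The trigger identifiers, the trigger-to-measure mapping, the `low_risk_documented` flag (a stand-in for the RTS thresholds, which the article does not state) and the hash-chained record format are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Trigger names paraphrase the article's list. The trigger-to-measure mapping
# is an illustrative assumption, not taken from the RTS.
MEASURES = {
    "high_risk_jurisdiction": ["additional_documents", "source_of_funds"],
    "pep_or_associate": ["senior_management_signoff", "source_of_funds"],
    "complex_structure": ["additional_documents"],
    "unusual_transactions": ["source_of_funds"],
    "non_face_to_face": ["additional_liveness_check"],
}
GENESIS = "0" * 64  # prev_hash of the first record in a customer's chain

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def determine_cdd(customer_id, triggers, low_risk_documented=False,
                  prev_hash=GENESIS, now=None):
    """Return a hash-chained decision record for one CDD assessment."""
    present = sorted(set(triggers))
    unknown = [t for t in present if t not in MEASURES]
    if unknown:  # fail closed rather than silently ignore a risk signal
        raise ValueError(f"unknown risk factors: {unknown}")
    if present:
        # Proportionality: only the measures tied to the triggers present.
        level = "enhanced"
        measures = sorted({m for t in present for m in MEASURES[t]})
    elif low_risk_documented:  # placeholder for the RTS-defined thresholds
        level, measures = "simplified", []
    else:
        level, measures = "standard", []
    record = {"customer_id": customer_id, "level": level, "triggers": present,
              "measures": measures, "prev_hash": prev_hash,
              "decided_at": (now or datetime.now(timezone.utc)).isoformat()}
    record["hash"] = _digest(record)  # computed before the hash field exists
    return record

def verify_chain(records):
    """True if every record's hash and link to its predecessor check out."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Each re-evaluation appends a new record whose `prev_hash` is the previous record's `hash`, so a decision edited after the fact no longer verifies.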

The eIDAS 2.0 Intersection

One of the most operationally significant aspects of the CDD RTS is its treatment of electronic identification means. This is where the AMLA standards connect directly to the eIDAS 2.0 framework and EUDI Wallet deployment timeline.

Under the draft RTS, electronic identification means that meet certain attributes are considered valid for CDD. Specifically, the RTS defines the technical requirements that electronic identification means must fulfil — assurance levels, cryptographic properties, issuer trust — to be accepted for standard and enhanced due diligence.

This creates a direct implementation dependency: businesses that delay their eIDAS 2.0 relying party registration will find themselves building a compliance capability that is already technically outdated when the AMLR RTS enters force. The two regulatory timelines — EUDI Wallet deployment by December 2026 and AMLR RTS application from July 2027 — converge within seven months of each other.

The practical consequence is that identity systems designed around document capture alone will require fundamental re-architecture to satisfy both eIDAS 2.0 and the AMLR CDD standards simultaneously.

Who This Affects Beyond Financial Institutions

The AMLR significantly expands the category of obliged entities compared to previous AML directives. The CDD RTS applies not just to banks and payment institutions but to the full list of regulated sectors:

  • Crypto-asset service providers (CASPs) under MiCA
  • Real estate agents and property managers
  • Luxury goods dealers above transaction thresholds
  • Accountants, auditors, tax advisors
  • Trust and company service providers
  • High-value goods dealers and auctioneers

For CASPs already navigating the MiCA licensing deadline of July 1, 2026, the CDD RTS adds a second layer of technical obligation arriving twelve months later. Firms that have built MiCA-compliant KYC flows will need to audit those flows against the AMLR CDD standards before July 2027 — and many will find gaps.

For real estate professionals, the AMLR CDD standards represent an entirely new compliance domain. The sector has historically operated under lighter-touch AML requirements. The AMLR changes that categorically. The RTS specifies what identity verification for property transactions must include, which document types are acceptable, and what ongoing monitoring is required for business relationships.

What Firms Need to Build Before July 2027

The 14 months between the RTS publication (July 2026) and its application date (July 2027) sounds like adequate preparation time. It is not, for two reasons.

First, the RTS is not the only deliverable. AMLA is publishing approximately 26 technical standards, implementing standards, and guidelines in 2026 alone. Each requires interpretation, gap analysis, system adaptation, and documentation. Teams working sequentially through this backlog will be completing the last item as the first compliance deadline hits.

Second, the technical changes required are not configuration updates. They involve:

  • Revising document acceptance logic to align with the RTS-defined acceptable document types
  • Building or integrating eIDAS-compliant electronic identification verification
  • Implementing risk-factor detection for automated CDD level determination
  • Adding documented enhanced CDD workflows with approval chains
  • Updating ongoing monitoring triggers based on the RTS-defined business relationship review conditions
  • Producing audit-ready records that satisfy the RTS documentation requirements

| Action | When |
|--------|------|
| Gap analysis: current KYC system vs. AMLR CDD RTS | Now — Q2 2026 |
| Begin eIDAS 2.0 relying party registration | Q2–Q3 2026 |
| Implement risk-factor-based CDD level logic | Q3 2026 |
| Complete enhanced CDD workflow architecture | Q4 2026 |
| Full testing and documentation review | Q1 2027 |
| AMLR CDD RTS application date | July 10, 2027 |

Where AI Agents Change the Equation

The manual compliance approach — analysts reviewing cases, applying judgement to CDD levels, documenting decisions retrospectively — cannot scale to the volume and complexity the AMLR CDD RTS demands. The standards require dynamic, documented, risk-proportionate decisions at the point of onboarding and throughout the business relationship.

This is precisely where agentic KYC systems offer a structural advantage. An AI agent continuously evaluating customer risk factors against RTS-defined triggers can determine the appropriate CDD level in real time, apply the correct verification measures, document the decision with an audit trail, and re-evaluate when the risk profile changes.

The AMLR CDD RTS, read carefully, describes a continuous intelligence problem — not a one-time document collection exercise. The verification must be ongoing, the risk assessment must be updated, and the documentation must be contemporaneous. That is a workflow that agents handle systematically and that human-led processes handle at significant cost and inconsistency.

KYC 3.0 architectures — built around continuous, contextual, intelligence-driven verification — are already aligned with the AMLR CDD RTS design. Those built around static document capture at onboarding will require a fundamental rethink before July 2027.

Joinble's AI Agents are designed to handle exactly this kind of dynamic, risk-calibrated compliance workflow — where the CDD level is determined by real-time risk signals rather than a manual questionnaire completed at sign-up.

A Practical Timeline for Compliance Teams

The CDD RTS consultation closed May 8. AMLA now processes stakeholder feedback and submits the final standards to the European Commission by July 10, 2026. The Commission reviews and adopts the standards. They enter application on July 10, 2027.

The visible milestone is July 2027. The real deadline is now — because the systems, integrations, and workflows that need to exist by July 2027 take 12 to 18 months to build and validate.

Compliance teams that treat this as a 2027 problem will face an uncomfortable reality in Q1 2027: they have six months to implement changes that require 18.

FAQ

What is the AMLA CDD RTS and why does it matter?

The AMLA Regulatory Technical Standard on Customer Due Diligence specifies exactly how obliged entities must verify customer identity across the EU. It defines acceptable documents, qualifying electronic identification means, and the conditions for standard, simplified, and enhanced due diligence. It is not guidance — it is binding technical law, applicable from July 10, 2027.

When do the final CDD technical standards get published?

AMLA must submit its final draft RTS to the European Commission by July 10, 2026. After Commission adoption, the standards will apply from July 10, 2027. Firms have 12 months to implement the required changes from final publication.

Who does the AMLR CDD RTS apply to?

Every obliged entity under the AMLR: banks, payment institutions, e-money institutions, crypto-asset service providers (CASPs), real estate agents, luxury goods dealers, accountants, auditors, trust and company service providers, and others. This is significantly broader than previous AML directives.

How does eIDAS 2.0 relate to the CDD technical standards?

The AMLA CDD RTS formally recognises eIDAS-compliant electronic identification means as valid for customer due diligence. Credentials issued through the EU Digital Identity Wallet will qualify for both standard and enhanced CDD where they meet the technical attributes defined in the RTS. Businesses that do not integrate eIDAS-compliant verification by July 2027 will face a compliance gap.

How does simplified CDD differ from standard CDD under the RTS?

Simplified CDD allows reduced verification measures when documented risk factors fall below defined thresholds. The RTS specifies those thresholds explicitly — including conditions for electronic money instruments. It is not a general risk-based discretion: the conditions for simplified CDD must be met and documented, and ongoing monitoring continues even under simplified measures.

How can AI agents help meet the AMLR CDD requirements?

AI agents can evaluate customer risk factors against AMLR-defined triggers in real time, determine the appropriate CDD level, apply the corresponding verification measures, document the decision with a complete audit trail, and update the assessment when risk indicators change. This is the kind of continuous, documented, proportionate compliance workflow the AMLR CDD RTS requires — and the kind that manual processes cannot deliver at scale.
