
EU AMLR 2027: Your KYC Stack Needs a Non-EU Identity Layer

Mairi Kutberg

The EU AMLR applies 10 July 2027, demanding verifiable identity for every customer. The EUDI Wallet covers 27 EU countries — your non-EU customers need another path.


The EU AMLR applies 10 July 2027, requiring every obliged entity — banks, fintechs, crypto platforms, luxury traders — to verify each customer's identity against authoritative sources. The EUDI Wallet covers 27 EU countries. For roughly 150 non-EU jurisdictions whose nationals open EU accounts, obliged entities need a second compliant pathway, and they need to choose it in 2026.

The EU Anti-Money Laundering Regulation (AMLR) becomes directly applicable across every Member State on 10 July 2027. From that date, every obliged entity — banks, fintechs, crypto platforms, crowdfunding sites, and luxury-goods traders — must verify each customer's identity against authoritative sources. (For a narrower set of newly in-scope entities, such as professional football clubs and football agents, covered by Article 3(3)(n) and (o), it applies from 10 July 2029.) Self-reported data is no longer enough. And the EU Digital Identity Wallet, often presented as the default compliant path, only covers the 27 Member States. For the roughly 180 countries and regions that issue ePassports worldwide, obliged entities need a different compliant layer — and they need to choose it in 2026, not 2027.

What AMLR Actually Requires

AMLR entered into force on 9 July 2024 and will apply directly, without national transposition, from 10 July 2027 (EUR-Lex summary). The European Anti-Money Laundering Authority (AMLA), based in Frankfurt, has been operational since 2025 (AMLA — About). It is expected to open its first selection process for direct supervision on 1 July 2027, select at least 40 large, high-risk financial institutions by the end of 2027, and reach full operational readiness for its first supervisory cycle by mid-2028 (AMLA press release, 2026). The European Banking Authority submitted its draft Regulatory Technical Standards on Customer Due Diligence (CDD RTS) to the European Commission on 30 October 2025; AMLA has since taken the file over and launched its own public consultation on 9 February 2026 (AMLA consultation page).

The operational centre of gravity for anyone onboarding customers remotely is Article 22 (AMLR Article 22 — full text). It requires, for every natural person, at minimum the collection and verification of name, nationality, and address — verifiable against authoritative sources, not simply self-declared.

AMLR does not mandate a specific technology. It mandates that whatever technology you use must produce identity data that is verifiable, high-assurance, and auditable.

AMLR also tightens several thresholds at once:

  • A Union-wide cap of €10,000 on cash payments in commercial transactions, whether single or linked.
  • The CDD threshold for occasional transactions drops from €15,000 to €10,000.
  • Occasional cash transactions of €3,000 or more now trigger limited CDD.
  • Enhanced Due Diligence (EDD) is required when the business relationship involves assets of €5 million or more, or a customer with net worth above €50 million — in addition to high-risk third-country scenarios under Articles 29, 30, and 31.

The Two Remote-Verification Pathways

Article 22(6) of AMLR is short and binary. Obliged entities shall obtain verification information through either of the following means:

[Figure: The two AMLR-compliant remote identification pathways under Article 22(6) and where each one stops working]

  1. Article 22(6)(a) — Document-based remote onboarding. Submission of an identity document, passport, or equivalent and, where relevant, the acquisition of information from reliable independent sources, whether accessed directly or provided by the customer. For remote flows, the draft CDD RTS layer additional technical requirements on top of this: real-time liveness detection, high-quality data capture, and time-stamped records.
  2. Article 22(6)(b) — Electronic identification means under eIDAS. Electronic identification means at the assurance levels Substantial or High under Regulation (EU) No 910/2014, together with the relevant qualified trust services set out in that Regulation. The EUDI Wallet falls here and, through the interplay between AMLR and eIDAS 2.0, will need to operate at the High assurance level for AML onboarding by 2027.

The second pathway is built around the EU's own trust infrastructure. The first is the one obliged entities must use whenever the customer does not have — and cannot get — an EU-issued electronic identity.

Where the EUDI Wallet Stops

By the end of 2026, all 27 EU Member States are required to issue digital identity wallets to their citizens and residents. Banks and large online platforms must accept them. Within the EU, this closes a long-standing verification gap.

But the EUDI Wallet is, by design, an EU-citizen and EU-resident instrument. It does not extend to:

  • Third-country nationals who open a European bank account, invest in a European fund, or buy a MiCAR-regulated crypto asset through an EU-authorised CASP.
  • Foreign beneficial owners of EU legal entities that AMLR requires be identified.
  • Non-EU counterparties in any high-value transaction that triggers CDD under the lowered €10,000 threshold.

For those customers — and they are a material share of every bank's, CASP's, and high-value trader's book — the only available pathway is the first one: document-based remote onboarding under Article 22(6)(a).

Why Document-Plus-Selfie Is Not Enough

Most existing remote-onboarding stacks rely on a photo of an identity document and a live selfie, compared by a facial-recognition model with a liveness probe. That combination was already under pressure before generative AI; it is untenable after it. We covered the five specific attack vectors — deepfake video, camera-pipeline injection, AI-forged documents, real-time face swap, and synthetic identity — in detail in the camera-vs-chip post from 3 April 2026.

The AMLR draft RTS explicitly require real-time liveness detection, high-quality data capture, and secure time-stamped copies for any document-based remote onboarding. Whether a given vendor's selfie-plus-document flow actually clears that bar is precisely what supervisors will be asking about from 2027 onward — and what AMLA will be asking the directly-supervised 40 about from 2028 onward.

Passport Chip Verification as the Scalable Non-EU Path

Every biometric passport issued under ICAO Doc 9303 — now issued by roughly 180 countries and regions (Signicat, December 2025) — contains an NFC chip that holds the holder's data signed by the issuing government. The chip supports Passive Authentication (proving the data is government-signed), Active or Chip Authentication (proving the chip is the original, not a clone), and the PACE access-control protocol (proving the holder is physically present with the document). A passport chip cannot be deepfaked. A government signature cannot be prompt-engineered.

When an AMLR-obliged entity reads a non-EU customer's passport chip in a supervised onboarding flow, the result is cryptographically verifiable identity data — name, nationality, document number, date of birth, photograph — signed by the sovereign that issued the passport. That is the highest-assurance verification available for any human being on the planet whose government still issues travel documents to the ICAO standard, and it works the same way in all 179 countries.
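The data-integrity half of Passive Authentication, sketched as an added example that is not code from this article or from any vendor: the chip's signed security object (SOD) lists one hash per data group, and the reader re-hashes what it actually read. The function names, the sample bytes, and the `sod_signature_ok` flag (assumed to come from a CMS library that has already verified the SOD signature up to a trusted country signing certificate) are assumptions of this example.

```python
import hashlib
import hmac

# Hash algorithms this reader is willing to accept (assumption for this example).
ALLOWED_ALGS = {"sha256", "sha384", "sha512"}

def check_data_groups(sod_alg, sod_hashes, read_dgs):
    """Compare each data group read from the chip with the hash listed in the SOD.

    sod_alg    -- hash algorithm named in the signed security object
    sod_hashes -- {dg_number: digest bytes} taken from the signed security object
    read_dgs   -- {dg_number: raw bytes} as read from the chip
    Returns a list of failures; an empty list means every data group matched.
    """
    if sod_alg not in ALLOWED_ALGS:
        return [f"hash algorithm {sod_alg!r} not accepted"]
    failures = []
    for number, content in sorted(read_dgs.items()):
        expected = sod_hashes.get(number)
        if expected is None:
            # Data the issuer never signed must not be trusted.
            failures.append(f"DG{number} is not listed in the SOD")
            continue
        actual = hashlib.new(sod_alg, content).digest()
        if not hmac.compare_digest(actual, expected):
            failures.append(f"DG{number} hash mismatch")
    return failures

def passive_authentication(sod_signature_ok, sod_alg, sod_hashes, read_dgs, required=(1, 2)):
    """Accept only if the SOD signature was verified and all required DGs match."""
    if not sod_signature_ok:
        return False, ["SOD signature or certificate chain not verified"]
    missing = [f"DG{n} was not read" for n in required if n not in read_dgs]
    failures = missing + check_data_groups(sod_alg, sod_hashes, read_dgs)
    return (not failures), failures

# Constructed sample data, not a real passport: DG1 carries the MRZ, DG2 the face image.
DG1 = b"constructed-MRZ-bytes"
DG2 = b"constructed-face-image-bytes"
SOD_HASHES = {1: hashlib.sha256(DG1).digest(), 2: hashlib.sha256(DG2).digest()}

if __name__ == "__main__":
    print(passive_authentication(True, "sha256", SOD_HASHES, {1: DG1, 2: DG2}))
    print(passive_authentication(True, "sha256", SOD_HASHES, {1: DG1, 2: b"swapped-face"}))
```

A swapped face image fails on the DG2 hash regardless of how convincing it looks, which is the difference between this check and a facial-similarity score.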

What Obliged Entities Should Be Doing in 2026

The RTS will be final in Q1 2026. AMLR applies in July 2027. The vendors, contracts, and integrations that have to be in production by then will be signed in 2026. A practical pre-2027 checklist for any obliged entity:

  • Map your customer base by eIDAS reach. What share has an EU-notified eID today? What share will have an EUDI Wallet at High LoA by end of 2026? What share will not — ever?
  • Stress-test your document-based flow against the draft RTS. Real-time liveness, high-quality capture, time-stamping, and source reliability — not just on paper, but in a live pen-test.
  • Run the deepfake scenario. If your current selfie-plus-document vendor cannot block a current-generation injection attack, you have a 2026 project, not a 2027 one.
  • Prefer cryptographic over probabilistic. Where a passport chip can be read instead of photographed, read it — the evidence is not a model's opinion, it is a government's signature.
  • Document your pathway choice. AMLA will expect to see, for each customer segment, a documented reason for the verification method used. "That is what our vendor offered" will not satisfy it.

The AMLR question is not whether your KYC vendor can onboard a customer. It is whether, 18 months from now, you can prove to a supervisor that the identity you verified is the identity you accepted.

Conclusion

AMLR is the first time the EU has written identity verification rules that apply directly, uniformly, and with a supervisor in Frankfurt able to enforce them against the largest financial institutions. The parallel push under NIS2 Article 21 is examining the same identity-evidence question for essential and important entities. The EUDI Wallet solves the EU half of the customer base. The document-based pathway, done with cryptographic evidence rather than probabilistic matching, solves the other half. The obliged entities that have both layers in production by mid-2027 will be compliant. Those that do not will, at best, spend 2028 in remediation — and at worst, be AMLA's first public enforcement case.

About the author

Mairi Kutberg is co-founder of IdentiGate, where she runs operations and content. She works at the intersection of EU regulation (eIDAS, NIS2, AMLR, eFTI), cross-border digital identity, and the practical compliance angles of advanced electronic signatures.
