Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly agree with the direction of RTS Section 1, as it aims to operationalize Article 28(1) AMLR by standardizing the identification and verification of customers and beneficial owners. 

In the following sections we provide recommendations to further improve legal clarity, interoperability, and cost-efficiency — particularly for identity verification providers (IDVs), Qualified Trust Service Providers (QTSPs), and financial institutions relying on remote onboarding.

Please consider:

1. Need for harmonized treatment of identity attributes across eIDAS2 and AMLR

Articles 2, 5, 6, and 31 of the RTS touch on how identity information is captured and verified. 

However:

  • The address field (Article 2) is not part of the eIDAS2 Person Identification Data (PID) and must be separately issued via Qualified Electronic Attestation of Attributes (QEAA).
  • Without clear guidance on how to verify such address data — e.g., by accepting QEAA-based attestations or verified data sets — cross-border legal and technical uncertainty can arise.

Recommendation:

  • Clarifying that address data provided via a QTSP-issued QEAA in line with CIR 2024/2977 is sufficient to meet RTS and AMLR requirements.
  • Ensuring that PID, QEAA, and EUDI Wallet attributes can be used in a modular, reusable way to reduce friction and cost.
2. Clarification on Identity Documents (In accordance with EU AMLR Art. 22 6.a) and Art. 22 7 a)

The RTS Article 5 states Identity documents… must be valid, authentic, and issued by a government or equivalent authority.

We welcome that Article 5(f–g) recognizes identity documents containing machine-readable zones (MRZ), security features, and biometric data. 

Consider:

The RTS clarify that the methods used to verify these features — particularly AI-enhanced or automated document authentication systems — are acceptable when they meet reliability standards.

This clarification is important because:

  1. The RTS currently describes the document’s features, but not the technologies that verify them. Many IDV providers now use machine learning models and document integrity checks to validate holograms, fonts, MRZs, and tampering indicators in real time.
  2. There is no reference to international standards like ICAO 9303, which defines secure formats and digital signatures for passports and national ID cards — standards many automated systems are already built to recognize.

Recommendation:

We suggest including language that explicitly permits reliable, automated verification of document authenticity, especially when conducted in line with ICAO and eIDAS-aligned best practices.

  • Article 5(5) allows submission of original or certified copy.
  • It is unclear who certifies a copy and under what conditions. This could lead to legal uncertainty and fragmentation unless harmonized

 Consider defining or referring to acceptable certification mechanisms — e.g., eIDAS QTSPs issuing a Qualified Electronic Attestation of Attributes (QEAA) confirming ID document data.

3. Clarification needed on “Reliable Source” RTS (Article 7)

RTS Article 7 requires entities to assess the “reliability and independence” of sources used for verification but provides no concrete criteria.

This ambiguity can:

  • Force IDVs and FIs to conduct subjective, manual source assessments.
  • Increase audit risk and creates divergent interpretations across Member States.
  • Leads to increased onboarding costs and inconsistent customer experiences.

Consider:

Clearer criteria for “reliable source” and cross-border validation scenarios.

Consider clarification to help obliged entities understand:

  1. Whether sources must be officially government-run or merely supervised/regulated.
  2. How to evaluate “independence” when relying on third-party data providers — especially those aggregating information from public and commercial databases.
  3. How to treat reliable sources in cross-border contexts, such as onboarding a Spanish customer via an Italian bank using a German registry — and whether mutual recognition of digital sources applies.

Providing a baseline list of trusted source categories or linking to an EBA-endorsed reliability assessment framework, would give the industry legal clarity and reduce inconsistent interpretations by compliance teams and auditors.

This is especially important for service providers operating across multiple jurisdictions, where inconsistent local interpretations of “reliable source” may delay or block legitimate remote onboarding.

Recommendation:

  • Issuing a baseline list of acceptable source types (e.g., official registries, verified digital wallets, QTSP attestations).
  • Providing an annex or guidance document outlining how reliability and independence are assessed, especially cross-border data sources.

While Section 1 of the RTS presents a strong foundation, the current draft could benefit from clarifying implementation risks, particularly in the absence of:

  • Clarified equivalence of QEAA attributes (e.g., address, IBAN),
  • Harmonized standards for “reliable sources.”

These gaps could result in fragmentation, higher onboarding costs, and inconsistent application across Member States. We would advocate that the EBA further address these topics to improve cross-border compliance and operational certainty for AMLR stakeholders.

We suggest adding consultation specifically addressing:

• The role of Qualified Trust Services (QES, QEAA, Remote Identity Proofing) in AML-compliant identity verification.

• The practical interoperability challenges financial institutions face in integrating these services alongside legacy KYC solutions.

• How to define acceptable equivalency criteria between QTSP-issued credentials (Q) EAAS and QCs, and national eID schemes for CDD purposes.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We welcome the structure and ambition of RTS Article 6, which aims to clarify the requirements for customer verification in non-face-to-face contexts. 

Please consider further clarifications that ensure legal certainty and practical interoperability, especially when comparing remote solutions under Article 6(2)-(6) to eIDAS-compliant means referenced in Article 6(1).

1.Protection against identity fraud:
We agree that the solutions described in RTS Article 6(2)-(6) — such as video-based identification, biometric checks, and encrypted document submission — can, when properly implemented and certified, provide a comparable level of assurance to eIDAS electronic identification means at substantial or high level.
This is especially the case when such remote identification systems comply with ETSI TS 119 461 v2.1.1, which defines strong technical safeguards including:
  • Biometric liveness and matching checks
  • Document integrity verification
  • Secure data transmission
  • Tamper-resistant audit logs

This standard is already used in several Member States and by QTSPs offering remote identity proofing.

Recommendation 

To avoid fragmentation and reinforce legal certainty across the EU, we propose that Article 6 explicitly:

Acknowledge the role of QTSPs issuing QEAA as part of a secure onboarding flow — even where national eID schemes or Wallets are not yet available.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

We welcome the inclusion of RTS Article 8 on the use of virtual IBANs as a tool for customer identification and tracking. 

However, we believe the article should go further to recognize the potential for Qualified Trust Service Providers (QTSPs) to issue Qualified Electronic Attestations of Attributes (QEAAs) that include IBANs — including virtual IBANs — as verified customer attributes.

1. QEAAs including IBANs: A trustworthy, reusable attribute source
Under eIDAS2 and its Implementing Acts (notably CIR 2024/2977 on QEAA and PID), QTSPs may issue attestations of various identity attributes. Given that IBANs are directly tied to customer identity and financial relationships, there is a strong rationale to:
  • Treat IBANs (including virtual IBANs) as verifiable attributes,
  • Allow these to be bound to natural or legal persons via QEAAs, and
  • Permit their reliable use in customer due diligence (CDD) across the EU.

This would allow virtual IBANs to be issued, verified, and reused through regulated, high-trust infrastructure — reducing fraud risk and supporting cross-border interoperability.

2. Enhanced AMLR compliance and auditability

A QTSP-issued QEAA containing a virtual IBAN:

  • Enhances traceability and non-repudiation for account ownership,
  • Enables interoperable AML checks across EU institutions,
  • Allows banks or financial service providers to verify that a specific IBAN belongs to the person being onboarded — without relying solely on proprietary or fragmented databases.

This could dramatically improve onboarding flows, especially for FinTechs, Payment Service Providers, or Banking as Service providers that issue non-traditional or virtual accounts.

Recommendation:

RTS Article 8 or its accompanying recitals:

  • Explicitly recognize virtual IBANs as eligible attributes for inclusion in QEAAs, when issued and bound to the identity of a customer by a QTSP;
  • Clarify that such QEAA-based attestations can be used to satisfy CDD and AMLR Article 22(1) requirements, particularly for account verification in remote onboarding scenarios.
  • Encourage supervisory authorities to develop a technical specification or mapping guideon how to structure and validate IBAN attributes in trust service-based attestations.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly support the proposals in Section 2 of the draft RTS as a proportionate and risk-based elaboration of Articles 20(1)(c) and 25 of the AMLR. We would encourage the EBA to consider guidance in future. 

Consider:

  • How such information may be reliably collected via remote onboarding channels (e.g., structured digital forms, mobile apps, Wallet-based interactions)
  • Whether certain attributes — such as occupation, sector, source of funds — could be digitally attested using Qualified Electronic Attestations of Attributes (QEAA) issued by a QTSP, especially to reduce repetitive data requests in low-risk, high-volume onboarding flows
  • How firms may align these RTS provisions with privacy principles and data minimizationunder GDPR.

We believe RTS Articles 15 and 16 are consistent with a risk-based approach and would benefit from further operational clarification in supervisory Q&As or implementation notes — particularly regarding digital onboarding flows and structured data formats.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We agree with the principles set out in Section 4 of the draft RTS, which appropriately aim to balance proportionality and risk in low-risk scenarios. 

The explicit details provided in RTS Articles 19–23 help reduce ambiguity for obliged entities. 

Please consider further enhancements to improve clarity and reduce compliance friction, particularly for digital onboarding, QTSP-based workflows, and cross-border remote identification: 

1.Recognition of Digital Attestations in Simplified Due Diligence

We recommend that the RTS explicitly permit the use of Qualified Electronic Attestations of Attributes (QEAA) issued by QTSPs — under eIDAS2 and CIR 2024/2977 — as valid sources for fulfilling simplified due diligence requirements, including:

  • Names, date of birth, and nationality (RTS Article 18);
  • Occupation, sector, or source of funds (RTS Article 23);
  • Beneficial ownership declarations (RTS Article 19).

This would allow obliged entities to rely on structured, verified identity attributes that have already undergone certification and assurance procedures. It can reduce the need for repetitive document collection in low-risk contexts, especially for customers who onboard digitally across borders.

2. Clarification of acceptable “Reliable Sources” in Article 19

RTS Article 19 allows for the use of:

  • Central or company registers,
  • Customer declarations,
  • Publicly available sources (e.g. internet searches).

Recommendation:

We suggest that the RTS provide clear criteria or supervisory guidance on what constitutes a “reliable and independent” source, and whether digitally attested attributes from QTSPs fall within this definition. 

This would reduce interpretation of disparities and the cost of legal review in multi-jurisdictional compliance.

We support Section 4’s risk-sensitive approach, and believe it would be further improved by:

  • Recognizing QEAAs as reliable sources in SDD scenarios,
  • Clarifying the reliability criteria for beneficial ownership sources,
  • Allowing automated digital monitoring for information updates.

 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

We encourage the EBA to extend the scope of sectoral SDD recognition under Section 4 to include:

  • Qualified Trust Service Providers (QTSPs) and their digital identity products,
  • Limited-function IBAN or eMoney accounts with risk-based limits and traceability,

These services are typically well-regulated, operate under controlled risk profiles, and increasingly leverage digital identity infrastructure that is auditable and tamper resistant. 

Providing clearer SDD guidance for these sectors would promote consistency, reduce friction, and focus compliance efforts on truly high-risk services.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We support the addition of Section 5 of the draft RTS, which provides a structured framework for Enhanced Due Diligence (EDD)under Article 34(4) of AMLR.

The proposed RTS Articles 24–27 are broadly aligned with best practices. 

Please consider:

1. Clarity on Acceptable Evidence and Digital Attestations:

EDD measures, as outlined in RTS Articles 24–27, rightly call for robust information regarding source of funds, source of wealth, legitimacy of transactions, and background of business relationships. 

Please note, the RTS currently emphasizes paper-based or manually certified documentation (e.g. pay slips, deeds, investment contracts). 

Consider:

  • The increasing use of digitally attested information from Qualified Trust Service Providers (QTSPs) under eIDAS2
  • The growing deployment of Qualified Electronic Attestations of Attributes (QEAA) to bind attributes like employer, occupation, or account ownership to a verified identity
  • Structured formats such as Verifiable Credentials (W3C VC) and ISO 18013-5 are used in EUDI Wallets.

Recommendation:

We recommend that the RTS explicitly allow for digitally attested or certified EDD information when it:

  • Is issued by QTSPs or regulated data providers,
  • Includes cryptographic integrity protections,
  • Is accompanied by verifiable data (e.g. issuer identity, timestamp, etc).

This would reduce reliance on paper trails, support automation, and increase assurance — particularly in cross-border or fully digital customer relationships.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We support the direction of Section 6 of the draft RTS and agree that robust, timely, and risk-sensitive screening for targeted financial sanctions (TFS) is a vital part of the AML/CFT framework. 

RTS Articles 28 and 29 do strike a balance between minimum requirements and implementation. 

Please consider:

  • Digital onboarding and remote ID verification tools can be efficiently integrated into TFS screening workflows,
  • Qualified trust services (QTSPs) can be leveraged to improve reliability and reduce false positives.

Recommendation:

1. Clarify alignment with digital identity sources and attested data

We recommend that the RTS clarify that screening processes — particularly those involving names, aliases, and identifiers — may incorporate structured identity data obtained from:

  • EUDI WalletsPID, or QEAA attributes under eIDAS2 (e.g., legal name, nationality, date of birth),
  • Remote IDV providers or QTSPs whose onboarding flows follow ETSI TS 119 461 v.2.1.1, to ensure identity verification and document validation,
  • Other trusted third-party data sources (e.g., regulated registries or verified databases).

This can ensure that data used for sanctions screening is accurate, standardized, and interoperable, reducing the risk of false positives (e.g., due to name translations or formatting inconsistencies).

2. Support for automation, especially in cross-border Digital Services

RTS Article 29 correctly encourages the use of automated screening tools unless clearly impractical. We support this direction and suggest further emphasizing:

  • The benefits of integrating real-time screening APIs with onboarding systems,
  • The use of automated alerts based on structured data (e.g., country of residence, nationality, customer segment),
  • And the ability to link TFS screening with eIDAS-compliant digital ID data for improved verification accuracy.

For digital-first service providers operating across Member States, harmonizing how and when sanctions checks are triggered (e.g., at onboarding, or when a digital credential is reused) could enhance consistency and compliance efficiency.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We support the inclusion of Article 30 in the RTS, which offers a structured and comprehensive set of risk-reducing factors to guide supervisory assessments of whether electronic money instruments (EMIs) qualify for exemptions under Article 19(7) of AMLR.

The criteria listed are appropriate and proportionate, and we agree that these products — when structured properly — can present low inherent ML/TF risk. 

Recommendation:

Consider further strengthening the RTS by:

  1. Clarifying how digital identity and remote onboarding safeguards apply in this context;
  2. Explicitly recognizing the use of Qualified Trust Services and QEAA-based verification;
  3. Ensuring consistent interpretation across Member States to reduce fragmentation and compliance complexity.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We strongly support the intent of Section 8 and Annex I of the RTS, which provide a structured approach to integrating electronic identification means and qualified trust services (QTS) into customer due diligence (CDD). 

The following clarifications and enhancements are worth consideration to:

  • Ensure practical interoperability across the EU,
  • Reduce fragmentation and compliance costs,
  • And align with existing trust frameworks under eIDAS2 and its implementing acts.

1. Alignment with eIDAS2, EUDI Wallets, and QEAAs

We welcome the recognition of electronic identification means and QTS as satisfying CDD obligations under Articles 20 and 22 of AMLR. 

We recommend that:

RTS Article 31 and Annex I explicitly reference the Qualified Electronic Attestation of Attributes (QEAA) and Person Identification Data (PID) formats under CIR 2024/2977.

The RTS acknowledges the use of EUDI Wallets, and the relevant data models specified including:

  • W3C Verifiable Credentials
    • ISO/IEC 18013-5:2021 for mDL compatibility.

These data models are already mandated under eIDAS2 and will be used to issue verified identity attributes across all Member States. 

Their use in CDD should be formally recognized in the RTS to promote reuse and reduce redundant manual processes.

Annex I lists “personal administrative number” among the attributes. 

The term “personal administrative number” is vague, varies by country, and could create confusion for cross-border implementation, especially among IDV providers and QTSPs.

We recommend that the RTS either:

Define the term explicitly or reference a harmonized EU standard (e.g., as aligned with the Implementing Regulation (EU) 2024/2977),

Or clarify whether national discretion applies and what level of assurance or data binding is expected from this attribute.

This would help ensure consistent implementation by identity verification providers and trust services integrating EUDI Wallets or national eID systems into AML-compliant onboarding.

2. Clarify that attributes from multiple QEAAs can be combined

Many identity flows involve modular trust sources, such as:

  • PID from a Wallet issuer,
  • Address from a QEAA by a QTSP,
  • IBAN from a financial institution attestation.

We recommend that RTS Article 31 clarify that multiple attributes across different (Q)Trust Services may be legally combined to fulfill AMLR’s Article 22(1) requirements, provided each is:

  • Issued by a qualified and supervised entity,
  • Bound to the user via strong authentication or signature,
  • Verified at the appropriate level of assurance.

This reflects the practical reality of digital onboarding and helps avoid friction where full attribute sets are not always available from a single source.

3. Call for explicit reference to trust services.

We recommend referencing Qualified Trust Services as a baseline for verifying identity when electronic identification means, particularly for fallback or complementary verification where not all Annex I attributes are available from the Wallet.

4. Cost and implementation impact without clarifications

Without these improvements, RTS Article 31 may result in:

  • Legal uncertainty about the acceptability of attributes from Wallets or QTSPs,
  • Duplicate compliance processes for entities already meeting eIDAS2 standards,
  • Delays in adoption and integration, especially for cross-border use cases where national supervisory practices differ.

A clear regulatory endorsement of modular, standards-based identity attributes and the relevant technical formats will reduce integration cost, harmonize onboarding flows, and support innovation without undermining AMLR safeguards.

Name of the organization

IDnow GmbH