DOMAIN:EU_REGULATION:KYC_AML
OWNER: eric
ALSO_USED_BY: julian, aimee, margot
UPDATED: 2026-03-26
SCOPE: KYC/AML requirements for client onboarding and regulated-sector projects
OVERVIEW
Know Your Customer (KYC) and Anti-Money Laundering (AML) are legal obligations.
Eric handles KYC verification during client onboarding.
Even though GE is not a financial institution, regulated clients may impose cascading obligations.
The EU AML framework is undergoing its biggest overhaul since inception.
KEY_INSTRUMENTS:
- 6AMLD — Directive (EU) 2024/1640 (transposition deadline Jul 2027)
- AMLR — Regulation (EU) 2024/1624 (directly applicable from Jul 10, 2027)
- AMLA Regulation — entered into force Jul 1, 2025 (new EU-level supervisor)
- Current: 4AMLD/5AMLD remain in force until 6AMLD transposition
- Dutch: Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme)
THE NEW AML PACKAGE (adopted May 30, 2024)
THREE PILLARS
- AMLA (Authority for AML/CFT) — Frankfurt HQ
  - operational since Jul 1, 2025
  - direct supervision of highest-risk cross-border entities from 2026-2027
  - Regulatory Technical Standards due by Jul 10, 2026
  - replaces fragmented national supervision for systemically important entities
- AMLR (Anti-Money Laundering Regulation)
  - directly applicable (no transposition needed) from Jul 10, 2027
  - single rulebook replacing patchwork of national implementations
  - exception: football clubs/agents from Jul 10, 2029
- 6AMLD (Sixth Anti-Money Laundering Directive)
  - Member States must transpose by Jul 10, 2027
  - replaces current 4AMLD/5AMLD framework
  - 22 predicate offences including cybercrime and environmental crime
  - minimum 4-year prison sentences (up from 1 year)
CUSTOMER DUE DILIGENCE (CDD)
WHEN CDD IS REQUIRED
TRIGGER: establishing a business relationship or carrying out an occasional transaction
FOR_GE: every new client onboarding = new business relationship = CDD required
STANDARD CDD MEASURES
CHECK: identify the client and verify identity using reliable independent sources
CHECK: identify the beneficial owner(s) and take reasonable measures to verify
CHECK: assess and obtain information on the purpose and intended nature of the business relationship
CHECK: conduct ongoing monitoring of the business relationship
IDENTIFICATION REQUIREMENTS
NATURAL PERSONS
COLLECT: full name, date of birth, place of birth, nationality, residence address
VERIFY_WITH: government-issued photo ID (passport, national ID card, residence permit)
METHOD: document verification + liveness detection (remote) OR in-person verification
LEGAL ENTITIES
COLLECT: legal name, registered office, registration number, legal form
COLLECT: names of directors, authorised representatives
COLLECT: articles of association or equivalent
VERIFY_WITH: chamber of commerce extract (KvK-uittreksel in NL)
KvK VERIFICATION (NETHERLANDS)
SOURCE: Kamer van Koophandel (kvk.nl)
EXTRACT_CONTAINS: trade name, legal form, registration date, SBI codes, authorised signatories
UBO_REGISTER: separate from trade register — see beneficial ownership section
COST: EUR 3.45 per online extract (as of 2026)
FREQUENCY: verify at onboarding + annual refresh
API: KvK Handelsregister API available for automated verification
ACTION: Eric must obtain KvK extract for every Dutch client before contract signing.
ENHANCED DUE DILIGENCE (EDD)
WHEN EDD IS REQUIRED
MANDATORY_FOR:
- politically exposed persons (PEPs) and their family/close associates
- complex or unusually large transactions
- unusual patterns of transactions with no apparent economic purpose
- clients from high-risk third countries (Commission delegated list)
- correspondent banking relationships
- any situation where ML/TF risk is assessed as higher than normal
EDD MEASURES
ADDITIONAL_CHECKS:
- obtain additional information on the client and beneficial owner
- obtain additional information on intended nature of business relationship
- obtain information on source of funds and source of wealth
- obtain senior management approval to establish/continue relationship
- conduct enhanced ongoing monitoring
- increase frequency and depth of ongoing reviews
BENEFICIAL OWNERSHIP
DEFINITION
BENEFICIAL_OWNER: natural person who ultimately owns or controls a legal entity
THRESHOLD: 25%+ of shares/voting rights/ownership interest
IF no person identified above threshold: senior managing official(s)
AMLR CHANGES (from Jul 2027)
THRESHOLD: remains 25% as default
HIGH_RISK_SECTORS: Commission may lower threshold to 15%
MULTI-LAYERED: must identify through entire ownership chain
NOMINEE_ARRANGEMENTS: must be declared and looked through
UBO REGISTER (Netherlands)
LEGAL_BASIS: Wwft (implementing 5AMLD)
STATUS: operational but access restricted after CJEU ruling (Nov 2022)
ACCESS: only competent authorities, FIUs, and obliged entities (not general public)
REGISTRATION: all Dutch legal entities must register UBOs
NON_COMPLIANCE: fine up to EUR 22,500 or economic offence prosecution
CHECK: Eric must verify UBO register data against client-provided information
POLITICALLY EXPOSED PERSONS (PEP)
DEFINITION
PEP: natural person who holds or has held a prominent public function
INCLUDES: heads of state, government ministers, members of parliament, supreme court judges, central bank governors, ambassadors, senior military officers, state-owned enterprise directors
FAMILY: spouse/partner, children and their spouses, parents
CLOSE_ASSOCIATES: known close business relationships, beneficial owners of legal entities known to be set up for PEP's benefit
PEP SCREENING
FREQUENCY: at onboarding + ongoing (minimum annually)
TOOLS: commercial PEP databases (Refinitiv World-Check, Dow Jones, Moody's)
MATCH_HANDLING: investigate all potential matches — do not auto-reject
FALSE_POSITIVES: document investigation and reasoning for clearance
IF_CONFIRMED_PEP: apply EDD measures + senior management approval
POST-FUNCTION PEPs
AFTER leaving office: EDD applies for at least 12 months (current framework)
AMLR (from 2027): harmonised 12-month period after leaving prominent public function
RISK_ASSESSMENT: may extend beyond 12 months based on risk factors
IDENTITY VERIFICATION METHODS
DOCUMENT VERIFICATION
ACCEPTED_DOCUMENTS:
- passport (strongest — machine-readable zone, biometric chip)
- national identity card (EU/EEA — NFC chip verification where available)
- residence permit
- driving license (NOT sufficient as sole document in most frameworks)
VERIFICATION_CHECKS:
CHECK: document authenticity (security features, MRZ validation, chip reading)
CHECK: document validity (not expired)
CHECK: photo match to presenter
CHECK: consistency across multiple data points
REMOTE/DIGITAL VERIFICATION (eKYC)
METHODS:
1. VIDEO_IDENTIFICATION: live video call with trained agent
2. AUTOMATED: document scan + liveness detection (selfie + movement/depth)
3. NFC: chip reading from biometric passport/ID via smartphone
4. eIDAS_WALLET (from 2026-2027): qualified electronic attestation of identity
LIVENESS_DETECTION:
PURPOSE: prevent presentation attacks (printed photos, deepfakes, masks)
TYPES: active (user performs actions) or passive (AI-based analysis)
STANDARD: ISO 30107-3 for biometric presentation attack detection
DEEPFAKE_RISK: increasing sophistication requires continuous tool updates
eIDAS 2.0 IMPACT ON KYC
WALLET_VERIFICATION: will provide highest-assurance digital identity
SELECTIVE_DISCLOSURE: verify age/nationality without revealing full identity
TIMELINE: pilot 2025-2026, deployment 2026-2027, mandatory acceptance 2028
ACTION: design KYC flows to accept wallet credentials when available
SANCTIONS SCREENING
LISTS_TO_CHECK:
- EU consolidated sanctions list (data.europa.eu)
- UN Security Council sanctions list
- OFAC SDN list (if US nexus exists)
- Dutch national sanctions (sanctiekaart.nl)
- UK sanctions list (if UK clients)
FREQUENCY: at onboarding + ongoing (real-time or daily batch)
TOOL: commercial screening tools (Refinitiv, Dow Jones, ComplyAdvantage)
MATCH_HANDLING: investigate all potential matches, escalate confirmed matches
IF_MATCH_CONFIRMED: do NOT proceed with onboarding — report to FIU-Nederland
SUSPICIOUS TRANSACTION REPORTING
DUTCH FRAMEWORK (Wwft)
REPORT_TO: FIU-Nederland (Financial Intelligence Unit)
WHEN: unusual transaction detected based on objective or subjective indicators
DEADLINE: immediately upon detection — no fixed hour deadline but without undue delay
METHOD: electronic via goAML portal
TIPPING_OFF: PROHIBITED — never inform client they have been reported
OBJECTIVE INDICATORS
- transactions above EUR 15,000 (cash)
- transactions involving high-risk countries
- transactions with unusual complexity
SUBJECTIVE INDICATORS
- transactions with no apparent economic purpose
- client reluctant to provide information
- discrepancies in documentation
- unusual patterns relative to client profile
RECORD RETENTION
CURRENT FRAMEWORK (Wwft)
CDD_RECORDS: 5 years after end of business relationship
TRANSACTION_RECORDS: 5 years after transaction execution
REPORTS: 5 years after filing
AMLR (from Jul 2027)
CDD_RECORDS: 5 years (unchanged but harmonised EU-wide)
RE-VERIFICATION: maximum 24-month cycle for high-risk, risk-based for others
FORMAT: must be retrievable in machine-readable format
ACTION: Eric must maintain auditable KYC records for every client in the admin system.
STORAGE: encrypted, access-controlled, deletion automated after retention period.
CASH PAYMENT LIMITS (AMLR — from Jul 2027)
EU-WIDE: EUR 10,000 maximum for cash payments in business context
IDENTIFICATION: required for cash transactions of EUR 3,000+
FOR_GE: minimal impact (digital invoicing), but relevant for client projects handling payments
OBLIGED ENTITIES — SCOPE EXPANSION
CURRENT OBLIGED ENTITIES (relevant to GE)
- financial institutions, credit institutions
- tax advisors, accountants, notaries
- real estate agents
- trust and company service providers
AMLR EXPANSION (from Jul 2027)
NEW: crypto-asset service providers (MiCA-regulated)
NEW: crowdfunding platforms
NEW: professional football clubs and agents
NEW: traders in high-value goods (precious metals, gemstones) above thresholds
GE_STATUS: GE is NOT an obliged entity under Wwft/AMLR
HOWEVER: regulated clients may contractually require GE to apply equivalent CDD
ACTION: if client is obliged entity, Eric must confirm whether cascading KYC applies
RISK-BASED APPROACH
CLIENT RISK FACTORS
HIGH_RISK:
- client in high-risk third country
- complex ownership structure
- cash-intensive business
- PEP involvement
- adverse media
- unusual transaction patterns
- newly established entity with no track record
MEDIUM_RISK:
- non-regulated entity in standard jurisdiction
- straightforward ownership
- consistent transaction patterns
LOW_RISK:
- listed company (subject to disclosure requirements)
- government entity
- entity in low-risk sector with simple structure
RISK ASSESSMENT PROCESS
- identify risk factors at onboarding
- assign risk score (low/medium/high)
- apply proportionate CDD/EDD measures
- document risk assessment reasoning
- review risk score annually or upon trigger event
- escalate high-risk to senior management
TIMELINE SUMMARY
| Milestone | Date | Status |
|---|---|---|
| AMLA operational | Jul 1, 2025 | ACTIVE |
| UBO register access (competent authorities) | Jul 10, 2025 | ACTIVE |
| AMLA Regulatory Technical Standards | Jul 10, 2026 | UPCOMING |
| AMLR directly applicable | Jul 10, 2027 | UPCOMING |
| 6AMLD transposition deadline | Jul 10, 2027 | UPCOMING |
| AMLR for football | Jul 10, 2029 | FUTURE |
READ_ALSO: domains/eu-regulation/index.md, domains/eu-regulation/contract-law.md, domains/privacy/gdpr-implementation.md