AMLR Articles 19–20: customer due diligence, risk assessment and ongoing monitoring

6 mins read • Legal Writer • ANTI–MONEY LAUNDERING • 19 February 2026

We continue Morling Consulting’s blog series on the EU’s new Anti-Money Laundering Regulation (AMLR). A previous part covered, among other things, requirements for internal procedures and whistleblowing, with a focus on employees and their privacy.

This part shifts the focus to the core of the risk-based AML framework, namely customer due diligence (CDD). Articles 19 and 20 of the AMLR clarify both when obliged entities must take CDD measures and what those measures must comprise in practical terms. Together, these provisions form the basis for how firms should understand their customers, their transactions and the overall risks of money laundering and terrorist financing.

Against this backdrop, Morling Consulting supports organisations with AML expertise, providing legal support in areas such as CDD, risk classification and ongoing monitoring. Below is a summary of the central elements of the AMLR’s CDD regime under Articles 19 and 20, linked to their impact on practical AML work.

Article 19 AMLR – Taking customer due diligence measures

Article 19 sets out the situations in which obliged entities must apply CDD measures. The first and most fundamental is when establishing a business relationship. It is essential that the obliged entity ensures adequate knowledge of the customer before commencing the relationship. At this stage, a risk assessment must be performed to underpin both the customer’s risk profile and subsequent monitoring.

Article 19 also regulates when CDD must be applied to occasional transactions. As a general rule, there is a threshold of at least EUR 10,000, whether reached through a single transaction or several linked transactions. This prevents structuring designed to circumvent AML requirements.

An important feature of Article 19 is the obligation to conduct CDD when participating in the creation of legal entities or legal arrangements, and upon transfers of ownership in such entities. For this provision, the value of the transaction is irrelevant. The focus is the structural risk associated with the misuse of corporate structures and complex ownership chains, rather than individual cash flows.

Article 19 further clarifies that CDD must always be carried out where there is suspicion of money laundering or terrorist financing. This duty applies irrespective of thresholds or any exemptions. In addition, measures must be taken where there are doubts as to the reliability of previously collected customer information. The Regulation also provides that measures must be taken whenever there is uncertainty as to whether a person is the customer or is authorised to act on the customer’s behalf.

Beyond the general situations, Article 19 introduces specific rules for certain sectors and transaction types. Credit institutions and financial institutions must, in addition to the circumstances above, take measures when they initiate or execute certain occasional transactions. This applies to transactions of at least EUR 1,000, whether executed in several steps or at one time. For crypto-asset service providers, the same threshold applies, with additional, albeit more limited, requirements even for transactions below this amount.

Cash transactions are also subject to special rules. For cash transactions of at least EUR 3,000, identification measures must be taken unless the Member State has introduced stricter cash limits. For gambling services, CDD measures are required at a specific threshold of EUR 2,000 for stakes or payouts.

A central part of Article 19 concerns whom obliged entities should treat as the customer in different scenarios. For several professions—such as lawyers, estate agents and payment service providers—the concept of customer is broadened to include both parties to a transaction or other economically relevant actors, such as goods suppliers. This widens the scope of CDD and helps ensure that key risk actors do not fall outside the AML framework.

Article 19 also covers the possibility for supervisory authorities to exempt obliged entities, in whole or in part, from applying CDD measures in relation to electronic money. Any exemption requires evidence of low risk. A number of conditions must also be met, including those governing the design of the payment instrument.

Article 20 AMLR – Customer due diligence measures

While Article 19 specifies when CDD must be applied, Article 20 sets out what CDD entails in practice. The provision lists a coherent set of measures that together must give the obliged entity a sufficient understanding of the customer and the risks associated with the business relationship. Obliged entities must carry out all measures listed in Article 20.

The foundation of CDD is identifying the customer and verifying their identity. For legal persons, this also includes identifying and verifying the beneficial owners and understanding the ownership and control structure.

Article 20 further requires the obliged entity to assess and, where applicable, obtain information on the purpose and intended nature of the business relationship or transaction. This is central to enabling transaction monitoring and identifying deviations from expected behaviour.

Screening to determine whether the beneficial owners or the customer are subject to targeted financial sanctions is a mandatory element of the CDD process. This also applies where a customer that is a legal entity is controlled by, or has more than 50% of its ownership held by, any natural or legal person subject to targeted financial sanctions.

Article 20 mandates ongoing monitoring of the business relationship for its entire duration. This includes reviewing transactions and keeping customer data up to date. Ongoing monitoring is crucial to ensuring the original risk assessment remains relevant over time. The Article also covers measures such as assessing information on the nature of the customer’s business, employment or profession, and determining whether the customer, beneficial owner or person acting on the customer’s behalf is a politically exposed person. Finally, verification and identification must be conducted for transactions where an individual claims to act on behalf of, or for the benefit of, the customer.

Article 20(2) clarifies that the extent of CDD measures must be determined by an individual risk analysis covering money-laundering and terrorist-financing risks. The analysis must consider the nature and characteristics of the customer, relationship or transaction, as well as the obliged entity’s overall risk assessment. Where risk is higher, the firm must apply enhanced measures, while simplified measures may be permitted where risk is low. Under Article 20(4), obliged entities must always be able to demonstrate to the supervisory authorities that the measures taken are appropriate in light of the risks identified.

Customer due diligence as the core of risk-based AML practice

Articles 19 and 20 of the AMLR show that CDD is not a one-off onboarding step but a continuous process spanning the entire lifecycle of the business relationship. For obliged entities, this means CDD must be integrated into the organisation’s overall risk framework, governance and internal control.

In practice, the AMLR sets high expectations that obliged entities can explain and justify the level of CDD selected in each case. Documentation of risk assessments, choice of measures and follow-up are therefore central to avoiding supervisory findings and managing the risks associated with non-compliance.

At Morling Consulting, our AML lawyers help companies and other obliged entities design, implement and review CDD—from risk assessments and governance documents to practical procedures, system requirements and training. For more information on how we can support your organisation’s AML work, visit morlings.se.

The series continues with the following topic: Inability to meet customer due diligence requirements under the AMLR