Customer due diligence under AMLR: identity, beneficial ownership and the purpose of the relationship

We continue with part 10 of our blog series on the EU Regulation on measures to prevent money laundering and terrorist financing (AMLR). In this instalment we cover Articles 22–25, which set out the core stages of the customer due diligence process—from identifying and verifying the identity of the customer and beneficial owner, to understanding the purpose of the business relationship and addressing discrepancies in register data.

In groups where multiple business lines fall within the scope of AML requirements, customer due diligence processes must be harmonised across companies, business areas and jurisdictions. Work on group-level AML is closely linked to how governance, internal control and culture are designed and embedded. We have also addressed this in our post on AMLR Articles 13–15 on employee privacy, whistleblowing and internal control, which focuses on the human and organisational dimensions of the framework.

At Morling Consulting, we support organisations with practical support from experienced AML specialists in interpreting and applying these requirements to ensure a consistent and legally robust implementation of the rules.

Article 22 AMLR – Establishing and verifying the identity of the customer and beneficial owners

Article 22 AMLR specifies what customer due diligence means in practice by setting out the information that must, at a minimum, be obtained to identify the customer, persons acting on the customer’s behalf, and the natural persons on whose behalf or for whose benefit a transaction is carried out. The provision applies subject to the exception for lower-risk situations where simplified measures may be applied, and without prejudice to the requirements to apply enhanced measures where risk is higher.

For natural persons, obliged entities must obtain a relatively extensive information set. This includes all forenames and surnames, place of birth and full date of birth, nationality or equivalent status and, where applicable, a national identification number. In addition, information is required on the habitual residence address or an alternative contact address and, where available, a tax identification number.

Where the customer is a legal person, obliged entities must also obtain information including legal form, name, registered office address, principal place of business and country of establishment. Further information is required on the names of legal representatives, registration number, tax identification number, identification code and the names of shareholders or persons holding board positions acting as nominees, as well as details of their capacity. For groups with complex structures, many branches or operations across multiple jurisdictions, this becomes particularly important and underscores the need for coordinated processes and shared customer due diligence standards at group level.

Article 22 also contains specific provisions for trusts and similar legal arrangements. Obliged entities must obtain basic information on the arrangement, the trustees, their powers, their residential address, and the place from which the trust is administered where this differs from the residential address. The basic information must, however, be limited to the assets relevant to the specific business relationship or transaction.

For other organisations with legal capacity under national law, the required information includes the name, registered office address and the names of persons authorised to represent the organisation. Where relevant, this also includes information on legal form, tax identification number, identification code and registration number for legal persons, as well as the instrument of constitution.

Article 22(2) governs the identification of beneficial owners in legal entities and refers to the information set out in Article 62. Under Article 62(1), second subparagraph (a), this includes, among other things, the beneficial owner’s full name, place of birth, date of birth and country of residence.

If no natural person can be identified as the beneficial owner despite all reasonable means having been used, or if there are doubts regarding the persons identified, this must be documented by the obliged entity. In such cases, senior managing officials must be identified and their identity verified.

The provision includes an important safeguard: if there is a risk that the customer may become aware of the entity’s doubts regarding beneficial ownership, the obliged entity must not carry out the identity verification of senior managing officials. Instead, the steps taken and the difficulties encountered in identifying the beneficial owner must be documented.

Article 22(3) introduces specific requirements for credit institutions and financial institutions that issue virtual IBANs. The identity of the natural and legal persons using such numbers must be identified and verified together with the associated bank or payment account. The information must be capable of being shared rapidly between credit institutions and financial institutions where different institutions are involved in the process.

For beneficiaries of trusts or similar legal entities defined by a class or characteristic, obliged entities must obtain sufficient information to establish identity at the time of payout or when rights are exercised. Equivalent considerations apply to discretionary trusts, where identification may become relevant only when trustees’ powers are exercised or not exercised.

Articles 22(6) and 22(7) govern how the customer’s identity, and the identity of persons claiming to act on the customer’s behalf, must be verified. This may be done by obtaining information through identity documents, reliable and independent sources, or electronic identification in accordance with Regulation (EU) 910/2014.

For verification of beneficial owners, as well as persons on whose behalf or for whose benefit a transaction or activity is carried out, obliged entities must also take reasonable measures to obtain the necessary information and documents from the customer or other trusted sources, including checks against public registers. In addition to these identity verification methods, obliged entities must also verify the information against the central registers.

The choice of verification method and the extent of information obtained must reflect the risks associated with the specific business relationship or transaction and the beneficial owner, including the complexity of the ownership structure.

Article 23 AMLR – Timing of verification of the customer’s and beneficial owner’s identity

Article 23 AMLR governs when verification of the customer’s identity, the beneficial owner’s identity, and the identity of persons carrying out a transaction on behalf of or for the benefit of someone other than the customer must be completed. It complements Article 22—which sets out what information must be obtained and how identity must be verified—by establishing the applicable timeframe. Under Article 23(1), the customer’s identity must be verified before entering into a business relationship or carrying out an occasional transaction. The Article also contains an express exception for lower-risk situations where simplified measures under Section 3 of the Chapter apply. In such cases, identity verification may be deferred, provided the lower risk justifies doing so. This does not permit identity verification to be omitted; it only allows the timing to be adjusted.

Real estate agents are subject to a specific rule under Article 23(1). In these cases, identity verification must take place after an offer has been accepted by the seller or lessor, but always before funds or property are transferred.

Article 23(2) provides a further exception to the main rule. Verification of the customer’s and beneficial owner’s identity may be completed when the business relationship is entered into, provided this is necessary to avoid disrupting normal business operations and the risk of money laundering or terrorist financing is low. This exception is also subject to limitations, including that verification must be completed as soon as possible after the initial contact.

Article 23(3) contains a specific provision for credit institutions and financial institutions. These institutions may open an account, including accounts enabling transactions in transferable securities, before the customer due diligence measures under Article 20(1)(a) and (b) have been fully completed, provided sufficient safeguards are in place to ensure that no transactions can be carried out by the customer or on the customer’s behalf.

Finally, Article 23(4) requires that where a new business relationship is entered into with certain legal entities or trusts subject to beneficial ownership registration requirements, obliged entities must obtain valid evidence of such registration or a recently issued register extract confirming its validity. This strengthens the link between customer due diligence and the central beneficial ownership registers established within the EU by requiring obliged entities to actively verify that the registration obligation has been met.

Article 24 AMLR – Reporting discrepancies in beneficial ownership registers

Article 24 sets out obliged entities’ duty to act where differences are identified between beneficial ownership information recorded in the central registers and the information the entity itself obtains as part of customer due diligence. Under Article 24(1), obliged entities must report any discrepancies they discover between information in the central registers and the information collected under Article 20(1)(b) and Article 22(7). Reporting must be made without undue delay and no later than 14 calendar days from the date the discrepancy is detected. The obliged entity must attach information evidencing the discrepancy and explain which natural persons it considers to be beneficial owners. Where applicable, information on nominee shareholders and nominee directors must also be provided.

Article 24(2) provides a limited exception to the main rule. Obliged entities may refrain from reporting a discrepancy and instead request further information from the customer if the discrepancy is either purely technical (such as typographical errors, transliteration differences or minor inaccuracies) that do not affect the identification of beneficial owners, or arises because registered information is outdated, provided the obliged entity knows the beneficial owners from another reliable source and there are no grounds to suspect intentional concealment.

If, in such cases, the obliged entity concludes that the register information is incorrect, the customer must be instructed to submit correct information to the register without undue delay and no later than 14 calendar days. It is important to note that this exception does not apply in higher-risk situations where enhanced measures under Section 4 must be applied. Under Article 24(3), the obliged entity must report the discrepancy to the central register if the customer has not submitted correct information within the prescribed deadline.

Article 24(4) provides an exception for notaries, lawyers, other independent legal professionals, accountants, external auditors and tax advisers, to the extent the information was obtained in the course of assessing a client’s legal position or providing defence and representation in legal proceedings. However, where legal advice is provided in situations covered by Article 21(2), second subparagraph, the reporting requirements also apply to these actors.

Article 25 AMLR – Identifying the purpose and intended nature of the business relationship or occasional transaction

Article 25 addresses another core component of customer due diligence: the obliged entity’s duty to understand the purpose and intended nature of the business relationship or the occasional transaction. This is met by obtaining, where necessary, the following information:

• the purpose and economic rationale of the business relationship or transaction,
• the estimated amount of planned activity,
• the origin and destination of funds, and
• the customer’s business activity or profession.

Article 25, second subparagraph, introduces a specific requirement for obliged entities within the scope of Article 74, namely actors dealing in high-value goods. When applying point (a) of the first subparagraph on the purpose of the transaction or business relationship, these entities must collect information to determine whether the intended use of goods under Article 74 is commercial or non-commercial.

Practical and legal significance of customer due diligence under AMLR

Taken together, Articles 22–25 of AMLR form a coherent and detailed framework for how customer due diligence must be established, carried out and maintained in practice. The provisions clarify which identity data must be obtained and verified, when those checks must generally be completed, how obliged entities must respond where beneficial ownership is uncertain or register information is inconsistent, and what is required to understand the purpose and economic logic of the business relationship or occasional transaction. Obliged entities are assigned clear, end-to-end responsibility for the full customer due diligence lifecycle—from initial identification through ongoing verification and follow-up.

At Morling Consulting, our lawyers and AML specialists support organisations across Europe with qualified advice on AML requirements. Combining legal analysis with operational insight, we help businesses structure, implement and continuously improve AML processes in a legally robust and proportionate manner. Read more at morlings.se.