Risk-based customer due diligence under AMLR – guidelines and simplified measures

5 mins read • Legal Writer • ANTI–MONEY LAUNDERING • 16 March 2026

Welcome to Part 12 of our AMLR blog series. This instalment covers Articles 32–33 on guidelines and simplified customer due diligence requirements. In the previous part of the series, we covered third countries and identification and verification as the starting point for KYC. Readers who want to explore the topic in more depth are encouraged to revisit that post.

This instalment focuses on how identification and verification are used in a broader risk-based context under AMLR, particularly in relation to the option to apply simplified measures. Articles 32 and 33 regulate, first, how supervisory authorities should guide obliged entities on current risks and, second, when and how customer due diligence requirements can be adjusted where risk is lower. For senior management and boards, this increases the need for strategic oversight, and access to qualified compliance and AML support is central to ensuring that the framework is applied correctly in practice.

Article 32 AMLR – Guidelines on risks, trends and methods related to money laundering and terrorist financing

Article 32 places the EU Anti-Money Laundering Authority (AMLA) in a central role in identifying and communicating risks, trends and methods of money laundering and terrorist financing involving geographic areas outside the EU to which obliged entities are exposed. By 10 July 2027 at the latest, AMLA must issue guidelines intended to provide practical support to obliged entities in their ongoing risk assessment and customer due diligence work. When issuing the guidelines, AMLA must in particular take into account the risk factors set out in Annex III to AMLR, which include risks relating to geographic area, customers, products, services and transactions.

Where the guidelines identify higher-risk situations, they must also cover enhanced customer due diligence measures. Obliged entities must then consider applying those enhanced customer due diligence measures to mitigate the higher risks. This means the guidelines will have direct significance for how obliged entities design their KYC processes.

Article 32(2) provides that the guidelines must be reviewed at least every two years. This regular review is critical to ensuring the framework remains relevant and up to date in light of changing risk drivers. For obliged entities, this means internal risk assessments and customer due diligence procedures must be sufficiently flexible to adapt promptly to AMLA’s updated guidelines. Both when issuing and reviewing the guidelines, AMLA must, under Article 32(3), take account of information, assessments, reports and evaluations from a broad range of stakeholders, including EU institutions, international organisations and agencies.

Article 33 AMLR – Simplified customer due diligence measures

Under Article 33(1), obliged entities may apply simplified customer due diligence measures where a low risk has been identified in a business relationship or a transaction, taking into account the risk factors in Annexes II and III. The simplified measures may include verifying the identity of the customer and the beneficial owner after the business relationship has been established, but no later than 60 days thereafter. The frequency of updates to information used to identify the customer may also be reduced, as well as the scope of information collected about the purpose of the business relationship. In addition, simplified measures may include reducing the level of scrutiny applied to the customer’s transactions.

Any simplified measures must be proportionate to the nature and size of the business and to the specific lower-risk elements identified. Obliged entities are required to monitor transactions and business relationships sufficiently closely to ensure that unusual or suspicious transactions can be detected. Article 33(2) requires internal procedures to set out the specific measures applied as part of simplified customer due diligence in lower-risk situations. Decisions to apply simplified measures must be documented, including which factors support the conclusion that the risk is low. This is particularly important from a supervisory perspective, as obliged entities must be able to demonstrate that they have carried out an independent, well-founded risk assessment.

Where identification is deferred under Article 33(1)(a)—meaning the identity of the customer or beneficial owner is verified after a business relationship is entered into—obliged entities must also, under Article 33(3), adopt specific risk management procedures. These may include, for example, limits on transaction values, the number of permitted transactions, or enhanced monitoring during the period in which identification and verification have not yet been completed. Under Article 33(4), obliged entities must regularly verify that the conditions for applying simplified customer due diligence measures continue to be met.

The frequency of those checks must be tailored to the nature and size of the business, its risk profile and the specific business relationship. Article 33(5) expressly sets out situations in which simplified measures must not be applied by obliged entities. This includes, for example, where the factors indicating a lower risk no longer apply, where there is suspicion of money laundering or terrorist financing, where there are doubts about the accuracy of customer information at the identification stage, or where there is suspicion of circumvention of economic sanctions.

Practical and legal significance for businesses

In summary, Articles 32 and 33 show how AMLR’s risk-based approach is intended to operate in practice. Through Article 32, obliged entities gain access to common guidelines from AMLA on current risks, trends and methods, providing important support in assessing when customer due diligence needs to be strengthened.

Article 33 simultaneously creates scope for proportionate simplifications where risk is low, but makes clear that these must always be based on a documented risk assessment and be subject to ongoing follow-up. Taken together, the provisions clarify that simplified customer due diligence is never a departure from the requirement to identify and verify the customer; it is a controlled exception within the framework of effective KYC.

Morling Consulting supports operators with specialist legal advice across AMLR’s full scope of application. Our work is designed to ensure that the framework is implemented correctly, proportionately and in a way that is adapted to the business, in line with both legislative requirements and supervisory expectations across Europe.