Special requirements on risk differentiation and unhosted addresses under the AMLR

View as Markdown
5 mins read • Legal Writer • ANTI–MONEY LAUNDERING • 13 April 2026
  1. The limits of simplified customer due diligence under the AMLR
  2. Article 40 AMLR – Measures to mitigate risks linked to transfers involving unhosted addresses
  3. Article 41 AMLR – Specific provisions for applicants for residence permits via investment schemes
  4. From risk differentiation to practical governance and control under the AMLR

In Part 16 of our blog series on the EU AMLR, we examine Articles 40 and 41. These provisions show how the framework applies risk differentiation by, on the one hand, regulating scenarios involving specific higher-risk factors and, on the other, clarifying the boundaries for when simplified customer due diligence may be appropriate. They demonstrate that simplified measures are never generally available; they require a structured, documented and risk-based analysis in the specific case. Readers who want to explore further scenarios that the AMLR treats as higher risk—and therefore trigger enhanced measures—are encouraged to read Part 11 of the series, which covers countries identified as high risk.

In this article, the focus shifts to more complex and risk-exposed scenarios, where getting the balance right between proportionality and compliance places significant demands on governance and legal analysis. In such contexts, access to specialist advice for regulatory inspections and internal reviews is critical to ensuring a consistent, legally robust and supervisory-ready application of the AMLR across Europe.

The limits of simplified customer due diligence under the AMLR

A core principle of the AMLR is that customer due diligence measures must be proportionate to the identified risks of money laundering and terrorist financing. This means the framework allows for both enhanced and simplified measures, depending on the circumstances of the individual case. However, the option to apply simplified due diligence (SDD) is strictly conditional and requires the obliged entity to demonstrate, on objective grounds, that the relevant business relationship or transaction presents a low risk. Articles 40 and 41 clearly illustrate where the boundary for simplified measures lies. In both cases, the provisions identify scenarios that are typically treated as higher risk, meaning simplified measures are, as a rule, not available.

Article 40 AMLR – Measures to mitigate risks linked to transfers involving unhosted addresses

Article 40 addresses transfers of crypto-assets that are directed to, or originate from, so-called unhosted addresses. For such transfers, crypto-asset service providers must identify and assess the risks of money laundering and terrorist financing. An unhosted address is defined in Article 3(20) of Regulation (EU) 2023/1113 as a distributed ledger address that is not associated with a crypto-asset service provider or an entity not established in the EU that provides similar services to those provided by a crypto-asset service provider. Against that backdrop, Article 40(1) requires crypto-asset service providers to have internal policies, procedures and controls in place.

A key feature of Article 40 is the requirement of proportionality. The risk-mitigating measures applied by crypto-asset service providers must be proportionate to the risks identified. Those measures may include one or more of the mitigations listed in the provision, including taking risk-based steps to identify and verify the identity of the originator or beneficiary of a transfer to or from an unhosted address, requiring additional information on the origin and destination of the crypto-assets, and applying enhanced ongoing monitoring of transactions involving an unhosted address.

Article 40(2) provides that AMLA must issue guidelines by 10 July 2027 specifying in more detail which measures are to be taken. The guidelines must include methods and criteria to identify and verify the originator’s or beneficiary’s identity for a transfer linked to an unhosted address, as well as criteria and methods for verifying whether the unhosted address is owned or controlled by a customer.

Article 41 AMLR – Specific provisions for applicants for residence permits via investment schemes

Article 41 targets a different category of risk, namely third-country nationals applying for a residence permit in a Member State in exchange for some form of investment, for example transfers, investments in government bonds, investments in corporate entities, or donations.

The AMLR provides that, in such situations, obliged entities must—on top of the general customer due diligence measures under Article 20—apply at least the enhanced customer due diligence measures under Article 34(4)(a), (c), (e) and (f). This includes measures such as obtaining additional information about the customer and the beneficial owners, the origin of the customer’s and beneficial owners’ funds, and obtaining senior management approval to establish or continue a business relationship. Article 41 therefore clearly signals that these scenarios are not compatible with simplified measures (SDD). Even where an investment may appear transparent or regulated in isolation, the overall risk profile is treated as requiring enhanced customer due diligence.

From risk differentiation to practical governance and control under the AMLR

Articles 40 and 41 illustrate how the AMLR differentiates its requirements depending on the nature and complexity of the risk. By introducing specific rules for transactions involving unhosted addresses and for investment-based residence permit schemes, the Regulation makes clear that certain phenomena require a more structured, technically informed and restrictive application of customer due diligence rules.

For obliged entities, this increases the responsibility not only to identify risks, but also to ensure that internal governance documents, processes and controls are sufficiently flexible to manage new forms of exposure. The provisions underline the AMLR’s overarching objective of creating a coherent framework for effective prevention of money laundering and terrorist financing in an increasingly cross-border and digitalised environment.

Morling Consulting supports regulated firms with specialist, business-facing advice across the full AMLR framework. With legal expertise in AML requirements and enhanced customer due diligence, we help organisations on both strategic and operational matters, including risk assessments and internal procedures. By combining legal and operational capability, we support organisations in achieving proportionate, legally robust and sustainable compliance with the EU AML framework across Europe.

The series continues here with the next section: Politically Exposed Persons and Important Public Functions – Articles 42 and 43 of the AMLR

Related posts

Material Design illustration of an ownership structure clarifying ultimate beneficial ownership under AMLR, with interconnected company nodes and a central person figure.

12 May 2026

Transparency in Beneficial Ownership under the AMLR
Read more
Illustration of two legal professionals reviewing documents and digital control flows between two organizations under third-party reliance rules in the AMLR

5 May 2026

Reliance on Third Parties and Sector-Specific Customer Due Diligence under Articles 47–50 AMLR
Read more
Material Design illustration of a lawyer with three panels symbolizing AMLR Articles 44–46 on insurance beneficiaries, former PEPs, and family members or close associates.

28 April 2026

AMLR Articles 44–46 on beneficiaries, former PEPs, and close associates
Read more