KYC/KYB and the Law – EU and Global Regulations

Introduction

Know Your Customer (KYC) and Know Your Business (KYB) obligations form the backbone of anti-money laundering (AML) and counter-terrorist financing (CTF) frameworks globally. They require verification of both individual customers and corporate beneficial ownership structures to prevent anonymity in access to sensitive financial and digital services.
The global standard-setter is the Financial Action Task Force (FATF), whose Recommendation 10 defines the principles of customer due diligence (CDD) and beneficial ownership identification¹.

1. EU Legal Framework for KYC/KYB

1.1 AML Directives (AMLD4–6)

The key EU instruments are:

• Directive (EU) 2015/849 (AMLD4) – establishes KYC/CDD duties²,

• Directive (EU) 2018/843 (AMLD5) – extends scope to crypto service providers³,

• Directive (EU) 2018/1673 (AMLD6) – harmonises criminal liability⁴.

Article 13(1) of AMLD4 requires obliged entities to:

1. identify and verify the customer’s identity using reliable and independent sources,

2. identify the beneficial owner,

3. obtain information on the purpose and intended nature of the business relationship, and

4. conduct ongoing monitoring of transactions².

Article 30 requires each Member State to establish beneficial ownership registers². Access was partially restricted after the CJEU judgment of 22 November 2022 (Joined Cases C-37/20 and C-601/20) due to data protection under the GDPR⁵.

AMLD5 extended obligations to:

• virtual currency exchange services and custodian wallet providers,

• restricted anonymous prepaid instruments,

• introduced enhanced due diligence for high-risk third countries³.

AMLD6 further clarified the definition of money laundering and strengthened the liability of legal persons⁴.

1.2 The New EU AML Package and AMLA

The upcoming EU AML Regulation will replace directives with a directly applicable law.
It will be supervised by the new Anti-Money Laundering Authority (AMLA), based in Frankfurt, ensuring consistent application of KYC/KYB standards across the Union⁶.

1.3 GDPR and Data Protection

All KYC/KYB processing must comply with the General Data Protection Regulation (GDPR)⁷.
Under Article 6(1)(c), KYC processing is based on legal obligation.
Article 5 requires data minimisation and storage limitation — AMLD4 Article 40 allows retention for 5 years, extendable to 10².

1.4 Crypto, Travel Rule, and MiCA

The EU Transfer of Funds Regulation (TFR), amended to cover crypto-assets, implements the FATF Travel Rule⁸.
Payment and crypto-asset service providers must transmit payer and payee information to ensure transaction traceability.
The Markets in Crypto-Assets Regulation (MiCA) complements this by introducing licensing and consumer protection for crypto entities⁹.

1.5 Sectors Covered in the EU

Under Article 2(1) of AMLD4, KYC/KYB applies to:

• credit and financial institutions,

• auditors, accountants, tax advisers,

• notaries and independent legal professionals,

• trust and company service providers,

• real estate agents,

• casinos,

• traders in goods with cash payments ≥ €10,000,

• and since AMLD5 – virtual asset service providers²³.

Telecom operators (SIM registration), marketplaces (under DAC7), and high-value dealers are also often included nationally.

2. Digital Identity, eIDAS and ETSI Standards

The eIDAS Regulation (EU) No 910/2014 provides for mutual recognition of electronic IDs and trusted services such as qualified e-signatures and seals¹⁰.
It enables cross-border KYC, where an eID with a “high” assurance level can replace physical ID verification.

The forthcoming eIDAS 2.0 introduces the European Digital Identity Wallet, allowing verified identity attributes to be shared directly with service providers¹¹.

Key technical standards:

• ETSI EN 319 401 – general security requirements for trust service providers,

• ETSI TS 119 461 – requirements for remote identity proofing and video identification¹².

Regulators increasingly recognise ETSI-certified processes as compliant with AMLD standards for remote onboarding.

3. Non-EU Jurisdictions

3.1 United States

US regulation is based on:

• Bank Secrecy Act (BSA) 31 U.S.C. §5311 et seq.¹³,

• USA PATRIOT Act 2001, Title III¹⁴,

• FinCEN Customer Identification Program (CIP) rule, 31 CFR §1020.220¹⁵,

• FinCEN CDD Rule, 31 CFR §1010.230¹⁶.

Banks must collect at least: full name, date of birth, address, and tax ID, and verify them before account opening.
For entities, beneficial owners with ≥25% ownership must be identified and verified.
The Corporate Transparency Act (CTA) (2021) creates a national beneficial ownership register¹⁷.

3.2 United Kingdom

• Proceeds of Crime Act 2002,

• Money Laundering Regulations 2017 (MLR) (as amended 2019–2020)¹⁸.
  The FCA provides guidance on remote onboarding, biometrics, and reliance on third-party verification.

3.3 Switzerland

• Anti-Money Laundering Act (AMLA) of 1997¹⁹,

• FINMA Ordinance on AMLA (OBA-FINMA).
  Banks must identify clients and beneficial owners, store data 10 years, and report to MROS.
  FATF’s Travel Rule is implemented for virtual assets¹.

3.4 Canada

• Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)²⁰,

• regulated by FINTRAC.
  KYC applies to banks, MSBs, casinos, and crypto exchanges.
  Remote verification is permitted (e.g. Verified.Me).
  Data privacy under PIPEDA limits processing to necessary AML purposes²¹.

3.5 Australia

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006²²,

• enforced by AUSTRAC.
  Requires registration, CDD, and reporting of transactions ≥10,000 AUD.
  Strong enforcement culture – Westpac fined AUD 1.3 billion (2020) for AML/KYC breaches.

3.6 Singapore

• MAS Notice 626 for banks²³.
  Mandatory identification of customers and beneficial owners, with EDD for high-risk cases.
  Integration with SingPass enables secure e-KYC.
  Reporting of Suspicious Transaction Reports (STRs) to STRO is obligatory.

4. Comparative Analysis

5. Technology and Remote Onboarding

Regulators increasingly accept remote KYC provided it ensures:

1. equivalent assurance to face-to-face verification,

2. secure data processing,

3. auditability.

Solutions aligned with ETSI TS 119 461 and GDPR are recognised across the EU.
Globally, KYC APIs and biometric verification are becoming the standard for onboarding.

6. Non-Financial Sectors

KYC/KYB obligations extend beyond finance to:

• crypto and virtual asset providers (VASPs),

• insurance (life, investment-linked),

• gambling and gaming,

• real estate,

• lawyers, accountants, and notaries,

• high-value goods traders,

• telecom and digital platforms (e.g. DAC7 for platform transparency).

These sectors are now under supervision due to FATF’s “all-risk sectors” doctrine¹.

7. Data and Effectiveness

Despite growing automation, global AML risks remain high:

• estimated USD 800 billion – 2 trillion laundered annually (2–5% of GDP)²⁴,

• average corporate onboarding time: 2–5 months²⁵,

• cost of compliance for large institutions: USD 15–30 million/year²⁵.

This indicates that while frameworks are strong, inter-institutional data sharing and cross-border interoperability need improvement.

8. Conclusion

The global convergence of KYC/KYB standards reflects:

• harmonisation under FATF and EU AML packages,

• integration of digital identity (eIDAS, ETSI, SingPass),

• balance between transparency (UBO registers) and privacy (GDPR, PIPEDA),

• increasing use of API-driven compliance and AI-supported verification.

The policy challenge remains: how to ensure robust compliance without creating excessive friction for legitimate customers or SMEs.

Order a free KYC/KYB consultation online

References / Footnotes

Czy chcesz, żebym teraz przygotował tę wersję z pełnym formatowaniem w pliku DOCX lub PDF (z przypisami w stopce) — np. do publikacji eksperckiej lub wewnętrznego raportu?

Footnotes

1. FATF, International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendations 10, 11, 24 (updated 2023). ↩ ↩² ↩³

2. Directive (EU) 2015/849 (AMLD4), OJ L 141/73, 5.6.2015. ↩ ↩² ↩³ ↩⁴ ↩⁵

3. Directive (EU) 2018/843 (AMLD5), OJ L 156/43, 19.6.2018. ↩ ↩² ↩³

4. Directive (EU) 2018/1673 (AMLD6), OJ L 284/22, 12.11.2018. ↩ ↩²

5. CJEU, Joined Cases C-37/20 and C-601/20, 22 November 2022. ↩

6. Proposal for Regulation establishing an Anti-Money Laundering Authority (AMLA), COM(2021) 421 final. ↩

7. Regulation (EU) 2016/679 (GDPR), OJ L 119/1, 4.5.2016. ↩

8. Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (recast TFR). ↩

9. Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA). ↩

10. Regulation (EU) No 910/2014 (eIDAS). ↩

11. Proposal for a Regulation amending eIDAS (eIDAS 2.0), COM(2021) 281 final. ↩

12. ETSI TS 119 461:2021; ETSI EN 319 401:2019. ↩

13. Bank Secrecy Act (31 U.S.C. §5311 et seq.). ↩

14. USA PATRIOT Act, Pub. L. No. 107–56 (2001). ↩

15. FinCEN Rule, 31 CFR §1020.220 – Customer Identification Program. ↩

16. FinCEN Rule, 31 CFR §1010.230 – Customer Due Diligence Requirements. ↩

17. Corporate Transparency Act, 31 U.S.C. §5336 (2021). ↩

18. The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (UK). ↩

19. Federal Act on Combating Money Laundering and Terrorist Financing (AMLA), SR 955.0 (Switzerland). ↩

20. Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), Canada, 2000. ↩

21. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada. ↩

22. Anti-Money Laundering and Counter-Terrorism Financing Act 2006, Australia. ↩

23. Monetary Authority of Singapore (MAS) Notice 626, 2020 revision. ↩

24. UNODC, Money Laundering Estimates, 2023. ↩

25. Fenergo, Global KYC/Onboarding Report 2022. ↩ ↩²

Order a free KYC/KYB consultation online