On 1 March 2021, the EBA published its final report setting out revised guidelines on customer due diligence (CDD) and the factors credit and financial institutions should consider when assessing the money laundering (ML) and terrorist financing (TF) risk associated with business relationships and occasional transactions under Articles 17 and 18(4) of the Fourth Money Laundering Directive (EU 2015/849) (MLD4).

MLD4 and a risk-based approach

The anti-money laundering directives are the key pieces of legislation that make up the current European Union anti-money laundering (AML) and counter-terrorist financing (CTF) regime. MLD4 placed a risk-based approach at the centre of the regime: because the risk of ML and TF varies between customers, products and jurisdictions, a risk-based approach allows firms to direct their controls where the risk is highest. MLD4 was required to be transposed into national law by 26 June 2017.


The greater emphasis in MLD4 on a risk-based approach meant that there was a greater need for guidance for National Competent Authorities (NCAs) and firms. Under MLD4, the European Supervisory Authorities (ESAs) were required to issue guidelines by 26 June 2017, addressed to NCAs and firms, on the risk factors firms should take into consideration and the measures they should take in situations where simplified or enhanced customer due diligence (CDD) would be appropriate. The aim was to promote a common understanding, by firms and competent authorities, of what the risk-based approach to AML/CFT entails and how it should be applied.

The Final Guidelines (JC/2017/37) were published on 26 June 2017. The guidelines have applied since 26 June 2018. Guidelines are addressed to NCAs and firms and their purpose is to clarify the supervisory expectations and to enhance the convergence of supervisory practices. Although they are non-binding, NCAs and firms to whom guidelines are addressed are expected to comply with them (on a “comply or explain” basis).

MLD5 and ESA ongoing work

On 19 June 2018, the Fifth Money Laundering Directive (EU 2018/843) (MLD5) entered into force. MLD5 was required to be transposed into national law by 10 January 2020. MLD5 amended MLD4 to strengthen the fight against terrorist financing and to increase the transparency of financial transactions. As a result, the Guidelines needed to be updated to take account of the new legal framework. At the same time, the ESAs’ ongoing work on ML/TF risk highlighted several areas where significant differences continued to exist in firms’ approaches to AML/CFT.

The EBA’s new role

Since 1 January 2020, the responsibility to produce these guidelines (and to update them) has been passed to the European Banking Authority (EBA), by virtue of Article 3(3) of the Omnibus Directive amending Article 17 of MLD4, giving the EBA powers to lead, co-ordinate and monitor efforts to strengthen AML and CTF measures across the EU in respect of financial institutions.

The EBA launched a consultation on a revised version of the guidelines on 5 February 2020 proposing changes to reflect MLD5, as well as concerns identified by the ESAs.

The revised guidelines

On 1 March 2021, the EBA published its final revised guidelines.

General Guidelines

The EBA has provided more details to existing central parts of the guidelines, as well as adding new guidance on emerging risks:

  • business-wide and individual ML/TF risk assessments;
  • customer due diligence measures, including the identification of the beneficial owner;
  • enhanced due diligence in relation to high-risk third countries;
  • TF risk factors; and
  • emerging risks, such as the use of innovative solutions for CDD purposes.

High risk third countries

The revised Guidelines require firms to carefully assess the risks associated with business relationships and transactions where the customer is known to maintain close personal or professional links with a high-risk third country, or where the beneficial owner(s) is/are known to maintain such links.

Beneficial ownership

Under the revised guidelines, when discharging their obligations set out in Article 13(1)(b) of MLD4 to understand the customer’s ownership and control structure, firms should:

  • ask the customer who their beneficial owners are;
  • document the information obtained; and
  • then take all necessary and reasonable measures to verify the information: to achieve this, firms should consider using beneficial ownership registers where available.

Beneficial ownership registers – Firms should be mindful that using information contained in beneficial ownership registers does not, in itself, fulfil their duty to take adequate and risk-sensitive measures to identify the beneficial owner and verify their identity. Firms may have to take additional steps to identify and verify the beneficial owner, specifically where the risk associated with the business relationship is increased or where the firm has doubts that the person listed in the register is the ultimate beneficial owner.

Control through other means – Firms should also take reasonable measures to understand the customer’s ownership and control structure. These measures should be sufficient for the firm to be reasonably satisfied that it understands the risk associated with each layer of ownership and control. In particular, firms should be satisfied either that the customer’s ownership and control structure is not unduly complex or opaque, or that a complex or opaque ownership and control structure has a legitimate legal or economic reason.

Firms should pay particular attention to persons who may exercise ‘control through other means’. Examples of ‘control through other means’ that firms should consider include:

  • control without direct ownership, for example through close family relationships, or historical or contractual associations;
  • using, enjoying or benefiting from the assets owned by the customer; and
  • responsibility for strategic decisions that fundamentally affect the business practices or general direction of a legal person.

Identifying the customer’s senior managing officials – Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if:

  • they have exhausted all possible means of identifying the natural person who ultimately owns or controls the customer;
  • their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and
  • they are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.


The EBA also reiterates that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, firms should balance the need for financial inclusion with the need to mitigate and manage ML/TF risk.

The EBA had launched a separate Call for Input in 2020, to understand why financial institutions choose to de-risk and therefore exacerbate financial exclusion, instead of managing the risks associated with certain sectors or categories of customers. The Call for Input received more than 300 responses by the deadline in September 2020 and the EBA is assessing the implications for its policy development in this area. The feedback gathered from this Call will potentially feed into other EBA outputs.

Electronic identification

Where a business relationship is initiated, established or conducted in a non-face-to-face situation, or an occasional transaction is carried out in a non-face-to-face situation, firms should take adequate measures to be satisfied that the customer is who they claim to be, and should assess whether the non-face-to-face nature of the relationship or occasional transaction gives rise to increased ML/TF risk. The use of electronic means of identification does not of itself give rise to increased ML/TF risk, especially where those electronic means provide a high level of assurance.

Moreover, MLD4 is technology neutral: firms may choose to use electronic or documentary means, or a combination of the two, to evidence their customers’ identity. Firms that use or intend to use innovative technological means for identification and verification purposes should assess the extent to which those solutions can address, or might exacerbate, ML/TF risks, particularly in non-face-to-face situations. Firms that use an external provider, rather than developing their own innovative solution in-house, remain ultimately responsible for meeting their CDD obligations.


Firms should put in place systems and controls to keep their assessments of the ML/TF risk associated with their business, and with their individual business relationships, under review, so that their assessment of ML/TF risk remains up to date and relevant. The level, frequency and intensity of monitoring may be adjusted in a way that is commensurate with the ML/TF risk associated with the customer or the transactions. In high-risk situations, firms should consider whether enhanced ongoing monitoring of the relationship would be appropriate, including increasing the frequency of reviews, to be satisfied that the firm continues to be able to manage the risk associated with the individual business relationship. The guidelines list additional enhanced due diligence measures that may be of particular relevance in different sectors.

Sector-specific Guidelines

In addition, since the first publication of these Guidelines in 2017, the financial sector has evolved and both existing and emerging risks have been identified. New sectoral guidelines have therefore been included to tackle the specific AML/CFT risks of, and promote convergence in, the following sectors:

  • crowdfunding platforms;
  • corporate finance;
  • account information service providers (AISPs);
  • payment initiation service providers (PISPs); and
  • firms operating currency exchange offices.

Next steps and timing of application of the revised guidelines

The guidelines will be translated into the official EU languages and published on the EBA website and will apply three months after publication in all EU official languages. Upon the date of application, the original guidelines will be repealed and replaced with the revised guidelines.

For more insight on compliance technology options and benefits, visit https://complyportal.uk/modules/ and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

  • Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
  • Registers: lists controlled by the Compliance officer, but easy for staff to view.
  • Risk: map and control risk areas to effectively identify and manage risk for your firm.
  • eKYC solution: perform comprehensive searches, including client identity verification, document authenticity checks and more, for a comprehensive KYC and AML approach.