What's Actually in AMLA's Article 28 CDD Standards: A Read of the Draft RTS Before the Window Closes

Compliance officers tend to think of regulation as the visible part of the iceberg. The Anti-Money Laundering Regulation (AMLR), which applies from 10 July 2027, is the part everyone has been planning around. But underneath it, the technical standards that determine what compliance actually looks like in practice are still being written. The window to influence them closes on 8 May 2026, four days from the publication of this article.

On 9 February 2026, the European Anti-Money Laundering Authority (AMLA) opened a public consultation on the draft Regulatory Technical Standards under Article 28(1) of the AMLR. The draft RTS is the document that will turn the AMLR's principles on customer due diligence into specific operational requirements. AMLA must submit its final draft to the European Commission by 10 July 2026. Once adopted, it will become directly applicable across the EU without national transposition.

The consultation has received serious engagement from law firms and trade associations, but limited engagement from the obliged entities that will have to implement it. That asymmetry matters, because the questions the draft RTS leaves open are not theoretical. They will determine what management companies, fund managers and TCSPs have to capture, store and produce on supervisory request from July 2027.

What the Draft RTS Actually Does

Article 28(1) of the AMLR mandated AMLA to specify, in technical detail, what information obliged entities must collect for standard, simplified and enhanced customer due diligence. The draft RTS is principle-based rather than prescriptive. It tells obliged entities what categories of information must be collected and from what types of source, but does not list specific documents. That choice was deliberate. AMLA is trying to leave room for technological evolution, including remote onboarding and qualified electronic identification under eIDAS 2.0, while still imposing harmonised data points across the EU.

The draft consists of around 30 articles, organised into sections on customer identification and verification, beneficial ownership, ownership and control structure, purpose and nature of the relationship, sectoral measures, simplified due diligence, enhanced due diligence and screening. AMLA has track-changed the version that the European Banking Authority submitted in October 2025, so it is possible to read the draft alongside its predecessor and see which judgements AMLA has made.

Three of those judgements deserve attention.

The First Provision That Matters: Ownership and Control Structures

Article 10 of the draft RTS specifies what obliged entities must collect when a customer's ownership structure includes intermediary legal entities or arrangements between the customer and the ultimate beneficial owner. The current text requires the obliged entity to obtain a reference to all such intermediary entities, plus, for each of them, a list of attributes that includes legal form, jurisdiction, registered address, ownership percentages, voting rights and the presence of any nominee shareholders.

For a Luxembourg management company looking after a fund with three or four layers of holding structures, this is significant. Most files will already capture some of this information. Few will capture all of it in machine-readable form, consistently across the customer base, with each attribute tied to a verifiable source. The Association for Financial Markets in Europe has already pushed back on Article 10 in its consultation response, calling the obligation to reference all intermediary layers excessive and inconsistent with the risk-based approach. Whether AMLA softens it in the final draft or holds the line will materially change what fund managers need to capture in 2027.

The broader point is that beneficial ownership work has historically been treated as a downstream task: identify the UBO and document the chain. The draft RTS treats the chain itself as primary evidence. Each intermediary entity is a record the obliged entity must hold and be able to produce. That is closer to a structured data problem than a documentary one.

The Second Provision That Matters: Senior Managing Officials

Article 12 of the draft RTS deals with senior managing officials (SMOs). Under Article 22(2) of the AMLR, where no beneficial owner can be identified, obliged entities must identify the SMOs who exercise control over the legal entity. The draft RTS requires obliged entities to collect and verify information on those SMOs in essentially the same way they would for a UBO.

This is the provision that has drawn the most operational pushback from trade bodies, and for understandable reasons. SMOs are often a broad set of people, including board members and senior executives, who do not have a personal financial interest in the customer. Asking obliged entities to collect identity documents and addresses for the executive team of, for example, a large listed corporate is treated by some respondents as disproportionate to the actual money laundering risk, particularly in wholesale and institutional contexts.

The European Banking Authority's earlier draft permitted the use of a business address rather than a residential address for SMOs, a small concession to the operational burden. AMLA has retained that flexibility but has not, in the current draft, materially reduced the scope of identification required. For management companies with institutional and corporate clients, this means the population of natural persons whose data must be collected and verified at onboarding is materially larger than it was under the directive-based regime.

The practical consequence: any data model that treats the UBO as a single field will not survive 2027. The model needs to handle a structured, possibly numerous, set of identified natural persons with verified attributes per relationship.

The Third Provision That Matters: Verification Sources and Reliance

Article 9 of the draft RTS addresses what obliged entities can rely on to verify the beneficial owner. The version under consultation confirms a position that some respondents had hoped would be revisited: central transparency registers may be used to identify a beneficial owner, but cannot be used to verify the identity of that beneficial owner. Verification must come from another source.

For Luxembourg, where the Registre des Bénéficiaires Effectifs (RBE) has historically been a primary input, this is a meaningful change. The draft RTS effectively treats register data as a starting point that has to be corroborated against an independent source, not as evidence in itself. Article 7 lists the kinds of independent sources that qualify, and Article 8 deals with virtual IBANs, but the broader consequence is that any CDD workflow that ends at "checked the register" will not satisfy the new standard.

The draft RTS also confirms that obliged entities may, under certain conditions, rely on UBO information already verified by another credit or financial institution under Article 22(7) AMLR and Article 9 of the draft RTS. This is a meaningful efficiency provision for management companies sitting downstream of an already-regulated entity, but the conditions are tight and the documentation requirements are not trivial.

What This Means for Implementation Work in 2026 and 2027

Three practical implications follow.

First, the draft RTS confirms that AMLR readiness is structurally a data problem rather than a policy problem. The principle-based drafting allows flexibility in how information is collected, but it does not soften the requirement that the information be collected, verified, and produceable. Firms that approach AMLR as a question of updating policies and procedures will find themselves underestimating the scope of the data work.

Second, the draft RTS specifies a transitional approach. Obliged entities are not expected to bring every existing customer relationship in line with the new standard at the moment AMLR applies. The risk-based approach allows high-risk relationships to be remediated first, with up to a five-year transition period for non-high-risk relationships. That window is generous on paper but tight in practice once the volume of remediation work is understood.

Third, and most importantly for any firm with a 14-month implementation window, the substantive provisions of the draft RTS are very close to what the final RTS will look like. AMLA has been clear that this consultation is an opportunity for refinement, not a wholesale rewrite. The structural shape of CDD under the AMLR is now visible enough that firms can begin building against it without waiting for the final text.

A Note on the Consultation Window

The consultation closes on 8 May 2026 at 23:59. Submitting a substantive response is not the only useful action. Reading the draft RTS carefully, mapping its requirements against the firm's current data model, and identifying where the gaps sit are arguably more valuable internal exercises than a public response. The firms that are using this consultation period as a reading exercise, rather than treating it as someone else's job, will arrive in 2027 with a substantially clearer picture of what their systems need to do.

The AMLR will not be rewritten between now and July 2027. The technical standards that operationalise it largely will not be rewritten between now and 10 July 2026. After that, the implementation runway is what it is. The draft RTS is the closest thing the industry currently has to a finalised specification, and it is sitting on AMLA's website. The most useful action this week is to read it.

Want a structured walkthrough of how the Article 28 RTS draft maps to your current CDD data model, or help identifying the structural gaps that need to be closed before July 2027? Talk to our team.