🎧 KYC and KYB are taking centre stage in the new EU AML framework. In this episode of Alles Legal – Fintech-Recht kompakt, Dana Wondra speaks with Sebastian Glaab and Dr Camillo Werdich about how the EU AML package reshapes customer due diligence and why KYC will increasingly become a continuous, risk-based process.
From onboarding step to continuous monitoring
In this episode, Dana Wondra (Payment & Banking) speaks with Sebastian Glaab (Annerton) and Dr Camillo Werdich (Sinpex) about the evolving Know Your Customer (KYC) and Know Your Business (KYB) requirements under the EU AML package.
A key takeaway: the regulatory understanding of KYC is shifting. Instead of being treated primarily as a one-off onboarding procedure, regulators increasingly expect institutions to treat KYC as a continuous and risk-based process.
After all, effective anti-money laundering measures ultimately depend on whether firms truly know who they are doing business with.
More data points and stricter expectations
KYC was always intended to be an ongoing process. In practice, however, many institutions relied heavily on periodic reviews, sometimes with several years between updates.
The AMLR and the Regulatory Technical Standards (RTS) now provide much clearer expectations and expand the scope of KYC considerations, including:
- customer identity
- beneficial ownership structures
- authorised representatives
- sanctions exposure
- data maintenance and updates
- documentation and traceability
As a result, KYC is evolving from a compliance checklist into a structured process architecture.
Data quality and “defensibility”
Many organisations still operate systems that were never designed to manage KYC/KYB as a continuous lifecycle process. Data flows are sometimes still handled manually – using spreadsheets, shared folders or scattered documentation.
Under the new regulatory framework, this becomes problematic. Institutions must not only present outcomes but also demonstrate how those outcomes were reached, including:
- the underlying documentation
- the steps taken in the process
- the audit trail behind the decision
This concept is often referred to as “defensibility” – the ability to justify and document compliance decisions during regulatory reviews.
Small data fields, big operational impact
One example discussed in the episode illustrates how seemingly small regulatory changes can create significant operational challenges.
In the future, nationalities must be collected more comprehensively. While this may appear minor, it raises major questions for existing customer data, potentially requiring firms to update records and contact customers again.
Taken together, many such additional data points can quickly turn into a large-scale transformation project for KYC processes and data management.
Technology helps – responsibility stays in-house
Another key discussion point concerns third-party service providers.
Many institutions rely on external providers for identification and verification processes. However, the new regulatory framework makes one thing very clear:
Responsibility cannot be outsourced.
Technology may accelerate processes and support compliance teams, but risk decisions remain with the regulated entity.
Start with an honest gap analysis
As a practical takeaway, the speakers recommend beginning with a comprehensive gap analysis of existing KYC processes.
Key questions include:
- What data is currently collected?
- Where do manual steps still exist?
- Which documentation is missing?
- How transparent and auditable are the current processes?
Organisations that still treat KYC primarily as a single onboarding step may find that incremental adjustments are no longer sufficient under the new EU AML regime.
Instead, the focus will increasingly shift to process architecture, data governance and accountability.
About This Podcast
Alles Legal – Fintech Law in Brief delivers weekly insights into legal and compliance topics in the banking and fintech sectors.
This podcast is a collaboration between Payment & Banking and PayTechLaw.
Each Wednesday, our experts explain current legal developments in a clear and concise way – no legalese, just the context you need. Since 2021, PayTechLaw authors and Annerton lawyers have been bringing legal depth to the mic without losing clarity.
Whether it’s PSD3, DORA or FiDA – we provide the background you need. In 20 minutes. Straight to the point.