Third-Party Providers in AML: Outsourcing, Responsibility & New EU Requirements | ALLES LEGAL #130

🎧 External service providers have long played a key role in anti-money laundering compliance, but the new EU AML framework is shifting responsibility more clearly back to firms themselves. In the latest episode of “Alles Legal – Fintech-Recht kompakt”, Sebastian Glaab and Dana Wondra discuss what this means for outsourcing, KYC processes and digital identification. – Tune in now!

Third-party providers in AML: what is changing under the new EU framework

In episode #130 of “Alles Legal – Fintech-Recht kompakt”, Dana Wondra from Payment & Banking speaks with Sebastian Glaab, attorney at Annerton and PayTechLaw author, about the future role of external service providers in anti-money laundering compliance. The episode focuses on a central question: which tasks firms may still outsource in future, and where regulatory responsibility will need to remain firmly in-house.

Outsourcing remains important – but with clearer limits

Third-party providers have become an integral part of AML practice. Whether for video identification, digital identity checks or technical support in KYC processes, many obliged entities have relied on external providers for years. Under the new European AML regime, however, the regulatory boundaries are becoming more clearly defined.

The overall direction is clear: certain core functions should no longer be capable of being fully outsourced. This applies in particular to strategic decisions, risk analysis and key control functions. Firms will therefore need to retain stronger ownership of essential compliance responsibilities.

Responsibility stays with the institution

This does not mean that third-party providers will disappear from AML structures. Their role is evolving rather than diminishing. They will remain relevant for operational and technical support, especially in identification procedures and digital compliance solutions.

At the same time, the new framework reinforces a fundamental principle: ultimate responsibility always remains with the obliged entity. Outsourcing a process does not outsource regulatory accountability. Firms will therefore need to manage and monitor external providers more closely and embed outsourced services within robust internal governance structures.

Identity verification is changing

One of the clearest examples of this shift can be seen in identity verification. Processes such as video identification are increasingly being reassessed, while more standardised and harmonised European solutions are gaining traction. Approaches linked to eIDAS and digital identity frameworks are likely to become more important.

The aim is to achieve more consistent, secure and harmonised identification across the EU. For firms, this also means reviewing current processes early and preparing for changing regulatory expectations.

Practical challenges for existing outsourcing models

In practice, many existing outsourcing models are unlikely to carry over unchanged into the new system. In areas such as monitoring, review procedures and control-related functions, firms will need to distinguish more carefully between tasks that can be delegated and those that must remain internal.

This creates uncertainty, but it also highlights the growing importance of clear internal responsibilities, reliable control frameworks and a well-defined relationship between institutions and their service providers.

What firms should focus on now

The episode makes one point particularly clear: third-party providers will remain an important part of modern AML compliance, but under different conditions. The decisive factor will be how effectively firms combine external solutions with internal accountability. Now is the right time to review outsourcing models, governance structures and identification processes in light of the new EU AML regime.

About This Podcast

Alles Legal – Fintech Law in Brief delivers weekly insights into legal and compliance topics in the banking and fintech sectors.
This podcast is a collaboration between Payment & Banking and PayTechLaw.
Each Wednesday, our experts explain current legal developments in a clear and concise way – no legalese, just the context you need. Since 2021, PayTechLaw authors and Annerton lawyers have been bringing legal depth to the mic without losing clarity.
Whether it’s PSD3, DORA or FiDA – we provide the background you need. In 20 minutes. Straight to the point.


