On 9 February 2026, the EU’s Anti-Money Laundering Authority (AMLA) opened a public consultation on draft technical standards that will shape how document verification works for AMLA compliance across all 27 member states. The consultation closes on 8 May 2026.
By July 2027, every obliged entity in Europe (banks, fintechs, crypto platforms, real estate agents, even crowdfunding services) must comply with a single, directly applicable regulation. No more national interpretations. No more loopholes between jurisdictions.
At VerifyPDF, we have been going through the draft Regulatory Technical Standards (RTS) on Customer Due Diligence (CDD) line by line. The requirement that jumped out at us: obliged entities must take “reasonable steps to ensure that all documents obtained for the verification of identity are authentic and have not been forged or tampered with.”
That is a direct quote from Article 6, paragraph 3 of the draft CDD RTS. Here is what it means for your business and why it is more specific than any AML rule Europe has seen before.
What the EU’s single AML rulebook changes for document checks
Until now, anti-money laundering rules in Europe were based on directives. Each member state transposed them into national law differently. A Dutch bank, a German fintech and a French insurer all had to follow AML rules, but the specifics of how they verified documents varied wildly. In our experience, this patchwork created gaps that fraudsters exploited by operating across borders.
The Anti-Money Laundering Regulation (AMLR), formally adopted on 31 May 2024, replaces this patchwork with a single rulebook applying from 10 July 2027. It is a regulation, not a directive, meaning it applies directly in all member states without any national transposition. One set of rules, 27 countries, no wiggle room.
AMLA, headquartered in Frankfurt’s Messeturm, is the new central authority coordinating all of this. It became operational on 1 July 2025 and took over all AML mandates from the European Banking Authority in January 2026.
Now it is writing the detailed technical standards that tell firms exactly what compliance looks like. The CDD RTS is the most important of these for anyone handling customer documents.
The CDD requirement that should worry you
Most firms think of Customer Due Diligence as “check the passport, match the face, move on.” That has never been enough, as we have argued in our post on why ID verification alone leaves the door wide open, but now the regulation spells it out in black and white.
Article 6(3) of the draft CDD RTS requires that obliged entities verify documents are “authentic and have not been forged or tampered with.” This is not about checking that a passport photo matches a selfie. This is about the document itself.
Is the PDF genuine? Has it been edited? Were the metadata, fonts or content layers manipulated after the original was created?
For firms that currently accept scanned copies of documents and give them a quick visual once-over, this is a big shift. A human reviewer looking at a well-made fake payslip will not spot the manipulation; we see this every day. The regulation is saying: you need forensic-level verification, and “we did not notice” is no longer a valid defense.
Which documents need verification under AMLA compliance
The CDD requirements cover far more than just passports and ID cards. Here is what the draft RTS and the AMLR specify:
Identity verification documents:
- Passports, national ID cards or equivalent government-issued documents
- Must contain the person’s full name, date of birth, expiration date, document number, facial image and signature
- For remote onboarding: eIDAS-compliant electronic identification at “substantial” or “high” assurance levels, or qualified trust services
Source of funds and wealth documentation (enhanced due diligence):
- Tax declarations
- Recent payslips or employment contracts specifying salary
- Bank statements
- Official income statements, audited accounts and investment documentation
Beneficial ownership documentation:
- Multiple sources required; central registers alone are not sufficient
- Must verify using identification documents or “reasonable measures” from reliable independent sources
The source of funds requirement is where things get interesting. Payslips and bank statements are the most commonly forged documents we see. And criminals know this. As we covered in our analysis of the rising threat of fake bank statements, about 80% of the fake documents we process started as genuine documents with small alterations: a salary bumped up by a few hundred euros, a balance inflated to meet a lending threshold.
These are exactly the kind of documents AMLA now says you must verify as authentic.
How many of these document types does your team currently run forensic checks on? If the honest answer is “just the ID,” you have a compliance gap that needs closing before July 2027.
What “authentic and not tampered with” means in practice
The draft RTS does not prescribe a specific technology; it is deliberately technology-neutral. But the obligation to confirm documents have not been forged or tampered with requires more than a visual check. You get the point: glancing at a PDF and deciding it “looks fine” is not going to cut it anymore.
In practice, forensic document verification involves:
- Metadata analysis. Check when the document was created, which software produced it and whether the creation and modification timestamps are consistent. A bank statement allegedly from ING that was last modified in Adobe Acrobat? That is a red flag.
- Font and content layer inspection. Genuine PDFs from banks and employers have consistent font usage throughout. When someone edits a number in a payslip, the replacement text often uses a slightly different font embedding that is invisible to the naked eye but detectable at the byte level.
- Structural integrity checks. PDF files have an internal structure (cross-reference tables, object streams, incremental saves) that tells a story. A document that has been opened, edited and re-saved leaves traces in this structure. This is what document forensics is all about.
- Cross-referencing documents. A payslip claiming a monthly salary of €8,000 should match a bank statement showing roughly that amount deposited. The AMLR explicitly requires firms to assess consistency across the documents a customer submits.
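The metadata and structural checks from the list above, as an added example (not VerifyPDF's code or method). It scans raw PDF bytes for incremental-save markers and for Info-dictionary values that changed between revisions. The function names, the `EDITOR_HINTS` list and both sample byte strings are constructed for illustration, and the parser assumes an unencrypted file whose Info dictionary is not stored in a compressed stream.

```python
import re

EDITOR_HINTS = ("acrobat",)  # assumption: illustrative, from the page's own example
INFO_KEYS = ("Producer", "CreationDate", "ModDate")

def info_values(pdf: bytes) -> dict:
    """Every literal-string value of each Info key, in file order.
    Assumption: unencrypted file, Info dictionary not in a compressed stream."""
    out = {}
    for key in INFO_KEYS:
        pat = rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)"
        out[key] = [v.decode("latin-1") for v in re.findall(pat, pdf)]
    return out

def inspect_pdf(pdf: bytes) -> list:
    """Return tamper indicators (leads for review, not proof of forgery)."""
    findings = []
    # Each incremental save appends a new xref section ending in %%EOF;
    # linearized files legitimately carry one extra marker.
    eofs = len(re.findall(rb"%%EOF", pdf))
    if eofs - (1 if b"/Linearized" in pdf[:1024] else 0) > 1:
        findings.append(f"incremental-save: {eofs} %%EOF markers")
    info = info_values(pdf)
    created, modified = info["CreationDate"], info["ModDate"]
    if created and modified and modified[-1] != created[0]:
        findings.append(f"timestamp-mismatch: {created[0]} vs {modified[-1]}")
    producers = list(dict.fromkeys(info["Producer"]))  # ordered, de-duplicated
    if len(producers) > 1:
        findings.append("producer-changed: " + " -> ".join(producers))
    if producers and any(h in producers[-1].lower() for h in EDITOR_HINTS):
        findings.append(f"editor-producer: {producers[-1]}")
    return findings

# Constructed PDF-like skeletons (not renderable files; offsets are dummies).
ORIGINAL = (b"%PDF-1.7\n1 0 obj\n<< /Producer (ExampleBank StatementGen 2.1) "
            b"/CreationDate (D:20260105090000Z) /ModDate (D:20260105090000Z) >>\n"
            b"endobj\nxref\n0 2\ntrailer\n<< /Size 2 /Info 1 0 R >>\n"
            b"startxref\n150\n%%EOF\n")
EDITED = ORIGINAL + (b"1 0 obj\n<< /Producer (Adobe Acrobat Pro) "
            b"/CreationDate (D:20260105090000Z) /ModDate (D:20260212174500Z) >>\n"
            b"endobj\nxref\n0 2\ntrailer\n<< /Size 2 /Info 1 0 R /Prev 150 >>\n"
            b"startxref\n400\n%%EOF\n")

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("edited", EDITED)):
        print(name, inspect_pdf(data) or "no indicators")
```

A re-save that rewrites the whole file leaves a single `%%EOF`, so an empty result here is not evidence of authenticity; the font and cross-document checks in the list cover cases this one misses.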
At VerifyPDF, we run these forensic checks automatically in under 5 seconds per document. But regardless of which solution you pick, the bottom line is clear: the AMLR standard requires evidence-based verification, not gut feelings.
The audit trail you will need to keep for five years
Article 77 of the AMLR sets a clear record-keeping requirement: five years of retention for all CDD documents and transaction records, starting from the end of the business relationship or the date of an occasional transaction.
But it goes further than just storing PDFs in a folder. Firms must be able to reconstruct a customer’s identity, activity and risk decisions at any point during that five-year window.
That means your document verification process needs to generate detailed evidence: not just a pass/fail result, but a record of what was checked, what was found and what risk rating was assigned.
After the five-year period? Mandatory deletion. The AMLR aligns with GDPR here: you cannot hold CDD data indefinitely “just in case.” Sounds simple. It is not. Most firms have not designed for this data lifecycle at all.
For automated verification systems, this is straightforward: every check generates a timestamped report that can be stored and purged on schedule. For manual review processes, building this audit trail retroactively is going to be painful. And expensive.
Fines have doubled, and AMLA can enforce them directly
The fines got a lot bigger. Maximum penalties for serious breaches jumped from €5 million (or 5% of annual turnover) to €10 million or 10% of annual turnover, whichever is higher. For natural persons, the cap is €5 million. If the benefit from a breach can be determined, the fine must be at least twice that amount.
And here is what makes AMLA different from previous AML enforcement: starting 1 January 2028, AMLA will directly supervise 40 high-risk cross-border financial entities. These are the largest and most complex financial groups operating across multiple EU jurisdictions. For everyone else, AMLA sets the supervisory standards that national authorities must follow and it will be checking that they actually do.
The list of obliged entities has expanded too. Crypto-asset service providers (with CDD required for transactions exceeding just €1,000), crowdfunding platforms, mortgage credit intermediaries and even professional football clubs (from 2029) now fall under the same CDD obligations as banks.
If you are a fintech operating anywhere in the EU, there is zero ambiguity: these rules apply to you.
How to start preparing before July 2027
The CDD RTS consultation closes on 8 May 2026. AMLA must submit the final standards to the European Commission by July 2026. That gives firms roughly one year from the final text to full compliance. I have been working in document verification for years, and I have never seen regulation this specific about what “verification” actually means. The clock is ticking. Here is what you should be doing now:
- Run a gap analysis against the draft RTS. The consultation document is publicly available. Compare your current CDD process against what Article 6(3) requires. How do you currently verify that documents are authentic and not tampered with? If the answer is “manual review,” you have a gap.
- Stop accepting screenshots and scanned copies where originals exist. When a customer sends you a photo of their computer screen instead of the original PDF, you lose all forensic data. We wrote about this in detail: stop accepting screenshots and enable document forensics. The AMLR’s verification requirements are impossible to meet with a JPEG of a bank statement.
- Get automated document forensics in place. The volume of documents that need forensic-level verification under the new rules makes manual checking impractical. VerifyPDF checks documents in under 5 seconds, flags manipulation at the byte level and generates the audit trail you need for compliance.
- Design your retention and deletion workflow now. Five years of evidence, then mandatory deletion. Building this into your systems from day one is much easier than retrofitting it later.
- Cross-reference documents as part of CDD. Do not verify documents in isolation. The AMLR expects consistency checks across all documents submitted by a customer. A payslip, a bank statement and a tax return should tell the same story and when they do not, that should trigger an alert.
The firms that will struggle most are the ones that treat document verification as a checkbox exercise: accept the file, glance at it, tick the box. The new rules make it clear that this approach is over.
You need to prove that documents are genuine. You need forensic evidence. And you need to keep that evidence for five years.
At VerifyPDF, we built our platform for exactly this kind of regulatory reality. If you want to see what AMLA-ready document verification looks like, try it for free.
July 2027 is fifteen months away. The rulebook is being written right now. The firms that act early will achieve AMLA compliance. The firms that wait will be scrambling. And the fraudsters? They are already reading the same regulation, looking for gaps to exploit.