On 1 July 2025, the EU’s Anti-Money Laundering Authority, AMLA, opened its doors in Frankfurt’s Messeturm. By 1 January 2026, it had absorbed every AML mandate from the European Banking Authority. From 2028, it will directly supervise 40 of the highest-risk financial institutions in the EU.
For lenders, the implications are immediate. The Anti-Money Laundering Regulation (AMLR), adopted in May 2024, replaces the old directive-based patchwork with a single, directly applicable rulebook. Dutch mortgage lenders, German consumer finance companies and French credit institutions now face identical EU AML document verification compliance obligations. No more national interpretations. No more gaps between jurisdictions.
If you are a lender operating anywhere in the EU and still treating document verification as “glance at the PDF, check the box,” you are already behind. Here is what the new rules actually require, and what you need to change before the 10 July 2027 enforcement deadline.
The single rulebook killed regulatory arbitrage for lenders
Until the AMLR, anti-money laundering rules in Europe were based on directives, from AMLD1 through AMLD6. Each member state transposed them into national law differently. A Dutch mortgage lender’s CDD process could look completely different from a German one, even though both were supposedly following the same directive.
This created real problems. Fraudsters knew which jurisdictions had lighter requirements and they targeted lenders there. We saw this pattern repeatedly at VerifyPDF: criminal networks submitting loan applications in whichever country was easiest to exploit. A fake payslip that got flagged in the Netherlands sailed through checks in another member state where the rules were more ambiguous.
The AMLR changes this fundamentally. As a regulation (not a directive), it applies directly in all 27 member states without national transposition. One set of rules. Identical obligations. No wiggle room.
For lenders specifically, this means:
- Your CDD and EDD processes must meet the same standard whether you operate in Amsterdam, Berlin or Paris
- Document verification obligations are spelled out in regulatory technical standards, not left to national interpretation
- AMLA will coordinate supervisory approaches across national authorities, so inconsistent enforcement is no longer a shield
- Maximum fines have jumped to €10 million or 10% of annual turnover, whichever is higher
The era of picking your compliance approach based on where your license sits is over. And the era of “we follow local practice” as a defense is over too.
What “document verification” actually means under the new rules
Here is the requirement that should concern every lender reading this. Article 6(3) of the draft Customer Due Diligence Regulatory Technical Standards states that obliged entities must take “reasonable steps to ensure that all documents obtained for the verification of identity are authentic and have not been forged or tampered with.”
Read that again. Not “check that the document looks right.” Not “confirm the name matches.” The regulation says you must verify that documents are authentic and untampered.
That is a forensic standard, not a visual one.
For lenders, this applies to every document in your loan application pipeline:
Income verification documents:
- Payslips and salary statements, the single most commonly forged document type we see at VerifyPDF
- Employment contracts confirming salary and position
- Tax returns, annual income statements and UWV declarations (in the Netherlands)
Bank statements:
- Account history proving income deposits match the claimed salary
- Transaction records showing spending patterns and financial behavior
- Balance confirmations for savings and investment accounts
Source of funds documentation (for enhanced due diligence):
- Investment portfolio statements
- Property sale contracts and notarial deeds
- Inheritance documentation
- Business financial statements and audited accounts
Proof of address:
- Utility bills, government correspondence, bank letters
- Municipal registration extracts (BRP in the Netherlands, Meldebescheinigung in Germany)
How many of these does your team currently run forensic-level checks on? If the honest answer is “we visually review them”, you have a compliance gap. We wrote a detailed breakdown of what the CDD RTS requires in our post on AMLA compliance and the 2027 deadline. The short version: it is the most specific AML rule Europe has ever produced on document verification.
Why lenders are the primary target, and criminals know it
Lending is where document fraud does the most damage. A fake payslip submitted to an insurance company might inflate a claim by a few thousand euros. A fake payslip submitted to a mortgage lender can unlock hundreds of thousands in credit. The incentive structure is clear, and fraudsters know it.
In 2024, Amsterdam police uncovered a criminal network that used fake income documents to obtain mortgage loans across the Netherlands. The scheme was straightforward: forged payslips and manipulated bank statements, submitted to lenders who relied on manual document review. The documents looked right. The numbers were plausible. The lenders approved the loans.
The criminals walked away with properties purchased on fabricated income. The lenders were left holding mortgages that would eventually default.
This is not an isolated case. At VerifyPDF, we process thousands of lending-related documents every month and the pattern is consistent: roughly 80% of the fake documents we flag started as genuine documents with small alterations. A salary bumped up by €500 per month. A negative transaction quietly deleted from a bank statement. An account balance inflated just enough to meet a loan-to-value threshold. You get the point.
These are not the kind of changes you catch by looking at a document. The fonts match because the original was genuine. The layout is identical because nothing structural changed. The bank logo is real. The manipulation happens at the byte level of the PDF, in content streams and metadata, invisible to the naked eye but detectable through document forensics.
The AMLR is essentially telling lenders: you cannot claim you did not know. The tools exist. The regulation now requires you to use them.
Enhanced due diligence: where most lending teams fall short
Standard CDD applies to every borrower. But enhanced due diligence kicks in for higher-risk situations, and this is where most lenders have the biggest gaps in their document verification.
Under the AMLR, EDD is triggered by:
- Politically exposed persons (PEPs), current or former senior public officials, their family members and known associates applying for mortgages or business loans
- Customers from high-risk third countries, as designated by the European Commission’s delegated acts
- Complex or unusually large transactions, including mortgage applications significantly above the median for the local market
- Cross-border lending, applications from customers in a different member state than the lender, increasingly common with digital lending platforms
- Non-face-to-face business relationships, covering most online mortgage brokers and digital consumer lenders
When EDD is triggered, the document requirements escalate. You need source of funds and source of wealth documentation, and you need to verify it is genuine. Not “it looks fine.” Genuine.
Picture a real scenario. A customer applies for a €500,000 mortgage. They are a dual national with business interests in two EU countries. EDD is triggered. They submit investment statements from a brokerage in Luxembourg, rental income proof from properties in Portugal and bank statements from accounts in Germany and the Netherlands.
Can your compliance team verify that all of these documents are authentic? That the Luxembourg investment statement was actually generated by that brokerage’s system, not edited in Adobe Acrobat? That the Portuguese rental contracts have not been manipulated to inflate income?
Most lending teams cannot. They are relying on visual review of formats they have never seen before, from institutions they have never dealt with. The regulation now says that is not enough. It never was, it is just that now there are consequences.
A practical EU AML document verification compliance checklist for lenders
Enough about what the rules say. Here is what you should actually do. We put this checklist together based on the AMLR requirements, the draft CDD RTS and our experience working with European lenders.
1. Map your document intake.
List every document type you collect during the loan application process. For each one, write down how you currently verify it is genuine. “Manual review” and “visual check” are the same thing and neither meets the new standard. This gap analysis is step one and most lenders who do it honestly are surprised by how many documents pass through with no real verification at all.
2. Require original PDFs, not screenshots or scans.
This is foundational. When a borrower sends you a photo of their computer screen or a scanned printout of a bank statement, you lose all forensic data. The metadata is gone. The font information is gone. The internal PDF structure is gone. There is no legitimate reason for someone to print a digital bank statement and scan it back in. If they do, that is a red flag, not standard practice.
3. Automate document integrity checks.
The AMLR is technology-neutral. It does not prescribe a specific solution. But verifying documents are “authentic and not tampered with” at scale is practically impossible without automation. A compliance team processing 200 mortgage applications per month, each with 5-8 supporting documents, cannot perform forensic-level checks on 1,000+ PDFs manually. The math does not work.
At VerifyPDF, we check every document in under 5 seconds, analyzing metadata, font consistency, content layer integrity and editing history. The output is a risk rating (Trusted, Low risk, Needs attention, High risk) with detailed forensic evidence your compliance team can act on.
4. Cross-reference documents against each other.
The AMLR explicitly requires consistency checks across CDD information. A payslip claiming €6,000 monthly salary should match bank statement deposits. Tax returns should match both. A proof of address should show the same city as the employment contract. When documents contradict each other, your system should flag the discrepancy, not quietly approve the application because each document “looked fine” individually.
5. Build the audit trail from day one.
Article 77 of the AMLR requires five years of retention for all CDD records, starting from the end of the business relationship. Every document verification check needs to generate a detailed, timestamped report: what was checked, what was found, what risk rating was assigned and what decision followed.
If your current process is “compliance officer reviewed the document and approved,” you do not have an audit trail. You have an opinion. When AMLA or your national supervisor comes asking for evidence, an opinion is not going to be enough.
6. Plan for ongoing verification, not just onboarding.
Most lending fraud does not happen at the application stage. It happens when an existing customer requests a credit increase, a refinance or a top-up and submits fresh documents that nobody checks as rigorously as the originals. Every new document submission during the customer lifecycle should go through the same verification pipeline as the initial application. The AMLR makes this explicit.
How automated PDF verification maps to the AMLA framework
The AMLR’s document verification requirements map directly onto what automated PDF forensics tools do:
| AMLR requirement | What it means for lenders | How automated verification addresses it |
|---|---|---|
| Documents must be “authentic and not tampered with” | Forensic-level verification of every supporting document | Metadata, font and content layer analysis at the byte level |
| Cross-referencing of CDD information | Consistency checks across all documents from the same borrower | Automated comparison of income figures, balances and personal details |
| Risk-based approach to CDD | Higher scrutiny for higher-risk borrowers and transactions | Configurable risk scoring with escalation to human review |
| Record-keeping for five years | Detailed audit trail for every verification decision | Timestamped forensic reports stored and managed automatically |
| Ongoing monitoring | Re-verification when the borrower submits new documents | Same pipeline applied at any stage of the customer lifecycle |
The regulation is deliberately technology-neutral, so it does not prescribe solutions that might become outdated. But the practical reality is clear. No lending team can manually perform forensic PDF analysis on every document in every loan application, especially when the regulation also demands a five-year audit trail proving what you checked and what you found.
That is not a manual process. That is an automated document review pipeline.
The clock is ticking, and fraudsters are reading the same regulation
The AMLR enforcement date is 10 July 2027. AMLA’s direct supervision of the 40 highest-risk institutions begins 1 January 2028. The draft CDD technical standards are being finalized as you read this.
If you are a European lender, the roadmap is clear. Get forensic-level document verification into your lending pipeline. Build the audit trail. Train your team on the new requirements. Pressure-test the whole process before mid-2027.
Move early and you get more than compliance. You catch more fraud. You write fewer loans that default. And when AMLA comes asking, you can show what you checked, not just what you promised to check.
At VerifyPDF, we help European lenders add automated document forensics to their lending pipelines. Our API processes documents in seconds, covering bank statements from over 90 countries and flagging the subtle signs of manipulation that manual reviews miss. If you want to see what EU AML document verification compliance looks like in practice for lending, get in touch.
The single rulebook is here. The rules are identical for every lender in Europe. The only question left is whether you will be ready, or whether the fraudsters will get there first.