Anti-money laundering and counter-terrorist financing (AML/CTF) regulations are evolving faster than most onboarding systems can follow. AMLA (the future European anti-money laundering authority), the 6th AML Directive, the rise of PVID level 2 as a reference standard: for teams operating regulated onboarding flows, the gap between regulatory requirements and technical reality is widening.
The Evolving Regulatory Landscape
From 5AMLD to AMLA: Accelerating Harmonization
The 5th AML Directive (2018) introduced the obligation for risk-based remote identification. The 6th Directive (2021) tightened criminal liability and extended the definition of predicate offenses.
The major upcoming shift: the AMLA Regulation (EU 2024/1624), adopted in 2024, creates a European AML/CTF supervisory authority with direct powers over cross-border “obliged entities” (large banks, crypto-asset service providers). It comes into full application progressively between 2025 and 2027.
Practical implication: regulatory standards will increasingly be set at European level, not national level. A French bank and a German payment institution will have to comply with the same detailed requirements for their KYC procedures.
PVID: The French Reference Standard for Remote Identification
In France, ANSSI’s PVID (Prestataire de Vérification d’Identité à Distance) framework defines two assurance levels for remote identity verification:
PVID level 1: corresponds to “substantial” assurance level according to eIDAS. Verification using an identity document + liveness detection. Suitable for most standard regulatory uses.
PVID level 2: corresponds to “high” assurance level. Adds requirements for document quality verification (chip or UV reading), qualified biometric liveness, and additional controls against presentation attacks. Required for certain high-risk acts (opening premium accounts, certain insurance contracts).
The ANSSI-certified providers list for PVID is the operational reference. Using a non-certified provider for a regulated act creates a non-compliance risk even if the technical process seems equivalent.
What Changes Technically for Your Onboarding
The KYC Stack in 2024-2025
A robust KYC stack now typically combines:
- Document capture: progressive quality guidance (brightness, angle, no blur) with client-side validation before server upload
- Document analysis (OCR + classification + anti-fraud): reading of the MRZ, NFC chip reading for ePassports, AI-based analysis of physical security features
- Biometric liveness: passive liveness (behavioral analysis) or active liveness (requested gesture) + face matching against the document photo
- Screening: cross-checking against sanctions lists (EU, OFAC, UN), PEP (Politically Exposed Persons), adverse media
- Risk scoring: automated decision or routing to manual review based on score + risk context
- Orchestration and auditability: complete traceability of each step for regulatory compliance
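As an added example (not code from the article), here is the ICAO 9303 check-digit validation that the document analysis step above runs on the second MRZ line of a TD3 passport, so that an OCR misread or an edited field is caught before any downstream decision. The sample line is the public ICAO 9303 specimen; the tampered copy is constructed.

```python
# Added example, not the article's code: ICAO 9303 check-digit validation for the
# second line of a TD3 passport MRZ, applied to OCR output before any decision is taken.
MRZ_WEIGHTS = (7, 3, 1)          # repeating weights defined by ICAO 9303

def mrz_char_value(ch: str) -> int:
    """Map an MRZ character to its ICAO 9303 value: '<' = 0, digits as-is, A-Z = 10..35."""
    if ch == "<":
        return 0
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {ch!r}")

def mrz_check_digit(field: str) -> int:
    """Weighted sum of the field's character values, modulo 10."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def _check_ok(field: str, check: str) -> bool:
    # A check digit must itself be a digit and must match the recomputed value.
    return check.isdigit() and mrz_check_digit(field) == int(check)

def parse_td3_line2(line: str) -> dict:
    """Split the 44-character second MRZ line and verify every check digit it carries."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    checks = {
        "document_number": _check_ok(line[0:9], line[9]),
        "birth_date": _check_ok(line[13:19], line[19]),
        "expiry_date": _check_ok(line[21:27], line[27]),
        # the optional-data check digit may be a filler '<' when the field is unused
        "optional_data": line[42] == "<" or _check_ok(line[28:42], line[42]),
        # composite digit covers doc number+check, DOB+check, expiry+check, optional+check
        "composite": _check_ok(line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    return {
        "document_number": line[0:9].replace("<", ""),
        "nationality": line[10:13],
        "birth_date": line[13:19],
        "sex": line[20],
        "expiry_date": line[21:27],
        "optional_data": line[28:42].rstrip("<"),
        "checks": checks,
        "all_checks_pass": all(checks.values()),
    }

# Public ICAO 9303 specimen, and a constructed copy with one birth-date digit altered.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
TAMPERED = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"
```

On the tampered line both the birth-date check and the composite check fail while the other fields still validate, which is exactly the signal a review queue wants: not just "invalid", but which field was touched.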
The NFC Challenge for Identity Documents
ePassports contain an NFC chip holding a digitally signed copy of the holder's biometric data. Reading this chip provides the highest level of document assurance: the signed data cannot be altered without invalidating the signature.
The problem: NFC reading requires the user to:
- Have an NFC-equipped smartphone (standard on modern devices)
- Position the document correctly for several seconds (a step users frequently abandon)
- Have enabled NFC (not always on by default)
Typical abandonment rates on the NFC step: 15-35% depending on target audience and UX quality. For a product requiring PVID level 2, the decision between imposing NFC or offering a fallback to visual verification is a regulatory trade-off.
Liveness: Evolution of Requirements
The definition of acceptable liveness continues to evolve. The main types:
Passive liveness (no user gesture): behavioral and micromovement analysis during a static video. Good UX, but variable performance against sophisticated deepfakes.
Active liveness with controlled challenge: randomly requested gestures (blink, turn, smile). More robust against presentation attacks, but a more constraining UX.
ISO 30107-3 defines PAD (Presentation Attack Detection) levels. Level 1 (basic detection) and level 2 (injection attack detection) are now relevant criteria when evaluating a vendor.
Vendor Selection: Questions to Ask
When selecting or reassessing a KYC provider, key questions:
On certifications: Are they PVID certified (level 1 and/or 2)? What is their SOC 2 / ISO 27001 certification status?
On performance by document type: What is the OCR success rate on French identity cards, ePassports, European driving licenses? By country of issue?
On liveness: What is the false acceptance rate (FAR) and false rejection rate (FRR) on your target demographic? Have their models been tested against deepfake injection attacks?
On compliance: How do they handle GDPR? What are their data retention periods? Where is data processed (hosting, sub-processors)?
On integration: REST API or SDK? Webhooks for async events? How are timeouts and degraded-mode cases handled?
The Specific Challenges of Cross-Border Onboarding
If you onboard customers from multiple EU member states, the technical complexity multiplies:
- Document diversity: format, security features and biometric chip specifications vary by country and generation
- Sanctions and PEP lists: each member state maintains national lists in addition to EU consolidated lists
- Regulatory requirements: some countries have specific requirements beyond the EU minimum (Germany, France)
- Language and UX: instructions in local language, adapted for national document types
No single provider currently covers all cases with optimal performance. A tiered architecture (main provider + backup provider + specialized providers by country) is sometimes the most robust approach.
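As an added example (not code from the article or any vendor), here is a minimal orchestration layer for the tiered architecture just described, which also covers the timeout and degraded-mode handling raised in the integration questions and the per-step audit trail the stack requires. The three provider functions are constructed stand-ins; the country-to-specialist mapping, the 0.85 confidence threshold and the `simulate_main_timeout` flag are assumptions used only to exercise the fallback path.

```python
# Added example, not the article's code: tiered provider orchestration with timeout
# fallback, an audit trail for every attempt, and degradation to manual review.
import time
from dataclasses import dataclass

class ProviderTimeout(Exception):
    """Raised by a provider client when a call exceeds its deadline."""

@dataclass
class Verdict:
    provider: str
    decision: str   # "pass", "fail" or "review"
    score: float    # provider confidence in the decision, 0..1

def main_provider(applicant: dict) -> Verdict:
    if applicant.get("simulate_main_timeout"):   # constructed flag to exercise fallback
        raise ProviderTimeout("main")
    return Verdict("main", "pass", 0.93)

def backup_provider(applicant: dict) -> Verdict:
    return Verdict("backup", "pass", 0.80)       # constructed: less confident than main

def de_specialist(applicant: dict) -> Verdict:
    return Verdict("de_specialist", "pass", 0.95)

PROVIDERS = {"main": main_provider, "backup": backup_provider, "de_specialist": de_specialist}
SPECIALISTS = {"DE": "de_specialist"}   # assumed: country of issue -> provider tried first

def _log(audit: list, **entry) -> None:
    audit.append({"ts": time.time(), **entry})   # one traceable record per attempt

def route(applicant: dict, providers=PROVIDERS, specialists=SPECIALISTS, threshold=0.85):
    """Try providers in tier order. Only timeouts fall through to the next tier;
    exhausting all tiers degrades to manual review, never to automatic approval."""
    country = applicant["issuing_country"]
    order = [specialists[country]] if country in specialists else []
    order += ["main", "backup"]
    audit = []
    for name in order:
        try:
            verdict = providers[name](applicant)
        except ProviderTimeout:
            _log(audit, provider=name, outcome="timeout")
            continue
        _log(audit, provider=name, outcome=verdict.decision, score=verdict.score)
        if verdict.decision == "fail":
            return "rejected", audit
        if verdict.decision == "pass" and verdict.score >= threshold:
            return "approved", audit
        return "manual_review", audit   # explicit review or low-confidence pass
    _log(audit, provider=None, outcome="all_tiers_unavailable")
    return "manual_review", audit
```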
Conclusion
AML/KYC is no longer a compliance checkbox. It is a technical system that must be maintained, audited, and adapted as regulation evolves. A KYC stack deployed in 2021 may no longer comply with 2025 requirements without significant modifications.
The right approach: a regular gap analysis between your current technical capabilities and the applicable requirements at each regulatory milestone.
Designing or auditing an onboarding flow in a regulated context? Let’s discuss your architecture.