Anti-money laundering and counter-terrorist financing (AML/CTF) regulations are evolving faster than most onboarding systems can follow. AMLA (the future European anti-money laundering authority), the 6th AML Directive, the rise of PVID level 2 as a reference standard: for teams operating regulated onboarding flows, the gap between regulatory requirements and technical reality is widening.
The regulatory landscape
From 5AMLD to AMLA: Accelerating Harmonization
The 5th AML Directive (2018) introduced the obligation for risk-based remote identification. The 6th Directive (2021) tightened criminal liability and extended the definition of predicate offenses.
The major upcoming shift: the AMLA Regulation (EU 2024/1624), adopted in 2024, creates a European AML/CTF supervisory authority with direct powers over cross-border “obliged entities” (large banks, crypto-asset service providers). It enters into force progressively between 2025 and 2027.
Practical implication: regulatory standards will increasingly be set at European level, not national level. A French bank and a German payment institution will have to comply with the same detailed requirements for their KYC procedures.
PVID: The French Reference Standard for Remote Identification
In France, ANSSI’s PVID (Prestataire de Vérification d’Identité à Distance) framework defines two assurance levels for remote identity verification:
PVID level 1: corresponds to the eIDAS “substantial” assurance level. Verification based on an identity document plus liveness detection. Suitable for most standard regulatory uses.
PVID level 2: corresponds to the eIDAS “high” assurance level. Adds requirements for document authenticity verification (chip or UV reading), qualified biometric liveness, and additional controls against presentation attacks. Required for certain high-risk acts (opening premium accounts, certain insurance contracts).
The ANSSI-certified providers list for PVID is the operational reference. Using a non-certified provider for a regulated act creates a non-compliance risk even if the technical process seems equivalent.
What changes technically
The KYC Stack in 2024-2025
A robust KYC stack now typically combines:
- Document capture: progressive quality guidance (brightness, angle, no blur) with client-side validation before server upload
- Document analysis (OCR + classification + anti-fraud): MRZ reading, NFC chip reading for ePassports, AI-based analysis of physical security features
- Biometric liveness: passive liveness (behavioral analysis) or active liveness (requested gesture) + face matching against the document portrait
- Screening: cross-checking against sanctions lists (EU, OFAC, UN), PEP (Politically Exposed Persons), adverse media
- Risk scoring: automated decision or routing to manual review based on score + risk context
- Orchestration and auditability: complete traceability of each step for regulatory compliance
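The MRZ reading step above is where the first cheap anti-fraud control lives: every TD3 (passport) MRZ carries five check digits defined by ICAO Doc 9303, and a misread or altered field fails them before any OCR output is trusted. The following is an added example, not code from the original article; it uses the public ICAO 9303 specimen passport as sample input and assumes nothing about any vendor API.

```python
"""Check-digit verification for a TD3 (passport) MRZ, per ICAO Doc 9303. Added example."""
WEIGHTS = (7, 3, 1)

def char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")

def check_digit(data: str) -> int:
    """Weighted sum (weights 7,3,1 repeating) modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10

def check_ok(data: str, cd: str) -> bool:
    """The optional-data check digit may be '<' when that field is all filler."""
    if cd == "<":
        return set(data) == {"<"}
    return cd.isdigit() and check_digit(data) == int(cd)

def parse_td3(line1: str, line2: str) -> dict:
    """Extract the identity fields from MRZ line 2 and verify its five check digits."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    checks = {
        "document_number": (line2[0:9], line2[9]),
        "birth_date": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
        # composite check: doc number, birth, expiry, optional data and their check digits
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    return {
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "birth_date": line2[13:19],   # YYMMDD as printed
        "sex": line2[20],
        "expiry_date": line2[21:27],  # YYMMDD as printed
        "failed_checks": [n for n, (d, cd) in checks.items() if not check_ok(d, cd)],
    }

# Sample input: the ICAO Doc 9303 specimen passport (fictional "Utopia" holder).
SPECIMEN_L1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_L2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
```

A single changed digit in the birth date fails both the field check and the composite check, which is why a failed check should route the document to re-capture or manual review rather than be silently accepted.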
The NFC Challenge for Identity Documents
ePassports contain an NFC chip holding a digitally signed copy of the holder's identity and biometric data. Reading this chip provides the highest level of document assurance: the signed contents cannot be altered without invalidating the signature.
The problem: NFC reading requires the user to:
- Have an NFC-equipped smartphone (standard on modern devices)
- Position the document correctly for several seconds (a step users often abandon)
- Have enabled NFC (not always on by default)
Typical abandonment rates on the NFC step: 15-35% depending on target audience and UX quality. For a product requiring PVID level 2, the choice between requiring NFC and offering a fallback to visual verification is a regulatory trade-off.
Liveness: Evolution of Requirements
The definition of acceptable liveness continues to evolve. The main types:
Passive liveness (no user gesture): analysis of behavioural cues and micro-movements in a short video. Good UX, but variable performance against sophisticated deepfakes.
Active liveness with controlled challenge: randomly requested gestures (blink, head turn, smile). More robust against presentation attacks, but a more constraining UX.
ISO/IEC 30107-3 defines PAD (Presentation Attack Detection) levels. Level 1 (basic detection) and level 2 (injection attack detection) are now relevant criteria when evaluating a vendor.
Selecting a KYC vendor
When selecting or reassessing a KYC provider, key questions:
On certifications: Are they PVID certified (level 1 and/or 2)? What is their SOC 2 / ISO 27001 certification status?
On performance by document type: What is the OCR success rate on French identity cards, ePassports, European driving licenses? By country of issue?
On liveness: What is the false acceptance rate (FAR) and false rejection rate (FRR) on your target demographic? Have their models been tested against deepfake injection attacks?
On compliance: How do they handle GDPR? What are their data retention periods? Where is data processed (hosting, sub-processors)?
On integration: REST API or native SDK? Webhooks for asynchronous events? How are timeouts and degraded modes handled?
The Specific Challenges of Cross-Border Onboarding
If you onboard customers from multiple EU member states, the technical complexity multiplies:
- Document diversity: format, security features and biometric chip specifications vary by country and generation
- Sanctions and PEP lists: each member state maintains national lists in addition to EU consolidated lists
- Regulatory requirements: some countries have specific requirements beyond the EU minimum (Germany, France)
- Language and UX: instructions in local language, adapted for national document types
No single provider currently covers all cases with optimal performance. A tiered architecture (main provider + backup provider + specialized providers by country) is sometimes the most robust approach.
Conclusion
AML/KYC is no longer a compliance checkbox. It is a technical system that must be maintained, audited, and adapted as regulation evolves. A KYC stack deployed in 2021 may no longer comply with 2025 requirements without significant modifications.
The right approach: a regular gap analysis between your current technical capabilities and the applicable requirements at each regulatory milestone.
The goal: an onboarding journey that holds up for the regulator and stays fluid for the user, without locking the architecture in before the next directive.