The AMLR Single Rulebook: What Changes for EU Fintechs in 2026
AMLR's KYB impact gets most of the attention. The retail customer file has its own gap to close.
VOVE ID helps retail-facing fintechs prepare for AMLR in markets where the KYB conversation gets all the attention and the individual customer file quietly falls behind. On paper AMLR is one rulebook. In practice it lands differently depending on which side of the customer base a team is looking at.
The short answer
Most AMLR coverage in 2026 focuses on business verification and beneficial ownership. That leaves a gap: AMLR also raises the bar for individual customer due diligence — how risk is assessed at onboarding, when a retail file needs to be refreshed, how much room simplified due diligence still has, and how convincingly a fintech can show that a customer's activity still matches their original profile. Firms that treat this as "the KYB regulation" are missing half of what changes.
Why the retail file gets less attention than it should
Business verification produces the harder-looking problems: UBO structures, layered ownership, entity screening. Individual onboarding looks comparatively simple, so teams assume it already meets the standard. That assumption is where AMLR exposure tends to hide.
Under AMLD 5, many fintechs built retail onboarding around a fixed model: verify identity once, assign a risk tier, and revisit the file only if something obviously changes. AMLR pushes toward a more risk-sensitive posture, where the trigger for review is tied to actual customer behavior and life events, not a calendar date picked at launch.
That distinction matters because a static renewal date is easy to build and easy to defend on paper. A risk-sensitive trigger model is harder to build, but it is what AMLR actually expects.
What AMLR changes for individual due diligence
- Risk scoring has to reflect what the customer is actually doing, not just what they declared at onboarding.
- Refresh timing shifts from fixed intervals toward event-driven triggers — new income source, address change, PEP status change, unusual activity.
- Simplified due diligence has less room to apply automatically; the justification for a lighter check needs to be documented, not assumed.
- Source-of-funds evidence needs to be tied to the transaction pattern, not collected once and filed away.
For a full breakdown of individual identity verification requirements, see our KYC Requirements Explained 2026.

Simplified due diligence gets harder to justify
Many retail products lean on simplified due diligence to keep onboarding fast — lower checks for low-value accounts, domestic transfers, or specific product types. That shortcut is not disappearing under AMLR, but the justification for using it needs to be explicit and reviewable.
A fintech that applies simplified due diligence because "the product category has always qualified" will struggle if a regulator or partner asks for the underlying risk assessment. The expectation shifts from "we assumed lower risk" to "we can show why this segment carries lower risk, and we recheck that assumption periodically."
A realistic AMLR failure
Imagine a Dutch neobank that built its retail onboarding around AMLD 5 expectations: strong identity verification at signup, a risk tier assigned once, and simplified due diligence applied automatically to standard current accounts. The onboarding flow itself holds up well under review.
The gap appears somewhere else. Customer risk tiers were never revisited after onboarding. A subset of accounts showed transaction patterns that no longer matched the declared purpose of the account, but nothing in the system flagged that mismatch for a fresh review. When the bank samples its retail book against AMLR expectations, it finds accounts open for two years with a risk assessment that reflects day one and nothing since.
That is not a fraud failure. It is a due diligence currency failure — the kind AMLR is specifically designed to close.
How VOVE ID supports individual due diligence under AMLR
VOVE ID helps fintechs build the retail side of AMLR as a connected workflow rather than a one-time onboarding gate.
That includes:
- risk scoring that updates against observed behavior, not only declared information
- refresh triggers tied to real account events instead of fixed calendar dates
- documented rationale for where simplified due diligence still applies
- source-of-funds evidence linked to the transaction pattern that prompted the review
For a full breakdown of ongoing monitoring obligations, see our AML Requirements Explained 2026.
AMLR retail-CDD checklist
- Risk tiers are revisited on triggers, not left static after onboarding
- Simplified due diligence has a documented, periodically reviewed justification
- Source-of-funds evidence is tied to actual transaction behavior, not collected once and archived
Common questions
Does AMLR mainly affect business customers?
No. Business verification gets more attention, but AMLR raises the bar for individual due diligence too — particularly around refresh logic and simplified due diligence justification.
Is a fixed renewal schedule still acceptable under AMLR?
It is not automatically disqualifying, but a purely calendar-based refresh model is harder to defend than one tied to observed risk changes.
What should retail-facing fintechs review first?
Start with how long risk tiers go unreviewed after onboarding, and whether simplified due diligence is applied with a documented rationale or by default.
Conclusion
AMLR's KYB implications get most of the coverage, but the individual customer file carries its own exposure. Fintechs that only rebuild their business-verification stack while leaving retail onboarding on a fixed-interval model will find the gap in the same place: a file that looked right on day one and was never revisited since.
Want to see how VOVE ID supports individual due diligence under AMLR? The retail side of the rulebook is usually the part teams rebuild last, and check first.
This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC/KYB/AML requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.