They should standardise onboarding, due diligence, and review workflows against the new EU baseline rather than relying on local policy variants. The key test is whether the organisation can prove consistent identity evidence, risk classification, and monitoring decisions across jurisdictions. Harmonisation turns uneven practice into a governance liability.
Why This Matters for Security Teams
When AML rules move to a harmonised EU model, identity verification teams lose the safety net of country-by-country interpretation. The operational question is no longer whether a local workflow is “acceptable” in one market, but whether the organisation can show consistent evidence standards, risk decisions, and review cadence everywhere. That matters because harmonisation increases comparability, auditability, and regulator scrutiny at the same time.
For teams handling customer identity, beneficial ownership, or delegated onboarding, the change also affects how identity proofing connects to ongoing monitoring. A harmonised baseline should reduce fragmentation, but it can also expose weak spots in exception handling, manual overrides, and local policy drift. Guidance from the FATF Recommendations — AML and KYC Framework remains relevant because it sets the risk-based logic that EU harmonisation tends to operationalise, while eIDAS 2.0 — EU Digital Identity Framework helps anchor trusted identity evidence across borders.
NHIMG research shows how often identity control gaps become governance failures: the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, a reminder that inconsistent identity controls create risk long before a formal finding appears. In practice, many teams discover harmonisation gaps only after a regulator, auditor, or financial crime review has already challenged the quality of their evidence trail.
How It Works in Practice
The practical response is to turn the EU baseline into a single operating model for onboarding, due diligence, and periodic review. That means defining one identity evidence standard, one set of risk indicators, and one decision record format that applies across jurisdictions, even if local legal obligations still vary. The team should separate “policy variance” from “process variance”: a local filing rule may differ, but the underlying verification logic should not.
In mature programmes, this usually includes:
- Standard identity evidence thresholds for individuals, beneficial owners, and authorised representatives.
- Common risk scoring rules for PEP, sanctions, geography, product, and behavioural signals.
- Documented escalation paths for exceptions, manual review, and enhanced due diligence.
- Retention of decision artifacts so each case can be reconstructed across lines of business and jurisdictions.
This is where governance and identity security overlap. Harmonised AML controls depend on trusted identity assertion, but they also require strong process integrity. If a workflow accepts inconsistent documents, weak ownership evidence, or ad hoc reviewer judgement, the organisation can no longer demonstrate that the same customer would have received the same outcome elsewhere. That is why teams should align their control design to authoritative guidance such as the FATF Recommendations — AML and KYC Framework and document how identity assurance is actually enforced in production, not just described in policy.
NHIMG’s 52 NHI Breaches Analysis and Top 10 NHI Issues are useful reminders that control failure is often about lifecycle discipline, not the initial approval event. These controls tend to break down when teams keep local review exceptions in spreadsheets, because evidence quality and decision consistency become impossible to prove at scale.
Common Variations and Edge Cases
Tighter harmonisation often increases operational overhead, requiring organisations to balance consistency against local legal or product constraints. The current guidance suggests the answer is not to preserve local AML playbooks indefinitely, but to centralise the core control model and explicitly catalogue the few exceptions that law still requires.
Edge cases usually arise in three places. First, cross-border groups may still need jurisdiction-specific document types or retention periods, but those differences should be treated as controlled deviations, not separate processes. Second, fintechs and marketplaces may rely on embedded or delegated onboarding, which creates identity verification chain-of-custody issues that need clear accountability. Third, where companies use digital wallets or remote identity sources, the trust level of the evidence may depend on interoperability and assurance rules that are still evolving. In those cases, teams should align the verification method to the assurance level, not assume all digital evidence is equivalent.
For organisations building toward reusable digital identity, eIDAS 2.0 — EU Digital Identity Framework may support more standardised evidence flows, but there is no universal standard for every AML use case yet. The safest approach is to maintain a single EU control baseline, then attach jurisdictional overlays only where legally unavoidable. That keeps the compliance story coherent while reducing the risk of inconsistent identity outcomes across the group.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while DORA define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL2 | Identity proofing and assurance levels matter when harmonised AML evidence must be comparable. |
| NIST CSF 2.0 | GV.OC-01 | Governance must define the common AML operating model and decision accountability. |
| DORA | Operational resilience depends on repeatable controls and auditable evidence across the group. |
Map onboarding evidence to assurance levels and require the same proof standard across jurisdictions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org