
Multi-jurisdictional KYC: one customer, 27 rule sets

Stuart Watkins, 8 min read

By Stuart Watkins, CEO, Zenoo

A fintech we work with recently expanded from three EU markets to twelve. Their compliance team expected the expansion to be straightforward: same AML directives, same general framework, one additional market at a time. What they discovered was that "harmonised" EU AML rules produce 27 different sets of local requirements, each with its own interpretation, its own supervisor, and its own expectations for what constitutes adequate KYC.

The EU AML Package will eventually standardise much of this. But "eventually" does not help a compliance team that needs to onboard customers across multiple member states today. And even after the AML Regulation takes direct effect, there will still be national variations in supervision, enforcement priorities, and practical expectations.

This guide is for compliance teams operating across multiple EU jurisdictions (or planning to) who need a practical framework for managing the complexity.

The myth of harmonisation

The EU's AML framework is built on directives that member states transpose into national law. The 4th and 5th Anti-Money Laundering Directives provide the framework. But directives are minimum standards. Member states can (and do) go further, adding additional requirements, lower thresholds, or stricter interpretations.

The result is that while every EU member state requires Customer Due Diligence, the specific requirements for what CDD involves vary. While every member state requires Enhanced Due Diligence for high-risk relationships, the triggers for EDD and the specific enhanced measures required differ. While every member state requires ongoing monitoring, the expected frequency and methodology vary.

Here are some of the variations we encounter most frequently.

Beneficial ownership thresholds. The directive sets 25% as the default threshold for identifying beneficial owners. But some member states have lower thresholds: 10% for certain entity types in some jurisdictions, 20% in others. If you apply a uniform 25% threshold across all jurisdictions, you may be non-compliant in some.

Identity verification methods. What constitutes acceptable identity verification varies. Some jurisdictions accept video identification. Others require in-person verification for certain customer types. Some accept electronic identity schemes (eIDAS-recognised), while others have additional requirements. The eIDAS 2.0 framework will help standardise electronic identification, but adoption timelines vary across member states.

Simplified Due Diligence conditions. The circumstances under which Simplified Due Diligence can be applied differ across jurisdictions. A customer relationship that qualifies for SDD in one member state may require standard CDD or even EDD in another, depending on the product type, customer profile, and local regulatory interpretation.

"We assumed that a customer onboarded in Germany under German CDD requirements would meet the CDD requirements in the Netherlands when we expanded. We were wrong. The Dutch supervisor had additional requirements for the customer segment we were serving. We had to re-verify about 2,000 customers. That was three months of work and a very uncomfortable conversation with our board."

Mapping your jurisdictional requirements

The first step in managing multi-jurisdictional KYC is to create a detailed requirement map. This is a matrix that shows, for each jurisdiction you operate in, the specific requirements for: CDD components and acceptable verification methods, EDD triggers and required enhanced measures, SDD eligibility conditions, beneficial ownership thresholds and verification requirements, ongoing monitoring frequency and methodology, suspicious activity reporting obligations and timelines, and record-keeping requirements and retention periods.

This map should be maintained as a living document, updated whenever a jurisdiction changes its requirements. The work to create it initially is significant (budget 2 to 4 weeks for a compliance analyst per jurisdiction), but the alternative is discovering requirements gaps reactively, which is more expensive and more risky.

The highest-standard approach

One common strategy for managing multi-jurisdictional complexity is to apply the highest standard across all jurisdictions. If jurisdiction A requires beneficial ownership verification at 25% and jurisdiction B requires it at 10%, apply the 10% threshold everywhere. If jurisdiction C requires annual reviews for medium-risk customers and jurisdiction D requires biennial reviews, apply annual reviews everywhere.

This approach has the advantage of simplicity. One set of processes. One set of thresholds. One training programme. The compliance team does not need to track which customer is in which jurisdiction or apply different rules to different customer segments.

But it has costs. Applying the highest standard universally means over-compliance in jurisdictions with lower requirements. That translates to longer onboarding times, higher operational costs, and more friction for customers in lower-requirement jurisdictions. For a business competing on speed and customer experience, this friction has commercial consequences.

The firms we see most often adopt a tiered approach: a high baseline that meets the majority of jurisdictional requirements, with jurisdiction-specific overlays for the areas where local requirements exceed the baseline. This balances compliance rigour with operational efficiency.

Data source coverage: the hidden jurisdictional problem

Even if your KYC processes are correctly configured for each jurisdiction, your results are only as good as the data sources available in that jurisdiction. Identity verification data quality, company registry accessibility, beneficial ownership register coverage, and adverse media sourcing all vary enormously across EU member states.

In jurisdictions with mature digital infrastructure (the Nordics, the Netherlands, Germany), identity verification data is comprehensive and reliable. In jurisdictions with less developed infrastructure, data coverage may be thinner, verification may be less reliable, and alternative approaches may be needed.

This is where a multi-provider approach becomes essential. No single data provider has equally strong coverage across all 27 EU member states. A provider that is excellent in Western Europe may have limited data depth in Southern or Eastern European jurisdictions. Routing verification requests to the best provider for each specific jurisdiction produces better results than relying on one provider's global coverage.

"We ran the same set of test verifications through three providers across eight EU jurisdictions. In Germany, France, and the Netherlands, all three performed well. In two South-Eastern European jurisdictions, only one provider returned usable results. If we had relied on a single provider, we would have had a significant verification gap in those markets."

Regulatory relationships across borders

Operating in multiple jurisdictions means engaging with multiple regulators. Each national competent authority has its own supervisory approach, its own expectations for communication, and its own priorities for examination.

Some practical lessons from firms that manage this well.

Assign a regulatory lead per jurisdiction. Even if your compliance team is centralised, designate a specific person as the point of contact for each regulator. Regulators want to know who to call, and they want that person to understand their specific requirements and concerns.

Understand each regulator's current priorities. Regulators publish supervisory strategies, thematic reviews, and enforcement priorities. These tell you what they are likely to focus on in their next examination. A regulator that has just published a thematic review on PEP screening is going to look at your PEP processes. A regulator that has recently fined firms for transaction monitoring failures is going to examine your monitoring system.

Proactive engagement beats reactive compliance. The firms that have the best regulatory relationships are the ones that engage their supervisors proactively: sharing risk assessment updates, discussing material changes to their compliance programme, and seeking guidance on ambiguous requirements before making decisions. Regulators generally respond positively to firms that seek to do the right thing, and they respond negatively to firms that only engage when there is a problem.

Technology architecture for multi-jurisdictional KYC

The technology that supports multi-jurisdictional KYC needs several capabilities that single-jurisdiction systems often lack.

Jurisdiction-aware workflow routing. Your onboarding workflow needs to determine which jurisdiction's requirements apply to each customer and route them through the appropriate verification and assessment steps. This means your system needs to support configurable workflows that vary by jurisdiction, customer type, and risk tier.

Multi-provider data routing. As discussed above, different data providers have strengths in different jurisdictions. Your system needs to route verification requests to the best provider for each jurisdiction, check type, and customer type. This requires an orchestration layer that abstracts the complexity of multiple provider integrations.

Configurable risk models. Your risk assessment model needs to accommodate jurisdiction-specific risk factors and weightings. A risk model calibrated for the UK will not produce accurate results when applied to a different regulatory environment without adjustment.

Multi-language support. If you are collecting documents and information from customers across 27 member states, your system needs to handle documents and data in multiple languages. This affects document verification, adverse media screening, and customer communication.

Centralised reporting with jurisdictional detail. Your compliance reporting needs to provide both a consolidated view (for group-level oversight) and jurisdiction-level detail (for individual regulators). A regulator in one jurisdiction does not want to see group-level statistics. They want to see data specific to their jurisdiction.
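The tiered approach (a high baseline with jurisdiction-specific overlays) and the two routing capabilities above can be sketched as a small rule-resolution module. This is an added example, not Zenoo's code; the jurisdiction codes, thresholds, ID methods and provider names are constructed placeholders, not any member state's real requirements.

```python
# Constructed baseline: the high common standard, not any real jurisdiction's rules.
BASELINE = {
    "bo_threshold_pct": 25,
    "review_months": {"low": 36, "medium": 24, "high": 12},
    "id_methods": {"video", "eid", "in_person"},
}
# Constructed overlays: only the keys where a jurisdiction is stricter than the baseline.
OVERLAYS = {
    "JURIS_B": {"bo_threshold_pct": 10},
    "JURIS_C": {"review_months": {"medium": 12}},
    "JURIS_D": {"id_methods": {"eid", "in_person"}},  # video identification not accepted
}
# Constructed provider coverage, in order of preference: jurisdictions with usable results.
PROVIDER_COVERAGE = [
    ("provider_west", {"JURIS_A", "JURIS_B", "JURIS_C"}),
    ("provider_south", {"JURIS_A", "JURIS_D"}),
]

def check_overlay(overlay):
    """Reject an overlay that loosens the baseline: an overlay may only tighten it."""
    if overlay.get("bo_threshold_pct", 0) > BASELINE["bo_threshold_pct"]:
        raise ValueError("beneficial ownership threshold above baseline")
    base_rev = BASELINE["review_months"]
    if any(m > base_rev[t] for t, m in overlay.get("review_months", {}).items()):
        raise ValueError("review interval longer than baseline")
    if not overlay.get("id_methods", set()) <= BASELINE["id_methods"]:
        raise ValueError("overlay accepts an ID method the baseline does not")

def resolve_rules(jurisdiction):
    """Effective rule set: baseline merged with the jurisdiction's overlay, if any."""
    overlay = OVERLAYS.get(jurisdiction, {})
    check_overlay(overlay)
    return {
        "bo_threshold_pct": overlay.get("bo_threshold_pct", BASELINE["bo_threshold_pct"]),
        "review_months": {**BASELINE["review_months"], **overlay.get("review_months", {})},
        "id_methods": set(overlay.get("id_methods", BASELINE["id_methods"])),
    }

def beneficial_owners(jurisdiction, holdings):
    """Owners who must be identified: anyone holding more than the effective threshold."""
    threshold = resolve_rules(jurisdiction)["bo_threshold_pct"]
    return sorted(name for name, pct in holdings.items() if pct > threshold)

def route_provider(jurisdiction):
    """First provider with usable coverage; None flags a verification gap to escalate."""
    for name, covered in PROVIDER_COVERAGE:
        if jurisdiction in covered:
            return name
    return None
```

A jurisdiction absent from OVERLAYS falls back to the baseline, and a None from route_provider is the verification gap the provider comparison above warns about.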

Multi-jurisdictional KYC is complex, but it is manageable with the right framework: a detailed requirement map, a tiered approach to standards, jurisdiction-specific data routing, and technology that supports configurable, jurisdiction-aware workflows.

The EU AML Package will reduce some of this complexity when it takes full effect. But the transition period is years, not months, and the operational challenges of multi-jurisdictional compliance are present today.

If you are expanding into new EU markets or struggling with the complexity of multi-jurisdictional operations, talk to us. We help compliance teams design architectures that handle jurisdictional complexity without multiplying operational cost. 30 minutes. Your data. No slides.


About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
