2026-2027 AML & Digital Identity: why we are facing a structural revolution in KYC

AML-KYC: a structural shift, not an incremental change

The years 2026 and 2027 will not simply mark another regulatory milestone for compliance departments. They will represent a structural turning point for digital identity, customer onboarding, payments, and trust infrastructure across Europe, and likely far beyond.

What is approaching is not a wave. It is a tsunami.

At the center of this transformation stands the revised eIDAS Regulation (eIDAS 2.0), which mandates that by December 2026 all EU Member States must make available at least one European Digital Identity Wallet (EUDIW). By December 2027, the obligation to accept these wallets will extend not only to public administrations but also to large online platforms and regulated private entities, including banks, telecom operators, and utilities.

In parallel, 2027 will also mark the full applicability of the new Anti-Money Laundering Regulation (AMLR), supervised by the new European AML Authority (AMLA). Regulatory Technical Standards (RTS) are already under public consultation, signaling that the compliance perimeter is tightening while digital infrastructure is being reimagined.

Layered onto this is the rapid evolution of AI-driven fraud, biometric NFC-based flows, agentic systems, and a new economy where not only individuals (KYC) but also businesses (KYB) and autonomous agents (KYA) must be verified, monitored, and trusted.

Finally, identity and payments – long treated as adjacent domains – are converging. Recent global discussions, including major contributions from international institutions and European industry consortia, suggest that the fusion of digital identity and payment rails could unlock new models of financial inclusion, security, and economic efficiency.

The implications for onboarding are profound. For trust service providers, regulated industries, and digital platforms, the next two years will redefine scale, interoperability, and competitive advantage.

From availability to adoption: the real challenge of the European digital identity wallet

By December 2026, EU Member States must provide citizens with access to a European Digital Identity Wallet. The regulation sets the infrastructure in motion. However, availability does not mean equal adoption.

Europe has seen this dynamic before.

Consider Italy’s SPID (Sistema Pubblico di Identità Digitale). Introduced in 2016, SPID required nearly a decade to reach a significant percentage of the population (now at almost 100% considering younger generations). Adoption accelerated only when concrete use cases became indispensable: tax filings, pandemic-related services, public benefits, and digital public services. Infrastructure alone did not drive growth, utility did.

The European Commission has set an ambitious target: 80% of EU citizens using a digital identity solution by 2030. Achieving that goal requires more than regulatory deadlines. It requires a compelling ecosystem of services that make the wallet indispensable.

The EUDIW will contain identity attributes, credentials, and attestations that can be selectively disclosed. But its transformative potential lies in its ability to reduce friction in onboarding and authentication across borders. If properly implemented, it could eliminate repetitive KYC procedures, enable portable trust, and streamline cross-border transactions.

Most of the truly new use cases emerging around the wallet are not based on the mere proof of identity, but on the controlled exchange of specific attributes: professional qualification, residence, corporate role, beneficial ownership, income range/thresholds, insurance credentials, IBAN attestations. Attributes are the real revolution of the EUDIW. They enable selective disclosure, data minimization, and purpose-specific verification, fundamentally reshaping how onboarding and compliance processes are designed.

For this revolution to scale, however, issuing and verifying attributes must be economically sustainable. This is why it is essential to design transactional models for attribute verification that create clear incentives for issuers, verifiers, and relying parties.

As Namirial, we are at the forefront of defining the enablers that make such transactional attribute models sustainable at scale, exactly the kind of model that has already proven successful in nationally adopted digital identity schemes such as SPID in Italy, itsme in Belgium, BankID in the Nordics, or Evrotrust in Bulgaria. These ecosystems demonstrate that when verification is supported by viable economic frameworks, adoption follows and trust infrastructures become durable.

Yet adoption hinges on three critical factors:

1. Compelling private-sector use cases.
2. Seamless user experience.
3. Trust in security and data protection.

Without these, the wallet risks becoming a formal compliance instrument rather than a daily digital companion.

December 2027: the moment of mandatory acceptance

If 2026 is about issuance, 2027 is about obligation.

From December 2027, pursuant to Article 5f of the revised eIDAS Regulation (eIDAS 2.0), public administrations must accept the European Digital Identity Wallet. More significantly, the same provision extends the obligation to large online platforms designated under EU law and to regulated private entities such as banks, telecom operators, and utilities, which will also be required to accept it for authentication and identification.

This changes the competitive landscape dramatically.

Large platforms – Google, Amazon, Meta – will need to integrate European identity standards into their authentication flows. Regulated industries will have to redesign onboarding journeys to incorporate wallet-based identity verification.

The question will no longer be whether to accept the wallet, but how to integrate it in a way that enhances customer experience while maintaining compliance.

For banks, this could mean that a new customer onboarding process shifts from document upload and biometric capture toward credential retrieval and selective disclosure. For telecom operators, SIM registration and customer activation may become wallet-native processes. For utilities, subscription and contract signing could be nearly instantaneous.

All that means less customer acquisition costs, higher conversion rates, higher security, better customer journeys. And we have already seen that with existing eIDs, where onboarding time dropped from minutes to seconds, with a significant increase in the funnel conversion rate.

So, thank you Santa!

The obligation to accept the wallet will effectively create a continental identity interoperability layer. Yet this new layer will not be static: over the next five to ten years, organizations will need flexible, modular onboarding and authentication processes capable of handling different types of flows – ranging from simple identity proofs to complex, multi-attribute verifications – while accommodating diverse user preferences in how credentials are shared and consent is managed.

The winners will be those who can design adaptive architectures that orchestrate identity data, attributes, and user-controlled disclosures dynamically, leveraging the wallet and KYC strategically rather than treating it as a regulatory checkbox.

AMLR and AMLA: compliance now at European level

At the same time, 2027 will mark the applicability of the new Anti-Money Laundering Regulation (AMLR), directly applicable across Member States from July 2027 and overseen by the new European Anti-Money Laundering Authority (AMLA).

This is not a minor update. It is a systemic harmonization of AML obligations across Europe.

The Regulatory Technical Standards (RTS), currently under consultation, indicate a move toward more granular risk assessment, harmonized due diligence, and strengthened reporting obligations. In particular, Article 22 of the AMLR strengthens the framework for customer due diligence (CDD) clarifying the requirements for identification and verification of customers and beneficial owners, while the corresponding Article 7 of the draft CDD RTS further specifies the operational and technical standards that obliged entities must follow when relying on digital identification means and trust services.

The shift from directive-based transposition to regulation-based direct applicability reduces fragmentation and increases supervisory convergence. Ultimately, the legislator’s effort is to create identification and compliance processes that are usable across the entire European Union, reducing the need for fragmented national interpretations or supervisory localizations – such as those historically seen with authorities like BaFin in Germany (see also “Germany: Video identification only as a fallback: EBA is shifting to eIDAS” article from Bird&Bird firm) or SEPBLAC in Spain – and fostering a truly harmonized single market for digital identity and AML compliance.

For onboarding processes, this means that obliged entities will need to adopt a risk-based and context-driven approach, combining different identification means depending on the specific use case, risk profile, and customer journey.

In some scenarios, reliance on the European Digital Identity Wallet and qualified electronic attestations may be appropriate; in others, nationally notified eID schemes or existing domestic digital identity systems may remain preferable; in other situations, biometric verification, liveness detection, or enhanced due diligence measures may be required respecting the updated requirements coming from the upcoming CDD RTS.

So, also for AMLR, Santa is coming and even during summer 2027.

Crucially, institutions will need to document and justify these choices to their competent authorities, demonstrating that the selected identification flow is proportionate, compliant with Article 22 AMLR and the related RTS, and aligned with their internal risk assessment framework:

• greater scrutiny of identity verification reliability
• clearer requirements for ongoing monitoring
• stronger expectations for digital audit trails
• increased accountability for high-risk sectors

The interaction between AMLR and the European Digital Identity Wallet is where the revolution becomes evident. If wallets provide high-assurance identity attributes and verifiable credentials, they can serve as standardized inputs into AML processes. However, institutions will remain responsible for risk assessment.

In other words, wallets may simplify data acquisition, but they do not eliminate compliance responsibility.

The organizations that can combine wallet-based onboarding with AI-driven risk analysis, fraud detection, and continuous monitoring will define the next generation of compliant onboarding ecosystems, capable not only of satisfying regulators, but also of winning the customer experience battle.

The fraud battlefield: AI vs AI

Digital identity is under siege.

Generative AI has made synthetic identities, deepfake videos, and automated phishing campaigns more sophisticated and scalable than ever. Fraudsters now operate with tools that rival enterprise-grade technology.

But the same AI revolution provides countermeasures.

Advanced liveness detection, behavioral biometrics, injection attack and presentation attack detection, and real-time risk scoring systems are increasingly capable of identifying synthetic manipulation. The battlefield is becoming AI versus AI.

In this environment, onboarding must balance three competing objectives:

1. Security against advanced fraud.
2. Regulatory compliance.
3. Frictionless customer experience.

Historically, increasing security meant increasing friction. The promise of wallet-based identity is to reduce friction while maintaining high assurance levels. Instead of capturing biometric data repeatedly, institutions may rely on pre-verified credentials stored in the wallet.

However, fraud does not disappear; it shifts. Attackers may target wallet issuance processes, credential theft, or social engineering.

In this context, the use of advanced biometric technologies becomes increasingly indispensable to ensure high‑assurance remote identity proofing and to counter sophisticated AI‑driven attacks such as deepfakes and synthetic identities.

For this reason, compliance with rigorous technical standards and independent certifications is becoming a critical trust factor for the entire ecosystem. Frameworks such as ETSI TS 119 461 v2.1.1, which defines updated requirements for trustworthy remote identity proofing services, are essential to guarantee reliability, security, and regulatory acceptance across Europe.

This is also why at Namirial we have invested significantly in achieving ETSI 119 461 certification, reinforcing our commitment to delivering identity verification technologies that meet the highest European standards while supporting scalable and secure digital onboarding.

Beyond individuals: KYB and the rise of the Business Wallet

The revolution is not limited to individuals.

Know Your Business (KYB) processes remain notoriously complex, especially for cross-border operations. Corporate structures, beneficial ownership, and documentation requirements create friction and delays.

The emerging concept of a Business Wallet – storing verifiable corporate credentials, registration certificates, beneficial ownership attestations, and compliance documentation – could dramatically simplify B2B onboarding.

A standardized European framework for business identity would enable:

• Faster supplier onboarding.
• Streamlined financial services access for SMEs.
• Cross-border corporate authentication.

In a single market striving for digital sovereignty and competitiveness, reducing KYB friction could unlock significant economic value.

At Namirial, we strongly believe that the Business Wallet is not merely a technical evolution of KYB processes, but a strategic pillar for Europe’s future, enabling trusted cross-border commerce, strengthening digital sovereignty, and providing SMEs and large enterprises alike with a scalable, interoperable identity infrastructure fit for the next decade of economic integration.

KYA: identifying agents in the agentic economy

The rise of autonomous AI agents introduces a new dimension: Know Your Agent (KYA).

As AI systems increasingly act on behalf of individuals and businesses – executing transactions, negotiating contracts, initiating payments – the question becomes: how do we identify, authenticate, and authorize non-human actors?

Industry discussions are already exploring trusted identities for AI agents. The concept involves assigning verifiable credentials to agents, linking them to accountable legal entities, and ensuring traceability.

Without a robust trust framework, the agentic economy risks becoming a breeding ground for unaccountable automation and fraud.

Europe’s digital identity framework offers a unique opportunity to define standards for agent identity early. If business wallets and digital identity wallets can interact with agent credentials, Europe may shape global norms for responsible AI transactions.

Identity meets payments: a strategic convergence

Historically, identity verification and payments have operated in parallel. But convergence is accelerating.

Digital wallets capable of storing identity credentials alongside payment instruments create opportunities for seamless onboarding and transaction flows. Strong customer authentication (SCA), AML compliance, and payment authorization can become parts of a unified experience. This is precisely why, within the Architecture and Reference Framework (ARF) of the EUDI Wallet, we are beginning to see explicit references to SCA mechanisms and to the capability of managing transaction tokens in a secure and interoperable manner. On the regulatory horizon, we expect the same openness and technical neutrality to be reflected in the forthcoming Payment Services Regulation (PSR) and PSD3 framework, enabling identity wallets to interact natively with payment ecosystems and to support compliant, user-centric transaction flows across Europe.

Recent global discussions emphasize the importance of linking digital identity systems with payment infrastructures to enhance financial inclusion and reduce fraud. This perspective is strongly reflected in the World Bank’s recent report (ID Meets Instant: Enabling Trusted, Inclusive Fast Payments through Digital ID, Feb 2026) on the convergence of digital identity and payments, which highlights how interoperable ID systems can unlock safer, more inclusive financial ecosystems, as well as in the Webuild Consortium’s non-paper, “Trusted Identities for AI Agents – An Opportunity for Europe”, which calls for a strategic alignment between trusted digital identities, transactional capabilities, and Europe’s competitiveness.

When identity is reliable and portable, financial services can be delivered faster and at lower cost.

However, combining identity and payments also raises governance, privacy, and liability questions. Clear separation of functions, user consent, and data minimization must remain central. In addition, the allocation of liabilities between wallet issuers, payment service providers, relying parties, and attribute issuers must be clearly defined: who is responsible in case of fraudulent use of credentials, compromised transaction tokens, incorrect attributes, or failed authentication flows?

As identity and payment layers converge, legal certainty around liability frameworks will become as important as technical interoperability, ensuring that innovation does not outpace accountability. It is precisely in the technical details – within the evolving Architecture and Reference Framework and, above all, in the final design and interpretations of PSR and PSD3 – that this allocation of responsibilities and the practical interaction between identity and payment layers will become clearer, shaping the real operational balance between innovation, risk, and accountability.

Scale as the decisive factor

Trust infrastructure is capital-intensive.

Building compliant identity systems, maintaining cybersecurity defenses, integrating AI-based fraud detection, and ensuring cross-border interoperability require significant investment.

Scale is not optional, it is fundamental.

Large trust service providers, qualified trust service providers (QTSPs), and established identity players are uniquely positioned to support the ecosystem. They combine regulatory expertise, technological capability, and operational resilience.

In a fragmented market, smaller actors may struggle to sustain the pace of regulatory change and technological innovation. Consolidation and strategic partnerships are likely.

The role of trust leaders in the new ecosystem

As Europe enters this transformative phase, trust service providers play a pivotal role.

They serve as:

• Issuers of qualified certificates and credentials.
• Providers of remote identification solutions.
• Integrators of wallet infrastructure.
• Compliance enablers for regulated industries.

Their mission expands beyond technical service provision. They become architects of digital trust ecosystems.

In this environment, innovation must coexist with reliability. Regulatory compliance cannot be an afterthought; it must be embedded in design. At Namirial, we are strongly investing in these evolving identity and payment flows, building KYC and onboarding solutions that enable our largest clients to manage the regulatory, technical, and operational complexity that awaits them over the next decade.

We believe that only flexible, interoperable, and compliance-by-design platforms can truly support institutions facing converging eIDAS, AMLR, and payments obligations. We are proud that our Namirial Onboarding platform has already positioned us as a recognized leader in regulated identity proofing markets, demonstrating our ability to combine high-assurance identification, advanced biometric verification, supporting eID schemes, upcoming wallets and scalable orchestration capabilities in environments where compliance and customer experience must go hand in hand.

The 2026–2027 inflection point

When historians of digital transformation look back, 2026–2027 may appear as the moment Europe shifted from fragmented digital identity initiatives to a unified trust architecture.

The mandatory issuance of wallets, the obligation to accept them, the enforcement of AMLR under AMLA supervision, the maturation of AI-driven fraud defenses, the emergence of business wallets, and the early steps toward agent identity together create a convergence rarely seen in regulatory history.

For organizations, complacency is not an option, but the ultimate goal is turning regulations into competitive advantages.

Preparation requires:

• Strategic roadmap alignment.
• Technology investment and adaptive architectures.
• Cross-functional coordination between compliance, IT, and business units.

Those who move early will shape the ecosystem. Those who delay will adapt to it.

Conclusion: riding the tsunami

A tsunami reshapes coastlines.

The digital identity and onboarding revolution of 2026–2027 will reshape trust infrastructures, regulatory compliance, and customer experience across Europe.

For organizations, the message is clear: preparation must start now. Institutions should begin by mapping their future onboarding architectures, evaluating how EUDI Wallet flows, national eID schemes, and biometric identity proofing can coexist within flexible orchestration platforms. They should reassess their risk models in light of AMLR Article 22 and the emerging RTS, invest in AI‑driven fraud detection and certified biometric technologies, and ensure their systems are ready to handle attribute‑based verification and wallet‑based authentication. Just as importantly, they must align compliance, IT, product, and customer experience teams to redesign onboarding journeys that are both regulator‑ready and customer‑centric.

At the center of this transformation lies a simple truth: trust must be scalable.

The organizations capable of combining regulatory rigor, technological excellence, and continental scale will not merely survive the tsunami: they will define the new shoreline of digital Europe. As Namirial, we are ready to support our clients in the strategic steps that lie ahead, partnering with them to navigate regulatory complexity, technological transformation, and the new trust paradigms that will define Europe’s digital future.