Mandatory KYC in 2026: who must comply and under what thresholds?
KYC: a mandatory framework for regulated sectors
The KYC obligation stems from the FATF recommendations (Financial Action Task Force, the intergovernmental body that sets anti-money-laundering rules), progressively transposed through the six European anti-money-laundering directives (1996 → AMLD6, the 6th EU Anti-Money Laundering Directive) and now consolidated by Regulation (EU) 2024/1624 (AMLR6), directly applicable in every Member State.
In France, the legal architecture rests on:
- the French Monetary and Financial Code, articles L561-1 and following,
- the ACPR-Tracfin AML/CFT guidelines — the ACPR (Autorité de contrôle prudentiel et de résolution, French prudential supervisor) and Tracfin jointly steer the anti-money-laundering and counter-financing-of-terrorism framework (AML/CFT) — updated in 2025,
- the French Criminal Code, article 324-1 (money laundering),
- sector-specific regulations (MiCA, TFR, eIDAS 2.0 on electronic identity, PSD2 on payment services).
According to the ACPR and Tracfin, the 2025 AML/CFT guidelines strengthen the expected vigilance of obliged entities without introducing new thresholds, while clarifying expectations regarding the KYC procedure. (Efficiale — 2025 AML/CFT guidelines)
The logic is consistent: prevent money laundering, terrorism financing and corruption, by imposing on obliged entities a risk-proportionate vigilance. Customer knowledge under KYC thus becomes a condition of market access, not a competitive advantage.
The 9 sector categories subject to KYC
BANKING
Banks and credit institutions
INSURANCE
Insurance companies
PAYMENT
Payment institutions and electronic money
FINTECH
Neobanks and fintechs
CRYPTO
Crypto-asset service providers (CASPs)
LEGAL PROFESSIONS
Notaries, lawyers and chartered accountants
GAMBLING
Casinos and gambling operators
ART & ANTIQUES
Art dealers and antique dealers
REAL ESTATE
Real estate agents and accounting professions
Key AML/CFT thresholds for 2026
Key point: crossing a threshold does not exempt you from vigilance below it — it imposes enhanced vigilance above.
Regulation (EU) 2024/1624 (AMLR6) harmonizes these thresholds across the European Union and removes certain national disparities. Pan-European players must now steer a single matrix that integrates the specifics of each market.
Sanctions for KYC non-compliance
Financial sanctions
Criminal sanctions
Reputational sanctions
According to the ACPR, in 2023, 71,274 accounts were closed for fraud reasons, totaling EUR 982 million in funds either non-returned or seized; in 2025, 90% of suspect accounts are closed in less than a year, including 70% in less than three months. (ACPR — FinTech Forum 2025)
These volumes reflect the mechanization of supervision: the ACPR, the AMF (Autorité des marchés financiers, the French financial markets regulator) and Tracfin now operate analysis tools that detect framework failures in near-real time.
Edge cases to watch in 2026
Crypto-assets and NFTs — with the full entry into application of MiCA + TFR, every transaction in crypto-assets carried out via a CASP is subject to KYC from the first euro. ID document and proof of address are systematic. Self-hosted wallets remain in a gray zone but are subject to enhanced vigilance.
Life insurance and beneficial owners — vigilance applies not only to the policyholder but to every designated beneficial owner. The beneficial ownership register (RBE) must be consulted at onboarding and updated on every change.
BNPL and short-term credit — Buy Now Pay Later players are subject as soon as they grant a credit or a deferred payment above EUR 200 in most European jurisdictions. KYC is mandatory above this threshold, sometimes below depending on risk.
E-commerce marketplaces collecting on behalf of third parties — if the platform collects funds on behalf of third-party sellers, it may be qualified as a payment institution and fall under the PSD2 + AML/CFT regime. The boundary is thin, and the ACPR clarified its doctrine in 2025.
Why a properly sized KYC framework protects your business
Beyond sanctions, a robust know your customer framework acts as a risk filter at the entry point and throughout the business relationship. It secures three plans simultaneously.
Regulatory plan — compliance with AML/CFT obligations (AMLR6, AMLD6, MiCA, TFR, eIDAS 2.0) sits in a framework supervised by the ACPR, the AMF, the ANJ and Tracfin. A documented procedure allows you to respond quickly to any request from the regulatory authorities and to produce suspicious-activity reports within the prescribed timeframes.
Operational plan — an automated process smooths onboarding and reduces friction. Low-risk profiles go through frictionless verification, high-risk profiles trigger enhanced customer due diligence (EDD). The banking sector gains conversion without degrading customer knowledge quality.
Financial plan — fraud detected at the door avoids operational losses. On an e-commerce platform with financial services, on an online bank, on a crypto CASP, assessing risk upstream divides downstream remediation costs by five.
Key point: a compliant framework is a defensive solution (regulator), an offensive one (conversion) and an economic one (fraud avoided), all at once.
Risk mapping: how to build it
The risk mapping — the cornerstone of AML/CFT obligations — relies on three intersecting axes.
Geographic axis — FATF lists (high-risk jurisdictions and jurisdictions under increased monitoring), EU list, French list. A client residing or operating in a listed country triggers enhanced customer due diligence.
Client profile axis:
- Politically exposed persons (PEPs): systematic EDD
- Offshore beneficial owners: EDD with hierarchical validation
- Companies with complex structures (stacked holdings, trusts)
- High-risk sectors (gambling, crypto, precious metals)
Product/channel axis:
- Credit, payment, e-money, crypto, life insurance: differentiated risks
- Transaction volume and frequency
- Distribution channel (remote vs. face-to-face)
- Cross-border digital services
The ACPR requires an annual review of this mapping, at minimum. Any change — new product, new market, new channel — triggers an update. The quality of customer knowledge under KYC depends directly on the quality of this mapping.
FAQ — Mandatory KYC in France and Europe
Who is concerned by KYC? Every company subject to AML/CFT: banks, financial institutions, fintechs, CASPs, payment services, notaries, lawyers, chartered accountants for high-risk transactions, art dealers above EUR 10,000, the real estate sector, casinos. Non-financial sectors are also concerned for certain activities.
Is there a mandatory KYC form? Yes, for all financial institutions and obliged sectors. The form formalizes client identification and the collection of supporting documents. Its format is free, but its content is framed by the Monetary and Financial Code.
What are the 4 steps of a KYC process? 1. Identification: civil-status information, ID document, postal/email/phone information. 2. Identity verification: opposable sources (data, biometrics, OCR). 3. Risk assessment: country × profile × product matrix. 4. Ongoing monitoring: transactions, PEP and sanctions screening, periodic refresh.
What AML/CFT obligations apply to an obliged company?
- Identify the client and beneficial owner before onboarding
- Assess risks and calibrate customer due diligence
- Monitor transactions and file Tracfin suspicious-activity reports
- Retain documents for 5 years after the end of the business relationship
- Continuous staff training and AML/CFT reporting
What is the difference between KYC and KYB? KYC = know your customer (individual clients). KYB = know your business (corporate clients). KYB requires a company registration extract, articles of association, the beneficial ownership register (RBE) and the identification of executives. The risks and controls are structurally different.
What does AMLR6 change vs. AMLD6? Regulation (EU) 2024/1624 (AMLR6) is directly applicable without national transposition. It harmonizes thresholds, unifies the definition of beneficial owner, strengthens cooperation between financial intelligence units, and extends the perimeter to crypto CASPs and luxury trade. Pan-European companies now steer a single matrix.
Quick glossary of KYC *obligations*
- AML: Anti-Money Laundering, English equivalent of LCB-FT in French.
- AMLR6: Regulation (EU) 2024/1624, directly applicable.
- CASP / PSCA: Crypto-Asset Service Provider / Prestataire de Services sur Crypto-Actifs (French equivalent).
- EBA: European Banking Authority.
- eIDAS 2.0: EU regulation on electronic identity and trust services.
- FATF / GAFI: Financial Action Task Force, the intergovernmental body that sets anti-money-laundering recommendations.
- MiCA: Markets in Crypto-Assets, the EU regulation on crypto services.
- PEP: politically exposed person.
- RBE: French beneficial ownership register.
- TFR: Travel Rule Regulation, traceability of crypto transfers.
- Tracfin: French financial intelligence unit.
How KYC protects your clients and your banking partners
The framework is not a defensive cost: it is a trust lever that secures your audiences, your banking partners and your investors.
End-user side — rigorous customer knowledge protects your audiences against identity theft, fraud and money laundering. A company investing in this layer demonstrates seriousness and alignment with AMLR6 obligations. B2B accounts now require this transparency before any partnership.
Banking partner side — payment and correspondent banks require an auditable framework from their corporate clients. They now refuse to open an account for a company whose AML/CFT obligations are not demonstrably mastered. Compliance becomes a condition of access to banking services.
Investors and M&A side — investment funds and acquirers integrate framework audits into their due diligence. A company exposed to ACPR sanctions sees its valuation drop. Poorly filtered risk profiles are hidden debt that resurfaces at exit.
Key point: a robust framework protects you on three fronts — end users, banking partners, investors. Compliance becomes a strategic asset, not an opportunity cost.
KYC solutions: how to choose under 2026 obligations
With obligations reinforced by AMLR6, MiCA and TFR, the market for solutions has evolved. Three families coexist.
All-in-one suites — solutions combining data, biometrics and document OCR (eIDV, electronic identity verification) in a single contract. Pros: ease of integration. Cons: average performance on each layer, no best-of-breed on any single link.
Specialized building blocks — data-driven eIDV (our approach), pure biometrics, pure OCR. Pros: best performance per layer, lower false-positive rate. Cons: more complex integration.
Multi-vendor orchestration — the approach we recommend: an independent orchestrator that mobilizes the best solutions on each layer, free of vendor bias. Our market knowledge — 4,000 worldwide sources, 197 countries — lets us identify the optimal solution for each use case, each sector, each profile.
For a player in the banking sector or a fintech subject to AMLR6, the right contract combines several building blocks in a unified framework, with automated routing depending on the profile and the risk level.
Unsure about your KYC obligations?
The regulatory ecosystem is alive. Between AMLD6 transposed late 2024, AMLR6 directly applicable, MiCA + TFR for crypto, and ACPR-Tracfin 2025 guidelines, your obligations matrix has probably evolved since your last audit.
A subsidiary of MV Group, Euroleads offers you a free audit that identifies the exact perimeter of your obligations, the thresholds applicable to your activity, any blind spots, and the optimizations available on your current framework — whether you operate in finance, real estate, IT, e-commerce, insurance, business equipment or media.
Our independence — we do not sell any database — guarantees a recommendation grounded in your operational interest alone. Reliable customer knowledge means a better-protected and higher-performing company.