TL;DR
- The CBI/RBI market is expanding, with experts anticipating multiple new program launches despite tighter oversight, creating both opportunity and regulatory exposure (source).
- Reputational risk remains elevated due to ethics lapses, weak AML/KYC, and aggressive marketing—areas EU stakeholders tie to Schengen security concerns (source).
- ETIAS pre-travel authorization and the EU Entry/Exit System increase traveler screening and data trails, raising the bar for due diligence and client counseling (source; source).
- Law firms should formalize pricing governance (no discounting drift), compliance-led marketing reviews, and risk-based KYC/AML with technology-enabled due diligence (source; source).
- Implement a reputational risk register for program selection and onboarding decisions, and align client travel advice with ETIAS/EES-era scrutiny (source; source).
Investment migration will likely see more new CBI programs even as scrutiny intensifies. For law firms, that “growth-with-oversight” reality demands disciplined pricing, transparent marketing, and stronger due diligence to manage reputational risk and CBI discounting pressures.
Market outlook: new CBI programs, more scrutiny
Industry observers describe the next 12–18 months as pivotal, with multiple new CBI/RBI programs expected and greater integration of compliance across the ecosystem (source). That expansion brings opportunity but also higher expectations from European policymakers who have linked some “golden” schemes to money-laundering and called for stronger due diligence to safeguard Schengen states (source).
Demand drivers remain broad-based—in some segments, US applicants account for a meaningful share of investor migration flows—yet the balance of growth and governance is reshaping how firms must position themselves (source). The winners will scale ethically, standardize controls, and advise clients in line with EU travel-screening realities.
Persistent reputational risks: pricing and ethics
Reputational risk in investment migration continues to spring from the same fault lines: ethics lapses, weak AML/KYC practice, and promotional claims that get ahead of legal reality (source). EU institutions have repeatedly flagged due-diligence weaknesses around certain citizenship or residence-by-investment pathways, reinforcing the need for robust background checks by intermediaries and counsel (source).
Compliance data point to a capability gap: as recently as 2023, only a minority of law firms were fully AML-compliant, underscoring regulatory and reputational exposure if controls are not modernized (source). Against this backdrop, aggressive CBI discounting and uneven pricing practices can further erode trust, inviting scrutiny from regulators and program authorities (source).
ETIAS/EES: Schengen-era scrutiny
Two EU systems are transforming how clients travel and how their data are screened. The EU Entry/Exit System (EES) logs non‑EU travelers’ entries and exits to strengthen Schengen security and manage overstays, with operations commencing in 2025 (source). Separately, visa‑exempt travelers will need ETIAS pre‑travel authorization, adding a new layer of front‑end screening before departure (source).
For investor migrants and their families, these systems mean earlier risk detection and more consistent data trails across borders. Counsel should therefore calibrate advice on visa pathways, residency, and citizenship with realistic travel expectations and compliance behaviors that minimize alerts (source). Clients evaluating citizenship options may also explore diversified strategies, including secure residency or investment alternatives as part of broader mobility planning.
A 2026 compliance playbook
The following controls translate regulatory expectations into daily practice, with an emphasis on CBI discounting risk, reputational safeguards, and due diligence.
1) Pricing governance (CBI discounting control)
- Adopt standardized client engagement letters with program‑specific fee schedules and prohibited discount clauses; require documented approvals for any deviation to prevent price undercutting that may signal misconduct (source).
- Centralize pricing authority with audit trails; run quarterly variance analytics to detect systematic discounting patterns that can damage reputation with program authorities (source).
2) Compliance-led marketing oversight
- Pre‑clear all marketing with compliance; ban guaranteed outcomes and misleading timelines; incorporate risk disclosures for EU travel screening and due‑diligence outcomes (source).
- Maintain a marketing claims register mapping each statement to a legal source or official program document to withstand regulator review (source).
3) Risk-based KYC/AML and due diligence
- Implement a tiered risk model by nationality, source of funds, business sector, and politically exposed person (PEP) status; apply enhanced due diligence where risk exceeds threshold (source).
- Adopt AI‑enabled screening hubs to consolidate watchlists, adverse media, and sanctions checks across jurisdictions, reducing weak‑link exposure and harmonizing controls (source).
- Align travel counseling with ETIAS/EES rules; document client acknowledgment of travel compliance obligations to mitigate future disputes (source; source).
4) Program selection and onboarding ethics
- Use a reputational risk register to rate programs on transparency, due‑diligence stringency, and political/stability outlook; avoid jurisdictions with unresolved EU concerns (source).
- Codify go/no‑go client criteria reflecting EU AML expectations and internal risk appetite; track exceptions with senior sign‑off (source).
5) Data governance for the digital border era
- Map client data flows to meet documentation needs for ETIAS/EES‑related inquiries, while applying data minimization and retention schedules consistent with EU expectations (source).
- Ensure that mobility advice (residency, visas, taxation) is integrated with data‑protection controls, given increased cross‑border data sharing.
How to operationalize in 90 days
- Week 1–2: Appoint a compliance lead; launch a gap assessment for AML/KYC, marketing, and pricing workflows using current EU expectations and internal risk appetite (source; source).
- Week 3–4: Publish a standardized pricing policy and discounting protocol; update client engagement templates and approval logs (source).
- Week 5–6: Stand up compliance-led marketing review; create a claims register and program source library; refresh website copy for accuracy around ETIAS/EES travel checks (source; source).
- Week 7–8: Deploy enhanced due diligence tech (PEP/sanctions/adverse media); train staff on risk‑based onboarding and documentation standards (source).
- Week 9–10: Build the reputational risk register for program selection; set escalation thresholds and committee cadence (source).
- Week 11–12: Pilot the end‑to‑end workflow with two matters; conduct a post‑implementation review and refine controls before full rollout (source).
Monitoring and escalation: the risk register
A practical risk register keeps program selection and client intake grounded in evidence. Weight factors such as AML regime strength, EU/Schengen sensitivities, past adverse media, and geopolitical stability. Rate each client and program, then require senior approval above a threshold score (source; source). Document declines and rationales for auditability.
Finally, align strategic advice with alternative avenues—such as compliant residency or business establishment—when risk scores are elevated or when EU travel considerations favor a staged approach.
Quick-reference checklist
| Control area | Objective | Quick win |
|---|---|---|
| Pricing governance | Eliminate harmful CBI discounting | Standard fee schedules; discount approval log (source) |
| Marketing oversight | Truthful, compliant advertising | Compliance pre‑clearance and claims register (source) |
| Risk‑based KYC/AML | Reduce onboarding risk | Enhanced PEP/sanctions/adverse media checks (source) |
| Travel compliance | ETIAS/EES alignment | Client advisories and consent on travel rules (source; source) |
| Program selection | Reputational resilience | Risk register with thresholds and approvals (source) |
Conclusion
New CBI programs will continue to appear, but so will scrutiny. Firms that control CBI discounting, confront reputational risk directly, and harden due diligence for the ETIAS/EES era will convert market growth into durable advantage (source; source).
FAQ
Will there really be new CBI programs in the near term?
Yes. Industry analysis points to multiple new CBI/RBI launches in the coming cycle, even as oversight expands, so firms should prepare capacity and controls accordingly (source).
Why is CBI discounting a reputational risk?
Uneven or opaque discounting can signal unethical conduct and undermine trust with clients and program authorities, triggering scrutiny; standardized pricing and approval logs help prevent this (source).
How do ETIAS and EES affect investor migrants?
What due diligence upgrades are most impactful?
How should firms choose which programs to support?
Use a reputational risk register to score programs on AML robustness, EU sensitivities, transparency, and stability, and set thresholds for committee review and client disclosures (source).

