Source: OJ L, 2024/1620, 19.6.2024


Article 11 Central AML/CFT database


Summary: What does Article 11 of the Anti-Money Laundering Authority Regulation (AMLAR) say?

This article establishes the central AML/CFT database that the Authority is required to build and maintain.

It is a detailed, operationally significant article that sets out the full mechanics of the database: what goes into it, who must feed information in, who can access it, and under what conditions.

The database draws together information from supervisory authorities across the Union, from the Authority's own direct supervision activities referenced in Article 12, and from non-AML/CFT authorities such as the ECB and the ESAs.

The Authority can then share the contents or its own analysis of that content with a wide range of national and Union bodies, but only on a need-to-know and confidential basis.

The article also mandates the Authority to develop regulatory technical standards to standardise how information is submitted, and sets a 10-year retention limit for personal data held in the database.

Important points:

  • Supervisory authorities are required to transmit a defined set of information to the Authority for inclusion in the database, covering everything from sanctions imposed on obliged entities to risk profile assessments and supervisory resources.
  • The Authority shares database information with supervisory authorities, non-AML/CFT authorities, and the ESAs on a need-to-know and confidential basis, and those bodies may submit reasoned requests for information necessary to their supervisory activities.
  • Personal data held in the database must be deleted after 10 years, though deletion may occur earlier on a case-by-case basis following a regular assessment of necessity.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The Authority shall establish and keep up to date a central database of information pursuant to this Article.

       The Authority shall make the information available to supervisory authorities, non-AML/CFT authorities, other national authorities and bodies competent for ensuring compliance with Directive 2008/48/EC of the European Parliament and of the Council(28), Directive 2009/110/EC of the European Parliament and of the Council(29), Directive 2009/138/EC of the European Parliament and of the Council(30), Directive 2014/17/EU of the European Parliament and of the Council(31), Regulation (EU) No 537/2014 of the European Parliament and of the Council(32), Directive 2014/56/EU of the European Parliament and of the Council(33), Directive 2014/65/EU of the European Parliament and of the Council(34) or Directive (EU) 2015/2366 of the European Parliament and of the Council(35), and to the European Supervisory Authorities, namely, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) (collectively, ‘the ESAs’), on a need-to-know and confidential basis, where it is necessary for the fulfilment of their tasks.

       The Authority shall also analyse the collected information and may share the results of its analysis on its own initiative with supervisory authorities, where to do so would facilitate their supervisory activities, and, where relevant, with obliged entities.

    2. The supervisory authorities shall transmit to the Authority at least the following information, including the data related to individual obliged entities, so that the Authority enters that information into the database:

      (a) a list of all supervisory authorities and self-regulatory bodies in their Member State entrusted with the supervision of obliged entities, including information about their mandate, tasks and powers and, where applicable, the identification of the leading supervisor or coordination mechanism;

      (b) statistical information about the categories and the number of supervised obliged entities per category in their Member State and basic information about the risk profile of those entities;

      (c) the administrative measures applied and pecuniary sanctions imposed in the course of supervision of individual obliged entities in response to breaches of AML/CFT requirements, accompanied by:

        (i) the grounds for applying the administrative measure or imposing the pecuniary sanction, such as the nature of the breach;

        (ii) related information on the supervisory activities and outcomes which led to the administrative measure being applied or the pecuniary sanction being imposed;

      (d) any advice or opinion related to ML/TF risks provided to other authorities in relation to authorisation procedures, withdrawal of authorisation procedures, and ‘fit and proper’ assessments of shareholders or members of the management body of individual obliged entities;

      (e) the outcomes of their assessments of the inherent and residual risk profiles of all credit institutions and financial institutions that meet the criteria set out in Article 12(1);

      (f) the outcomes and reports of thematic reviews and other horizontal supervisory actions with regard to high-risk areas or activities;

      (g) information regarding the supervisory activities they performed over the past calendar year, gathered pursuant to Article 40(5) of Directive (EU) 2024/1640;

      (h) statistical information about staffing and other resources of supervisors and supervisory authorities.

       The information provided pursuant to the first subparagraph shall not include references to specific suspicions reported pursuant to Article 69 of Regulation (EU) 2024/1624.

       The Authority shall also enter into the database the information stemming from its activities in the area of direct supervision which corresponds to the categories of information listed in the first subparagraph, as well as the outcomes of the risk assessment process carried out by the Authority pursuant to Article 12.

    3. The Authority may request supervisory authorities to provide other information in addition to that referred to in paragraph 2. The supervisory authorities shall update any provided information as soon as the update is necessary or at the Authority’s request.

    4. The Authority shall enter into the database any data or information relevant for the purposes of AML/CFT supervisory activities which is provided by non-AML/CFT authorities, other national authorities and bodies competent for ensuring compliance with the requirements of Directive 2008/48/EC, Directive 2009/110/EC, Directive 2009/138/EC, Directive 2014/17/EU, Regulation (EU) No 537/2014, Directive 2014/56/EU, Directive 2014/65/EU or Directive (EU) 2015/2366, or by the ESAs.

       The information referred to in the first subparagraph shall include instances where the authorities and bodies referred to in that subparagraph have reasonable grounds to suspect that ML/TF is being attempted or committed or that an increased risk thereof exists in connection with an obliged entity, and where such reasonable grounds arose in the context of the exercise of their respective tasks. The database shall also include relevant information which authorities or bodies supervising credit institutions in accordance with Directive 2013/36/EU of the European Parliament and of the Council(36), including the ECB when acting in accordance with Regulation (EU) No 1024/2013, have obtained, in the context of ongoing supervision, including information on business model assessments, assessments of governance arrangements, authorisation procedures, assessments of acquisitions of qualifying holdings, ‘fit and proper’ assessments and procedures related to the withdrawal of licences.

    5. The authorities and bodies referred to in paragraph 1, second subparagraph, may address to the Authority a reasoned request for information collected pursuant to this Article, if that information is necessary for their supervisory activities. The Authority shall assess those requests and provide the information requested on a need-to-know and confidential basis and in a timely manner. The Authority shall inform the authority or body that has initially provided the requested information of the identity of the requesting authority or body, the identity of any obliged entity concerned, the reason for the information request as well as whether the information has been provided to the requesting authority or body. Where the Authority decides not to provide the requested information, it shall provide a reasoned justification for that decision.

    6. The Authority shall develop draft regulatory technical standards specifying:

      (a) the procedure, formats and timelines for the transmission of information pursuant to paragraphs 2 and 3;

      (b) the scope and level of detail of the information to be transmitted, taking into account relevant distinctions between obliged entities, such as their risk profile;

      (c) the scope and level of detail of the information to be transmitted in relation to obliged entities in the non-financial sector;

      (d) the type of information the disclosure of which by the Authority, pursuant to a reasoned request or at its own initiative, requires the prior consent of the supervisory authority that originated it;

      (e) which level of materiality a breach needs to have in order for a supervisory authority to be obliged to transmit information on the breach pursuant to paragraph 2, point (c);

      (f) the conditions under which the Authority may request additional information pursuant to paragraph 3;

      (g) the types of additional information to be transmitted to the Authority pursuant to paragraph 3.

       The Authority shall submit those draft regulatory technical standards to the Commission by 27 December 2025.

       The Commission is empowered to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Article 49 of this Regulation.

    7. Personal data collected in accordance with this Article may be kept in an identifiable form for a period of up to 10 years after the date of collection of the data by the Authority, at the end of which those data shall be deleted. Based on a regular assessment of their necessity, personal data may be deleted before the expiry of that period on a case-by-case basis.
