Source: OJ L, 2024/1620, 19.6.2024


Article 37 Warnings of breaches of Union law by non-financial supervisors and public authorities overseeing self-regulatory bodies


Summary

What does Article 37 of the Anti-money laundering authority regulation (AMLAR) say?

This article sets out the enforcement mechanism available to the Authority when it suspects that a non-financial supervisor or a public authority overseeing self-regulatory bodies has failed to correctly apply Union law.

It is the non-financial sector counterpart to Article 34, which covers the same investigatory and escalation process for financial supervisors.

The article follows a structured escalation path: investigation, recommendation, and ultimately a public warning if the breach remains unresolved.

The Authority can act on its own initiative or upon request from a range of institutions, and has the power to gather information not only from the suspected party but also from other supervisors if the initial information gathered proves insufficient.

Important points:

  • The Authority is required to investigate suspected breaches by non-financial supervisors or relevant public authorities, inform the subject of the investigation, and may issue a recommendation within six months of initiating that investigation.
  • Non-financial supervisors and public authorities are required to provide requested information without delay and must respond to any recommendation within 10 working days.
  • Where a breach is not resolved within one month of receiving a recommendation, the Authority shall issue a warning to counterpart supervisors in other Member States or, as applicable, to the self-regulatory bodies under the oversight of the public authority concerned.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Where the Authority has grounds to suspect that a non-financial supervisor or a public authority overseeing self-regulatory bodies referred to in Article 52 of Directive (EU) 2024/1640 has not applied the Union acts or the national legislation referred to in Article 1(2) of this Regulation, or has applied them in a way which appears to breach Union law, it shall inform the supervisor or public authority concerned of those suspected breaches and investigate them.

       For the purposes of the first subparagraph, the Authority may act upon the request of one or more non-financial supervisors or public authorities, the European Parliament, the Council or the Commission, or on its own initiative, including where such action is based on well-substantiated information from natural or legal persons pursuant to Article 90.

    2. The Authority shall be able to request from the supervisor or public authority concerned all information which the Authority considers necessary for its investigation, including information on how the Union acts or national legislation referred to in Article 1(2) of this Regulation are applied in accordance with Union law, but with the exception of information covered by legal privilege, unless the exemptions set out in Article 21(2), second subparagraph, and Article 70(2), second subparagraph, of Regulation (EU) 2024/1624 and in Article 52(3), point (a), of Directive (EU) 2024/1640 apply.

       The supervisor or public authority concerned shall, without delay, provide the Authority with the requested information.

       Whenever the requested information from the supervisor or public authority concerned has proven, or is deemed to be, insufficient to obtain the information that is deemed necessary for the purposes of investigating the suspected breach, the Authority may, after having informed the supervisor or public authority concerned, address a duly justified and reasoned request for information directly to other supervisors or public authorities overseeing self-regulatory bodies.

       The addressee of such a request shall provide the Authority with clear, accurate and complete information without undue delay.

    3. The Authority may, not later than six months from initiating its investigation, address a recommendation to the supervisor or public authority concerned setting out the action necessary to remedy the identified breach.

       Before issuing such a recommendation, the Authority shall engage with the supervisor or public authority concerned where it considers such engagement appropriate in order to resolve the breach, in an attempt to reach agreement on the actions necessary to that end.

       The supervisor or public authority concerned shall, within 10 working days of receipt of the recommendation, inform the Authority of the steps it has taken or intends to take to resolve the breach.

    4. Where the supervisor or public authority has not resolved the identified breach referred to in paragraph 3, first subparagraph, within one month of receipt of the Authority’s recommendation, the Authority shall issue a warning detailing the breach and identifying measures to be implemented by the addressees of the warning to mitigate its effects.

       The warning referred to in the first subparagraph shall be addressed:

         1. in the case of a non-financial supervisor, to the counterpart supervisors in other Member States and, where the supervisor is a self-regulatory body, its public authority;

         2. in the case of a public authority, to the self-regulatory bodies under its oversight.

    5. As soon as the supervisor or public authority concerned has resolved the breach, the Authority shall inform the addressees of its warning referred to in paragraph 4 that the breach has been resolved and that the mitigating measures have ceased.
