Art. 18 Outsourcing | Anti-money laundering regulation (AMLR) | AML

1. Obliged entities may outsource tasks resulting from this Regulation to service providers. The obliged entity shall notify the supervisormeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; of the outsourcing before the service provider starts to carry out the outsourced task.
1. When performing tasks under this Article, service providers shall be regarded as part of the obliged entity, including where they are required to consult the central registers referred to in Article 10 of Directive (EU) 2024/1640 (‘central registers’) for the purposes of carrying out customer due diligence on behalf of the obliged entity.
2. The obliged entity shall remain fully liable for any action, whether an act of commission or omission, connected to the outsourced tasks that are carried out by service providers.
3. For each outsourced task, the obliged entity shall be able to demonstrate to the supervisormeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; that it understands the rationale behind the activities carried out by the service provider and the approach followed in their implementation, and that such activities mitigate the specific risks to which the obliged entity is exposed.
1. The tasks outsourced pursuant to paragraph 1 of this Article shall not be undertaken in such a way as to impair materially the quality of the obliged entity’s policies and procedures to comply with the requirements of this Regulation and of Regulation (EU) 2023/1113, and of the controls in place to test those policies and procedures. The following tasks shall not be outsourced under any circumstances:
  1. the proposal and approval of the obliged entity’s business-wide risk assessment pursuant to Article 10(2);
  2. the approval of the obliged entity’s internal policies, procedures and controls pursuant to Article 9;
  3. decision on the risk profile to be attributed to the customer;
  4. the decision to enter into a business relationshipmeans a business, professional or commercial relationship connected with the professional activities of an obliged entity, which is set up between an obliged entity and a customer, including in the absence of a written contract and which is expected to have, at the time when the contact is established, or which subsequently acquires, an element of repetition or duration; or carry out an occasional transaction with a client;
  5. the reporting to FIU of suspicious activities pursuant to Article 69 or threshold-based reports pursuant to Article 74 and 80, except where such activities are outsourced to another obliged entity belonging to the same groupmeans a group of undertakings which consists of a parent undertaking, its subsidiaries, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU; and established in the same Member State;
  6. the approval of the criteria for the detection of suspicious or unusual transactions and activities.
1. Before an obliged entity outsources a task pursuant to paragraph 1, it shall assure itself that the service provider is sufficiently qualified to carry out the tasks to be outsourced.
2. Where an obliged entity outsources a task pursuant to paragraph 1, it shall ensure that the service provider, as well as any subsequent sub-outsourcing service provider, applies the policies and procedures adopted by the obliged entity. The conditions for the performance of such tasks shall be laid down in a written agreement between the obliged entity and the service provider. The obliged entity shall perform regular controls to ascertain the effective implementation of such policies and procedures by the service provider. The frequency of such controls shall be determined on the basis of the critical nature of the tasks outsourced.
1. Obliged entities shall ensure that outsourcing is not undertaken in such way as to impair materially the ability of the supervisory authoritiesmeans a supervisor who is a public body, or the public authority overseeing self-regulatory bodies in their performance of supervisory functions pursuant to Article 37 of Directive (EU) 2024/1640, or AMLA when acting as a supervisor; to monitor and retrace the obliged entity’s compliance with this Regulation and Regulation (EU) 2023/1113.
1. By way of derogation from paragraph 1, obliged entities shall not outsource tasks deriving from the requirements under this Regulation to service providers residing or established in third countriesmeans any jurisdiction, independent state or autonomous territory that is not part of the Union and that has its own AML/CFT legislation or enforcement regime; identified pursuant to Section 2 of Chapter III, unless all of the following conditions are met:
  1. the obliged entity outsources tasks solely to a service provider that is part of the same groupmeans a group of undertakings which consists of a parent undertaking, its subsidiaries, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU;;
  2. the groupmeans a group of undertakings which consists of a parent undertaking, its subsidiaries, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU; applies AML/CFT policies and procedures, customer due diligence measures and rules on record-keeping that are fully in compliance with this Regulation, or with equivalent rules in third countriesmeans any jurisdiction, independent state or autonomous territory that is not part of the Union and that has its own AML/CFT legislation or enforcement regime;;
  3. the effective implementation of the requirements referred to in point (b) of this paragraph is supervised at groupmeans a group of undertakings which consists of a parent undertaking, its subsidiaries, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU; level by the supervisory authoritymeans a supervisor who is a public body, or the public authority overseeing self-regulatory bodies in their performance of supervisory functions pursuant to Article 37 of Directive (EU) 2024/1640, or AMLA when acting as a supervisor; of the home Member State in accordance with Chapter IV of Directive (EU) 2024/1640.
1. By way of derogation from paragraph 3, where a collective investment undertaking has no legal personality, or has only a board of directors and has delegated the processing of subscriptions and the collection of fundsor ‘property’ means property as defined in Article 2, point (2), of Directive (EU) 2018/1673; as defined in Article 4, point (25), of Directive (EU) 2015/2366 from investors to another entity, it may outsource the task referred to in paragraph 3, points (c), (d) and (e) to one of its service providers.
2. The outsourcing referred to in the first subparagraph of this paragraph may only take place after the collective investment undertaking has notified its intention to outsource the task to the supervisormeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; pursuant to paragraph 1, and the supervisormeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; has approved such outsourcing taking into consideration:
  1. the resources, experience and knowledge of the service provider in relation to the prevention of money launderingmeans the conduct set out in Article 3, paragraphs 1 and 5, of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances; and terrorist financingmeans the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances;;
  2. the knowledge of the service provider of the type of activities or transactions carried out by the collective investment undertaking.
1. By 10 July 2027, AMLA shall issue guidelines addressed to obliged entities on:
  1. the establishmentmeans the actual pursuit by an obliged entity of an economic activity covered by Article 3 in a Member State or third country other than the country where its head office is located for an indefinite period and through a stable infrastructure, including:a branch or subsidiary;in the case of credit institutions and financial institutions, an infrastructure qualifying as an establishment under prudential regulation; of outsourcing relationships, including any subsequent outsourcing relationship, in accordance with this Article, their governance and procedures for monitoring the implementation of functions by the service provider and in particular those functions that are to be regarded as critical;
  2. the roles and responsibility of the obliged entity and the service provider within an outsourcing agreement;
  3. supervisory approaches to outsourcing as well as supervisory expectations regarding the outsourcing of critical functions.