Source: OJ L, 2024/1624, 19.6.2024Current language: EN
- Anti-money laundering
Basic legislative acts
- Anti-money laundering regulation (AMLR)
Article 18 Outsourcing
Summary What does Article 18 of the Anti-money laundering regulation (AMLR) say?
This article governs the outsourcing of AML/CFT compliance tasks by obliged entities to third-party service providers.
It permits outsourcing while making clear that accountability stays firmly with the obliged entity, not the service provider.
The article is notably detailed, setting out not only the general framework for permissible outsourcing but also a hard list of tasks that can never be outsourced, rules on third-country service providers, and a specific carve-out for certain collective investment undertakings.
It connects directly to the internal governance obligations in Articles 9 and 10, as the approval of risk assessments and internal policies established under those articles are among the tasks explicitly ring-fenced from outsourcing.
Important points:
- Remain fully liable for all outsourced tasks — full accountability cannot be delegated to a service provider under any circumstances.
- Certain core decisions can never be outsourced, including approving risk assessments and internal policies, determining a customer's risk profile, and deciding whether to enter into a business relationship.
- Outsourcing to service providers in high-risk third countries identified under Chapter III is prohibited unless the provider is part of the same group, the group applies fully compliant AML/CFT standards, and group-level supervision is in place.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Obliged entities may outsource tasks resulting from this Regulation to service providers. The obliged entity shall notify the supervisor of the outsourcing before the service provider starts to carry out the outsourced task.
When performing tasks under this Article, service providers shall be regarded as part of the obliged entity, including where they are required to consult the central registers referred to in Article 10 of Directive (EU) 2024/1640 (‘central registers’) for the purposes of carrying out customer due diligence on behalf of the obliged entity.
The obliged entity shall remain fully liable for any action, whether an act of commission or omission, connected to the outsourced tasks that are carried out by service providers.
For each outsourced task, the obliged entity shall be able to demonstrate to the supervisor that it understands the rationale behind the activities carried out by the service provider and the approach followed in their implementation, and that such activities mitigate the specific risks to which the obliged entity is exposed.
The tasks outsourced pursuant to paragraph 1 of this Article shall not be undertaken in such a way as to impair materially the quality of the obliged entity’s policies and procedures to comply with the requirements of this Regulation and of Regulation (EU) 2023/1113, and of the controls in place to test those policies and procedures. The following tasks shall not be outsourced under any circumstances:
the proposal and approval of the obliged entity’s business-wide risk assessment pursuant to Article 10(2);
the approval of the obliged entity’s internal policies, procedures and controls pursuant to Article 9;
decision on the risk profile to be attributed to the customer;
the decision to enter into a business relationship or carry out an occasional transaction with a client;
the reporting to FIU of suspicious activities pursuant to Article 69 or threshold-based reports pursuant to Article 74 and 80, except where such activities are outsourced to another obliged entity belonging to the same group and established in the same Member State;
the approval of the criteria for the detection of suspicious or unusual transactions and activities.
Before an obliged entity outsources a task pursuant to paragraph 1, it shall assure itself that the service provider is sufficiently qualified to carry out the tasks to be outsourced.
Where an obliged entity outsources a task pursuant to paragraph 1, it shall ensure that the service provider, as well as any subsequent sub-outsourcing service provider, applies the policies and procedures adopted by the obliged entity. The conditions for the performance of such tasks shall be laid down in a written agreement between the obliged entity and the service provider. The obliged entity shall perform regular controls to ascertain the effective implementation of such policies and procedures by the service provider. The frequency of such controls shall be determined on the basis of the critical nature of the tasks outsourced.
Obliged entities shall ensure that outsourcing is not undertaken in such way as to impair materially the ability of the supervisory authorities to monitor and retrace the obliged entity’s compliance with this Regulation and Regulation (EU) 2023/1113.
By way of derogation from paragraph 1, obliged entities shall not outsource tasks deriving from the requirements under this Regulation to service providers residing or established in third countries identified pursuant to Section 2 of Chapter III, unless all of the following conditions are met:
the obliged entity outsources tasks solely to a service provider that is part of the same group;
the group applies AML/CFT policies and procedures, customer due diligence measures and rules on record-keeping that are fully in compliance with this Regulation, or with equivalent rules in third countries;
the effective implementation of the requirements referred to in point (b) of this paragraph is supervised at group level by the supervisory authority of the home Member State in accordance with Chapter IV of Directive (EU) 2024/1640.
By way of derogation from paragraph 3, where a collective investment undertaking has no legal personality, or has only a board of directors and has delegated the processing of subscriptions and the collection of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 from investors to another entity, it may outsource the task referred to in paragraph 3, points (c), (d) and (e) to one of its service providers.
The outsourcing referred to in the first subparagraph of this paragraph may only take place after the collective investment undertaking has notified its intention to outsource the task to the supervisor pursuant to paragraph 1, and the supervisor has approved such outsourcing taking into consideration:
the resources, experience and knowledge of the service provider in relation to the prevention of money laundering and terrorist financing;
the knowledge of the service provider of the type of activities or transactions carried out by the collective investment undertaking.
By 10 July 2027, AMLA shall issue guidelines addressed to obliged entities on:
the establishment of outsourcing relationships, including any subsequent outsourcing relationship, in accordance with this Article, their governance and procedures for monitoring the implementation of functions by the service provider and in particular those functions that are to be regarded as critical;
the roles and responsibility of the obliged entity and the service provider within an outsourcing agreement;
supervisory approaches to outsourcing as well as supervisory expectations regarding the outsourcing of critical functions.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
crypto-asset services
Definition
supervisor
Definition
financial mixed activity holding company
Definition
crypto-asset service provider
Definition
credit institution
- a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013;
- a branch of a credit institution, as defined in Article 4(1), point (17), of Regulation (EU) No 575/2013, when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
parent undertaking
- for groups whose head office is located in the Union, an obliged entity that is a parent undertaking as defined in Article 2, point (9), of Directive 2013/34/EU that is not itself a subsidiary of another undertaking in the Union, provided that at least one subsidiary undertaking is an obliged entity;
- for groups whose head office is located outside of the Union, where at least two subsidiary undertakings are obliged entities established in the Union, an undertaking within that group established in the Union that:
- is an obliged entity;
- is an undertaking that is not a subsidiary of another undertaking that is an obliged entity established in the Union;
- has a sufficient prominence within the group and a sufficient understanding of the operations of the group that are subject to the requirements of this Regulation; and
- is given the responsibility of implementing group-wide requirements under Chapter II, Section 2 of this Regulation;
Definition
crypto-asset
Definition
establishment
- a branch or subsidiary;
- in the case of credit institutions and financial institutions, an infrastructure qualifying as an establishment under prudential regulation;
Definition
property
Definition
terrorist financing
Definition
group
Definition
money laundering
Definition
financial institution
- an undertaking other than a credit institution or an investment firm, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council(32), including the activities of currency exchange offices (bureaux de change), but excluding the activities referred to in point (8) of Annex I to Directive (EU) 2015/2366, or an undertaking the principal activity of which is to acquire holdings, including a financial holding company, a mixed financial holding company and a financial mixed activity holding company;
- an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council(33), insofar as it carries out life or other investment-related assurance activities covered by that Directive, including insurance holding companies and mixed-activity insurance holding companies as defined, respectively, in Article 212(1), points (f) and (g), of Directive 2009/138/EC;
- an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 where it acts with respect to life insurance and other investment-related insurance services, with the exception of an insurance intermediary that does not collect premiums or amounts intended for the customer and which acts under the responsibility of one or more insurance undertakings or intermediaries for the products which concern them respectively;
- an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU of the European Parliament and of the Council(34);
- a collective investment undertaking, in particular:
- an undertaking for collective investment in transferable securities (UCITS) as defined in Article 1(2) of Directive 2009/65/EC and its management company as defined in Article 2(1), point (b), of that Directive or an investment company authorised in accordance with that Directive and which has not designated a management company, that makes available for purchase units of UCITS in the Union;
- an alternative investment fund as defined in Article 4(1), point (a), of Directive 2011/61/EU and its alternative investment fund manager as defined in Article 4(1), point (b), of that Directive that fall within the scope set out in Article 2 of that Directive;
- a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 of the European Parliament and of the Council(35);
- a creditor as defined in Article 4, point (2), of Directive 2014/17/EU of the European Parliament and of the Council(36) and in Article 3, point (b), of Directive 2008/48/EC of the European Parliament and of the Council(37);
- a credit intermediary as defined in Article 4, point (5), of Directive 2014/17/EU and in Article 3, point (f), of Directive 2008/48/EC, when holding the funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 in connection with the credit agreement, with the exception of the credit intermediary carrying out activities under the responsibility of one or more creditors or credit intermediaries;
- a crypto-asset service provider;
- a branch of a financial institution referred to in points (a) to (i), when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
self-regulatory body
Definition
third country
Definition
funds
Definition
business relationship
Definition
supervisory authority