Source: OJ L, 2024/1624, 19.6.2024

Article 9 Scope of internal policies, procedures and controls


    1. Obliged entities shall have in place internal policies, procedures and controls in order to ensure compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor [‘supervisor’ means the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620], and in particular to:

      1. mitigate and manage effectively the risks of money laundering [‘money laundering’ means the conduct set out in Article 3, paragraphs 1 and 5, of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances] and terrorist financing [‘terrorist financing’ means the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances] identified at the level of the Union, the Member State and the obliged entity;

      2. in addition to the obligation to apply targeted financial sanctions [‘targeted financial sanctions’ means both asset freezing and prohibitions to make funds or other assets available, directly or indirectly, for the benefit of designated persons and entities pursuant to Council Decisions adopted on the basis of Article 29 TEU and Council Regulations adopted on the basis of Article 215 TFEU], mitigate and manage the risks of non-implementation and evasion of targeted financial sanctions.

    The policies, procedures and controls referred to in the first subparagraph shall be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and shall cover all the activities of the obliged entity that fall under the scope of this Regulation.

    2. The policies, procedures and controls referred to in paragraph 1 shall include:

      1. internal policies and procedures, including in particular:

        1. the carrying out and updating of the business-wide risk assessment;

        2. the obliged entity’s risk management framework;

        3. customer due diligence to implement Chapter III of this Regulation, including procedures to determine whether the customer, the beneficial owner [‘beneficial owner’ means any natural person who ultimately owns or controls a legal entity or an express trust or similar legal arrangement], or the person on whose behalf or for the benefit of whom a transaction or activity is being conducted, is a politically exposed person [‘politically exposed person’ means a natural person who is or has been entrusted with prominent public functions including: (a) in a Member State: (i) heads of State, heads of government, ministers and deputy or assistant ministers; (ii) members of parliament or of similar legislative bodies; (iii) members of the governing bodies of political parties that hold seats in national executive or legislative bodies, or in regional or local executive or legislative bodies representing constituencies of at least 50 000 inhabitants; (iv) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances; (v) members of courts of auditors or of the boards of central banks; (vi) ambassadors, chargés d’affaires and high-ranking officers in the armed forces; (vii) members of the administrative, management or supervisory bodies of enterprises controlled under any of the relationships listed in Article 22 of Directive 2013/34/EU either by the state, or, where those enterprises qualify as medium sized or large undertakings or medium sized or large groups, as defined in Article 3(3), (4), (6) and (7) of that Directive, by regional or local authorities; (viii) heads of regional and local authorities, including groupings of municipalities and metropolitan regions, with at least 50 000 inhabitants; (ix) other prominent public functions provided for by Member States; (b) in an international organisation: (i) the highest ranking officials, their deputies and members of the board or equivalent functions of an international organisation; (ii) representatives to a Member State or to the Union; (c) at Union level: functions at the level of Union institutions and bodies that are equivalent to those listed in points (a) (i), (ii), (iv), (v) and (vi); (d) in a third country: functions that are equivalent to those listed in point (a)] or a family member [‘family member’ means: (a) a spouse, or a person in a registered partnership or civil union or in a similar arrangement; (b) a child and a spouse of, or a person in a registered partnership or civil union or in a similar arrangement with, that child; (c) a parent; (d) for the functions referred to in point (34)(a)(i) and equivalent functions at Union level or in a third country, a sibling] or person known to be a close associate;

        4. reporting of suspicious transactions;

        5. outsourcing and reliance on customer due diligence performed by other obliged entities;

        6. record retention and policies in relation to the processing of personal data pursuant to Articles 76 and 77;

        7. the monitoring and management of compliance with such internal policies and procedures in accordance with point (b) of this paragraph, the identification and management of deficiencies and the implementation of remedial actions;

        8. the verification, proportionate to the risks associated with the tasks and functions to be performed, when recruiting and assigning staff to certain tasks and functions and when appointing agents and distributors, that those persons are of good repute;

        9. the internal communication of the obliged entity’s internal policies, procedures and controls, including to its agents, distributors and service providers involved in the implementation of its AML/CFT policies;

        10. a policy on the training of employees and, where relevant, agents and distributors with regard to measures in place in the obliged entity to comply with the requirements of this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor [‘supervisor’ means the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620];

      2. internal controls and an independent audit function to test the internal policies and procedures referred to in point (a) of this paragraph and the controls in place in the obliged entity; in the absence of an independent audit function, obliged entities may have this test carried out by an external expert.

    The internal policies, procedures and controls set out in the first subparagraph shall be recorded in writing. Internal policies shall be approved by the management body in its management function [‘management body in its management function’ means the management body responsible for the day-to-day management of the obliged entity]. Internal procedures and controls shall be approved at least at the level of the compliance manager.

    3. The obliged entities shall keep the internal policies, procedures and controls up-to-date, and enhance them where weaknesses are identified.

    4. By 10 July 2026, AMLA shall issue guidelines on the elements that obliged entities should take into account, based on the nature of their business, including its risks and complexity, and their size, when deciding on the extent of their internal policies, procedures and controls, in particular as regards the staff allocated to the compliance functions. Those guidelines shall also identify situations where, due to the nature and size of the obliged entity:

      1. internal controls are to be organised at the level of the commercial function, of the compliance function and of the audit function;

      2. the independent audit function can be carried out by an external expert.
