Source: OJ L, 2024/1624, 19.6.2024Current language: EN
- Anti-money laundering
Basic legislative acts
- Anti-money laundering regulation (AMLR)
Article 9 Scope of internal policies, procedures and controls
Summary What does Article 9 of the Anti-money laundering regulation (AMLR) say?
This is a foundational article establishing the internal governance framework that obliged entities must have in place to comply with the regulation.
It sets out the requirement for internal policies, procedures and controls, and then details at length what those must cover — from risk assessments and customer due diligence to staff training, outsourcing, record retention and suspicious transaction reporting.
The article also requires these frameworks to be documented in writing and kept up to date.
It connects closely to Article 10 (business-wide risk assessment) and Chapter III (customer due diligence), which the internal framework is designed to operationalise.
AMLA is tasked with issuing guidelines by 10 July 2026 to help obliged entities calibrate the extent of their internal controls based on their size and risk profile.
Important points:
- Implement internal policies, procedures and controls covering the full breadth of AML/CFT obligations, including risk management, customer due diligence, suspicious transaction reporting, outsourcing, record retention and staff training.
- All internal policies must be approved by the management body in its management function, with procedures and controls approved at least at the level of the compliance manager.
- AMLA is required to issue guidelines by 10 July 2026 specifying how obliged entities should structure their compliance functions, including when an independent audit function may be carried out by an external expert.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Obliged entities shall have in place internal policies, procedures and controls in order to ensure compliance with this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor and in particular to:
mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity;
in addition to the obligation to apply targeted financial sanctions, mitigate and manage the risks of non-implementation and evasion of targeted financial sanctions.
The policies, procedures and controls referred to in the first subparagraph shall be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and shall cover all the activities of the obliged entity that fall under the scope of this Regulation.
The policies, procedures and controls referred to in paragraph 1 shall include:
internal policies and procedures, including in particular:
the carrying out and updating of the business-wide risk assessment;
the obliged entity’s risk management framework;
customer due diligence to implement Chapter III of this Regulation, including procedures to determine whether the customer, the beneficial owner, or the person on whose behalf or for the benefit of whom a transaction or activity is being conducted, is a politically exposed person or a family member or person known to be a close associate;
reporting of suspicious transactions;
outsourcing and reliance on customer due diligence performed by other obliged entities;
record retention and policies in relation to the processing of personal data pursuant to Articles 76 and 77;
the monitoring and management of compliance with such internal policies and procedures in accordance with point (b) of this paragraph, the identification and management of deficiencies and the implementation of remedial actions;
the verification, proportionate to the risks associated with the tasks and functions to be performed, when recruiting and assigning staff to certain tasks and functions and when appointing agents and distributors, that those persons are of good repute;
the internal communication of the obliged entity’s internal policies, procedures and controls, including to its agents, distributors and service providers involved in the implementation of its AML/CFT policies;
a policy on the training of employees and, where relevant, agents and distributors with regard to measures in place in the obliged entity to comply with the requirements of this Regulation, Regulation (EU) 2023/1113 and any administrative act issued by any supervisor;
internal controls and an independent audit function to test the internal policies and procedures referred to in point (a) of this paragraph and the controls in place in the obliged entity; in the absence of an independent audit function, obliged entities may have this test carried out by an external expert.
The internal policies, procedures and controls set out in the first subparagraph shall be recorded in writing. Internal policies shall be approved by the management body in its management function. Internal procedures and controls shall be approved at least at the level of the compliance manager.
The obliged entities shall keep the internal policies, procedures and controls up-to-date, and enhance them where weaknesses are identified.
By 10 July 2026, AMLA shall issue guidelines on the elements that obliged entities should take into account, based on the nature of their business, including its risks and complexity, and their size, when deciding on the extent of their internal policies, procedures and controls, in particular as regards the staff allocated to the compliance functions. Those guidelines shall also identify situations where, due to the nature and size of the obliged entity:
internal controls are to be organised at the level of the commercial function, of the compliance function and of the audit function;
the independent audit function can be carried out by an external expert.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
supervisor
Definition
funds or other assets
Definition
politically exposed person
- in a Member State:
- heads of State, heads of government, ministers and deputy or assistant ministers;
- members of parliament or of similar legislative bodies;
- members of the governing bodies of political parties that hold seats in national executive or legislative bodies, or in regional or local executive or legislative bodies representing constituencies of at least 50 000 inhabitants;
- members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
- members of courts of auditors or of the boards of central banks;
- ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
- members of the administrative, management or supervisory bodies of enterprises controlled under any of the relationships listed in Article 22 of Directive 2013/34/EU either by the state, or, where those enterprises qualify as medium sized or large undertakings or medium sized or large groups, as defined in Article 3(3), (4), (6) and (7) of that Directive, by regional or local authorities;
- heads of regional and local authorities, including groupings of municipalities and metropolitan regions, with at least 50 000 inhabitants;
- other prominent public functions provided for by Member States;
- in an international organisation:
- the highest ranking officials, their deputies and members of the board or equivalent functions of an international organisation;
- representatives to a Member State or to the Union;
- at Union level:
functions at the level of Union institutions and bodies that are equivalent to those listed in points (a) (i), (ii), (iv), (v) and (vi);
- in a third country:
functions that are equivalent to those listed in point (a);
Definition
parent undertaking
- for groups whose head office is located in the Union, an obliged entity that is a parent undertaking as defined in Article 2, point (9), of Directive 2013/34/EU that is not itself a subsidiary of another undertaking in the Union, provided that at least one subsidiary undertaking is an obliged entity;
- for groups whose head office is located outside of the Union, where at least two subsidiary undertakings are obliged entities established in the Union, an undertaking within that group established in the Union that:
- is an obliged entity;
- is an undertaking that is not a subsidiary of another undertaking that is an obliged entity established in the Union;
- has a sufficient prominence within the group and a sufficient understanding of the operations of the group that are subject to the requirements of this Regulation; and
- is given the responsibility of implementing group-wide requirements under Chapter II, Section 2 of this Regulation;
Definition
family member
- a spouse, or a person in a registered partnership or civil union or in a similar arrangement;
- a child and a spouse of, or a person in a registered partnership or civil union or in a similar arrangement with, that child;
- a parent;
- for the functions referred to in point (34)(a)(i) and equivalent functions at Union level or in a third country, a sibling;
Definition
property
Definition
express trust
Definition
legal arrangement
Definition
management body
Definition
terrorist financing
Definition
targeted financial sanctions
Definition
group
Definition
money laundering
Definition
third country
Definition
person known to be a close associate
- a natural person who is known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;
- a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person;
Definition
funds
Definition
beneficial owner
Definition
management body in its management function