Article 11 Understanding the ownership and control structure of the customer


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary: What does Article 11 of the RTS on customer due diligence say?

This article sets out the obligations on obliged entities to understand the ownership and control structure of their customers, building directly on the customer due diligence requirements referenced in Article 20(1) of Regulation (EU) 2024/1624.

Where a customer's structure involves more than one legal entity or legal arrangement, the article becomes particularly detailed, specifying the types of information that must be gathered about intermediate entities — from their legal form and jurisdiction of incorporation, to shareholding percentages and the nature of any control exercised.

Crucially, the article goes beyond mere data collection: obliged entities must actively assess the credibility of the information obtained, satisfy themselves that there is a rational basis for the structure, and understand how the overall structure bears on the ML/TF risk profile of the customer.

Important points:

  • Obtain a comprehensive understanding of your customer's ownership and control structure, with specific information requirements applying where multiple legal entities or legal arrangements sit between the customer and their beneficial owners.
  • Assess not just the structure itself but also its credibility, its rationale, and its implications for ML/TF risk.
  • Article 12 of this regulation builds on this article by setting out what constitutes a complex corporate structure and the additional measures required in those cases.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Obliged entities shall take risk-sensitive measures to ensure they obtain a comprehensive understanding of the ownership and control structure of the customer pursuant to Article 20(1) point (b) of Regulation (EU) 2024/1624.

    2. For the purposes of the first paragraph and in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall take risk-sensitive measures to obtain and assess at least the following information:

      1. a description of the ownership and control structure, including the legal entities and/or legal arrangements that constitute intermediate entities between the customer and their beneficial owners and relevant for understanding the ownership and control structure; and

      2. where applicable:

        1. where beneficial ownership is determined on the basis of control, information on how this is expressed and exercised; or

        2. information on the regulated market on which the securities are listed, in case a legal entity at an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the number and percentage of shares listed if not all the legal entity’s securities are listed on a regulated market.

    3. With respect to the legal entities and/or legal arrangements described in paragraph (2), point (a), and to the extent that it is relevant, obliged entities shall take risk-sensitive measures to obtain the following information:

      1. the legal form of such entities and/or arrangements, and reference to the existence of any nominee shareholders;

      2. the jurisdiction of incorporation or registration of the legal person or legal arrangement,

      3. in the case of a trust, the jurisdiction of its governing law;

      4. where applicable, the shares of interest held by each legal entity or legal arrangement, its sub-division, by class or type of shares and/or voting rights expressed as a percentage of the respective total.

    4. When obliged entities assess the ownership and control structure, they must be satisfied that:

      1. the information included in the description pursuant to paragraph 2, point (a) is credible;

      2. that there is an economic, legal or other rationale behind the structure; and

      3. that they understand how the overall structure affects the ML/TF risk associated with the customer.
