Source: AMLA consultation paper draft
RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches
COMMISSION DELEGATED REGULATION (EU) .../...
of XXX
supplementing Regulation (EU) 2024/1624 of the European Parliament and of the Council with regard to regulatory technical standards on group-wide requirements, on additional measures and additional supervisory actions related to obliged entities’ branches or subsidiaries in third countries
This is a draft act
This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and in particular Articles 16(4) and 17(3) thereof,
Whereas:
Recital 1
Regulation (EU) 2024/1624 aims for harmonisation of the measures to be put in place to prevent money laundering, its predicate offences, terrorist financing and the non- implementation and evasion of targeted financial sanctions at Union level, including when such measures are designed and implemented in a group or in a structure mentioned in Regulation (EU) 2024/1624. Consistent implementation of group-wide anti-money laundering, countering the financing of terrorism and of group-wide requirements to target the non-implementation or evasion of targeted financial sanctions is key to the robust and effective management of risks, especially in a cross-border context.
Recital 2
Minimum requirements for group-wide policies, procedures and controls should be developed, implemented and applied at group level in an adequate and consistent manner, while avoiding any risks of compromising anti-money laundering, countering the financing of terrorism requirements as well as preventing the non-implementation or evasion of targeted financial sanctions. Minimum requirements are also applicable to structures other than groups when such structures fulfil the conditions set out in this Regulation. Group-wide policies, procedures and controls should be designed to ensure consistency in the implementation of the group-wide requirements mentioned in Regulation (EU) 2024/1624 such as to enhance governance arrangements, the standing and role of the compliance manager and compliance officer at group level, the relations between the parent undertaking and the subsidiaries in the Union and in third countries as well as the business-wide risk assessments at group level.
Recital 3
Group-wide policies, procedures and controls should not result in a derogation for the parent undertaking in the Union from carrying out the entity level policies, procedures and controls, including its entity-level risk assessment.
Recital 4
Information sharing within groups and other structures, such as networks, partnerships, franchises and branches, is a key element to ensure appropriate understanding of money laundering, terrorist financing risks as well as risks of non-implementation and the evasion of targeted financial sanctions. Information sharing should mitigate these risks especially when they are associated with customers and transactions. Among others, the type of information to be shared within the group and structures should include information on customers, transactions, services and activities, risk assessments, control functions, external audits, suspicious transactions or activity reporting, group-wide policies, procedures and controls, and interactions with supervisors and competent authorities. In any case information sharing should take into account the requirements set out in Regulation (EU) 2024/1624, Regulation (EU) 2023/1113 and any administrative act of the supervisors.
Recital 5
Obliged entities should use the information shared by other entities in the group to make, among others, informed decisions on customers, transactions and risk assessments and potentially restrict or refuse to enter into a new relationship or terminate existing business relationships or restrict or refuse to carry out the execution of occasional transactions in accordance with Regulation (EU) 2024/1624. Furthermore, the information shared within the group and structures should be used to prevent and mitigate money laundering, terrorist financing as well as the non-implementation and evasion of targeted financial sanctions and to inform the parent undertaking in the Union on the group-wide level risk assessment.
Recital 6
Information sharing should include also ad hoc sharing of newly identified relevant information, such as negative or adverse media reports concerning customers or beneficial owners or trends related to the non-implementation or the evasion of targeted financial sanctions.
Recital 7
Information sharing within groups should not lead to an automatic group-wide acceptance or rejection of a customer or categories of customers and to pursue de-risking practices which might result in circumventing other legal obligations, in particular those laid down in Directive 2014/92/EU of the European Parliament and of the Council or Directive (EU) 2015/2366.
Recital 8
The Union AML/CFT framework applies to a wide variety of obliged entities. Some obliged entities perform transactions, other obliged entities such as real estate agents, lawyers and notaries provide services or activities connected to transactions. For these obliged entities, information sharing requirements should include the information related to the provision of the services or activities under the AML/CFT framework.
Recital 9
Certain aspects of the implementation of the AML/CTF framework involve the collection, analysis, storage and sharing of data, including personal data. The processing of personal data should be permitted only for the purposes of the prevention and management of money laundering, terrorist financing and the non-implementation or evasion of targeted financial sanctions. Information sharing should be subject to sufficient guarantees in terms of confidentiality, data protection and the use of information as well as fully respecting fundamental rights.
Recital 10
The sharing of information should be proportionate to the type of request for information sharing and be based on a need-to-know assessment. There are, though, regulatory limitations to information sharing within a group stemming from Regulation (EU) 2024/1624. First, cases in which information comes from partnerships for information sharing, which can only be shared under the conditions set out in Article 75(5) of Regulation (EU) 2024/1624. Second, information mentioned in Article 70(2) of Regulation (EU) 2024/1624 when covered by legal privilege shall not fall under the scope of this Regulation.
Recital 11
Obliged entities in the Union might share information with other entities of the group or the structure outside the Union. In this case, this Regulation clarifies that in cases of restrictions or prohibitions to the sharing of information to third countries, the parent undertaking in the Union and the other obliged entities of the group or structure in the Union need to assess the restrictions and prohibitions and communicate them to the supervisors in the Union. Similarly, in cases where restrictions or prohibitions on the sharing of information exist from third countries to the Union, including to supervisors in the Union, obliged entities in the Union need to assess restrictions or prohibitions and communicate them to the supervisors in the Union. In any case, obliged entities should take appropriate measures to address such restrictions or prohibitions to share information.
Recital 12
There are circumstances where a group operates branches or subsidiaries in a third country whose law does not permit the implementation of group-wide anti-money laundering and countering the financing of terrorism policies, procedures and controls. This can be the case, for example, where the third country's data protection, banking secrecy or professional secrecy law limits the group's ability to access, process or exchange information related to customers of branches or subsidiaries in the third country.
Recital 13
In those circumstances, and in situations where the ability of supervisors to effectively supervise the group's compliance with the requirements Regulation (EU) 2024/1624 is impeded because supervisors do not have access to relevant information held at branches or subsidiaries in third countries, additional policies, procedures and controls are required to manage money laundering and terrorist financing risk effectively. These additional policies, procedures and controls may include obtaining consent from customers, which can serve to overcome certain legal obstacles to the implementation of group-wide anti-money laundering and countering the financing of terrorism policies, procedures and controls in third countries where other options are limited.
Recital 14
The need to ensure a consistent Union level response to legal obstacles to the implementation of group-wide policies, procedures and controls justifies the imposition of specific minimum actions obliged entities should be required to take in those situations. However, the extent of such additional policies, procedures and controls should be proportionate and risk-based.
Recital 15
Obliged entities should be able to demonstrate to their supervisor that the extent of additional measures they have taken is appropriate in view of the money laundering and terrorist financing risk. However, should the supervisor consider that the additional measures an obliged entity has taken are insufficient to manage that risk, the supervisor should be able to direct the obliged entity to take specific measures to ensure the obliged entity's compliance with its anti-money laundering and countering the financing of terrorism obligations.
Recital 16
The additional supervisory actions described in this Regulation are specific to situations where, in the context of operations carried out in a third country, including through branches or subsidiaries forming part of the group, the parent undertaking in the Union or the obliged entity does not put in place adequate systems and controls to manage the money laundering and terrorist financing risks where the law of that third country does not permit the application of group-wide AML/CFT systems and controls that comply with Union law. The assessment of whether such third-country legal or regulatory impediments prevent effective compliance should not depend on the internal allocation of functions within the group. Where operations are carried out in a third country through a branch or subsidiary, such assessment should be made irrespective of whether specific AML/CFT functions are performed locally or at group level. Following a supervisory assessment, where the policies, procedures, systems and controls put in place do not ensure that the associated money laundering and terrorist financing risks are effectively managed, supervisors should apply the additional supervisory actions provided for in this Regulation. Those additional supervisory actions complement other supervisory actions and measures that supervisors may apply under Union or national law, including enforcement measures available under those legal frameworks. The actions supervisors take should be proportionate and risk-based, taking into account the specific circumstances of the case.
Recital 17
The provisions of this Regulation should also be without prejudice to the enhanced due diligence measures obliged entities are required to take when dealing with natural persons or legal entities established in countries identified by the Commission as having significant strategic deficiencies in their national AML/CFT regimes, weaknesses in their national AML/CFT regimes, and or, posing a specific and serious threat to the Union’s financial system pursuant to Articles 29, 30 and 31 of Regulation (EU) 2024/1624.
Recital 18
For groups whose head office is located outside of the Union, where at least two subsidiaries are obliged entities established in the Union and they are not in a relationship of control with each other pursuant to Article 2(1) number (42)(b) of Regulation (EU) 2024/1624, a parent undertaking in the Union, responsible for the implementation of the AML/CFT and the prevention to the non-implementation and evasion of financial sanctions framework, should be determined.
Recital 19
In the situation covered by Article 2(1) number (42)(b) of Regulation (EU) 2024/1624, before notifying the home supervisor, the parent undertaking in the Union should assess its role, taking into account certain criteria such as the prominence of activities, the understanding of operations and the responsibility of implementing group-wide requirements. These criteria should be based on elements such as the customer base, the amount of transactions when these are performed, the total annual turnover in the group, the types of powers and influence of each obliged entity in the Union.
Recital 20
To ensure that supervisors are aware of the identified parent undertaking in the Union for groups whose head office is located outside of the Union and that have two or more obliged entities in the Union which are not a subsidiary of another undertaking that is an obliged entity established in the Union, a notification mechanism to supervisors should be included.
Recital 21
Supervisors should receive a notification by the identified parent undertaking in the Union pursuant to Article 2(1) number (42)(b) of Regulation (EU) 2024/1624 and be permitted to request, where necessary, specific clarifications or additional information regarding the parent undertaking assessment performed by the identified parent undertaking in the Union. The home supervisor of the identified parent undertaking should be able to reach a decision on the identification of the parent undertaking in the Union within two months after the complete notification by the identified parent undertaking.
Recital 22
All the relevant supervisors and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (´the Authority´) should be fully informed in any case on the notification procedure to identify the parent undertaking in the Union pursuant to Article 2(1) number (42)(b) of Regulation (EU) 2024/1624. This is to ensure that appropriate information sharing and good cooperation between supervisors take place and that the home supervisor adopts the decision on the identification of the parent undertaking in the Union in due course. In cases of disagreement between supervisors on the assessment of the parent undertaking performed by the home supervisor, one or more supervisors may ask the Authority to settle the disagreement between supervisors in cross-border situations.
Recital 23
In addition to groups, structures exist, such as networks or partnerships or franchisees, in which obliged entities might share common ownership, management or compliance control, which should be subject to group-equivalent requirements. To ensure a level playing field across the sectors whilst avoiding overburdening those sectors, this Regulation identifies situations where group-wide policies, procedures and controls, including information sharing requirements, should apply to those structures, taking into account the principle of proportionality.
Recital 24
Given the different types of structures that could exist in different sectors and jurisdictions, especially in the non-financial sector, the conditions for the qualification of structures that share common ownership, management or compliance control should be designed in a general and comprehensible manner to ensure harmonisation at Union level. Furthermore, such conditions should be designed broadly to allow a wide application of the group-wide equivalent requirements. For instance, common compliance control should not be limited to compliance under the AML/CFT framework, but include other types of compliance such as prudential, product or service compliance arrangements in place.
Recital 25
Networks, as defined in this Regulation, are common arrangements, usually, but not only for auditors, external accountants, lawyers and other professionals where structures are established for specific purposes and that can have common ownership, common management or common compliance control. Similarly, partnerships are common arrangements for auditors, external accountants, lawyers and notaries, including inter- professional or multi-disciplinary networks, with obliged entities belonging to different categories, where common ownership, common management, common compliance control can be established. Further, franchises are common arrangements for instance for professionals, real estate agents, real estate professionals and the gambling sector where arrangements are put in place under a common franchise sharing certain elements of common management or common compliance control for the purposes of marketing specific types of goods and/or services. Under the conditions set out in this Regulation these structures should be subject to group-wide equivalent requirements.
Recital 26
Given the close operational and organisational links between the legal entity and their branches, the application of group-wide policies, procedures and controls to such structures is necessary to ensure a consistent and comprehensive approach to AML/CFT risk management throughout the Union. For instance, an obliged entity authorised in one Member State that operates in other Member States through one or more branches, even when it has no subsidiaries, should be subject to this Regulation. Similarly, when an entity in a third country operates only through branches in the Union, these branches should be subject to this Regulation. In these cases, such structures have in place common ownership, common management or common compliance control.
Recital 27
Differently, there can be structures other than groups that do not share any elements of common ownership, common management or common compliance control, such as pure cooperation agreements or arrangements that establish or develop only common technical tools or sharing of knowledge, customer referrals or exchanges of best practices or only the same name or branding or outsourcing arrangements of compliance control to the same service provider. To ensure proportionality in the application of the requirements, these structures do not fall in the scope of this Regulation.
Recital 28
The relationship between an agent and its principal and between a distributor and its principal does not fall within the scope of this Regulation when it is subject to specific provisions stated in Article 12 and 8(5) of Regulation (EU) 2024/1624.
Recital 29
For arrangements other than groups that share common ownership, common management or common compliance control, the parent undertaking in the Union should be identified to determine the entity in charge of developing and implementing group-wide equivalent requirements taking into account the nature of the risk and the annual turnover of the obliged entities of the structure. The criteria to determine the parent undertaking in the Union should consider the position of the entity identified as parent undertaking in the structure in the Union, its powers of control and management, and its annual turnover.
Recital 30
A notification mechanism to the supervisor of the identified parent undertaking in the Union of the structures falling in the scope of this Regulation other than groups should be included to ensure clarity and effectiveness in the identification of the parent undertaking in the Union in such cases. Supervisors should receive a notification by the identified parent undertaking in the Union and be permitted to request, where necessary, specific clarifications or additional information regarding the parent undertaking assessment performed by the identified parent undertaking in the Union. The home supervisor of the identified parent undertaking should be able to reach a decision on the identification of the parent undertaking in the Union within two months after the complete notification by the identified parent undertaking.
Recital 31
This Regulation is based on the draft regulatory technical standards submitted to the Commission by the Authority.
Recital 32
The Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based and analysed the potential related costs and benefits.
Recital 33
Application of this Regulation is deferred to 10 July 2027 to align with the date of applicability of Regulation (EU) 2024/1624.
HAS ADOPTED THIS REGULATION:
- Section 1General provisions
- Section 2Minimum group-wide requirements
- Section 3Information sharing
- Article 4Information sharing within a group
- Article 5Information sharing within groups whose head office is in the Union and have branches or subsidiaries in third countries
- Article 6Information sharing within groups whose head office is located outside of the Union
- Article 7Information sharing for supervisory purposes
- Article 8Information sharing in the framework of partnerships for information sharing
- Article 9Information sharing concerning reporting of suspicions by certain categories of obliged entities
- Article 4Information sharing within a group
- Section 4Additional measures for branches or subsidiaries in third countries of obliged entities and parent undertakings in the union
- Article 10Individual risk assessments
- Article 11Sharing and processing of customer data within the group or with the obliged entity
- Article 12Disclosure of information related to the reporting of suspicious transactions
- Article 13Sharing of customer data for the purposes of supervision
- Article 14Record retention
- Article 15Additional Measures
- Article 16Supervisory actions
- Article 10Individual risk assessments
- Section 5Criteria for identifying the parent undertaking in the union in cases of two or more obliged entities whose head office is located outside of the union
- Section 6Conditions for the application of group-wide requirements to structures sharing common ownership, management or compliance control
- Article 21Conditions for the application of group-wide requirements to structures sharing common ownership, management or compliance control
- Article 22Criteria for identifying the parent undertaking in the Union for entities that are part of a structure which shares common ownership, management or compliance control
- Article 23Notification to the supervisor in case the parent undertaking is an obliged entity
- Article 24Notification to the supervisor in case the parent undertaking is not an obliged entity
- Article 21Conditions for the application of group-wide requirements to structures sharing common ownership, management or compliance control
- Section 7Final provisions
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,
For the Commission
The President
[For the Commission
On behalf of the President
[Position]
Definition
supervisor
Definition
funds or other assets
Definition
franchise
- at least two obliged entities establish a relationship between each other and/or with a third entity in exchange for direct or indirect financial benefits exploiting a brand, the know‑how, and/or business systems owned or managed by a franchisor for the purposes of marketing specific types of goods and/or services; and
- the relationship is established in a structure under common ownership, common management or common compliance control.
Definition
parent undertaking
- for groups whose head office is located in the Union, an obliged entity that is a parent undertaking as defined in Article 2, point (9), of Directive 2013/34/EU that is not itself a subsidiary of another undertaking in the Union, provided that at least one subsidiary undertaking is an obliged entity;
- for groups whose head office is located outside of the Union, where at least two subsidiary undertakings are obliged entities established in the Union, an undertaking within that group established in the Union that:
- is an obliged entity;
- is an undertaking that is not a subsidiary of another undertaking that is an obliged entity established in the Union;
- has a sufficient prominence within the group and a sufficient understanding of the operations of the group that are subject to the requirements of this Regulation; and
- is given the responsibility of implementing group-wide requirements under Chapter II, Section 2 of this Regulation;
Definition
partnership for information sharing
Definition
partnership
- at least two obliged entities exercise an activity in common with a view to profit or cost-sharing or achieving a common purpose; and
- the relationship is established in a structure under common ownership, common management or common compliance control.
Definition
property
Definition
express trust
Definition
legal arrangement
Definition
competent authority
- a Financial Intelligence Unit (FIU);
- a supervisory authority;
- a public authority that has the function of investigating or prosecuting money laundering, its predicate offences or terrorist financing, or that has the function of tracing, seizing or freezing and confiscating criminal assets;
- a public authority with designated responsibilities for combating money laundering or terrorist financing;
Definition
terrorist financing
Definition
targeted financial sanctions
Definition
group
Definition
money laundering
Definition
self-regulatory body
Definition
structure
- includes at least two obliged entities;
- is not a group with a parent undertaking within the meaning of Article 2(1), point (42) of Regulation (EU) 2024/1624; and
- has the objective of establishing a common framework of business, professional or commercial relationships connecting two or more obliged entities.
Definition
network
- at least two obliged entities carry out their activities in a framework which aims at cooperation and common profit- or cost-sharing, or has in place a common business strategy, or shares common compliance policies, procedures or controls, or uses a common brand or marketing name; and
- the relationship is established in a structure under common ownership, common management or common compliance control.
Definition
third country
Definition
funds
Definition
beneficial owner
Definition
business relationship
Definition
supervisory authority
Definition
control function