Article 11 Sharing and processing of customer data within the group or with the obliged entity


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary

What does Article 11 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This article addresses a specific conflict: third-country law blocks or restricts a branch or subsidiary from sharing customer information within the group for AML/CFT purposes, as required by the information-sharing obligations set out in Article 4 of this regulation.

It follows a clear escalation logic: first, notify the supervisor and seek customer consent to overcome the legal barrier; if consent is not obtainable, apply additional measures from Article 15; and if AML/CFT risk still cannot be managed effectively, close down some or all of the third-country operations.

Throughout, any additional measures taken must be determined on a risk-sensitive basis and reported to the home supervisor.

Important points:

  • Notify the home Member State supervisor within 28 calendar days of identifying a third-country restriction on customer information sharing for AML/CFT purposes, and explore whether customer consent can legally overcome that restriction.
  • Where consent is not feasible, apply one or more of the additional measures set out in points (a) to (c) of Article 15.
  • If AML/CFT risk cannot be effectively managed through those measures, close down some or all operations of the affected branch or subsidiary in the third country.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Where the parent undertaking in the Union or an obliged entity identifies that the law of a third country does not permit or restricts the application of Regulation (EU) 2024/1624 by a subsidiary or a branch when it comes to the sharing of customer information referred to in Article 4 of this Regulation for anti-money laundering and countering the financing of terrorism purposes within the group or with the obliged entity, it shall at least:

      (a) inform the supervisor of the home Member State without undue delay and in any case no later than 28 calendar days of the following:

        (i) the name of the third country concerned;

        (ii) how the application of the law of the third country concerned does not permit or restricts the sharing or processing of customer data for anti-money laundering and countering the financing of terrorism purposes;

      (b) ensure that their branches or subsidiaries established in the third country determine whether consent from their customers and, where applicable, their customers’ beneficial owners, can be used to legally overcome the restrictions or prohibitions referred to in point (a)(ii);

      (c) ensure that their branches or subsidiaries established in the third country require their customers and, where applicable, their customer’s beneficial owners, to provide consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the law of the third country.

    2. In cases where obtaining the consent referred to in point (c) of paragraph 1 is not feasible, the parent undertaking in the Union or the obliged entity shall apply one or more of the additional measures set out in points (a) to (c) of Article 15.

    3. Where a parent undertaking in the Union or an obliged entity cannot effectively manage the risk of money laundering and terrorist financing by applying the measures referred to in paragraphs 1 and 2, it shall close down some or all of the operations provided by their branch or subsidiary established in the third country.

    4. The parent undertaking in the Union or the obliged entity shall always determine the extent of the required additional measures set out in paragraph 2 and 3 of this Article on a risk-sensitive basis and shall inform without undue delay the supervisor of the home Member State that the extent of the additional measures is appropriate in view of the risk of money laundering and terrorist financing.
