Article 13 Sharing of customer data for the purposes of supervision


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary: What does Article 13 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This article addresses a specific scenario that sits within the broader framework dealing with third-country restrictions: what happens when a third country's law prevents or limits the sharing of customer data from a branch or subsidiary with the supervisory authority in a Member State for AML/CFT purposes.

It builds on the same logic as Articles 10, 11, and 12, applying a structured response obligation when such a legal barrier is identified.

Rather than allowing the restriction to create a supervisory blind spot, the article requires the parent undertaking or obliged entity to compensate through a combination of internal escalation, enhanced oversight of the affected branch or subsidiary, and alternative reporting to senior management that can then be made available to supervisors on request.

Important points:

  • Notify the home Member State supervisor within 28 calendar days of identifying a third-country law that restricts customer data sharing for AML/CFT supervision purposes, specifying the country and the nature of the restriction.
  • Carry out enhanced reviews of the affected branch or subsidiary — including on-site checks or independent audits where appropriate — and provide the findings to the home supervisor without undue delay.
  • Require the branch or subsidiary to regularly report key risk data to senior management, covering high-risk customer numbers and suspicious transaction figures, and make this information available to the supervisor upon request.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

  1. Where the parent undertaking in the Union or an obliged entity identifies that the law of a third country does not permit or restricts the application of Regulation (EU) 2024/1624 when it comes to sharing data related to customers of a branch or subsidiary established in a third country with the supervisor in a Member State for the purpose of supervision for anti-money laundering and countering the financing of terrorism, it shall at least:

    1. inform the supervisor of the home Member State without undue delay and in any case no later than 28 calendar days of the following:

      1. the name of the third country concerned;

      2. how the application of the law of a third country does not permit or restricts the sharing of data related to customers for the purpose of supervision for anti-money laundering and countering the financing of terrorism;

    2. carry out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or subsidiary effectively implements group-wide policies, procedures and controls, and that it adequately identifies, assesses and manages the money laundering and terrorist financing risks;

    3. provide the findings of the reviews referred to in point (b) of this paragraph to the supervisor of the home Member State without undue delay;

    4. require the branch or subsidiary established in the third country to regularly provide relevant information to the obliged entity’s or parent undertaking’s senior management, including at least the following:

      1. the number of high-risk customers and aggregated statistical data providing an overview of the reasons why customers have been classified as high risk, such as the politically exposed person status;

      2. the number of suspicious transactions identified and reported and aggregated statistical data providing an overview of the circumstances that gave rise to suspicion;

    5. make the information referred to in point (d) of this paragraph available to the supervisor of the home Member State upon request.
