Article 14 Record retention


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 14 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This article addresses a specific problem that arises when a third country's law blocks or restricts the application of EU record retention rules — particularly those in Article 77 of Regulation (EU) 2024/1624 — by branches or subsidiaries operating in that country.

It sits within a broader framework of articles (including Article 15) that together deal with how groups must respond when third-country laws create compliance gaps.

The article sets out a sequenced response: first notify, then attempt to resolve the conflict through customer consent, and if that fails, escalate to the additional measures available under Article 15.

Important points:

  • Notify the home Member State supervisor within 28 calendar days of identifying a third country whose law restricts the application of record retention rules, specifying the country and nature of the restriction.
  • Attempt to resolve the restriction by seeking customer and beneficial owner consent, where compatible with the law of the third country.
  • Where consent is not feasible, apply one or more additional measures as set out in Article 15, determined on a risk-sensitive basis, and inform the supervisor that those measures are appropriate in view of money laundering and terrorist financing risks.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Where the parent undertaking in the Union or an obliged entity identifies that the law of a third country does not permit or restricts the application of Regulation (EU) 2024/1624 when it comes to the application of record retention rules, especially those specified in Article 77 of Regulation (EU) 2024/1624, it shall at least:

      1. inform the supervisor of the home Member State without undue delay and in any case no later than 28 calendar days after identifying the third country of the following:

        1. the name of the third country concerned;

        2. how the application of the law of the third country concerned does not permit or restricts the application of record retention duties;

      2. establish whether consent from the customer and, where applicable, their beneficial owner, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii) of this paragraph;

      3. ensure that its branch or subsidiary established in the third country requires customers and, where applicable, their customers’ beneficial owners, to provide consent to overcome restrictions or prohibitions referred to in point (a)(ii) of this paragraph to the extent that this is compatible with the law of the third country.

    1. In cases where consent referred to in point (c) of paragraph 1 is not feasible, the parent undertaking in the Union or the obliged entity shall apply one or more of the additional measures set out in Article 15 paragraph 1 letters (a) to (c) and (i) of this Regulation.

    1. The parent undertaking in the Union or the obliged entity shall always determine the extent of the required additional measures set out in paragraph 2 on a risk-sensitive basis and shall inform without undue delay the supervisor of the home Member State that the extent of the additional measures is appropriate in view of the risk of money laundering and terrorist financing.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod