Article 15 Additional Measures


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 15 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This article serves as a menu of additional measures that the parent undertaking in the Union or an obliged entity must draw from when third-country law creates obstacles to applying EU AML/CFT requirements.

It is directly linked to Articles 10, 11, 12, and 14, which each address a specific type of legal impediment — such as restrictions on customer due diligence, information sharing, suspicious transaction reporting, or record retention — and which each refer back to this article when consent from customers cannot overcome those restrictions.

The measures available range from restricting the products and services offered by a third-country branch or subsidiary, to enhanced monitoring, to requiring senior management sign-off on higher-risk relationships, to ensuring suspicious transaction report information is shared up the chain.

Important points:

  • Apply one or more of the listed additional measures when third-country legal restrictions prevent full compliance, as triggered by Articles 10, 11, 12, or 14.
  • Third-country branches or subsidiaries must seek prior approval from the senior management of the parent undertaking or obliged entity before establishing or maintaining higher-risk business relationships or carrying out higher-risk occasional transactions.
  • Enhanced ongoing monitoring of business relationships and customers — including those who have been the subject of a suspicious transaction report within the group — must be maintained until the ML/TF risk is sufficiently understood.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

  1. Without prejudice to any measures taken under Articles 16 of Regulation (EU) 2024/1624 and this Regulation, the parent undertaking in the Union or an obliged entity shall take one or more of the following additional measures pursuant to Article 10(2), Article 11(2), Article 12(2), and Article 14(2) of this Regulation respectively:

    1. ensuring that its branch or subsidiary established in the third country restricts the nature and type of products and services provided by the branch or subsidiary in the third country to those that present a low money laundering and terrorist financing risk and have a low impact on the group's risk exposure;

    2. ensuring that other obliged entities of the same group do not rely on customer due diligence measures carried out by a branch or subsidiary established in the third country, but instead carry out customer due diligence on any customer of a branch or subsidiary established in the third country who wishes to be provided with products or services by any other branch or subsidiary of the same group;

    3. carrying out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or subsidiary established in the third country, on-site checks or ordering the performance of independent audits, to be satisfied that the branch or subsidiary effectively identifies, assesses and manages the money laundering and terrorist financing risks;

    4. ensuring that their branches or subsidiaries established in the third country seek prior approval from the senior management of the parent undertaking or the obliged entity for the establishment and maintenance of higher-risk business relationships, or for carrying out of higher-risk occasional transactions;

    5. ensuring that their branches or subsidiaries established in the third country determine and document the source of funds and wealth and, where applicable, the destination of funds to be used in the business relationship or occasional transaction;

    6. ensuring that their branches or subsidiaries established in the third country carry out enhanced ongoing monitoring of the business relationship including enhanced transaction monitoring, until the branches or subsidiaries are reasonably satisfied that they understand the money laundering and terrorist financing risk associated with the business relationship and enhanced ongoing monitoring is no longer needed in view of the risk situation;

    7. ensuring that their branches or subsidiaries established in the third country share with the parent undertaking or the obliged entity the underlying suspicious transaction report information that gave rise to the knowledge, suspicion or reasonable grounds to suspect that money laundering and terrorist financing was attempted or occurred, such as facts, transactions, circumstances and documents upon which the knowledge or suspicions are based, including personal data to the extent permissible under the law of the third country;

    8. carrying out enhanced ongoing monitoring of any customer and, where applicable, beneficial owner of a customer of a branch or subsidiary established in the third country who is known to have been the subject of a suspicious transaction report filed by another entity within the same group;

    9. ensuring that their branches or subsidiaries established in the third country keep the risk profile and due diligence information related to a customer of a branch or subsidiary established in the third country up-to-date and secure as long as legally possible, and in any case for at least the duration of the business relationship.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod