Article 3 Minimum requirements regarding group-wide policies, procedures and controls


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary: What does Article 3 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This article builds directly on Article 16 of Regulation (EU) 2024/1624 by specifying the minimum requirements that must be embedded within a group's AML/CFT policies, procedures and controls.

It is addressed squarely at the parent undertaking in the Union, placing on it the responsibility to ensure the group operates with a coherent, documented, and consistently applied framework for managing money laundering, terrorist financing, and targeted financial sanctions risks.

The article covers the full lifecycle of group-wide governance: from establishing a properly structured compliance organisation at group level, to ensuring information flows between management and control functions, to requiring regular reviews and group-wide communication of policies.

It also sets out clear approval and documentation obligations, with internal policies requiring sign-off from the management body and all written materials to be made available to supervisors on request.

Important points:

  • Establish and maintain a documented group-level organisational structure with clear decision-making powers, functions, responsibilities and reporting lines for AML/CFT compliance.
  • Group-wide internal policies must be approved by the management body of the parent undertaking in the Union; procedures and controls must be approved at least at the level of the group compliance manager.
  • All group-wide policies, procedures and controls must be recorded in writing, kept up to date, and made available to supervisors upon request.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. In addition to the requirements set out in Article 16(1), (2) and (3) of Regulation (EU) 2024/1624, the parent undertaking in the Union shall ensure that the following minimum requirements are part of the group-wide policies, procedures and controls:

      1. to set up, implement and maintain an organisation and coordination structure or body at group level with sufficient decision-making powers for the group compliance manager and compliance officer appointed pursuant to Article 16(2) of Regulation (EU) 2024/1624, where applicable, to manage and prevent money laundering, terrorist financing risks as well as to prevent the non-implementation and evasion of targeted financial sanctions. Such structure or body shall have a proper allocation of functions, responsibilities and reporting lines and shall be clearly documented;

      2. to ensure that the management body and the control functions have the necessary information at group level to be able to carry out their functions under Regulation (EU) 2024/1624, Regulation (EU) 2023/1113 and to address and implement any administrative act issued by any relevant supervisor for the oversight and management of subsidiaries and branches of the group in Member States and in third countries;

      3. to identify and mitigate conflicts of interests between the prevention and management of risks related to money laundering, terrorist financing and the non-implementation and evasion of targeted financial sanctions risk and the tasks of the commercial functions of groups, including at subsidiary and branch level;

      4. to carry out and update the business-wide risk assessment at group level pursuant to Article 16(1) of Regulation (EU) 2024/1624 to ensure that it is commensurate to the size, complexity and the risk profile of the group;

      5. to ensure that the compliance functions referred to in Article 16(2) of Regulation (EU) 2024/1624 have regular and documented information exchanges, at least on a periodic basis appropriate to the level of risk, with the management body, commercial functions, other compliance functions at group level where these are separate functions, and the control functions at group level. Such exchanges shall cover, at a minimum, relevant information on identified risks, significant compliance issues, and measures adopted to address them;

      6. to ensure that the group-wide policies, procedures and controls take into account group-specific risks in their design, execution and application and include group-wide measures to address non-compliance. The parent undertaking in the Union shall take into account in its money laundering and terrorism financing risk management system at group level the individual risks of the various entities of the group and their possible interrelations that could have a significant impact on the group-wide risk exposure, including outsourcing and reliance arrangements. In this respect, particular attention shall be paid to the risks to which the group’s branches or subsidiaries established in third countries are exposed to, especially if they are of high money laundering and terrorism financing risk or of evasion or non-implementation of targeted financial sanctions risk. The compliance functions referred to in Article 16(2) of Regulation (EU) 2024/1624 and the control functions shall ensure that the group-wide policies, procedures and controls are adequate to the actual structure, composition and operations of the group and are appropriately designed to take into account the individual situation of the entities and branches in the group;

      7. to ensure that the compliance functions referred to in Article 16(2) of Regulation (EU) 2024/1624 and the control functions regularly review the effectiveness of the group-wide policies, procedures and controls, inform relevant stakeholders, and address deficiencies. The group-wide policies, procedures and controls and the group-wide risk assessments shall be implemented consistently in all the obliged entities that are part of the group and shall be adequately reviewed and reassessed at the level of the parent undertaking in the Union;

      8. to ensure that the group-wide policies, procedures and controls are communicated to relevant staff, including staff employed in subsidiaries and branches established in Member States or third countries.

    2. When complying with the requirements set out in this paragraph, the parent undertaking in the Union shall take into account the nature of the business of the group, including its size, complexity and risks, to identify and assess the risks of money laundering and terrorist financing to which the group is exposed to, as well as the risks of non-implementation and evasion of targeted financial sanctions.

    1. Group-wide internal policies shall be approved by the management body of the parent undertaking in the Union in its management function. Group-wide procedures and controls shall be approved at least at the level of the group compliance manager referred to in Article 16(1) of Regulation (EU) 2024/1624.

    1. Group-wide policies, procedures and controls shall be recorded in writing and kept up to date and made available to supervisors upon request.
