Article 4 Information sharing within a group


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary What does Article 4 of the RTS on group-wide minimum requirements and additional measures for third-country subsidiaries and branches say?

This is one of the more detailed articles in the regulation, and it serves as the operational core of the group-wide information sharing framework referenced in Article 3.

Building directly on the group-wide policies and controls established there, Article 4 defines the minimum categories of information that must flow between entities within a group for AML/CFT purposes.

These categories are broad, covering customer due diligence data, transaction details, risk assessments, suspicious transaction reporting, and other relevant compliance information.

The article also sets clear boundaries: information must be shared on a need-to-know basis, in line with data protection rules, and crucially, sharing information does not relieve any individual obliged entity of its own compliance responsibilities.

Important points:

  • Ensure your group-wide information sharing framework covers all minimum categories specified, including customer due diligence, transaction data, risk assessments, suspicious activity reports, and general compliance information.
  • The parent undertaking in the Union is responsible for defining which situations trigger information sharing, but at a minimum this must cover common customers, customers with the same beneficial owners, and customers belonging to the same group or structure.
  • Receiving shared information does not remove your obligation to conduct your own customer due diligence and risk assessments — each obliged entity remains fully responsible for its own AML/CFT decisions.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. When information is relevant for the purposes of the prevention of money laundering, terrorist financing and the non-implementation or evasion of targeted financial sanctions, information sharing within a group as referred to in provisions of Article 16(3) of Regulation (EU) 2024/1624 shall enable at least the sharing of the following information:

      1. on customer due diligence:

        1. the identity and characteristics of a customer, including any information and documents obtained in the course of identifying and verifying the identity of the customer;

        2. information regarding the beneficial owner of a customer, including any information and documents obtained in the course of identifying and verifying the identity of the beneficial owner(s), where applicable;

        3. the identity and characteristics of the person on behalf of whom the customer acts, including any information and documents obtained in the course of identifying and verifying the identity of the person on behalf of whom the customer acts;

        4. the customer’s expected transactional behaviour or business profile, where such information has been established as part of customer due diligence;

        5. the purpose and intended nature of the business relationship or occasional transactions between the customer and the obliged entity, as well as the source of wealth and source of funds of the customer, where applicable;

        6. the customer’s ownership and control structure, including complex ownership arrangements, where relevant for risk assessment purposes;

        7. verification on whether customer or the beneficial owners are subject to targeted financial sanctions and, in the case of a customer or party to a legal arrangement who is a legal entity, whether natural or legal persons subject to targeted financial sanctions control the legal entity or have more than 50 % of the proprietary rights of that legal entity or majority interest in it, whether individually or collectively;

        8. information on the restrictive measures implementing targeted financial sanctions applied to customers, their transactions and their assets;

        9. basic information on legal entities and legal arrangements as referred to in Article 2(1) number (33) of Regulation (EU) 2024/1624;

        10. reliance or outsourcing arrangements related to customer due diligence performed by other entities within the group;

        11. material changes in the customer’s risk profile or status, including changes in beneficial ownership, business activity or risk classification;

        12. any information that has been collected and verified, whenever applicable, under the Delegated Regulation [XXX] on Customer Due Diligence under Article 28(1) of Regulation (EU) 2024/1624.

      2. on transactions, services and activities:

        1. where a transaction, service or activity is being conducted on behalf of or for the benefit of natural or legal persons other than the customer, information on the identification and verification of the identity of those natural or legal persons;

        2. information on customer or counterparties transactions, provision of services, or activities, including as a minimum information to identify the persons, the nature, the location, the origin and destination of such transactions, activities or provision of services and their due diligence, where applicable;

        3. information on occasional transactions, or provision of services;

        4. cash transactions volumes and amounts, where applicable;

        5. payment methods and accounts, where applicable.

      3. on risk assessments:

        1. the business wide-risk assessment, including typologies and risk indicators related to customers, products, geographies, delivery channels identified by the obliged entity or to which the obliged entity is exposed to;

        2. money laundering, terrorist financing and targeted financial sanctions control functions reviews performed at group level and at obliged entity level as well as external audit reviews related to these risks, including findings, remediation measures, actions, recommendations, results and any other corrective measure as deemed relevant;

        3. individual risk assessments, including information on higher and lower risk factors associated with individual customers and the entity´s analysis of the risks associated with the customer;

        4. individual risk assessments of occasional transactions;

        5. information on politically exposed persons, their close family members or closely associated persons including their risk levels and assets under management, where applicable;

        6. information on the risk assessment to prevent and mitigate the non-implementation and evasion of targeted financial sanctions;

        7. information on blocked accounts for reasons related to money laundering, terrorist financing and/or the non-implementation or evasion of targeted financial sanctions;

        8. information on breaches in the group related to anti-money laundering, counter terrorist financing and prevention and management of the non-implementation or evasion of targeted financial sanctions;

        9. information on customers whose entry into business relationship was declined or whose business relationship was terminated for money laundering, terrorist financing or targeted financial sanctions reasons, including the grounds of such decisions;

        10. negative or adverse media reports concerning customers or beneficial owners, including analysis of their potential impact on risks related to money laundering, terrorist financing and the non-implementation or evasion of targeted financial sanctions.

      4. on suspicious transaction and activity reporting:

        1. the suspicions or reasonable grounds to suspect that funds or activities are the proceeds of criminal activity or are related to terrorist financing reported to FIU pursuant to Article 69 of Regulation (EU) 2024/1624, accompanied by the underlying analyses, unless otherwise instructed by the competent FIU;

        2. number and typologies of suspicious transactions and activity reporting.

      5. on other relevant information:

        1. information on the implementation of group-wide policies, procedures and controls pursuant to Article 9 of Regulation (EU) 2024/1624, including outsourcing and reliance arrangements;

        2. information on training related to risks of money laundering, terrorist financing or the non-implementation or evasion of targeted financial sanctions as deemed appropriate;

        3. information on interactions with supervisors, including information on on-site inspections;

        4. information held by the obliged entity of the group pursuant to the obligation of data retention;

        5. any other relevant information related to risks of money laundering, terrorist financing or the non-implementation or evasion of targeted financial sanctions as deemed appropriate.

    1. Information shall be provided within the group to any obliged entity established in the Union taking into account the size, the complexity and the risks of the group as well as the availability and quality of the information.

    2. The parent undertaking in the Union shall define what situations are relevant for information sharing, considering their size, complexity and risks. Information sharing within the group shall cover at least common customers, customers having the same beneficial owners, customers that belong to the same group or structure.

    3. Information-sharing policies, procedures and controls at group level shall include appropriate records of information exchanges to ensure traceability and accountability of such information as well as effective supervision.

    1. To the extent that it is strictly necessary for the purposes of preventing money laundering, terrorist financing and the non-implementation or evasion of targeted financial sanctions, information shall be up-to-date, provided in an adequate and comprehensible form, on a need-to-know basis and be shared in line with the requirements stipulated by the applicable data protection legislation and respecting requirements on confidentiality.

    1. Information sharing shall not exempt obliged entities within the group from the need to conduct adequate own customer due diligence or risk assessments related to customers, products, services, transactions, delivery channels and geographical areas proportionate to the nature of the business, including their size, risks and complexity, also taking into account any outsourcing or reliance arrangements in place.

    2. Information sharing within the group shall not affect the individual responsibility of each obliged entity for its anti-money laundering, counter terrorist financing and the prevention from the non-implementation or evasion of targeted financial sanctions obligations. Each obliged entity shall remain fully responsible for its own risk assessments and decisions, even when such decisions are based on information shared at group level.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod