Preamble Recitals


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 16 April 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Recital 1

Regulation (EU) 2024/1624 aims for harmonisation of the measures to be put in place to prevent money laundering, its predicate offences, terrorist financing and the non- implementation and evasion of targeted financial sanctions at Union level, including when such measures are designed and implemented in a group or in a structure mentioned in Regulation (EU) 2024/1624. Consistent implementation of group-wide anti-money laundering, countering the financing of terrorism and of group-wide requirements to target the non-implementation or evasion of targeted financial sanctions is key to the robust and effective management of risks, especially in a cross-border context.

Recital 2

Minimum requirements for group-wide policies, procedures and controls should be developed, implemented and applied at group level in an adequate and consistent manner, while avoiding any risks of compromising anti-money laundering, countering the financing of terrorism requirements as well as preventing the non-implementation or evasion of targeted financial sanctions. Minimum requirements are also applicable to structures other than groups when such structures fulfil the conditions set out in this Regulation. Group-wide policies, procedures and controls should be designed to ensure consistency in the implementation of the group-wide requirements mentioned in Regulation (EU) 2024/1624 such as to enhance governance arrangements, the standing and role of the compliance manager and compliance officer at group level, the relations between the parent undertaking and the subsidiaries in the Union and in third countries as well as the business-wide risk assessments at group level.

Recital 3

Group-wide policies, procedures and controls should not result in a derogation for the parent undertaking in the Union from carrying out the entity level policies, procedures and controls, including its entity-level risk assessment.

Recital 4

Information sharing within groups and other structures, such as networks, partnerships, franchises and branches, is a key element to ensure appropriate understanding of money laundering, terrorist financing risks as well as risks of non-implementation and the evasion of targeted financial sanctions. Information sharing should mitigate these risks especially when they are associated with customers and transactions. Among others, the type of information to be shared within the group and structures should include information on customers, transactions, services and activities, risk assessments, control functions, external audits, suspicious transactions or activity reporting, group-wide policies, procedures and controls, and interactions with supervisors and competent authorities. In any case information sharing should take into account the requirements set out in Regulation (EU) 2024/1624, Regulation (EU) 2023/1113 and any administrative act of the supervisors.

Recital 5

Obliged entities should use the information shared by other entities in the group to make, among others, informed decisions on customers, transactions and risk assessments and potentially restrict or refuse to enter into a new relationship or terminate existing business relationships or restrict or refuse to carry out the execution of occasional transactions in accordance with Regulation (EU) 2024/1624. Furthermore, the information shared within the group and structures should be used to prevent and mitigate money laundering, terrorist financing as well as the non-implementation and evasion of targeted financial sanctions and to inform the parent undertaking in the Union on the group-wide level risk assessment.

Recital 6

Information sharing should include also ad hoc sharing of newly identified relevant information, such as negative or adverse media reports concerning customers or beneficial owners or trends related to the non-implementation or the evasion of targeted financial sanctions.

Recital 7

Information sharing within groups should not lead to an automatic group-wide acceptance or rejection of a customer or categories of customers and to pursue de-risking practices which might result in circumventing other legal obligations, in particular those laid down in Directive 2014/92/EU of the European Parliament and of the Council or Directive (EU) 2015/2366.

Recital 8

The Union AML/CFT framework applies to a wide variety of obliged entities. Some obliged entities perform transactions, other obliged entities such as real estate agents, lawyers and notaries provide services or activities connected to transactions. For these obliged entities, information sharing requirements should include the information related to the provision of the services or activities under the AML/CFT framework.

Recital 9

Certain aspects of the implementation of the AML/CTF framework involve the collection, analysis, storage and sharing of data, including personal data. The processing of personal data should be permitted only for the purposes of the prevention and management of money laundering, terrorist financing and the non-implementation or evasion of targeted financial sanctions. Information sharing should be subject to sufficient guarantees in terms of confidentiality, data protection and the use of information as well as fully respecting fundamental rights.

Recital 10

The sharing of information should be proportionate to the type of request for information sharing and be based on a need-to-know assessment. There are, though, regulatory limitations to information sharing within a group stemming from Regulation (EU) 2024/1624. First, cases in which information comes from partnerships for information sharing, which can only be shared under the conditions set out in Article 75(5) of Regulation (EU) 2024/1624. Second, information mentioned in Article 70(2) of Regulation (EU) 2024/1624 when covered by legal privilege shall not fall under the scope of this Regulation.

Recital 11

Obliged entities in the Union might share information with other entities of the group or the structure outside the Union. In this case, this Regulation clarifies that in cases of restrictions or prohibitions to the sharing of information to third countries, the parent undertaking in the Union and the other obliged entities of the group or structure in the Union need to assess the restrictions and prohibitions and communicate them to the supervisors in the Union. Similarly, in cases where restrictions or prohibitions on the sharing of information exist from third countries to the Union, including to supervisors in the Union, obliged entities in the Union need to assess restrictions or prohibitions and communicate them to the supervisors in the Union. In any case, obliged entities should take appropriate measures to address such restrictions or prohibitions to share information.

Recital 12

There are circumstances where a group operates branches or subsidiaries in a third country whose law does not permit the implementation of group-wide anti-money laundering and countering the financing of terrorism policies, procedures and controls. This can be the case, for example, where the third country's data protection, banking secrecy or professional secrecy law limits the group's ability to access, process or exchange information related to customers of branches or subsidiaries in the third country.

Recital 13

In those circumstances, and in situations where the ability of supervisors to effectively supervise the group's compliance with the requirements Regulation (EU) 2024/1624 is impeded because supervisors do not have access to relevant information held at branches or subsidiaries in third countries, additional policies, procedures and controls are required to manage money laundering and terrorist financing risk effectively. These additional policies, procedures and controls may include obtaining consent from customers, which can serve to overcome certain legal obstacles to the implementation of group-wide anti-money laundering and countering the financing of terrorism policies, procedures and controls in third countries where other options are limited.

Recital 14

The need to ensure a consistent Union level response to legal obstacles to the implementation of group-wide policies, procedures and controls justifies the imposition of specific minimum actions obliged entities should be required to take in those situations. However, the extent of such additional policies, procedures and controls should be proportionate and risk-based.

Recital 15

Obliged entities should be able to demonstrate to their supervisor that the extent of additional measures they have taken is appropriate in view of the money laundering and terrorist financing risk. However, should the supervisor consider that the additional measures an obliged entity has taken are insufficient to manage that risk, the supervisor should be able to direct the obliged entity to take specific measures to ensure the obliged entity's compliance with its anti-money laundering and countering the financing of terrorism obligations.

Recital 16

The additional supervisory actions described in this Regulation are specific to situations where, in the context of operations carried out in a third country, including through branches or subsidiaries forming part of the group, the parent undertaking in the Union or the obliged entity does not put in place adequate systems and controls to manage the money laundering and terrorist financing risks where the law of that third country does not permit the application of group-wide AML/CFT systems and controls that comply with Union law. The assessment of whether such third-country legal or regulatory impediments prevent effective compliance should not depend on the internal allocation of functions within the group. Where operations are carried out in a third country through a branch or subsidiary, such assessment should be made irrespective of whether specific AML/CFT functions are performed locally or at group level. Following a supervisory assessment, where the policies, procedures, systems and controls put in place do not ensure that the associated money laundering and terrorist financing risks are effectively managed, supervisors should apply the additional supervisory actions provided for in this Regulation. Those additional supervisory actions complement other supervisory actions and measures that supervisors may apply under Union or national law, including enforcement measures available under those legal frameworks. The actions supervisors take should be proportionate and risk-based, taking into account the specific circumstances of the case.

Recital 17

The provisions of this Regulation should also be without prejudice to the enhanced due diligence measures obliged entities are required to take when dealing with natural persons or legal entities established in countries identified by the Commission as having significant strategic deficiencies in their national AML/CFT regimes, weaknesses in their national AML/CFT regimes, and or, posing a specific and serious threat to the Union’s financial system pursuant to Articles 29, 30 and 31 of Regulation (EU) 2024/1624.

Recital 18

For groups whose head office is located outside of the Union, where at least two subsidiaries are obliged entities established in the Union and they are not in a relationship of control with each other pursuant to Article 2(1) number (42)(b) of Regulation (EU) 2024/1624, a parent undertaking in the Union, responsible for the implementation of the AML/CFT and the prevention to the non-implementation and evasion of financial sanctions framework, should be determined.

Recital 19

In the situation covered by Article 2(1) number (42)(b) of Regulation (EU) 2024/1624, before notifying the home supervisor, the parent undertaking in the Union should assess its role, taking into account certain criteria such as the prominence of activities, the understanding of operations and the responsibility of implementing group-wide requirements. These criteria should be based on elements such as the customer base, the amount of transactions when these are performed, the total annual turnover in the group, the types of powers and influence of each obliged entity in the Union.

Recital 20

To ensure that supervisors are aware of the identified parent undertaking in the Union for groups whose head office is located outside of the Union and that have two or more obliged entities in the Union which are not a subsidiary of another undertaking that is an obliged entity established in the Union, a notification mechanism to supervisors should be included.

Recital 21

Supervisors should receive a notification by the identified parent undertaking in the Union pursuant to Article 2(1) number (42)(b) of Regulation (EU) 2024/1624 and be permitted to request, where necessary, specific clarifications or additional information regarding the parent undertaking assessment performed by the identified parent undertaking in the Union. The home supervisor of the identified parent undertaking should be able to reach a decision on the identification of the parent undertaking in the Union within two months after the complete notification by the identified parent undertaking.

Recital 22

All the relevant supervisors and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (´the Authority´) should be fully informed in any case on the notification procedure to identify the parent undertaking in the Union pursuant to Article 2(1) number (42)(b) of Regulation (EU) 2024/1624. This is to ensure that appropriate information sharing and good cooperation between supervisors take place and that the home supervisor adopts the decision on the identification of the parent undertaking in the Union in due course. In cases of disagreement between supervisors on the assessment of the parent undertaking performed by the home supervisor, one or more supervisors may ask the Authority to settle the disagreement between supervisors in cross-border situations.

Recital 23

In addition to groups, structures exist, such as networks or partnerships or franchisees, in which obliged entities might share common ownership, management or compliance control, which should be subject to group-equivalent requirements. To ensure a level playing field across the sectors whilst avoiding overburdening those sectors, this Regulation identifies situations where group-wide policies, procedures and controls, including information sharing requirements, should apply to those structures, taking into account the principle of proportionality.

Recital 24

Given the different types of structures that could exist in different sectors and jurisdictions, especially in the non-financial sector, the conditions for the qualification of structures that share common ownership, management or compliance control should be designed in a general and comprehensible manner to ensure harmonisation at Union level. Furthermore, such conditions should be designed broadly to allow a wide application of the group-wide equivalent requirements. For instance, common compliance control should not be limited to compliance under the AML/CFT framework, but include other types of compliance such as prudential, product or service compliance arrangements in place.

Recital 25

Networks, as defined in this Regulation, are common arrangements, usually, but not only for auditors, external accountants, lawyers and other professionals where structures are established for specific purposes and that can have common ownership, common management or common compliance control. Similarly, partnerships are common arrangements for auditors, external accountants, lawyers and notaries, including inter- professional or multi-disciplinary networks, with obliged entities belonging to different categories, where common ownership, common management, common compliance control can be established. Further, franchises are common arrangements for instance for professionals, real estate agents, real estate professionals and the gambling sector where arrangements are put in place under a common franchise sharing certain elements of common management or common compliance control for the purposes of marketing specific types of goods and/or services. Under the conditions set out in this Regulation these structures should be subject to group-wide equivalent requirements.

Recital 26

Given the close operational and organisational links between the legal entity and their branches, the application of group-wide policies, procedures and controls to such structures is necessary to ensure a consistent and comprehensive approach to AML/CFT risk management throughout the Union. For instance, an obliged entity authorised in one Member State that operates in other Member States through one or more branches, even when it has no subsidiaries, should be subject to this Regulation. Similarly, when an entity in a third country operates only through branches in the Union, these branches should be subject to this Regulation. In these cases, such structures have in place common ownership, common management or common compliance control.

Recital 27

Differently, there can be structures other than groups that do not share any elements of common ownership, common management or common compliance control, such as pure cooperation agreements or arrangements that establish or develop only common technical tools or sharing of knowledge, customer referrals or exchanges of best practices or only the same name or branding or outsourcing arrangements of compliance control to the same service provider. To ensure proportionality in the application of the requirements, these structures do not fall in the scope of this Regulation.

Recital 28

The relationship between an agent and its principal and between a distributor and its principal does not fall within the scope of this Regulation when it is subject to specific provisions stated in Article 12 and 8(5) of Regulation (EU) 2024/1624.

Recital 29

For arrangements other than groups that share common ownership, common management or common compliance control, the parent undertaking in the Union should be identified to determine the entity in charge of developing and implementing group-wide equivalent requirements taking into account the nature of the risk and the annual turnover of the obliged entities of the structure. The criteria to determine the parent undertaking in the Union should consider the position of the entity identified as parent undertaking in the structure in the Union, its powers of control and management, and its annual turnover.

Recital 30

A notification mechanism to the supervisor of the identified parent undertaking in the Union of the structures falling in the scope of this Regulation other than groups should be included to ensure clarity and effectiveness in the identification of the parent undertaking in the Union in such cases. Supervisors should receive a notification by the identified parent undertaking in the Union and be permitted to request, where necessary, specific clarifications or additional information regarding the parent undertaking assessment performed by the identified parent undertaking in the Union. The home supervisor of the identified parent undertaking should be able to reach a decision on the identification of the parent undertaking in the Union within two months after the complete notification by the identified parent undertaking.

Recital 31

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the Authority.

Recital 32

The Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based and analysed the potential related costs and benefits.

Recital 33

Application of this Regulation is deferred to 10 July 2027 to align with the date of applicability of Regulation (EU) 2024/1624.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod