Article 1 Indicators to classify the level of gravity of breaches


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

  1. To classify the level of gravity of a breach, supervisors shall take into account all of the following indicators, to the extent that they apply:

    1. the duration of the breach;

    2. the repetition of the breach;

    3. the conduct of the natural person or legal person that committed, permitted or did not prevent the breach;

    4. the impact of the breach on the obliged entity, by assessing:

      1. whether the breach concerns the obliged entity and whether it has an impact at group level or any cross-border impact;

      2. the extent to which the products and services are affected by the breach;

      3. the approximate number of customers affected by the breach;

      4. the extent to which the effectiveness of the AML/CFT systems, controls and policies are affected by the breach;

    5. the impact of the breach on the exposure of the obliged entity, or of the group to which it belongs, to money laundering and terrorist financing risks;

    6. the nature of the breach, by assessing whether the breach is related to internal policies, procedures and controls of the obliged entity, customer due diligence, reporting obligations or records retention;

    7. whether the breach could have facilitated or otherwise led to criminal activities as defined in Article 2(1), point (3), of Regulation (EU) 2024/1624;

    8. whether there is a structural failure within the obliged entity with regards to AML/CFT systems, controls or policies or a material failure of the entity to put in place adequate AML/CFT systems, controls or policies;

    9. the actual or potential impact of the breach on the financial viability of the obliged entity or of the group of which the obliged entity is part;

    10. the actual or potential impact of the breach:

      1. on the integrity, transparency and security of the financial system of a Member State or of the Union as a whole, or on the financial stability of a Member State or of the Union as a whole;

      2. on the orderly functioning of the financial markets;

    11. the systematic nature of the breach;

    12. any other indicator identified by the supervisors.
