Article 5 Criteria to be taken into account when applying the administrative measures listed under this Regulation


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary: What does Article 5 of the RTS on pecuniary sanctions and administrative measures say?

This article guides supervisors on how to select the appropriate type of administrative measure to impose on an obliged entity.

Building directly on the gravity classification framework established in Articles 1 and 2, it sets out the specific criteria supervisors must weigh when deciding between three of the most severe measures available: restricting or limiting business operations, withdrawing or suspending an authorisation, and requiring a change in governance structure.

Across all three, a common thread is that the breach must generally have been classified as category three or four before such measures come into consideration.

Important points:

  • Supervisors are required to apply distinct sets of criteria depending on which type of administrative measure they are considering, meaning the decision-making process is tailored to the specific measure at hand.
  • Supervisors are required to consider a category three or four gravity classification as a threshold condition before imposing any of the three measures covered in this article.
  • Supervisors are required to factor in the conduct of the responsible person, including lack of cooperation, concealment of a breach, absence of remedial action, and ineffective internal controls, particularly when assessing whether a governance change is warranted.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. To set the type of administrative measure, supervisors shall, after assessing the indicators specified in Article 1 and 2, take into account:

      1. the circumstances referred in Article 53(6) of Directive (EU) 2024/1640, and

      2. the criteria specified in paragraphs 2 to 4.

    2. When considering whether to restrict or limit the business, operations or network of institutions comprising the obliged entity, or requiring the divestment of activities as referred to in Article 56(2), point (e), of Directive (EU) 2024/1640, supervisors shall take into account each of the following criteria, to the extent that they apply:

      1. the level of gravity is classified pursuant to Article 2 as category three or four;

      2. whether such a measure is capable of mitigating the actual impact or preventing a potential impact by assessing the indicators specified in Article 1, points (e), (g), (i) or (j);

      3. the extent to which the business, operations or network of institutions comprising the obliged entity are affected by the breach or the potential breach;

      4. the extent to which the measure could have a negative impact on customers or stakeholders;

      5. any other criteria identified by the supervisor.

    3. When considering whether to withdraw or suspend an authorisation as referred to in Article 56(2), point (f), of Directive (EU) 2024/1640, supervisors shall take into account each of the following criteria, to the extent that they apply:

      1. the level of gravity is classified pursuant to Article 2 as category three or four;

      2. whether such a measure is capable of mitigating the actual impact or preventing a potential impact by assessing the indicators specified in Article 1, points (e), (g), (i) or (j);

      3. the conduct of the natural person or legal person held responsible;

      4. whether there is a structural failure within the obliged entity, with regards to AML/CFT systems and controls and policies or a material failure of the entity to put in place adequate AML/CFT systems and controls;

      5. any other criteria identified by the supervisor.

    4. When considering the need for a change in the governance structure as referred to in Article 56(2), point (g), of Directive (EU) 2024/1640, supervisors shall take into account each of the following criteria to the extent that they apply:

      1. the level of gravity is classified pursuant to Article 2 as category three or four;

      2. the conduct of the natural person or legal person held responsible;

      3. the natural person or legal person held responsible has not cooperated with the supervisor or took actions aimed at partially or fully concealing the breach to the supervisor or at misleading the supervisor, or the absence of remedial actions since the breach was identified, either by the natural person or legal person held responsible or by the supervisor;

      4. the internal policies, procedures and controls put in place by the obliged entity are ineffective;

      5. any other additional information, where appropriate, including information from a financial intelligence unit, from a prudential supervisor or any other authority or from a judicial authority;

      6. any other criteria identified by the supervisor.
